Winter/Spring 2015 The SHIELD - U.S. Bank
The Best Offense is a Good Defense
The SHIELD
A Security Newsletter for Business
In this issue:
• Accept or Reject? What a certificate alert means and how to respond.
• Strength in Numbers: Public and private sectors join forces to defend against cyberthreats.
• Heightened Fraudulent Activity Alert
Winter/Spring 2015
This newsletter outlines certain practices that businesses should consider to reduce the likelihood of loss related to site certification issues and other online security issues. The content does not purport to identify all existing related issues or all fraud mitigation measures that your business should consider implementing. There is no way to guarantee that any set of protective measures will eliminate loss caused by online fraud and identity theft. U.S. Bank is not responsible for losses caused by site certification issues and other online security issues.
Want to learn more about best practices you can implement for a good defense? Contact your U.S. Bank representative or check usbank.com/security.
What can a company do in the face of new and ever-changing IT threats? One of the easiest approaches is to follow recommended best practices to create multiple layers of cyberdefense. One best practice that is often ignored is to stay aware of SSL (certificate) warnings when visiting websites. For example, when your Internet Explorer browser presents this warning for a perceived certificate issue: “There is a problem with this website’s security certificate,” what should you do and why?
Another good defense is the collaboration underway between financial leaders, federal government and state governments as they work to secure our online technology against threats.
In this issue, learn more about site certifications, plus new developments to strengthen online security.
The Best Offense is a Good Defense
The Shield newsletter is for...
• Business professionals and leaders with responsibility for business account management, including payroll, wire transfer and/or ACH services.
• Business owners without IT support, or businesses that do not have Information Security and/or business account management policies or processes in place.
• Clients of U.S. Bank and other financial institutions. Information shared in this newsletter is not intended to supersede your existing IT, account management and/or security processes, systems or policies in your workplace, or those of your current FI. Please consult your IT support and your Financial Institution providers for more assistance.
Strength in Numbers: Public and private sectors join forces to defend against cyberthreats
Faced with a deluge of cybersecurity concerns, private companies concerned about liability or competitive advantage are sometimes reluctant to share information with other businesses and with government. That hesitation and reluctance can hinder government and business efforts to defend and protect U.S. business interests. This perspective is slowly changing. For example, banks that experienced DDoS attacks two years ago shared their knowledge with the security teams of other banks to help them avoid becoming the next victim.
U.S. Bancorp leaders collaborate to strengthen technology support
U.S. Bancorp CEO Richard Davis and Chief Information Security Officer Jason Witty have teamed up with financial leaders and government officials to create innovative and new solutions to cyberthreats. The first is Soltra Edge, a technology that collects huge amounts of cyberthreat intelligence from multiple sources and enables companies across the world to quickly and cost-effectively share and use the information to defend against cyberattacks.
Additionally, U.S. Bancorp has championed a new “.bank” Internet domain with enhanced security controls, scheduled to launch in 2015. Only verified banks can register .bank addresses and will be required to adhere to strict standards. Consumers who do financial transactions on a .bank site will have additional assurance their data is being protected.
Federal guideline lays tracks for secure infrastructure
In February 2013, President Obama issued an Executive Order for the U.S. government to improve cybersecurity in the nation’s “critical infrastructure,” including the transportation, energy and finance sectors, and to “increase the volume, timeliness and quality of cyberthreat information shared with U.S. private sector entities.”
Through collaboration between government and private cybersecurity experts, in February 2014, the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework. This document outlines voluntary cybersecurity guidelines for public and private organizations as part of the critical infrastructure. Experts from U.S. Bancorp participated in the development of this Framework.
Further commentary from the White House in early 2015 has renewed the push for legislative efforts and further collaboration among the public and private sectors. U.S. Bancorp will stay atop these legislative developments in our continued efforts to safeguard our clients and the financial sector as a whole.
We all gain advantage
As government and private industry are learning, everyone wins when we join forces to strengthen cybersecurity and defend ourselves and our clients.
Accept or Reject? What a certificate alert means and how to respond
What is a site certificate?
Websites that use secure transmission, such as U.S. Bank SinglePoint®, must request certification from a recognized authority, such as Entrust or Verisign.* These authorities validate the identity of the server owner and organization and issue a digital site certificate. This certificate is stored within a website to verify its identity.
How to spot a secure site
When you navigate to a secure website, your browser (such as Google Chrome, Mozilla Firefox or Internet Explorer) checks the website’s certificate to verify that:
• The website address matches the address on the certificate.
• The certificate is signed by a trusted certificate authority.
• The URL starts with “https:” instead of “http:” (for example: https://www.usbank.com).
• A closed padlock image, depending on the browser, will appear either in the status bar at the bottom of the page or to the right of the address field.
What happens if it is not valid?
You’ll get an SSL (certificate) error message if the browser finds one of these problems:
• The website name doesn’t match the name registered to the certificate.
• The certificate wasn’t signed by a trusted certificate authority.
• The certificate is expired, compromised or superseded by a newer certificate.
You will be prompted to choose: “Do you want to accept the certificate and continue using the site, or reject the certificate and leave the site.” You can also accept the certificate for just this one visit or for all future visits.
What should you do?
• Close your browser.
• Do not enter any personal information on that website!
The risk is that the certificate has been compromised by an individual wishing to intercept your secure traffic. If you ever encounter a certificate issue on a U.S. Bank site, please contact your designated customer service team.
U.S. Bancorp has over 6,000 certificates for websites and applications that leverage secure transmission.
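The name, issuer and validity checks described above, as an added example that is not from the newsletter or from U.S. Bank: a small Python routine that applies those three tests to a certificate in the dictionary layout Python's ssl module returns from getpeercert(), including proper handling of a single-label wildcard name. The sample certificate, the trusted-issuer set and the fixed clock are constructed for the example.

```python
# Added example (not from the newsletter): the three checks a browser makes
# before showing the closed padlock, run over a certificate in the dictionary
# layout that Python's ssl.SSLSocket.getpeercert() returns.
import ssl

# Constructed sample certificate (all values are made up for this example).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2016 GMT",
}
# Assumed trust store: issuer organisations this client accepts.
TRUSTED_ISSUERS = {"Example Trusted CA"}
# Fixed "current times" so the example is reproducible offline.
NOW_2015 = ssl.cert_time_to_seconds("Jun  1 12:00:00 2015 GMT")
NOW_2018 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2018 GMT")

def dns_names(cert):
    """Names the certificate is valid for: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def certificate_problems(cert, hostname, now=NOW_2015):
    """Return the reasons a browser would warn; an empty list means OK."""
    problems = []
    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        problems.append("name mismatch")
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("organizationName") not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("expired or not yet valid")
    return problems
```

A real browser additionally walks the full chain and checks revocation, which this example omits.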
Heightened Fraudulent Activity Alert
On January 22, 2015, the FBI released a Public Service Announcement regarding the fraudulent wire transfer schemes. We encourage our clients to review this alert from the FBI and continue to be aware of this evolving threat.
Over the past several months, the financial services industry has seen a growth in social engineering activities targeting businesses’ use of wire and ACH funds transfers. These fraud attempts have originated from increased foreign and domestic social engineering focused more on deceiving businesses’ employees and internal financial processes, rather than attacking the underlying financial technologies. Here are some details regarding recent schemes, and a few tips for avoiding a potentially significant adverse financial impact.
How does this social engineering work?
These attacks use techniques that convince organizations to unintentionally move money to accounts controlled by cyberthieves. In many of these cases, a delay in discovering and reacting to the crime may serve to reduce or eliminate the chance of stopping the transaction or being able to recall the funds.
Recalling funds after a fraudulent transaction
In the event of a fraudulent transaction, a successful recall of unauthorized funds is never guaranteed. Foreign banking laws and policies can impede or prohibit the refund of unauthorized funds. Your organization will be responsible for the lost funds, resulting in a potentially material loss.
DID YOU KNOW? E-Payment Service Upgrade
U.S. Bank will be upgrading the U.S. Bank E-Payment Service infrastructure during first quarter 2015 to further increase security against cyberattacks by supporting new Secure Hash Algorithm (SHA) certificates. All of the major web browsers are in the process of converting from SHA-1 certificates that are currently in place to the more secure SHA-2 certificates. U.S. Bank’s scheduled upgrades are consistent with the industry standards which have evolved, necessitating the support of SHA-2 certificates. Additional communication regarding this topic will also be sent from our E-Payment Service team. If you have any questions, please contact your U.S. Bank Commercial Customer Service Team.
Link to FBI IC3 Public Service Announcement, 22 Jan 2015
Additional reading
• Targeted Wire Transfer Scam Aims at Corporate Execs
• Corporate Executives Targeted in New Email Scam
Executive email spoofs - be wary of this fraud technique
1. The scheme starts by gathering information about a company’s organizational structure and leadership through social media (Facebook, LinkedIn), Google searches or other publicly available documentation.
2. The fraudster identifies key leaders who may request a payment to a third party (for example, C-suite or other high-level executives) and spoofs an email or call (or both) from the leader to financial staff with an urgent tone.
a. A variant of this attack may request a change in account information from someone posing as a key vendor receiving payment. This is especially prevalent for vendors operating out of a foreign country.
b. The email domain of the sender of the fraudulent email may be extremely close to that of the actual company (for example, using an “n” instead of an “m”).
3. Based on the urgency of the email (or phone call), the financial staff may quickly complete a wire (or ACH) transfer without contacting the original requestor to confirm the payment details and validate the request. Any secondary approvers may also be told that it was an urgent request and will likely approve without verification.
4. The funds are received by an intermediary (often a money mule) who sends the money on to the fraudster, or, typically in the case of a foreign wire, are received directly by the fraudster.
What can you do to help protect your organization?
• Trust, but verify - Consider enhancing your operational money movement controls to verify the source of any email or phone-based request via an alternate communication method. For example, if a request is received from the CFO via email, use the company directory phone number (not the one in the email) to call and confirm the transfer details. Apply further scrutiny if the funding account is new and has not been used in past transactions.
• Create awareness - Inform your financial staff of these scams and ensure they understand operational protocol.
• Use email blocking - Work with IT staff to assess the viability of filtering or blocking messages of this nature.
• Communicate quickly - Inform your U.S. Bank relationship manager and your IT security staff immediately when these events occur. It may also be appropriate to contact U.S. law enforcement agencies as well as law enforcement agencies with jurisdiction over the recipient account’s bank.
• Implement dual control - If you haven’t already, contact us to update your U.S. Bank SinglePoint® security settings to enforce dual control for ACH and wire transactions. This will ensure two separate individuals are required to approve each transaction request. Dual control also helps mitigate the risk of fraudulent transactions due to malware account takeover.
• Protect workstations - Aside from social engineering attacks, threats also continue to come from malware inadvertently installed on workstations. U.S. Bank recommends installing IBM® Security Trusteer Rapport™ to protect against financial malware fraud. This tool is being provided at no cost to U.S. Bank SinglePoint clients.
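To illustrate the look-alike sender-domain trick (an “n” instead of an “m”) described in the scheme above, here is an added example that is not part of the newsletter or of any U.S. Bank tool: a Python screen that compares each From: header's domain with the company's own domain and flags near-misses for the call-back verification the tips recommend. The corporate domain, the sample headers and the confusable-character table are constructed assumptions.

```python
# Added example (not from the newsletter): flag payment-request e-mails whose
# sender domain only resembles the company's own, the "n instead of m" trick.
# COMPANY_DOMAIN, SAMPLE_HEADERS and CONFUSABLES are constructed assumptions.
import re
from difflib import SequenceMatcher

COMPANY_DOMAIN = "examplecorp.test"            # assumed corporate domain
SAMPLE_HEADERS = [                              # constructed From: lines
    "From: CFO <cfo@examplecorp.test>",
    "From: CFO <cfo@exanplecorp.test>",
    "From: Accounts Payable <ap@exarnplecorp.test>",
    "From: Jane <jane@examplecorp.test.evil.test>",
    "From: Vendor Billing <billing@vendor-invoices.test>",
]
# Character runs that are easily mistaken for each other in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))

def normalize(domain):
    """Fold look-alike runs so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d

def sender_domain(header):
    """Extract the domain from a From: header; None if it cannot be parsed."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header)
    return m.group(1).lower() if m else None

def classify(header, company=COMPANY_DOMAIN):
    """Return 'internal', 'lookalike', 'external' or 'unparseable'."""
    domain = sender_domain(header)
    if domain is None:
        return "unparseable"
    if domain == company or domain.endswith("." + company):
        return "internal"                       # the real domain or a subdomain
    if company in domain:                       # e.g. company.test.evil.test
        return "lookalike"
    similarity = SequenceMatcher(None, normalize(domain), normalize(company)).ratio()
    if normalize(domain) == normalize(company) or similarity >= 0.9:
        return "lookalike"                      # one swapped or confusable char
    return "external"

def review_headers(headers=SAMPLE_HEADERS):
    """Map each header to its verdict; 'lookalike' should trigger a call-back."""
    return {h: classify(h) for h in headers}
```

Any message classed as lookalike that asks for a payment or a change of account details is exactly the case where the alternate-channel confirmation in the tips above applies.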
*Entrust Inc., owned by Entrust Datacard, www.entrust.com; Verisign, Inc., owned by Symantec, www.verisigninc.com
U.S. Bank SinglePoint is a registered trademark of U.S. Bank National Association.
©2015 U.S. Bank. Member FDIC. usbank.com.