DDoS: Impact on Account TakeoverFormer Examiner's Advice for Mitigating Fraud Risks
A key factor contributing to controlled account takeover losses, McHugh says, is that banking institutions have made big investments to improve online security as they've worked toward conforming to the Federal Financial Institutions Examination Council's updated authentication guidance.
"I was at a bank performing an examination when they had stopped a fraudulent ACH request," McHugh says during an interview with Information Security Media Group. Anomaly detection and behavioral analysis helped this institution flag the suspicious transaction before it resulted in fraud, she says.
"There is an increased awareness," says McHugh, a bank adviser who's a former IT examination analyst for the Federal Deposit Insurance Corp. "There's also an increased push by the regulatory agencies to ensure that the financial institutions are aware of the risks."
Steady losses despite rising account takeover incidents could be a sign that banking institutions are catching more incidents and stopping them, she adds.
But McHugh also notes that smaller banking institutions still have a lot of security work to do. "The very large institutions have robust programs for anomaly monitoring for electronic funds transfer, as well as increasing fraud awareness," she says. "So the fraudsters are moving down to the smaller institutions."
As a result, smaller banks and credit unions should be implementing more out-of-band authentication measures, such as transaction-verification call-backs, McHugh says. Unfortunately, too many are more concerned about inconveniencing the customer than improving security.
"Customer awareness is improving," she says. "But institutions need to push back on the clients and say there are certain security procedures that they are going to require. Dual controls, out-of-band confirmations - these are basic security controls. Also, the banks should implement some kind of anomaly monitoring or detection so that there is some awareness of the pattern of the customer's behavior."
During this second half of a two-part interview, McHugh discusses:
- The struggles smaller institutions face when it comes to anomaly detection practices and procedures;
- How working with Internet service providers can enhance security and reduce fraud losses;
- Why distributed-denial-of-service attacks are an increasing concern for smaller institutions being targeted for ACH/wire fraud.
In part one of the interview, McHugh reviews recent legal disputes involving incidents of corporate account takeover, highlighting that most settlements and judgments favor commercial customers (see ACH Fraud Cases: Lessons for Banks).
McHugh, an attorney and former regulatory examiner, is now a banking institution adviser for CliftonLarsonAllen, a professional services firm. Her areas of specialization include Gramm-Leach-Bliley Act compliance; information systems review; risk assessments and policy development; information security program development and implementation; vendor management; cloud computing; and corporate account takeover fraud.