Electronic Fraud: A Never-Ending Problem
Mary Lou Santovec

Late last year, customers at Bank First National in Manitowoc and West Bend Savings Bank became targets of phishing scams. Some customers were conned into giving up personal information that enabled thieves to clean out their accounts.

Like a multi-headed hydra, financial fraud is continuously evolving. Cut off one threat and two others pop up. The bad old days of computer hacking for fun or revenge have given way to the worse new days of complete takeovers of cell phones, laptops, and personal digital assistants (PDAs). At InterSec 2008 sponsored by several organizations including the Community Bankers of Wisconsin and held in Rice Lake in February, participants heard about the latest threats, as well as solutions to current financial fraud.

Think that because you’re a small community bank in rural Wisconsin that you’re not at-risk? Better think again. The phishing attacks on Bank First National and West Bend Savings Bank are part of a new wave of threats targeting smaller banks.

PULL QUOTE: [Recent] phishing attacks … are part of a new wave of threats targeting smaller banks.

Scammers know that many smaller institutions don’t implement a layered defense, said Rick McGuigan, CBW executive vice president. A layered defense includes passwords, encryption, anti-spyware, firewalls, and anti-virus software. It should also include employee education and ways to combat more sophisticated social engineering strategies.

Desktop computers now represent only one portion of the problem. Laptops, mobile phones, and PDAs are a major component of the new security risk said Dane Deutsch, CEO and president with DCS Netlink. Essentially all of those devices are mini computers and require the same type of security as the desktop to keep them secure.

For example, if a loan officer leaves his or her desk to put away papers, is the computer locked up? It should be. Software that automatically locks a machine if it hasn’t been used for a specific amount of time is easy to use.

In most cases, it’s not the data that the bad guys want, it’s actually your machine. They want to control your computer or laptop along with hundreds of others and harness their combined power. “Botnets,” distantly controlled “robotic” networks, are then used to attack other systems.

Prior to the Internet, the potential for banking information to fall into the wrong hands was minimal. Bankers personally knew who they were dealing with. But with online banking, account information suddenly is available to anyone with a computer and a desire — especially if security is weak. Balancing customer convenience with protection, banks have been working to stay ahead of the curve.

Web sites are one of the ways bad guys gain access and information. It’s estimated that one in 1,000 Web sites is actually malicious. And there is no “red light district” anymore. At one time, trolling the porn sites was a surefire way to pick up a computer virus. But now malicious pages can be found even at the most innocuous Web addresses. To prevent your bank’s Web site from being hijacked, security must be built into the code; it can’t be added on as an afterthought.

E-mail is also fraught with problems. Secure e-mail systems should have both authentication and confidentiality included. Authentication should go beyond passwords to biometric solutions. And if a hacker does access your e-mail accounts, encryption programs should prevent him from reading any important e-mails.

Besides protecting their information, banks must conduct risk assessments to make sure that the intended protection is actually taking place, said Jeff Haase, vice president of business development, Secure Banking Solutions. This Madison, S.D. company develops information security programs and controls, so that community banks can safely use leading-edge technology.

Most banks don’t have the in-house staff with the sophisticated knowledge to handle IT security, so they contract with a third party vendor. The regulators are concerned about this trend since many vendors are writing the contracts to reduce their liability should anything go wrong. “The regulators want language there to protect the bank,” said Haase. “They want to hold someone accountable if something … goes wrong.”

Vendor management is a “sleeper” issue that’s poised to become a regulator hot button. Thanks to vendors who have made their services easy to use, bankers are adopting technology so fast that they’re not really understanding the true risk. If information is lost or stolen, the vendor just loses the contract, but the bank loses much more in reputation and brand. Hence, the regulators are insisting that banks must do due diligence on all vendors.

Educating employees as to their responsibilities in the security game is critical. They can either be the first line of security defense or contribute to the problem. The Massachusetts-based National Security Institute suggests banks adopt the following ways to promote security awareness:

• Education, rather than punishment and intimidation, works better at delivering the message.
• Make security fun with games, food, contests. How about allowing your employees to choose a security mascot?
• Reward those who complete computer-based security training.
• Make sure all employees know that they have responsibility for a piece of the security puzzle.

To outwit the bad guys, security must be as routine as clicking a seat belt. Make sure your employees are a part of the solution.

<< back to current issue

---

Wisconsin Community Banking News is provided at no cost to CBW members and associate members. They may purchase additional subscriptions at the following rates: 1-5 copies, $30 each; 6+ copies, $25 each. Nonmembers may also purchase subscriptions; cost: $57. To order, e-mail green@merr.com.

Published by Community Bankers of Wisconsin
through Client Communications
EDITOR AND PUBLISHER: Doris Green
CONTRIBUTOR: Mary Lou Santovec
ART DIRECTOR: Lisa Otto, Grey Horse Studio
Editorial or subscriptions: call Doris Green at
(608) 583-3027, or fax (608) 583-2084; E-mail green@merr.com
Advertising: Penny Heberlein, CBW vice president,
membership services, at (608)833-4229 or contact Doris Green

COMMUNITY BANKERS OF WISCONSIN
BOARD OF DIRECTORS
2006-2007 CHAIRMAN: James Bomberg, Community Financial Group, Inc., New Berlin
CHAIRMAN ELECT: Richard Busch, Royal Bank, Gays Mills
VICE CHAIRMAN: Stephen Eager, Union Bank & Trust Company, Evansville
PAST CHAIRMAN: Norm Kommer, Community Bank of Central Wisconsin, Colby
SECRETARY/TREASURER: Ted Gurzynski, PyraMax Bank, FSB, Greenfield
ICBA State Director: Gary Sipiorski, Citizens State Bank of Loyal
ICBA State Director: Paul Adamski, The Pineries Bank, Stevens Point
Jerry Jacobson, The Northwestern Bank, Chippewa Falls
Thomas Reed, Headwaters State Bank, Land O’ Lakes
Scott Kopp, Bank of Galesville
Jeffrey Mueller, Wisconsin State Bank, Random Lake
Russel Kuehn, The First National Bank of Berlin
Steve Swanson, McFarland State Bank
Jay Mack, Town Bank, Delafield
Craig O'Leary, Farmers & Merchants Bank, Orfordville

CBW STAFF
PRESIDENT AND CEO: Daryll Lund
EXECUTIVE VICE PRESIDENT: Rick McGuigan
SENIOR VICE PRESIDENT (CBW FINANCIAL SERVICES): Kevin Christians
VICE PRESIDENT (MEMBERSHIP SERVICES): Penny Heberlein
VICE PRESIDENT (CBW FINANCIAL SERVICES): Phil Hoover
PROGRAM ADMINISTRATOR: Sandra Gruber
ACCOUNT MANAGER AND LEGISLATIVE ASSISTANT: Shannon Schlueter
ADMINISTRATIVE ASSISTANT: Cheryl Miller
ASSISTANT ACCOUNT MANAGER: Jami Erickson

Community Bankers of Wisconsin
455 County Road M, Ste. 101
Madison, WI 53719
Ph: (608) 833-4229 Fax: (608) 833-8114
E-mail: info@communitybankers.org