Winter/Spring 2015
The SHIELD
A Security Newsletter for Business

The Best Offense is a Good Defense

In this issue:
• Accept or Reject? What a certificate alert means and how to respond.
• Strength in Numbers: Public and private sectors join forces to defend against cyberthreats.
• Heightened Fraudulent Activity Alert

The Best Offense is a Good Defense

In this issue, learn more about site certificates, plus new developments to strengthen online security.

What can a company do in the face of new and ever-changing IT threats? One of the easiest approaches is to follow recommended best practices to create multiple layers of cyberdefense. One best practice that is often ignored is to pay attention to SSL (certificate) warnings when visiting websites. For example, when Internet Explorer presents this warning for a perceived certificate issue: “There is a problem with this website’s security certificate,” what should you do, and why? Another good defense is the collaboration underway between financial leaders, the federal government and state governments as they work to secure our online technology against threats.

This newsletter outlines certain practices that businesses should consider to reduce the likelihood of loss related to site certificate issues and other online security issues. The content does not purport to identify all existing related issues or all fraud mitigation measures that your business should consider implementing. There is no way to guarantee that any set of protective measures will eliminate loss caused by online fraud and identity theft. U.S. Bank is not responsible for losses caused by site certificate issues and other online security issues.

Want to learn more about best practices you can implement for a good defense? Contact your U.S. Bank representative or check usbank.com/security.

The Shield newsletter is for...
• Business professionals and leaders with responsibility for business account management, including payroll, wire transfer and/or ACH services.
• Business owners without IT support, or businesses that do not have Information Security and/or business account management policies or processes in place.
• Clients of U.S. Bank and other financial institutions.

Information shared in this newsletter is not intended to supersede your existing IT, account management and/or security processes, systems or policies in your workplace, or those of your current financial institution. Please consult your IT support and your financial institution providers for more assistance.

Strength in Numbers
Public and private sectors join forces to defend against cyberthreats

Faced with a deluge of cybersecurity concerns, private companies concerned about liability or competitive advantage are sometimes reluctant to share information with other businesses and with government. That hesitation can hinder government and business efforts to defend and protect U.S. business interests. This perspective is slowly changing. For example, banks that experienced DDoS attacks two years ago shared their knowledge with the security teams of other banks to help them avoid becoming the next victim.

U.S. Bancorp leaders collaborate to strengthen technology support

U.S. Bancorp CEO Richard Davis and Chief Information Security Officer Jason Witty have teamed up with financial leaders and government officials to create innovative new solutions to cyberthreats. The first is Soltra Edge, a technology that collects huge amounts of cyberthreat intelligence from multiple sources and enables companies across the world to quickly and cost-effectively share and use the information to defend against cyberattacks. Additionally, U.S. Bancorp has championed a new “.bank” Internet domain with enhanced security controls, scheduled to launch in 2015.
Only verified banks can register .bank addresses, and they will be required to adhere to strict standards. Consumers who do financial transactions on a .bank site will have additional assurance that their data is being protected.

Federal guideline lays tracks for secure infrastructure

In February 2013, President Obama issued an Executive Order for the U.S. government to improve cybersecurity in the nation’s “critical infrastructure,” including the transportation, energy and finance sectors, and to “increase the volume, timeliness and quality of cyberthreat information shared with U.S. private sector entities.” Through collaboration between government and private cybersecurity experts, in February 2014 the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework. This document outlines voluntary cybersecurity guidelines for public and private organizations that are part of the critical infrastructure. Experts from U.S. Bancorp participated in the development of this Framework.

Further commentary from the White House in early 2015 has renewed the push for legislative efforts and further collaboration among the public and private sectors. U.S. Bancorp will stay atop these legislative developments in our continued efforts to safeguard our clients and the financial sector as a whole.

We all gain advantage

As government and private industry are learning, everyone wins when we join forces to strengthen cybersecurity and defend ourselves and our clients.

Accept or Reject?
What a certificate alert means and how to respond

What is a site certificate?

U.S. Bancorp has over 6,000 certificates for websites and applications that use secure transmission. Websites that use secure transmission, such as U.S. Bank SinglePoint®, must request certification from a recognized certificate authority, such as Entrust or Verisign.* The authority validates the identity of the server owner and organization and issues a digital site certificate.
This certificate is stored on the website’s server and is presented to your browser to verify the site’s identity.

How to spot a secure site

When you navigate to a secure website, your browser (such as Google Chrome, Mozilla Firefox or Internet Explorer) checks the website’s certificate to verify that:
• The website address matches the address on the certificate.
• The certificate is signed by a trusted certificate authority.

You can also recognize a secure site by these signs:
• The URL starts with “https:” instead of “http:” (for example: https://www.usbank.com).
• A closed padlock image, depending on the browser, will appear either in the status bar at the bottom of the page or to the right of the address field.

What happens if it is not valid?

You’ll get an SSL (certificate) error message if the browser finds one of these problems:
• The website name doesn’t match the name registered to the certificate.
• The certificate wasn’t signed by a trusted certificate authority.
• The certificate is expired, compromised or superseded by a newer certificate.

You will be prompted to choose: “Do you want to accept the certificate and continue using the site, or reject the certificate and leave the site?” You can also accept the certificate for just this one visit or for all future visits.

What should you do?

• Close your browser.
• Do not enter any personal information on that website! The risk is that the certificate has been compromised by an individual wishing to intercept your secure traffic.

If you ever encounter a certificate issue on a U.S. Bank site, please contact your designated customer service team.

Heightened Fraudulent Activity Alert

On January 22, 2015, the FBI released a Public Service Announcement regarding fraudulent wire transfer schemes. We encourage our clients to review this alert from the FBI and continue to be aware of this evolving threat. Over the past several months, the financial services industry has seen a growth in social engineering activities targeting businesses’ use of wire and ACH funds transfers.
These fraud attempts have originated from increased foreign and domestic social engineering focused on deceiving businesses’ employees and internal financial processes rather than attacking the underlying financial technologies. Here are some details regarding recent schemes, and a few tips for avoiding a potentially significant adverse financial impact.

How does this social engineering work?

These attacks use techniques that convince organizations to unintentionally move money to accounts controlled by cyberthieves. In many of these cases, a delay in discovering and reacting to the crime may reduce or eliminate the chance of stopping the transaction or recalling the funds.

Recalling funds after a fraudulent transaction

In the event of a fraudulent transaction, a successful recall of unauthorized funds is never guaranteed. Foreign banking laws and policies can impede or prohibit the refund of unauthorized funds. Your organization will be responsible for the lost funds, resulting in a potentially material loss.

Link: FBI IC3 Public Service Announcement, 22 Jan 2015

Additional reading
• Targeted Wire Transfer Scam Aims at Corporate Execs
• Corporate Executives Targeted in New Email Scam

DID YOU KNOW?
E-Payment Service Upgrade

U.S. Bank will be upgrading the U.S. Bank E-Payment Service infrastructure during the first quarter of 2015 to further increase security against cyberattacks by supporting new Secure Hash Algorithm (SHA) certificates. All of the major web browsers are in the process of converting from the SHA-1 certificates currently in place to the more secure SHA-2 certificates. U.S. Bank’s scheduled upgrades are consistent with the industry standards that have evolved to require support for SHA-2 certificates. Additional communication regarding this topic will also be sent from our E-Payment Service team. If you have any questions, please contact your U.S. Bank Commercial Customer Service Team.
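The checks a browser performs before showing the “Accept or Reject?” warning (address matches the certificate, trusted issuer, validity period), plus the SHA-1 signature concern from the E-Payment upgrade note, modelled as a small validator. This is an added example, not code from the newsletter or from U.S. Bank; the certificate fields, the trusted-issuer list and the dates are constructed sample values, and the issuer list stands in for the browser’s real root store.

```python
from datetime import datetime, timezone

# Constructed stand-in for the browser's trusted root store (not a real trust list).
TRUSTED_ISSUERS = {"Entrust (sample root)", "Verisign (sample root)"}

# Constructed sample certificate fields, shaped like what a browser reads from a site cert.
SAMPLE_CERT = {
    "subject_cn": "www.usbank.com",
    "sans": ["www.usbank.com", "usbank.com"],
    "issuer": "Entrust (sample root)",
    "not_before": datetime(2014, 3, 1, tzinfo=timezone.utc),
    "not_after": datetime(2016, 3, 1, tzinfo=timezone.utc),
    "signature_algorithm": "sha256WithRSAEncryption",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard may only be the whole leftmost label
    and may not stand in for the registrable domain itself (so '*.com' never matches)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and len(h_labels) > 2 and p_labels[1:] == h_labels[1:]


def certificate_warnings(cert: dict, hostname: str, trusted_issuers: set, now: datetime) -> list:
    """Return the problems a browser would warn about; an empty list means the site checks out."""
    problems = []
    names = cert["sans"] or [cert["subject_cn"]]  # browsers prefer SANs over the CN
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("website name does not match the certificate")
    if cert["issuer"] not in trusted_issuers:
        problems.append("certificate not signed by a trusted certificate authority")
    if now < cert["not_before"] or now > cert["not_after"]:
        problems.append("certificate expired or not yet valid")
    if cert["signature_algorithm"].lower().startswith("sha1"):
        problems.append("certificate signed with SHA-1 (being phased out by browsers)")
    return problems


def decision(problems: list) -> str:
    """The newsletter's guidance: any warning means close the browser and enter nothing."""
    return "proceed" if not problems else "reject: close the browser, enter no personal information"


if __name__ == "__main__":
    visit = datetime(2015, 2, 1, tzinfo=timezone.utc)
    print(decision(certificate_warnings(SAMPLE_CERT, "www.usbank.com", TRUSTED_ISSUERS, visit)))
```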
Executive email spoofs - be wary of this fraud technique

1. The scheme starts by gathering information about a company’s organizational structure and leadership through social media (Facebook, LinkedIn), Google searches or other publicly available documentation.
2. The fraudster identifies key leaders who may request a payment to a third party (for example, C-suite or other high-level executives) and spoofs an email or call (or both) from the leader to financial staff with an urgent tone.
   a. A variant of this attack may request a change in account information from someone posing as a key vendor receiving payment. This is especially prevalent for vendors operating out of a foreign country.
   b. The email domain of the sender of the fraudulent email may be extremely close to that of the actual company (for example, using an “n” instead of an “m”).
3. Based on the urgency of the email (or phone call), the financial staff may quickly complete a wire (or ACH) transfer without contacting the original requestor to confirm the payment details and validate the request. Any secondary approvers may also be told that it was an urgent request and will likely approve without verification.
4. The funds are received by an intermediary (often a money mule) who sends the money directly to the fraudster, or, typically in the case of a foreign wire, may be received directly by the fraudster.

What can you do to help protect your organization?

• Trust, but verify - Consider enhancing your operational money movement controls to verify the source of any email or phone-based request via an alternate communication method. For example, if a request is received from the CFO via email, use the company directory phone number (not the one in the email) to call and confirm the transfer details. Apply further scrutiny if the funding account is new and has not been used in past transactions.
• Create awareness - Inform your financial staff of these scams and ensure they understand operational protocol.
• Use email blocking - Work with IT staff to assess the viability of filtering or blocking messages of this nature.
• Communicate quickly - Inform your U.S. Bank relationship manager and your IT security staff immediately when these events occur. It may also be appropriate to contact U.S. law enforcement agencies as well as law enforcement agencies with jurisdiction over the recipient account’s bank.
• Implement dual control - If you haven’t already, contact us to update your U.S. Bank SinglePoint® security settings to enforce dual control for ACH and wire transactions. This will ensure two separate individuals are required to approve each transaction request. Dual control also helps mitigate the risk of fraudulent transactions due to malware account takeover.
• Protect workstations - Aside from social engineering attacks, threats also continue to come from malware inadvertently installed on workstations. U.S. Bank recommends installing IBM® Security Trusteer Rapport™ to protect against financial malware fraud. This tool is being provided at no cost to U.S. Bank SinglePoint clients.

*Entrust Inc., owned by Entrust Datacard, www.entrust.com; Verisign, Inc., owned by Symantec, www.verisigninc.com

U.S. Bank SinglePoint is a registered trademark of U.S. Bank National Association. ©2015 U.S. Bank. Member FDIC. usbank.com.
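The lookalike-domain trick from step 2b (an “n” in place of an “m”, or “rn” read as “m”) is what an email filter, as suggested under “Use email blocking”, can catch before a payment request reaches financial staff. This added example is not code from the newsletter or from U.S. Bank; the company domain and the From: headers are constructed samples, and a “lookalike” verdict is meant to hold the request for the out-of-band phone confirmation described under “Trust, but verify”.

```python
from email.utils import parseaddr

# Constructed sample: the domains this company legitimately sends mail from.
COMPANY_DOMAINS = {"examplebank.com"}

# Character sequences that look alike in common fonts; both sides are normalized the same way.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so 'exarnplebank.com' looks like 'examplebank.com'."""
    for lookalike, canonical in CONFUSABLES:
        domain = domain.replace(lookalike, canonical)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single swapped letter ('bamk' for 'bank') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, company_domains: set, max_distance: int = 2) -> str:
    """'internal' for a real company domain, 'lookalike' for a near-miss, else 'external'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in company_domains:
        return "internal"
    for legit in company_domains:
        if skeleton(domain) == skeleton(legit) or edit_distance(domain, legit) <= max_distance:
            return "lookalike"
    return "external"


def triage_requests(from_headers: list, company_domains: set) -> list:
    """Parse each From: header (display name is ignored; only the real address counts) and
    return (address, verdict) pairs; 'lookalike' requests should be held for phone confirmation."""
    results = []
    for header in from_headers:
        _display_name, address = parseaddr(header)
        results.append((address, classify_sender(address, company_domains)))
    return results


if __name__ == "__main__":
    # Constructed sample headers: an executive's name on a lookalike domain is the classic spoof.
    for address, verdict in triage_requests(["Jane Doe (CFO) <cfo@examplebamk.com>"], COMPANY_DOMAINS):
        print(address, verdict)
```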