Heartland Credit Card Fraud - PowerPoint

Fraud and Identity Theft Risk –
Red Flag Rule Impacts & Compliance

Presented By:
Jim Kreiser, CISA, CFSA, Senior Manager
Information Security Services
Agenda

• Profile of a Fraudster
• High-Tech Fraud
• Red Flag Identity Theft
• Questions

Profile of a Fraudster / High-Tech Fraud

Definition of Fraud

Fraud includes any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.

Computer Fraud

• Computer fraud involves misrepresentation or alteration of data for monetary gain or to acquire something of value.

• This could include obtaining goods or services, for example through the intentional introduction of fraudulent records into a computer system.

Characteristics of a Fraudster

• Intelligent
• Non-Conformist
• Egotistical
• High Roller
• Hard Working
• Stressed
• Inquisitive
• Disgruntled

Fraud Triangle & Diamond

The fraud triangle places Fraud Risk at the center of three factors:
• Incentive/Pressure
• Opportunity
• Attitude/Rationalization

The fraud diamond adds a fourth factor:
• Capability

Statistical Analysis

• Gender: 59% Male vs 41% Female
• Age: More common among employees age 40-50
• Employee, Manager, or Owner: 75% of fraud is committed by employees and managers
• Tenure: 53% of frauds analyzed were perpetrated by those with 5 or more years with employer

Source: Association of Certified Fraud Examiners
Statistical Analysis (continued)

• Education: 77% of fraud analyzed was perpetrated by those with at least some college education; and 56% were perpetrated by those who had a bachelor’s or higher degree

• Department: Fraud loss varies by department; however, the largest frauds were perpetrated in Purchasing, Upper Management, and Marketing

Source: Association of Certified Fraud Examiners
Evidence Sources

Evidence can be:
• Electronic mail on server, workstation and printed
• Computer state (running, logged in, active services, active applications)
• Any storage media (USB drive, camera, iPod, phone, BlackBerry, CD-ROM, floppies)

Evidence Sources (continued)

Evidence can be:
• Paper files
• Data stored on workstations, file shares
• Server and network device logs – activity logs, source/destination connections, Web activity

Social Engineering

How many, currently, do some form of social engineering to test internal controls?
• Recent results regarding client engagement procedures for IT security and branch operations…
   – Our IT team was able to obtain cash from a branch without showing photo identification

* Clients are not in the State of Maryland

Social Engineering (continued)

Recent Results:
• After attempts to compromise customer account data via call center and online activity, there were no call-back procedures in place to inquire about suspicious activity
   – Further, there was no escalation or reporting of the incident to the branch manager or management.
• Team was able to obtain customer information (account number) by providing member name and date of birth only (no photo ID, no SSN, etc.)
   – This was obtained by asking for help in completing a withdrawal slip.

Computer Forensics

Computer forensics techniques and methodology are used in two primary types of investigations:
1. When the computer is used as an instrument to commit a crime or is involved in some other type of misuse
2. When the computer is used as the target of a crime – for example, a computer may be hacked into and information stolen

Red Flag Identity Theft

• Red Flag Identity Theft rules were issued under the Fair and Accurate Credit Transaction Act (FACTA) of 2003. The rules are intended to address risks of identity theft and to require “creditors” to have programs in place to monitor and prevent these risks.
• The rules require covered entities to implement a written program approved by their board of directors to detect, prevent, and mitigate identity theft.
• A “Red Flag” is a pattern, practice, or activity that indicates the possible existence of identity theft.

Key Definitions

Creditor:
• FACTA defines a creditor as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit… any person that provides a product or service for which the consumer pays after delivery is a creditor.”

Key Definitions (continued)

Creditor (continued):
• Entities that do not regularly require payment for goods and services at the time of delivery, and instead defer payment to the future, are considered by the FTC to be extending credit.
• Banks, Thrifts, Credit Unions, Mortgage Lenders, Savings and Loan, etc.
• Other examples:
   – Utility companies
   – Car Dealers
   – Telecommunications companies and cable providers
   – Health Care companies
   – Debt Collectors

Key Definitions (continued)

Covered Account:
• Defined as a consumer account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions (e.g. credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account)
• Any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from ID theft, including financial, operational, compliance, reputation or litigation risks.

Key Definitions (continued)

Covered Account (continued):
• Whether business accounts are covered is left to each creditor’s discretion: each creditor determines, through a risk evaluation process, which business accounts will be covered by its ID theft program.
• NOTE – FDIC has already begun challenging institutions that do not include business accounts within their analysis and controls. If they are not included, you need to articulate why you have “opted out” of covering them in the risk assessment and monitoring.
• Another key question to ask in assessing whether you have a covered account is “Can I provide this product and/or service and the customer can default on the payment?”

Personally Identifiable Information

The types of personally identifiable information (PII) related to identity theft would include any name or information that can be used to identify a specific person, including:
• Name
• Social Security Number
• Date of Birth
• Driver’s license info
• Passport info
• Tax ID
• Biometric data
• Electronic ID numbers (credit card, routing, etc.)
• Telecommunications identifiable information

Red Flag Timeline

• Initial Deadline was November 1, 2008
• For financial institutions (those under the FDIC, NCUA, Federal Reserve, OCC, and OTS), November 1, 2008 was the enforcement date
• In October – the Federal Trade Commission (FTC) issued clarification. In this statement, the FTC delayed “enforcement” of the rule for those under its jurisdiction until May 1, 2009
   – Update – on April 30, 2009, the FTC issued another three month enforcement delay to August 1, 2009.
     http://www.ftc.gov/opa/2009/04/redflagsrule.shtm

Notable Cases

Through the normal course of business ChoicePoint disclosed customer information to unauthorized individuals, resulting in over 800 cases of identity theft and $15 million in fines. The settlement with the FTC requires ChoicePoint to implement a comprehensive security program and bi-annual third-party audits for the next 20 years.

Notable Cases (continued)

Through apparently ineffective disposal of computer equipment and retention of customer information by former employees, Goal Financial exposed an estimated 41,000 customers’ information. Goal Financial settled with the FTC, agreeing to implement a comprehensive security program and bi-annual third-party audits for the next 10 years.

Notable Cases (continued)

• Heartland Payment Systems (175,000 merchants – 100 Million transactions per month):
   – http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
   – http://www.2008breach.com/

• Other cases – BJ’s Wholesale, TJ Maxx, etc.
• The 2008 CSI Computer Crime & Security Survey provided the following information:
   – 43% of respondents detected a computer security incident costing an average of $288,618 per incident
   – 13% of respondents were unaware if any computer security incident occurred

Categories of Red Flags

The rules stratify red flags into five categories:
• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious address;
• unusual use of – or suspicious activity relating to – a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

http://www.bankersonline.com/regs/222/redflagexamples.pdf
   – Lists 26 illustrative examples (from page 213 of the regulations)

Program Components

How to achieve compliance:
• Centralize fraud, compliance, and Red Flag functions? (Trend analysis and reporting?)
• Establish a board approved policy to implement an identity theft prevention program
• Identify “red flag” risks (see Sup. A); and establish controls to mitigate the identified risks
• Create reasonable procedures to monitor the program and “red flags” for covered accounts
• Respond to red flags which are detected and escalate/review these appropriately
• Update the program and risks periodically

Clifton Gunderson’s Approach

Key aspects to consider in implementing the program relative to identity theft include:
• Risk Assessment and evaluation (including business and IT)
• Vulnerability assessment (including leveraging of any PCI and/or other privacy programs in place)
• Security framework and strategy implementation
• Program Management, including internal reporting, incident response, etc.

Other Considerations

Other thoughts:
• It has been discussed and suggested that FDIC, OTS, NCUA, etc. examiners will begin to incorporate red flag requirements into their examination procedures
• Auditors are beginning to inquire about red flag programs from a compliance/control aspect
• FTC currently doesn’t appear to have the authority/capacity to initiate routine audits/examinations
   – FTC might initiate investigations based on consumer complaints, tips, or other sources and industry information

References

• Supplement A to Appendix from FTC
• http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
• http://www.ftc.gov/opa/2008/10/redflags.shtm
• http://www.radware.com.cn/newsletter/08Nov/download/CSIsurvey2008.pdf

Questions?

For More Information

Jim Kreiser, CISA, CFSA
• Clifton Gunderson LLP
• Mid-Atlantic Commercial IT Assurance and Information Security Services Leader
• James.Kreiser@cliftoncpa.com
• 410-308-8095

				