August Fraud Roundup

For cyber criminals, security researchers, regulators and financial institutions, there’s been no summer break. The FFIEC announced a Supplement to its 2005 Authentication Guidance, hackers produced significant volumes of new malware, more businesses lost money and another lawsuit was filed.
With so much going on, we thought we’d use the blog to regularly summarize the hot news. Welcome to our first “Fraud Roundup”:
New FFIEC Supplement and Clarifications from the Agencies
The FFIEC raised the bar on expectations for layered security, risk assessments and customer education. Since the Supplement’s release, there has been a lot of discussion of the guidance and of layered security.
In recent presentations by the FDIC, OCC and the Federal Reserve Board, the Agencies make one thing very clear about the Supplement: all institutions are expected to have layered security, which at a minimum is defined by the capability to detect and respond to anomalous customer behavior at login and at initiation of a transaction. The Agencies further clarified this is expected for retail and commercial banking and that business accounts.
New ACH Fraud Suit Filed, BankInfoSecurity.com
In March 2010, Village View Escrow of California had its online bank account infiltrated by hackers, suffering $465,000 in losses. The company has now filed a lawsuit against its bank in the California Superior Court. This is the latest in a stream of recent commercial banking fraud lawsuits.
FBI Investigating Online Banking Theft of $139,000 from Pittsford, NY, Krebs on Security
The fraud losses continue. This theft is the latest reminder that cybercriminals are effectively bypassing existing controls.
More Fraud Losses – eThieves Steal $217k from Arena Firm, Krebs on Security
Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.
Spam Fraud Down, Targeted Phishing Attacks Up 400%, Bank Technology News
End users aren’t getting any relief. A Cisco study finds that cyber fraud has shifted from mass, generalized attacks to very specific spear phishing hits that harness stolen user information to dupe unwitting consumers (such as bank customers and cardholders) into divulging account information.
Mobile Malware on the Rise, McAfee
McAfee reports that Android was the most popular target for malware developers in Q2 2011. Researchers highlight mobile crimeware on Android that forwards SMS messages, a technique to thwart out-of-band authentication and verification.