Three Ashley Madison 'Mandates'

By Todd Stringer

Any credit union that does wires is at risk

This article was originally published on GonzoBanker and is reprinted with permission.

Why go to the trouble of taking money out of people’s accounts if you can get them to just give it to you?

That, apparently, is the logic behind hackers who use stolen passwords and information from breaches to send fake wire transfer requests to trick recipients into approving funds transfers.

Take, for example, the Ashley Madison breach in which a Canada-based dating site was hacked and its users subsequently blackmailed via email. While at first glance a financial institution may see no immediate fraud issue with such a breach, let’s look at an example of what can be done with this type of data.

Very recently, a mid-size bank with assets over $5 billion received a wire request using a seemingly legitimate email address and password, and the transfer was sent through. Even though the contents of the email are unknown, it’s apparent the employee was disinclined to call and question a request from a director. Upon discovering this, the wire department suspended email requests for the remainder of the day.

I was unable to confirm the details of the group(s) who sent these specific fraudulent wire transfers, and we are not saying Ashley Madison data was in fact used for fraudulent wire activities. Rather, these are examples of how your institution could be hit at any time. And, despite your efforts to safeguard your customers’ passwords and identities and to establish security procedures to prevent unauthorized access to accounts, your customers may be giving their money to hackers -- and using your wire departments as pawns in the game.

A breach such as Ashley Madison burns twice, and any credit union that does wire transfers is at risk.

Three key pieces of information were publicly disclosed by hackers for each Ashley Madison account: email address, the amount spent on the service, and the customer’s physical address.

When you consider that the majority of people -- one estimate puts it at 70 percent -- re-use their passwords across sites, you realize that getting into their email and banking accounts becomes a relatively easy task.

With access to an email account, the hackers check the sent mail folder to see if the rightful owner ever transferred funds via an email request. They then forward an old wire request and ask for a new destination for the funds.

Your credit union should adopt three mandates to prevent Ashley Madison-like burns:

  • Enforce internal procedures. Many times what we see documented on paper is only half-heartedly practiced by the staff, or the credit union doesn’t fully support it. If your policy is to call customers to verify wire transfers, make sure calls are logged electronically to provide a paper trail.
  • Adjust your employee training. For wire fraud, a quick inspection of previous amounts, frequency and typical wiring dates can serve as a litmus test for fraudulent outliers. If the institution has a large volume of wire transfers per day, investigate technologies that can help identify malicious requests.
  • Have a cyber-response plan. If you can execute your fire evacuation drill better than your cyber-response plan, you have a serious problem. The time to figure out the right person to call is before the money is gone. Use the Federal Financial Institutions Examination Council’s cyber assessment tool (it’s free). Identify the Web sites you’ll need to file complaints. Create a list of numbers for local, state and federal authorities so you have it on tap if (make that when) a security-related event occurs.
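The first two mandates can be turned into a small screening step in the wire department: compare each email-originated request against the customer’s own history (previous amounts, frequency and typical wiring dates, plus whether the destination has been seen before), hold anything that looks like an outlier for a callback, and record that callback electronically. The following is an added illustration, not code from the article or from Cornerstone Advisors; the wire history, the beneficiary label and the employee names are constructed sample data, and the thresholds (3 sigma or 25 percent of the mean on amount, half the median gap on frequency, a three-day margin on the day of month) are assumptions a credit union would tune to its own volume.

```python
"""Outlier screening and callback logging for email-originated wire requests.

Added example; the history below is constructed, not real customer data.
"""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Wire:
    sent: date          # value date of the wire
    amount: float       # USD
    beneficiary: str    # destination account label (constructed)


# Constructed history: six monthly wires to one vendor, each around $12,000,
# all sent in the first few days of the month.
HISTORY = [
    Wire(date(2015, 3, 2), 12000.0, "ACME-SUPPLY-0042"),
    Wire(date(2015, 4, 1), 11850.0, "ACME-SUPPLY-0042"),
    Wire(date(2015, 5, 4), 12200.0, "ACME-SUPPLY-0042"),
    Wire(date(2015, 6, 1), 12050.0, "ACME-SUPPLY-0042"),
    Wire(date(2015, 7, 2), 11900.0, "ACME-SUPPLY-0042"),
    Wire(date(2015, 8, 3), 12100.0, "ACME-SUPPLY-0042"),
]

CALL_LOG = []  # electronic record of verification calls (the first mandate)


def screen_request(history, amount, beneficiary, requested):
    """Return the reasons a request is an outlier against the customer's own
    history; an empty list means nothing looked unusual."""
    reasons = []
    hist = sorted(history, key=lambda w: w.sent)
    amounts = [w.amount for w in hist]
    mu, sigma = mean(amounts), pstdev(amounts)
    # Amount: flag anything beyond 3 sigma, or 25% of the mean for a very
    # regular history where sigma is tiny (assumed thresholds).
    if abs(amount - mu) > 3 * max(sigma, 0.25 * mu):
        reasons.append(f"amount {amount:.2f} far from usual {mu:.2f}")
    # Destination: the article's scenario is an old request re-sent with a
    # new destination, so a never-seen beneficiary is always flagged.
    if beneficiary not in {w.beneficiary for w in hist}:
        reasons.append(f"new beneficiary {beneficiary}")
    # Frequency: a request arriving much sooner than the usual gap.
    gaps = [(b.sent - a.sent).days for a, b in zip(hist, hist[1:])]
    since_last = (requested - hist[-1].sent).days
    if gaps and since_last < 0.5 * median(gaps):
        reasons.append(f"only {since_last} days since last wire "
                       f"(typical {median(gaps):.0f})")
    # Typical wiring dates: day of month outside the customer's usual window
    # (plus an assumed three-day margin; does not handle month-end wraparound).
    days = [w.sent.day for w in hist]
    if not (min(days) - 3 <= requested.day <= max(days) + 3):
        reasons.append(f"day {requested.day} outside usual window "
                       f"{min(days)}-{max(days)}")
    return reasons


def decide(reasons):
    """Release a clean request; hold an outlier until a callback is logged."""
    return "release" if not reasons else "hold_for_callback"


def log_callback(employee, number_on_file, outcome, when=None):
    """Record the verification call. The number dialed comes from the account
    record on file, never from the email that carried the request."""
    entry = {
        "logged_at": (when or datetime.now()).isoformat(timespec="seconds"),
        "employee": employee,
        "dialed": number_on_file,
        "outcome": outcome,  # "confirmed", "denied" or "no_answer"
    }
    CALL_LOG.append(entry)
    return entry


def screen_normal_example():
    """The usual monthly wire: same vendor, same amount, first of the month."""
    return screen_request(HISTORY, 12000.0, "ACME-SUPPLY-0042", date(2015, 9, 1))


def screen_suspicious_example():
    """An old request re-sent mid-month with a new destination (constructed)."""
    return screen_request(HISTORY, 12000.0, "NEW-ACCT-9901", date(2015, 8, 20))


if __name__ == "__main__":
    for reasons in (screen_normal_example(), screen_suspicious_example()):
        print(decide(reasons), reasons)
    # Constructed callback record for the held request.
    print(log_callback("teller-07", "+1-555-0100 (on file)", "denied",
                       datetime(2015, 8, 20, 10, 15)))
```

Note that the suspicious request in the example keeps the customer’s usual amount and would pass an amount-only check; it is the new destination and the unusual date that put it on hold, which is why the article lists frequency and typical wiring dates alongside amounts.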

Todd Stringer is director of information security services for CUES Supplier member Cornerstone Advisors Inc., Scottsdale, Ariz., a CUES partner in providing strategic technology and enterprise risk management services.