By the Division of Banks
What is CATO?
Corporate Account Takeovers occur when cyber thieves gain control of business systems by stealing sensitive employee credentials and information. Criminals can then initiate fraudulent wire transfers and transactions through the ACH to any account. Thieves typically gain access to a computer via malicious software (malware) that can infect it through e-mail, websites, or malware disguised as legitimate software. It is necessary to fully understand the severity of these attacks and their effects on client confidence, as well as their potential implications for your institution’s reputation. The Division recognizes the growing risks in cyber crimes and the need for financial institutions to identify, develop, and implement appropriate risk management systems.
- In May 2010, Golden State Bridge, an engineering and construction company based in Martinez, Calif., was robbed of more than $125,000 when cybercriminals hacked into its bank account. The hackers made two automated clearinghouse batch transactions with the office manager’s user name and password, routing stolen money to eight other banks across the country. Ann Talbot, Golden State’s chief financial officer, learned later that the office manager had violated policy by visiting a social networking site, which the company said it believed was how her computer was infected with malicious software, or “malware,” that antivirus software did not detect. [1]
- A California escrow firm has been forced to take out a high-cost loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year. In March, computer criminals broke into the network of Redondo Beach-based Village View Escrow, Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. Owner Michelle Marisco said her financial institution at the time, Professional Business Bank of Pasadena, Calif., normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. However, the attackers apparently disabled that feature before initiating the fraudulent wires. [2]
- Collaboration between the banks and the Federal Bureau of Investigation helped build a case against Waya Nwaki, a.k.a. Shawn Conley, who was arrested in December on charges of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers. According to the indictment filed with the U.S. District Court in New Jersey, Nwaki and six co-conspirators between August 2000 and June 2010 worked across three continents to launch phishing attacks through spoofed websites designed to mimic banks and payroll processors such as ADP. When online users visited the spoofed pages, they were asked to provide confidential personal and financial information, such as dates of birth, Social Security numbers, mothers' maiden names, and online account user names and passwords. Once the hackers obtained log-in credentials and answers to commonly-asked security questions, they accessed online accounts to make unauthorized transfers to accounts they controlled and/or wired money overseas through money remittance providers such as Western Union and MoneyGram. [3]
Best Practice Recommendations for Businesses
Educate all employees on this type of fraud scheme:
- Review risky behavior with employees, especially when opening unsolicited emails.
- Educate employees on what suspicious websites and malicious “computer optimization” software look like.
Enhance the security of computer networks:
- Minimize the number of machines used for various business functions. Consider conducting online banking on dedicated machines segregated from other business functions.
- Always lock computers when unattended, especially those with administrator access.
- Install and maintain anti-virus, anti-malware and anti-spam programs that periodically scan file systems.
- Utilize firewalls and routers to restrict network access.
- Ensure that programs are consistently updated through an organized patching process.
- Consider creating regular backup copies of system files.
- Encrypt hard drives if possible, and if not, encrypt important documents including those containing sensitive information.
- Avoid utilizing open internet access points for internet connectivity.
- Be aware of emerging information security threats and what measures can be taken to mitigate the risk of unauthorized intrusion.
Enhance processes and procedures for corporate banking activity:
- When conducting Automated Clearing House (ACH) or wire transfer activities, utilize dual controls: one employee initiates and a second employee approves, each from a separate computer.
- Verify confirmation channels for approval and notification of activity with your financial institution.
- If for any reason your account information or settings have been changed without proper authorization, contact your financial institution immediately.
Understand responsibilities and liability:
- Ensure that you understand the account agreement you have entered into with your financial institution. Understand how liability is determined for cases of fraud.
What to do if a breach is suspected:
- Cease all online activity and remove any compromised systems from the network.
- Ensure all proper authorities are contacted, such as senior management at your firm, information technology personnel, banking institutions, and the police.
- Maintain a written log of events that have transpired since abnormal activity was detected.
- Consider what kind of data might have been accessed by the intruding party.
- File a police report and provide any facts known about the circumstances surrounding the loss.
- Have a contingency plan in place to recover systems that are suspected to have been breached.
Best Practice Recommendations for Financial Institutions
Assess risk to banking systems:
- Identify systems such as e-banking, mobile banking, remote deposit capture, wire transfer and any other systems involving nonpublic personal information or the ability to transfer funds.
Educate corporate account holders on best practices:
- Corporate account holders should be trained on items such as password complexity, dual controls, securing sensitive information, and avoiding the use of banking workstations for non-business functions.
Implement layered security into systems:
- Utilize multifactor authentication processes when corporate account holders sign into an account.
Review vendor contracts:
- Ensure that vendor contracts take precautions to prevent unwarranted access to information and that the proper controls and procedures are in place to address any security breach.
Develop a monitoring system:
- Utilize either an automated or manual monitoring system that monitors traffic and information movement on the bank’s network.
Incorporate CATO into the incident response plan:
- Ensure that the incident response plan contains procedures for addressing a CATO related breach.
Develop follow-up and recovery procedures:
- After an incident has taken place, it is important to follow up with the customer, law enforcement, and regulators. A detailed plan for recovery of assets should also be in place.
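The following Python sketch is an added example, not part of the Division's guidance or any institution's actual system. It models the two controls that the escrow case above shows being bypassed: the business-side dual control for ACH and wire release from two separate computers, and a bank-side monitoring rule that flags an account whose alerts were switched off shortly before a burst of outbound wires. The account names, device names, thresholds and the event log are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    initiator: str          # employee who keyed the wire/ACH request
    initiator_device: str   # workstation it was keyed on
    beneficiary: str
    approver: str = ""      # empty until a second employee approves
    approver_device: str = ""

def release_allowed(t: Transfer):
    """Dual control: a different employee, on a different computer, must approve."""
    if not t.approver:
        return (False, "no approval recorded")
    if t.approver == t.initiator:
        return (False, "initiator cannot approve own transfer")
    if t.approver_device == t.initiator_device:
        return (False, "approval must come from a separate computer")
    return (True, "ok")

# Constructed bank-side event log (timestamp, account, event, detail) modelled on
# the escrow case: e-mail alerts switched off, then a burst of outbound wires.
EVENTS = [("2010-03-01T09:00:00", "acct-1", "settings_changed", "wire_alerts=off")]
EVENTS += [("2010-03-01T09:%02d:00" % (5 + 3 * i), "acct-1", "wire_sent", "bene-%02d" % i)
           for i in range(6)]
EVENTS += [("2010-03-01T10:00:00", "acct-2", "wire_sent", "payroll-vendor")]

def flag_accounts(events, window=timedelta(hours=1), max_wires=3):
    """Return {account: [reasons]} for accounts whose activity matches a takeover pattern."""
    by_acct = {}
    for ts, acct, kind, detail in events:
        by_acct.setdefault(acct, []).append((datetime.fromisoformat(ts), kind, detail))
    alerts = {}
    for acct, rows in by_acct.items():
        rows.sort()
        wires = [t for t, k, _ in rows if k == "wire_sent"]
        reasons = []
        # Velocity: more than max_wires outbound wires inside one window.
        if any(wires[i + max_wires] - wires[i] <= window for i in range(len(wires) - max_wires)):
            reasons.append("wire velocity")
        # Tampering: a notification feature turned off, then wires within the window.
        for t, k, d in rows:
            if k == "settings_changed" and d.endswith("=off") and any(timedelta(0) <= w - t <= window for w in wires):
                reasons.append("alerts disabled before outbound wires")
                break
        if reasons:
            alerts[acct] = reasons
    return alerts
```

Both rules are deliberately simple; a production monitor would also consider new beneficiaries, unusual login locations and amounts relative to the account's history.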
Additional resources:
- Federal Financial Institutions Examination Council guidance: http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
- Conference of State Bank Supervisors guidance: http://www.csbs.org/ec/cato/Pages/cato.aspx
- Press Release on Corporate Account Takeovers: http://www.csbs.org/ec/cato/Documents/CSBSUSSSFS-ISAConCATOFINAL.pdf
- Best Practices document: http://www.csbs.org/ec/cato/Documents/BestPracticesCATO.docx
- Tools and resources: http://www.csbs.org/ec/cato/Pages/catotools.aspx
- State of Texas Department of Banking guidance: http://www.ectf.dob.texas.gov/aboutcato.htm
- North American Clearing House Association guidance: https://www.nacha.org/CorporateAccountTakeoverResourceCenter
- Secret Service Electronic Crimes Task Force: http://www.secretservice.gov/ectf.shtml
- Guidance from Treasury, prepared by White Hat Security, on responding to a Distributed Denial of Service attack: http://csbs.informz.net/csbs/data/images/whitehatsecurity_ddos-runbook.docx