Cybersecurity in 2020, Roadwarrior Edition


By Robert McGarvey

Now is the time to take stock of our defenses and I’m not talking about pickpockets and hotel safe thieves. What I mean is guarding against cybercriminals who, unfortunately, prey on business travelers particularly – everywhere from coffee shops to airports to hotels, even whole foreign countries.

A few steps will keep your data safe on the road, and the data is vastly more valuable than the devices themselves. At least in my case, where I usually travel with a five-year-old Chromebook, sometimes an iPad Air 2, neither having much value. The Pixel 3 XL phone has a little value but not much. A suggestion: always travel with disposable tech gear that you won’t miss.

It’s the data that I am concerned about because a criminal could feast on my financial accounts and maybe find a way to monetize data gleaned from emails and documents, many thousands of both on my devices.

Here are my steps towards safe travels.

Countries That Spy on You

Whole countries? You bet. Visit China and you will hear that the “Great Firewall” means you cannot access Gmail and lots of other websites. You will also hear that, psst, use a VPN – only certain vendors pass muster and the list is a changing target – and you will be able to surf to Gmail, Facebook, you name it.

But you have to wonder: is the Chinese government monitoring that VPN traffic and do they have keys that decode it?

Know too that high level security consultants – with clients inside the Beltway and on the highest floors of Fortune 100 office towers – urge their clients to bring a clean computer and a clean phone, no business data on either, and to never access sensitive information while in China because your devices will be copied on your travels.

Not might be. Will be.

Maybe not the gear of Bob Schub, average citizen, but if there is a reason to think you might have interesting info on your computer or phone, know that it will be copied.

Do not bring your every day business computers or phones to China. Don’t.

China is not alone. Here’s a map of the world with nations that heavily monitor Internet traffic highlighted. There are places you might not go – Saudi Arabia – and there are places you might go that monitor at least some traffic (Russia, Turkey). Know before you go and, when in doubt, use clean devices when traveling overseas.

Password Protect Your Phone

At least once a month a friend or neighbor asks me, “What do I do? I was traveling and I lost my phone.”

Sometimes they say it was stolen.

It doesn’t matter. You probably will never see it again.

Know that this happens, and take steps now to protect yourself.

Set up Find My Device (Android) or Find My iPhone in Settings. Now. When you lose a device it may help you find it and – crucially – it may let you wipe the device, which means erasing all personal data.

Also, lock the phone with a PIN or biometric, in Security (Android) or Touch ID and Passcode (Apple). That simple step will keep most criminals away from your data and, in most cases, they only want the phone hardware anyway.

The data is more valuable than the hardware but most criminals are grab and run small change crooks and that’s the good news.

Just take the two simple steps above and, yes, you can cry about losing a $1000 piece of hardware but at least your data and bank accounts will stay safe and that is what matters.

Never Use a Public Phone Recharging Station

You see them in airports, also at meeting venues. Don’t use them. They are a fast track to getting hacked. It’s tempting. Your phone is beeping for juice. Just let it die. Or always carry a charger when on the road, as I do. Often there are two in my bag. They do get forgotten in hotels, so a spare is a good idea.

Don’t Use Public WiFi

Never, don’t. That means no public WiFi at airports, coffee shops, and definitely not hotels.

You say you are protected because you use a VPN. Good luck with that (read about China above). Know that there are known vulnerabilities in consumer-facing VPNs and there also are vulnerabilities in enterprise-grade VPNs.

Personally I sometimes use Google’s VPN on a Google Fi phone when accessing the Internet but generally I am reading the news or checking a website and if that traffic is hijacked, so be it.

My preference is to create a cellphone hotspot and access the Internet via cellular data networks. A few taps in Settings and you are in business.

You may think public WiFi is faster, and of course it usually is cheaper. There is one safe way to use public WiFi – read the next step.

Use a Secure Cloud Based Browser

When on the road and accessing sensitive data via public WiFi, I use Silo, a remote browser that processes all data remotely, in the cloud. (Here’s a paper on the technicalities.) It then transmits an encrypted display of the data to you so you “see” the web page but any computing functions have occurred in the cloud, at a remove from your computer.

There are other remote browsers.

Whichever you use, know that when you look at a page with toxic code, no prob, the bad stuff happens in the cloud. Not on your computer.

And eavesdroppers – who often listen in on public WiFi sessions – will only see an encrypted data stream that won’t mean a thing to them.

That’s five steps. Take them and there is still no guarantee of data security on the road. But you will know you are taking steps to secure your phone, your computer, your Internet traffic. And that puts you in a safer place than 99% of travelers.

A Fraud Epidemic Engulfs Airlines

by Robert McGarvey

Online fraud in the aviation sector is up – by a lot. Up 61%, to use the number offered by Forter. “The fraud prevention specialist says the rise can be attributed to loyalty programs as well as data breaches, such as that suffered by British Airways just over a year ago,” reports Phocuswire.

Last week I reported that airlines were doing better than hotels in fighting cybercriminals. But just maybe the fortunes of airlines have shifted from positive to a shambles. Forter’s new numbers tell the sad story.

What’s stunning is that in 2018 fraud attacks on the airline industry in fact went down, by 28%.

However, Forter plainly said this was no cause for joy. In its report the company noted: “This indicates that the large data hacks within the industry, some of which made passport information available along with other stolen data, have yet to be reused to commit air travel fraud. This data is valuable enough to be leveraged for fully fledged identity theft (which may have many stages) rather than ‘thrown away’ on a single fraud attempt.”

That prophecy has come true in 2019 with the steep jump in airline fraud – particularly involving miles and loyalty, according to the just released numbers.

Forter especially highlighted this fraud in its most recent fraud index: “Loyalty fraud increased by 89% year over year, while the total dollar amount in online fraud increased by 12% year over year.”

In some respects this is not exactly news. As I wrote last week, “Loyalty programs have for some years been hacker targets.” The reasons are plain. Most of us are lax about keeping tabs on loyalty accounts and the miles and points are easy for a thief to turn into cash equivalents. Airline tickets are always salable – but so are airline points and miles because they readily convert to air travel.

Loyalty programs are especially vulnerable because companies strive to deliver a frictionless experience – and where there is no friction, generally the on-ramp for fraudsters is that much more welcoming.

Said Forter: “As a result, loyalty point programs become more vulnerable to opportunistic fraudsters. Points accrued in a customer’s account are treated like digital goods — redemption is wholly conducted online, and requires no stolen credit card information to execute. Fraudsters are thereby able to leverage these points as ‘free’ funding sources and given the minimal mitigation efforts by merchants, are able to consistently do damage without raising suspicions.”

The massive BA breach of course fueled much of the jump in airline-related fraud. About 500,000 customer details were harvested in the breach.

Land travel incidentally also saw a jump in fraud, up 38%. Said Forter: “This increase is attributed to the fact that car rentals and ride services apply less friction in their platforms (ease of pick up in parking, no ID required, etc.), in order to remain competitive in the market and for the perceived better customer experience. The push for an excellent and friction-free customer experience has created vulnerabilities in these platforms, which fraudsters have been targeting.”

Protecting your accounts – especially your loyalty accounts – is squarely on you. Regularly check balances. I know it’s tempting not to bother until you want to cash in miles, but wait until then and, when you look, the miles may be gone.

Now also is a good time to log into any car rental accounts you have. Ditto Uber, Lyft, etc.

Focus in on the loyalty accounts because that’s where fraudsters are hunting. Personally, in the past couple of weeks I have set up new, complex passwords and I have also set up four airline accounts to use biometrics. The goal: to never actually input the password and always to use the biometrics.

What to do if miles have in fact been pilfered from an airline account? Prepare for what may turn out to be a prolonged battle. Particularly when many months have elapsed between when a theft occurs and when it’s reported, some airlines are proving to be stubborn about restoring miles. You may get them, you may not, and a real key to success is quick notification on your part.

Which brings us back to our core advice to regularly check balances. How often is good enough? Personally I now aim for once monthly. You may check more frequently with high-balance accounts; you may want less frequently with low-balance accounts.

But know it’s up to you. Use a very strong password, use biometrics, and stay aware of account activity.

That’s how to protect what is yours. Because, plainly, it’s on you: you can’t depend on the airlines’ defenses.


Sign Off That Hotel WiFi Right Now!

by Robert McGarvey

If you are reading this on hotel WiFi, sign off now. A new Bloomberg report underlines how porous hotel WiFi networks are. This is a long look at the problem and that’s good because it is a grim reality that savvy travelers need to know about.

Do you care if hackers have your credit card numbers, maybe passport info, possibly driver’s license details, hotel loyalty program login and password, and probably more? Because they do. Because hotels do not care about your privacy. They just don’t.

Of course this week’s news is about airlines and breaches – specifically BA – and they have a sorry history of poor defense against hackers. Don’t get distracted however. Airlines are bad at this. But hotels are simply the worst.

Forgive me a Cassandra moment. I have been writing about how much hotel WiFi sucks for at least a decade. The stories are manifold and they always say the same: hackers long ago figured out that hotels have essentially no protections on their WiFi networks, so it is very much a wild west where an Internet caveat emptor prevails.

Except the odds are stacked against you: the hackers are very good at their work, which is stealing salable data. Hotels are very bad at protecting our data. Hotel group after hotel group has fallen victim to hackers. Trump. Hard Rock. Hilton. Marriott.

Information security blogger Brian Krebs has reported that the Marriott (Starwood) breach involved 500 million of us.

In a mea culpa, Marriott said: “The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.  For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

As for who hacked these hotels, nobody knows. In many cases it doubtless is ordinary, common criminals. In other cases, something else may be afoot. Noted Bloomberg: “Marriott hasn’t found any evidence of customer data showing up on dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in March. That sounds like good news but may actually be bad. The lack of commercial intent indicated to security experts that the hack was carried out by a government, which might use the data to extrapolate information about politicians, intelligence assets, and business leaders.”

Yep. The Chinese are believed to be voluminous acquirers of data. But the Russians aren’t slouches. Several European governments are in the game too. And the US government increasingly is active. In that last case it is difficult to see a hack on a domestic company. But impossible? Not really.

Understand this: hotels are truly bad at protecting data. It’s an industry-wide malady. And hotels are lots worse than most other industries. Bloomberg posits a theory: “Hospitality companies long saw technology as antithetical to the human touch that represented good service. The industry’s admirable habit of promoting from the bottom up means it’s not uncommon to find IT executives who started their careers toting luggage. Former bellboys might understand how a hotel works better than a software engineer, but that doesn’t mean they understand network architecture.”

That rings true to me.

Bloomberg went on: “There’s also a structural issue. Companies such as Marriott and Hilton are responsible for securing brand-wide databases that store reservations and loyalty program information. But the task of protecting the electronic locks or guest Wi-Fi at an individual property falls on the investors who own the hotels. Many of them operate on thin margins and would rather spend money on things their customers actually see, such as new carpeting or state-of-the-art televisions.”

In the big chains the vast majority of hotels are owned by “asset holders” – everything from pension funds and big insurance companies to wealthy individuals. They have to be persuaded to fund big-ticket campaigns. And often they haven’t been.

The result in the hotel business is a patchwork of old, cruddy, unreliable technology.

But you do not have to be a victim. There is nothing we can do to strengthen the defenses around a hotel’s property management system and the like. But we can take steps to protect ourselves where WiFi is involved.

You have three options. Definitely use them in hotels, but also in airports, coffee shops, and airport lounges. I don’t guarantee your safety but I promise you will be much, much safer than if you don’t take such steps.

O Create a personal hotspot with your cellphone and log in via it. Cellular data is much, much more secure than hotel network data. Not perfect. But good enough for most of us. This has been my go-to for some years.

O Use a VPN, a virtual private network. There are known limitations to the security delivered by VPNs. I personally no longer use one. But I know many companies require their traveling execs to use a VPN and, if that’s policy, it is much, much better than logging on naked to a hotel network.

O Use Silo or a similar secure browser. The secure browser processes all web data inside a secure container, so even if a user accesses malware it’s no harm, because the data won’t reach the user’s computer. Silo also encrypts traffic to shield it from prying eyes. A tool such as Silo offers more robust protection than do VPNs. (Note: I have been paid by Silo’s developer for past work. That company had no involvement in this column and did not pay me for this.)

That’s three choices. On your next hotel stay, when you log into the Internet use one of the three and know that you will be a lot safer than the guests who log into the hotel’s network. There is no excuse for not protecting yourself. Not when you know just how perilous hotel networks are and will almost certainly remain.

In VPN Should We Trust?


By Robert McGarvey

Mea culpa. I probably have misled you about road warrior Internet security in the past. But today I am here to make amends.

The problem is the public WiFi so many of us use daily. In coffee shops, hotel rooms, meeting venues, airplanes – we hear the Siren call of public WiFi and often succumb to the temptation. We tell ourselves we will be safe because we use a VPN.

For some time I have said that probably is good enough protection.

Now I am rethinking that position. A small project I’ve done with Authentic 8, a security company that has developed Silo, a secure remote browser, is what’s persuaded me that oftentimes VPN just isn’t good enough.

The problem with computing on the road starts with public WiFi, which is – as is well documented – a hacker’s paradise. Noted Kaspersky: “The biggest threat to free Wi-Fi security is the ability for the hacker to position himself between you and the connection point. So instead of talking directly with the hotspot, you’re sending your information to the hacker, who then relays it on.

“While working in this setup, the hacker has access to every piece of information you’re sending out on the Internet: important emails, credit card information and even security credentials to your business network. Once the hacker has that information, he can — at his leisure — access your systems as if he were you.”

If that didn’t scare you, read it again. It’s saying that when using public WiFi you are a sitting duck.

Enter VPN, the putative magic bullet. Many believe it makes public WiFi safe. I wrote as much myself. What a VPN does is create a so-called secure tunnel and, they say, that’s ample protection against hackers.

Is it really? That’s not what I discovered. In fact VPN often is hacked. Here’s one write-up that documents five ways VPNs can fail to deliver protection.

Here’s a headline from ComputerWeekly: “VPN hacks can be lethal, warns security expert.”

Here’s another headline: “DEF CON Update: Researcher Shows How To Hack VPN Services Via VORACLE Attacks.”

VPN can be hacked, it can be used to distribute malware, and, even worse, there are ever more bogus VPN apps that exist to herd the unwary sheep to hacker wolves.

Understand, I use a VPN probably daily. It’s set up to self-deploy on my Pixel phone when I’m in range of a public WiFi network. I agreed to that offer from Google Fi, my cellular provider. But I am very cautious about what info I access under that arrangement. And it’s a Google VPN in the bargain.

If you are accessing public WiFi and all you have is a VPN, use it. Most of the time a VPN will probably be good enough. And it’s definitely better than nothing.

But be very careful about what you access. Stay aware of VPN’s limits.

What if I want more access, and to access more sensitive data? For looking at brokerage accounts, company financial data, maybe even loyalty program balances, personal bank and credit accounts, a VPN alone may not be good enough. That’s where I now say a user ought to deploy the secure, remote Silo browser or similar. Advantages are plentiful. With it, the user location is opaque. No Web data ever touches the endpoint – what’s distributed are pixels, no more.

This document tells you what you want to know about Silo.

What Silo does is process all web data remotely, inside a cloud container. It then transmits an encrypted display of the data back to the user. And when it’s done, Silo destroys the browser session, leaving no traces on the user’s device.

That’s the beauty of it. The web data is handled inside a secure, web-based container. There can be all manner of bad stuff in it and it won’t matter to your user session because it will live only in the cloud.

Oh, and in my tests, I don’t see speed losses when using Silo. There of course are usually significant speed losses with a VPN. If there’s a reason users don’t deploy a VPN when they have it available, it’s the speed bump. That isn’t a problem with Silo.

Note: Silo does not run on phones. For them, you will still want to use VPN. It does run on iPad. Also laptops of course.

The key point is if you want something better – more secure – than VPN, know it exists.

Full disclosure: I have done contract writing for Authentic 8, which is how I grew aware of Silo. I was not paid by Authentic 8 for this column, which I wrote on my own initiative, in large part because I remember the many cases where I scolded friends and colleagues about public WiFi and told them they needed a VPN. So I was half right. But also half wrong. Mea culpa.

After the Marriott Breach, What Now? Can You Protect Yourself?

By Robert McGarvey

Another day, another hotel breach. Face reality. Hoteliers suck at protecting your data. There is no gentle way to put that. They really, really stink.

Hotel News Now has a piece that explores the many hotel data breaches over the last decade. Read it and weep because it is your data that now is in play on the dark web.

Can you in fact stay in hotels and protect yourself? Maybe; we offer tips below. But, first, feast on how inept hoteliers are at data security.

Hotels treat your personal data – name, address, credit card numbers, passport info – the way a deadbeat treats yet another bill collection notice.  

HNN traces the history back to 2010 when there was a big Wyndham data breach. That prompted an FTC suit against Wyndham that eventually was settled. I covered this and, honestly, I find it increasingly tiresome to write about the hotel industry’s cluelessness, or maybe just indifference, to guest data security.

Along the way White Lodging, a management company, had data breaches. So did Trump. Mandarin Oriental. Hilton. Hard Rock. Kimpton. Noble House. IHC. Sabre. Hyatt. Radisson. Many more.

And now there’s Marriott, where maybe 500 million guests were compromised. Apparently because of Starwood data insecurities.

Marriott has not been forthcoming about specific details pertaining to the breach. It has said it is notifying customers who have fallen victim – so expect a phone call, or email, if you’ve stayed at a Starwood in memory. (For the record, here’s the company statement on the breach.)

Word of immediate advice: right now go and check any rewards accounts you maintain at Marriott. There are suggestions that maybe these crooks were after those points – there is no confirmation on that front – but it is believable because there’s increasing evidence that hackers are hungry for points and miles that are fairly easy to convert into cash or cash equivalents (like an iPad or iPhone). Make sure all is copacetic and, if it’s not, raise a loud yell at the nearest Marriott rep.

Should you in fact expect meaningful compensation? Nah. That rarely is on offer. If points were stolen, almost certainly they can be restored. But beyond that I suggest never holding one’s breath in expectation of real compensation for pains suffered in a data breach.

The usual compensation is a year or two of monitoring of credit and dark web activity by a name-brand cybersecurity outfit. My favorite example is when T-Mobile revealed some 15 million applicants for credit – yours truly among them – had their data compromised when a server maintained by Experian was hacked. Victims were offered free credit monitoring by, you guessed it, Experian.

What can you do to protect yourself?

Do make it a practice to get free activity reports from the likes of MasterCard. Closely monitor credit activity and do stay on top of accrued rewards points. If offered free credit monitoring by Marriott, sure, take it.

Accept that by now bad guys know all your private data, from Social Security to your health insurance number (yes, there’s brisk trade in health insurance documents).

So what more can we do to protect our data security? Personally, I cannot recall the last time I booked directly with a hotel, despite their massive push for that. I use OTAs, and many of them have tech company roots and, as an industry, tech has fared a lot better in regard to data privacy than have hotels. OTAs aren’t perfect but I’ll bet on them before a hotel company. In that regard I’ve liked Expedia and will soon start using Google.

But what about the nasty business of check-in, where the desk clerk asks for a photo ID and credit card? I am increasingly tempted to buy a fake (“novelty”) Nova Scotia driver’s license – on sale for $89 – or maybe an Irish driver’s permit for 30 quid. Use a fake name – maybe Michael Collins – and a fake address and I have a good ID to flash at check-in at a hotel.

Then I can ask an issuer of a credit card that I already have to issue a supplementary card in Mr. Collins’ name. Bills continue to go to me, and I would make monitoring the account a prime task because there really is no trusting the hotel.

Isn’t this extreme? Of course. But if hoteliers refuse to take the proper precautions to safeguard our data, we have to take our own precautions. And traveling under a false flag may be just the answer.

Have different suggestions on staying safe? Have at it in the comments box below. I’m at wit’s end myself, forced to cogitate on forgeries. Better ideas are welcome.

Do You Know Who’s Stealing Your Airline Miles?

By Robert McGarvey

The dark web is awash with stolen airline miles for sale. That’s the surprising punch to the face in a recent report from Comparitech.

The subhead delivers the message: “There’s a black market for your frequent flyer miles. Stolen frequent flyer accounts and rewards points are a hot commodity on the Dark Net.”

According to Javelin Strategy + Research, in 2017 11% of attacks on existing financial accounts were on loyalty programs. That’s up from 4% in 2016.

According to Barry Kirk, Vice President of Loyalty, Maritz Motivation Solutions, “Every sizable loyalty program was a victim of attempted fraud or hacking in 2017. Those who believe they weren’t simply haven’t paid attention.”

Maritz research says that 7% of us self-identify as victims of program fraud.

Left unknown is how many of us are victims but haven’t realized it – probably because a little-used account was pilfered. If we do eventually return to that site, we may have forgotten what our miles total should be and just accept that, well, I must have emptied it out, I forget on what.

Headline-winning breaches of loyalty programs are few. The Hilton attack four years ago comes to mind.

In 2015 United and American admitted their programs had been hacked – but both were relatively small thefts. Some 10,000 accounts were said to be compromised at American, fewer at United.

Yet hackers are continually nibbling away at our stashes of miles and points.

A proof is that brisk dark web marketplace, reported by Comparitech, which observed: “On Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles, and Asia Miles. Going by the handle @UpInTheAir, they sell a minimum of 100,000 points for the reward program of your choice, starting out at $884 as of time of writing (this was probably $1,000 originally, but Bitcoin price fluctuations caused it to go down).”

A rule of thumb is that miles are worth 1 to 2 cents apiece (of course smart shoppers can get significantly greater value and less astute shoppers will get lower returns).

On the dark web, however, the going rate, according to Comparitech, appears to be much lower – often as little as 1/10th of the typical value.

There’s a reason for that. Stolen miles probably will not get cashed in for flights, mainly because of ID issues. So what are they good for?

Stuff.

For instance, in 2017, Air Miles, a Canadian loyalty scheme, issued a warning that thieves were using miles to buy merchandise in stores that participate in the program.

In other cases, bolder crooks redeem miles for flights and then sell the travel on websites, often at huge discounts. See a flight going for half what it’s worth and that’s a red flag for trouble ahead.

How do thieves get most of their stolen miles? Generally by hacking into individual accounts – meaning they figure out your username and password, or they use a robot to try enough combinations until it stumbles into the proper formula. It sounds labor-intensive but, increasingly, it is automated.

Loyalty programs now are in a fast-track mode to contain fraud. According to Maritz’s Kirk, “Until very recently, program fraud was only discussed in hushed tones or dismissed as a non-issue. Now all major loyalty agencies proudly promote their fraud protection tools and process.”
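The automated guessing described above leaves a recognisable trace in a loyalty site's authentication log: one source address failing against many different accounts in a short window (a list of leaked username/password pairs being replayed), or one source hammering a single account with many wrong passwords. The following is an added example, not code from the column or from any loyalty program, showing how a defender would flag both patterns. The log layout, the sample lines, the thresholds and the window are all constructed for the example; a real platform would feed its own log format into the parser and tune the thresholds to its traffic.

```python
"""Flag automated login guessing in a (constructed) authentication log.

Added example for the column above, not the column's own code. The line
format, sample lines, window and thresholds are assumptions made here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one source spraying four accounts and then succeeding,
# one source grinding on a single account, and one ordinary user who mistypes
# a password once. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2019-11-03T09:00:01 FAIL user=alice ip=198.51.100.7
2019-11-03T09:00:03 FAIL user=bob ip=198.51.100.7
2019-11-03T09:00:04 FAIL user=carol ip=198.51.100.7
2019-11-03T09:00:06 FAIL user=dave ip=198.51.100.7
2019-11-03T09:00:09 OK user=dave ip=198.51.100.7
2019-11-03T09:01:00 FAIL user=erin ip=203.0.113.9
2019-11-03T09:01:05 FAIL user=erin ip=203.0.113.9
2019-11-03T09:01:10 FAIL user=erin ip=203.0.113.9
2019-11-03T09:01:15 FAIL user=erin ip=203.0.113.9
2019-11-03T09:01:20 FAIL user=erin ip=203.0.113.9
2019-11-03T09:01:25 FAIL user=erin ip=203.0.113.9
2019-11-03T09:02:00 FAIL user=frank ip=192.0.2.5
2019-11-03T09:02:30 OK user=frank ip=192.0.2.5
"""


def parse_log(text):
    """Turn log text into a time-ordered list of login events."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore blank or foreign lines rather than crash on them
        events.append({
            "ts": datetime.fromisoformat(match["ts"]),
            "ok": match["result"] == "OK",
            "user": match["user"],
            "ip": match["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_sources(events, window=timedelta(minutes=5),
                            brute_threshold=6, stuffing_threshold=4):
    """Return {ip: set of reasons} for sources whose failures inside any
    sliding window hit one account brute_threshold times (brute force) or
    spread over stuffing_threshold distinct accounts (credential stuffing)."""
    fails_by_ip = defaultdict(list)
    for event in events:
        if not event["ok"]:
            fails_by_ip[event["ip"]].append(event)

    flagged = defaultdict(set)
    for ip, fails in fails_by_ip.items():
        recent = deque()                 # failures inside the current window
        per_user = defaultdict(int)      # failure count per account in window
        for event in fails:
            recent.append(event)
            per_user[event["user"]] += 1
            # Slide the window: drop failures older than `window`.
            while event["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                per_user[old["user"]] -= 1
                if per_user[old["user"]] == 0:
                    del per_user[old["user"]]
            if per_user[event["user"]] >= brute_threshold:
                flagged[ip].add("brute force")
            if len(per_user) >= stuffing_threshold:
                flagged[ip].add("credential stuffing")
    return dict(flagged)


def compromised_accounts(events, flagged):
    """Accounts that saw a successful login from a flagged source: the ones
    whose balances the owner should check first."""
    return {e["user"] for e in events if e["ok"] and e["ip"] in flagged}


if __name__ == "__main__":
    log_events = parse_log(SAMPLE_LOG)
    sources = find_suspicious_sources(log_events)
    for ip, reasons in sources.items():
        print(ip, ", ".join(sorted(reasons)))
    print("check these accounts:", sorted(compromised_accounts(log_events, sources)))
```

The sliding window matters: six wrong passwords spread over a week is a forgetful customer, six in thirty seconds is a script. The successful login following a spray is the event worth paging on, since that is the point at which miles can start leaving the account.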

Even so, the burden is on you. The miles and points are yours and that also means they are yours to safeguard.

How? That’s easy. Comparitech offered a number of tips, including:

“Shred your boarding pass after a flight.
Never post a photo of your boarding pass online.
Use a strong and unique password for your frequent flyer account.
Monitor your account for suspicious activity.”

The last is crucial. Make it a habit to stop into your loyalty accounts at least monthly.

And also make it a habit to change your passwords occasionally, certainly yearly.

One last bit of advice: just don’t use public WiFi to access your loyalty accounts. Of course it’s tempting when you are sitting at the airport to put the time to use surfing your airline and hotel websites. Don’t. At least don’t on public WiFi. Use a cellphone hotspot instead.

It’s up to you to protect your miles. Know that and do it.

The Good News About AML: Technology to the Rescue

By Robert McGarvey

For CU2.0

Talk with credit union AML/BSA staffers as well as senior executives and you will hear a torrent of woe-is-me complaining about rising workloads, intransigent regulators, too-tight budgets, and inadequate resources.

And then there is a new report from Aite Group’s Julie Conroy – based on extensive interviews with over 40 BSA/AML experts – and the title tells you the theme: The AML of Tomorrow: Here Today.

In the second paragraph Conroy puts out the good news: “Advanced technologies such as machine learning, robotic process automation (RPA), and natural language processing and generation are helping to even the playing field by enhancing both detection and operational efficiency. The even better news: Regulators are gradually growing comfortable with the use of these advanced technologies for AML.”

Read that again. What she is insisting is that financial institutions now have access to technologies that will let them keep pace with – maybe get a step ahead of – criminals who want to launder money.

The stakes are high. Two credit unions in the past decade have effectively been put out of business because of AML deficiencies – Bethex and North Dade.

No credit union wants to be linked with money laundering. But, frankly, trying to keep up with this with a small staff who are doing everything by hand is a loser’s tactic.

How much money is laundered annually? Nobody knows. The United Nations has estimated it’s somewhere between $800 billion and $2 trillion. The high end is about the GDP of Brazil and more than Italy’s. That’s a lot of money in motion and, accordingly, you have to assume that the people who have put it in motion are savvy, wily, and of course know exactly the defenses used by banks and credit unions.

Accordingly, FIs are spending a lot to defend themselves – much of it on payroll. Conroy cited a report from the Clearing House that estimated that major US FIs spent $8 billion on compliance in 2017. She also noted that one large US FI interviewed for her report employed more than 5000 in compliance and “can’t hire fast enough.”

All those workers push out an avalanche of SARs. In 2013 they filed 1.22 million. By 2017 that rose to 2.03 million.

Conroy also pointed to a numerical disconnect that frustrates AML workers and their bosses: “the fact remains that there are on average only 1,200 money laundering-related convictions per year in the U.S., compared with over 1 million SARs filed per year.”

In other words: is all the work really worth the effort and expense?

It gets worse. In many institutions, said Conroy, business line execs grumble that AML teams are “hassling” their customers, making it harder to do the business that brings in money to the FI. AML, in many institutions, is seen as a nuisance that wastes money while making it harder to make money.

Ouch.

Wrote Conroy: “All of this points to the need for the AML function to find technology that enables precise detection while minimizing false positive noise.”

She continued: “The trifecta of increasing criminal sophistication, a steady increase in regulatory expectations, and under-resourced AML departments are bringing AML efforts to a breaking point. As a result, financial services firms are beginning to embrace technologies such as machine learning, RPA [robotic process automation], and natural language processing and generation.”

“Today’s AML function can no longer rely on legions of AML analysts, investigators, and rules-based automation. The use of advanced technologies is needed to aid AML departments in the gathering, filtering, and meaningful assessment of data from multiple sources in multiple formats.”

That prescription puts fear in the hearts of many credit union leaders – they worry about the costs and also the complexities of advanced technologies.

But Conroy has this absolutely right. The only way to stay ahead in the AML wars is with technology that can automate much detection and even reporting. There just aren’t enough AML staffers to be hired, and so the ones who exist get paid ever more.

But – and this is crucial – many of them are burning out, even quitting.

The machines won’t quit on you.

What should your next step be?

In her report Conroy reviews the many technology options out there. Get the report, read her reviews.

And then what?  Her advice is simple: accept that you can’t wait, delay is not an option.

She added: “Try starting small. Cloud-based solutions can be implemented in modules that wrap around or interact with legacy systems to improve performance without a ‘rip and replace’ scenario. In this way, FIs can address the most pressing system deficiencies relatively quickly with less impact to budget and IT resources.”

It’s good advice.

Just don’t wait.

Fiserv Core Flaw Exposed Customer Data at Hundreds of Banks: Security Researcher

By Robert McGarvey

Highly regarded security researcher Brian Krebs has published a bombshell report that maintains a flaw in some Fiserv banking technology leaves customer data potentially exposed to criminals.

Krebs does not finger credit unions that may have fallen victim to this, but there is no reason to think some aren’t.

Krebs credited the flaw discovery to independent security researcher Kristian Erik Hermansen, who noticed that when he set up an alert on his bank account, the alert was assigned an event number. So Hermansen, on a hunch, requested an event number that differed by a single digit, and found that the system served it to him. This matters because, said Krebs, “In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.”

That means a criminal could add his email address to the account and get alerts on, for instance, all transactions.

Krebs also noted that a criminal could hunt for customers who had set up high minimum balance alerts – $5,000, say. That would tell the crook he could siphon out $4,999 and perhaps go undetected for some time.

Krebs said he personally signed up for accounts at two small banks that use Fiserv. Here’s what he found: “In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request.”

He said he found “hundreds” more banks with similar vulnerabilities.

Krebs told Fiserv what he had discovered. The company responded this way: “Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

Cave elaborated to Credit Union Times: “This is related to a one-way messaging feature on a limited number of bank websites. Upon notification, we promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the issue has been fully resolved. Our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact.”

There is no count of the number of websites impacted by this flaw.

Any credit union running a Fiserv core and/or online banking ought to quickly contact Fiserv and ask whether that patch is available for its systems. And – above all else – check your own systems to see whether the Hermansen finding can be reproduced there.

If you can, take action.

Krebs said that, in his inspection, the Fiserv patch in fact works. “This author confirmed that Fiserv no longer shows a sequential event number in their banking sites and has replaced them with a pseudo-random string.”
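The flaw Krebs describes is a missing ownership check on a guessable identifier, and the fix he confirmed is an unguessable one. The following is an added illustration, not Fiserv’s code: a lookup that trusts the event number (the reported behaviour) beside a hardened lookup that ties every alert to the logged-in customer and hands out opaque tokens instead of a counter. The store, customer names and alert values are constructed sample data.

```python
# Added example, not code from Fiserv or from Krebs' report. It models the
# alert-lookup flaw described above beside a hardened version.
import secrets

# Constructed sample data: sequential event number -> alert record.
# Because the numbers are sequential, a neighbouring number is simply
# another customer's alert.
SEQUENTIAL_ALERTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "balance_floor": 5000},
    1002: {"owner": "bob",   "email": "bob@example.com",   "balance_floor": 250},
}


class Forbidden(Exception):
    """Raised when the session does not own the requested alert."""


def get_alert_vulnerable(event_id, session_user):
    """The reported behaviour: any valid event number is returned, no matter
    which customer is logged in, so session_user is never consulted."""
    return SEQUENTIAL_ALERTS.get(event_id)


def create_alert(store, owner, email, balance_floor):
    """Hardened side, step 1: identify each alert by an unguessable token
    (like the pseudo-random string Krebs reported) and record its owner."""
    token = secrets.token_urlsafe(16)
    store[token] = {"owner": owner, "email": email, "balance_floor": balance_floor}
    return token


def get_alert_hardened(store, token, session_user):
    """Hardened side, step 2: authorise every lookup against the session.
    The random token makes ids hard to guess; this ownership check is what
    actually prevents one customer from reading or editing another's alert."""
    alert = store.get(token)
    if alert is None or alert["owner"] != session_user:
        # One response for 'no such alert' and 'not yours', so a caller cannot
        # learn which tokens exist by probing.
        raise Forbidden("alert not found")
    return alert


if __name__ == "__main__":
    store = {}
    t = create_alert(store, "alice", "alice@example.com", 5000)
    print(get_alert_hardened(store, t, "alice")["email"])  # alice@example.com
```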

But Fiserv is not blowing trumpets to announce the patch or the flaw.

A scan of Fiserv’s Twitter feed found no mention of the flaw or Krebs’ reporting or the purported patch.

There’s silence over at Facebook too.

Julie Conroy of Aite told Krebs this about Fiserv’s customers: “These financial institutions use a core banking provider like Fiserv because they don’t have the wherewithal to do it on their own, so they’re really trusting Fiserv to do this on their behalf,” Conroy said. “This will not only reflect on Fiserv’s brand, but also it will impact customer’s perception about their small local bank, which is already struggling to compete with the larger, nationwide institutions.”

What she is saying is that big banks – which ordinarily don’t buy off-the-shelf technology from a vendor like Fiserv – may have a competitive advantage because they build their own.

I’m not sure that is true – I doubt most consumers have a clue as to whether their bank or credit union technology is off the shelf or bespoke.

But Conroy is right: in some ways the big banks keep expanding their technology lead over small institutions. That does not have to be the case. A smart credit union can use fintech alliances to create an institution that is the rival of even the most polished money center banks.

But the credit union has to want to get there.

And a necessary first step is cleaning up that Fiserv mess if your institution is a victim. Do it now.

BSA, AML, and Your Credit Union: The New Perils

By Robert McGarvey

For CU2.0

Ask a senior credit union executive what’s new at his/her institution in regard to anti-money laundering (AML), Patriot Act, and Bank Secrecy Act initiatives and the reality is that you will have a longer and friendlier conversation if you ask about his/her last colonoscopy.

Yes, it’s that bad.

And that’s despite the reality that a credit union can be shut down if it grievously botches its BSA and AML analysis.

Buckle up, because in December 2016 FinCEN issued a press release in which it announced a $500,000 fine against a credit union named Bethex in the Bronx.

Bethex had assets of under $13 million.

It was folded into USALLIANCE, a Rye NY credit union. Bethex was no more.

FinCEN outlined Bethex’s sins: “In 2011, Bethex began providing banking services to many wholesale, commercial money services businesses (MSBs). Many of these MSBs were located in high-risk jurisdictions outside New York and engaged in high-risk activity, including wiring millions of dollars per month to countries at risk for money laundering. When Bethex began to service these MSBs, it did not take steps to update its AML programs.” 

“Among other violations, Bethex failed to timely detect and report suspicious activity to FinCEN and did not file any Suspicious Activity Reports (SARs) from 2008 through 2011. In 2013, as a result of a mandated review of previous transactions, it late-filed 28 SARs. The majority of the suspicious activity involved high-volume, large amount transfers outside of Bethex’s expected customer base by MSBs capable of exploiting Bethex’s AML weaknesses. Most of those SARs were inadequate and contained short, vague narratives encompassing a broad summary of multiple and unrelated instances of suspicious activity. For example, one SAR covered over $906 million in total aggregate of suspicious transactions, but provided little information useful to law enforcement investigators.”

In 2015, North Dade – a small Florida credit union – was effectively put out of business because of AML and BSA violations. In 2013, tiny North Dade moved over $1 billion in wires, often overseas. According to FinCEN: “When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage,” said FinCEN Director Jennifer Shasky Calvery. “This case raises pretty obvious questions that no one seems to have asked. Why would MSBs located all over the world choose a small Florida credit union to conduct close to $2 billion in transactions? Credit unions pride themselves on close and low-risk relationships with known neighborhood customers. However, North Dade welcomed customers far beyond its field of membership, without adequate policies and procedures to ensure AML compliance.”

Face this reality: the big banks have big teams in place to handle BSA, AML, etc. They also have invested – heavily in many cases – in automation that takes a lot of the heavy lifting out of compliance. Machines do the work.

Credit unions – especially the vast majority with assets under $1 billion – generally have not invested in automation for compliance. “There are case management systems that are good. They can be expensive for a small FI.  A lot of bigger banks are using robotics to get screenshots of bank statements and so on – an analyst doesn’t have to spend an hour collecting it. Only the biggest banks are doing this,” said Alma Angotti, managing director in the Global Investigations & Compliance practice of management consulting firm Navigant Consulting, Inc.

Another issue that many small financial institutions now face: “Many employees in compliance are burning out,” said John Podvin, a Dallas lawyer well known in BSA circles.  He added: “There are people in BSA who are asking themselves, do I want to be second guessed all the time. Some are leaving the field.”

A reality in BSA/AML is that the easier course is to file a SAR (suspicious activity report – this document flags an action for possible investigation by law enforcement). Do that and a financial institution probably has satisfied its regulators. “There is no downside to filing,” said Angotti.

Where the credit union may find itself in a pothole is when it does not file a SAR. In that case the credit union needs to justify why it did not file – and an examiner may well challenge the credit union.

And that means many more hours get invested in explaining and justifying decisions. Said Podvin: “There are increasing expectations from examiners – that’s the biggest problem now.”

“It’s one thing for a big bank with a staff of several hundred working in compliance. It’s different for a community bank.”

Or credit union.

A result is that slender compliance staffs may be worn down in many small credit unions.

Another barrier at credit unions: there may be “competition for scarce IT resources,” said Angotti. Doing BSA/AML research is computer intensive and, at least at smaller institutions, there may be a battle for resources. Ask yourself this: who will win if the fight is between marketing, which needs IT resources to power a new campaign that may bring in lots of new members, and compliance, which wants to research possibly suspicious activity by members?

It’s a fight that compliance usually does not win.

Don’t expect BSA/AML workloads to magically lighten.

Possible light at this tunnel’s end, said Podvin, is a federal effort to streamline some BSA/AML compliance.  He pointed to pending legislation, HR 6068, as offering hope to financial institutions. The aim of the bill, in its own words, is to “reduce regulatory burdens, and ensure that the information provided is of a ‘high degree of usefulness’ to law enforcement.”

Don’t count on relief until a bill is signed into law.

Meantime, good advice for top credit union management is to keep your ear to the ground and ask – and ask again – your BSA and AML teams what issues they are facing and what resources they need to do their jobs better and smarter.

No credit union CEO wants to increase the budget for compliance work.

But no credit union CEO wants his/her institution to go the way of Bethex.

That makes the choice easier.