ABA Banking Journal - June 2010 - (Page 44)
How secure is your bank?
An interview with Doug Johnson, ABA’s head of Risk Management
ABABJ: What is your responsibility at ABA in terms of security issues?

Doug Johnson: I’m paid to worry—about any threats and risks that potentially impact banks and their customers. Everything from bank robberies to cyber crime to managing risk on an enterprise-wide basis.

ABABJ: What about this area may a CEO not know?

DJ: Currently there are some serious cyber risks to small-business and municipal customers. Even though check fraud generates a bigger loss figure for a bank, nothing will cause greater reputational risk than if a customer’s information is compromised. Especially if it’s a business or municipal customer, since that customer is potentially liable for a loss that could bankrupt the business or put a school district in jeopardy. Even though the bank doesn’t take the loss, cyber crime can quickly destroy the case for doing online banking with these customers.

ABABJ: How do these cyber crimes work?

DJ: One particularly nasty area that I’m following closely is corporate account takeovers—the infecting of the PCs of corporate and municipal customers like school districts to facilitate fraudulent wire transfers to overseas locations. Zeus Botnet or Zbot is one that sends emails with links that the recipient is highly likely to click on—like a tax court summons or subpoena. (See graphic below.) It’s controlled by many independent users because there’s a Zeus toolkit that teaches others how to target and infect a computer, create new payees, and transfer large sums of money overseas.

[Graphic caption: Doug Johnson uses this very official-looking, but fraudulent, subpoena email in his presentations to demonstrate what banks are up against.]

ABABJ: What can be done?

DJ: There’s no silver bullet, and the perpetrators of these crimes continue to refine their methods to avoid detection. But there are steps that businesses should take—from installing malware detection software on their PCs, to using layered security, to making sure there are human controls in the middle and not totally automated. Extra notifications—such as when changes are made to payees or other account information—can also help, since only 30%-40% of the Zeus attacks can be picked up by existing detection software.

ABABJ: What questions should a CEO be asking the bank’s security personnel?

DJ: What are we doing to protect small business customers? Are we using internal controls as well as technology? What are we doing to increase the level of awareness of our customers? What do our contracts and websites say about the safety of online banking and the obligations customers have to protect themselves? ABA does webinars, conducts workshops, gives talks and writes articles to help raise banker awareness. It’s a critically important issue. When the FBI heard we were doing a webinar, they wanted to be a part of it to help make the case. It’s the first time I ever had someone carrying a gun come into one of our briefings!

Doug Johnson is Vice-President, Risk Management Policy at ABA. He can be reached at email@example.com.
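A layered control of the kind Johnson describes, a human check in the middle plus a notification whenever a wire goes to a newly created payee, is shown below as an added example; it is not code from the article or from ABA. The thresholds, payee records and wire requests are constructed for illustration.

```python
from datetime import date

# Constructed sample payee book: two payees, one added only days ago (hypothetical data).
PAYEES = {
    "P-100": {"name": "Office Supply Co", "country": "US", "added": date(2009, 3, 2)},
    "P-200": {"name": "Overseas Ltd", "country": "UA", "added": date(2010, 6, 8)},
}


def review_wire(req, payees, today, home_country="US",
                new_payee_days=30, large_amount=10_000):
    """Decide what happens to one wire request.

    Returns (decision, reasons):
      'auto'    - nothing unusual, straight-through processing is acceptable
      'hold'    - flagged; must wait for an independent human approver
      'release' - flagged but approved by a second person (dual control)
      'reject'  - payee does not exist in the book
    """
    reasons = []
    payee = payees.get(req["payee_id"])
    if payee is None:
        return "reject", ["unknown payee"]
    # Takeover fraud typically creates a new payee and wires to it at once.
    if (today - payee["added"]).days <= new_payee_days:
        reasons.append("payee added within %d days" % new_payee_days)
    if payee["country"] != home_country:
        reasons.append("destination outside %s" % home_country)
    if req["amount"] >= large_amount:
        reasons.append("amount at or above %d" % large_amount)
    if not reasons:
        return "auto", reasons
    # Human control in the middle: the approver must differ from the initiator,
    # so a single compromised login cannot both create and approve the wire.
    approver = req.get("approved_by")
    if approver and approver != req["initiated_by"]:
        return "release", reasons
    return "hold", reasons


def notifications(requests, payees, today):
    """Out-of-band alert text for every held wire (sent to the account owner,
    not to the session that initiated the wire)."""
    notes = []
    for req in requests:
        decision, reasons = review_wire(req, payees, today)
        if decision == "hold":
            name = payees[req["payee_id"]]["name"]
            notes.append("HOLD: %d to %s (%s)" % (req["amount"], name, "; ".join(reasons)))
    return notes
```

In practice the notification channel should be one the infected PC cannot read, such as a phone call or a separate mobile device, otherwise the alert reaches the attacker as well.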