Ex-FBI On The Onion Approach To Battling Cyber Criminals

When it comes to combating payments fraud, it helps to have insight from one who’s been in the trenches.

Stacy Arruda, a former special agent with the FBI and now executive director of the state of Florida ISAO on cybersecurity, said that part of the problem is that when it comes to protecting credit unions — and really any financial institution — danger lurks in what they don’t know.

As Arruda, who spoke at the PSCU Member Forum earlier this month, told Karen Webster: To be specific — the danger is in what you don’t know you don’t know.

We may know the ways to create better, stronger passwords. Ignore them at your peril. But at least the knowledge is there, the roadmap, the letters and numbers and punctuation marks that make it harder for the bad guys to get into your email and bank accounts.

But all too often we don’t know just who is on the other side of emails. These are malicious emails, the kind that spread viruses, or the kind that trick CFOs and other company execs into wiring money into accounts, never to be seen again.

There’s a lot of fodder out there for the scammers, said Arruda, with information on one’s comings and goings on Facebook, on LinkedIn and beyond. Thus, they craft missives that seem friendly, even familiar, lulling victims with e-mail addresses that may even be, on first or second glance, legit.

“You should never blindly click on email,” she told Webster. At the very least, don’t open it on your company’s network.

Of the bad guys, she said, “depending on the complexity or the level of security at the industry that they’re targeting, they could send an email that could have a piece of malicious code in an attachment. They could send an email with an infected Word document — or if they’re trying to break into a government agency or defense contractor, they could send an email that has the malicious code built into the email and all you have to do is open the email.”

The attacks are targeted ones, said Arruda, who noted that hackers don’t usually try to hack banks or credit unions directly, but instead try to get access through the aforementioned email campaigns, where credentials are stolen and then leveraged to gain access to the FI.

Yes, said Arruda, the FIs spend tremendous amounts of money on cybersecurity defense … but when an unwitting employee clicks on the wrong email, “all that money goes down the tubes.”

The Great Trade-Off

Arruda noted the continuing trade-off that exists between a frictionless online interaction with the bank and one where security is the guiding factor. “If you want to have a very secure institution and secure network, it’s going to take you a little longer to log on. You’re going to probably have two or three factor authentication,” she told Webster. “So it’s not that instant gratification that people are used to … we’ve got to find a happy medium.”

Who Are the Bad Guys?

Webster asked who lies behind the attacks. Criminal rings or state-sponsored agents … or are they individuals?

“It’s not organized crime,” said Arruda, “like you would think of with the Mob where everybody knows everybody.”

Across the dark reaches of the internet, she explained, criminal groups come together and each group has a different skill set. One group may have the skill set of writing the malicious code. Group two may be tasked with finding the computers that are susceptible to that malicious code. Group three may be hackers who go in and harvest the data — the credit cards, for example. And as for these far-flung groups getting paid? Call it honor among thieves — and as Webster noted, the age of faster payments has made it increasingly harder for authorities to recover those ill-gotten gains.

What to Do

Education from FIs has been key, noted Arruda, who added that warnings from banks and credit unions have increased awareness about various scams including business e-mail compromises.

But, as they say, prevention begins at home. The majority of individuals who have computers at home do not practice “defense in depth,” said Arruda. “Look at your security like an onion. The onion has several layers. And as the layers overlap they catch things that would fall through a single layer.”

She added that “you would need to make sure that your system is patched. You would need to make sure that you have antivirus and it’s up to date. You would need to run a firewall and you need to have everything working together because antivirus only catches about 35 percent of the threat.”