This deck discusses how to deal with fraud occurring in e-banking channels by implementing end-to-end controls (deterrent, preventive, detective, responsive, corrective and recovery) and lines of defence, and by deploying a range of anti-fraud strategies.
6. Let’s Start First with Fraud
DEFINITION
Oxford Dictionary
• Wrongful or criminal deception intended to result in financial or personal gain.
or
• A person or thing intended to deceive others, typically by unjustifiably
claiming or being credited with accomplishments or qualities.
Association of Certified Fraud Examiner (ACFE)
• Any crime for gain that uses deception as its principal modus operandi.
Black’s Law Dictionary
• A knowing misrepresentation of the truth or concealment of a material fact to
induce another to act to his or her detriment.
or
• Any intentional or deliberate act to deprive another of property or money by
guile, deception, or other unfair means.
September 2017 6Fraud in E-Banking
7. Fraud vs Lying
• Fraud usually involves lying for a specific gain that causes someone a loss, while lying does not always cause harm.
• For example, if we take our car to an unscrupulous mechanic and he tells us he makes $1,000 a year, this may be a lie, but it does not hurt us.
• However, if our car does not need repairs but the mechanic says it needs $500 in body work, he or she has committed fraud: the truth is twisted and it causes us a financial loss.
8. Types of Fraud
• Internal Fraud
When an employee, manager, or executive commits fraud against his or her employer.
• External Fraud
Fraud committed by vendors, customers, suppliers, integrators, consultants, and other third parties (known or unknown).
Image courtesy of: City Caucus
10. What is Crime?
“An event, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act” ~ Oxford Dictionary
11. What is Crime? (cont’d)
Is doing crime illegal?
Being a criminal = a bad person?
Crime = Illegal against Law + Bad Motive(s) + On Purpose
Crime != Illegal against Law + Unintentional + Good Motive(s)
Crime != Illegal against Law + Unintentional + Bad Motive(s)
Crime != Illegal against Law + On Purpose + Good Motive(s)
12. What is Crime? (cont’d)
And so CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
13. Redefining Cyber Crime
16. Then Cyber Crime is…
• An unlawful act in which a computer or machine is either a tool, a target, or both.
• Punishable under the (Information Technology) Act.
• Happens in and/or through cyberspace.
• Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
• Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
18. Cyber Crime Categories
• Computing Devices as a Target
Using those devices to attack other devices, e.g. hacking, virus/worm attacks, DoS attacks, etc.
• Computing Devices as a Weapon
Using those devices to commit real-world crimes, e.g. cyber terrorism, credit card fraud, etc.
Image courtesy of chakreview.com
19. Cyber Crime Categories (cont’d)
From the victim’s point of view:
1. Cyber crime on Persons
e.g. harassment occurring in cyberspace or through the use of cyberspace (sexual, racial, religious, or other) and cyber bullying.
2. Cyber crime on Groups/Organizations
Targeting particular organizations or groups, whether profit or non-profit; often those that are financial industry players.
20. Cyber Crime Categories (cont’d)
3. Cyber crime on Property
e.g. computer vandalism (destruction of others' property), transmission of harmful programs, unauthorized intrusion through cyberspace, unauthorized possession of computer information.
4. Cyber crime on Government
e.g. cyber terrorism is one distinct kind of crime in this category.
21. Notable Cyber Crimes
In 2014, according to the Federal Bureau of Investigation (FBI):
• Viruses
• Employee abuse of privileges
• Unauthorized access by insiders
• Denial of Service (DoS, DDoS)
• System penetration from the outside
• Theft of proprietary information (User ID and password) and devices
• Sabotage of data/networks
• Probing/scanning systems
• Financial fraud
Image courtesy of indiatimes.com
22. Notable Cyber Crimes (cont’d)
• Manipulate data integrity
• Sniffing
• Keylogger
• IP spoofing
• Vishing (Voice Phishing)
Image courtesy of @TrojanLax
24. Sources: IBM; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies
26. Cyber Crime-as-a-Service Marketplace
• Has continued to mature over the past two years.
• Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
• Has become fiercely competitive.
• Cybercrime ‘service providers’ must work harder than ever before to win and keep ‘customers’.
• Generalized increase in the quality of malware produced.
• Enables a much larger pool of bad actors with no technical knowledge to profit.
27. Cyber Crime-as-a-Service Marketplace (cont’d)
• Many types of attack are simple and low cost.
• Phishing attacks: 500,000 email addresses cost $30.
• Hosting a phishing site can be more or less free.
• Thousands of credit cards can be stolen in return for around $100.
30. Ransomware Continues
• On mobile devices, e.g. Police Locker, which capitalizes on typical user behavior during installation.
• Gains the privileges needed to lock the device.
• Instructs the victim to pay a ransom to unlock their files (or to ‘pay a fine’ because the phone supposedly contains ‘illegal content’).
• Ransoms generally have to be paid via an online payment system, such as Bitcoin, or prepaid cash cards (untraceable and non-reversible).
32. Global Trends in Banking Fraud
• Banking fraud costs an estimated $72B per year in 2016.
• 70% of the actors are internal.
33. Progression of Attack Techniques
Timeline markers on the slide: 2003, 2004, 2005, 2009, 2012, 2014, 2015.
• 2003 – Viruses and Worms: focused on nuisance and damage.
• Phishing and Keyloggers: bypass static username/password.
• Man in the Browser, Man in the Middle: inject transactions, steal secondary authentication.
• MitB with Login Blocking, Automated Scripts: steal credentials, bypass Device ID and risk engines.
• Online / Mobile Cross-Channel Attacks: leverage mobile anonymity, bypass SMS OTP and 2FA.
• 2015 – RDP/VNC, PC-Grade Mobile Malware: bypass Device ID, overlay mobile app.
44. When Misuse of Information Happens
45. Attitude on Fraud Responsibility
46. Indonesia’s Trends and Figures
Security Threat report and Symantec say:
• 36.6 million cyber attacks (35% from outside the country, the rest from inside) from 2012 to 2014.
• 497 cyber crime cases from 2012 to April 2015, with 389 involving foreigners and 108 local citizens.
• Fake bank accounts, money laundering, artificial LC documents, camouflaged postings.
• Accounted for 4.1% of the world’s cyber crimes.
• The highest percentage of PCs infected by malware across the globe.
Government CSIRT says:
• 60% of government domains encountered web defacements and 36% were infected by malware.
47. Indonesia’s Trends and Figures (cont’d)
• According to Norton’s latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
• Yet the figures for Indonesia are unknown.
• Dakaadvisory predicts around USD 2.3bn in 2013 by multiplying the number of victims by the cost per victim.
• Of the Ministry of Communication and IT’s total budget of USD 500m, 1% is allocated to cyber security.
48. Indonesia’s Trends and Figures (cont’d)
• From 2014 to 2016, the Indonesian National Police (Bareskrim POLRI) received 101 investigation requests/inquiries from banking institutions, with estimated losses of IDR 4 billion.
• From 2014 to 2016, Bareskrim says, out of 5,550 skimming cases, 1,549 occurred in Indonesia.
• OJK in 2015 says the most notable e-banking fraud happened in these channels (highest to lowest volume): Credit Card, ATM, SMS Banking, Mobile Banking and Phone Banking.
49. Indonesia’s Trends and Figures (cont’d)
• BI states that since 2012 the fraud rate through payment cards in Indonesia, compared with other SEA countries, is the lowest, around 0.0008% of total transaction volume.
• Interpol acknowledges Indonesia as a nest of cyber criminals.
53. Background
Fraud Triangle
• Motive (or pressure)
The need for committing fraud (need for money, etc.).
• Rationalization
The mindset of the fraudster that justifies committing the fraud.
• Opportunity
The situation that enables fraud to occur, often when internal controls are weak or non-existent.
55. Cost
• Survey participants estimated that the typical organization loses 5% of its annual revenues to fraud.
• On an annual basis, 5% of corporate revenues are lost due to fraudulent activity.
• The median loss for companies is $150,000, while 23% of cases involved losses of $1 million or more.
• Corruption scams are on the rise: they comprised 33.4% of all fraud in 2012 and 36.8% in the 2014 ACFE report. These schemes have a higher price tag than other forms of fraud, at $200,000 on average.
• Among companies with fewer than 100 workers, almost one-third experience losses due to fraud, at an average of $154,000.
56. Cost (cont’d)
• Larger businesses, with 100 or more employees, lose less due to
unlawful activity.
• Just over 23% of these companies suffer losses, on average
$128,000.
• The reason is tied to anti-fraud protections. Larger enterprises tend
to invest in anti-fraud controls, which serve as a deterrent to crime
due to the fact that employees are aware of the measures.
57. Cost (cont’d)
Source: 2016 Report to the Nations on Occupational Fraud and Abuse
58. Impact
• Financial
  • Loss of revenue
  • Cost of response
• Non-Financial Impact
  • Legal
  • Credibility/Image/Reputation
• Example of Non-Financial Impact
  • Emotionally demotivated
  • Lack of confidence in financial and operational data
  • Lack of trust in your organization’s Information Systems
  • Lack of trust in your organization’s Information Technology
  • Losing your users’, customers’ and vendors’ confidence
59. Fraud Statistics
Global Scale
• A typical scam, measured from the time the activity began until it was discovered by the victim, is around 18 months in duration.
• In the corporate setting, many of those convicted of fraud are first-time offenders with relatively uneventful employment histories.
• 87% of the thieves had never been charged with a crime involving fraud.
• 84% had never been punished by an employer for such activity.
60. Fraud Statistics (cont’d)
• In most cases (92%), the fraudster was exhibiting behavioral signs of fraudulent activity in the months leading up to detection.
• Red flags include living beyond their means and having inappropriate business relationships with vendors/customers. Business owners and managers should be aware of the behavioral signs that may indicate fraud in order to prevent it.
61. Fraud Statistics (cont’d)
• With more than half of victim organizations unable to recover their losses, proactive measures to deter and/or prevent fraud are extremely critical.
• The smallest organizations tend to suffer disproportionately large losses since they typically employ fewer anti-fraud controls.
• More than 75% of Fortune 500 companies employ Certified Fraud Examiners.
• Organizations with CFEs uncover frauds 50% sooner and have losses 55% lower.
62. Other Statistics
Source: ACFE In-House Fraud Investigation Teams: 2017 Benchmarking Report
72. Data Analytics Software
Source: ACFE In-House Fraud Investigation Teams: 2017 Benchmarking Report
73. Zooming Fraud In
• Fraud can destroy entire companies – remember Enron, Arthur Andersen and WorldCom?
• Alleged fraud resulted in a 17% stock price decline in the two days surrounding the announcement.
• These companies often experienced bankruptcy, delisting from a stock exchange, or asset sale.
• In many cases, the CEO and/or CFO were named for alleged involvement.
74. Zooming Fraud In (cont’d)
• Among the various forms of asset misappropriation, billing
schemes and check tampering schemes posed the greatest
risk based on their relative frequency and median loss.
• The longer a fraud lasted, the greater the financial damage it
caused.
• While the median duration of the frauds in our study was 18
months, the losses rose as the duration increased. At the
extreme end, schemes that lasted more than five years caused
a median loss of $850,000.
• Most common detection method was tips (39.1% of cases), but
organizations that had reporting hotlines were much more likely
to detect fraud through tips than organizations without hotlines
(47.3% compared to 28.2%, respectively).
75. Zooming Fraud In (cont’d)
• In cases detected by tip at organizations with formal fraud
reporting mechanisms, telephone hotlines were the most
commonly used method (39.5%).
• Tips submitted via email (34.1%) and web-based or online
form (23.5%) combined to make reporting more common
through the Internet than by telephone.
• Whistleblowers were most likely to report fraud to their
direct supervisors (20.6% of cases) or company
executives (18%).
• More occupational frauds originated in the accounting
department (16.6%) than in any other business unit.
76. Zooming Fraud In (cont’d)
• Fraud perpetrators tended to display behavioral warning signs when they were engaged in their crimes.
• The most common red flags were living beyond means, financial difficulties, unusually close association with a vendor or customer, excessive control issues, a general “wheeler-dealer” attitude involving unscrupulous behavior, and recent divorce or family problems.
• At least one of these red flags was exhibited during the fraud in 78.9% of cases.
77. Zooming Fraud In (cont’d)
• In 40.7% of cases, the victim organizations decided not to
refer their fraud cases to law enforcement, with fear of
bad publicity being the most-cited reason.
• 23.1% resulted in a civil suit, and 80.8% of such
completed suits led to either a judgment for the victim or a
settlement.
• 8.4% of the victim organizations were fined as a result of
the fraud. The proportion of victim organizations fined was
highest in the Western Europe (15.6%), Southern Asia
(13.6%), and Asia-Pacific (11.7%) regions.
99. Initial Detection of Fraud
All fraud that occurred in US SMEs in 2015:
• 33.3% by tips
• 15.3% by management review
• 12.1% by accident
• 9.2% by account reconciliation
• 8.2% by internal audit
• 7.9% by document examination
• 7.1% by external audit
100. How to Detect?
• Implementing anti-fraud controls has had a significant impact on financial fraud statistics.
• These organizations reduced their financial losses due to fraud and experienced crimes that were shorter in duration, i.e., the activity was discovered faster as compared to businesses with no anti-fraud controls in place.
• Over three-quarters of fraud cases involving corporations were committed by employees in one of seven divisions: Accounting, Customer Service, Operations, Sales, Executives/C-Suite, Purchasing, and/or Finance.
101. Fraud Examination and Investigation
Courtesy of ACFE
102. Fraud Examination and Investigation (cont’d)
Courtesy of ACFE
103. Examining and Investigating Activities
• Examine/analyze evidence and close investigation activities.
• We have all the tools we need to successfully analyze the evidence and make a determination on the case.
• What have our targets been doing? Is it illegal?
• Has a fraud occurred?
• How does the evidence we have uncovered inform our conclusions?
104. Collecting Evidence
• How to collect electronically stored information (ESI) from Web sites in a manner that will meet or exceed evidence collection standards.
• Electronic Surveillance:
  • Oral intercepts (wiretaps)
  • Pen Registers
  • Key-loggers
Image courtesy of indiatimes.com
108. Fraud Examination vs Forensic Accounting
• Different but related.
• FA is done by accountants using accounting skills in anticipation of potential or actual civil or criminal litigation and can include fraud, valuation, bankruptcy, and others.
• FE is conducted by either accountants or non-accountants and refers only to anti-fraud matters.
• Most FE involves forensic accounting, but not all forensic accounting is fraud examination.
• This is simply because the majority of examinations, investigations, and reports regarding fraud are done with “an eye toward litigation.”
• Fraud examiners conduct their examination with the assumption that the case may end in litigation.
110. Defining Fraud
• Have we defined and classified fraud?
• Financial and non-financial fraud?
• For both internal and external individuals and parties?
111. Hotline
Do you have an anonymous hotline for
reporting fraud?
112. Whistle Blower
Any Whistle Blower system in place to
report misconduct or furthermore, fraud
both financial and non-financial?
113. Management Review
Do we have effective management
review processes in place?
114. Account Reconciliation
Do you perform account reconciliations
at least monthly?
115. Audit Function and Activities
Do you have an effective internal and
external audit function and committee?
116. Risk Function and Activities
Do you have an effective risk function
and committee?
117. Internal Control
• Do you have an effective internal control in place as the 1st level of defense?
• Do you review it regularly and continuously?
118. Examining Documentation
Do you examine the supporting
documentation for your transactions?
119. Fraud Management Systems
Do you have any Fraud Management Systems with a responsive and/or proactive approach?
120. Through End-to-End Controls
Type of controls
• Deterrent
• Preventive
• Detective
• Response
• Recovery
Variety of controls
• Administrative
• Physical
• Technical
121. Control Types
Deterrent – intended to discourage attacks
Preventive – intended to prevent incidents
Detective – intended to detect incidents
Corrective – intended to correct incidents
Recovery – intended to bring controls back up to normal operation
Compensating – provides alternative controls in place of other controls
122. Administrative Controls
• Personnel, such as HR policies, procedures and practices
• Supervisory, such as management practices (supervision, corrective actions)
• Training
• Testing, and management’s responsibility to ensure it happens.
123. Example of Physical Controls
• Physical Network Segregation (not logical) to ensure certain network segments are physically restricted.
• Perimeter Security – CCTV, fences, security guards, badges
• Computer Controls – physical locks on computer equipment, restricted USB access, etc.
124. Example of Physical Controls (cont’d)
• Work Area Separation, e.g. keep accountants out of R&D areas
• Cabling – shielding, fiber
• Control Zone – break up office space into numerous areas (lobby for public, R&D room as Top Secret, and office as Secret)
125. Example of Technical/Logical Controls
Using technology to protect:
• System Access: Kerberos, PKI, RADIUS (specifically access to a system)
• Network Architecture: IP subnets, VLANs, DMZ
• Network Access: routers, switches and firewalls that control access
• Encryption: protects confidentiality and integrity
• Auditing: logging and notification systems.
126. Through End-To-End Anti-Fraud Activities
• Deterrence
• Prevention/Mitigation
• Detection
• Analysis/Examination
• Investigation
• Response
• Recovery
127. Fraud Management Tools
• Data analysis and alert generation
Ability to assimilate data from multiple sources and apply predictive analytics to accurately assess transactions, activities and customer state in real time.
• Alert management
Mechanism for accepting, prioritizing and distributing alerts from the various fraud detection and money laundering tools used across the enterprise, and for recording actions taken to determine whether actual fraud is present or suspicious activity has been identified.
• Social network analysis
An analysis and visualization tool for uncovering previously unknown relationships among accounts or entities.
128. Fraud Management Tools (cont’d)
• Case management
A structured environment in which to manage:
  • Investigation workflows
  • Documenting loss incidents
  • Collection of information and documentation in developing cases for civil and criminal prosecution, restitution and/or collections
  • Reporting on fraud management performance
  • Filing necessary regulatory reports
• Behavioral analytics
• Big Data, perhaps?
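The two functions described on these slides, scoring transactions in real time against what is known about the customer and then accepting, prioritizing and dispositioning the resulting alerts, are easier to grasp as code. The following is an added example written for this page, not code from the slide deck or from any fraud management product; the classes `FraudEngine`, `AlertQueue` and `run_demo`, the four rules and their weights, the thresholds, the channel labels and the sample transactions for customers C1 and C2 are all constructed assumptions.

```python
# Added example (not from the slide deck): a minimal real-time transaction
# scoring engine plus an alert queue, illustrating the "data analysis and
# alert generation" and "alert management" functions. Rule names, weights,
# thresholds and the sample transactions are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class Txn:
    txn_id: str
    customer: str
    channel: str          # assumed channel labels: "internet", "mobile", "atm"
    amount: float
    beneficiary: str
    ts: datetime


@dataclass
class Alert:
    txn_id: str
    customer: str
    score: int
    reasons: List[str]
    priority: str                      # "high" or "medium"
    disposition: Optional[str] = None  # analyst decision, recorded later
    notes: List[str] = field(default_factory=list)


class FraudEngine:
    """Keeps per-customer history and scores each new transaction against it."""
    ALERT_THRESHOLD = 40  # assumed: below this no alert is raised
    HIGH_THRESHOLD = 70   # assumed: at or above this the priority is "high"

    def __init__(self, window=timedelta(minutes=10), max_in_window=3):
        self.history: Dict[str, List[Txn]] = {}
        self.window, self.max_in_window = window, max_in_window

    def score(self, txn: Txn) -> Optional[Alert]:
        hist = self.history.get(txn.customer, [])
        hits = []  # (points, reason) for every rule that fires
        # Rule 1: amount more than 3 standard deviations above the customer's
        # own baseline (a baseline needs at least 5 prior transactions).
        if len(hist) >= 5:
            amounts = [t.amount for t in hist]
            mu, sigma = mean(amounts), pstdev(amounts) or 1.0
            if (txn.amount - mu) / sigma > 3:
                hits.append((40, "amount >3 sigma above baseline"))
        # Rule 2: first ever payment to this beneficiary.
        if txn.beneficiary not in {t.beneficiary for t in hist}:
            hits.append((20, "new beneficiary"))
        # Rule 3: velocity, too many transactions inside the sliding window.
        recent = [t for t in hist if txn.ts - t.ts <= self.window]
        if len(recent) >= self.max_in_window:
            hits.append((30, f"{len(recent) + 1} txns in window"))
        # Rule 4: a channel this customer has never used before (cross-channel).
        if hist and txn.channel not in {t.channel for t in hist}:
            hits.append((20, "unfamiliar channel"))
        self.history.setdefault(txn.customer, []).append(txn)
        score = sum(p for p, _ in hits)
        if score < self.ALERT_THRESHOLD:
            return None
        priority = "high" if score >= self.HIGH_THRESHOLD else "medium"
        return Alert(txn.txn_id, txn.customer, score, [r for _, r in hits], priority)


class AlertQueue:
    """Accepts alerts from any detector, hands them out highest priority first
    and records the action the analyst took on each one."""
    ORDER = {"high": 0, "medium": 1}

    def __init__(self) -> None:
        self.alerts: List[Alert] = []

    def accept(self, alert: Alert) -> None:
        self.alerts.append(alert)

    def next_open(self) -> Optional[Alert]:
        open_alerts = [a for a in self.alerts if a.disposition is None]
        if not open_alerts:
            return None
        return min(open_alerts, key=lambda a: (self.ORDER[a.priority], -a.score))

    def close(self, txn_id: str, decision: str, note: str) -> None:
        """decision is e.g. "confirmed_fraud", "suspicious" or "false_positive"."""
        for a in self.alerts:
            if a.txn_id == txn_id:
                a.disposition = decision
                a.notes.append(note)


def run_demo() -> AlertQueue:
    """Feeds constructed sample transactions through the engine; returns the queue."""
    base = datetime(2017, 9, 1, 9, 0)
    engine, queue = FraudEngine(), AlertQueue()
    # C1: five routine internet payments to B1, then a large mobile payment to B9.
    txns = [Txn(f"c1-{i}", "C1", "internet", 100 + i, "B1", base + timedelta(days=i)) for i in range(5)]
    txns.append(Txn("c1-5", "C1", "mobile", 5000, "B9", base + timedelta(days=5)))
    # C2: four payments to four different beneficiaries within four minutes.
    txns += [Txn(f"c2-{i}", "C2", "mobile", 50, f"B{i}", base + timedelta(minutes=i)) for i in range(4)]
    for t in txns:
        alert = engine.score(t)
        if alert:
            queue.accept(alert)
    return queue
```

With the sample data, C1's sixth payment trips three rules (score 80, high) and C2's fourth payment trips the velocity and new-beneficiary rules (score 50, medium); calling `next_open()` in a loop and `close()` after each review hands the analyst the high alert first and leaves the recorded disposition and note on the alert, which is the "record actions taken" part of alert management. Real engines replace the fixed weights with a trained model, but the assimilate-score-prioritize-record loop is the same.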
132. Indonesia Laws and Regulations
• Telecommunication Act No. 36/1999 focused briefly on telecommunications infrastructure; not the internet in particular.
• Electronic Information and Transactions Act No. 11/2008 for legal enforcement against cyber crime.
• Copyright Act No. 19/2002.
• Pornography Act No. 44/2008.
• Electronic System Provider and Electronic Transaction Regulation No. 82/2012.
133. Indonesia Laws and Regulations (cont’d)
UU No. 3 Year 2004 about Bank Indonesia (BI) roles in
managing and monitoring banking institutions.
134. Indonesia Laws and Regulations (cont’d)
PBI No. 5/8/PBI/2003 about Implementing Risk
Management for General Banking Institutions.
SE BI No. 6/18/DPNP/2004 about Implementing Risk
Management on Internet Banking.
138. Indonesia Laws and Regulations (cont’d)
PBI No. 3/23/2001 about Implementing KYC Principles
SE BI No. 6/37/DPNP/2004 about Identification and
Sanction on KYC and Anti Money Laundering (TPPU)
141. Indonesia Laws and Regulations (cont’d)
PBI No. 6/30/PBI/2004 about Providing APMK Activities.
SE No. 7/60/DASP/2005 about Protecting Account Holder
throughout APMK activities.
142. Start with Fraud Deterrence
• Proactive identification and removal of the causal and enabling factors of fraud.
• Based on the premise that fraud is not a random occurrence: it occurs when the conditions are right for it to occur.
• It attacks the root causes and enablers of fraud.
• This analysis could reveal potential fraud opportunities in the process.
143. Start with Fraud Deterrence (cont’d)
• Performed on the premise that improving organizational procedures to reduce the causal factors of fraud is the single best defense against fraud.
• Involves both short-term (procedural) and long-term (cultural) initiatives.
144. Start with Fraud Deterrence (cont’d)
• Deterrence involves an analysis of the conditions and procedures that affect fraud enablers.
• Looking at what could happen in the future given the process definitions in place, and the people operating that process.
• Therefore, deterrence is a preventive measure, reducing input factors.
145. Deterrence versus Prevention
While deterrence is preventive in nature, there are semantic problems with referring to ‘fraud prevention’.
‘Prevention’ can imply complete elimination of a risk, which is not possible in the case of fraud.
The risk of fraud, like any other risk, can never be completely eliminated; to attempt to do so would be cost prohibitive.
146. Deterrence versus Prevention (cont’d)
Why? Cost of additional internal controls to
further reduce the risk of fraud would
dramatically outweigh the incremental
reduction in potential fraud loss.
Moreover, the imposition of additional
internal controls tends to degrade process
functioning and efficiency.
147. How to Deter?
COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework
It describes five interrelated components of internal control that provide the foundation for fraud deterrence.
These elements are the means by which the opportunity factors in the fraud triangle can be removed to most effectively limit instances of fraud.
148. #1. Control Environment
• Consists of actions, policies and procedures reflecting the overall attitude of management, directors and owners of an entity about internal control and its importance to the entity.
• Sub-components:
  • Integrity
  • Ethical values
  • Commitment to competence
  • Board of Directors
  • Audit committee participation
  • Management’s philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human Resources policies and practices
149. #2. Risk Assessment
• A forward-looking survey of the business environment to identify anything that could prevent the accomplishment of organizational objectives.
• Related to fraud deterrence, it involves identification of internal and external means and risks that could potentially defeat the organization’s internal control structure, compromise an asset, and conceal the actions from management.
• It involves identifying as many potential vulnerabilities and threats as possible, and evaluating them in a way that determines which require action, and the priority for that action.
150. #3. Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions
and activities
3. Adequate documents and records
4. Physical control over assets and
records
5. Independent checks on performance
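Control activities 1, 2 and 3 above (separation of duties, proper authorization, adequate records) are easiest to see as an enforced payment-approval workflow, and activity 5 (independent checks) as a re-verification of that workflow's own records. The maker-checker gate below is an added example written for this page, not code from the slide deck or from COSO; the roles, the users `alice`, `bob`, `carol` and `dave`, their approval limits, the `DUAL_APPROVAL_THRESHOLD` and the function names `submit`, `approve` and `independent_check` are constructed assumptions.

```python
# Added example (not from the slide deck): a maker-checker approval gate that
# enforces separation of duties and authorization limits on payments and keeps
# an audit trail, plus an independent re-check of approved payments. Roles,
# users, limits and the dual-approval threshold are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List

DUAL_APPROVAL_THRESHOLD = 10_000.0  # assumed: above this, two distinct checkers are required


class ControlViolation(Exception):
    """Raised when an action would breach the approval policy."""


@dataclass
class User:
    user_id: str
    role: str                    # "maker" or "checker"
    approval_limit: float = 0.0  # largest amount this user may approve


@dataclass
class Payment:
    payment_id: str
    amount: float
    maker: str
    approvals: List[str] = field(default_factory=list)
    status: str = "pending"
    audit_log: List[str] = field(default_factory=list)  # "adequate documents and records"


def submit(users: Dict[str, User], payment_id: str, amount: float, maker_id: str) -> Payment:
    """Only a maker may initiate a payment; the creation is written to the audit log."""
    if users[maker_id].role != "maker":
        raise ControlViolation(f"{maker_id} is not authorised to initiate payments")
    p = Payment(payment_id, amount, maker_id)
    p.audit_log.append(f"submitted by {maker_id} amount={amount:.2f}")
    return p


def approve(users: Dict[str, User], payment: Payment, approver_id: str) -> str:
    """Applies the separation-of-duties and authorization-limit checks; returns the new status."""
    approver = users[approver_id]
    if payment.status != "pending":
        raise ControlViolation(f"{payment.payment_id} is already {payment.status}")
    if approver.role != "checker":
        raise ControlViolation(f"{approver_id} is not a checker")
    if approver_id == payment.maker:
        raise ControlViolation("separation of duties: a maker cannot approve their own payment")
    if approver_id in payment.approvals:
        raise ControlViolation("the same checker cannot approve twice")
    if payment.amount > approver.approval_limit:
        raise ControlViolation(f"amount exceeds {approver_id}'s approval limit")
    payment.approvals.append(approver_id)
    payment.audit_log.append(f"approved by {approver_id}")
    required = 2 if payment.amount > DUAL_APPROVAL_THRESHOLD else 1
    if len(payment.approvals) >= required:
        payment.status = "approved"
        payment.audit_log.append("status -> approved")
    return payment.status


def independent_check(payments: List[Payment]) -> List[str]:
    """Independent check on performance: re-verify every approved payment from its
    own records and report the ids whose approvals do not satisfy the policy
    (e.g. a record written by a path that bypassed the gate)."""
    findings = []
    for p in payments:
        if p.status != "approved":
            continue
        required = 2 if p.amount > DUAL_APPROVAL_THRESHOLD else 1
        if p.maker in p.approvals or len(set(p.approvals)) < required:
            findings.append(p.payment_id)
    return findings


def demo_users() -> Dict[str, User]:
    """Constructed sample users: one maker and three checkers with different limits."""
    return {
        "alice": User("alice", "maker"),
        "bob": User("bob", "checker", 30_000),
        "carol": User("carol", "checker", 100_000),
        "dave": User("dave", "checker", 5_000),
    }
```

A 5,000 payment submitted by alice is approved by bob alone; a 25,000 payment needs two different checkers within their limits, so alice (maker), dave (limit too low) and a second approval by bob are all rejected, and it only becomes approved once carol adds the second signature. The gate itself stops violations up front; `independent_check` is the detective counterpart that would catch an approved record whose maker appears among its approvers.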
151. #4. Information and Communication
• Relates to flow of information in two directions within an
organization.
• Information should flow downward to the line functions and
provide the best, most accurate information as needed to allow
the function to produce the best results possible.
• Information about performance should flow upwards through
management, through both formal and informal communication
channels, providing objective feedback.
• Both communication channels must function effectively to
safeguard the organization.
152. #5. Monitoring
• Deals with the ongoing/periodic assessment of the quality of internal control performance by management.
• Determines that controls are operating as intended and that they are modified as appropriate for changes in conditions.
• Monitoring involves both fraud deterrence and fraud detection activities.
153. #5. Monitoring (cont’d)
• Management must ensure all control processes are performed as designed and approved.
• Control compliance analysis to verify correct performance of procedures could reveal a control that has been inappropriately modified, or one that is not performed as approved; this control weakness could present the opportunity for fraud.
• Proactively identifying these weaknesses and correcting them is the fraud deterrence aspect of the monitoring process.
154. What the Controls Look Like
• Dedicated IT/Information Security Personnel
• IT/Information Security Risk Management (and Security Architecture if needed)
• IT/Information Security Standards and Frameworks
• Security Incident Plan (Policies and Procedures)
• Security Incident Logs or Documentation
• Security Incident Review Activity
• User Access Rights Policies and Procedures
• User Access Rights Documentation
• User Access Rights Review Activity
• Anti-Virus, Anti-Malware/Spyware and Firewall
155. What the Controls Look Like (cont’d)
• Intrusion Prevention Systems
• Intrusion Detection Systems
• Physical Security
• Data Security
• Information Security
• Software/Application Security
• Database Security
• Vulnerability Assessment
• Penetration Testing
157. ISACA Framework on Information Security
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed
Credit: ISACA
158. NIST Cybersecurity Framework
• Critical Infrastructure
- Vital infrastructure - private and public operators
- Lack of availability would have “debilitating impact”
on the nation’s security, economy, public health,
safety…
• Executive Order 13636; February 12, 2013
• Threat information sharing
• NIST: Baseline Framework to reduce cyber risk
• “Standards, methodologies, procedures and processes that align
policy, business, and technological approaches…”
159. InfoSec Standards
ISO/IEC 27001
Best practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
160. InfoSec Standards (cont’d)
• Payment Card Industry Data Security Standard (PCI DSS) version 3
162. Educate, Educate, Educate
• Our security stakeholders: employees, executives, partners, suppliers, vendors
• What are our policies?
• How to comply?
• Consequences of failure to comply
163. Monitoring and Controlling
• Assessment
• Review
• Audit
• Monitor change control
• New vendor relationships
• Marketing initiatives
• Employee terminations