Dealing with FRAUD in
ELECTRONIC BANKING SPHERE
September 2017 Fraud in E-Banking 2
Workshop Agenda
1. Fraud and Fraudster: Definition and Types
2. Fraud Trends: National and Global
3. Fraud: Background, Cost and Impact
4. Fraud Cases in Electronic Banking
5. Detecting and Examining Fraud
6. Investigating Fraud
7. Mitigating Fraud
8. Managing Fraud Comprehensively
Fraud and Fraudster:
Definition and Types
Let’s Start First with Fraud
DEFINITION
Oxford Dictionary
• Wrongful or criminal deception intended to result in financial or personal gain.
or
• A person or thing intended to deceive others, typically by unjustifiably
claiming or being credited with accomplishments or qualities.
Association of Certified Fraud Examiners (ACFE)
• Any crime for gain that uses deception as its principal modus operandi.
Black’s Law Dictionary
• A knowing misrepresentation of the truth or concealment of a material fact to
induce another to act to his or her detriment.
or
• Any intentional or deliberate act to deprive another of property or money by
guile, deception, or other unfair means.
Fraud vs Lying
• Fraud usually involves lying for a specific gain that causes
someone a loss, while lying does not always cause harm.
• For example, if we take our car to an unscrupulous mechanic,
he may tell us he makes $1,000 a year. If this is a lie, it
does not hurt us.
• However, if our car does not need repairs but the
mechanic says our car needs $500 in body work, he/she
has committed fraud, because the truth has been twisted and
it causes us a financial loss.
Types of Fraud
• Internal Fraud
When an employee, manager, or executive
commits fraud against his or her employer.
• External Fraud
Committed by vendors, customers, suppliers,
integrators, consultants, and other third
parties (known or unknown).
(Figure: courtesy of ACFE)
What is Crime?
“An event, which subjects the
doer to legal punishment or any
offence against morality, social
order or any unjust or shameful
act” ~ Oxford Dictionary
What is Crime? (cont’d)
Doing Crime is Illegal?
Being a criminal = a bad person?
Crime = Illegal against Law + Bad Motive(s) + On Purpose
Crime != Illegal against Law + Unintentional + Good Motive(s)
Crime != Illegal against Law + Unintentional + Bad Motive(s)
Crime != Illegal against Law + On Purpose + Good Motive(s)
What is Crime? (cont’d)
And so CRIMES are NOT to be MEASURED by the
OUTCOME of EVENTS, but by the BAD INTENTION of a
PERSON or ENTITY.
Redefining Cyber Crime
Then Cyber Crime is…
• An unlawful act wherein a computer/machine is
either a tool or a target, or both.
• Punishable under the (Information Technology) Act.
• Happens in and/or through cyber space.
• Former descriptions were "computer crime",
"computer-related crime" or "crime by computer".
• Other forms include "digital", "electronic", "virtual",
"IT", "high-tech" and "technology-enabled" crime.
Fraud Trends: National
and Global
Cyber Crime Categories
• Computing Devices as a Target
Using those devices to attack other devices,
e.g. hacking, virus/worm attacks, DoS attacks, etc.
• Computing Devices as a Weapon
Using those devices to commit real-world crimes,
e.g. cyber terrorism, credit card fraud, etc.
Cyber Crime Categories (cont’d)
From the victim's point of view:
1. Cyber crime on Persons
e.g. harassment occurring in cyberspace, or
through the use of cyberspace (sexual, racial,
religious, or other), and cyber bullying.
2. Cyber crime on Groups/Organizations
Targeting particular organizations or groups,
whether profit or non-profit. Often those
operating as financial industry players.
Cyber Crime Categories (cont’d)
3. Cyber crime on Property
e.g. Computer vandalism (destruction of others'
property), transmission of harmful programs,
unauthorized intrusion through cyber
space, unauthorized possession of computer
information.
4. Cyber crime on Government
e.g. Cyber terrorism is one distinct kind of crime in
this category.
Notable Cyber Crimes
In 2014, according to the Federal Bureau of
Investigation (FBI):
• Viruses
• Employee abuse of privileges
• Unauthorized access by insiders
• Denial of Service (DoS, DDoS)
• System penetration from the outside
• Theft of proprietary information (User ID and password) and devices
• Sabotage of data/networks
• Probing/scanning systems
• Financial fraud
Notable Cyber Crimes (cont’d)
• Manipulating data integrity
• Sniffing
• Keyloggers
• IP spoofing
• Vishing (Voice Phishing)
(Figures, source: IBM. References: [1] UNODC Comprehensive Study on Cybercrime, 2013; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies; [6] ESG: http://bit.ly/1xzTmUW)
Cyber Crime-as-a-Service Marketplace
• Has continued to mature over the past two years.
• Enables more fraudsters to cash in without needing
to understand the chain of fraud, how to phish or
spam, or the IT infrastructure requirements.
• Has become fiercely competitive.
• Cybercrime 'service providers' must work harder than
ever before to win and keep 'customers'.
• Generalized increase in the quality of malware produced.
• Enables a much larger pool of bad actors with no
technical knowledge to profit.
Cyber Crime-as-a-Service Marketplace (cont’d)
• Many types of attack are simple and low
cost.
• Phishing attacks: 500,000 email addresses
cost $30.
• Hosting a phishing site can be more or less
free.
• Thousands of credit cards can be stolen in
return for around $100.
Cyber Crime-as-a-Service Marketplace (cont’d)
(Figure: image courtesy of EMC)
Mobile-Only Attack Vectors
(Figure: image courtesy of EMC)
Ransomware Continues
• On mobile devices, such as Police Locker, which
capitalizes on typical user behavior during
installation.
• Gains the privileges needed to lock the device.
• Gives instructions to pay a ransom to unlock the
files (or to 'pay a fine' because the phone
supposedly contains 'illegal content').
• Ransoms generally have to be paid via an online
payment system such as Bitcoin, or with prepaid cash
cards (untraceable and non-reversible).
(Figure: image courtesy of EMC)
Global Trends in Banking Fraud
• Banking fraud cost an estimated $72B in 2016.
• 70% of the actors are internal.
Progression of Attack Techniques
Timeline shown on the slide (2003 to 2015), in chronological order:
• Viruses and Worms (2003): focused on nuisance and damage.
• Phishing and Keyloggers: bypass static username/password.
• Man in the Browser, Man in the Middle: inject transactions, steal secondary authentication.
• MitB with Login Blocking, Automated Scripts: steal credentials, bypass Device ID and Risk Engines.
• Online / Mobile Cross Channel Attacks: leverage mobile anonymity, bypass SMS OTP and 2FA.
• RDP/VNC, PC-Grade Mobile Malware (2015): bypass Device ID, overlay the mobile app.
Year markers on the slide's timeline: 2003, 2004, 2005, 2009, 2012, 2014, 2015.
(Figures: Method Capitalized for Identity Theft; Fraud Incident Rate; Mobile Consumers Security Preference; Mobile Bankers Security Preference; When Misuse of Information Happens; Attitude on Fraud Responsibility)
Indonesia’s Trends and Figures
Security Threat and Symantec says
• 36.6 million cyber attacks (35% from outside, the rest
from inside the country) from 2012 to 2014.
• 497 cyber crime cases from 2012 to April 2015, with 389
foreigners and 108 local citizens.
• Fake bank accounts, money laundering, artificial LC
documents, camouflage posting.
• Accounted for 4.1% of the world's cyber crimes.
• The highest percentage of PCs infected by malware across
the globe.
Government CSIRT says
• 60% of government domains encountered web
defacements and 36% were infected by malware.
Indonesia’s Trends and Figures (cont’d)
• According to Norton's latest Cyber
Crime report, global consumer
cyber crime costs over USD
150bn annually.
• Yet the figures for Indonesia are
unknown.
• Dakaadvisory predicts around USD
2.3bn in 2013, by multiplying the
number of victims by the cost per
victim.
• Of the Ministry of Communication
and IT's total budget of USD 500m,
1% is allocated to Cyber Security.
Indonesia’s Trends and Figures (cont’d)
• From 2014 to 2016, Indonesia National Police
(Bareskrim POLRI) received 101
investigation requests/inquiries from banking
institutions, with estimated losses of IDR 4 billion.
• From 2014 to 2016, Bareskrim says that out of 5,550
skimming cases, 1,549 occurred in Indonesia.
• OJK in 2015 said the most notable e-banking fraud
happened in these channels (highest to lowest
volume): Credit Card, ATM, SMS Banking, Mobile
Banking and Phone Banking.
Indonesia’s Trends and Figures (cont’d)
• BI states that since 2012 the fraud rate through
Payment Cards in Indonesia, compared
to other SEA countries, is the lowest,
around 0.0008% of total transaction
volume.
• Interpol acknowledges Indonesia as
a nest of cyber criminals.
Recovered Fraud Losses
Outcome of Fraud Investigation Cases
Source: 2016 Report to the Nations on Occupational Fraud and Abuse
Fraud: Background,
Cost and Impact
Background
Fraud Triangle
• Motive (or pressure)
The need for committing fraud (need for money, etc.).
• Rationalization
The mindset of the fraudster that justifies committing fraud.
• Opportunity
The situation that enables fraud to occur.
Often when internal controls are weak or non-existent.
Background (cont’d)
• Donald Cressey’s hypothesis
(Figure: courtesy of ACFE)
Cost
• Survey participants estimated that the typical organization loses 5% of its
annual revenues to fraud.
• On an annual basis, 5% of corporate revenues are lost due to
fraudulent activity.
• The median loss for companies is $150,000, while 23% of
cases involved losses of $1 million or more.
• Corruption scams are on the rise, as they comprised 33.4% of
all fraud in 2012 and 36.8% in the 2014 ACFE report. These
schemes have a higher price tag than other forms of fraud, at
$200,000 on average.
• Among companies with fewer than 100 workers, almost
one-third experience losses due to fraud, at an average
of $154,000.
Cost (cont’d)
• Larger businesses, with 100 or more employees, lose less due to
unlawful activity.
• Just over 23% of these companies suffer losses, on average
$128,000.
• The reason is tied to anti-fraud protections. Larger enterprises tend
to invest in anti-fraud controls, which serve as a deterrent to crime
due to the fact that employees are aware of the measures.
Cost (cont’d)
Source: 2016 Report to the Nations on Occupational Fraud and Abuse
Impact
• Financial Impact
  • Loss of revenue
  • Cost of response
• Non-Financial Impact
  • Legal
  • Credibility/Image/Reputation
• Examples of Non-Financial Impact
  • Emotional demotivation
  • Lack of confidence in financial and operational data
  • Lack of trust in your organization's Information Systems
  • Lack of trust in your organization's Information Technology
  • Losing your users', customers' and vendors' confidence
Fraud Statistics
Global Scale
• A typical scam, measured from the time the activity
began until it was discovered by the victim, is around 18
months in duration.
• In the corporate setting, many of those convicted of fraud
are first-time offenders with relatively uneventful
employment histories.
• 87% of the thieves had never been charged with a crime
involving fraud.
• 84% had never been punished by an employer for such
activity.
Fraud Statistics (cont’d)
• In most cases, 92%, the fraudster was exhibiting
behavioral signs of fraudulent activity in the months
leading up to detection.
• Red flags include living beyond their means and having
inappropriate business relationships with vendors/
customers. Business owners and managers should be
aware of the behavioral signs that may indicate fraud in
order to prevent it.
Fraud Statistics (cont’d)
• With more than half of victim organizations unable to
recover their losses, proactive measures to deter and/or
prevent fraud are extremely critical.
• The smallest organizations tend to suffer disproportionately
large losses, since they typically employ fewer anti-fraud
controls.
• More than 75% of Fortune 500 companies employ
Certified Fraud Examiners.
• Organizations with CFEs uncover frauds 50% sooner and
have losses 55% lower.
Other Statistics
(Figures, source: ACFE In-House Fraud Investigation Teams: 2017 Benchmarking Report. Panels: Other Statistics; Number of Fraud Investigators; Fraud Investigators Report To; Fraud Investigators Time Allocation; Number of Cases; Type of Cases and Losses Recovered; Case Management Software; Data Analytics Software)
Zooming Fraud In
• Fraud can destroy entire companies – Remember Enron,
Arthur Andersen and WorldCom?
• Alleged fraud resulted in a 17% stock price decline in two
days surrounding the announcement.
• These companies often experienced bankruptcy, delisting
from a stock exchange, or asset sale.
• In many cases, the CEO and/or CFO were named for alleged
involvement.
Zooming Fraud In (cont’d)
• Among the various forms of asset misappropriation, billing
schemes and check tampering schemes posed the greatest
risk based on their relative frequency and median loss.
• The longer a fraud lasted, the greater the financial damage it
caused.
• While the median duration of the frauds in our study was 18
months, the losses rose as the duration increased. At the
extreme end, schemes that lasted more than five years caused
a median loss of $850,000.
• Most common detection method was tips (39.1% of cases), but
organizations that had reporting hotlines were much more likely
to detect fraud through tips than organizations without hotlines
(47.3% compared to 28.2%, respectively).
Zooming Fraud In (cont’d)
• In cases detected by tip at organizations with formal fraud
reporting mechanisms, telephone hotlines were the most
commonly used method (39.5%).
• Tips submitted via email (34.1%) and web-based or online
form (23.5%) combined to make reporting more common
through the Internet than by telephone.
• Whistleblowers were most likely to report fraud to their
direct supervisors (20.6% of cases) or company
executives (18%).
• More occupational frauds originated in the accounting
department (16.6%) than in any other business unit.
Zooming Fraud In (cont’d)
• Fraud perpetrators tended to display behavioral warning
signs when they were engaged in their crimes.
• The most common red flags were living beyond means,
financial difficulties, unusually close association with a
vendor or customer, excessive control issues, a general
“wheeler-dealer” attitude involving unscrupulous behavior,
and recent divorce or family problems.
• At least one of these red flags was exhibited during the
fraud in 78.9% of cases.
Zooming Fraud In (cont’d)
• In 40.7% of cases, the victim organizations decided not to
refer their fraud cases to law enforcement, with fear of
bad publicity being the most-cited reason.
• 23.1% resulted in a civil suit, and 80.8% of such
completed suits led to either a judgment for the victim or a
settlement.
• 8.4% of the victim organizations were fined as a result of
the fraud. The proportion of victim organizations fined was
highest in the Western Europe (15.6%), Southern Asia
(13.6%) and Asia-Pacific (11.7%) regions.
Fraud Investigator Must-Have Skillsets
(Figures, source: 2016 Report to the Nations on Occupational Fraud and Abuse)
Fraud Cases in
Electronic Banking
(Figures, source: Indonesia National Police (Bareskrim POLRI), February 2016)
(Case figures: Stealing Customer Funds through Malware; ATM Skimming; E-mail Fraud; Number of Cases and Evidence. Source: Indonesia National Police (Bareskrim POLRI), February 2016)
Estimated Costs of Cyber Crimes in Indonesia
• DAKAAdvisory reveals from 2011 to 2013 (figure)
Putting Them into Global Context
• DAKAAdvisory reveals in 2013 (figure)
Detecting and
Examining Fraud
Initial Detection of Fraud
All fraud occurring in US SMEs in 2015, by initial detection method:
• 33.3% by tips
• 15.3% by management review
• 12.1% by accident
• 9.2% by account reconciliation
• 8.2% by internal audit
• 7.9% by document examination
• 7.1% by external audit
How to Detect?
• Implementing anti-fraud controls had a significant impact on
financial fraud statistics.
• These organizations reduced their financial losses due to
fraud and experienced crimes that were shorter in
duration, i.e., the activity was discovered faster
compared to businesses with no anti-fraud controls in
place.
• Over three-quarters of fraud cases involving corporations
were committed by employees in one of seven
divisions: Accounting, Customer Service, Operations,
Sales, Executives/C-Suite, Purchasing, and/or Finance.
Fraud Examination and Investigation
(Figures: Fraud Examination and Investigation, courtesy of ACFE)
Examining and Investigating Activities
• Examine/analyze evidence
and close
investigation activities.
• We have all the tools we
need to successfully analyze
the evidence and make a
determination on the case.
• What have our targets been
doing? Is it illegal?
• Has a fraud occurred?
• How does the evidence we
have uncovered inform our
conclusions?
Collecting Evidence
• How to collect
electronically stored
information (ESI) from Web
sites in a manner that will
meet or exceed evidence
collection standards.
• Electronic Surveillance:
• Oral intercepts (wiretaps)
• Pen Registers
• Key-loggers
Investigating Fraud
Examination versus Audit
(Figures: Examination versus Audit, courtesy of ACFE)
Fraud Examination vs Forensic Accounting
• Different but related.
• FA is done by accountants using accounting skills in
anticipation of potential or actual civil or criminal litigation,
and can include fraud, valuation, bankruptcy, and others.
• FE is conducted by either accountants or non-accountants
and refers only to anti-fraud matters.
• Most FE involves forensic accounting, but not all forensic
accounting is fraud examination.
• This is simply because the majority of examinations, investigations,
and reports regarding fraud are done with "an eye toward
litigation."
• FEs conduct their examination with the assumption that the case
may end in litigation.
Managing Fraud
Comprehensively
Defining Fraud
• Have we defined and classified fraud?
• Financial and non-financial fraud?
• For both internal and external individuals and parties?
Hotline
Do you have an anonymous hotline for
reporting fraud?
Whistle Blower
Any Whistle Blower system in place to
report misconduct or furthermore, fraud
both financial and non-financial?
Management Review
Do we have effective management
review processes in place?
Account Reconciliation
Do you perform account reconciliations
at least monthly?
Audit Function and Activities
Do you have an effective internal and
external audit function and committee?
Risk Function and Activities
Do you have an effective risk function
and committee?
Internal Control
• Do you have effective internal control in place as the 1st level of defense?
• Do you review it regularly and continuously?
Examining Documentation
Do you examine the supporting
documentation for your transactions?
Fraud Management Systems
Do you have any Fraud Management
Systems with responsive and or
proactive approach?
Through End-to-End Controls
Type of controls
• Deterrent
• Preventive
• Detective
• Response
• Recovery
Variety of controls
• Administrative
• Physical
• Technical
Control Types
Deterrent – intended to discourage attacks
Preventive – intended to prevent incidents
Detective – intended to detect incidents
Corrective – intended to correct incidents
Recovery – intended to bring controls back up to normal operation
Compensating – provides alternative controls in place of other controls
Administrative Controls
• Personnel, such as HR policies, procedures and practices
• Supervisory, such as management practices (supervision, corrective actions)
• Training
• Testing, and management's responsibility to ensure it happens
Example of Physical Controls
• Physical network segregation (not logical) to ensure certain
network segments are physically restricted.
• Perimeter security – CCTV, fences, security guards, badges
• Computer controls – physical locks on computer equipment,
restricted USB access, etc.
Example of Physical Controls (cont’d)
• Work area separation, e.g. keep accountants out of R&D areas
• Cabling – shielding, fiber
• Control zones – break up office space into numerous
areas (lobby as public, R&D room as Top Secret, and
office as Secret)
Example of Technical/Logical Controls
Using technology to protect:
• System Access: Kerberos, PKI, RADIUS
(specifically, access to a system)
• Network Architecture: IP subnets, VLANs, DMZ
• Network Access: routers, switches and firewalls
that control access
• Encryption: protects confidentiality and integrity
• Auditing: logging and notification systems
Through End-To-End Anti-Fraud Activities
• Deterrence
• Prevention/Mitigation
• Detection
• Analysis/Examination
• Investigation
• Response
• Recovery
Fraud Management Tools
• Data analysis and alert generation
Ability to assimilate data from multiple sources and apply
predictive analytics to accurately assess transactions,
activities and customer state in real time.
• Alert management.
Mechanism for accepting, prioritizing and distributing alerts
from the various fraud detection and money laundering
tools used across the enterprise, and to record actions
taken to determine whether actual fraud is present or
suspicious activity has been identified.
• Social network analysis.
An analysis and visualization tool for uncovering previously
unknown relationships among accounts or entities.
Fraud Management Tools (cont’d)
• Case management.
A structured environment in which to manage:
  • Investigation workflows
  • Documentation of loss incidents
  • Collection of information and documentation in
developing cases for civil and criminal prosecution,
restitution and/or collections
  • Reporting on fraud management performance
  • Filing of necessary regulatory reports
• Behavioral analytics
• Big Data, perhaps?
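As an added example (not code from the slides or from any product they mention), the block below sketches the first three tool capabilities in Python: rule-based scoring of each transaction to generate alerts, prioritisation of the alert queue, and a simplified social network analysis that groups accounts sharing a device or payee. Account profiles, scoring rules, thresholds and the sample transactions are constructed assumptions.

```python
# Added example, not from the slides: a minimal fraud-management pipeline
# covering transaction scoring with alert generation, alert prioritisation,
# and link analysis across accounts. Profiles, rules, thresholds and the
# sample transactions are all constructed assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    payee: str
    device_id: str
    ts: datetime
    new_device: bool = False  # device not previously enrolled for the account


@dataclass
class Alert:
    txn_id: str
    account: str
    score: int
    reasons: list = field(default_factory=list)


# Assumed per-account baselines, normally derived from transaction history.
PROFILES = {
    "ACC-1001": {"avg_amount": 150.0, "known_payees": {"PAYEE-A"}},
    "ACC-1002": {"avg_amount": 900.0, "known_payees": {"PAYEE-B", "PAYEE-C"}},
    "ACC-1003": {"avg_amount": 120.0, "known_payees": set()},
}
ALERT_THRESHOLD = 50  # assumed cut-off; tune against labelled history


def score_txn(txn, profile, recent):
    """Rule-based risk score; `recent` = this account's txns in the last hour."""
    score, reasons = 0, []
    if txn.amount >= 5 * profile["avg_amount"]:
        score += 40; reasons.append("amount >= 5x account average")
    if txn.payee not in profile["known_payees"]:
        score += 20; reasons.append("first transfer to this payee")
    if txn.new_device:
        score += 30; reasons.append("transaction from unenrolled device")
    if len(recent) >= 3:
        score += 25; reasons.append("velocity: 3+ transfers within one hour")
    return score, reasons


def generate_alerts(txns, profiles, threshold=ALERT_THRESHOLD):
    """Replay transactions in time order with a per-account one-hour window
    and raise an Alert for each transaction whose score reaches the threshold."""
    windows, alerts = defaultdict(deque), []
    for t in sorted(txns, key=lambda x: x.ts):
        w = windows[t.account]
        while w and t.ts - w[0].ts > timedelta(hours=1):
            w.popleft()  # expire entries older than the window
        score, reasons = score_txn(t, profiles[t.account], list(w))
        w.append(t)
        if score >= threshold:
            alerts.append(Alert(t.txn_id, t.account, score, reasons))
    return alerts


def prioritise(alerts):
    """Alert management: highest score first so the queue is worked top-down."""
    return sorted(alerts, key=lambda a: (-a.score, a.txn_id))


def linked_accounts(txns):
    """Simplified social network analysis: connect accounts to the devices and
    payees they use, then return groups of accounts joined through a shared
    device or payee, a relationship invisible when txns are viewed one by one."""
    adj = defaultdict(set)
    for t in txns:
        for node in (f"device:{t.device_id}", f"payee:{t.payee}"):
            adj[t.account].add(node); adj[node].add(t.account)
    seen, groups = set(), []
    for acc in sorted(a for a in adj if a.startswith("ACC-")):
        comp, stack = set(), [acc]
        while stack:  # depth-first walk of one connected component
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if n.startswith("ACC-"):
                comp.add(n)
            stack.extend(adj[n] - seen)
        if len(comp) > 1:
            groups.append(sorted(comp))
    return groups


# Constructed sample: ACC-1001 suddenly pays a new payee from a new device,
# and ACC-1003 drips four transfers to that same payee from that same device.
T0 = datetime(2017, 9, 1, 10, 0)
SAMPLE_TXNS = [
    Txn("T1", "ACC-1001", 120.0, "PAYEE-A", "DEV-1", T0),
    Txn("T2", "ACC-1001", 950.0, "PAYEE-Z", "DEV-9", T0 + timedelta(minutes=5), new_device=True),
    Txn("T3", "ACC-1002", 800.0, "PAYEE-B", "DEV-2", T0 + timedelta(minutes=10)),
    Txn("T4", "ACC-1003", 100.0, "PAYEE-Z", "DEV-9", T0 + timedelta(minutes=20)),
    Txn("T5", "ACC-1003", 110.0, "PAYEE-Z", "DEV-9", T0 + timedelta(minutes=25)),
    Txn("T6", "ACC-1003", 115.0, "PAYEE-Z", "DEV-9", T0 + timedelta(minutes=30)),
    Txn("T7", "ACC-1003", 650.0, "PAYEE-Z", "DEV-9", T0 + timedelta(minutes=35)),
]

if __name__ == "__main__":
    for a in prioritise(generate_alerts(SAMPLE_TXNS, PROFILES)):
        print(a.txn_id, a.account, a.score, "; ".join(a.reasons))
    print("linked account groups:", linked_accounts(SAMPLE_TXNS))
```

Run stand-alone it prints the two prioritised alerts with their reasons and the one linked account group; the case-management record of what an analyst did with each alert is the part left to the tooling the slides go on to describe.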
Indonesia Laws and Regulations
• Telecommunication Act No. 36/1999 focused briefly
on telecommunications infrastructure; not the
internet in particular.
• Electronic Information and Transactions Act
No. 11/2008 for legal enforcement against cyber
crime.
• Copyright Act No. 19/2002.
• Pornography Act No. 44/2008.
• Electronic System Provider and Electronic
Transaction Regulation No. 82/2012.
Indonesia Laws and Regulations (cont’d)
Law (UU) No. 3 of 2004 on Bank Indonesia's (BI) role in
managing and supervising banking institutions.
Indonesia Laws and Regulations (cont’d)
PBI No. 5/8/PBI/2003 on Implementing Risk
Management for General Banking Institutions.
SE BI No. 6/18/DPNP/2004 on Implementing Risk
Management for Internet Banking.
Indonesia Laws and Regulations (cont’d)
PBI No. 3/23/2001 on Implementing KYC Principles.
SE BI No. 6/37/DPNP/2004 on Identification and
Sanctions regarding KYC and Anti Money Laundering (TPPU).
Indonesia Laws and Regulations (cont’d)
PBI No. 6/30/PBI/2004 on Providing APMK Activities.
SE No. 7/60/DASP/2005 on Protecting Account Holders
throughout APMK activities.
Start with Fraud Deterrence
• Proactive identification and removal of the
causal and enabling factors of fraud.
• Based on the premise that fraud is not a
random occurrence; it occurs when the
conditions are right for it to occur.
• It attacks the root causes and enablers of
fraud.
• This analysis can reveal potential fraud
opportunities in the process.
Start with Fraud Deterrence (cont’d)
• Performed on the premise that improving
organizational procedures to reduce the causal
factors of fraud is the single best defense
against fraud.
• Involves both short-term (procedural) and
long-term (cultural) initiatives.
Start with Fraud Deterrence (cont’d)
• Deterrence involves an analysis of the
conditions and procedures that affect fraud
enablers.
• It looks at what could happen in the future,
given the process definitions in place and
the people operating that process.
• Therefore, deterrence is a preventive
measure, reducing the input factors.
Deterrence versus Prevention
While deterrence is preventive in nature,
there are semantic problems with
referring to ‘fraud prevention’.
‘Prevention’ can imply complete elimination
of a risk, which is not possible in the case
of fraud.
The risk of fraud, like any other risk, can
never be completely eliminated; to attempt to
do so would be cost prohibitive.
Deterrence versus Prevention (cont’d)
Why? Cost of additional internal controls to
further reduce the risk of fraud would
dramatically outweigh the incremental
reduction in potential fraud loss.
Moreover, the imposition of additional
internal controls tends to degrade process
functioning and efficiency.
How to Deter?
COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework
It describes five interrelated components of internal control that provide the foundation for fraud deterrence.
These components are the means by which the opportunity factor in the fraud triangle can be removed to most effectively limit instances of fraud.
#1. Control Environment
• Consists of the actions, policies and procedures that reflect the overall attitude of management, directors and owners of an entity about internal control and its importance to the entity.
• Sub-components:
  • Integrity
  • Ethical values
  • Commitment to competence
  • Board of directors
  • Audit committee participation
  • Management’s philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resources policies and practices
#2. Risk Assessment
• A forward-looking survey of the business environment to identify anything that could prevent the accomplishment of organizational objectives.
• Related to fraud deterrence, it involves identifying internal and external risks that could potentially defeat the organization’s internal control structure, compromise an asset, and conceal the actions from management.
• It involves identifying as many potential vulnerabilities and threats as possible, and evaluating them to determine which require action and the priority of that action.
#3. Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
#4. Information and Communication
• Relates to the flow of information in two directions within an organization.
• Information should flow downward to the line functions and provide the best, most accurate information needed to allow each function to produce the best results possible.
• Information about performance should flow upward through management, through both formal and informal communication channels, providing objective feedback.
• Both communication channels must function effectively to safeguard the organization.
#5. Monitoring
• Deals with the ongoing/periodic assessment of the quality of internal control performance by management.
• Determines that controls are operating as intended and that they are modified as appropriate for changes in conditions.
• Monitoring involves both fraud deterrence and fraud detection activities.
#5. Monitoring (cont’d)
• Management must ensure all control processes are performed as designed and approved.
• Control compliance analysis to verify correct performance of procedures can reveal a control that has been inappropriately modified, or one that is not performed as approved; such a control weakness can present the opportunity for fraud.
• Proactively identifying and correcting these weaknesses is the fraud deterrence aspect of the monitoring process.
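The control activities listed under #3 (separation of duties, authorization of transactions, documents and records) and the access-rights review described under Monitoring can be made concrete in code. The following is an added example for this workshop material, not code from the deck or from any bank's system: a maker-checker ledger in which a payment must be entered by a MAKER and released by one or two different CHECKERs, every decision is written to an audit record, and a review function flags users whose granted roles conflict. The role names, the 100,000 dual-approval threshold, and the sample users and payments are constructed assumptions.

```python
"""Maker-checker (four-eyes) payment authorization plus a separation-of-duties
review. Added illustration for the COSO control activities and monitoring
slides; not the workshop's code. Role names, the dual-approval threshold and
all sample users/payments are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumption: a payment is entered by a MAKER and released by a different
# CHECKER. Holding both roles, or ADMIN with either, is a SoD conflict.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"MAKER", "CHECKER"}),
    frozenset({"MAKER", "ADMIN"}),
    frozenset({"CHECKER", "ADMIN"}),
}
# Assumption: payments at or above this amount need two independent checkers.
DUAL_APPROVAL_THRESHOLD = 100_000


class ControlViolation(Exception):
    """Raised when an action would bypass an internal control."""


@dataclass
class Payment:
    ref: str
    amount: int
    maker: str
    approvals: List[str] = field(default_factory=list)
    released: bool = False


class PaymentLedger:
    """Control activities 1-3: separation of duties, authorization, and an
    append-only audit record of every decision (allowed or denied)."""

    def __init__(self, user_roles: Dict[str, Set[str]]):
        self.user_roles = user_roles
        self.payments: Dict[str, Payment] = {}
        self.audit_log: List[str] = []

    def _require_role(self, user: str, role: str) -> None:
        # Authorization: the acting user must actually hold the role.
        if role not in self.user_roles.get(user, set()):
            self.audit_log.append(f"DENY {user} lacks {role}")
            raise ControlViolation(f"{user} does not hold role {role}")

    def create(self, ref: str, amount: int, maker: str) -> Payment:
        self._require_role(maker, "MAKER")
        if ref in self.payments:
            raise ControlViolation(f"duplicate reference {ref}")
        payment = Payment(ref, amount, maker)
        self.payments[ref] = payment
        self.audit_log.append(f"CREATE {ref} {amount} by {maker}")
        return payment

    def approve(self, ref: str, checker: str) -> Payment:
        payment = self.payments[ref]
        self._require_role(checker, "CHECKER")
        # Separation of duties: the checker must be neither the maker nor
        # someone who has already approved this payment.
        if checker == payment.maker or checker in payment.approvals:
            self.audit_log.append(f"DENY {ref} non-independent approval by {checker}")
            raise ControlViolation(f"{checker} is not independent for {ref}")
        payment.approvals.append(checker)
        self.audit_log.append(f"APPROVE {ref} by {checker}")
        needed = 2 if payment.amount >= DUAL_APPROVAL_THRESHOLD else 1
        if len(payment.approvals) >= needed:
            payment.released = True
            self.audit_log.append(f"RELEASE {ref}")
        return payment


def sod_conflicts(user_roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """User access rights review (monitoring): every user whose granted roles
    contain a conflicting pair, however the grant came about."""
    findings: Dict[str, List[str]] = {}
    for user, roles in user_roles.items():
        hits = sorted("+".join(sorted(pair))
                      for pair in CONFLICTING_ROLE_PAIRS if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


def demo():
    # Constructed sample: 'dewi' received both roles through an ad hoc change,
    # the kind of inappropriately modified control the review should surface.
    users = {"andi": {"MAKER"}, "budi": {"CHECKER"},
             "citra": {"CHECKER"}, "dewi": {"MAKER", "CHECKER"}}
    ledger = PaymentLedger(users)
    ledger.create("TX1", 50_000, "andi")
    ledger.approve("TX1", "budi")        # below threshold: one checker releases
    ledger.create("TX2", 250_000, "andi")
    ledger.approve("TX2", "budi")        # first approval, payment still held
    ledger.approve("TX2", "citra")       # second independent checker releases
    ledger.create("TX3", 10_000, "dewi")
    try:
        ledger.approve("TX3", "dewi")    # maker trying to release own entry
        blocked = False
    except ControlViolation:
        blocked = True
    return ledger, blocked, sod_conflicts(users)


if __name__ == "__main__":
    ledger, blocked, conflicts = demo()
    print("\n".join(ledger.audit_log))
    print("self-approval blocked:", blocked, "| SoD conflicts:", conflicts)
```

Two points the deck's bullets only state in the abstract show up here: the transaction-level check blocks dewi's self-release even though she legitimately holds the CHECKER role, and the periodic review still reports her role combination as a finding, because a toxic grant is a control weakness whether or not it has been exercised yet.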
What the Controls Look Like
• Dedicated IT/Information Security Personnel
• IT/Information Security Risk Management (and Security Architecture if needed)
• IT/Information Security Standards and Frameworks
• Security Incident Plan (Policies and Procedures)
• Security Incident Logs or Documentation
• Security Incident Review Activity
• User Access Rights Policies and Procedures
• User Access Rights Documentation
• User Access Rights Review Activity
• Anti-Virus, Anti-Malware/Spyware and Firewall
What the Controls Look Like (cont’d)
• Intrusion Prevention Systems
• Intrusion Detection Systems
• Physical Security
• Data Security
• Information Security
• Software/Application Security
• Database Security
• Vulnerability Assessment
• Penetration Testing
InfoSec Control Frameworks
ISACA Framework on Information Security
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed (Credit: ISACA)
NIST Cybersecurity Framework
• Critical Infrastructure
  - Vital infrastructure: private and public operators
  - Lack of availability would have a “debilitating impact” on the nation’s security, economy, public health, safety…
• Executive Order 13636; February 12, 2013
• Threat information sharing
• NIST: Baseline Framework to reduce cyber risk
• “Standards, methodologies, procedures and processes that align policy, business, and technological approaches…”
InfoSec Standards
ISO/IEC 27001
Best practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
InfoSec Standards (cont’d)
• Payment Card Industry – Data Security Standard (PCI-DSS) version 3
InfoSec Standards (cont’d)
PCI-DSS High Level Overview
Educate, Educate, Educate
• Our security stakeholders: employees, executives, partners, suppliers, vendors
• What are our policies?
• How to comply?
• Consequences of failure to comply
Monitoring and Controlling
• Assessment
• Review
• Audit
• Monitor change control
• New vendor relationships
• Marketing initiatives
• Employee terminations
Reaching Out
goutama@gmail.com
www.linkedin.com/in/goutama
(+62-815) 962 8555
www.slideshare.net/goudotmobi
Thank You!
Image: pinimg
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Dealing with Fraud in E-Banking Sphere

  • 1. Dealing with FRAUD in ELECTRONIC BANKING SPHERE
  • 2. September 2017 Fraud in E-Banking 2 (Image: DeviantArt)
  • 4. Workshop Agenda
    1. Fraud and Fraudster: Definition and Types
    2. Fraud Trends: National and Global
    3. Fraud: Background, Cost and Impact
    4. Fraud Cases in Electronic Banking
    5. Detecting and Examining Fraud
    6. Investigating Fraud
    7. Mitigating Fraud
    8. Managing Fraud Comprehensively
    (Image: smartclothing)
  • 5. Fraud and Fraudster: Definition and Types
  • 6. Let’s Start First with Fraud: DEFINITION
    Oxford Dictionary
    • Wrongful or criminal deception intended to result in financial or personal gain.
    or
    • A person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities.
    Association of Certified Fraud Examiners (ACFE)
    • Any crime for gain that uses deception as its principal modus operandi.
    Black’s Law Dictionary
    • A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.
    or
    • Any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.
  • 7. Fraud vs Lying
    • Fraud usually involves lying for a specific gain that causes someone a loss, while lying does not always cause harm.
    • Example: if we take our car to an unscrupulous mechanic, he may tell us he makes $1,000 a year. If this is a lie, it does not hurt us.
    • However, if our car does not need repairs but the mechanic says our car needs $500 in body work, he/she has committed fraud, because the truth is twisted and causes us a financial loss.
  • 8. Types of Fraud
    • Internal Fraud: when an employee, manager, or executive commits fraud against his or her employer.
    • External Fraud: vendors, customers, suppliers, integrators, consultants, and other third parties (known or unknown).
    (Image courtesy of City Caucus)
  • 9. (Chart, courtesy of ACFE)
  • 10. What is Crime?
    “An event, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act” ~ Oxford Dictionary
  • 11. What is Crime? (cont’d)
    Doing crime is illegal? Being a criminal = a bad person?
    • Crime = Illegal against Law + Bad Motive(s) + On Purpose
    • Crime != Illegal against Law + Unintentional + Good Motive(s)
    • Crime != Illegal against Law + Unintentional + Bad Motive(s)
    • Crime != Illegal against Law + On Purpose + Good Motive(s)
  • 12. What is Crime? (cont’d)
    And so CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
  • 13. Redefining Cyber Crime: What Crime Is
    “An event, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act” ~ Oxford Dictionary
  • 14. What Crime is All About?
    Doing crime is illegal? Being a criminal = a bad person?
    • Crime = Illegal against Law + Bad Motive(s) + On Purpose
    • Crime != Illegal against Law + Unintentional + Good Motive(s)
    • Crime != Illegal against Law + Unintentional + Bad Motive(s)
    • Crime != Illegal against Law + On Purpose + Good Motive(s)
  • 15. What Crime is All About? (cont’d)
    Therefore CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
  • 16. Then Cyber Crime is…
    • An unlawful act wherein a computer/machine is either a tool or a target or both.
    • Punishable under the (Information Technology) Act.
    • Happens in and/or through cyberspace.
    • Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
    • Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
  • 17. Fraud Trends: National and Global
  • 18. Cyber Crime Categories
    • Computing Devices as a Target: using those devices to attack other devices, e.g. hacking, virus/worm attacks, DoS attacks, etc.
    • Computing Devices as a Weapon: using those devices to commit real-world crimes, e.g. cyber terrorism, credit card fraud, etc.
    (Image courtesy of chakreview.com)
  • 19. Cyber Crime Categories (cont’d): from the victim’s point of view
    1. Cyber crime on Persons, e.g. harassment occurring in cyberspace or through the use of cyberspace (sexual, racial, religious, or other) and cyber bullying.
    2. Cyber crime on Groups/Organizations: targeting particular organizations or groups, whether profit or non-profit; often those in the financial industry.
  • 20. Cyber Crime Categories (cont’d)
    3. Cyber crime on Property, e.g. computer vandalism (destruction of others' property), transmission of harmful programs, unauthorized intrusion through cyberspace, unauthorized possession of computer information.
    4. Cyber crime on Government, e.g. cyber terrorism, one distinct kind of crime in this category.
  • 21. Notable Cyber Crimes: in 2014, according to the Federal Bureau of Investigation (FBI):
    • Viruses
    • Employee abuse of privileges
    • Unauthorized access by insiders
    • Denial of Service (DoS, DDoS)
    • System penetration from the outside
    • Theft of proprietary information (user ID and password) and devices
    • Sabotage of data/networks
    • Probing/scanning systems
    • Financial fraud
    (Image courtesy of indiatimes.com)
  • 22. Notable Cyber Crimes (cont’d)
    • Manipulating data integrity
    • Sniffing
    • Keyloggers
    • IP spoofing
    • Vishing (Voice Phishing)
    (Image courtesy of @TrojanLax)
  • 23. (Chart) Source: IBM; [1] UNODC Comprehensive Study on Cybercrime, 2013
  • 24. (Chart) Source: IBM; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies
  • 25. (Chart) Source: IBM; [6] ESG: http://bit.ly/1xzTmUW
  • 26. Cyber Crime-as-a-Service Marketplace
    • Has continued to mature over the past two years.
    • Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
    • Has become fiercely competitive.
    • Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
    • Generalized increase in the quality of malware produced.
    • Enables a much larger pool of bad actors with no technical knowledge to profit.
  • 27. Cyber Crime-as-a-Service Marketplace (cont’d)
    • Many types of attack are simple and low cost.
    • Phishing attacks: 500,000 email addresses cost $30.
    • Hosting a phishing site can be more or less free.
    • Thousands of credit cards can be stolen in return for around $100.
  • 28. Cyber Crime-as-a-Service Marketplace (cont’d) (Image courtesy of EMC)
  • 29. Mobile-Only Attack Vectors (Image courtesy of EMC)
  • 30. Ransomware Continues
    • On mobile devices, such as Police Locker, capitalizing on typical user behavior during installation.
    • Gains the privileges needed to lock the device.
    • Instructs the user to pay a ransom to unlock their files (or to 'pay a fine' because the phone supposedly contains 'illegal content').
    • Ransoms generally have to be paid via an online payment system, such as Bitcoin, or prepaid cash cards (untraceable and non-reversible).
  • 31. (Image courtesy of EMC)
  • 32. Global Trends in Banking Fraud
    • Banking fraud cost an estimated $72B per year in 2016.
    • 70% of the actors are internal.
  • 33. Progression of Attack Techniques (timeline marks on the slide: 2003, 2004, 2005, 2009, 2012, 2014, 2015)
    • 2003: Viruses and Worms: focused on nuisance and damage
    • Phishing and Keyloggers: bypass static username/password
    • Man in the Browser, Man in the Middle: inject transactions, steal secondary authentication
    • MitB with Login Blocking, Automated Scripts: steal credentials, bypass Device ID and risk engines
    • Online / Mobile Cross Channel Attacks: leverage mobile anonymity, bypass SMS OTP and 2FA
    • RDP/VNC, PC-Grade Mobile Malware: bypass Device ID, overlay mobile app
  • 40. Method Capitalized for Identity Theft (chart)
  • 41. Fraud Incident Rate (chart)
  • 42. Mobile Consumers Security Preference (chart)
  • 43. Mobile Bankers Security Preference (chart)
  • 44. When Misuse of Information Happens (chart)
  • 45. Attitude on Fraud Responsibility (chart)
  • 46. Indonesia’s Trends and Figures
    Security Threat and Symantec say:
    • 36.6 million cyber attacks (35% from outside, the rest from inside the country) from 2012 to 2014.
    • 497 cyber crime cases from 2012 to April 2015, of which 389 involved foreigners and 108 local citizens.
    • Fake bank accounts, money laundering, artificial LC documents, camouflage posting.
    • Accounted for 4.1% of the world’s cyber crimes.
    • The highest percentage of PCs infected by malware across the globe.
    Government CSIRT says:
    • 60% of government domains encountered web defacements and 36% were infected by malware.
  • 47. Indonesia’s Trends and Figures (cont’d)
    • According to Norton’s latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
    • Yet the figures for Indonesia are unknown.
    • Dakaadvisory predicts around USD 2.3bn in 2013, by multiplying the number of victims by the cost per victim.
    • From the Ministry of Communication and IT’s total budget of USD 500m, 1% is allocated to Cyber Security.
  • 48. Indonesia’s Trends and Figures (cont’d)
    • From 2014 until 2016, the Indonesia National Police (Bareskrim POLRI) received 101 investigation requests/inquiries from banking institutions, with estimated losses of IDR 4 billion.
    • From 2014 until 2016, Bareskrim says, out of 5,550 skimming cases, 1,549 occurred in Indonesia.
    • OJK in 2015 says the most notable e-banking fraud happened in these channels (highest to lowest volume): Credit Card, ATM, SMS Banking, Mobile Banking and Phone Banking.
  • 49. Indonesia’s Trends and Figures (cont’d)
    • BI states that since 2012 the fraud rate through payment cards in Indonesia, compared to other SEA countries, is the lowest, around 0.0008% of total transaction volume.
    • Interpol acknowledges Indonesia as a nest of cyber criminals.
  • 50. Recovered Fraud Losses (chart)
  • 51. Outcome of Fraud Investigation Cases (chart) Source: 2016 Report to the Nations on Occupational Fraud and Abuse
  • 52. Fraud: Background, Cost and Impact
  • 53. Background: Fraud Triangle
    • Motive (or pressure): the need for committing fraud (need for money, etc.).
    • Rationalization: the mindset of the fraudster that justifies committing fraud.
    • Opportunity: the situation that enables fraud to occur, often when internal controls are weak or non-existent.
  • 54. Background (cont’d)
    • Donald Cressey’s hypothesis (diagram courtesy of ACFE)
  • 55. Cost
    • Survey participants estimated that the typical organization loses 5% of its annual revenues to fraud.
    • On an annual basis, 5% of corporate revenues are lost due to fraudulent activity.
    • The median loss for companies is $150,000, while 23% of cases involved losses of $1 million or more.
    • Corruption scams are on the rise, as they comprised 33.4% of all fraud in 2012 and 36.8% in the 2014 ACFE report. These schemes have a higher price tag than other forms of fraud, at $200,000 on average.
    • Among companies with fewer than 100 workers, almost one-third experience losses due to fraud, at an average of $154,000.
  • 56. Cost (cont’d)
    • Larger businesses, with 100 or more employees, lose less due to unlawful activity.
    • Just over 23% of these companies suffer losses, on average $128,000.
    • The reason is tied to anti-fraud protections. Larger enterprises tend to invest in anti-fraud controls, which serve as a deterrent to crime because employees are aware of the measures.
  • 57. Cost (cont’d) (chart) Source: 2016 Report to the Nations on Occupational Fraud and Abuse
  • 58. Impact
    • Financial
      • Loss of revenue
      • Cost of response
    • Non-Financial Impact
      • Legal
      • Credibility/Image/Reputation
    • Examples of Non-Financial Impact
      • Emotionally demotivated
      • Lack of confidence in financial and operational data
      • Lack of trust in your organization's Information Systems
      • Lack of trust in your organization's Information Technology
      • Losing your users’, customers’ and vendors’ confidence
  • 59. Fraud Statistics: Global Scale
    • A typical scam, measured from the time the activity began until it was discovered by the victim, is around 18 months in duration.
    • In the corporate setting, many of those convicted of fraud are first-time offenders with relatively uneventful employment histories.
    • 87% of the thieves had never been charged with a crime involving fraud.
    • 84% had never been punished by an employer for such activity.
  • 60. Fraud Statistics (cont’d)
    • In most cases (92%), the fraudster was exhibiting behavioral signs of fraudulent activity in the months leading up to detection.
    • Red flags include living beyond their means and having inappropriate business relationships with vendors/customers. Business owners and managers should be aware of the behavioral signs that may indicate fraud in order to prevent it.
  • 61. Fraud Statistics (cont’d)
    • With more than half of victim organizations unable to recover their losses, proactive measures to deter and/or prevent fraud are extremely critical.
    • The smallest organizations tend to suffer disproportionately large losses, since they typically employ fewer anti-fraud controls.
    • More than 75% of Fortune 500 companies employ Certified Fraud Examiners.
    • Organizations with CFEs uncover frauds 50% sooner and have losses 55% lower.
  • 62–65. Other Statistics (charts) Source: ACFE In-House Fraud Investigation Teams: 2017 Benchmarking Report
  • 66. Number of Fraud Investigators (chart, same source)
  • 67. Fraud Investigators Report To (chart, same source)
  • 68. Fraud Investigators Time Allocation (chart, same source)
  • 69. Number of Cases (chart, same source)
  • 70. Type of Cases and Losses Recovered (chart, same source)
  • 71. Case Management Software (chart, same source)
  • 72. Data Analytics Software (chart, same source)
  • 73. Zooming Fraud In
    • Fraud can destroy entire companies. Remember Enron, Arthur Andersen and WorldCom?
    • Alleged fraud resulted in a 17% stock price decline in the two days surrounding the announcement.
    • These companies often experienced bankruptcy, delisting from a stock exchange, or asset sale.
    • In many cases, the CEO and/or CFO were named for alleged involvement.
  • 74. Zooming Fraud In (cont’d)
    • Among the various forms of asset misappropriation, billing schemes and check tampering schemes posed the greatest risk based on their relative frequency and median loss.
    • The longer a fraud lasted, the greater the financial damage it caused.
    • While the median duration of the frauds in our study was 18 months, the losses rose as the duration increased. At the extreme end, schemes that lasted more than five years caused a median loss of $850,000.
    • The most common detection method was tips (39.1% of cases), but organizations that had reporting hotlines were much more likely to detect fraud through tips than organizations without hotlines (47.3% compared to 28.2%, respectively).
  • 75. Zooming Fraud In (cont’d)
    • In cases detected by tip at organizations with formal fraud reporting mechanisms, telephone hotlines were the most commonly used method (39.5%).
    • Tips submitted via email (34.1%) and web-based or online form (23.5%) combined to make reporting more common through the Internet than by telephone.
    • Whistleblowers were most likely to report fraud to their direct supervisors (20.6% of cases) or company executives (18%).
    • More occupational frauds originated in the accounting department (16.6%) than in any other business unit.
  • 76. Zooming Fraud In (cont’d)
    • In cases detected by tip at organizations with formal fraud reporting mechanisms, telephone hotlines were the most commonly used method (39.5%).
    • Fraud perpetrators tended to display behavioral warning signs when they were engaged in their crimes.
    • The most common red flags were living beyond their means, financial difficulties, unusually close association with a vendor or customer, excessive control issues, a general “wheeler-dealer” attitude involving unscrupulous behavior, and recent divorce or family problems.
    • At least one of these red flags was exhibited during the fraud in 78.9% of cases.
  • 77. Zooming Fraud In (cont’d)
    • In 40.7% of cases, the victim organizations decided not to refer their fraud cases to law enforcement, with fear of bad publicity being the most-cited reason.
    • 23.1% resulted in a civil suit, and 80.8% of such completed suits led to either a judgment for the victim or a settlement.
    • 8.4% of the victim organizations were fined as a result of the fraud. The proportion of victim organizations fined was highest in the Western Europe (15.6%), Southern Asia (13.6%), and Asia-Pacific (11.7%) regions.
  • 78. Fraud Investigator Must-Have Skillsets (chart)
  • 79–84. (Charts) Source: 2016 Report to the Nations on Occupational Fraud and Abuse
  • 85. Fraud Cases in Electronic Banking
  • 86–88. (Case slides) Source: Indonesia National Police (Bareskrim POLRI), February 2016
  • 89. Stealing Customer Funds through Malware
  • 90. ATM Skimming
  • 91. E-mail Fraud
  • 92. (Case slide) Source: Indonesia National Police (Bareskrim POLRI), February 2016
  • 93. Number of Cases and Evidence (chart) Source: Indonesia National Police (Bareskrim POLRI), February 2016
  • 94. (Chart) Source: Indonesia National Police (Bareskrim POLRI), February 2016
  • 95. Estimated Costs of Cyber Crimes in Indonesia
    • DAKAAdvisory figures from 2011 to 2013 (chart)
  • 96. Putting Them into Global Context
    • DAKAAdvisory figures for 2013 (chart)
  • 98. Detecting and Examining Fraud
  • 99. Initial Detection of Fraud: all fraud occurring in US SMEs in 2015
    • 33.3% by tips
    • 15.3% by management review
    • 12.1% by accident
    • 9.2% by account reconciliation
    • 8.2% by internal audit
    • 7.9% by document examination
    • 7.1% by external audit
  • 100. How to Detect?
    • Implementing anti-fraud controls had a significant impact on financial fraud statistics.
    • These organizations reduced their financial losses due to fraud and experienced crimes that were shorter in duration, i.e., the activity was discovered faster compared to businesses with no anti-fraud controls in place.
    • Over three-quarters of fraud cases involving corporations were committed by employees in one of seven divisions: Accounting, Customer Service, Operations, Sales, Executives/C-Suite, Purchasing, and/or Finance.
  • 101–102. Fraud Examination and Investigation (diagrams, courtesy of ACFE)
  • 103. Examining and Investigating Activities
    • Examine/analyze evidence and close investigation activities.
    • We have all the tools we need to successfully analyze the evidence and make a determination on the case.
    • What have our targets been doing? Is it illegal?
    • Has a fraud occurred?
    • How does the evidence we have uncovered inform our conclusions?
  • 104. Collecting Evidence
    • How to collect electronically stored information (ESI) from web sites in a manner that will meet or exceed evidence collection standards.
    • Electronic surveillance:
      • Oral intercepts (wiretaps)
      • Pen registers
      • Key-loggers
    (Image courtesy of indiatimes.com)
  • 105. Investigating Fraud
  • 106–107. Examination versus Audit (diagrams, courtesy of ACFE)
  • 108. Fraud Examination vs Forensic Accounting
    • Different but related.
    • FA is done by accountants using accounting skills in anticipation of potential or actual civil or criminal litigation, and can include fraud, valuation, bankruptcy, and others.
    • FE is conducted by either accountants or non-accountants and refers only to anti-fraud matters.
    • Most FE involves forensic accounting, but not all forensic accounting is fraud examination.
    • Simply because the majority of examinations, investigations, and reports regarding fraud are done with “an eye toward litigation.”
    • FEs conduct their examination with the assumption that the case may end in litigation.
  • 110. Defining Fraud
    • Have we defined and classified fraud?
    • Financial and non-financial fraud?
    • For both internal and external individuals and parties?
  • 111. Hotline: do you have an anonymous hotline for reporting fraud?
  • 112. Whistle Blower: is any whistle-blower system in place to report misconduct or, furthermore, fraud, both financial and non-financial?
  • 113. Management Review: do we have effective management review processes in place?
  • 114. Account Reconciliation: do you perform account reconciliations at least monthly?
  • 115. Audit Function and Activities: do you have an effective internal and external audit function and committee?
  • 116. Risk Function and Activities: do you have an effective risk function and committee?
  • 117. Internal Control
    • Do you have effective internal control in place as the 1st level of defense?
    • Do you review it regularly and continuously?
  • 118. Examining Documentation: do you examine the supporting documentation for your transactions?
  • 119. Fraud Management Systems: do you have any Fraud Management Systems with a responsive and/or proactive approach?
  • 120. Through End-to-End Controls
    Types of controls
    • Deterrent
    • Preventive
    • Detective
    • Response
    • Recovery
    Varieties of controls
    • Administrative
    • Physical
    • Technical
  • 121. Control Types
    • Deterrent: intended to discourage attacks
    • Preventive: intended to prevent incidents
    • Detective: intended to detect incidents
    • Corrective: intended to correct incidents
    • Recovery: intended to bring controls back up to normal operation
    • Compensative: provides alternative controls to other controls
  • 122. Administrative Controls
    • Personnel, such as HR policies, procedures and practices
    • Supervisory, such as management practices (supervisor, corrective actions)
    • Training
    • Testing, and management’s responsibility to ensure it happens
  • 123. Examples of Physical Controls
    • Physical network segregation (not logical) to ensure certain network segments are physically restricted.
    • Perimeter security: CCTV, fences, security guards, badges
    • Computer controls: physical locks on computer equipment, restricted USB access, etc.
  • 124. Examples of Physical Controls (cont’d)
    • Work area separation, e.g. keep accountants out of R&D areas
    • Cabling: shielding, fiber
    • Control zones: break up office space into numerous areas (lobby for the public, R&D room as Top Secret, and offices as Secret)
  • 125. Examples of Technical/Logical Controls: using technology to protect
    • System access: Kerberos, PKI, RADIUS (specifically access to a system)
    • Network architecture: IP subnets, VLANs, DMZ
    • Network access: routers, switches and firewalls that control access
    • Encryption: protects confidentiality and integrity
    • Auditing: logging and notification systems
  • 126. Through End-To-End Anti-Fraud Activities
    • Deterrence
    • Prevention/Mitigation
    • Detection
    • Analysis/Examination
    • Investigation
    • Response
    • Recovery
  • 127. Fraud Management Tools
    • Data analysis and alert generation: the ability to assimilate data from multiple sources and apply predictive analytics to accurately assess transactions, activities and customer state in real time.
    • Alert management: a mechanism for accepting, prioritizing and distributing alerts from the various fraud detection and money laundering tools used across the enterprise, and for recording actions taken to determine whether actual fraud is present or suspicious activity has been identified.
    • Social network analysis: an analysis and visualization tool for uncovering previously unknown relationships among accounts or entities.
  • 128. Fraud Management Tools (cont’d)
    • Case management: a structured environment in which to manage:
      • Investigation workflows
      • Documenting loss incidents
      • Collection of information and documentation in developing cases for civil and criminal prosecution, restitution and/or collections
      • Reporting on fraud management performance
      • Filing necessary regulatory reports
    • Behavioral analytics
    • Big Data, perhaps?
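As an added example that is not part of the workshop deck, the three tool capabilities on slides 127–128 in miniature: rule-based real-time transaction scoring that raises alerts, a prioritized analyst queue that records the action taken on each alert, and a link analysis that groups accounts sharing a device or beneficiary. The account baselines, rule weights, alert threshold and sample transactions are all constructed assumptions, not figures from the deck.

```python
# Added example, not from the deck: all profiles, weights and data are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    channel: str           # "web", "mobile" or "atm"
    device_id: str
    beneficiary: str
    new_beneficiary: bool  # first transfer from this account to this payee
    country: str

@dataclass
class Alert:
    txn_id: str
    account: str
    score: int
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)  # (analyst, decision) log

# Constructed per-account baselines: typical amount and home country.
PROFILES = {
    "ACC-1001": {"avg_amount": 150.0, "home_country": "ID"},
    "ACC-1002": {"avg_amount": 2000.0, "home_country": "ID"},
    "ACC-1003": {"avg_amount": 80.0, "home_country": "ID"},
}
ALERT_THRESHOLD = 50  # assumed cut-off for raising an alert

def score_txn(txn, profiles=PROFILES):
    """Real-time risk score for one transaction; rule weights are illustrative."""
    p = profiles.get(txn.account, {"avg_amount": 100.0, "home_country": "ID"})
    score, reasons = 0, []
    if txn.amount > 5 * p["avg_amount"]:
        score += 40
        reasons.append("amount more than 5x account baseline")
    if txn.new_beneficiary:
        score += 25
        reasons.append("first transfer to this beneficiary")
    if txn.country != p["home_country"]:
        score += 20
        reasons.append("transaction country differs from home country")
    if txn.channel == "mobile" and txn.new_beneficiary and txn.amount > p["avg_amount"]:
        score += 15
        reasons.append("mobile channel + new payee + above-baseline amount")
    return score, reasons

def generate_alerts(txns, threshold=ALERT_THRESHOLD):
    """Alert generation: one Alert per transaction scoring at or above threshold."""
    alerts = []
    for t in txns:
        score, reasons = score_txn(t)
        if score >= threshold:
            alerts.append(Alert(t.txn_id, t.account, score, reasons))
    return alerts

def prioritize(alerts):
    """Alert management: analyst queue, highest score first (ties by txn id)."""
    return sorted(alerts, key=lambda a: (-a.score, a.txn_id))

def record_action(alert, analyst, decision):
    """Record the action taken on an alert, e.g. 'confirmed fraud'."""
    alert.actions.append((analyst, decision))
    return alert

def link_accounts(txns):
    """Social network analysis in miniature: union-find over accounts that share
    a device id or a beneficiary; returns only groups of two or more accounts."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}  # (attribute kind, value) -> first account that used it
    for t in txns:
        find(t.account)
        for key in (("device", t.device_id), ("beneficiary", t.beneficiary)):
            if key in first_seen:
                ra, rb = find(first_seen[key]), find(t.account)
                if ra != rb:
                    parent[ra] = rb
            else:
                first_seen[key] = t.account
    groups = defaultdict(set)
    for acc in {t.account for t in txns}:
        groups[find(acc)].add(acc)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample: T2 and T4 share a device and a payee across two accounts.
SAMPLE_TXNS = [
    Txn("T1", "ACC-1001", 120.0, "web", "DEV-A", "BEN-X", False, "ID"),
    Txn("T2", "ACC-1001", 950.0, "mobile", "DEV-B", "BEN-Y", True, "ID"),
    Txn("T3", "ACC-1002", 2100.0, "web", "DEV-C", "BEN-Z", False, "ID"),
    Txn("T4", "ACC-1003", 700.0, "mobile", "DEV-B", "BEN-Y", True, "SG"),
    Txn("T5", "ACC-1002", 500.0, "atm", "DEV-D", "BEN-W", False, "ID"),
]
```

Running `prioritize(generate_alerts(SAMPLE_TXNS))` queues T4 (score 100) ahead of T2 (score 80), and `link_accounts(SAMPLE_TXNS)` reports ACC-1001 and ACC-1003 as a single linked group because they share DEV-B and BEN-Y.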
  • 132. Indonesia Laws and Regulations • Telecommunication Act No. 36/1999 focused on Telecommunications Infrastructure briefly; Not internet in particular. • Information and Transaction Electronic Act No. 11/2008 for legal enforcements against cyber crime. • Copyright Act No. 19/2002. • Pornography Act No. 44/2008. • Electronic System Provider and Electronic Transaction Regulation No. 82/2012. September 2017 132Fraud in E-Banking
• 133. Indonesia Laws and Regulations (cont’d) Act No. 3/2004 (UU No. 3 Tahun 2004) on Bank Indonesia (BI): BI’s role in regulating and supervising banking institutions (day-to-day bank supervision has since been transferred to OJK under Act No. 21/2011).
• 134. Indonesia Laws and Regulations (cont’d) PBI No. 5/8/PBI/2003 on the implementation of risk management for commercial banks. SE BI No. 6/18/DPNP/2004 on the implementation of risk management in internet banking activities.
• 138. Indonesia Laws and Regulations (cont’d) PBI No. 3/23/2001 on the implementation of Know Your Customer (KYC) principles. SE BI No. 6/37/DPNP/2004 on the identification of, and sanctions for, breaches of KYC and anti-money laundering (TPPU) requirements.
• 141. Indonesia Laws and Regulations (cont’d) PBI No. 6/30/PBI/2004 on the operation of card-based payment instrument (APMK) activities. SE No. 7/60/DASP/2005 on protecting account holders in APMK activities.
• 142. Start with Fraud Deterrence • Proactive identification and removal of the causal and enabling factors of fraud. • Based on the premise that fraud is not a random occurrence; it occurs when the conditions are right for it to occur. • It attacks the root causes and enablers of fraud. • This analysis could reveal potential fraud opportunities in the process.
• 143. Start with Fraud Deterrence (cont’d) • Performed on the premise that improving organizational procedures to reduce the causal factors of fraud is the single best defense against fraud. • Involves both short-term (procedural) and long-term (cultural) initiatives.
• 144. Start with Fraud Deterrence (cont’d) • Deterrence involves an analysis of the conditions and procedures that affect fraud enablers. • It looks at what could happen in the future given the process definitions in place and the people operating that process. • Deterrence is therefore a preventive measure: it reduces the input factors.
• 145. Deterrence versus Prevention While deterrence is preventive in nature, there are semantic problems with referring to ‘fraud prevention’. ‘Prevention’ can imply complete elimination of a risk, which is not possible in the case of fraud. The risk of fraud, like any other risk, can never be completely eliminated; to attempt to do so would be cost prohibitive.
• 146. Deterrence versus Prevention (cont’d) Why? The cost of additional internal controls to further reduce the risk of fraud would dramatically outweigh the incremental reduction in potential fraud loss. Moreover, imposing additional internal controls tends to degrade process functioning and efficiency.
• 147. How to Deter? The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework describes five interrelated components of internal control that provide the foundation for fraud deterrence. These components are the means by which the opportunity factor in the fraud triangle can be removed, to most effectively limit instances of fraud.
• 148. #1. Control Environment • Consists of the actions, policies and procedures reflecting the overall attitude of management, directors and owners of an entity about internal control and its importance to the entity. • Sub-components: • Integrity • Ethical values • Commitment to competence • Board of directors • Audit committee participation • Management’s philosophy and operating style • Organizational structure • Assignment of authority and responsibility • Human resources policies and practices
• 149. #2. Risk Assessment • A forward-looking survey of the business environment to identify anything that could prevent the accomplishment of organizational objectives. • Related to fraud deterrence, it involves identifying internal and external risks that could potentially defeat the organization’s internal control structure, compromise an asset, and conceal the actions from management. • It involves identifying as many potential vulnerabilities and threats as possible, and evaluating them to determine which require action, and the priority for that action.
• 150. #3. Control Activities 1. Adequate separation of duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical control over assets and records 5. Independent checks on performance
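What control activities 1, 2, 3 and 5 look like when enforced in an e-banking transfer workflow rather than only in a policy document, as an added example that is not from the original deck: a maker/checker flow in which the approver must be a different person from the initiator, only assigned roles may act, every action is recorded, and an independent reviewer replays the rules over the stored records. The role table, the approval threshold and the user names are constructed for illustration.

```python
"""Added example, not from the original slides: COSO control activities
(separation of duties, authorization, records, independent checks) applied
to a transfer-approval workflow. Roles, threshold and users are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

APPROVAL_THRESHOLD = 10_000.0   # assumed: above this a second person must approve

# Constructed role assignments (control 2: who may authorize what).
ROLES = {
    "alice": {"maker"},
    "bob": {"checker"},
    "carol": {"maker", "checker"},
}


class ControlViolation(Exception):
    """Raised when an action would break one of the control activities."""


@dataclass
class Transfer:
    ref: str
    amount: float
    maker: str
    checker: Optional[str] = None
    status: str = "pending"
    audit: List[Tuple[str, str]] = field(default_factory=list)  # control 3: records


def create_transfer(ref: str, amount: float, user: str) -> Transfer:
    """Control 2: only a user holding the maker role may initiate a transfer."""
    if "maker" not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} may not initiate transfers")
    t = Transfer(ref=ref, amount=amount, maker=user)
    t.audit.append(("created", user))
    if amount <= APPROVAL_THRESHOLD:
        t.status = "approved"            # within the maker's own authority
        t.audit.append(("auto-approved", user))
    return t


def approve_transfer(t: Transfer, user: str) -> Transfer:
    """Control 1: the checker must hold the role and be a different person
    from the maker, even when one user happens to hold both roles."""
    if t.status != "pending":
        raise ControlViolation(f"{t.ref} is not awaiting approval")
    if "checker" not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} may not approve transfers")
    if user == t.maker:
        raise ControlViolation(f"{user} cannot approve a transfer they initiated")
    t.checker = user
    t.status = "approved"
    t.audit.append(("approved", user))
    return t


def independent_check(transfers: List[Transfer]) -> List[Tuple[str, str]]:
    """Control 5: a reviewer outside the workflow replays the rules over the
    stored records, catching transfers whose state was changed behind the
    application's back (e.g. directly in the database)."""
    findings = []
    for t in transfers:
        if t.status != "approved":
            continue
        if t.amount > APPROVAL_THRESHOLD and t.checker is None:
            findings.append((t.ref, "above threshold but no checker recorded"))
        elif t.checker is not None and t.checker == t.maker:
            findings.append((t.ref, "maker and checker are the same user"))
        elif not any(a in ("approved", "auto-approved") for a, _ in t.audit):
            findings.append((t.ref, "approved status without an audit entry"))
    return findings


def violates(action: Callable, *args) -> bool:
    """True if the action is rejected by a control; used to probe the rules."""
    try:
        action(*args)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    small = create_transfer("T1", 500.0, "alice")
    large = create_transfer("T2", 50_000.0, "alice")
    print("alice self-approves T2:", violates(approve_transfer, large, "alice"))
    approve_transfer(large, "bob")
    tampered = create_transfer("T3", 50_000.0, "carol")
    tampered.status = "approved"        # simulated change outside the workflow
    print(independent_check([small, large, tampered]))
```

The independent check is the part most often missing in practice: the workflow code enforces the rules on the happy path, but a database administrator or a compromised service account can flip a status column without going through `approve_transfer`, and only a reviewer re-deriving the expected state from the records will notice.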
• 151. #4. Information and Communication • Relates to the flow of information in two directions within an organization. • Information should flow downward to the line functions and provide the best, most accurate information as needed to allow the function to produce the best results possible. • Information about performance should flow upward through management, through both formal and informal communication channels, providing objective feedback. • Both communication channels must function effectively to safeguard the organization.
• 152. #5. Monitoring • Deals with the ongoing/periodic assessment by management of the quality of internal control performance. • Determines that controls are operating as intended and that they are modified as appropriate for changes in conditions. • Monitoring involves both fraud deterrence and fraud detection activities.
• 153. #5. Monitoring (cont’d) • Management must ensure all control processes are performed as designed and approved. • Control compliance analysis, verifying that procedures are performed correctly, could reveal a control that has been inappropriately modified, or one that is not performed as approved; such a control weakness could present the opportunity for fraud. • Proactively identifying these weaknesses and correcting them is the fraud deterrence aspect of the monitoring process.
• 154. What the Controls Look Like • Dedicated IT/information security personnel • IT/Information Security Risk Management (and Security Architecture if needed) • IT/Information Security Standards and Frameworks • Security Incident Plan (Policies and Procedures) • Security Incident Logs or Documentation • Security Incident Review Activity • User Access Rights Policies and Procedures • User Access Rights Documentation • User Access Rights Review Activity • Anti-Virus, Anti-Malware/Spyware and Firewall
• 155. What the Controls Look Like (cont’d) • Intrusion Prevention Systems • Intrusion Detection Systems • Physical Security • Data Security • Information Security • Software/Application Security • Database Security • Vulnerability Assessment • Penetration Testing
• 156. InfoSec Control Frameworks
• 157. ISACA Framework on Information Security (figure; credit: ISACA) ISMS: Information Security Management Systems. R: Responsible; A: Accountable; C: Coordinate; I: Informed
• 158. NIST Cybersecurity Framework • Critical infrastructure: vital infrastructure run by private and public operators whose lack of availability would have a “debilitating impact” on the nation’s security, economy, public health, safety… • Executive Order 13636, February 12, 2013 • Threat information sharing • NIST: a baseline framework to reduce cyber risk • “Standards, methodologies, procedures and processes that align policy, business, and technological approaches…”
• 159. InfoSec Standards ‘ISO/IEC 27001’ Specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS), with control areas including: • Risk Assessment • Security Policy • Asset Management • Physical/Environmental Security • Access Control • And many others
• 160. InfoSec Standards (cont’d) • Payment Card Industry Data Security Standard (PCI DSS) version 3
• 161. InfoSec Standards (cont’d) PCI DSS High Level Overview (figure)
• 162. Educate, Educate, Educate • Our security stakeholders: employees, executives, partners, suppliers, vendors • What are our policies? • How to comply? • Consequences of failure to comply
• 163. Monitoring and Controlling • Assessment • Review • Audit • Monitor change control • New vendor relationships • Marketing initiatives • Employee terminations
• 164. Reaching Out goutama@gmail.com www.linkedin.com/in/goutama (+62-815) 962 8555 www.slideshare.net/goudotmobi
• 165. Thank You! Image: pinimg