WASHINGTON, D.C.— Cybersecurity dominated the conversation at the Payments Roundtable Sunday at the 2014 AFP Annual Conference. SSA Clyde Ellis with the FBI’s Major Cyber Crimes Unit (MCCU) provided treasury and finance professionals with a glimpse into the biggest cyber threat trends his unit is looking at.
“In my 9-10 years investigating cyber, the one thing I can tell you is, it’s evolved,” Ellis said. “The cyberthreat is constantly changing. Things I talk about today will be different next year. Things I talk about next year will be different the year after that.”
Cybercriminals are trying to create a full profile on you. Ellis noted that cybercriminals are no longer merely attempting a breach for debit and credit card fraud; they’re taking things a step further. “Bad guys are specifically targeting you; they want to pull the websites that you go to. They want to get your user ID, your password, your PIN numbers, etc. They’re also launching spear-phishing attacks; directly targeting victims with emails, links, and going after professionals with access to Lexis Nexis and credit reports.
Why go after all this data? “We found out that now the bad guys are creating workups on us,” Ellis said. “They don’t just want your name and your social security number. They want every credit card that you have. They want to know your rental history, where you moved to, whether you’re married, how many dependents do you have. Because if I know everything about you, I can practically be you.”
Prepaid card fraud is skyrocketing. While all card fraud is increasing, the trends show prepaid card fraud rising at an alarming rate.
Ellis said he worked a stolen identity case recently in Texas. “You had this group of individuals and they intercepted people’s information,” he said. “They took it and went around to retailers and purchased Green Dot prepaid cards. After they purchased these cards, they downloaded and issued tax returns. They would direct the tax return they filed in your name, straight to that card. They were using these prepaid cards like virtual bank accounts. They had mules that would go out to ATMs and cash out all this money.”
Ellis added that this particular group was connected to groups in Cincinnati, Atlanta and Florida. “But at the end of the day, we found out that these cyber criminals had attempted $100 million loss. Actual losses totaled $56 million.
To mitigate this threat, the FBI is analyzing purchases, trying to determine what the criminals are doing with these prepaid cards; what they are purchasing with them. The FBI is also working closely with retailers to find out whose personally identifiable information (PII) was used to determine if a breach occurred. The agency is also looking at the addresses these crooks are making when they make online purchases with these cards.
Mobile malware is becoming an even bigger threat to mobile payments. The FBI has strong partnerships in the telecommunications industry, and also works with the Wireless Association and the Communications Fraud Control Association (CFCA) to analyze different types of mobile malware.
“Malware today steals contact information from your phones,” Ellis said. “It steals your call logs and your address books. It’s tracking your websites. It’s trying to pull your passwords. We use smartphones now like we use computers. We can check our bank accounts and make payments, and there’s malware that specifically goes after that. You also have malware that takes components of your mobile device and takes it over.”
The FBI provides the following tips for protecting yourself against mobile malware.
- Be careful about the links that you click on in a text or email.
- Read permissions on apps. What exactly are you allowing when you download an app?
- Update your device regularly.
- Passcode protect your devices.
Underground forums are the place to be if you’re a cybercriminal. Fully 95 percent of cybercriminals are active on underground forums. Ellis noted that he has been undercover on some of these boards. “You should hear the things they’re talking about,” he said. “They’re talking about ways that they can extort your data. They’re talking about who has vulnerability. They’re talking about ways that they can take this information and use it come after us, because we’re the victims.”
Ellis stressed that the bad guys are talking; they’re game planning. Treasury and finance professionals then, have to do the same thing. “Gone are the days when, if something happens, you don’t talk about it with other organizations; we need to be sharing,” he said. “There could be something that you see, that someone else doesn’t. And unless we’re talking, we don’t know. So we have to use venues like this, we’ve got to have work groups and task forces, we’ve got to have public service announcements. We have to be sharing information with our communities.”