Police in the United Kingdom are searching for a man convicted of a £2.5 million fraud (US $4.2 million), after he failed to appear at his sentencing hearing, according to The Daily Mail. A crown court in Manchester found Maxwell Parsons guilty of carrying out a sophisticated fraud operation in 2008 and 2009 that manipulated banking systems so that payments were automatically reversed. That enabled him to make repeated payments, which were then converted back to pounds sterling. At its peak, the fraud collected £50,000 a day. Parsons, who faces up to 10 years in prison, was not required to surrender his passport before the trial, which may make it harder for authorities to apprehend him.
The kind of financial fraud discussed in this story, an automatic payment reversal scheme, provides an opportunity to review the controls internal auditors should expect to find in place and working well in their organizations, particularly in financial institutions. Frequently, news stories of fraud schemes involve the compromise of banking systems — particularly as electronic and Internet commerce grows.
While this story does not provide specifics, it appears the scheme may have manipulated banking transaction systems to compromise how they processed withdrawals or transfers of funds to the fraudster’s bank account. The funds withdrawn were immediately reversed as transactions in the systems, even though the money actually went out. The fraudster does not appear to have been a bank employee, making this case all the more alarming.
Here are 10 elements that auditors should examine. Although not a complete list, these elements may be of particular use in detecting compromises of financial systems.
- Follow forums. Following hacking forums can allow auditors and management to learn all the latest methods being used. A good ethical hacking forum can be found at http://zero-security.org.
- Identify entry points. Install appropriate scanning software to identify all entry points from the outside into the internal network and systems of the organization. Any attack needs to start from these points. Identifying these entry points, however, is not easy. To perform this task successfully, it often is better to seek help from skilled ethical hackers with special network security training.
- Perform attack and penetration tests. By running these tests, auditors can identify vulnerable points in the network and systems that can easily be reached by both external and internal users. Identifying these points can enhance the organization’s ability to thwart attacks from external sources and correct the pitfalls that could become the entry points for intruders. Tests must be done from both the internal and external perspectives to detect all the vulnerabilities. However, auditors always should be alert to the limitations of security measures. For example, although Secure Sockets Layer (SSL) protection is now a required component of most transaction-based Web applications, vulnerabilities exist in portions of pages and sites that are unencrypted.
- Test internal systems controls and “red flags” to ensure they are in place at all possible attack points and are rigorous. For example, automatic flags should be in place and alert monitoring personnel whenever unusual transactions are involved, such as large dollar amounts, high frequencies, transaction cancellations, or amendments. This also should link to the mode of interaction with financial systems — for example, the ATM mode should be monitored/flagged more scrupulously than some others.
- Establish user-awareness campaigns. All possible steps must be taken to make all users of the network and systems aware of the security pitfalls and the security practices needed to minimize these risks. Internal auditors can conduct social-engineering tests to determine user awareness. Until all users are aware of certain factors related to the network, true protection cannot be carried out.
- Check firewall configuration. When not configured correctly, a firewall can become an open door for any intruder. Hence, it is vital for organizations to set the rules so that the firewall passes the traffic the business needs. A firewall should be configured according to the organization’s security requirements. From time to time, appropriate analysis of the composition and nature of the traffic itself is also necessary to maintain security.
- Review password policies. The organization should enforce strong password policies: passwords should combine alphabetic and numeric characters and be of secure length, and they must be changed frequently.
- Look for password-less authentication. Regardless of the policies above, passwords are less secure than secure shell (SSH) or virtual private network keys, so organizations should consider using these or similar technologies instead. Where possible, the organization should use smart cards and other advanced methods.
- Make sure default passwords are changed immediately. Some software ships with built-in passwords to allow the first login after installation; it is unwise to leave these passwords unchanged. Note also that if one-time passwords protect only the login ID or password step, vulnerabilities still exist after the credential gateway. For example, man-in-the-browser attacks can alter the amounts or recipients of financial transactions.
- Verify that unnecessary services are removed from devices. Organizations should not have to depend on the reliability of modules they do not actually use.
- Confirm that antivirus and anti-malware software is installed and updated regularly. Both intrusion detection systems and antivirus software must be updated regularly — daily, if possible. Up-to-date antivirus software can help detect even the latest viruses. Anti-malware relies on blacklists of known threats, however, and this simple technology is incapable of responding to emergent or variant hacking threats.
- Ensure physical security. Apart from ensuring the internal security of the network, internal auditors should think about the physical security of their organization. Until and unless there is full security, any intruder can simply walk into an office to gain whatever information he or she seeks. As with technical security, auditors also must ensure that the physical security mechanisms of the organization are fully functional and effective. For financial organizations such as the bank victimized in the U.K. case, ATMs probably need greater use of cameras and remote monitoring. Virtual keyboards can be used to sidestep the inherent vulnerabilities of physical keyboards, but be aware that hackers can easily alter Web pages or capture screens, or exploit vulnerabilities in the help portions of those pages to disarm this security approach.
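The "red flags" item above calls for automatic alerts on large amounts, high frequencies and transaction cancellations, with closer scrutiny of the ATM channel. The following is an added example, not part of the article or of any bank's systems, showing what such rules look like when run over a constructed transaction log that contains the rapid payment-then-reversal pattern described in the story; the log format, channel names and thresholds are all assumptions.

```python
# Added example (not from the article): red-flag rules over a constructed transaction log.
# Thresholds, channel names and the log format are assumptions for illustration.
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: timestamp account channel type amount(GBP) reference
SAMPLE_LOG = """\
2009-03-02T09:00:05 ACC-1001 ATM PAYMENT 500.00 T1
2009-03-02T09:00:09 ACC-1001 ATM REVERSAL 500.00 T1
2009-03-02T09:00:41 ACC-1001 ATM PAYMENT 500.00 T2
2009-03-02T09:00:45 ACC-1001 ATM REVERSAL 500.00 T2
2009-03-02T09:01:20 ACC-1001 ATM PAYMENT 500.00 T3
2009-03-02T09:01:24 ACC-1001 ATM REVERSAL 500.00 T3
2009-03-02T10:15:00 ACC-2002 BRANCH PAYMENT 12000.00 T4
2009-03-02T11:30:00 ACC-3003 ONLINE PAYMENT 80.00 T5
2009-03-03T11:30:00 ACC-3003 ONLINE REVERSAL 80.00 T5
"""

LARGE_AMOUNT = 10000.00               # single-payment alert threshold (assumed)
FAST_REVERSAL = timedelta(minutes=5)  # a reversal this soon after its payment is suspicious
REVERSALS_PER_HOUR = 3                # per account; the article's scheme repeated all day
CHANNEL_SCALE = {"ATM": 0.5, "ONLINE": 0.75, "BRANCH": 1.0}  # ATM watched more closely

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, acct, chan, kind, amt, ref = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "acct": acct, "chan": chan,
                     "kind": kind, "amt": float(amt), "ref": ref})
    return rows

def red_flags(rows):
    """Return (flag, account, detail) tuples for the monitoring desk."""
    flags = []
    payments = {r["ref"]: r for r in rows if r["kind"] == "PAYMENT"}
    per_hour = Counter()  # (account, hour bucket) -> number of reversals
    for r in rows:
        scale = CHANNEL_SCALE.get(r["chan"], 1.0)  # lower threshold on riskier channels
        if r["kind"] == "PAYMENT" and r["amt"] >= LARGE_AMOUNT * scale:
            flags.append(("LARGE_AMOUNT", r["acct"], r["ref"]))
        elif r["kind"] == "REVERSAL":
            per_hour[(r["acct"], r["ts"].replace(minute=0, second=0, microsecond=0))] += 1
            paid = payments.get(r["ref"])
            # a reversal landing seconds after its own payment is the article's pattern
            if paid and r["ts"] - paid["ts"] <= FAST_REVERSAL:
                flags.append(("FAST_REVERSAL", r["acct"], r["ref"]))
    for (acct, hour), n in per_hour.items():
        if n >= REVERSALS_PER_HOUR:
            flags.append(("REVERSAL_RATE", acct, f"{n} reversals in hour {hour:%H:00}"))
    return flags
```

On the constructed log, the three ATM reversals on ACC-1001 each trigger a fast-reversal flag and together trip the hourly rate rule, the branch payment trips the large-amount rule, and the online reversal a day later raises nothing.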