Alert to Increased Cyber Fraud Through Web-based Payment Services
September 23, 2010
Industry Letter: Alert to Increased Cyber Fraud Through Web-based Payment Services
To Financial Institutions
The New York State Banking Department (“Department”) is taking this opportunity to alert institutions to the increased threat of cyber fraud through Web-based payment services, particularly affecting businesses and government entities. There have been increased reports of fraudulent EFT transactions resulting from compromised login credentials.
A Cyber Security Advisory has been issued by the various Federal and State Information Security Agencies, and a Special Alert has been issued by the Federal Deposit Insurance Corporation. The details of that advisory and guidance may be obtained at the following websites:
The Department would further like to take this opportunity to remind institutions of their obligation to report cyber fraud instances to the Department, such as reporting of malicious software intrusions in accordance with the May 28, 2003 industry letter, which is available through the Department’s website at www.banking.state.ny.us/il030528.htm, and the filing of a Superintendent’s Part 300, as may be appropriate.
Also, it is the Department’s expectation that an institution’s risk management system be robust enough to incorporate the risks associated with cyber fraud. Cyber fraud not only incorporates IT risk, but expands to include both the institution’s Legal and Reputational risks. Financial losses to cyber fraud may be significant, but more damaging and significant to an institution can be the loss of customers and of the institution’s reputation.
Therefore, the Department encourages institutions to adopt the “best practices” guidelines identified in the Cyber Security Advisory and FDIC Special Alert. Below are selected highlights of the best practices for cyber fraud prevention for a financial institution:
Financial Institution Specific Recommendations:
● Consider offering the following security measures:
    ● Online credit card purchase verification programs, such as Verify by Visa.
    ● Automatic blocking of wire transfers to particular countries.
    ● Delayed transaction or batch processing of money transfers and/or immediate user
    ● Procedures to require account owners to verify transactions over certain amounts, possibly through call backs.
    ● Out of band token/PIN delivery, possibly via SMS or automated phone calls.
    ● Give account owners the option to create a “white list” containing all the approved accounts between which transactions may take place.
● Establish procedures with intermediary banks and law enforcement for responding to potential fraudulent activity.
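Three of the controls listed above (a customer-maintained “white list” of approved accounts, automatic blocking of wires to particular countries, and a threshold above which a transfer is held for call-back verification) can be combined into a single screening step applied to each outbound EFT before it is released. The following is an added illustration, not part of the Department’s letter or any named vendor product; the account identifiers, country codes, amounts and thresholds are constructed sample values.

```python
"""Added example (not from the Department's letter): screening an outbound EFT
against a per-account policy. Blocking rules run first, then the approved-list
check, then the amount threshold, so that a transfer to a blocked country is
refused even if the counterparty is on the customer's list. Sample values only."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"                      # release for processing
    HOLD_FOR_VERIFICATION = "hold"           # queue for out-of-band confirmation (call back)
    BLOCK = "block"                          # refuse outright


@dataclass(frozen=True)
class AccountPolicy:
    # Counterparties the customer has approved; empty means the customer has not opted in
    whitelist: frozenset[str] = frozenset()
    # Transfers at or above this amount require out-of-band confirmation
    verify_threshold: Decimal = Decimal("10000")
    # Destination countries to which wires are automatically blocked (constructed codes)
    blocked_countries: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Transfer:
    destination_account: str
    destination_country: str   # two-letter country code; sample values below
    amount: Decimal


def screen_transfer(policy: AccountPolicy, transfer: Transfer) -> tuple[Decision, str]:
    """Return the decision for one transfer together with the rule that produced it."""
    if transfer.amount <= 0:
        return Decision.BLOCK, "non-positive amount"
    if transfer.destination_country.upper() in policy.blocked_countries:
        return Decision.BLOCK, f"destination country {transfer.destination_country} is blocked"
    if policy.whitelist and transfer.destination_account not in policy.whitelist:
        # A counterparty missing from an opted-in customer's list is held for
        # confirmation rather than silently rejected; the list may simply be stale.
        return Decision.HOLD_FOR_VERIFICATION, "counterparty not on approved list"
    if transfer.amount >= policy.verify_threshold:
        return Decision.HOLD_FOR_VERIFICATION, f"amount at or above threshold {policy.verify_threshold}"
    return Decision.APPROVE, "all checks passed"


def screen_batch(policy: AccountPolicy, transfers: list[Transfer]) -> dict[Decision, int]:
    """Delayed/batch processing: count how many transfers land in each queue."""
    counts = {d: 0 for d in Decision}
    for t in transfers:
        decision, _ = screen_transfer(policy, t)
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample policy and transfers; not real account data.
    policy = AccountPolicy(
        whitelist=frozenset({"ACCT-1001", "ACCT-1002"}),
        verify_threshold=Decimal("5000"),
        blocked_countries=frozenset({"ZZ"}),
    )
    batch = [
        Transfer("ACCT-1001", "US", Decimal("250.00")),
        Transfer("ACCT-1001", "ZZ", Decimal("250.00")),
        Transfer("ACCT-9999", "US", Decimal("250.00")),
        Transfer("ACCT-1002", "US", Decimal("7500.00")),
    ]
    for t in batch:
        decision, reason = screen_transfer(policy, t)
        print(f"{t.destination_account} {t.destination_country} {t.amount}: {decision.value} ({reason})")
    print(screen_batch(policy, batch))
```

Held transfers are the ones the letter's call-back procedure would confirm with the account owner before release; the reason string is what an operator would read when making that call.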
Further, the institution is encouraged to communicate to its customers the “best practices” that the customer can employ to protect themselves against cyber fraud. Below are selected highlights, though not all, of the best practices for cyber fraud prevention for customers of financial institutions:
Financial Institution Recommendations for Users:
● Check with your financial institution about enabling “alerts” and other security measures that may be available. Some financial institutions offer additional security measures, but they are only available upon request.
● If possible, set up accounts that cannot or are not accessed through the Internet and use those accounts for long-term savings. Move money between those accounts and active accounts via the phone or in-person visits.
● Immediately report any suspicious activity in your accounts. There is a limited recovery window, and a rapid response may prevent additional losses.
Thank you for your cooperation.
Richard H. Neiman
Superintendent of Banks
New York State Banking Department