Fincrime Briefing: Former Wells execs face criminal probe in fake accounts scandal, Travelex hit with ransomware attack, Iran cyber defense tactics, and more

By Brian Monroe
bmonroe@acfcs.org
January 7, 2020

Quote of the Day: There’s a way to do it better – find it.” – Thomas A. Edison

In today’s briefing, former Wells execs to face criminal charges tied to fake accounts scandal, forex giant Travelex held hostage for $6 million in ransomware attack, Verafin offers 2020 outlook on fincrime compliance trends, expert shares tips to defend against potential Iran cyber fusillades today, and more.

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!

ENFORCEMENT/INDIVIDUAL LIABILITY

Former Wells Fargo execs may face criminal charges in coming weeks

Multiple former high-level Wells Fargo executives are under criminal investigation in connection with the bank’s fake-accounts scandal and could be indicted as soon as this month.

Federal prosecutors have been eyeing potential charges against individuals who were once in the San Francisco bank’s upper management ranks, according to sources familiar with the situation.

Until this point, the scandal’s repercussions have fallen most heavily on lower-level employees, thousands of whom were fired, though some high-level executives have also lost their jobs and had compensation clawed back.

In September 2016, Wells Fargo agreed to pay $185 million in fines to the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and the Los Angeles City Attorney’s office in connection with the more than 2 million customer accounts that had been flagged as potentially unauthorized.

The federal criminal investigation has been conducted by Department of Justice prosecutors in California and North Carolina, with assistance from both the OCC and the Securities and Exchange Commission, according to one source.

The probe could yield some of the most high-profile criminal charges against U.S. bankers since the financial crisis, though sources noted that the situation remains fluid and is subject to change.

Individual defendants will likely argue that the sales tactics used at Wells Fargo were similar to those employed by other banks. They are also expected to contend that the alleged misconduct does not rise to the level of criminal behavior.

As charges against former Wells Fargo executives have been under consideration, the bank itself has been in talks to resolve matters under investigation by the Justice Department and the SEC.

Wells Fargo first disclosed in late 2016 that it was facing sales-conduct-related scrutiny from those two agencies.

In February 2019, the scandal-plagued bank revealed in a securities filing that it had begun engaging in discussions about a potential resolution. It said in a November 2019 filing that the talks were continuing.

The criminal investigation grew partly out of an internal probe by Wells Fargo in 2013, which focused on employee misconduct in Los Angeles and Orange County, Calif., one source said.

This source added that the charges under consideration by prosecutors may include making false or misleading statements to investors and conspiracy to obstruct the examination of a financial institution, (via American Banker).

Monroe’s Musings: This case was a huge deal and continues to cause headaches for Wells Fargo – an insider fraud that eventually led to many of the institution’s top compliance officials to be axed, not just bloodletting at the executive leadership level.

The not-so-subtle meaning for financial crime compliance professionals: For you to be truly “woke” as the millennials say, you had better take the insider threats at your institution just as seriously as you do external threats that could strain your AML systems with instances of possible money laundering, fraud, sanctions busting and other fincrimes. 

CYBERSECURITY

Hackers hit forex giant Travelex with ransomware attack, asking for $6 million to release locked systems

Hackers are holding foreign exchange company Travelex hostage until it pays a $6 million ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper, according to company statements and media reports.

On New Year’s Eve, hackers launched their attack on the Travelex network.

As a result, the company took down its websites across 30 countries to contain “the virus and protect data,” according to a statement on the website, which has alternated between allowing some user access, being totally offline or simply offering a page consisting of a company update.

A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6m (£4.6m).

The gang, also known as REvil, claims to have gained access to the company’s computer network six months ago and has downloaded 5GB of sensitive customer data,  a detail confirmed by Travelex Tuesday.

Dates of birth, credit card information and national insurance numbers are all in their possession, they say, though Travelex has refuted some of those claims.

“In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the hackers told them. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

Travelex says it is working with police and has deployed teams of IT specialists and external cyber-security experts who have been working continuously.

Travelex websites across Europe, Asia and the US have been offline since 31 December, with a message to visitors that they are down for “planned maintenance”.

Visitors to the Travelex website are told that the site is down for “planned maintenance”.

Customers have not been sent any email communication about the cyber-attack, but queries are being replied to on social media by the company.

Network partners affected

Travelex’s decision to take down its site has meant the large network of other firms that use its services cannot sell currency online.

Virgin Money’s site showed an error message, which said: “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.”

Sainsbury’s Bank also said its online travel money services were unavailable, although it said customers could still buy travel money in its stores. In a statement to the BBC, the bank said: “We’re in close contact with Travelex so that we can resume our online service as soon as possible.”

A spokesperson for First Direct, which is owned by HSBC, said: “Unfortunately, our online travel money service is currently unavailable due to a service issue with third party service provider, Travelex.”

The company has resorted to carrying out transactions manually, providing foreign-exchange services over the counter in its branches.

The company has since told the BBC that its systems are currently down and it is unable to sell or reload its pre-paid travel cards.

But, it said: “Existing cards continue to function as normal and customers in the UK can continue to spend and withdraw money from ATMs.”

“For customers who have ordered money online, please contact Travelex customer services by phone or via social media to discuss their individual situation and requirements.”

Personal data secure?

The recovery operation is being co-ordinated from a Travelex office in the UK and the company insists that no customer data has been leaked.

But it would not say what data could potentially be at risk.

The company, however, has been insistent that the personal data of customers has not been broadly breached, even as it did confirm the company was attacked by REvil and its dreaded Sodinokibi ransomware, according to a statement Tuesday.

“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted,” Traveled said. “Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”

Having completed the “containment stage of its remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems,” Travelex said in a statement.

Though these efforts are typically wildly expensive, the company stated the financial impact would be minimal.

To date Travelex has been able to “restore a number of internal systems, which are operating normally,” the company said. “The company is working to resume normal operations as quickly as possible and does not currently anticipate any material financial impact for the Finablr Group,” (via Travelex). To read more analysis, click here.

Monroe’s Musings: This story about Travelex is yet another terrifying and cautionary tale about the true risks, scope and absolute crushing potential a cyberattack can have on a company.

For firms of all sizes, they should make 2020 the “Year of the Cyber Warrior,” and finally devote staff, budgets and resources to analyzing cyber defense gaps, implementing recovery plans and instilling a culture of awareness to build and gird the operation’s overall virtual world resilience. 

COMPLIANCE

In 2020, banks should expect more cyber-enabled frauds, compliance pressure to reduce false positives with tech, more public, private data sharing: Verafin  

Cyber-enabled frauds like business email compromise attacks will become more complex and target banks more aggressively.

At the same time, financial institutions will be under more pressure to tinker with technology to better trim transaction monitoring false positive rates and improve compliance program effectiveness – something that must occur in tandem with stronger public and private information sharing.

Those are just some of the challenges and opportunities anti-money laundering (AML) teams will face in 2020, according to industry heavyweight Verafin in its “Crime Trends & Technology: Reflections & Perspectives for 2020,” report released Tuesday.

Here are some snapshots:

Fraud schemes evolve: Business Email Compromise (BEC) Attacks

In an updated 2019 advisory, FinCEN highlighted the role of BEC in criminal money laundering networks, and encouraged FIs to employ information sharing as a means of identifying and preventing financial crime.

With data trends showing BEC fraudsters are now favoring industries such as construction and real estate, FIs must consider how cross-institutional collaborative investigations can strengthen their defense against BEC fraud and crime ring activity in 2020.

Optimizing AML programs, investigations, effectiveness: False Positive Reduction

The industry-wide problem of false positive alerts continues to cost AML investigators significant time and resources that would be better invested in examining truly suspicious cases. Machine learning solutions will play a key role in improving alert precision for investigators that adopt Artificial Intelligence (AI) approaches for financial crime management.

Applying AI to Financial Crime Management: Machine learning

More and more FIs are incorporating machine learning technology into their financial crime management programs to significantly reduce false positive alerts, improve analytical performance, and increase detection rates.

Given the significant benefit to FIs this adoption will only continue, with the use of AI and machine learning for fraud detection expected to triple by 2021.

The Future of Public/Private Partnerships: Collaborative Investigations to Combat Crime Rings

The need for effective information sharing and collaboration in financial crime investigations has never been clearer. Based on trend analysis in the Verafin Cloud, it is estimated that there are more than 100 active crime rings operating in the U.S. today.

Uncovering these networks of bad actors, often implicated in many illicit activities spanning multiple FIs, is impossible without collaboration. 

Continued adoption of private-private information sharing will be critical to strengthen investigations that span multiple FIs and get a step ahead of organized criminal activity, (via Verafin).

Monroe’s Musings: This look ahead to 2020 is absolutely on the money and tracks with many conclusions we have also made here at ACFCS.

Criminals, particularly those powered with cyber-enabled weaponry, are getting more creative and more aggressive, playing on both potential systems vulnerabilities and the most dangerous of all specters: human error.

That puts even more pressure on banks to engage broad, holistic and full spectrum counter-crime compliance training for those in and out of dedicated AML, fraud and cybersecurity roles.

But even a bank with the best systems, people and processes has a massive, glaring and gaping Achilles heel: it still doesn’t know what the bad guy is doing at the bank across the street and is virtually blind when the scofflaw strolls through the door to continue his latest scam.

That will only change, as the Verafin piece concludes, with more banks sharing data with each other regionally, nationally and even internationally – and more broadly and proactively swimming that data with details gleaned from government partners on the ground investigating the big financial crime cases before they hit the papers.  

SANCTIONS/CYBERSECURITY

Level It Up! The Iran Cyber Threat: Executive discussion and steps institutions can take today to strengthen virtual defenses

The recent events with Iran and the potential for Iranian directed or inspired physical and cyberattacks is at the top of mind for many of our community, so it’s vital firms understand what they can do today to counter potential virtual vulnerabilities.  

Based on calls from trusted executives looking for more concrete information, I wanted to share a few thoughts on Iranian cyber capabilities to “Level it Up,” when it comes to broad, overarching cyber defense initiatives. 

Executive Summary 

Overall, while Iran may have a developed cyber program, it has not shown the capability at this point to cause widespread or lasting physical impacts from its attacks.

Iran’s ransomware and denial of service attacks are “impactful” on the organizations they hit, and a great discussion topic for reporting, but often are not nationally significant in terms of impact on human lives or physical damage.

Shore up your defenses against phishing, account takeover, denial of service and make sure your backups are not able to be encrypted by a malware attack (i.e. consider offline backups).

Iran, right next to China, Russia and North Korea targets the US on a regular basis and there has been a long history of Iranian cyber activity against the US infrastructure and US corporations, along with Iranian cyber activities targeting other Middle Eastern countries and organizations or “influence operations” in their psychological operations against the United States or other nations.

If you are concerned about Iran this month, use that concern to address the same things that would make your company a victim of Eastern European ransomware, Chinese espionage, or organized criminal fraud, or theft of your critical intellectual property.

For those in the financial sector, there are many lessons learned from previous years of Iranian activities targeting banking mentioned below.

For those in the industrial control systems (ICS) arena, Iran learned a great deal from being hit by a targeted malware that impacted physical machinery, so additional vigilance in US infrastructure companies around phishing attacks, privilege escalation, and things that permit lateral movement without logging should be addressed immediately.

Increase vigilance and alerting or automatic denials around unfamiliar IP addresses or of activities from an employee or partner that far exceed their normal roles.

Details:

What Iran is known to do: denial of service, targeted malware, phishing as a means of gaining entry, account takeover, attacks on infrastructure, leveraging known network vulnerabilities, financial systems targeting, and stealing information for Iranian research programs.

Web site defacements, while embarrassing, are often not a huge impact on real world operations, and some recent ones have been attributed to “Iranian inspired” activities, not official cyber operations. (Patch your website to avoid this issue)

Examples of Attacks Attributed to Iran

Late 2011 and mid-2013 – DDoS attacks against 46 victims, primarily in the U.S financial sector.

2012 – One of the most infamous attacks some attributed to Iran was the Shamoon data wiper software attack on Saudi Aramco wiping over 30,000 systems.

August – Sept 2013 – Iranian accused of accessing Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York.

2014 – Theft of Sands Las Vegas Corporation in Las Vegas, which saw customer data stolen and — according to reports — some computers wiped, some blamed it on Iran.

2018 – Nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries.

The US and companies have hit back –

The March 2016 and March 2018 US charged two different groups of Iranians for the 2016 DDoS attacks and 2018 intellectual property theft activities targeting the US.

in August 2018, Microsoft conducted operations to take down web sites used by Iranian intelligence collectors targeting their customers.

What you can do today:

While longer term employee training, awareness and incident response planning are ALWAYS recommended and should be discussed and budgeted every year, if you have limited staff, budget and resources, and are concerned about this threat, please at least consider emergency efforts to:

  • Patch known vulnerabilities – It is more often known vulnerabilities (and not very often zero days) that compromise many organizations.
  • Segmentation – Also, step up your plans to segment your networks (corporate and industrial control systems) in a way to minimize either the compromise of a particular division of the company and to mitigate antiquated or unpatched systems. Think of your company like a ship – what is the appropriate number of water tight compartments to keep the ship afloat if one area is compromised. (Or fire breaks/doors in a hotel for those not nautically inclined.)
  • Implement multi-factor authentication on system administrative and critical accounts or resources. Lock down system administrative tools or functions that can be used by adversaries achieving access.
  • Have OFFLINE backups: This would cover critical data and even backups of physical production line configurations in the event of any attacks, to aid in recovery.
  • Phishers of men: Hire a trusted vendor to try to phish your teams, hack your systems, and immediately implement those findings back into your program.
  • Can you print this for me: And have your current incident response plan in place (AND PRINTED) in case of a ransomware or wiper attack on your systems. 
  • Key contacts: Include the names, phone numbers, and back up email addresses of critical employees, your outside counsel, and incident response provider all in that printout, (via Bryan Hurd, Vice President at law firm Stroz Friedberg, Aon – CISO, former Intel Director, Microsoft Digital Crimes Unit and Founder of the NCIS Cyber Program).

Monroe’s Musings: I just loved Bryan’s breakdown of what a company could and should do right now to strengthen its cyber defense, resilience and recovery efforts, and I told him so in the LinkedIn post.  

His concrete steps truly follow in the footsteps of one of the guiding mantras at ACFCS: make content relevant, practical and tactical.

And, honestly, these tactics should be fully embraced immediately by corporates of all sizes even when they are not fearing increased digital fusillades from a foaming Iran.