Fraud in a Changing Treasury Landscape Episode 2:
Do You Know Who Is Accessing Your Banking Information?
Craig Jeffery, Strategic Treasurer
Omri Kletter, Bottomline
Episode Transcription - Episode #251 - Fraud in a Changing Treasury Landscape Episode 2: Do You Know Who Is Accessing Your Banking Information?
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Craig Jeffery 00:19
Welcome to the Treasury Update Podcast. This is Craig Jeffery, I’m back for part two of the 2023 Treasury Fraud and Controls Survey podcast with Omri Kletter from Bottomline Technologies. Welcome back to part two of our podcast discussion, Omri.
Omri Kletter 00:35
Good to be here again, good to be here.
Craig Jeffery 00:39
Excellent. So I’m going to assume that people have listened to part one. I’m not going to do the whole preamble other than to say, a lot of this data you can find in the show notes, you can find the report, the public-facing report. It’s the eighth year in a row that we’ve done this survey together, Strategic Treasurer and Bottomline Technologies. So for the key areas, we’re going to jump into the third area. This is the idea of, you know, every fraud, or every attack, usually goes against the weakest link, right? If someone strengthens their defenses in one area, they target other areas; certainly criminals are trying to find everything. So attacking the weakest point is a good strategy, and one that’s commonly used by criminals. Staff has been an area that’s been exploited for a long time. It’s tremendously vulnerable. But there’s a couple of other facts about an unguarded asset or location, let’s say, of key banking information. These would be unmonitored directories. If you think about banking information, it’s oftentimes stored in an ERP or a payment system or treasury system or payment hub, then there’s some kind of process of delivering those instructions to, let’s say, a bank or a third party to settle it. The protection of unmonitored directories did not seem to be very strong based on the information: less than 40% had a full audit trail of access and changes to access. Only about a third of administrators who can assign access rights do not have the ability to edit or delete log files. So two thirds basically have the ability to cover up the trails. And even if everyone was perfectly pure and noble in all that they do, if someone gained their credentials, the key to cover up their tracks exists. This seems to be a significant thing. We’ve seen this in our practice. I’d love you to talk about this generally, but also how companies, how networks are addressing these types of concerns.
Omri Kletter 02:44
Absolutely. And to some of you who followed the webinar, and may now connect the dots on things that we’ve mentioned over there, I think it’s obviously very relevant for our discussion today, is the notion that in addition to detecting and scoring the payments, right, and seeing money movement from A to B, and having all the profit links and all the different things that we’ll do and all the account takeover mechanisms and email verification, all the things that we’re doing in multiple authentication, we also need to monitor the junctions where fraud can take place. And network directories, payment directories are critical places, by the way, not necessarily for the attack itself, but the things to facilitate the attack. To your point, who is accessing, who is downloading, who is modifying, was it allowed, not allowed, who is accessing, all these things are critical. And one of the things that we are externally focused on is to provide this visibility. We have one tool, we call it record and replay: we are allowing our customers to record who is coming in, who’s coming out of these key network directories. And by the way, we do it on one hand, you actually extra need it in places that you don’t have the logs, mainframe, for example. So you’re talking about leaving the ability to change the traces or to modify the traces. In some cases, especially in mainframe, you don’t even have traces because you don’t have these things being logged properly. So the notion that we want to call upon is to go to record and replay, to record what’s happening in these network junctions, and to have the ability to then almost trigger an alert before the attack, right, because these are things that will later enable that. Actually, hey, something looks wrong from an access perspective, suddenly looks weird from someone who’s trying to modify something, and we start to see great value.
Craig Jeffery 04:46
That’s great. I like that. You know, I imagine that’s like watching a movie, not just saying these IDs had access or these functions were done, but seeing what’s occurred. I imagine that allows you to see whether that’s a machine that’s just doing it, or it’s a person exploring, or a criminal attempting to commit the fraud there. So, yeah, appreciate that depth. Yeah. So yeah, as we move off of this idea of unmonitored directories or these points of exposure, the other thing that was interesting to me from both the research here, but also something we’ve seen over time: banks know a lot about fraud, because they’ve seen a lot of fraud with their customers. Primarily, they’re in the business of protecting payments, they educate their customers. And not everybody listens to the banks. They listen to the banks after they’ve had fraud, but they don’t always listen to them ahead of time. And so since they know about it, they’re pretty smart, pretty knowledgeable, just like a company that’s in the security business. But what are banks telling us that they wish their customers did? And what would you add to this list? Right, they have a particular perspective, you have some additional degrees of separation that might help us understand what to do.
Omri Kletter 06:14
Perfect setup on this question. So absolutely. Yeah, I agree with you, Craig. There is nothing more valuable than more and more treasurers working much closer with banks and finding ways to do all the things, from inner treasury education, to ensure the controls and processes in place. In some cases, and we supported some of our bank clients on that, allowing some judges to review the layouts as if they were the bank, right, just to have, like, inner, especially for big corporate organizations, the ability to score and verify your payments within the organization. So all these things are definitely viable and important. I think there is more to be done on scoring internal risk. Absolutely. And I think banks, and I know it from many of them, are talking about feeling that treasurers can do more on having the processes, the whistleblower processes, the four-eyes reviews, the management, all the things that can both protect from internal risks because of malicious wrongdoing, but also from negligence and being vulnerable to account takeover or social engineering, etcetera, etcetera. We know that business email compromise is more likely to take place in organizations when they don’t have a culture of “see something, say something,” right: you see something problematic, and you say something. So there is a connect, I think. Banks first, I would say. I think you’re right, organizations and corporates should work much closer with the banks, partnerships. I would argue that one of the reasons the banks are doing better is because they are having ways to communicate with each other. And I think treasuries should start to do more around that. I think that’s where the regulator and some payment vehicles and all payment organizations and associations should say the same. The UK, by the way, is doing quite a good job in facilitating that. I am yet to see what is the equivalent in the US for Cifas in the UK.
And technology is many times 10 times more advanced in the US. But in terms of building, I would say mechanisms and industry bodies to support the different organizations talking and working together. There is still room for development.
Craig Jeffery 08:39
Yeah, that idea of sharing information to protect against a common criminal is certainly paying off quite well. They try to repeat what they do many times. But if it’s identified and squelched, or extinguished early, that’s great. A couple of things came up on what banks wished their customers to do, the top four items. The fourth one was have regular security training and testing. We’ve seen banks do a much better job with this over time. Essentially, we’re right at about 100% of banks do this regularly with training and testing. More of them are doing it on a repeated, recurring basis as opposed to just annually; corporations are doing that as well. They never seem to stop emphasizing that. Another control: multifactor authentication wherever possible, 67%. I think our audience is probably pretty clued into that. Two things. One is reconcile their accounts quickly, preferably the same day, but definitely within a week; that’s 69% saying reconcile. And, you know, Omri, I guess one of those things is reconciliation means something has already happened. So why does it matter to do that quickly?
Omri Kletter 09:56
Why is it important to do these types of reconciliation quickly?
Craig Jeffery 09:59
Yeah, let’s say you already had a loss. Why is it important to do it quickly?
Omri Kletter 10:04
We talked about on the webinar the full speed, right? We need to be ready to have better mechanisms of reporting and reconciliation. That’s for sure. I think the regulator will step in and ask more informed organizations to do so. It will also make us better aligned or better prepared for new technologies or new methodologies around money movement and reporting. And sometimes, by the way, claw back the money. I think one of the things that the industry definitely will do more is to find ways to have money recovery, even after loss. And, you know, post factum, asking organizations to do more around detecting new accounts that are usually the receiving end and then obviously, you know, cash it out with crypto or with other types of cashing-out techniques. I think this is critical to get things in order, in order later when regulation, or new technology, or a new type of payment will ask us to act much faster. So we are prepared to do it properly.
Craig Jeffery 11:07
Fraud follows speed, and speed matters in detection, because you can stop future events, you can sometimes call it back or stop it. Good points. The most frequently listed one is not really biased, in my opinion: this is use payment control services, I think largely referring to payment control services that the banks offer, but there’s certainly others. And this makes tremendous sense, that people would avail themselves of commercially reasonable procedures that are quite affordable to protect themselves. So any final words as we close out this discussion about fraud and controls, payment fraud?
Omri Kletter 11:43
First, I’m looking forward to seeing, obviously, how the industry will continue to evolve and how next year’s statistics look. As I’ve said also during the webinar, with 300 respondents, the live data that we are seeing across the globe is definitely aligned with that, so I can definitely echo what’s being done on data, and I would definitely treat it with professionalism. And also, I see many of the items there as a call for action. And I urge anyone who is listening to this podcast and would like to learn more, say, Omri mentioned record and replay, what does it mean? Can we really record what’s happening on these directories? Or talk about the regulator: hey, Omri, what’s going on in the UK? And what can we learn from Confirmation of Payee? I’m more than welcome to continue these discussions, reach out on LinkedIn or any other way. And we’ll find ways to make this just a first date.
Craig Jeffery 12:40
Very good. Well done, Omri. Thank you for joining me on the Treasury Update Podcast again. Really appreciate your comments, insight, and energy on this topic.
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.
Treasury Fraud & Controls Report
This research discovered how your fraud experiences and security practices have changed. Has your security framework been strengthened? Is your outlook as positive as the industry’s outlook on the threat of fraud? What security threats are on the rise?