Author: ACFE Hawaii

July 2014 Luncheon

Edward Tavares, Information Technology Internal Audit Manager for Hawaiian Electric Industries, drew on his academic studies in enterprise computing, anti-terrorism, electronic tracking and surveillance, as well as his wide-ranging career at Verizon, BBN Communications and the U.S. Secret Service to discuss “Cyber Threats of Today and Tomorrow.. What Can We Do?”

Based on reports of incidents from 95 countries, cyberthreats in 2013 comprised more than 63,000 security incidents and 1,367 confirmed data breaches. While the universe of threats seems limitless, further analysis of 100,000 security incidents over the past 10 years showed that 92% of the breaches can be described by just nine patterns:

  • Point-of-sale intrusions
  • Payment card skimmers
  • Physical theft and loss
  • Web app attacks
  • Crimeware
  • Cyber-espionage
  • Denial of Service (DoS) attacks
  • Insider Misuse
  • Miscellaneous Errors

Ten years of lessons on cybersecurity have shown that breaches can affect all industries and all sizes of organization. The frequency of specific incidents varies by industry. For example, 75% of attacks on the Travel/Hospitality industry targeted Point of Sale devices and systems, while 75% of incidents in Financial Services came from web app attacks, Denial of Service, and card skimming. In the public sector, only four patterns accounted for 98% of attacks: 34% errors, 24% insider misuse, 21% crimeware, and lost/stolen assets (19%).

Attackers have gotten faster at breaching systems, and while defenders are also getting faster, they are falling farther behind. Many successful breaches are detected by third parties, such as law enforcement agencies, specialist fraud detection organizations, or even customers.

Questions that investigators and auditors can ask when investigating IT-related data:

  • What digital information do we have?
  • Where do we keep it?
  • What is the risk associated with that data?
  • Who has access to it?
  • When was it last accessed?
  • When it gets breached, how do you respond?

May 2014 Luncheon

Data Breach was a timely topic covered at our first joint luncheon with the Hawaii Chapter of ISACA – the Information Systems Audit and Control Association, held at the Pacific Club.

Our speaker was Addie Lui, the Information Security Officer at Hawaii National Bank, and ISACA’s chapter president. He covered a wide range of subjects, including:

  • Types of data to protect
  • Examples of data breach
  • Requirements to protect credit card information
  • Credit/Debit Card Scheme
  • Prevention Steps

Some basic tips for prevention: know your data and protect it according to risk; keep up with software updates; use complex passwords and change them often. Remember that banks or other companies do not need to know your password, and will not request it via email or phone. IT staff should not be able to see passwords in most systems.

More advanced prevention steps include: dedicating one computer to online banking or other financial transactions only; monitoring network traffic with intrusion detection and prevention devices; hiring an IT security firm to perform a vulnerability security assessment or penetration test on the network; using a whitelist security application to allow only approved and authorized software to be installed on computers; and being aware of suspicious activities, e.g. transmittal of files after hours.

March 2014 Luncheon

Always a popular speaker, FBI Special Agent Tom Simon discussed “Protecting the Nest Egg” with updates on a number of Hawaii investment fraud cases. Many of them involved fraudsters who convinced families to extract cash from the value of their homes, then invest in what they claimed to be high-yield investments.

They may provide the stated returns one or two times, just enough for their victims to spread the word about the apparently successful investment scheme they had stumbled upon. Predictably, the payouts stop coming. That’s when Simon gets the call from the victims.

He noted that 90% of his time is spent talking to victims, who want to talk about the end of the payouts. He tries to get them to focus on what the fraudsters said to them before they invested, and how they were convinced. The gap between what victims were promised vs. what actually happened is key to building the case against them.  While he wishes people would call to check on investments that seem too good to be true, he said this only happens 10% of the time.

He called on ACFE members, especially banking and financial professionals, to ask clients  “What’s going to happen to this money?” if they notice movements of large amounts.  This could help them open up the conversation about potential fraud, and possibly prevent one before it happens.

January 2014 Luncheon

Christopher D.W. Young currently serves as a Supervising Deputy Attorney General and Division Chief of the Criminal Justice Division, Department of the Attorney General, State of Hawaii. At our January 2014 luncheon, he focused his talk on the Fraud Examiners’ Role in Prosecuting Fraud. He advised those investigating fraud not to “get lost in the forest”: rather than trying to find all theft, look for obvious theft that can more easily lead to prosecution.

He described the 5 Steps for Developing a Provable Fraud Case:

  1. Find and understand policies and procedures. This includes organizational rules, bylaws, who has oversight over funds, legal duties (particularly fiduciary), board minutes and financial reports. It is critical to obtain evidence that the suspect was made aware of the rules, e.g. through training.
  2. Find the paper trail — both what exists, and what should be there but is missing. Missing documents could be an indication of intent to defraud.  Remember to track down documents that are not held by the suspect.
  3. Challenge the paper trail, verify what is documented.  This could involve checking with a third party vendor or finding backup documents.
  4. Apply records to the rules obtained in Step 1. Failure to comply or partial compliance, or exceeding authorization limits could be considered intent to defraud.
  5. Interview a potential suspect  only within the parameters of your organization’s existing administrative process.  Under no circumstances during fact-finding should you consult law enforcement on what types of questions to ask, as this makes you an agent of law enforcement, which requires that a suspect be read his or her Miranda rights. If you do interview, obtain agreement at the outset, e.g. establish that the person was aware of the rules before inquiring about specific details.  Record the interview if possible. Don’t accuse the person, allow him or her to provide an explanation and keep your reporting factual.

This forms the basis for a summary of findings, which the prosecutor can use to build his or her case.  He noted that felony charges — which could be for amounts as little as $20,000 — must be brought within three years of discovery, so time is of the essence. Do not delay reporting, as law enforcement has better tools for obtaining records and testimony.

 

November 2013

Cyber Crimes Investigator Chris Duque – a 30-year veteran of the Honolulu Police Department and now with the White Collar Crime Section at the City & County of Honolulu Department of the Prosecuting Attorney – shared what he has seen as he continues to focus on investigations through social media.

For example, sites such as eBay may be used as a fencing operation. The challenge is finding the person who actually committed the crime. In addition to tracking electronic footprints to find the people behind the user name, social media used in combination with what the criminal investigator knows about certain associates can be used as a tool to determine connections among various people.

Thus, real life crimes can be traced in the virtual world, then brought back to real life, leading to real prosecutions. For those in law enforcement, subpoenas can be used to find the actual people behind user IDs. Mr. Duque noted that the subpoena should not only include the person using the account, but also who is paying the bill. He noted that because technology allows multiple logins into the same account from various devices, one should be cautious about concluding who is actually posting information at specific times.

To keep up with Chris Duque’s ongoing activities, follow him online at:

September 2013

At our luncheon on September 19, Lt. John McCarthy gave attendees an update on Financial Crime Trends that he has seen this year. Some examples were:

  • Green Dot cards: A type of advance payment scheme in which victims receive what appears to be an award check.  However, prior to receiving the award, victims are told that they must pay “processing fees” by placing money on a Green Dot MoneyPak, a type of prepaid money card.  Once the money is on the card, the victim is instructed to tell the scammer the access code, which the scammer then uses to drain the MoneyPak.  This allows scammers to bypass traditional cash-wiring companies.
  • Credit card skimming on a global scale:  One of the largest financial crimes in Honolulu started with credit cards originally skimmed in Florida, sold to a group in Russia, and ultimately used by a group in Honolulu.  Within four days, scammers racked up $500,000 in purchases at high-end retailers.  The suspects were arrested and charged with 24 crimes in Hawaii, New York, Florida and other states on the West Coast.
  • Account takeovers: Usually the result of phishing, spyware or malware scams, an account takeover is the unauthorized use of a legitimate account that results in a loss of funds. Recently, Home Equity Line of Credit (HELOC) accounts have been commonly targeted in this scheme. In one example, a Capital One HELOC account was taken over when a signature block stored on a stolen cell phone was used to gain access to the account. Spear phishing, where malware on victims’ computers records keystrokes, is another common method of gaining online access to accounts.
  • Metadata on Facebook:  We all leave footprints on the Web when we use social media. Third-party software can extract metadata from pictures posted on sites such as Facebook to determine when or where a photo was taken and who took it, which can then be related to others in the area who took photos at the same time.
  • Bitcoin and Silk Road: Bitcoin is an Internet currency independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution and used around the world.  This has made it a handy tool for illegal purchases (such as drugs or guns) on online black markets such as Silk Road.  Transactions were anonymous and there was no way to trace or record their identities.  Silk Road was shut down by the FBI on October 2, 2013.

 

July 2013

Aloha Termite owner Shawn Murray gave our luncheon attendees a rare public discussion from a victim of fraud. His former office manager, JoAnn Rodrigues, a longtime friend and his son’s godmother, stole close to $1 million over a three-year period. Murray nearly lost his company, filed for bankruptcy, reduced his staff and cut pay for remaining employees. Since then Murray’s wife has been in charge of the company books.

His continuing challenge is his desire to trust his employees, while acknowledging that there is a need for additional controls. Our members provided him with valuable advice about protecting his interests so as to better provide for his employees over the long term. In addition, he was reminded that controls exist to help his employees make the right decisions. Murray noted that he did not expect to have any takeaways from making this speech, but was excited about writing down some of the ideas he was given.

May 2013

We were honored to have two guests at our previous luncheon: City & County of Honolulu Prosecuting Attorney Keith Kaneshiro, and Scott Spallina, Supervisor of the Elder Abuse Justice Unit. Attorney Kaneshiro noted some of the reasons the elderly are victimized:

  • Many are homeowners
  • They are often lonely
  • They have predictable habits regarding paychecks and spending
  • They are trusting
  • Many are physically or mentally handicapped

 

Perpetrators include not only contractors who target the elderly by not doing work they were paid to do, but also family members. For more information, check out this website: http://elderjusticehonolulu.com/

 

March 2013

At our March luncheon, we welcomed IRS Special Agent Derek Tubania, who shared examples of cases he has worked on, including techniques used to discover and investigate fraud. He graduated from the University of Hawaii and has been an IRS Special Agent for 20 years. While he has focused mainly on income tax cases, he also shared his experiences in cases involving money laundering and structuring.

January 2013

Our January luncheon featured Bill Kauppila, who talked about Fraud and Forensic Accounting. An adjunct professor at Chaminade University, he teaches Forensic Accounting & Fraud during the winter quarter (January to March). He spends the rest of the year in Seattle, Washington, where he teaches at Seattle Pacific University and maintains a personal consulting practice. He has been in the auditing profession since 1968.