Welcome to another edition of Condo Insider, Hawaii's show about association living. I've said it many times, but about 40% of our population lives in some form of association in the state of Hawaii. And this show is all about education, helping owners and board members alike, understanding their responsibilities, resources that are available to them, and to have interesting topics on industry matters. And we may have all read many, many times in the paper recently about cyber problems, cyber theft, people stealing IDs, passwords, money. And so today we have on our show one of my good friends and a very knowledgeable person about cyber security, Alan Crandall from Mutual of Omaha Bank. Thank you, Richard. Thanks for having me. Welcome here. Well, you know, a lot of people don't know about Mutual of Omaha Bank. First, tell us a little bit about yourself and who you are. For me, I'm the Western Regional Manager for Mutual of Omaha Bank. My territory is Colorado to Hawaii. I travel about 40 weeks out of the year around to the various areas that I have members of the bank working. And I've been doing community association banking for 27 years. Wow. And did your wife pay them to make you travel so much? Well, she's been to Hawaii so many times that she doesn't want to come anymore. I know your wife, she's a wonderful lady. That's a beautiful place and I enjoy coming here every time. Well, you know, for the longest time and for maybe more than a decade, I've heard people say, well, you know, we have some great local banks. You know, they do really well as far as our performance and ratings and security. And I've always heard that Mutual of Omaha Bank is not a local bank. How do you answer that? Well, we are actually local. Our parent company Mutual of Omaha Insurance has been here for over 50 years. We've been here active serving the AOA community for going on 12 years itself. We have approximately 1,400 AOA clients here in the islands.
And we've even created a branch here about six years ago in the One Kapiolani building, on the fourth floor. So we're here to serve the community. Well, I think sometimes it's the perception because, you know, traditional banks, for lack of a better word, they offer like car loans and all sorts of retail type services, which I don't think is your business model. No, no. For our Community Association Banking Group, we specialize in just this industry itself. We have over 100 employees on our team that handle about 28,000 communities across the country and almost 1,500 management companies and about 700 self-managed communities as part of that group. We process approximately one million assessment payments a month. So we are the nation's largest specialized group for Community Association Banking. So how would you define your products and services for a given, what is your differentiators with regard to, I don't want to say one bank versus another bank, but just kind of what are your products and services since you really specialize in association management? We have all the traditional products, of course, checking accounts and money market accounts and wealth management accounts for investments for a reserve fund. But really our strength is in the quality of our lockbox processing, which is processing assessments and providing that service at no cost to large communities and management companies. We provide interest on operating accounts, which many banks don't. They don't provide interest to community associations on their checking accounts. So there are some things that we do that set us off unique there. We also are very strong on the loan for community associations. We know there are associations out there that have significant problems in raising monies for roof repairs, decks and siding, which is about 80% of loans that we do. And we have several different products to service them, depending on what their specific needs are for that particular problem.
And our largest loan, I think we've done to date, is pushing $20 million. And so we've helped some associations out of some pretty difficult situations. And from a historical point of view, and you may remember this, we first met back in 2009, I think it was, we as a management company, I was the president of a local management company, and we all know we had the financial crisis in 2008 where all of a sudden more interest rates were high, the whole world changed overnight and the interest on even CDs dropped to a quarter of a percent, a half of a percent. So what we looked at as the banks locally, we wanted to charge more for lockbox services. And I was a much smaller company. We managed about 180 associations at the time. I remember doing an analysis in my small company that the analysis fees that banks proposed to charge for handling this lockbox bordered on close to $100,000 a year for all my clients combined, where I think your product might understand it correctly as you do that for free. Correct. Yeah, that's the way. We look to make our returns off the deposits the communities keep with us. And of our 28,000 plus communities, we have over four billion, that's with a B, billion dollars of community association funds, reserve funds primarily entrusted to us to protect and maintain and help support the activities that they need to run their communities. Well, in other terms I've heard, you know, like positive pay. What's positive pay? Positive pay is a product which is primarily for fraud prevention. And in fact, what happens is the management company, the large self-managed community, sends us a file that says we paid these 10 checks, these are the check numbers, this is the payee, this is the amount. And then when those checks come in, we compare the checks that we've received for that community to the list.
And if they don't show up on the list, then we contact the treasurer of the large community or the property management company and say, what do you want to do with this check? So for example, let's say there's check one through 10, and we get a check that's check 15. Well, check 15 was a fraudulent check. Normal situation for banks, they would just say that all the normal requirements is a small dollar amount. They process it through, typically of 25 hours to respond. If the association or the management company hasn't caught it, then it's very difficult to get those monies back. Whereas if you have positive pay, we identify it, no, that's a fraudulent check, we return it, we return it as fraudulent. So for simple terms, the management company is sending you their file of their checks they've created and the check register for lack of a better word. Correct. And when you process a check, you're comparing it to make sure that matches the file. So the payee and the amount, those types of things, and check numbers are all valid according to the file. Correct. And if so, you pay it. If not, which is great fraud protection. Correct. We also have a new product coming out called Mutual Pay, which is integrated with the software, the particular software that the management company is using. That allows them to automatically cut checks. We have a service where we cut and mail the checks. And as a component of that, the board can actually go online and approve checks. So the management company doesn't have to show up with a stack of checks and necessarily have the boards look through all the invoices to approve. They can go online, review the information, approve checks to be paid, and it's paid all automatically. 
Because the other thing I particularly liked about your technology going back then was that when an owner mailed in a check for payment to the lockbox and they forgot their coupon, you also had online the owner database of the management company that you could do research to help the management company be more efficient and give that owner credit for their payment quicker than have an exception go back to the management company and all this research. Right. If you have a homeowner that let's say they left on vacation and the husband thought the wife paid the assessment and the wife thought the husband paid the assessment, now they're on a cruise ship in the Mediterranean and it's coming up on their delinquent date, they can actually go online and do a one-time automatic payment and pay their assessments from wherever they are. As long as they have access to the internet, they can make their payment. And I don't know how to ask this question exactly precisely, but is your bank a stable bank? I mean, is it a safe bank? Oh, absolutely. We're a four or five-star rated bank power just depending on which bank rating system you use, we're at the top. And I'm assuming the insurance company decided to go into banking business and you're a subsidiary of Mutual of Omaha Insurance. Yeah, they are our parent and for those of your viewers who own Mutual of Omaha Insurance products, you in effect are owners of the bank because you own the mutual company, it's owned by its policyholders and therefore you are also an owner of the bank itself. And do you have retail products like mortgages and things like that? We do, but we don't offer them here. We offer them through our other branch system in other states in the country. We're not in every state. Our community association division has clients in, I think, up to 48 states now, but our other entities in the bank operate, I believe, 14 states.
Well, I know that your expertise, one of your many expertises, is cybersecurity and the fraud about that. And we're going to start this conversation, but in about two minutes we've got to take a break, so we'll get this started and we have the rest of the show to talk about something that's very important to all of us. But recently in the paper we had a condo association, self-managed, that had, I'm going to say, a quarter of a million dollar loss because someone was able to tap into their account at a bank, not your bank, and how does this happen? Typically it happens through social engineering where the cyber thieves have acquired one of the board members' online banking credentials for the bank that they work with. And so let's say you're the president of the bank, and I've, through social engineering and the use of Zeus, which is a form of Zeus, which is a keystroke logging program. So they log every keystroke you make. And so they caught you logging into your online banking program. I now have your user ID and password. Now I log into the bank as you. And I tell the bank to wire that money to Berlin, for example. The bank thinks that you, they think it's a legitimate instruction from you, as part of your banking services agreement, you're to protect your password. So the bank really didn't do anything wrong as far as they knew it was you telling them to wire it. One of the difficulties is if it's not a bank that specializes in community association banking, they don't realize that it's not usual for a community association to be wiring money to Moscow or Berlin or Beijing, for example. With us, we're very aware of that. This is our area of specialty in any kind of unusual wire activities. We make an actual phone call to the management company or to the board treasurer, the board president to confirm that they actually want to do that. And we have seen instances where the person says, what are you talking about? I'm playing golf with my brother.
What's this about? You're wanting somebody wants me to wire money somewhere. I have a very interesting story about this. And actually a story related to the security we use locally here. But we're going to take a short break for one minute. We'll be right back with Condo Insider. Hi, and thanks for watching Think Tech Hawaii. My name is Justine Espiritu and I host the Hawaii Food and Farmer series with my co-host Matthew Johnson of Oahu Fresh. Every week we bring on farmers as well as all the other individuals and organizations that help support a thriving sustainable food system. In fact, it's interesting to learn what others are doing so you don't have to be a Hawaii resident or producing food on Hawaii to be featured on the show, like today's guest, Wyatt Bryson of Jewels of the Forest and Michael Lab Solutions. Aloha, thank you. It's been a pleasure being on the show. I love seeing what you guys do and I really support your mission. And it's really nice being back in Hawaii. And thank you again. It's an honor. So you can see guests like Wyatt every Thursday at 4 PM on Think Tech Hawaii. Thank you. Aloha, welcome back to Condo Insider. We're talking about cyber security with Alan Crandall, Senior VP of Mutual of Omaha Bank and how your association funds may or may not be at risk because of all those bad people out there in the world trying to use technology and internet to get ahold of your money. And before we took the break, Alan was talking about people getting ahold of your password and they can transfer money to, for example, Moscow. And I wanted to tell this short story that for years I'd been a member of something called InfraGard. That's a private collaboration between the FBI and private business on internet security. And they told me the story of the controller for the head of the state of Kentucky who through social media they had determined that he loved dogs. And so they sent him like save the dog kind of a PDF.
But when they opened the PDF, they gave them access to the controller's computer. And then meanwhile, they ended up moving the money actually to the mainland, to the northeast. They had set up these people who were like make money, import, export business at home. And so they had these other people who were thinking they were working for coming and import, export, who were really cleansing the money and sending it off to the U.S. and off to Moscow. Yeah, they're called mules in the industry. They're a mule. And you capture them and you really have the nobody guy. You don't have the mastermind. And you can easily recruit those people on Craigslist and places like that. And you know what happens is that people just don't know and I can just tell you from my experience through InfraGard is that there's professional organizations out there trying to steal our government's secrets, trying to steal your money and security for your funds and your internet are important. But you did bring up this question. So people go in by password and transfer money. I know you have a token system. How does that work? We use a token system. It's really a third step authentication. It's a device where you can also have a small program that generates it on your computer. It generates another number. And it's a random number that's tied back to the bank's computer. So you enter your user ID, you enter your password, and then you generate this number. And it generates a new one. It's only good for about 30 seconds. Then you put that in and then now you're logged into the system. The typical cyber thief doesn't have that. And so they may have already, through the keystroke logger, gotten your user ID and password. But they'd never caught that third set of numbers because it's only good for 30 seconds. And so when they try to log in, they're not able to get in. Well, I think that's a great step.
I think also that you have protocol within your system that if someone did make a transfer, it's got to be validated by another employee of the company. And I think there's some other steps within that that provides broad protection that someone just can't log in. We also have an authorized contact list where we just don't take instructions from anybody in the company or from the association. It's only a specific list of people that they've provided to us. And it runs into issues when people change and they haven't updated that list. And somebody calls in and wants to give us an instruction. We won't accept the instruction because they're not on the list. So you have some great steps to that. But going back to the basic issue, we know that they come in, they want to get your password, they want to move the money. And so what do you think happened in this case with this local small self-managed association? Well, here's how it typically happens. And your viewers can do this as a homework assignment, is to go online and here in Hawaii and Google AOAO budgets, AOAO assessments, AOA construction plan, and see what people are putting on their websites. And what they're putting is what I call targeting information. So if I did that search and I find a community that says, we just got, they broadly announced on their website that we just received the last of our $1 million special assessment. The cyber thief now knows they have $1 million. So now they go and try to drill down and find out how can I get at it. And so they find out that this community, the controller, because on their website also has a list of contacts and the contact says, controller, and here's their user ID and password. Not user, but here's their phone number and their email address. They email them something like you talked about the PDF. It gets the keystroke logger on the computer, local computer there. When that person logged in to do online banking, that's how they captured their information.
It's that simple. And now they log in as that person, instruct the bank to wire the money out, cut a cashier's check and mail it to someplace. That all happened without the original user even knowing it's going on. Now some banking systems and for your viewership, they should check with your accounting programs. You need to ask your accounting provider, software provider, what happens if two people log into the same user ID and password at the same time? So you could be in as a legitimate user and me as the cyber thief have logged in and in the background, when your drive speeds up and your lights are blinking on your computer, you really don't know what's happening in the background. You're just doing your thing. Well, I could be on your computer at the same time if the software doesn't have a lockout feature. And that's one of the things that we upgraded our online banking system many years ago to add a lockout. As soon as two people, a second person logs in under the same user ID and password, both are locked out and they would have to contact the bank to have access again. So there are mechanisms out there to protect the association, but it's a matter of doing your homework and making sure you understand what security mechanisms are in place. And your viewers need to go to your bank and ask them, can you provide us with information about cyber security, et cetera? And this is the honest truth. If your local bank says cyber what, you need to change banks. The Federal Reserve has been warning banks about this as an issue for over 10 years and your bank needs to be up on that. I don't know if I heard this correctly from our producer, but did you say we have a call? Our question? Oh, we have a couple of minutes left. Okay, we have a couple of minutes left, what do you say? So anyway, what are the do's and don'ts you recommend for a board? Well, don't click on any links that you get from an email that you don't have any clue where it's from.
These guys are ambushers, it's an ambush. You may get an email that you think is from UPS, for example, and you go, I don't have any UPS stuff coming in, it's obviously fake, but what if they replace that with the IRS, sheriff, chief of police, you're more than likely to click on it and that's when you put it on there. So when in doubt, delete it, they'll contact you another way. The other one is to make sure that you have insurance to protect you from cyber theft of what I call third party cyber theft. You may have insurance that it's called cyber theft, but the attorneys will tell you that everything has a definition and this definition might be, well, if one of your employees steals it through electronic transfer, we're covered, but not if somebody's pretending to be one of your employees. It's a special type of insurance. The other one is to look at your websites. Is there any, now that you're thinking like a cyber thief, is there anything on our website that would lend somebody to think that we have money to come after and most communities have reserve funds? Don't put things on there specific to construction budgets. We have a $3 million construction budget for the construction this summer. You've just put targeting information on there that will lead them to you. Lead them to you. For the management companies, what you have to be concerned about is if one of your AOA customers is putting that information on the internet to attack your AOA customer, they have to attack the management company which now exposes all of your clients because now they're into your system and can see what all of your community clients have and may pick somebody else to attack now because they know they have more money to go after. So a really good question would be to take to your insurance agent. Now my question is what recourse to the condo owner who finds themselves a victim of identity theft, what recourse do they have?
Say they think they're paying their association fees and whatnot, not over a period of months. I'm getting a question online. Only to find out that it's going somewhere else. It hasn't gone to the association and now they're facing foreclosure or eviction. What recourse would that owner have? Well the question is, this is an owner saying, what recourse does an owner have if there's individual cyber thefts against them and where they think money is being paid to the association, it's really a cyber theft and the money's going not to the association, it's going to this offshore or this other person. So what recourse does an owner have? What can an owner do with regard to that? Well, it's typically a legal question. You would not need to talk to an attorney in your area and it can vary depending on the laws. In some states there are regulations that if a management company thought that they'd been penetrated, they have to monitor the credit for all of their member clients for up to 18 months. That's in one state. Other states, there's penalties. You really need to go and be able to verify that that's actually what happened. If the attack came through your management company or some other vendor, then there may be some liability to them. Again, you need to check with your attorney. But if the attack started with you, that they got into your system and when you thought your online banking was going to pay to your community and they changed it internally so that now got sent to them, your bank really didn't do anything wrong, your management company did anything wrong and it would pretty much fall on you at that point in my opinion. So they've got to do their homework. They've got to find out what caused the problem. You need to be alert.
Whether their computer was breached and so they're really, because they didn't have security created a problem, or whether the bank or the management company's security, somehow the payment was diverted, they didn't get credit and the owner did everything right, so they're going to have to do some homework. Correct. Do you know offhand whether homeowners can buy insurance to cover for cyber theft? I don't know on the individual level. I know management companies can. I know community associations can. People would need to check with their insurance company but make sure that they're defining it as third party where somebody's pretending to be them as opposed to a family member or an employee or a caregiver or somebody that you may have given access to your system and that person stole it, they may be covered but if it was somebody pretending to be that person they may not be and that's where you really need to sit down with your insurance professional. What I recommend to people is get everything in writing. I'm sure your attorneys would tell you as well. You don't want what I call selective memory. If they say you have it, say can you please send me a letter confirming where in my policy that I have that type of coverage? 'Cause if I heard the young lady who asked the question correctly, it's kind of like she thought her maintenance fee payments were being made and they weren't. So the association starts saying you didn't pass and they start threatening foreclosure could have been paid, which is probably true if the money got diverted. Correct. You know, what do they do? And I think the question is they need to get their homework done and find out where the problem began, what caused the problem. Yeah. And then they need to be asking questions of the management company, the bank and or their. Right. If the money truly went someplace else the management company never collected the money. It got, now the question is where did it go and how did it get there?
And if the root cause is with the individual homeowner then I don't know how much recourse they would have against anybody else. It's hard to answer these generic questions online but certainly not knowing the exact facts they should look at this carefully to see if the management company software had any influence on this and or the bank for some reason had some. Yeah, these guys Richard are really good. And the more money you have the more they're gonna dig for it. And that's why it's so important. Don't let them know you have it. Don't put stuff on your website. You may have a password protected website and that's great. These are the kind of guys that break into the Pentagon. These are the guys that break into Sony International. Your little program to protect logins for your homeowners is nothing to these people. I know board members wanna be transparent but you need to be prudent. If somebody wants a copy of a budget if somebody wants to know what's going on with the special assessment payment fine let them come into the office. We'll talk to you there. We'll give it to you there. Do not put it on a website where just anybody can see it. There's bad guys out there and they're very smart. They don't care about you. You're just a puzzle with a payoff on the end. You're a puzzle with a payoff on the end and they will wipe you out. And when you find yourself in a situation where you just collected that last dollar for that special assessment that was so painful for all your homeowners and that money now vanishes in less than 30 minutes. Guess what? You still gotta fix that roof. Those decks still need to get paid. It can devastate a community. You have to be aware. You have to be alert. It's gonna get worse. It's not gonna get better. My general experience is as follows and to be fair about this.
I think the larger management companies who are in this business who work with the major banks like yourself they probably have fairly strong security protocol to prevent this from happening. The real issue becomes the homeowner's computer. What have they done to protect their own computer? Number two, some of the smaller companies or if they're self-managed really haven't looked at this but more than simple transfers. So the ability to steal a username and password is much easier because they don't have the protocol in place for like the tokens, additional checks and balances. And the staff training and all that. And then number three, bad habits of going in and opening PDFs and from people you don't know and things like that. You kinda open the gate because they are tenacious and they are a major organization probably with hundreds of people spending time all over the world. They're actually criminal cartels organized to do this type of activity. They bring in tens of millions of dollars a year. So they can afford to buy protection in the countries that they're in. They can afford to buy McAfee and all these other virus protection softwares that some of you viewers might buy. These guys buy all of it too. So when they test their virus that's gonna be put on your computer they've already tested it against your system. They can buy everyone that's out there. And if you've told them that your community has three million in reserves and they think they can get at it they will design one specifically to beat your system because there's a puzzle with a payoff. There's a big payoff on the end. Well, I think the key word, we're coming to the end of the show, is that I would just say to everyone that it's an important topic. You can lose a lot of money and there's a certain responsibility to make sure your association funds are safe and owners just goes to your personal funds as well. Correct. And so you need to look at what security protocols in place.
Number one, number two you should be asking your insurance agent how are we covered? Do we have some pukas as you would say with respect to unknown third parties stealing it. And number three, you've got to learn the protocol. Now, Alan has promised me to send his 13 or 14 key steps with regard to protecting yourself. Anybody interested to send an email to condoinsider and I'll send you a copy of his notes with respect to this show and the things to watch out for. But it's all be on guard because cybersecurity is becoming a bigger and bigger threat to all of us. I do want to thank you Alan for being on the show today. Always very enlightening. I may have to have you come back this is a lot of interesting questions. I'd love to. I'd like to thank all of our viewers for watching Condo Insider. We'll see you again next Thursday at three o'clock. Aloha.