TRANSCRIPT
Uncovering the Faces of Fraud
Jay McLaughlin, CISSP | GSEC
Senior Vice President, Chief Security Officer
Agenda
Understanding the Numbers
Examining How Fraudsters are Attacking Banks & Customers
LIVE DEMO – exploiting computers through website attacks
Preparing and Defending Against these Attacks
The Future State
Q & A
Account Takeover Fraud
Account takeover
Opportunistic & Non-Discriminative
Motivated by financial gain
By The Numbers
$4.9B reported ATO fraud in 2012 (69% increase)
$585K lost over the next 60 minutes
[Chart: reported ATO fraud losses ($B, bars) and a percentage series (line), 2006-2012; the label of the percentage series was not recovered]
Year   Losses   Rate
2006   $3.0B    0.33%
2007   $3.6B    0.43%
2008   $3.9B    0.52%
2009   $3.2B    0.45%
2010   $3.1B    0.41%
2011   $2.9B    0.36%
2012   $4.9B    0.60%
Source: “2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters.” Javelin Strategy & Research, February 2013.
Attack Scenarios
• Sophisticated phishing campaigns
• Watering holes leveraging popularly visited sites
• Drive-by-downloads via URL redirection
  - malware installed (ZeuS, SpyEye, Blackhole, Citadel)
  - configuration files contain many target banks/providers
  - polymorphic code used in generating variants
• Compromise OLB account
  - keylogging of credentials
  - stolen persistent HTTP cookies
  - session hijacking – “web injects”
The Actors
• Suppliers of the malware/Trojan
• Hosting providers
  - C&C, malicious sites, forums, downloaders
  - ex RBN, Real Host Ltd – bullet proof hosting
  - release of the source code/merger changed the model
• Botnet operators
• Criminal gangs utilize the malware
  - most often the ones arrested/indicted for ATO fraud
  - Hackers/Harvesters
  - Cashers
  - Mules
Post-Compromise: Techniques Being Used
• Trojans & DIY toolkits (e.g. ZeuS, KINS, Citadel, Blackhole)
• Watching behavior: spending more time examining account activity
• Exploiting compromised targets, tunneling traffic through the victim’s own system
• Attempting to appear as originating from the victim
Financially Motivated
Attacking the customer
• Phishing and social engineering attacks continue to rise
• 29% of attacks referenced in the Verizon DBIR were tied to social tactics
• APWG reported that 720 FIs were “targeted” with phishing in Q1-Q2 2013
Abusing the Mules
Please log in to the Internal Management system every morning at 9.00a.m. Monday through Friday to check incoming messages and possible updates in the Document folder.
I have Dr appointment Friday morning at 7:45 am, but I will have my cell phone with me to check the dashboard frequently.
Thank you updates. Please pay extra attention to account number and routing numbers. Call your bank if you are not sure the routing numbers are correct! REMEMBER if this information is incorrect, you won't be able to perform your duties efficiently and we won't be able to pay you your salary on time!
I will withdraw as soon as possible. This job is much more important than my other one.
I'll very quitting this retail job as soon as the holidays are over.
Abusing the Mules
Please complete the assignment today asap.
Walmart rejected my transfer based on her own suspicions. It was ridiculous. She just refused me service. What should I do? Should I western union it instead?
Dear Mary, I'll setup new assignment.
It's complete via moneygram. I just went to a different walmart. I just sent you all the details.
Bouncing Transactions
Funds quickly “bounced” through several FIs and ultimately out of the country
• Open new accounts – auto enrollment
• Link to compromised accounts – micro-deposit verification
• Transfer funds – ACH-debit the account
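The three steps above (open a new account, link it to a compromised account via micro-deposit verification, ACH-debit the victim and push the funds on) form a pattern a financial institution can look for on the receiving side. The following is an added example, not material from the presentation: it runs over a constructed account-event timeline and flags accounts that complete all three stages, in order, shortly after opening and pass nearly everything they pulled in straight back out. Event kinds, the three-day window and the pass-through ratio are assumptions chosen for illustration.

```python
# Added example (not from the presentation): detecting the "open account ->
# link external account -> ACH-debit -> move funds out" pattern over a
# constructed account-event timeline.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccountEvent:
    account: str
    ts: datetime
    kind: str            # "opened", "external_link_verified", "ach_debit", "outbound_transfer"
    amount_cents: int = 0
    counterparty: str = ""


# "external_link_verified" stands for a completed micro-deposit verification.
FUNNEL_STAGES = ("external_link_verified", "ach_debit", "outbound_transfer")


def find_funnel_accounts(events, window=timedelta(days=3), min_passthrough=0.8):
    """Return {account: details} for accounts that complete all three funnel
    stages, in order, within `window` of being opened and push out at least
    `min_passthrough` of what they pulled in via ACH debit."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)

    flagged = {}
    for account, evs in by_account.items():
        opened = next((e.ts for e in evs if e.kind == "opened"), None)
        if opened is None:
            continue                      # account predates the timeline; not a "new account" case
        in_window = [e for e in evs if e.kind in FUNNEL_STAGES and e.ts - opened <= window]
        first_seen = {}
        for e in in_window:
            first_seen.setdefault(e.kind, e.ts)
        if any(stage not in first_seen for stage in FUNNEL_STAGES):
            continue
        if not (first_seen["external_link_verified"] < first_seen["ach_debit"]
                < first_seen["outbound_transfer"]):
            continue
        pulled = sum(e.amount_cents for e in in_window if e.kind == "ach_debit")
        pushed = sum(e.amount_cents for e in in_window if e.kind == "outbound_transfer")
        if pulled == 0 or pushed / pulled < min_passthrough:
            continue
        flagged[account] = {
            "hours_open_to_outbound": (first_seen["outbound_transfer"] - opened).total_seconds() / 3600,
            "pulled_cents": pulled,
            "pushed_cents": pushed,
            "debited_from": sorted({e.counterparty for e in in_window if e.kind == "ach_debit"}),
        }
    return flagged


def sample_events():
    """Constructed timeline: one legitimate new account, one funnel account."""
    t0 = datetime(2013, 6, 3, 9, 0)
    return [
        # legitimate account: opened, links an external account, a deposit arrives two weeks later
        AccountEvent("acct-legit", t0, "opened"),
        AccountEvent("acct-legit", t0 + timedelta(days=1), "external_link_verified", counterparty="ext-0001"),
        AccountEvent("acct-legit", t0 + timedelta(days=14), "ach_debit", 150000, "ext-0001"),
        # funnel account: opened, links two victim accounts, debits both, wires it out within a day
        AccountEvent("acct-new", t0, "opened"),
        AccountEvent("acct-new", t0 + timedelta(hours=2), "external_link_verified", counterparty="victim-A"),
        AccountEvent("acct-new", t0 + timedelta(hours=3), "external_link_verified", counterparty="victim-B"),
        AccountEvent("acct-new", t0 + timedelta(hours=26), "ach_debit", 480000, "victim-A"),
        AccountEvent("acct-new", t0 + timedelta(hours=27), "ach_debit", 320000, "victim-B"),
        AccountEvent("acct-new", t0 + timedelta(hours=30), "outbound_transfer", 790000, "intl-bank-X"),
    ]


if __name__ == "__main__":
    for account, details in find_funnel_accounts(sample_events()).items():
        print(account, details)
```

The legitimate account never trips the rule because its inbound ACH arrives outside the window and nothing leaves; the window and pass-through threshold are the two knobs an analyst would tune against real volumes.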
Building a Layered Security Model
Defense-in-depth (“deep” or “elastic”)
• Derived from traditional military strategy: requires that a defender deploy resources at and well behind the front line
• Reliance on any single control or mitigating factor is not sufficient
• Prevents shortfalls in any single defense control
Authentication Controls
Transaction-based Controls
Behavioral-based Controls
Endpoint-centric Controls
Account Activity Controls
Fighting Account Takeover Fraud
Biometrics Solve 2F Challenges?
“Something You Are” leverages customer behaviors & attributes
• Voice printing, gesture recognition, human kinetics, heart beat sensors
• Cadence of gesture, pattern identification, pressure, etc.
Out-of-Band Transaction Authorization
Out-of-band authentication means that a transaction initiated via one delivery channel (e.g. online) must be re-authenticated or verified via an independent delivery channel (e.g. telephone) before the transaction can be completed.
Out-of-band authorization can be extremely effective in protecting customers against financial malware attacks and Trojans.
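An added example of the flow just described (not the presenter's code, and not tied to any vendor product): the transfer is recorded as pending when it is initiated online, a one-time code is sent on an independent channel together with the amount and recipient as the server recorded them, and the transfer executes only when that code comes back within its lifetime. Delivery of the message is simulated, the code lifetime and attempt limit are assumptions, and the injectable clock exists only so expiry can be exercised.

```python
# Added example (not from the presentation): out-of-band transaction authorization.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingTransfer:
    txn_id: str
    amount_cents: int
    recipient: str
    created_at: float
    code: str          # delivered out of band; held here only because delivery is simulated
    attempts: int = 0


class OutOfBandAuthorizer:
    CODE_TTL_SECONDS = 300   # assumed lifetime of the one-time code
    MAX_ATTEMPTS = 3         # assumed attempt limit before the transfer is discarded

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}

    def initiate(self, amount_cents, recipient):
        """Record the transfer as pending; return its id and the message for the independent channel."""
        txn = PendingTransfer(
            txn_id=secrets.token_hex(8),
            amount_cents=amount_cents,
            recipient=recipient,
            created_at=self._now(),
            code=f"{secrets.randbelow(1_000_000):06d}",
        )
        self._pending[txn.txn_id] = txn
        # The message repeats amount and recipient exactly as the server recorded them,
        # so a customer whose browser view was altered by a web inject sees the mismatch
        # on the second channel and can decline rather than enter the code.
        message = (f"Confirm transfer of ${amount_cents / 100:,.2f} to {recipient}. "
                   f"Code: {txn.code}. Ignore this message if you did not request the transfer.")
        return txn.txn_id, message

    def simulated_channel_code(self, txn_id):
        """Stand-in for the independent channel (SMS, call): what the customer would receive."""
        return self._pending[txn_id].code

    def confirm(self, txn_id, submitted_code):
        """Return 'approved', 'rejected', 'expired', 'locked' or 'unknown'.
        The transfer should be executed only on 'approved'."""
        txn = self._pending.get(txn_id)
        if txn is None:
            return "unknown"
        if self._now() - txn.created_at > self.CODE_TTL_SECONDS:
            del self._pending[txn_id]
            return "expired"
        txn.attempts += 1
        if not hmac.compare_digest(txn.code, submitted_code):   # constant-time comparison
            if txn.attempts >= self.MAX_ATTEMPTS:
                del self._pending[txn_id]
                return "locked"
            return "rejected"
        del self._pending[txn_id]        # single use: a replayed code cannot approve a second time
        return "approved"


if __name__ == "__main__":
    auth = OutOfBandAuthorizer()
    txn_id, message = auth.initiate(250000, "ACME Supplies")
    print(message)
    print(auth.confirm(txn_id, auth.simulated_channel_code(txn_id)))
```

The two properties that make the control effective against malware on the customer's machine are visible in the code: the code is bound to a server-side record of the transaction rather than to whatever the browser displays, and it is single-use with a short lifetime, so a keylogger that captures it gains nothing.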
Points of Interest - 2013
• 93% – Percentage of fraud prevented by controls
• 22.1M – Fraudulent transactions reported in 2013
• $0 – Sum of account takeover fraud where out-of-band controls were defeated
• 129 – Reported fraud cases in 2013 involving high-risk transactions (314 total)
• 12:00 (Noon) – Period of the day when fraudulent activity was most often attempted
• 52% – Percentage of cases where account takeover attacks utilized stolen browser cookies
Detection ≠ Prevention
Detecting fraudulent transactions after the fact is a reactive approach and is simply ineffective.
Real-time detection enables institutions to PREVENT the loss of funds.
Dynamic models can evolve with each user’s behavior and are effective in identifying anomalies.
Login Behavior
• Attributes of login: geo-location, source address
Transaction Behavior
• Transaction behavioral models: Dom/Intl wire, ACH, payroll, external transfer
• Transaction policies
• Recipient monitoring
• Modifications to templates
Endpoint Interrogation
• User-Agent strings, HTTP headers, device ID
• Reputation analysis, malware detection
Risk & Fraud Analytics
• Behavioral scoring, combining the login, transaction and endpoint signals above
Real-time fraud alerts provide the opportunity for financial institutions and account holders to stand ready
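To make the combination of login, transaction and endpoint signals concrete, here is an added example (not the presenter's or any vendor's model): a per-user profile, a weighted set of risk reasons, and a decision taken before the transaction executes. It also covers the stolen-cookie case from the attack scenarios by binding each session to the device seen at login and scoring a session that is later presented from a different device. The weights, thresholds, field names and the sample profile and events are all constructed for illustration.

```python
# Added example (not from the presentation): real-time behavioral scoring over
# login, transaction and endpoint signals, with a constructed profile and events.
from dataclasses import dataclass, field


@dataclass
class Profile:
    user: str
    usual_countries: set
    known_devices: set
    known_recipients: set
    typical_transfer_cents: int
    session_devices: dict = field(default_factory=dict)   # session_id -> device_id seen at login


@dataclass
class Event:
    kind: str                  # "login" or "transfer"
    country: str               # from geo-location of the source address
    device_id: str             # from endpoint interrogation (device ID, User-Agent, headers)
    session_id: str            # the session cookie presented with the request
    recipient: str = ""
    amount_cents: int = 0
    failed_logins_last_hour: int = 0


WEIGHTS = {                    # assumed weights; a real model would learn these per user
    "new_country": 35,
    "unknown_device": 25,
    "session_device_mismatch": 50,   # cookie presented from a device other than the one that logged in
    "failed_login_burst": 15,
    "new_recipient": 20,
    "amount_outlier": 20,
}
STEP_UP_AT = 35                # assumed threshold: require out-of-band confirmation
BLOCK_AT = 70                  # assumed threshold: hold the activity and alert


def score_event(profile, event):
    """Return (score, reasons) for one login or transfer against the user's profile."""
    reasons = []
    if event.country not in profile.usual_countries:
        reasons.append("new_country")
    if event.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    bound = profile.session_devices.get(event.session_id)
    if bound is not None and bound != event.device_id:
        reasons.append("session_device_mismatch")
    if event.failed_logins_last_hour >= 3:
        reasons.append("failed_login_burst")
    if event.kind == "transfer":
        if event.recipient not in profile.known_recipients:
            reasons.append("new_recipient")
        if event.amount_cents > 3 * profile.typical_transfer_cents:
            reasons.append("amount_outlier")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile, event):
    """Score the event and decide before it executes; returns action, score, reasons and the customer alert."""
    score, reasons = score_event(profile, event)
    if score >= BLOCK_AT:
        action = "block_and_alert"
    elif score >= STEP_UP_AT:
        action = "step_up_out_of_band"
    else:
        action = "allow"
    if event.kind == "login" and action != "block_and_alert":
        profile.session_devices[event.session_id] = event.device_id   # bind the session to its device
    alert = f"{event.kind} from {event.country} flagged: {', '.join(reasons)}" if reasons else None
    return {"action": action, "score": score, "reasons": reasons, "customer_alert": alert}


def sample_profile():
    """Constructed profile for a domestic customer with two known devices and two payees."""
    return Profile("alice", usual_countries={"US"}, known_devices={"dev-home", "dev-phone"},
                   known_recipients={"electric-co", "landlord"}, typical_transfer_cents=120000)


def sample_run():
    """Constructed event stream: normal use, then a stolen-cookie transfer, then travel."""
    profile = sample_profile()
    events = [
        Event("login", "US", "dev-home", "sess-1"),
        Event("transfer", "US", "dev-home", "sess-1", recipient="landlord", amount_cents=120000),
        Event("login", "US", "dev-home", "sess-2"),
        # the sess-2 cookie is now presented from an unknown device in another country
        Event("transfer", "RO", "dev-unknown", "sess-2", recipient="new-payee-ltd", amount_cents=500000),
        Event("login", "GB", "dev-phone", "sess-3"),   # the customer travelling with a known device
    ]
    return [decide(profile, e) for e in events]


if __name__ == "__main__":
    for result in sample_run():
        print(result)
```

The stolen-cookie transfer accumulates every reason and is blocked outright, while the travelling customer on a known device only gets a new-country reason and is routed to out-of-band confirmation instead of being refused, which is the frictionless balance the talk argues for.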
Engaging the Customer
• Users must play a part and participate in fighting fraud
• Real-time alerts delivered to a victim are timely and provide the opportunity to alert the financial institution of activity
• Transactional alerting – ex: creation, authorization
• Changes to profile settings
• Security event alerts – ex: pwd changes, failed logon attempts
The Future: Frictionless Security
Need transparent and frictionless security models
• The best security features are ones the end user doesn’t see or experience
• Continue to build on behavioral analytics
• Must begin to take security-related decision making out of the hands of the end user
Closing Thoughts
• Attackers will always modify their approach to maneuver around the control measures put into place
• Establish an effective strategy that employs multiple layers of protection
• The threat landscape is continuing to evolve
• Security is NOT perfect – it requires accountability
• Proper assessment of risk is critical!
Questions
Declare var $question;
Declare var $response;
if $question >= '1' then
    $response = 'answer'
else
    $response = 'thankyou'
end if;