© 2009 SECUREMATRIX : PROPRIETARY & CONFIDENTIAL Page 1 Welcome ! We have something for everyone here !

Posted on 22-Dec-2015 (48 pages)

TRANSCRIPT

Page 1

Welcome !

We have something for everyone here !

Page 2

YOU ARE ALL WINNERS !

The graphic on this slide has been deleted from this presentation. You may follow the link below to view the cartoon.

http://www.cartoonstock.com/cartoonview.asp?catref=grin691

Page 3

THOUGHTS TO SET THE TONE

It is human nature to think wisely and act foolishly.

- Anatole France (1844 - 1924)

Page 4

“ to provide the most trusted information security services in the world.”

Threat of frauds in online transactions

Preventing Fraud When Transacting Online

Page 5

Secure Matrix India Private Limited specializes in IT & IS Audit, Security Consulting and Technical Security Services across all industry and business segments

We are headquartered in Mumbai and operate a Technology Centre cum Security Lab out of Pune. We have offices in Delhi and Chennai. International locations are London, Dubai and Atlanta.

Our management and consulting team comprises professionals certified in Information Security and in Governance, Risk and Compliance, with extensive industry experience covering Technology, Banking, Finance, Government, Media & Entertainment, etc.

An extensive service offering includes Technical Security Services for Vulnerability Assessment, Penetration Testing, Application Security, Cyber Forensics, off-site and on-site Security Monitoring and Management.

[Organisation chart: Secure Matrix India Pvt Ltd - Headquarters Mumbai; Technology Centre Pune; Regional Offices Delhi and Chennai; wholly owned (100%) subsidiaries Secure Matrix UK, Secure Matrix USA and Secure Matrix UAE]

Page 6

A man is his own easiest dupe, for what he wishes to be true he generally believes to be true.

CONSIDER THIS…

Page 7

Agenda: fraud threats online, and a discussion of prevention

Page 8

The internet provides convenience, speed and efficiency in transactions with internal or external customers, vendors and government, and its use is growing exponentially.

Every query at the public interface can be a risk - malicious hacker ? malicious insider ? ignorant user ? smart hobbyist ? human error ? trojan / logic bomb (command / plant)?

Let’s keep our fingers crossed – it is a legitimate user knocking at your door and not one of the above !

Page 9

THREATS, FRAUDS, SCAMS …. IT’S ALL OVER

The fraud can start in a parking lot …

The parking ticket has a website address where you will get details of the violation and pay the fine. On the site you are asked to install a toolbar that will enable the incident to be processed. Of course, you are expected to provide some personal info and use your credit card to pay the fine !

….. The rest is left to your imagination.

Even governments can be scammed ….

The State of Utah paid $2.5 m into a scam bank account. Key loggers had captured information that was then used to create and pay fake invoices. Luckily the transactions were spotted by a bank manager and the department managed to recover about $1.8 m.

Page 10

Starting off we take a look at some numbers …..

Page 11

SOME FACTS & FIGURES

Internet Crime Complaint Center

Complaints received: 2007: 206,884; 2008: 275,284 (+33.1%)

Total $ loss: $265 million; median loss $931 per complaint

Fraud delivery mechanism: Email 70%, Webpage 25%

Victims: 55.4% male. Perpetrators: 77% male, from CA, FL, DC, TX, WA

Men lost more money than women … $1.69 for every $1

Page 12

More than 75% of all malicious threats were aimed at compromising end users for financial gain

China accounted for almost half of all malicious activity within Asia Pacific

Symantec created 1,656,227 new malicious code signatures - a 265% increase over 2007

Malicious code development is now a professional business, supporting the demand for goods and services that facilitate online fraud

Variants of existing threats are the preferred and most cost-effective way to create new attacks, instead of creating totally new threats

- Symantec Internet Security Threat Report Volume XIV

2008 POINTERS…

Page 13

Categorization of Motives of Cyber Crimes (No of Cases):

Revenge / Settling scores: 13
Greed / Money: 62
Extortion: 2
Cause Disrepute: 25
Prank / Satisfaction of Gaining Control: 0
Fraud / Illegal Gain: 216
Eve Teasing / Harassment: 56
Others: 85

Perpetrators (No of Cases):

Foreign National / Group: 8
Disgruntled Employee / Employee: 23
Cracker / Student / Professional learners: 46
Business Competitor: 65
Neighbours / Friends & Relatives: 70
Others: 151

- National Crime Records Bureau Report 2009

SOME FACTS & FIGURES (INDIA – breakdown for 2007)

Cybercrime Cases registered under IT Act in 2007 increased 53% over 2006

Page 14

SOME FACTS & FIGURES (INDIA – citywise breakdown for 2007)

City: Total cases

Bhopal: 163
Bangalore: 41
Pune: 14
Mumbai: 10
Kochi: 9
Nagpur: 8
Delhi: 5
Vijayawada, Chennai, Amritsar, Lucknow, Ahmedabad, Ludhiana, Patna, Kolkata, Kanpur, Indore (combined): 23

Total: 273

Page 15

Malicious users in India yet to reach a high level of sophistication.

This does not remove the risk of the “foreign hand” that we are always referring to… in this case the “FH” will refer to USA, Russia, China and a number of Eastern Europe countries

Examples of outsourced malicious work in India: an Indian IT worker may be coding for an overseas buyer; a team works on 'captcha' breaking.

EVERYONE LOSES

Page 16

No. | City | Revenge / Settling Scores | Greed / Money | Extortion | Cause Disrepute | Fraud / Illegal Gain | Eve Teasing / Harassment | Others | Total
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | Bhopal | 0 | 0 | 0 | 0 | 158 | 3 | 2 | 163
2 | Bangalore | 1 | 25 | 0 | 1 | 5 | 9 | 0 | 41
3 | Pune | 1 | 4 | 0 | 5 | 2 | 2 | 0 | 14
4 | Mumbai | 0 | 0 | 0 | 1 | 0 | 7 | 2 | 10
5 | Kochi | 0 | 2 | 0 | 0 | 0 | 1 | 6 | 9
6 | Nagpur | 1 | 0 | 0 | 2 | 1 | 4 | 0 | 8
7 | Delhi (City) | 0 | 4 | 0 | 0 | 0 | 0 | 1 | 5
8 | Vijayawada | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 4
9 | Chennai | 2 | 0 | 0 | 0 | 1 | 0 | 1 | 4
10 | Amritsar | 0 | 3 | 0 | 0 | 0 | 0 | 1 | 4
11 | Lucknow | 1 | 0 | 2 | 0 | 0 | 0 | 0 | 3
12 | Ahmedabad | 0 | 1 | 0 | 0 | 0 | 0 | 2 | 3
13 | Ludhiana | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 2
14 | Patna | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
15 | Kolkata | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1
16 | Kanpur | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1
17 | Indore | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1
Total (Cities) | | 6 | 42 | 2 | 9 | 179 | 22 | 13 | 273

SOME FACTS & FIGURES (INDIA – citywise detailed breakdown for 2007)

Page 17

IN THE NEWS FOR THE WRONG REASONS

• Get-Rich Quick
• Work-at-home
• 419 Scams
• Lottery Winners
• Online Pharmacies
• Phishing
• Spear Phishing
• Hoax Bomb Threats
• Stolen Credit Card
• Data Manipulation
• Data Leakage
• Impersonation / Identity Fraud
• Brand Hijacking
• Job Frauds
• Marriage
• Sale frauds
• Stock Scams
• Online Degrees
• Check Cashing / Fraud
• Domain Name Renewal

Page 18

Lottery scam attempt at ACFE !

The fraudster seems to be too intelligent for his own business !

HOT OFF THE PRESS….

Page 19

Get Rich Quick

Me Smartest of Them All

Lucky Me !

No One Can See Me

It Can’t Happen To Me

He Was a Fool He Got Caught

KEYWORDS

Page 20

Institutions are drawn into the fraud due to the omissions and commissions of their constituents

Institutions may be contributing to their fraud threat quotient due to lax security practices and a laissez faire attitude towards IT security / risk management / awareness

Effort and resource cost cause losses to both customers and institutions (even if the money is recovered). Investigation and recovery is expensive! Add the cost of loss of credibility and brand / image value.

EVERYONE LOSES

Page 21

Malicious Insider … is by far the biggest threat and source of frauds on connected and non-connected systems.

Credit Cards … stolen cards used online

Letters of Credit … investor is offered a highly discounted "purchase" price

Ponzi Schemes … a high interest rate is offered and is paid from investor money in the beginning. The scheme falls apart after some time and the scamster disappears

Identity Data Theft … provides personal information to the fraudster, who can then engage in phishing, vishing, spear-phishing

THREATS & FRAUDS …

Page 22

Money Laundering & Money Mules … individuals are conned into working to launder money and become part of the criminal network

Re-shipping … similarly, individuals become part of a criminal chain by accepting and shipping stolen goods

FRAUDS…

Page 23

Check Fraud … a lawyer is asked to cash a high-value check and remit the funds after deducting handling fees. The check clears, the lawyer waits 5 or 10 days for a cleared balance and then remits the funds. A month later the bank reverses the amount, because the check was fraudulent!

A variation is when an individual is "hired" as a 'payment processor' and receives checks that he/she cashes and transfers to other accounts. The checks are usually stolen and the individual becomes part of the crime as a "Money Mule".

FRAUDS…

Page 24

Mobile Phone Insurance … UK consumers get calls offering cheap insurance for a newly purchased phone. The caller asks for card information and the card is then used fraudulently.

Medical Insurance … a customer purchased a policy online and when he made a claim it was rejected, since he had not declared his medical condition at the time of purchasing the policy; the agent had sold the policy without providing proper information, or had sold inadequate cover.

Insurance frauds … false declarations and staged accidents against insurance purchased online (healthcare, auto insurance).

Stock market … forums and spam send out recommendations and the whole world starts discussing how "hot" that scrip is. Of course, everyone buys and it tanks once the scamster has made his million.

FRAUDS…

Page 25

PHISHING … the nemesis of modern day transactions

Banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers.)

- Gartner

I would highly recommend not entering a PIN number anywhere on the Internet, unless it was hardware based.

- Avivah Litan, Analyst at Gartner

Page 26

STOCK MARKET FRAUD THREATS

Threats are lurking for the gullible investor at every corner…
• Investment Newsletters … hyping stocks, false information, company promotion
• Bulletin Boards / Forums … discussions are very heated and dubious
• Spam … mass mailing

Typically these are called "Pump and Dump" scams, since they work to build hype around a 'dabba' (shell) company to push up the share price. The scammer sells and exits, and the share price tanks!

October 2000:A bogus online press release caused Emulex Corp., a California firm that designs and develops fiber optics, to lose more than $2 billion in value during a single day of trading.

It stated that the company was reducing its earnings estimates and that its chief executive was stepping down.

A 23-year old student used a computer at his community college to distribute the release and earned a $240,000 profit from the resulting price fluctuations before he was caught.

Page 27

Spear Phishing (report of Jun ‘09)

The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks.

If the victim logs in to a bank that requires two-factor authentication -- such as the input of a one-time pass phrase or random number from a supplied hardware token -- the Trojan re-writes the bank's Web page on the fly, inserting a form that requests the information.

http://isc.sans.org/diary.html?storyid=6511
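A server-side check a bank can run against what its own login page looked like once rendered in the customer's browser, as an added example; this is not code from the original deck or from the ISC report linked above. It assumes (assumption) that the bank's page carries a small script which reports the rendered form markup back to the server, that the genuine login form is known to carry exactly the inputs username, password and csrf_token (illustrative names, not a real bank), and that both HTML samples are constructed here: the second is the first page after a web-inject of the kind the report describes, with an extra field asking for the one-time code from the token.

```python
from html.parser import HTMLParser

# Assumed baseline (illustrative, not a real bank): form id -> the exact input
# names the genuine login page renders. Anything else is a deviation.
BASELINE_FORMS = {
    "login": {"username", "password", "csrf_token"},
}

# Label wording a web-inject typically uses to harvest a second factor.
SECOND_FACTOR_WORDS = ("one-time", "one time", "otp", "token", "pass phrase",
                       "passcode", "security code", "pin")


class FormFieldCollector(HTMLParser):
    """Record, for each <form id=...>, its named inputs and its label text."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id -> {"inputs": set, "labels": list}
        self._form = None        # id of the form currently being parsed
        self._in_label = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("id") or "<anonymous>"
            self.forms.setdefault(self._form, {"inputs": set(), "labels": []})
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            if kind not in ("submit", "button", "reset", "image") and a.get("name"):
                self.forms[self._form]["inputs"].add(a["name"])
        elif tag == "label" and self._form is not None:
            self._in_label = True

    def handle_data(self, data):
        if self._in_label and self._form is not None:
            self.forms[self._form]["labels"].append(data.strip().lower())

    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False
        elif tag == "form":
            self._form = None


def find_injected_fields(html):
    """Compare a captured copy of the rendered page against BASELINE_FORMS.

    Returns a list of (finding, form_id, detail) tuples; an empty list means
    the page still matches what the server originally sent."""
    parser = FormFieldCollector()
    parser.feed(html)
    findings = []
    for form_id, seen in parser.forms.items():
        expected = BASELINE_FORMS.get(form_id)
        if expected is None:
            # A whole form the server never sent, e.g. an overlay dialog.
            findings.append(("unknown-form", form_id, ""))
            continue
        for name in sorted(seen["inputs"] - expected):
            findings.append(("unexpected-input", form_id, name))
        for name in sorted(expected - seen["inputs"]):
            findings.append(("missing-input", form_id, name))
        for label in seen["labels"]:
            if any(word in label for word in SECOND_FACTOR_WORDS):
                findings.append(("second-factor-prompt", form_id, label))
    return findings


# Constructed sample: the genuine login page as the bank's server sent it.
GENUINE_PAGE = """
<form id="login" action="/login" method="post">
  <label for="u">User ID</label> <input id="u" name="username">
  <label for="p">Password</label> <input id="p" type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same page after an in-browser web-inject has added a
# field asking for the token code, in the place the trojan would put it.
INJECTED_PAGE = GENUINE_PAGE.replace(
    '<input type="submit"',
    '<label for="t">Enter the one-time code from your token</label>\n'
    '  <input id="t" name="otp_code">\n  <input type="submit"',
)

if __name__ == "__main__":
    print("genuine :", find_injected_fields(GENUINE_PAGE) or "no deviation")
    print("injected:", find_injected_fields(INJECTED_PAGE))
```

This is a detection signal, not a control: a trojan with full control of the browser can also tamper with the reporting script, so the finding is only trustworthy in so far as it reaches the server at all, and the server already knows the field was never in the page it served. It does not stop a code that has been harvested from being used; for that the one-time code has to be tied to the specific transaction rather than to the login.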

Page 28

Continuous network monitoring … internal and external; automated / manual; planned and periodic Vulnerability Assessment / Penetration Testing on infrastructure and Web Applications

Device based monitoring … systems (FW/IDS/IPS/UTM)

Logging and log analysis … use of SIM/SIEM tools

Proactive Incident Management … to identify, contain, learn and update

Backup, Patch, Change Management, Continuity and Recovery … use appropriate technologies and processes with regular testing schedules and drills

Secure Software Development … build security in; purchase software that has undergone security testing

PREVENTION– Corporate / Institutional Vigilance

Page 29

IF IT SOUNDS TOO GOOD TO BE TRUE ……… IT’S NOT TRUE !

Page 30

NIGERIAN SCAM or 419 SCAM … was a $ 5 billion industry in 1996 !

"419 fraud" is so called after Section 419 of the Nigerian Criminal Code, the section that specifically prohibits this type of crime

Variations of the scam mails carry an ‘emotional’ appeal

- Deposed leaders and their families (widows, sons) and associates (aides, lawyers)
- Over-invoiced contracts and government employees (NNPC, Central Bank of Nigeria)
- Forgotten accounts, wills and inheritances, death-bed claims of wealth
- Trade deals
- Assistance getting stolen assets (cash, diamonds) out of the country
- Gifts to charitable or religious organizations
- Scholarships

!! scammed !!

Page 31

THE FIVE RULES FOR DOING BUSINESS WITH NIGERIA
Courtesy of The 419 Coalition

1. NEVER pay anything up front for ANY reason.
2. NEVER extend credit for ANY reason.
3. NEVER do ANYTHING until their check clears.
4. NEVER expect ANY help from the Nigerian Government.
5. NEVER rely on YOUR Government to bail you out.

Mountains of gold: an exploratory research on Nigerian 419-fraud: backgrounds. http://419.swpbook.com/ Research was carried out in 2008 by Bureau Beke and the Police Academy. It is in Dutch and the first English edition is due any time.

Not just Nigeria! These rules apply to doing business with anyone!

Page 32

A fool and his money are easily parted

AN UNFORTUNATE FACT …. TRUE THROUGH THE AGES

Page 33

We have to smarten up not to be fooled and win the game …

Prevention measures primarily require the tweaking of people, process and technology … the triumvirate on which all security best practices rest.

WINNING THE FRAUD GAME USING THE PREVENTION STRATEGY

Page 34

Continuous network monitoring … internal and external; automated / manual; planned and periodic Vulnerability Assessment / Penetration Testing on infrastructure and Web Applications

Device based monitoring … systems (IDS/IPS/UTM)

Logging and log analysis … use of SIM/SIEM tools

Proactive Incident Management … to identify, contain, learn and update

Backup, Patch, Change Management, Continuity and Recovery … use appropriate technologies and processes with regular testing schedules and drills

Secure Software Development … build security in; purchase software that has undergone security testing

FRAUD PREVENTION– Corporate / Institutional Vigilance

Page 35

Awareness & Training for users at all levels; there is no such thing as low-end or high-end training. Use mailers and seminars to reach out.

Banks: online issues and how to practice safe surfing

Stocks & Shares: do your own research, don't rely on gossip

Identity / Access Management … role based access control

Policies and Procedures to detect, respond, neutralize (or) remediate, report and learn, in addition to the IT use / security policy

Monitoring behavior, activity, markets, trends, internal controls, technology

Risk Management should be proactively built into controls that can alert responsible persons when a threshold is breached

FRAUD PREVENTION– Corporate / Institutional Vigilance

Page 36

Anti Phishing … guidelines (gyaan) must be highlighted on the login page

Website Design must be simple … there is too much noise, so the user does not care about any announcement or warning. Don't make life difficult for the user; e.g. a frequent password change is no guarantee against compromise, and if you log the user out after he/she has logged in and made a password change you are creating an unnecessary step in the process

Provide Visible Links … for Statements, Password Change etc., and inform customers that NO email will ever carry a clickable link

Auto Logout … an inactive login is automatically logged out

Communicate … proactively about any problems on the website (downtime, hack etc.) and seek to educate the user (but this must be in plainspeak)

Endpoint Security … regularly check for viruses, keyloggers, spyware

FRAUD PREVENTION– Corporate / Institutional Vigilance

Page 37

THE USER

Page 38

Personal Vigilance

Rely on common sense

Check the URL you are going to click (if it is in a mail)

Bookmark bank URLs and use the bookmark to visit the site

Do not save passwords using the browser's save-password feature

Be careful about social engineering

BEATING FRAUD

Page 39

Watch out for "phishy / scammy" emails and sites

Don't click on links within emails that ask for your personal information

Block pop-ups and never trust a site that is asking for your sensitive information in a pop-up; if you must, verify the pop-up source and "allow" only those instances

Secure your system by using anti-virus, anti-spam and a firewall, and keep them updated

Email attachments from known people? Trust them only if the file type is known; an executable can display a familiar, harmless-looking program icon. In any case, why do you want to mess with unknown file types when you have enough troubles already!

Ask yourself … if someone can make a crore out of my thousand, why does that person look like a beggar? And if not, why is he/she doing you a favor!

BEATING FRAUD – it's common sense (to a large extent)
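The URL checks this slide and the previous one ask the user to do by eye ("check the URL you are going to click", "don't click on links within emails", "bookmark bank URLs"), as an added example in Python; it is not part of the original deck. It parses the anchors out of a constructed HTML email and flags the tricks phishing mails rely on: visible link text naming one host while the href points at another, an IP-literal or punycode host, a "user@host" prefix that makes the real host look like part of the path, plain http, and any host that is not on the reader's bookmarked list (TRUSTED_HOSTS, an assumed placeholder domain, not a real bank).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the hosts the reader has bookmarked for their bank. The domain is
# a placeholder, not a real bank.
TRUSTED_HOSTS = {"www.examplebank.example", "online.examplebank.example"}

# A link's visible text "names a host" only if it looks like one: optional
# scheme, a dotted name, then a path/port separator or the end of the text.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the warning codes for one link; an empty list means it looks clean."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        warnings.append("unusual-scheme")
    elif parts.scheme == "http":
        warnings.append("not-https")
    if parts.username is not None:            # http://bank.example@evil.example/
        warnings.append("userinfo-before-host")
    if _is_ip_literal(host):
        warnings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")      # IDN lookalike domain
    m = HOST_IN_TEXT.match(text)
    if m and m.group(1).lower() != host:      # text says one host, href goes to another
        warnings.append("text-host-mismatch")
    if host not in TRUSTED_HOSTS:
        warnings.append("host-not-bookmarked")
    return warnings


def scan_email(html):
    """Return [(href, text, warnings)] for every link in the email body."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample message (203.0.113.0/24 is a documentation address range).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Please verify within 24 hours.</p>
<p><a href="http://www.examplebank.example.login-verify.example/">https://www.examplebank.example/login</a></p>
<p><a href="http://203.0.113.5/verify">Click here to verify</a></p>
<p><a href="https://www.examplebank.example/statements">Statements</a></p>
"""

if __name__ == "__main__":
    for href, text, warnings in scan_email(SAMPLE_EMAIL):
        print(f"{href}\n    text: {text!r}\n    -> {', '.join(warnings) or 'looks clean'}")
```

The first two links in the sample are the classic pair: a sub-domain of a look-alike registered domain dressed up with the bank's name in the visible text, and a bare IP address. The third passes only because its host is exactly one of the bookmarked hosts, which is the same rule the slide gives the reader: type or bookmark the bank's address, never follow one out of a mail.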

Page 40

Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences.

Link Alert is a Firefox Add-on that will warn you of any phishing attempt

Phishing Filter for IE 7 and higher from Microsoft

BEATING FRAUD – some tools will help

Page 41

We are in a state of denial, dispute and (many a time) over-confidence

Government / Law enforcement / Institutions currently seem to work in reactive mode rather than proactively address threats / risks

Management purse strings have to loosen

"IT / IT Security is a business function"

Technical team members have to participate with the business group and must communicate 'plainspeak' rather than 'geekspeak'; it is the only way they can attract business managers to their table

Disciplines (Controls) in Security, Governance, Risk, Compliance, Continuity have to be considered together to be effective

WHERE ARE WE AND WHERE DO WE GO

Page 42

http://www.fraud.org

URBAN LEGENDS : http://www.snopes.com/

http://www.cambusters.org

http://www.fbi.org

INTERNET CRIME COMPLAINT CENTER: http://www.ic3.gov

NATIONAL CRIME RECORDS BUREAU: http://ncrb.nic.in/

Australian Competition and Consumer Commission:

www.scamwatch.gov.au

http://www.antiphishing.org/

http://www.banksafeonline.org.uk/

THE UK PAYMENTS ASSOCIATION : http://www.apacs.org.uk/

RESOURCES

Page 43

Partners & Relationships, Clients, Locations

Page 44

Dinesh Bareja, CISA, CISM, ITIL, BS 7799 (Imp & LA) - Senior Vice President

Email: [email protected]

Information Security professional with more than 11 years of experience in technology in commercial, operational, functional and project management roles on multiple large and small projects in global and domestic markets. Experienced in establishing ISMS (Information Security Management System), planning and implementation of large-scale CobiT® implementation, ISO 27001, ERM, BCP/DR, BIA, Asset Management, Incident Management, Governance and Compliance, VA/PT, AppSec etc. He is also a member of ISACA, OCEG, itSMF and co-founder of the Indian Honeynet Project and Open Security Alliance. You can find him on LinkedIn as the owner of the India - Information Security Community group.

PRESENTED BY

Page 45

Global Locations

Partners:
Abdul Kareem Holdings, Saudi Arabia - KSA, UAE
Omania e-Commerce Ltd, Oman - Oman
Consolidated Gulf Company, Qatar - Qatar
NextGen Technologies, South Africa - RSA, Mauritius, Botswana, Namibia and Kenya
IPMC, Ghana - Ghana and Nigeria

[World map marking New Delhi, Mumbai, Pune, Chennai, London Office (UK and Europe), Malaysia, Indonesia, Canada, USA and Sri Lanka; legend: Secure Matrix Head Office, Regional Office Location, Partner Location, Planned Office Location]

Page 46

STRATEGIC RELATIONSHIPS

Page 47

CONTACT US

Registered Office Mumbai: 12 Oricon House, 14 K. Dubash Marg, Fort, Mumbai 400 001, INDIA. T +91 22 3253 7579, F +91 22 2288 6152, E: [email protected]

Technology Centre Chennai: Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai 600 026, INDIA. Tel: +91 44 6526 9369 / +91 44 4305 4114, Tele Fax: +91 44 4204 8620

Technology Centre Pune: Trident Towers, Office No: 32nd Floor, Pashan Road, Bavdhan, Pune 411 021, INDIA

Dubai: P O Box 5207, Dubai, UAE. Email: [email protected]

Page 48

THANK YOU