Post on 04-Oct-2020
Cyber Fraud: Identify & Mitigate
DON’T BE AN ONLINE VICTIM
Angel T. Reoble
Even though controls are becoming stronger, security mitigation solutions are
becoming more intelligent, and laws and regulations are being implemented,
the methods for stealing personal data and committing fraud continue to
evolve, resulting in millions of dollars of financial losses to consumers as
well as to business organizations of all sizes and in all sectors.
Patco Case: In 2009, cyber criminals gained control of Patco’s internet banking account and
transferred $600,000 out of the account via ACH. The bank recovered $250,000, but held Patco liable
for the $350,000 that could not be recovered. Patco sued the bank in federal district court to recover
the funds and lost. However, in 2012, the First Circuit Court of Appeals reversed the district court’s
finding of summary judgment in favor of the bank. The appeals court found that the bank’s internet
banking security system was unreasonable as a matter of law because the bank permitted the
fraudulent ACH transactions even though its risk scoring system identified the ACH transactions as
very suspicious. The Appeals Court sent the case back to the District Court for further proceedings
consistent with its opinion that the bank’s security system was not commercially reasonable.
Incidents
Source: FDIC
Experi-Metal Case: During a six-hour period, after obtaining the company’s login credentials using a
phishing attack, cyber criminals initiated 93 fraudulent ACH transactions totaling $1.9 million. The
bank was able to recover all but $560,000 and held Experi-Metal liable for the loss. The company
sued the bank in federal district court and won in a decision announced in June 2011.
The Court held that the bank did not act in good faith, since the ACH transactions
initiated by the cyber criminals were completely out of character based on
Experi-Metal’s typical account activity, and held the bank responsible for reimbursing
the customer for the $560,000 loss.
TJX Companies, Inc.
Incidents
44M customer records stolen
1 year that the database remained vulnerable before the breach was discovered
$250M spent to deal with the breach and lawsuits
Heartland Payment Systems
Incidents
175,000 merchants’ information hacked
$41.4M paid to MasterCard issuers to settle claims
RAKBANK (UAE) & Bank of Muscat (Oman)
Incidents
$45M cash stolen
Hackers worked for months to hack the two banks
Compromised the prepaid debit cards and removed their withdrawal limits
Card numbers were distributed to 26 countries and used to withdraw cash from ATMs around the globe
December 2012: 4,500 ATM transactions in over 20 countries, $5M stolen
February 2013: 36,000 ATM transactions in 24 countries, $40M stolen
Target
Incidents
40M credit and debit card records stolen
The hack did not go through the store’s website
Hackers compromised the POS system by successfully installing malware
An insider employee could have installed the malware
Alternatively, a hacker could have persuaded or tricked an employee into visiting a
malicious website that automatically downloaded and installed the malware
Types of Cyber Fraud Threats & Events
Threats
• ACH Credit/Wire Fraud
• ACH Debit Fraud
• ATM Cash-out
• Database Breach
• Client-side Breach
• Denial of Service
• Malware
Events
• Online Bank Account Takeover
• Email Account/User PC Compromise
• Counterfeit Cards
• HELOC Account Compromise
• FI (Financial Institution) Computer Compromise
Source: FDIC
Types of Cyber Fraud Threats: ACH Fraud
• The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.
• The criminal accesses a retail customer's credentials and sets himself up as an automatic bill-pay recipient.
• In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
• In a variation on check kiting (a scam in which funds are juggled back and forth between accounts at separate banks), a criminal takes advantage of the time lag in transactions.
• In a spear-phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to capture authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.
Source: whatis.techtarget.com
Types of Cyber Fraud Threats: ACH Fraud Scheme
Compromise the customer’s computer
Using phishing or spear-phishing emails purporting to be from legitimate companies, fraudsters “trick” the recipient into providing their bank login credentials. By doing so, criminals capture the information they need to access the customer’s account.
Source: http://www.aciworldwide.com/
Types of Cyber Fraud Threats: ACH Fraud Scheme
Access the bank account online
With the online login credentials in hand, criminals log into the customer’s bank account (manually or via malware code) and identify the account(s) to target.
Source: http://www.aciworldwide.com/
Types of Cyber Fraud Threats: ACH Fraud Scheme
Take over the account
To avoid detection and the recall, or blocking, of pending ACH transactions, the fraudster may change the account holder’s email address, phone number, etc., and password.
Source: http://www.aciworldwide.com/
Types of Cyber Fraud Threats: ACH Fraud Scheme
Respond to the bank’s verification process
If the bank contacts the customer to verify the pending transactions, then because the fraudster has changed the contact information on file, the bank may end up talking to a criminal who is pretending to be the customer. Alternatively, if the bank requests via email that the customer call the bank to confirm the transaction, then because the email address on file is under the criminal’s control, again the bank will receive confirmation from the fraudster that the transactions are approved.
Source: http://www.aciworldwide.com/
Types of Cyber Fraud Threats: ACH Fraud Scheme
Conceal the source of the funds
To ensure that the fraudulent funds are impossible to recover, the fraudster conceals the source of the funds via a series of transactions including ACH, wire transfers and/or purchases, or at least makes it extremely difficult to trace the funds to their ultimate destination.
Source: http://www.aciworldwide.com/
ACH Fraud Mitigation
Update your risk assessment
Have comprehensive written policies and procedures
Utilize the security features built into your systems
Deploy robust multifactor authentication solutions
Limit administrative rights on workstations
Deploy third-party security controls
Review security, maintenance, and activity logs/reports
Implement segregation of duties among employees
Implement an effective audit program
Train employees
Source: FDIC
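The scheme steps above and the mitigation list (risk assessment, reviewing activity logs, holding suspicious transactions for verification) can be turned into a concrete control. The following Python is an added example written for this page; it is not code from the presentation, the FDIC or ACI Worldwide. It scores an outbound ACH batch against the warning signs the page names: amounts out of character for the account (the Experi-Metal finding), payees never seen before, unusual velocity, and a change of the contact details used for verification shortly before the batch (the account-takeover step). The account profile, thresholds, weights and sample batches are all constructed assumptions.

```python
"""Rule-based risk scoring for outbound ACH batches (added example, all
weights, thresholds and sample data are assumptions for illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional, Set


@dataclass
class AccountProfile:
    """Historical behaviour of one ACH originator, built from its activity logs."""
    typical_amounts: List[float]                   # past per-item ACH amounts, USD
    known_payees: Set[str]                         # receiving accounts seen before
    max_items_per_day: int                         # largest batch seen on a normal day
    contact_changed_at: Optional[datetime] = None  # last email/phone/password change


@dataclass
class AchItem:
    payee: str
    amount: float
    submitted_at: datetime


@dataclass
class RiskResult:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def hold_for_callback(self) -> bool:
        # At or above this (assumed) score the batch is held until confirmed out
        # of band, using the contact details recorded BEFORE any recent change.
        return self.score >= 60


def score_batch(profile: AccountProfile, batch: List[AchItem]) -> RiskResult:
    """Score one batch; each rule maps to a step of the fraud scheme above."""
    result = RiskResult()
    if not batch:
        return result
    mu = mean(profile.typical_amounts)
    sigma = pstdev(profile.typical_amounts) or 1.0
    newest = max(item.submitted_at for item in batch)

    # 1. Out-of-character amounts (the Experi-Metal finding): > 3 sigma above the mean.
    big = [item for item in batch if (item.amount - mu) / sigma > 3]
    if big:
        result.score += 30
        result.reasons.append(f"{len(big)} item(s) more than 3 sigma above typical amount")

    # 2. Payees never seen before (new bill-pay recipients, mule accounts).
    new_payees = {item.payee for item in batch} - profile.known_payees
    if new_payees:
        result.score += 10 * min(len(new_payees), 3)
        result.reasons.append(f"{len(new_payees)} previously unseen payee(s)")

    # 3. Velocity: far more items than the account normally originates in a day
    #    (93 transactions in six hours in the Experi-Metal case).
    if len(batch) > 3 * profile.max_items_per_day:
        result.score += 25
        result.reasons.append(f"{len(batch)} items vs normal max {profile.max_items_per_day}/day")

    # 4. Contact details changed shortly before the batch: the account-takeover
    #    step that defeats callback verification, so it is weighted heavily.
    if profile.contact_changed_at is not None and newest - profile.contact_changed_at <= timedelta(days=3):
        result.score += 40
        result.reasons.append("email/phone/password changed within 3 days of batch")

    return result


# --- constructed sample data (not real account activity) ---------------------
PROFILE = AccountProfile(
    typical_amounts=[1800, 2200, 1950, 2100, 2050, 1900, 2000, 2150],
    known_payees={"payroll-1", "payroll-2", "supplier-A"},
    max_items_per_day=6,
    contact_changed_at=datetime(2021, 3, 1, 9, 0),
)
T_FRAUD = datetime(2021, 3, 2, 8, 0)    # the day after the contact change
T_NORMAL = datetime(2021, 3, 20, 8, 0)  # well after it

NORMAL_BATCH = [AchItem("payroll-1", 2000, T_NORMAL), AchItem("supplier-A", 2100, T_NORMAL)]
FRAUD_BATCH = [AchItem(f"mule-{n}", 9800, T_FRAUD + timedelta(minutes=n)) for n in range(20)]


def demo():
    """Score both batches; returns (normal_result, fraud_result)."""
    return score_batch(PROFILE, NORMAL_BATCH), score_batch(PROFILE, FRAUD_BATCH)


if __name__ == "__main__":
    for name, res in zip(("normal", "fraud"), demo()):
        print(name, res.score, "HOLD" if res.hold_for_callback else "release", res.reasons)
```

A held batch must be confirmed by calling the number recorded before the contact change, never the one on file now; otherwise the verification call reaches the fraudster, which is exactly the failure the verification slide describes. Rule 4 is weighted so that a contact change plus even one other signal crosses the hold threshold.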
Losses by Event Type
Source: FDIC
Losses by Outflow Method
Source: FDIC
Hackers are Shifting to Different
Targets
Source: FDIC
MOTIVATIONS
Motivations
Passport / Visa / Immigration
Motivations
Affordable Internet Access
Affordable Hacking Tools
Motivations
Accessible Hacking Tutorials
Motivations
Source: GIB-CERT
Easy Money
Russian cybercrime market = 2.3B USD
Russian-speaking hackers earned = 4.5B USD
Global cybercrime market = 12.5B USD
Motivations
Source: GIB-CERT
Easy Money
DDoS Menu
Per hour = 5-10 USD
Per day = 40-50 USD
Per week = 350-400 USD
Per month = 1200 USD
Or buy the DDoS kit with bot builder and web admin panel
Motivations
Source: McAfee, Center for Strategic and International Studies
Motivations
Source: McAfee, Center for Strategic and International Studies
It is almost impossible to trace and identify the source and the person behind every cyber attack
Motivations
Source: McAfee, Center for Strategic and International Studies
Reconnaissance → Scanning → System Access → Maintain Access → Clean Up
(cyber attack planning → cyber attack design → cyber attack initiation → cyber attack)
• Reconnaissance: information gathering, social engineering
• Scanning: vulnerability identification
• System Access: vulnerability exploitation; if the exploit is unsuccessful, fall back to denial of service
• Maintain Access: create backdoors that phone home to the attacker
• Clean Up: remove logs and traceable activities
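The Clean Up phase of the lifecycle above is where an attacker removes logs and traceable activity. An added example, written for this page and not taken from any real product or from the presentation: a check over sequence-numbered audit records that reports deleted ranges (gaps in the sequence), re-inserted or replayed records (non-increasing sequence numbers), and silent windows longer than the expected logging cadence (periods where logging was stopped). The record format, the cadence and the sample log lines are constructed for illustration.

```python
"""Detect log removal in sequence-numbered audit records (added example;
format, cadence and sample lines are constructed, not from a real product)."""
from datetime import datetime, timedelta

# Constructed sample, format "<seq>|<ISO timestamp>|<event>".
# Records 1005-1007 have been deleted and a three-hour silence follows 1009.
SAMPLE_LOG = """\
1001|2021-03-02T08:00:00|login user=alice src=10.0.0.5
1002|2021-03-02T08:05:00|ach_batch_created items=2
1003|2021-03-02T08:06:00|ach_batch_approved
1004|2021-03-02T08:10:00|logout user=alice
1008|2021-03-02T08:40:00|login user=alice src=10.0.0.5
1009|2021-03-02T08:41:00|logout user=alice
1010|2021-03-02T11:45:00|login user=bob src=10.0.0.7
"""


def parse(log_text):
    """Parse records into (seq, timestamp, event) tuples, keeping file order."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seq, ts, event = line.split("|", 2)
        records.append((int(seq), datetime.fromisoformat(ts), event))
    return records


def find_sequence_gaps(records):
    """Ranges (first_missing, last_missing) of sequence numbers absent from the log.
    Assumes the logger assigns strictly increasing sequence numbers."""
    gaps = []
    for (prev_seq, _, _), (seq, _, _) in zip(records, records[1:]):
        if seq > prev_seq + 1:
            gaps.append((prev_seq + 1, seq - 1))
    return gaps


def find_out_of_order(records):
    """Sequence numbers that do not increase: re-inserted or replayed records."""
    return [seq for (prev_seq, _, _), (seq, _, _) in zip(records, records[1:]) if seq <= prev_seq]


def find_silent_windows(records, max_silence):
    """(start, end) pairs of consecutive records further apart than max_silence."""
    return [(t_prev, t_next)
            for (_, t_prev, _), (_, t_next, _) in zip(records, records[1:])
            if t_next - t_prev > max_silence]


def audit(log_text, max_silence=timedelta(hours=1)):
    """Run all three checks; max_silence is the expected worst-case logging cadence."""
    records = parse(log_text)
    return {
        "gaps": find_sequence_gaps(records),
        "out_of_order": find_out_of_order(records),
        "silent_windows": find_silent_windows(records, max_silence),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG).items():
        print(check, findings)
```

The checks only work if the sequence numbers and timestamps are assigned by the logging system, not by the host being audited, and if the records are shipped to a separate store the attacker cannot reach; a gap in a local file the attacker could rewrite in full proves little.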
User Statistics
60% will insert a found thumb drive into their desktop/laptop
90% will if it has a company logo on it
More than 50% will give up their passwords in exchange for a token gift
90% share passwords across accounts
41% share passwords with others
14% have never changed their banking password
Source: FDIC
What are we protecting
Source: FDIC
Information
Internal
Applications
Internal Network
External Network
External
Applications
Facilities
What are we protecting
Source: FDIC
Building
Office
Computers
User Statistics
It is easier and cheaper to ATTACK than to DEFEND
Source: FDIC
END
Thank you