
1

Account Takeover: Why Payment

Fraud Protection is Not Enough

Cybercrime Protection

April 2014

Mustafa Rassiwala, ThreatMetrix, Inc.

2

Agenda

1. Customer Accounts – Blessing or Curse?

2. Passwords – Weakest Link

3. Account Takeover – Data Breaches – Vicious Cycle

4. Authentication Alternatives

5. ThreatMetrix Approach

6. Examples of Account Takeover Prevention

3

Customer Accounts - Blessing

4

Customer Accounts - Blessing

Removing Customer Friction for Online Transactions

5

Customer Benefits

Money Transfer

Bill Pay and Account Pay

Ease of doing online business

6

Customer Account Curse - Cybercriminals and Account Takeover

Cybercriminals access genuine customer accounts using stolen identity credentials (username and password)

Account Takeover

7

Secure Web Application?

SQL Injection

Cross-site Scripting

Broken Session Management

Insecure Direct Object Reference

Security Misconfigurations

Insecure Storage

Account Takeover is not an Application Security Issue... an attacker logging in with valid stolen credentials exploits none of these flaws; the application behaves exactly as designed.

8

Identity and Trust

Password – Weakest Link in Security

Cybercriminals enter through the front door

9

Authentication Principle

1. Something the user Knows

2. Something the user Has

3. Something the user Is or Does

Password = Something Only the User Knows. Is it true?

10

Password Security – Relies on Your Customers

• they will be phished

• their passwords will be stolen

• they will get malware on their computers

• they will lose their mobile device

• they will reuse passwords at multiple sites

• other sites frequented by your visitors will be hacked

• their personal info (name, emails, address, maiden name, etc.) is accessible

• they will not be up to date on their OS and anti-virus

• they will get frustrated if they cannot login

11

Password Security – 25 Worst Passwords in 2013

Rank  Password

1     123456

2     password

3     12345678

4     qwerty

5     abc123

6     123456789

7     111111

8     1234567

9     iloveyou

10    adobe123

11    123123

12    admin

13    1234567890

14    letmein

15    photoshop

16    1234

17    monkey

18    shadow

19    sunshine

20    12345

21    password1

22    princess

23    azerty

24    trustno1

25    000000

Source (passwords as listed there, all lower case): http://splashdata.com/press/worstpasswords2013.htm

12

How Does Account Takeover Happen?

• Malware

• Phishing

• Data breach

13

Malware

● Trojans that have traditionally targeted banks are now targeting retailers and payment providers

● Because malware kits are easily available, sophisticated attacks have become very easy to mount

● More and more sophisticated MitB (Man-in-the-Browser) attacks against retailers

14

Phishing

● Phishing is still highly effective

– Especially hybrid approaches to get around two-factor authentication

15

Data Breach

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

16

Complete List of Data Breaches - US

17

2 Sides of the Same Coin

Data Breach and Credit Card/Account Takeover Fraud

18

Organized Crime – Data Breaches & Fraud

Steal

• Data Breaches

• Steal Credit Card Data in Millions

• Steal Identities by Millions

Sell

• Underground Forums

• $10-$15 per Credit Card

• $5-$10 per Identity

Fraud

• Card Not Present

• Account Takeover

• Financial Fraud – Money Transfer

Cash

• Drop Zones for Physical Goods

• Knock-off Sites for Digital Goods

• Classified Ads

19

Underground Forums

• Buy/Sell Stolen Credit Card Data

• Rent Bot Infrastructure

• Matching Identity Data with Credit Card Details

• Identity Data (Email/logins/Passwords)

http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/#more-24130

20

The Criminals’ Efforts are Paying Off

Global Corporate Account Takeover Losses, 2011 to e2016 (in US$ millions; e = estimate)

Year   Losses

2011   $409.4

e2012  $454.8

e2013  $523

e2014  $627

e2015  $721.8

e2016  $794

Source: Aite Group, 2012

21

Breaches – Attack Surface

Cybercriminals have a Significant Advantage

Pervasive Enterprise Technology = Larger Attack Surface

22

Information Security Framework – CIA Triad

Confidentiality: Ensure information is protected from exposure to unauthorized individuals

Integrity: Prevent unauthorized changes to information

Availability: Ensure information access by authorized users for legitimate purposes

Note: From “Information Security Illuminated” (p.3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.

23

Breaches – Security Paradox

Regulations and Security Controls – More than Ever Before

Yet Number and Impact of Breaches Increasing Each Day

24

Authentication - Alternatives

Something the User Has

- SMS OTP

- Software OTP

- Hardware OTP

- Smart Card

- USB Token

- X.509 Certificates

Something the User Is

- Human Fingerprint

- Face Recognition

- Voice Recognition

25

Balancing Act

Customer Experience vs. Security

26

ThreatMetrix – Context Based Authentication

Friction-less 2-Factor Authentication

Something the User Has

• Persona/Identity

• Device Fingerprint

• Device Threats

• Network Attributes

• Geo-Location Attributes

Something the User Does

• Behavior over time

• Actions

• Associations

• Reputation

27

Real-time Cybercrime Prevention

Use cases: Advanced Fraud Prevention; Context-Based Authentication; Sensitive Data Protection

Device Analytics: Device & Location; MITM & Proxies; MITB & Malware

Identity Analytics: Identities & Personas; Attributes & Activities; Associations & Related Events

Behavior Analytics: Patterns & Anomalies; Behavior & Velocities

Inputs: Customer Defined Policies; Analyst & Trust Feedback; World's Largest Trusted Identity Network

Outcome: Trusted User? Cyber Threat?

28

Building Trust On The Internet

Drive More Revenue and Profitability

Frictionless Access for Trusted Users

29

ThreatMetrix Solution – Persona ID

Online Identity

• Login

• Email

• Credit Card Data

• Account

• Ship To Address

30

ThreatMetrix Solution – Device and Threat

Device Intelligence: Cookie-less Device Identification

Network Intelligence: Proxy-Piercing

Location Intelligence: True IP based Location; GPS on mobile

Threat Intelligence: Malware Detection

Device Identity

• Browser

• OS

• PC/Mobile

• Device Fingerprint

• IP Address

• VPN/Proxies

31

ThreatMetrix Solution – Malware Detection

Page Fingerprinting

• Detects Man-in-the-Browser (MitB) Attacks

• Cloud Based Malware Detection

• Whitelisting Technique – does not rely on signatures

• Detects malware targeted to your specific site

Honeypot

• Detects Malware (MitB attacks) on devices targeting common high-profile sites

32

ThreatMetrix Solution – Transaction Data

Online Payment ($50): Credit Card; Bill To; Ship To

Money Transfer ($500): ACH Number; Payee Info

New Account: Online ID; Email; Location

Login: Login Name; Password

33

Examples

Real-world scenarios from Global Trust Intelligence Network

34

Identity Spoofing

Anomaly Indicator: N Logins from same IP in a Time Period

Description: Velocity rule triggers if the same IP address exceeds a configurable threshold (n) for logins within a configurable time period, e.g. 1 day, 2 days, a week, etc.

Anomaly Indicator: N Accounts accessed on the same device

Description: Velocity rule detects if a single device is being used to access a configurable number of accounts (n) within a configurable time period. This typically indicates that the person using this device is exploiting multiple stolen account details.

Anomaly Indicator: User Behavior Anomaly

Description: Detects if the same device has been used with N or more Persona attributes such as email address, phone number, Bill To or Ship To address, etc. within a configurable time period.

Anomaly Indicator: Distance Travelled

Description: Detects if the same account login was used in N transactions that originated more than 100 miles apart.

35

Device Spoofing

Anomaly Indicator: Images Disabled

Description: Images could not be rendered on the connecting device. This typically indicates that a bot or script is being used to execute this transaction.

Anomaly Indicator: Geo Language Mismatch

Description: Rule triggers if there is a discrepancy between the detected device language and the expected language for the True IP geographical region.

Anomaly Indicator: No Device ID

Description: Rule triggers if a profiled device is lacking sufficient available attributes to form a complete device identifier. This indicates that the device is missing commonly available attributes (e.g. no user agent, fonts or screen resolution is detected).

36

IP Spoofing

Anomaly Indicator: Proxy Detection

Description: ThreatMetrix uses multiple techniques to detect proxies. This rule triggers when anonymous or hidden proxies are detected.

Anomaly Indicator: VPN Detection

Description: Rule triggers if a VPN is detected.

Anomaly Indicator: IP Negative History

Description: This rule triggers if the proxy IP is on a local or global blacklist.
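The indicator rules on the Identity Spoofing, Device Spoofing and IP Spoofing slides, as runnable code: an added example, not ThreatMetrix code. The thresholds (n = 3, a one-day window, 100 miles), the event field names, the country-to-language table and the IP blacklist are assumptions, and the login events are constructed so that each rule fires on exactly one of them.

```javascript
// Added example, not ThreatMetrix code: a small context-based rule set of the
// kind the "Identity Spoofing", "Device Spoofing" and "IP Spoofing" slides
// describe, run over constructed login events. Thresholds, field names, the
// country-to-language table and the IP blacklist are illustrative assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed reference data (constructed): expected primary language subtags per
// true-IP country, and a local negative-history list of proxy IPs.
const EXPECTED_LANGS = { US: ['en'], DE: ['de'], FR: ['fr'] };
const IP_BLACKLIST = new Set(['192.0.2.5']);

const RULES = {
  ipLoginVelocity: { n: 3, windowMs: DAY_MS },   // N logins from same IP in a period
  accountsPerDevice: { n: 3, windowMs: DAY_MS }, // N accounts accessed on the same device
  distanceMiles: 100,                             // distance travelled per account
};

// Great-circle distance in miles (haversine), used by the distance rule.
function haversineMiles(lat1, lon1, lat2, lon2) {
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * 3958.8 * Math.asin(Math.sqrt(a));
}

// Evaluate every rule for each event in chronological order. Each result names
// the indicators the event triggered (an empty array means nothing was seen).
function evaluateEvents(events) {
  const sorted = [...events]
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .sort((a, b) => a.t - b.t);
  const seen = []; // history available when the current event is scored
  const out = [];
  for (const ev of sorted) {
    seen.push(ev);
    const indicators = [];
    const inWindow = (w) => seen.filter((p) => ev.t - p.t <= w);

    // Velocity: logins from this IP inside the window, including this one.
    const sameIp = inWindow(RULES.ipLoginVelocity.windowMs).filter((p) => p.ip === ev.ip);
    if (sameIp.length >= RULES.ipLoginVelocity.n) indicators.push('ip_login_velocity');

    // Velocity: distinct accounts this device has touched inside the window.
    const accts = new Set(inWindow(RULES.accountsPerDevice.windowMs)
      .filter((p) => p.device === ev.device).map((p) => p.account));
    if (accts.size >= RULES.accountsPerDevice.n) indicators.push('accounts_per_device');

    // Distance travelled: compare with this account's previous login location.
    const prev = seen.slice(0, -1).filter((p) => p.account === ev.account).pop();
    if (prev && haversineMiles(prev.lat, prev.lon, ev.lat, ev.lon) > RULES.distanceMiles) {
      indicators.push('distance_travelled');
    }

    // No device ID: commonly available attributes are missing, so no stable
    // fingerprint can be formed (bots and stripped-down scripts look like this).
    if (!ev.ua || !ev.fontCount || !ev.screen) indicators.push('no_device_id');

    // Geo/language mismatch: device language vs. the language expected for the
    // true-IP country. Unknown countries never trigger, to limit false positives.
    const expected = EXPECTED_LANGS[ev.ipCountry];
    const primary = (ev.lang || '').split('-')[0].toLowerCase();
    if (expected && primary && !expected.includes(primary)) indicators.push('geo_language_mismatch');

    // IP negative history: the connecting (proxy) IP is on the local blacklist.
    if (IP_BLACKLIST.has(ev.ip)) indicators.push('ip_negative_history');

    out.push({ id: ev.id, account: ev.account, indicators });
  }
  return out;
}

// Constructed sample events: one device cycling through three accounts from a
// single IP, an account that "travels" from San Francisco to New York in an
// hour, and a blacklisted proxy IP with a stripped device profile and a
// language that does not fit its geo.
const SAMPLE_EVENTS = [
  { id: 1, ts: '2014-04-01T09:00:00Z', account: 'alice', ip: '203.0.113.7', device: 'dev-A',
    lat: 37.77, lon: -122.42, ipCountry: 'US', lang: 'en-US', ua: 'Mozilla/5.0', fontCount: 42, screen: '1440x900' },
  { id: 2, ts: '2014-04-01T09:05:00Z', account: 'bob', ip: '203.0.113.7', device: 'dev-A',
    lat: 37.77, lon: -122.42, ipCountry: 'US', lang: 'en-US', ua: 'Mozilla/5.0', fontCount: 42, screen: '1440x900' },
  { id: 3, ts: '2014-04-01T09:10:00Z', account: 'carol', ip: '203.0.113.7', device: 'dev-A',
    lat: 37.77, lon: -122.42, ipCountry: 'US', lang: 'en-US', ua: 'Mozilla/5.0', fontCount: 42, screen: '1440x900' },
  { id: 4, ts: '2014-04-01T10:00:00Z', account: 'alice', ip: '198.51.100.9', device: 'dev-B',
    lat: 40.71, lon: -74.01, ipCountry: 'US', lang: 'en-US', ua: 'Mozilla/5.0', fontCount: 38, screen: '1366x768' },
  { id: 5, ts: '2014-04-01T10:30:00Z', account: 'dave', ip: '192.0.2.5', device: 'dev-C',
    lat: 52.52, lon: 13.40, ipCountry: 'DE', lang: 'ru-RU', ua: '', fontCount: 0, screen: '' },
];

for (const r of evaluateEvents(SAMPLE_EVENTS)) {
  console.log(r.id, r.account, r.indicators.join(', ') || '-');
}
```

In production the velocity counters are kept per IP and per device in a store with sliding windows rather than by rescanning history, and each indicator contributes to a score rather than blocking outright: the geo/language rule in particular is noisy for travellers and expatriates, and the distance rule needs a time bound (a login 100 miles away a week later is normal) before it means anything on its own.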

37

Attack vectors

[Bar chart: % transactions per attack vector. Attack vectors: geo_spoofing, identity_spoofing, ip_spoofing, device_spoofing, mitb_or_bot. Y-axis 0.0% to 5.0%.]

38

Attack vectors – event type

[Bar chart: % transactions per event type per attack vector. Event types: account_creation, login, payment. Attack vectors: device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing, mitb_or_bot. Y-axis 0% to 7%.]

39

Attack vectors – continent

[Bar chart: % transactions per attack vector per continent. Continents: Africa, Asia, Australia, Europe, North America, South America. Attack vectors: device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing, mitb_or_bot. Y-axis 0% to 18%.]

40

Attack vectors – industry

[Bar chart: % transactions per attack vector per industry. Industries: Ecommerce, Finance, Other. Attack vectors: device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing, mitb_or_bot. Y-axis 0% to 8%.]

41

Attack vectors – US vs. European enterprises

[Bar chart: % transactions per attack vector, US vs. European companies. Regions: Europe, US. Attack vectors: device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing, mitb_or_bot. Y-axis 0% to 6%.]

42

Business Benefit – Frictionless Customer Experience

Transparent and Frictionless Authentication for Customers

43

Business Benefit – Customer Protection

Protect Customers – Bad Things Happen to Good People

Context Based Authentication – Protect against Password Compromise

44

Business Benefit – Protect from any Device

Context Based Authentication from any device including mobile apps

45

The Global Trust Intelligence Network

Questions

● Type questions into the Question feature in GoToWebinar

● We’ll answer as many questions as time permits

● Remaining questions will be answered with follow-up emails

www.threatmetrix.com +1.408.200.5700 [email protected]

46

Thank You For Attending