Cyber Fraud: Identify & Mitigate DON’T BE AN ONLINE VICTIM Angel T. Reoble

Post on 04-Oct-2020


Page 1: Cyber Fraud: Identify & Mitigate · Source: FDIC Experi-Metal Case: During a six hour period, after obtaining the company’s login credentials using a phishing attack, cyber criminals

Cyber Fraud: Identify & Mitigate

DON’T BE AN ONLINE VICTIM

Angel T. Reoble

Page 2

Despite the fact that controls are becoming stronger, security mitigation solutions are becoming more intelligent, and laws and regulations are being implemented, the methods for stealing personal data and committing fraud are continuously evolving, resulting in millions of dollars of financial losses to consumers as well as to business organizations of all sizes and in all sectors.

Page 3

Incidents

Source: FDIC

Patco Case: In 2009, cyber criminals gained control of Patco’s internet banking account and transferred $600,000 out of the account via ACH. The bank recovered $250,000, but held Patco liable for the $350,000 that could not be recovered. Patco sued the bank in federal district court to recover the funds and lost. However, in 2012, the First Circuit Court of Appeals reversed the district court’s finding of summary judgment in favor of the bank. The appeals court found that the bank’s internet banking security system was unreasonable as a matter of law because the bank permitted the fraudulent ACH transactions even though its risk scoring system identified the ACH transactions as very suspicious. The Appeals Court sent the case back to the District Court for further proceedings consistent with its opinion that the bank’s security system was not commercially reasonable.

Experi-Metal Case: During a six hour period, after obtaining the company’s login credentials using a phishing attack, cyber criminals initiated 93 fraudulent ACH transactions totaling $1.9 million. The bank was able to recover all but $560,000 and held Experi-Metal liable for the loss. The company sued the bank in federal district court and won in a decision that was announced in June 2011. The Court held that the bank did not act in good faith, since the ACH transactions initiated by the cyber criminals were completely out of character based upon Experi-Metal’s typical account activity, and that the bank was responsible for reimbursing the customer for the $560,000 loss.

Page 4

TJX Company, Inc.

Incidents

44M customer records stolen

1 year of database vulnerability before discovery

$250M spent to deal with the breach and lawsuit

Page 5

Heartland Payment System

Incidents

175,000 merchants’ information hacked

41.4M payment made to MasterCard issuers to settle claims

Page 6

RackBank UAE & Bank of Muscat Oman

Incidents

45M cash stolen

Hackers worked for months to hack the 2 banks

They compromised the hacked prepaid debit cards and removed their limits

Card numbers were distributed to 26 countries and cash was withdrawn from ATMs around the globe

December 2013: 4,500 ATM transactions in over 20 countries, resulting in $5M stolen

February 2014: 36,000 ATM transactions made in 24 countries, resulting in $40M stolen

Page 7

Target

Incidents

40M credit and debit cards’ information stolen

The hack did not go through the store’s website

Hackers compromised the POS system by successfully installing malware

An insider employee could have installed the malware

Alternatively, a hacker could have persuaded or tricked an employee into visiting a malicious website that automatically downloaded and installed the malware

Page 8

Types of Cyber Fraud Threats & Events

Threats

• ACH Credit/Wire Fraud
• ACH Debit Fraud
• ATM Cash-out
• Database Breach
• Client-side breach
• Denial of Service
• Malware

Events

• Online Bank Acct Takeover
• Email Acct/User PC compromise
• Counterfeit cards
• HELOC Acct compromise
• FI computers compromise

Source: FDIC

Page 9

Types of Cyber Fraud Threats: ACH Fraud

• The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.
• The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient.
• In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
• In a variation on check kiting -- a scam in which funds are juggled back and forth between bank accounts at separate banks -- a criminal takes advantage of the time lag in transactions.
• In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.

Source: whatis.techtarget.com

Page 10

ACH Fraud Scheme

Compromise the Customer’s Computer

Using phishing or spear phishing emails purporting to be from legitimate companies, fraudsters “trick” the recipient into providing their bank’s login credentials. By doing so, criminals capture the information that they need to access the customer’s account.

Source: http://www.aciworldwide.com/

Page 11

Types of Cyber Fraud Threats: ACH Fraud Scheme

Source: http://www.aciworldwide.com/

Page 12

Types of Cyber Fraud Threats: ACH Fraud Scheme

Source: http://www.aciworldwide.com/

Page 13

Types of Cyber Fraud Threats: ACH Fraud Scheme

Source: http://www.aciworldwide.com/

Page 14

Types of Cyber Fraud Threats: ACH Fraud Scheme

Access the bank account online

With the online login credentials in hand, criminals log into the customer’s bank account (manually or via malware code) and identify the account(s) to target.

Source: http://www.aciworldwide.com/

Page 15

Types of Cyber Fraud Threats: ACH Fraud Scheme

Take over the account

To avoid detection and the recall, or blocking, of pending ACH transactions, the fraudster may change the account holder’s email address, phone number, etc. and password.

Source: http://www.aciworldwide.com/

Page 16

Types of Cyber Fraud Threats: ACH Fraud Scheme

Respond to bank verification process

If the bank contacts the customer to verify the pending transactions, since the fraudster has changed the contact information on file, the bank may end up talking to a criminal who is pretending to be the customer. Alternatively, if the bank requests via email that the customer call the bank to confirm the transaction, since the email on file is under the control of the criminal, again the bank will receive confirmation from the fraudster that the transactions are approved.

Source: http://www.aciworldwide.com/

Page 17

Types of Cyber Fraud Threats: ACH Fraud Scheme

Conceal the source of the funds

To ensure that the fraudulent funds are impossible to recover, via a series of transactions including ACH, wire transfers and/or purchases, the fraudster conceals the source of the funds, or at least makes it extremely difficult to trace the funds to their ultimate destination.

Source: http://www.aciworldwide.com/

Page 18

ACH Fraud Mitigation

• Update your risk assessment
• Have comprehensive written policies and procedures
• Utilize security features built into your systems
• Deploy robust multifactor authentication solutions
• Limit administrative rights on workstations
• Deploy third party security controls
• Review security, maintenance, and activity logs/reports
• Implement employee segregation of duties
• Implement an effective audit program
• Train employees

Source: FDIC
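The scheme on pages 14 to 17 and the mitigation list above together say what a bank-side control has to catch: a batch that is out of character for the account (the Experi-Metal finding), a velocity burst, and contact details changed right before the batch, with verification routed to a channel the fraudster cannot take over. The following is an added example written for this page, not code from the FDIC or ACI Worldwide; the customer, payees, amounts and the scoring weights are constructed, and the enrollment-phone callback is an assumed design choice.

```python
# Added example (not from the slides): a defender-side risk check for pending ACH batches.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional, Set

@dataclass
class Customer:
    name: str
    typical_amounts: List[float]      # constructed history of the account's prior ACH amounts
    known_payees: Set[str]
    enrollment_phone: str             # captured at enrollment and NOT editable through online banking
    profile_changed_at: Optional[datetime] = None   # last online email/phone/password change
@dataclass
class AchEntry:
    when: datetime
    payee: str
    amount: float

def score_batch(cust: Customer, entries: List[AchEntry], window=timedelta(hours=6)):
    """Return (score, reasons); a higher score means the batch is more out of character."""
    score, reasons, baseline = 0, [], mean(cust.typical_amounts)
    new_payees = {e.payee for e in entries} - cust.known_payees
    if new_payees:
        score += 2; reasons.append(f"{len(new_payees)} never-seen payees")
    big = [e for e in entries if e.amount > 3 * baseline]
    if big:
        score += 2; reasons.append(f"{len(big)} entries above 3x the typical amount")
    times = sorted(e.when for e in entries)
    if len(times) >= 10 and times[-1] - times[0] <= window:      # velocity (cf. 93 in six hours)
        score += 3; reasons.append(f"{len(times)} entries within {window}")
    if cust.profile_changed_at and times and times[0] - cust.profile_changed_at < timedelta(days=2):
        score += 3; reasons.append("contact details changed under 2 days before the batch")
    return score, reasons

def decide(cust: Customer, entries: List[AchEntry], threshold: int = 4) -> dict:
    """HOLD and verify out of band once the score reaches the threshold. The callback uses the
    enrollment number, so a fraudster who rewrote the online contact details cannot answer it."""
    score, reasons = score_batch(cust, entries)
    action = "HOLD" if score >= threshold else "RELEASE"
    return {"action": action, "score": score, "reasons": reasons,
            "verify_via": cust.enrollment_phone if action == "HOLD" else None}

# Constructed sample: a firm that normally pays two known suppliers about 2,000 each, then a burst
# of large payments to unknown payees 20 hours after its online contact details were changed.
T0 = datetime(2020, 10, 4, 9, 0)
ACME = Customer("acme-metal", [1800.0, 2100.0, 2000.0, 1900.0], {"supplier-a", "supplier-b"},
                "+1-555-0100", profile_changed_at=T0 - timedelta(hours=20))
BURST = [AchEntry(T0 + timedelta(minutes=3 * i), f"mule-{i}", 20000.0) for i in range(12)]
NORMAL = [AchEntry(T0 + timedelta(days=3), "supplier-a", 2050.0)]
```

Running `decide(ACME, BURST)` holds the batch with all four reasons raised, while `decide(ACME, NORMAL)` releases the routine supplier payment with a score of 0.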

Page 19

Losses by Event Type

Source: FDIC

Page 20

Losses by Out Flow Method

Source: FDIC

Page 21

Hackers are Shifting to Different Targets

Source: FDIC

Page 22

MOTIVATIONS

Page 23

Motivations

Passport

Visa

Immigration

Page 24

Motivations

Affordable Internet Access

Affordable Hacking Tools

Page 25

Motivations

Accessible Hacking Tutorials

Page 26

Motivations

Source: GIB-CERT

Easy Money

Russian cybercrime market = 2.3B USD

Russian-speaking hackers earned = 4.5B USD

Global cybercrime market = 12.5B USD

Page 27

Motivations

Source: GIB-CERT

Easy Money


DDoS Menu

Per hour = 5-10 USD

Per day = 40-50 USD

Per week = 350-400 USD

Per month = 1200 USD

Or buy the DDoS kit with bot builder and web admin

Page 28

Motivations

Source: McAfee, Center for Strategic and International Studies

Page 29

Motivations

Source: McAfee, Center for Strategic and International Studies

It is almost impossible to trace and identify the source and the person behind every cyber attack

Page 30

Motivations

Source: McAfee, Center for Strategic and International Studies

Attack lifecycle (diagram): Reconnaissance → Scanning → System Access → Maintain Access → Clean Up

Reconnaissance: information gathering, social eng’g

Scanning: vulnerability identification

System Access: vulnerability exploitation

Maintain Access: create backdoors

Clean Up: remove logs and traceable activities

Other diagram labels: Cyber attack planning; Cyber attack design; Cyber attack initiation; Cyber attack; Denial of Service if exploit is unsuccessful; Phone home (shown twice)

Page 31

User Statistics

60% will insert a found thumb drive into their desktop/laptop

90% will if it has a company logo on it

More than 50% will give up their passwords in exchange for a token gift

90% share passwords across accounts

41% share passwords with others

14% have never changed their banking password

Source: FDIC

Page 32

What are we protecting?

Source: FDIC

Information

Internal Applications

Internal Network

External Network

External Applications

Facilities

Page 33

What are we protecting?

Source: FDIC

Building

Office

Computers


Page 35

User Statistics

It is easier and cheaper to ATTACK than to DEFEND

Source: FDIC

Page 36

END

Thank you