icg pres cts (letter) - citibank · cyber attack is an attempt by online criminals to access or...

Post on 05-Jun-2020

Page 1: ICG Pres CTS (Letter) - Citibank · Cyber Attack is an attempt by online criminals to access or damage a computer network/system often stealing data or money, and using both technical

Page 4

The Cyber Threat Landscape for Financial Institutions

David Rose, CitiDirect and Digital Security Product Manager, EMEA Treasury and Trade Solutions, Citi

Justin Deck, Vice President, Strategic Intelligence Analysis Group, Citi

Page 5

Cybersecurity: Cyber Threat Landscape & Security Best Practices

Page 6

The Changing Information Security Threat Landscape

The cyber threat landscape continues to evolve as better organized and more sophisticated attackers have emerged.

Evolving Threats: An Illustration of the Information Security Challenge (Past vs. Present)

Speed of Attack
  Past: Non real-time theft of passwords and confidential information
  Present: Real-time compromises of computers, servers, mobile devices and their associated communication channels

Target of Attack
  Past: Typically targets of opportunity
  Present: Highly targeted victims, chosen for their access to the most sensitive information

Value of Information
  Past: Very variable; hard to monetize without exposing the malicious actor
  Present: Readily monetized in a sophisticated, secure and anonymous underground economy

Complexity of Business Model
  Past: Workforce primarily based in the same geography as the business and on payroll
  Present: Complex underground marketplace with sophisticated specialists; overlap of actors and infrastructure

Sophistication of Techniques
  Past: Moderately sophisticated adversaries seeking to exploit well-known vulnerabilities
  Present: Highly sophisticated supply chain to create or detect vulnerabilities and exploit tools

Availability of Tools
  Past: Custom tools created by knowledgeable individuals to perform a specific attack
  Present: Malicious tools are commodity items readily available on the black market; overlap of tool usage among actors

Actors, in order of increasing sophistication:
  1. Individual players; opportunistic and casual; driven by the desire to 'prove they can'
  2. Typically still individual players; premeditated and planned actions; driven by the desire for financial gain
  3. Organized collectives, criminal enterprises and nation states; typically coordinated and well funded; driven by the opportunity for geopolitical and financial gain; adversaries increasingly focused on disruption and destruction

Page 7

Cyber Attacks: Common Tactics and Impacts on Business

A cyber attack is an attempt by online criminals to access or damage a computer network/system, often stealing data or money, using both technical and non-technical methods.

Common Attack Methods

Social Engineering: Relying on human interaction to trick people into breaking security procedures and sharing information useful for exploit efforts
Malware: Software tools that enable an unauthorized user to gain control of a computer system and gather sensitive information
Phishing: Emails or online posts that masquerade as a trustworthy party in an attempt to trick the target into divulging information or downloading malware
Cyber Masquerading: Taking over an executive's account to conduct cyber espionage or complete a financial transaction

Impact on Business: the slide places these methods on a scale running from Human Effect, through Human + Technology, to Technology.

Estimated global cost of cybercrime as of February 2015 [1]: $445 Billion
  US $116BN
  China $71BN
  Germany $54BN
  Japan $0.93BN
  All others $203BN
Combined cost to the top four global economies [2]: $242 Billion

Average annualized cost of cybercrime to companies in 2014 [3]:
  United States $12.7M
  Germany $6.8M
  Russia $1.8M

Sources:
1. Computer Weekly; "Cyber crime is a threat to global economy, says researcher"; February 2015.
2. McAfee; "Net Losses: Estimating the Global Cost of Cybercrime"; June 2014.
3. Ponemon Institute; "2014 Global Report on the Cost of Cyber crime"; October 2014.

Presenter
Presentation Notes
Add statistics by attack methods for different regions as talking point --- Beth to provide
Page 8

Cyber Threat Trends Against Financial Institutions and Assets

Cyber attackers are increasingly targeting financial institutions to steal money and sensitive data. The biggest threat is combined attacks that use several tactics at once.

Trend in cyber crime, with its common manifestation against financial centers:

Targeted victims: A caller pretends to be the bank's fraud team or Microsoft Help. The victim reveals sensitive information or even allows screen sharing on their machine, leading to exploitation and fraud.

Sophisticated tools: Malware programmers are using sophisticated methods that evade anti-virus solutions. Banking malware now features file-stealing capabilities.

Persistence and long-term outlook: Advanced tools are added to infected machines to steal valuable intellectual property.

New players, organized crime: Blackmail and extortion schemes, data theft, and even drug and human smuggling are being aided by cyber crime services.

Indirect attacks: The attacker targets third-party vendors in order to access sensitive financial center data/systems and steal data/money.

Multi-vector attacks: Attacks against financial institutions are delivered in multiple phases, using email, social media, and unsecured mobile/personal devices to log into corporate assets.

Page 9

Understanding the Anatomy of a Cyber Attack

Attackers use a wide variety of tactics, techniques, and procedures to facilitate cyber attacks.

Stages, each with an example:

1. Targeting and Compromise: The hacker targets a financial institution based on a LinkedIn update and then compromises the LinkedIn account via password guessing.
2. Lateral Movement: The hacker conducts reconnaissance and makes connections with all associates holding the employee's title linked to that account.
3. Persistence: By using malware to compromise e-mail accounts, the hacker keeps a foothold into the victim even if the LinkedIn compromise is discovered.
4. Exploration: The attacker conducts lengthy research of the victim network, including decryption of data throughout the compromised networks.
5. Exfiltration: The attacker removes data from the victim network (e.g. using encryption) to make it difficult for the stolen data to be identified.
6. Cover Tracks: The attacker destroys artifacts and evidence of the intrusion.

Not all cyber actors complete the full anatomy of a cyber attack, as their objective may be achieved early in the attack process.

Page 10

Case Studies – Fraud Management

Presenter
Presentation Notes
CSIS is an independent function within Citi responsible for investigations of employee wrongdoing and conduct risk related events
Page 11

Fraud Attempt: Beneficiary Change

The following scenario demonstrates the hacker's tactic of fabricating a change of beneficiary in order to steal money.

• Accounts Payable staff member Mike notices an email from his supplier (in fact the hacker) requesting a change of bank account details, and is surprised that the tone is more formal than usual
• Mike replies requiring a signature-verification call-back
• The 'supplier' replies that he is currently travelling, is not available via the usual contact number, and asks Mike to work with his trusted colleague Johan
• Soon after, Johan calls (an in-bound call) to complete the transaction
• Johan becomes anxious and aggressive, and responds that his colleague had previously provided dual authorisation by email and instructed him to contact them
• Given the urgency, Mike quickly takes Johan through the security process and, when Johan answers a few questions correctly, confirms the change of bank details
• Soon after the email request and Johan's call, an invoice from "ABC Technology" is received and paid to the new bank account, held with Lucky Bank
• Two weeks later, Sam (the actual supplier) calls about a large overdue payment
• Mike remembers the invoice because of its unusual size, which needed management approval, and because it was received on the same day as the request to change bank details
• Sam says that they did not change their bank account
• Mike explains what happened after the email request and Johan's call; Sam confirms that they have never banked with Lucky Bank and did not request a bank account change
• Mike escalates for investigation and finds that the payment was effected four weeks earlier, soon after the holidays
• Mike realises that he acted on a fraudulent request to change account details

Red flags in this scenario: the unusually formal tone, the usual contact number being unavailable, a substitute contact, verification done on an in-bound call rather than a call-back to a number on file, pressure to proceed urgently, and an unusually large invoice arriving on the same day as the change request.

Page 12

Key learnings

The ways to reduce the risk of fraud are to:

1. Create your own customer/supplier/payee profiles
2. Independently validate all change requests that you receive
3. Confirm agreements in writing with known contacts
4. Never deal with agreements from unknown requesters
5. Validate only via approved channels and contacts
6. Ensure beneficiary payment processes are robust
7. Always be vigilant for unusual requests or requests that contain red flags

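The key learnings above amount to a change-control procedure for payee bank details. The Python below is an added example for this page, not Citi's code; the payee master, the change requests, the account identifiers and the staff names are constructed for the example. It encodes the rules the case study turns on: a change can be staged only if the call-back goes to a contact already on the payee's profile (so a 'new number' supplied in the request, or an in-bound call from 'Johan', counts for nothing), it takes effect only after a second person records a successful call-back, unknown requesters are refused, and payments are allowed only to the settlement instruction currently on file.

```python
"""Payee bank-detail change control (added example, not Citi's code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Payee:
    """A supplier profile created at onboarding: the settlement instruction on file and the
    contact numbers authenticated at that time. Later changes are verified only against these."""
    name: str
    account: str
    contacts: set[str]
    pending: dict | None = None     # a staged change awaiting independent confirmation


@dataclass
class ChangeRequest:
    payee: str
    new_account: str
    requester: str          # who the request claims to come from
    callback_number: str    # the number the handler intends to call back on
    received_by: str        # staff member who handled the request


def stage_change(master: dict[str, Payee], req: ChangeRequest) -> list[str]:
    """Stage a change for call-back; return the reasons it cannot proceed (empty = staged).

    The call-back number must already be on the payee's profile. A number supplied in the
    request itself, or an in-bound call from a 'colleague', verifies nothing.
    """
    payee = master.get(req.payee)
    if payee is None:
        return [f"unknown payee '{req.payee}': no profile on file, refuse the request"]
    if req.callback_number not in payee.contacts:
        return ["call-back number is not one already on file for this payee"]
    if payee.pending is not None:
        return ["a change is already pending for this payee"]
    payee.pending = {"new_account": req.new_account, "staged_by": req.received_by}
    return []


def confirm_change(master: dict[str, Payee], payee_name: str, confirmed_by: str,
                   callback_confirmed: bool) -> list[str]:
    """Apply a staged change after an outbound call-back, recorded by a second person (maker/checker)."""
    payee = master[payee_name]
    if payee.pending is None:
        return ["no pending change for this payee"]
    if confirmed_by == payee.pending["staged_by"]:
        return ["confirmer must differ from the person who staged the change (maker/checker)"]
    if not callback_confirmed:
        payee.pending = None
        return ["call-back on the number on file did not confirm the change; request discarded"]
    payee.account = payee.pending["new_account"]
    payee.pending = None
    return []


def can_pay(master: dict[str, Payee], payee_name: str, account: str) -> bool:
    """Payments go only to the settlement instruction on file, never to an account quoted on an invoice."""
    payee = master.get(payee_name)
    return payee is not None and account == payee.account


if __name__ == "__main__":
    # Constructed payee master; the phone number and account labels are placeholders.
    master = {"ABC Technology": Payee("ABC Technology", "GB-ACCT-OLD", {"+44 20 7946 0001"})}
    # The fraudulent request: new bank details plus a new 'colleague' and a new number to call.
    fraud = ChangeRequest("ABC Technology", "LUCKY-BANK-NEW", "Johan", "+44 7700 900001", "Mike")
    print("stage fraudulent request:", stage_change(master, fraud))
    print("pay to LUCKY-BANK-NEW allowed?", can_pay(master, "ABC Technology", "LUCKY-BANK-NEW"))
```

With the master set up this way the email in the scenario cannot get past the first step, because the only number Mike is allowed to call is the one Sam's company gave when it was onboarded. The invoice from "ABC Technology" quoting the Lucky Bank account is then rejected by can_pay regardless of who approved it.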

Page 13

Fraud Attempt: Screen Sharing

This is a social engineering illustration in which the fraudster impersonates a bank helpdesk staff member and asks a client to screen share in order to facilitate fraud.

• Joe (2nd authoriser) receives a call from Mr Green (the fraudster) asking to speak with Ann (1st authoriser)
• Joe redirects the call to Ann
• Green explains to Ann that he is calling from the XYZ Bank Helpdesk regarding a Java software update for the XYZ-Online banking application
• Ann asks Green to send her an email to confirm he is from XYZ Bank, giving Green her email address and phone number
• Green promptly sends an email that "appears" to be from xyz-online.com. Ann overlooks the fact that XYZ Bank staff email addresses normally end in xyz.com
• Green calls Ann again once the email has been received, asking her to open the XYZ-Online banking application
• Green then provides an alternative internet address, which redirects Ann to a legitimate online screen sharing service provider
• Green asks Ann to return to the XYZ-Online login page and sign in using her credentials
• Green then spends 5 minutes with Ann 'testing', but does not ask her to authorise a transaction
• Green asks Ann to leave the XYZ-Online session open for 10 minutes and to redirect the call to a transaction maker
• Ann redirects Green to Bob, who is then asked to follow exactly the same screen sharing process
• Green asks Bob to leave his session open and to redirect the call to Joe, which he does
• Joe is then asked to log in to an active screen sharing session using Ann's laptop
• Green finally announces that the 'updates' have completed and asks Ann and Joe not to use XYZ-Online until 5 January, to avoid disrupting the 'server migration'
• On 31 December, Bob notices that US$800,000 has been debited from their accounts
• Bob and Joe simultaneously try to contact XYZ Bank and Green to understand why there was a debit on the account
• XYZ Bank confirms there had been no scheduled 'software updates' and that the circumstances are suspicious

Red flags in this scenario: an unsolicited helpdesk call, a confirmation email from a domain other than xyz.com, being sent to a screen sharing site, being asked to sign in to online banking and leave the session open under a caller's direction, the transaction maker and both authorisers being put on the same session, and a request not to use the banking application for several days.

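The red flag Ann overlooked, a sender address ending in xyz-online.com rather than xyz.com, is mechanical enough to check before replying. The Python below is an added example for this page, not Citi's or XYZ Bank's code: it takes a From: header and an allowlist of the bank's registered mail domains (here the hypothetical xyz.com), separates genuine subdomains from lookalikes that merely contain the brand, and also catches a display name that claims the bank while the address does not. The sample headers are constructed for the example.

```python
"""Sender-domain check for the 'XYZ Bank Helpdesk' email (added example, not Citi's code)."""
from __future__ import annotations

from email.utils import parseaddr

# Assumption for the example: the registered domains XYZ Bank staff actually send from.
TRUSTED_DOMAINS = {"xyz.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'mail.xyz.com' -> 'xyz.com'.

    Simplification: multi-label public suffixes such as co.uk are not handled;
    a deployment would consult a public-suffix list instead.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header: str, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[str, str]:
    """Classify a From: header as 'trusted', 'lookalike' or 'untrusted', with a reason.

    'trusted'   - the address's registered domain is on the allowlist
    'lookalike' - the domain or display name borrows the bank's brand (xyz-online.com,
                  xyz.com.evil.example, 'XYZ Bank Helpdesk <x@outlook.com>')
    'untrusted' - anything else, including an unparseable address
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "untrusted", "no parseable address in the From: header"
    host = addr.rsplit("@", 1)[1].lower()
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted", f"registered domain {reg} is on the allowlist"

    brands = {t.split(".")[0] for t in trusted}
    # A trusted domain appearing in the host but not as its registered domain (xyz.com.evil.example),
    # or the brand embedded in the registered label (xyz-online.com). Substring matching is
    # deliberately broad: a false positive goes to a human, it never becomes an automatic 'trusted'.
    if any(t in host for t in trusted) or any(b in reg.split(".")[0] for b in brands):
        return "lookalike", f"{host} borrows a trusted name but its registered domain is {reg}"
    if display and any(b in display.lower() for b in brands):
        return "lookalike", f"display name '{display}' claims the bank but the address is at {host}"
    return "untrusted", f"registered domain {reg} is not on the allowlist"


if __name__ == "__main__":
    # Constructed headers for the case on the slide: only the second is what XYZ Bank would send.
    for hdr in ("XYZ Bank Helpdesk <green@xyz-online.com>",
                "XYZ Bank Helpdesk <helpdesk@mail.xyz.com>",
                "XYZ Bank Helpdesk <support@outlook.com>",
                "Mr Green <green@gmail.com>"):
        print(f"{hdr!r:48} -> {classify_sender(hdr)}")
```

A 'trusted' verdict only means the address looks right. From: headers can be forged, so an email by itself never proves who is on the phone; the control that would have stopped Green is an outbound call to the bank's published helpdesk number, and a refusal to sign in or share a screen at any caller's request.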

Page 14

Key learnings

Do

• Be suspicious of unsolicited phone calls from any individuals you do not know

• Be aware of appropriate privacy settings on social networking sites

Do not…

• Share your challenge response with anyone (Citi will not ask you to share this information)

• Click on any unexpected email links

• Share PC screens with any unauthorised person


Page 15

Fraud Attempt: Impersonation

This is a general example of how cyber attacks may target and compromise a senior executive's account to conduct fraud.

• An employee updates his Social Networking Site account to say he will be speaking at an annual international conference in China
• The hacker opens the Social Networking Site account by using an online brute force attack to guess the employee's login ID and password
• The hacker makes connections with all associates (e.g. a key supplier) holding a similar job title linked to that account
• The hacker sends a Social Networking Site message to all associates asking them to click on a link to the upcoming conference at which the employee is speaking
• All associates are unknowingly infected by malware when they click on the link
• Because of the malware infection, the hacker compromises the credentials for an associate's e-mail account and sends directions to the employee's Accounts Payable colleague to change vendor bank details and transfer funds

Page 16

Key learnings

Are you being asked to…?

1. Receive unsolicited calls from unknown contacts (or an unusual source, such as the CEO?)
2. Receive or act on unsolicited instructions
3. Click on unexpected, unfamiliar or fake links
4. Circumvent procedures for plausible reasons
   a. e.g. a request to transfer funds via Manually Initiated Funds Transfer (MIFT)
5. Deal with a first-time or unknown beneficiary
6. Make immediate 'confidential' or urgent payments
7. Approve an unknown or unfamiliar transaction
8. Transfer funds by or before an extended holiday
9. Transfer funds to a known secrecy haven
10. Transfer funds to an alternative jurisdiction

Page 17

Profile of a Fraudster

Page 18

Profile of a Fraudster: KPMG 2011 Global Survey, 348 cases of "white collar" crime.

The typical fraudster is…

• Male
• 36 to 45 years old
• Holds a senior management position
• Works in the finance function or in a finance-related role/Operations
• Employed by the company for more than 10 years
• Works in collusion with another perpetrator

Presenter
Presentation Notes
The survey’s finding that men commit more fraud than women seems a reflection on the gender make-up of companies generally. The gender gap in fraud perpetration may reflect women’s under-representation in senior management positions at the time of the survey and, as a consequence, fewer opportunities to commit fraud. Changes in personal circumstances or pressures to meet aggressive work targets may influence the onset of fraudulent activity. They may then commit fraud once they have worked for a company for an extended period, when they have gained the trust and respect of colleagues and have identified absent or poorly designed controls providing the opportunity to exploit a business. Source: KPMG 2011 Fraud Survey
Page 19

Profile of a Fraudster ... (Cont’d)

Based on analysis of 596 fraudsters that KPMG member firms investigated between 2011 and 2013:

• The typical fraudster is aged between 36 and 55 (70%), as per the 2013 survey
• Historically male, with evolving gender variances in senior corporate positions
• Employed by the company for more than 6 years
• Commits fraud against his own employer (61%)
• Works in the finance function, operations, or a senior management position
• 72% of all frauds were perpetrated over 1 to 5 years
• In 70% of the frauds the perpetrator worked in collusion, over a period of 1 to 5 years
  – 43% had a value in excess of US$500,000, exceeding US$5,000,000 in 16% of these cases
• When fraudsters acted alone, a large majority of frauds were still protracted over 1 to 5 years
  – 32% had a value in excess of US$500,000, exceeding US$5,000,000 in 9% of the cases

Source: KPMG 2013 Global Survey, 596 cases of "white collar" crime.

Presenter
Presentation Notes
The 2013 survey findings were similar to those of the 2011 survey. It found that the approximate maximum age of fraudsters increased from 45 to 55 years, perhaps highlighting the capability of senior management to more easily override existing controls or conceal their actions simply because of their seniority. Further, employment tenure has reduced from 10+ to 6+ years, perhaps indicating there are more industry opportunities to commit fraud through poorly designed or absent control environments. This may further be driven by the economic downturn of recent years providing both the 'pressure' and the 'motivation' to commit fraud.

The 2013 survey also highlights the fact that frauds are becoming more protracted, again potentially indicating absent or poorly designed control environments, or controls (which may otherwise have prevented or detected the fraud) being poorly executed.

Also of note is an increase in the overall potential financial exposure to businesses through protracted fraud (1 to 5 years), with fraudsters working alone accounting for 9% of losses in excess of $5,000,000 and perpetrators working in collusion accounting for 16% of losses in excess of $5,000,000. This suggests that fraud through collusion has a higher success rate, indicating the importance of a layered control environment that does not provide a single point of failure, e.g. risk-based multiple levels of approval and timely reconciliation and proofing of accounts, supported by segregation of duties to avoid any overlapping (toxic) entitlement.

Source: KPMG 2013 Fraud Survey
Page 20

Fraud Management – Basic Controls

Presenter
Presentation Notes
When managing your company financial flows, industry experience has established the following as some of the main controls that can determine the effectiveness of a company’s ability to counter fraud attempts.
Page 21

Fraud Awareness: Basic Controls Main controls that can determine the effectiveness of a company’s ability to counter fraud attempts.

Trust v. Process

Know Your Employee

Know Your customer/supplier

Understand the risk (internal/external)

Training


Presenter
Presentation Notes
In our experience the following factors often play a role in the commission of a successful fraud.

Trust v. process: Banking is about processes and supporting controls, not trust. We would all like to be able to trust our colleagues, but that is not what we rely on to prevent losses. In banking we have a principle of segregation of duties: when a banker has to authorise a transaction that was processed by a colleague, he or she must perform all the required checks and balances before signing off on the transaction. You simply cannot do it merely because you trust the person. Always keep in mind that 'Trust is not a Control'.

Know your employee: this starts with pre-employment screening and continues throughout the person's career.

Know your customer/supplier: if you regularly deal with a counterparty and make payments to that counterparty, set up a standard settlement instruction which is properly authenticated and then make payments only to that account; do not accept amendments without further authentication.

Understand the risk: there should be a process to evaluate your product offerings and supporting processes/controls to identify fraud risks and ensure that you have mitigating controls in place. A Fraud Risk Assessment should be signed off by the relevant business heads prior to launch.

Training: once you have done this, ensure that your staff are periodically trained in the supporting processes/controls and provide them with fraud awareness training. When executing operational processes/controls it is vital for employees to understand the difference between processes and controls (put in place to mitigate both inherent and residual fraud risk) and the potential financial/reputational impact to your company following non-adherence.
Page 22

Basic Controls: Multi-layered Controls Environment

• Fraud Risk Assessment
• Accounts Reconciliation
• Audit Trail
• Physical Security
• Staff Training & Awareness
• Mandatory Absence
• Maker Checker
• Network, Servers and PCs Security
• Segregation of Duties
• Escalation & Referral Policy
• Fraud Management Policy
• Entitlements Management
• Information Security Policy
• Independent Investigation

Presenter
Presentation Notes
Banks apply general controls to prevent or detect fraud; the same principles should apply to every corporate entity.

Segregation of duties: best practice supports the principle that no single person should ever be able to execute a transaction throughout the lifecycle of the financial flow. No one person should be able to command/dominate the end-to-end financial flow. This includes transaction initiation, approval, repair and reconciliation.

Dual custody: e.g. when a bank appoints custodians to a vault, one person will have the upper combination and another person will have the lower combination. One person should never have both combinations/keys. The same principle applies to a company cheque inventory or any instrument used to initiate and/or authorise a company's financial flow.

Audit trail: every transaction, even enquiries, must be traceable to a specific user; this acts as an effective deterrent/preventative measure. Ideally audit trails should be independently monitored to identify what may be considered anomalous or suspicious activity/behaviour.

Password sharing: under no circumstances should passwords be shared for any reason; this encourages a lack of control and ultimately provides the opportunity for internal fraud/employee wrongdoing. Safeword cards/passwords/PINs should be kept SAFE and never shared.

Timely reconciliation of accounts is key to an effective control environment. Suspense accounts should be reconciled daily and exception items captured and escalated to senior management. Items should be resolved in a timely fashion. Ideally, accounts should be reconciled daily and proofed monthly. Timely reconciliation and proofing of accounts will ensure that any potential fraud anomalies are identified as soon as possible and escalated, to enhance the likelihood of a successful recovery.

Entitlement management: entitlement should only be granted to employees sufficient to perform the required functions of their job profile. Employees should be mandated with appropriate authorisation levels commensurate with their role. Periodic reviews should be conducted at an appropriate frequency, and testing should form part of a business's self-assessment. Effective entitlement review by management will prevent unnecessary or overlapping (toxic) entitlement which may provide the opportunity for fraud.
Page 23

Case Study – Payment Operations Employee Wrongdoing

Page 24

Case Study: Payment Operations Employee Wrongdoing

This case shows how an employee used borrowed authentication tokens and unsecured PINs to approve fraudulent payments from a client's account.

• In November 2012 the fraud investigation team was alerted to a client-side fraud of US$6.1 million involving an employee in Kazakhstan
• The employee had used his colleagues' tokens to approve two fraudulent transactions and absconded the following day
• The beneficiary bank advised that the funds had been converted to USD, layered into 12 transactions and transferred to accounts in six different countries
• Despite being hampered by secrecy laws, recall messages were sent to the correspondent banks via SWIFT
• All but US$250,000 was recovered, due to the rapid response by the client and the fraud investigations team
• The funds sent to Malaysia and Switzerland had been accepted in good faith, and goods and services were unwittingly dispatched against them

Investigation findings:

• A token had been reassigned to a new user rather than a new token being issued
• The perpetrator "borrowed" two tokens without the users' consent
• PINs were kept with the cards and were not secured
• Payments were initiated out of office hours
• Both approvers, including the CFO, were no longer in the company's employment
• USD payments are subject to currency control regulations in Kazakhstan
• All 12 payments were made to first-time beneficiaries

Lessons learnt:

• Password sharing was prevalent
• No proper segregation of duties
• Poor management oversight
• No fraud training
• The suspect had links to organised crime gangs

Page 25

Case Study: Payment Operations Employee Wrongdoing (Cont'd)

Investigation

All payments were initiated outside normal office hours on the evening of 31 October.

Payment 1
Time      Date       Amount (US$)   Action                 User ID   User Name    Beneficiary Name
20:10:44  31-Oct-12  3.65 million   Initiate Payment       3957527   Employee 1   Primary Beneficiary
20:20:06  31-Oct-12  3.65 million   Level 1 Authorisation  3269215   Employee 2   Primary Beneficiary
07:33:14  01-Nov-12  3.65 million   Level 2 Authorisation  6912813   Employee 3   Primary Beneficiary

Payment 2
Time      Date       Amount (US$)   Action                 User ID   User Name    Beneficiary Name
20:15:41  31-Oct-12  2.46 million   Initiate Payment       3957527   Employee 1   Primary Beneficiary
20:20:38  31-Oct-12  2.46 million   Level 1 Authorisation  3269215   Employee 2   Primary Beneficiary
07:33:20  01-Nov-12  2.46 million   Level 2 Authorisation  6912813   Employee 3   Primary Beneficiary


Presenter
Presentation Notes
This highlights the importance of having a robust control/information security environment (restrict when users can access the system). This should include regular user and entitlement reviews to ensure that entitlement is commensurate with the employee's job profile and that segregation of duties is in place, i.e. security administration/ID management, transaction initiation, authorisation, repair or control activities should not be performed by the same person.

Never share your Safeword card or PIN, as this increases the risk of fraud by providing the opportunity should an individual be pressured or motivated by external/internal forces such as financial debts or gambling addiction and be able to rationalise their actions, i.e. 'I was passed up for promotion' or 'the company owes it to me'. Hard tokens such as Safeword should always be stored securely and PINs treated the same as you would your own ATM bank card PIN.

This also emphasises the importance of timely (intraday/daily) proofing and reconciliation of accounts. Any exceptions should be immediately escalated and investigated through to resolution, to enhance the recovery potential in the event of fraud.
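The audit trail on this slide already contains most of what the investigation later found, so the controls the notes describe can be expressed as checks over it. The Python below is an added example for this page, not Citi's code and not CitiDirect functionality: the audit rows are the ones tabulated on the slide, while OFFICE_HOURS, KNOWN_PAYEES (a pre-authenticated payee list), LEAVER_IDS (accounts of people who have left, as an HR feed would supply) and the thresholds are assumptions. It flags out-of-hours steps, high-value payments to a beneficiary not on the authenticated list, steps performed with an account whose owner has left, the same user acting in more than one role on a payment (segregation of duties), and one user approving several payments seconds apart, which on its own is normal queue-clearing and is therefore marked as corroborating only.

```python
"""Detection checks over a payment audit trail (added example, not Citi's code)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, time

# Audit rows as tabulated on the slide: (payment, timestamp, amount in US$ millions,
# action, user ID, beneficiary). 'Primary Beneficiary' is the slide's own placeholder label.
AUDIT_ROWS = [
    (1, "31-Oct-12 20:10:44", 3.65, "Initiate Payment", "3957527", "Primary Beneficiary"),
    (1, "31-Oct-12 20:20:06", 3.65, "Level 1 Authorisation", "3269215", "Primary Beneficiary"),
    (1, "01-Nov-12 07:33:14", 3.65, "Level 2 Authorisation", "6912813", "Primary Beneficiary"),
    (2, "31-Oct-12 20:15:41", 2.46, "Initiate Payment", "3957527", "Primary Beneficiary"),
    (2, "31-Oct-12 20:20:38", 2.46, "Level 1 Authorisation", "3269215", "Primary Beneficiary"),
    (2, "01-Nov-12 07:33:20", 2.46, "Level 2 Authorisation", "6912813", "Primary Beneficiary"),
]

# Assumptions for the example; none of these values appear on the slide.
OFFICE_HOURS = (time(8, 0), time(18, 0))      # local business hours
KNOWN_PAYEES = {"Known Supplier Ltd"}          # pre-authenticated settlement instructions
LEAVER_IDS = {"6912813"}                       # accounts whose owner has left, from an HR feed
HIGH_VALUE_MUSD = 1.0                          # first-time-payee review threshold, US$ millions
BURST_SECONDS = 60                             # same user approving several payments this close


def parse_ts(s: str) -> datetime:
    """Parse the slide's 'dd-Mon-yy HH:MM:SS' timestamps."""
    return datetime.strptime(s, "%d-%b-%y %H:%M:%S")


def review_audit_trail(rows=AUDIT_ROWS, *, office_hours=OFFICE_HOURS, known_payees=KNOWN_PAYEES,
                       leavers=LEAVER_IDS, high_value=HIGH_VALUE_MUSD, burst_seconds=BURST_SECONDS):
    """Return {payment_id: [alert, ...]} for every payment that trips at least one check."""
    alerts: dict[int, list[str]] = defaultdict(list)
    by_payment: dict[int, list] = defaultdict(list)
    by_user: dict[str, list] = defaultdict(list)
    for pid, ts, amount, action, uid, payee in rows:
        when = parse_ts(ts)
        by_payment[pid].append((when, amount, action, uid, payee))
        by_user[uid].append((when, pid, action))

    for pid, events in by_payment.items():
        events.sort(key=lambda e: e[0])
        roles: dict[str, set[str]] = defaultdict(set)
        for when, amount, action, uid, payee in events:
            roles[uid].add(action)
            if not office_hours[0] <= when.time() <= office_hours[1]:
                alerts[pid].append(f"{action} by {uid} at {when:%d-%b %H:%M:%S} is outside office hours")
            if uid in leavers:
                alerts[pid].append(f"{action} by {uid}, an account whose owner has left the company")
        amount, payee = events[0][1], events[0][4]
        if payee not in known_payees and amount >= high_value:
            alerts[pid].append(f"US${amount}M to first-time beneficiary '{payee}', not a pre-authenticated payee")
        # Segregation of duties: no user may hold more than one step of the same payment.
        for uid, steps in roles.items():
            if len(steps) > 1:
                alerts[pid].append(f"{uid} performed {sorted(steps)} on one payment (SoD breach)")

    # One user approving several payments seconds apart is ordinary queue-clearing on its own;
    # it is reported as corroborating evidence only, never as a stand-alone alert.
    for uid, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for (t1, p1, a1), (t2, p2, a2) in zip(evs, evs[1:]):
            gap = (t2 - t1).total_seconds()
            if p1 != p2 and gap <= burst_seconds:
                alerts[p2].append(f"{a2} by {uid} came {gap:.0f}s after {a1} on payment {p1} (corroborating only)")
    return dict(alerts)


def payments_for_referral(rows=AUDIT_ROWS, min_alerts: int = 2) -> list[int]:
    """Payments with at least min_alerts distinct alerts: the escalation-and-referral candidates."""
    return sorted(pid for pid, found in review_audit_trail(rows).items() if len(found) >= min_alerts)


if __name__ == "__main__":
    for pid, found in sorted(review_audit_trail().items()):
        print(f"payment {pid}:")
        for line in found:
            print("  -", line)
    print("refer for investigation:", payments_for_referral())
```

Run against the slide's rows, the segregation-of-duties check stays quiet: on paper three different user IDs initiated and authorised each payment. That is the point of the case. The breach was in token custody, which an audit trail cannot see directly, so the out-of-hours timing, the first-time beneficiaries and the account-lifecycle check are what give a reviewer the chance to hold the payments before the 07:33 second authorisation the next morning.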
Page 26

Case Study: Payment Operations Employee Wrongdoing (Cont’d)

The graphic depicts how funds are layered across multiple banks and jurisdictions to complicate recovery efforts.


Presenter
Presentation Notes
Layering of funds across multiple banks and jurisdictions to complicate joint restitution and recovery efforts
Page 27

Case Study: Payment Operations Employee Wrongdoing (Cont'd)

Investigation

• USD payments are subject to local currency control regulations in Kazakhstan, pointing to an organised crime group (OCG)
• First-time beneficiary: checks across the correspondent bank payment network identified no other payments made to/from this beneficiary
• Open source media investigations into the ultimate beneficiaries found little information on their business activities
• The company beneficiaries were linked to money laundering networks in Kazakhstan
• All were registered under the same accommodation address in the UK and were not physically present at that address

Lessons learned

• Segregation of duties (entitlement management)
• Information security controls (password sharing)
• Poor management oversight
• Periodic fraud awareness training

Conjecture

• Review of the suspect's profile on a Russian-language social networking site
• To understand the mindset of this individual: the following motto was added to his social networking site on 2 September 2012: "In order to earn, one has to work. But in order to become rich, one has to come up with something different"
• The suspect did not act single-handedly and has possible multiple connections to organised crime

Presenter
Presentation Notes
Outgoing USD payments are subject to local currency control regulations in Kazakhstan and, in respect of these transactions, it is understood from the remitting bank that the necessary documentation was in place well in advance. This suggests the likelihood that the fraud was orchestrated by organised criminal groups. Checks across the industry payment networks identified no other payments made to/from this beneficiary; this was the first time that the company had made payments to this beneficiary. Had the company set up a systemic list of previously authenticated known payees (such as the CitiDirect 'Preformat' functionality, which restricts payments only to known or pre-approved beneficiaries), the fraud may have been prevented. Open source media investigations into the ultimate beneficiaries found little information on their business activities, with links to money laundering networks with a nexus in Kazakhstan, all registered under the same accommodation address in the UK and not physically present at the registered address.

Lessons learnt: Segregation of duties – best practice supports the principle that no sole person should ever be able to execute a transaction throughout the lifecycle of the financial flow; no one person should be able to command/dominate the end-to-end financial flow. Password sharing – under no circumstances should passwords be shared for any reason; this encourages a lack of control and ultimately provides the opportunity for internal fraud/employee wrongdoing. Safeword cards/passwords/PINs should be kept SAFE and never shared. Effective management oversight will ensure a robust operating control environment and a deterrent to employee wrongdoing. Employees should be periodically trained in the supporting processes/controls and be given fraud awareness training.

When executing operational processes/controls it is vital for employees to understand the difference between processes and controls (put in place to mitigate both inherent and residual fraud risk) and the potential financial/reputational impact to your company following non-adherence.

Conjecture: A review of the suspect's profile on a Russian language social networking site indicated that he is currently missing, with seemingly desperate posts since 31 Oct from friends and family asking him to contact them and informing him that his father had since died. On 24 Nov 2012, a missing person's webpage was created stating that the suspect's whereabouts were still unknown, that his mobile phone was now disconnected, and that the reasons for his disappearance were unknown, asking for help in finding him. Further checks against the social networking site in June 2014 indicated that the suspect's whereabouts were still unknown and the 'Group Missing Persons' page had been taken down, giving the impression that all hope of finding him was lost. This is purely speculative, although it emphasises the risks of colluding with organised criminals.
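The controls named in these notes and in the notes on the previous slide (segregation of duties between initiation and authorisation, periodic entitlement reviews, a pre-approved payee list in the spirit of the 'Preformat' functionality, first-time beneficiary detection, and daily reconciliation with exceptions escalated) can be expressed as a small release gate. The following is an added example written for this page, not code from the Citi deck or from CitiDirect; the entitlement names, account identifiers, payments and statement lines are constructed for illustration.

```python
"""Payment-control checks: segregation of duties, entitlement review,
known-payee / first-time-beneficiary gating and daily reconciliation.

Added example, not part of the Citi deck. Entitlement names, payee list,
payment records and statement lines are constructed for illustration.
"""
from dataclasses import dataclass

# Entitlement names are an assumption for this example; real systems differ.
# Each set is a combination that one user must never hold at the same time.
CONFLICTING_ENTITLEMENTS = [
    {"initiate", "authorise"},       # initiate and release the same payment
    {"security_admin", "initiate"},  # grant yourself rights, then pay
    {"security_admin", "authorise"},
    {"repair", "authorise"},         # alter a payment, then release it
]


@dataclass(frozen=True)
class Payment:
    payment_id: str
    initiator: str
    approver: str
    beneficiary: str   # constructed account label, not a real account number
    amount: float
    currency: str


def review_entitlements(entitlements):
    """Periodic entitlement review: report users whose rights break
    segregation of duties. Returns {user: [conflicting sets]}."""
    findings = {}
    for user, rights in entitlements.items():
        conflicts = [c for c in CONFLICTING_ENTITLEMENTS if c <= rights]
        if conflicts:
            findings[user] = conflicts
    return findings


def evaluate_payment(payment, entitlements, known_payees, paid_before):
    """Release gate. Returns ("RELEASE" | "HOLD" | "REJECT", [reasons]).

    REJECT: segregation-of-duties or entitlement failure (control breach).
    HOLD:   beneficiary not pre-approved or never paid before; needs
            out-of-band verification with the payee before release.
    """
    reasons = []
    if payment.initiator == payment.approver:
        reasons.append("initiator and approver are the same user")
    if "initiate" not in entitlements.get(payment.initiator, set()):
        reasons.append(f"{payment.initiator} lacks the initiate entitlement")
    if "authorise" not in entitlements.get(payment.approver, set()):
        reasons.append(f"{payment.approver} lacks the authorise entitlement")
    if reasons:
        return "REJECT", reasons

    if payment.beneficiary not in known_payees:
        reasons.append("beneficiary is not on the pre-approved payee list")
    if payment.beneficiary not in paid_before:
        reasons.append("first-time beneficiary: no previous payments to this account")
    if reasons:
        return "HOLD", reasons
    return "RELEASE", []


def reconcile(ledger, statement):
    """Daily proofing: match internal ledger entries to bank statement lines
    by (payment_id, amount). Unmatched items on either side are exceptions
    to escalate. Both inputs are {payment_id: amount}."""
    only_in_ledger = {k: v for k, v in ledger.items() if statement.get(k) != v}
    only_on_statement = {k: v for k, v in statement.items() if ledger.get(k) != v}
    return only_in_ledger, only_on_statement


# ---- constructed sample data --------------------------------------------
ENTITLEMENTS = {
    "alice": {"initiate"},
    "bob": {"authorise"},
    "carol": {"initiate", "authorise"},        # SoD conflict
    "dave": {"security_admin", "initiate"},    # SoD conflict
}
KNOWN_PAYEES = {"ACC-SUPPLIER-001", "ACC-SUPPLIER-002"}
PAID_BEFORE = {"ACC-SUPPLIER-001"}

PAYMENTS = [
    Payment("P1", "alice", "bob", "ACC-SUPPLIER-001", 12500.0, "USD"),   # clean
    Payment("P2", "alice", "bob", "ACC-NEWCO-777", 480000.0, "USD"),     # first-time, not pre-approved
    Payment("P3", "carol", "carol", "ACC-SUPPLIER-002", 9000.0, "USD"),  # self-approved
]

LEDGER = {"P1": 12500.0, "P4": 3000.0}        # P4 released but not yet on statement
STATEMENT = {"P1": 12500.0, "P9": 75000.0}    # P9 debited but never initiated internally


def run_example():
    """Run all three controls over the sample data."""
    decisions = {p.payment_id: evaluate_payment(p, ENTITLEMENTS, KNOWN_PAYEES, PAID_BEFORE)[0]
                 for p in PAYMENTS}
    sod_findings = review_entitlements(ENTITLEMENTS)
    exceptions = reconcile(LEDGER, STATEMENT)
    return decisions, sod_findings, exceptions


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

The gate deliberately distinguishes a control breach (REJECT: a user approving their own payment, or acting without the right entitlement) from a risk signal (HOLD: an unknown or first-time beneficiary), because the second case is exactly the one the case study says a pre-approved payee list would have caught, and it should be cleared by someone other than the initiator. The reconciliation output treats an item present only on the bank statement as the more urgent exception, since it is a debit nobody in the company initiated.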

Response and Recovery


The following is recommended Citi Security and Investigative Services advice on steps to take in the event of suspected or actual fraud involving bank payments.

What to do in the Event of Fraud

First Response – Act Quickly

• Review and urgently confirm fraud: every minute may count

– Use the 'F' Word

• Be prepared to state "fraud" and confirm this in writing/email (not "potential fraud" or similar; banks will not act on "potential" issues)

– Alert Citi Immediately

• Citi will initiate recall actions (this may include SWIFT recall and/or direct contact)

• The shorter the time between fraudulent transaction and detection, the greater the chance of recovery (ideally 24-48 hours; thereafter the prospect of recovery drops off dramatically)

– Provide the Details

• Beneficiary banks and others will need clear background information before they will act

• Some jurisdictions are more difficult than others, so clients may need to consider further action to secure their position (there may be legal restrictions on freezing/returning funds locally, or on providing information on the identity of the beneficiary client or the remaining balance without a court/police order; there may also be certain processes that the client may need to follow)

• Where a beneficiary bank requests an indemnity from Citi to return funds (protecting that bank from any claims from their account holder), Citi will request an indemnity from the client


Presentation Notes
Post an attack, it is important to have a management and recovery plan in place. Many clients we have spoken to recently only create a plan AFTER an event or near miss. We advise clients that:

• It is important for staff to know what to do and who to notify

• Issue alerts and reminders for staff to know exactly what to do in the event of an actual or potential compromise

• Notify your security officer and your usual bank contact to investigate any suspicious activity

• Act quickly to recover lost funds (your bank can work with you to investigate and attempt recovery of funds)


More information

Further Steps (with Reason/Example)

• Engage internal fraud/security resources
  Reason/Example: Bring in subject matter experts

• Report to local law enforcement as soon as possible – obtain a copy of the report or take a crime reference number
  Reason/Example: Beneficiary banks may expect/request this

• Independently review all recent transactions and logs for other suspect payments or unusual activity
  Reason/Example: Look for other potentially fraudulent transactions

• Independently secure your bank accounts to prevent further misuse
  Reason/Example: Disable system users, implement a payment exception approval process, etc.

• Alert any other banks you may hold accounts with
  Reason/Example: In case fraudsters attack other bank accounts

• Send an internal alert to increase awareness and vigilance
  Reason/Example: In case of further contact/attempts, unless there is a concern of internal compromise

• Retain and hold any potential evidence for investigation
  Reason/Example: Evidence includes email correspondence, audio logs, desktop PCs

• Consider appointing legal counsel, forensic consultants or private investigators to represent/assist you if necessary
  Reason/Example: Some jurisdictions can be more difficult to navigate than others

• Question employees carefully, seek verification of activity and keep written records
  Reason/Example: Ensure your employees' recollection of events is accurate



Some recommended reading.

More information

• FBI Information http://www.ic3.gov/media/default.aspx

• Cyber Masquerading https://www.citibank.com/tts/sa/emea_marketing/docs/cyber_masquerading.pdf

• Combatting Fraud placemat https://www.citibank.com/tts/sa/emea_marketing/docs/combat_fraud.pdf

• Cyber Security Webinar https://www.citibank.com/tts/about_us/online_academy/videos/digisec_060115.html

• PwC – The Global State of Information Security® Survey 2015 http://www.pwchk.com/home/eng/rcs_info_security_2015.html




IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.

Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction.

We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided. [TRADEMARK SIGNOFF: add the appropriate signoff for the relevant legal vehicle]

© 2015 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.

© 2015 Citibank, N.A. London. Authorised and regulated by the Office of the Comptroller of the Currency (USA) and authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.

These materials are for information purposes only and do not constitute legal or other advice. These materials are intended as an aid in improving cyber security and fraud awareness and are not a substitute for your own programme in this regard. We have no responsibility or liability for any consequences of any entity relying on any information in these materials.