the fraud economy - 2015 the year of spear phishing
TRANSCRIPT
2015 The Year of Spear Phishing
The Fraud Economy
Deirdre “Dee” Millard
Senior Fraud Prevention Consultant
In this presentation we will discuss:
Common Methods of Payment Card Fraud
How the Black Market Economy Operates
Impact of Card Fraud on Financial Institutions
Protection from Payment Card Fraud
Phase 1: Payment Card Theft
Phase 2: Payment Card Sale
Phase 3: Cashing
Phases of Fraud
Common Methods:
• Physical Theft (ex. lost or stolen card)
• Skimming (ex. ATM or gas pump)
• Malware on consumer computer or mobile device
• Data breaches Malware on point-of-sale device Network compromise Database or web site compromise
Phase 1: Payment Card Theft
Card-not-present fraud
New account fraud
http://www.statista.com/statistics/419628/payment-card-fraud-losses-usa-by-type/
Phase 1: Payment Card Theft
Shift from face to face fraud to card not present online fraud.
Skimming:
Phase 1: Payment Card Theft
http://krebsonsecurity.com/tag/atm-skimmer/
Devices are small, compact and easy to get.
Skimmers have been found on ATM, POS terminals to steal credentials.
Malware on Consumer Computer or Mobile Device:
Phase 1: Payment Card Theft
2015 The Year of Spear Phishing
• All the latest breaches linked to malware
• Trend of targeting employees
• Harvest info on social networks to customize attacks
• Multi-factor authentication often not required for employees
Malware on Consumer Computer or Mobile Device:
Phase 1: Payment Card Theft
Rogue Mobile Apps Emerge:
• 86% of Android malware was repackaged legitimate apps
• 77% of top 50 free apps in Google’s Play Store have fake versions elsewhere
• Trend Micro cataloged 890,482 fake apps (59,185 aggressive adware & 394,263 were malware)
http://www.zdnet.com/article/android-malwares-dirty-secret-repackaging-of-legit-apps/
http://www.pcworld.com/article/2454980/theres-almost-a-million-fake-apps-targeting-your-phone.html
Data Breaches:
Phase 1: Payment Card Theft
Recent breaches have been the result of malware that was placed on Point of Sale systems. Often the breached organization has been certified as having the appropriate security controls in place.
Phase 2: Black Market Sale
Easy Checkout
.
Customer Support
.
Money Back Gurantee
Technical Support
The rise of online card shops in recent years provides secure forums for buyers and sellers.
How Much is a Card Worth?
Factors affecting price:
Validity Rate
Supply &
Demand
Issuing Region
Phase 2: Black Market Sale
“A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each.”
http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf
Phase 2: Black Market Sale
How Much is a Personal Data Worth?
Phase 3: Cashing
Image Source: http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
Stolen credit cards are used to charge pre-paid cards which then purchase store specific gift cards.
Credit to Gift Card Shell Game
Impact on Financial Institutions
Of financial institutions in a recent survey were impacted by the Target breach*
*ISMG Faces of Fraud Survey
Impact on Financial InstitutionsTop types of fraud experienced?
Impact on Financial Institutions
How did these breaches impact your organization or customers?
Impact on Financial InstitutionsHow is a fraud incident typically detected?
“Too often institutions learn of fraud incidents only after their customers notify them.”
• Be sure to have a plan in place• Make sure you are covering all bases• Tackle the problem from beginning to end• Evaluate current tools and look for constant innovation• Speed and flexibility are critical when fighting back fraud• Awareness & Visibility• Proactive Approach
How to Protect Your Customers
Questions?Contact:Dee MillardSenior Fraud Prevention [email protected]
More Info:
Thank You
Detect Monitoring Service