Post on 16-Jan-2015
Using Anomaly Detection to Prevent ACH Payments Fraud
Tiffany Riley – Vice President, Marketing
Eric LaBadie – Vice President Sales and Customer Success
Guardian Analytics: The Leader in Fraud Prevention
"Guardian Analytics…has a proven and effective fraud detection risk-scoring engine."
“FraudMAP allowed us to shift from being reactive to proactive, giving us confidence to expand our online and mobile offerings.”
“Minimum expectations for layered security include the ability to detect and respond to anomalous activity”
Criminals Turning Focus to ACH
“It seems that from some of the data, the criminals are shifting from wires in many respects to ACH to exfiltrate funds”
– Bill Nelson, FS-ISAC (July 2012)
Two Recent Examples
“In the second week of July, I spoke with three different small companies that had just been hit by cyberheists.” - Brian Krebs, Krebs on Security (Aug 12)
Example 1:
Business: Georgia fuel supplier
Bank: $123M community bank
Story: Criminals attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.
Example 2:
Business: Tennessee contracting firm
Bank: $270M community bank
Story: A Trojan stole the controller’s login info and one-time password and redirected the user to a “site down” webpage. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments for $328,000 to at least 50 “money mules.”
Criminals Better At Defeating Authentication
[Diagram: stages of an account takeover (Steal Credentials, Access Online Banking, Transfer Money, Set Up Fraud, Validate Transactions), with human and automated techniques. Items named in the diagram: twishing, phishing, spear phishing, vishing; Zeus, SpyEye, Ice IX, Gameover, Citadel, Shylock; fraudster machine, proxy/RDP through victim machine, Leprechaun; “Operation High Roller” attacks; ACH, wire, bill pay, check fraud…; Zitmo, Spitmo; change personal info, call/phone forwarding.]
Customers and Profits Are At Risk
Fraudster takes over corporate account
1. FRAUDULENT FILE
• Fraudster submits a new, completely fraudulent ACH batch file
• May or may not exceed caps/limits
2. ROGUE RECIPIENTS
• Existing batch file
• New fraudulent payments
• Changes volume of transactions and batch amount
• May or may not exceed caps/limits
3. BALANCED BATCHES
• Existing batch file
• Criminal adds new credit transactions
• Criminal balances file amount by adding debits
• Likely not to exceed caps/limits or violate rules
4. TAMPERED TRANSACTIONS
• Existing batch file
• Edits portions of transactions only (account number, routing number)
• Transactions and amount typically the same
• Likely not to exceed caps/limits or violate rules
[Diagram labels: Criminals: progressive levels of fraud infiltration. Business: effort to find fraud with traditional rules-based monitoring and reports.]
In 73% of corporate account takeovers, money was successfully transferred.
Increasing effectiveness at defeating caps, rules, limits
Lose confidence after 1 fraud attack
Took their business elsewhere following a fraud attack.
Banks sharing losses with their customers
Courts Favoring Businesses
Comerica – Experi Metal – Bank Did Not Act in Good Faith
Ocean Bank – Patco – Bank Did Not Have Reasonable Security
Bancorp South – Choice Escrow – Contract Not Valid
• "Long story short, the court ruled that UCC 4A pre-empted the indemnification clauses being used by the bank in their counterclaim,”
• The ruling suggests that a bank's contract with a customer that contradicts the spirit of the UCC could be nullified by the courts when legal disputes over fraud arise.
Investments in Addressing This Problem
“Behavioral analytics is a big area of spending we're seeing, both to ward off the threats as well as to comply with the FFIEC (Federal Financial Institutions Examination Council) guidance.”
Julie McNelley, Aite Group
58% of FIs implemented anomaly detection and cited it as effective in reducing Account Takeover Fraud.
FS-ISAC ABA 201 Account Takeover Survey
FFIEC Guidance, RMAG Sound Business Practices
Behavior-based Fraud Prevention Solutions
Instant, 100% coverage, no adoption issues
Stops widest array of fraud attacks
Not threat specific
Individual behavioral analytics
Maximum detection, minimum alerts
SaaS Offering
Fast time to security with no customer impact
No IT maintenance
No rules to write/maintain
Easy to deploy and manage
Most complete protection
Proven Approach
Dynamic Account Modeling™
Retail Business
Introducing FraudMAP ACH
Best protection against sophisticated criminal attacks
• Automatically analyzes ACH origination files for suspicious activity
• Dynamic Account Modeling™ determines risk based on individual originator behavior
Eliminate manual file review and streamline investigation
• Prioritize highest risk batches and transactions
• Risk reasons inform investigations
• Rich behavioral history provides context
Fast time to security, low ongoing maintenance
• Rapid implementation
• No rules required
FRAUDMAP® ACH RISKENGINE
FRAUDMAP® ACH RISKAPPLICATION
Behavior-Based Anomaly Detection for ACH Files
File: Customer Account, File date, File time, File ID modifier, …
Batch: Company Name, Effective Entry Date, Batch/credit amount, Standard Entry Class Code, …
Transaction: Transaction Code, Amount, Destination Account, Receiver name, …
Are the transactions being made to a risky receiver? (confirmed/suspected mule)
Are the customer’s ACH actions normal? For this time in history? (occurrence, frequency, sequence, timing, type amounts, number)
Are the transactions typical? Given past relationship between customer/ receiver? (type, amount)
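The gap between a static cap and per-originator behavior, shown for the four batch patterns listed earlier and the receiver and amount questions above. This is an added example, not part of the original presentation and not FraudMAP's algorithm; the history, names, routing numbers, cap and thresholds are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed history for one originator: receiver -> (routing, account, past amounts)
HISTORY = {
    "A. Lee":   ("111111111", "1001", [2100, 2100, 2150]),
    "B. Ortiz": ("111111111", "1002", [1800, 1850, 1800]),
    "C. Shah":  ("222222222", "1003", [2400, 2400, 2450]),
}
BATCH_CAP = 10_000  # hypothetical static limit used by a rules-based check

def tx(name, routing, account, amount, kind="credit"):
    return {"name": name, "routing": routing, "account": account,
            "amount": amount, "kind": kind}

def cap_rule(batch):
    """Rules-based check: flag only if total credits exceed the cap."""
    return sum(t["amount"] for t in batch if t["kind"] == "credit") > BATCH_CAP

def risk_reasons(batch):
    """Compare every entry with this originator's own history."""
    reasons = []
    for t in batch:
        known = HISTORY.get(t["name"])
        if t["kind"] == "debit":  # the constructed history contains credits only
            reasons.append(f"unexpected debit: {t['name']}")
        elif known is None:
            reasons.append(f"new receiver: {t['name']}")
        elif (t["routing"], t["account"]) != known[:2]:
            reasons.append(f"destination changed: {t['name']}")
        elif abs(t["amount"] - mean(known[2])) > 3 * max(pstdev(known[2]), 50):
            reasons.append(f"atypical amount: {t['name']}")
    return reasons

NORMAL = [tx(n, r, a, amts[-1]) for n, (r, a, amts) in HISTORY.items()]
MULES = [tx(f"Mule {i}", "999999999", f"77{i}", 1900) for i in range(3)]
BATCHES = {  # constructed instances of the four patterns, all under the cap
    "normal": NORMAL,
    "fraudulent_file": MULES,
    "rogue_recipients": NORMAL + MULES[:1],
    "balanced_batch": NORMAL + MULES[:1]
                      + [tx("A. Lee", "111111111", "1001", 1900, "debit")],
    "tampered": [NORMAL[0], tx("B. Ortiz", "999999999", "770", 1800), NORMAL[2]],
}

def compare(batches=BATCHES):
    """Return {name: (cap_rule_flagged, [risk reasons])} for each batch."""
    return {name: (cap_rule(b), risk_reasons(b)) for name, b in batches.items()}

if __name__ == "__main__":
    for name, (capped, reasons) in compare().items():
        print(f"{name:17} cap_rule={capped!s:5} reasons={reasons}")
```

None of the five batches trips the cap, while every fraudulent one produces at least one risk reason and the normal payroll produces none.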
FRAUDMAP® RISKENGINE
FraudMAP ACH DEMO
FraudMAP ACH Customer Story
"The customer e-mails us to tell us the total amount of the batch, but with hundreds of transactions in one batched file, Burris says it's impossible to catch everything with a manual review.”
“With FraudMAP, the review of ACH files will be completely automated, detecting if any payees, for instance, have been changed or if line-item amounts in the batch are atypical.”
"We know the threats aren't going away, and there is only so much you can do to educate your customers."
“And even if we covered a loss, we could run the risk of losing the client. We have not had any account takeovers in the past, but we consider ourselves lucky. Many banks and credit unions our size have been hit."
For More Information
info@guardiananalytics.com - Monthly Fraud Factor and ongoing Fraud Informers
www.guardiananalytics.com - Copy of the Business Banking Trust Study or the Operation High Roller Report
elabadie@guardiananalytics.com
triley@guardiananalytics.com
Thank You