CAUGHT RED HANDED

Bank frauds – beating the system
Julian Parker, Data Genetics

As with all businesses, banks are at risk from external and internal fraud. Of particular note among the internal risks faced by banks is back office/settlement operations fraud, where insiders use their unique insight and experience to manipulate or bypass the systems that they use every day. Some common themes of such frauds, as noted from investigations into them, are discussed below.

The insider, and friends

Frauds perpetrated in the back-office/settlement operations tend to comprise two elements: a disenchanted insider that is capable of being recruited or ‘turned’, and outside elements that are able to organize the reception of the funds and onward dispersal. The insider is often more vulnerable than their employer would like to think – earning a fraction of the salaries paid to front office staff, the back-office worker is frequently seen as lowly paid and semi-skilled. A favoured tactic of the criminal fraternity is the recruitment of such staff, often using a drug or sexual habit as a hook. Criminal elements also find it advantageous to appeal to the perceived inferior position such staff hold within an organization in order to foster a mood of discontent. Criminal elements will thus groom their victims, probing them for the weaknesses of the payments system they use every day, and egging them on to take advantage of its loopholes.

Forgery

In order to try and secure payment systems, banks rely on a number of operational procedures, both electronic and human. Almost invariably, with bank to bank transaction systems, the attackers do not attempt to subvert the encoded EFT instructions or indeed the EFT interfaces. To do so would require incredible processing power to crack the encryption and, with the speed at which the messages travel, this is not practicable. Instead, the attackers will target the weakest links in the chain, which are normally the preparation and input cycles. A simple cut-and-paste fraud, inserted by the right person at the right point in the process, can bypass the most dedicated control procedures. Furthermore, banks generate a variety of documents to initiate payments, sometimes using standard software packages — another element that allows for relatively easy forgery.

Another common method of back office fraud is the insertion of a fraudulent ultimate beneficiary instruction on an otherwise correct and genuine payment instruction. In a busy settlements office, the releasing officer may not pay much attention to what is, on the face of it, a correct looking instruction. To our knowledge, this method has been successfully used to steal millions of dollars.

Of further, crucial importance is the veracity of standing data. Controls in electronic payment systems are critically reliant on the accuracy of standing data, in particular those beneficiary account details held for regular payments. The manipulation of such data could allow an otherwise correct payment instruction to be re-routed to a fraudulent account. The method of defining such standing data should be reviewed, and any amendments to it should be scrupulously verified.

It should also be added that the settlements function is normally under a great deal of pressure to release funds – banks can pay severe penalties if payments are late – which adds to the risk of fraudulent instructions passing without too much investigation.

Poor procedures

Segregation of duties is key in any authorization system (input, verify and release), but this is all too easily compromised. In practice these otherwise effective systems are often compromised in day to day operations – high security smartcards and one-time only password generators can be shared between staff members in order to make their life easy. In one instance, all three authentication tokens were being held by a secretary, as all users found this the most effective method of knowing where the tokens were at any time. Such a lapse in security was motivated by convenience, but the risk of fraud given such an occurrence is extreme.
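As an added example (not code from the article or from Data Genetics), the following Python models the input, verify and release cycle and the two checks that follow from the passage above: a hard rule that three distinct user IDs must act on each instruction, and a review heuristic for the token-sharing case, where three valid credentials used from a single workstation within seconds is exactly the trace a secretary holding all three tokens would leave. User IDs, workstation IDs, timings and the two-minute window are constructed assumptions.

```python
"""Three-step payment authorization with segregation-of-duties checks.

Added example, not part of the article. It models the input / verify /
release cycle and applies two defender checks:
  1. hard rule  - the three steps must be done by three distinct user IDs;
  2. heuristic  - all three steps from one workstation inside a short window
                  is the pattern shared tokens produce, so flag it for review.
User IDs, workstation IDs and timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STEPS = ("input", "verify", "release")


@dataclass
class StepEvent:
    step: str          # one of STEPS
    user: str          # authenticated user, i.e. the token that was presented
    workstation: str   # terminal the step was performed from
    at: datetime


@dataclass
class Instruction:
    ref: str
    amount: float
    beneficiary: str
    events: list = field(default_factory=list)


class SegregationError(Exception):
    pass


def record_step(instr, event):
    """Apply one workflow step, enforcing step order and distinct actors.

    Raises SegregationError when a step arrives out of order, when the
    instruction is already released, or when the same user appears twice
    in the chain (the hard segregation-of-duties rule).
    """
    if len(instr.events) >= len(STEPS):
        raise SegregationError(f"{instr.ref}: already released")
    expected = STEPS[len(instr.events)]
    if event.step != expected:
        raise SegregationError(f"{instr.ref}: expected '{expected}', got '{event.step}'")
    if any(e.user == event.user for e in instr.events):
        raise SegregationError(f"{instr.ref}: user {event.user} already acted on this instruction")
    instr.events.append(event)


def shared_token_suspects(instructions, window=timedelta(minutes=2)):
    """Review list: released instructions whose three steps all came from one
    workstation within `window`. Three distinct user IDs can still be one
    person holding three tokens; same terminal plus tight timing is the tell.
    """
    suspects = []
    for instr in instructions:
        if len(instr.events) != len(STEPS):
            continue
        stations = {e.workstation for e in instr.events}
        times = [e.at for e in instr.events]
        if len(stations) == 1 and max(times) - min(times) <= window:
            suspects.append(instr.ref)
    return suspects


def run_demo():
    """Constructed scenario: one clean instruction, one token-sharing pattern,
    one attempt by a single user to both input and verify."""
    t0 = datetime(2003, 3, 10, 9, 0, 0)  # constructed timestamp

    normal = Instruction("PAY-0001", 250000.0, "GB00BANK00001111")
    record_step(normal, StepEvent("input", "alice", "WS-01", t0))
    record_step(normal, StepEvent("verify", "bob", "WS-02", t0 + timedelta(minutes=12)))
    record_step(normal, StepEvent("release", "carol", "WS-03", t0 + timedelta(minutes=20)))

    # Three valid tokens, one desk, 40 seconds: what "all tokens held by one
    # person" looks like in the audit trail.
    shared = Instruction("PAY-0002", 975000.0, "GB00BANK00002222")
    record_step(shared, StepEvent("input", "dave", "WS-07", t0))
    record_step(shared, StepEvent("verify", "erin", "WS-07", t0 + timedelta(seconds=20)))
    record_step(shared, StepEvent("release", "frank", "WS-07", t0 + timedelta(seconds=40)))

    # Hard rule: one user inputting and verifying is refused outright.
    solo = Instruction("PAY-0003", 10000.0, "GB00BANK00003333")
    record_step(solo, StepEvent("input", "gina", "WS-04", t0))
    try:
        record_step(solo, StepEvent("verify", "gina", "WS-04", t0 + timedelta(minutes=1)))
        solo_rejected = False
    except SegregationError:
        solo_rejected = True

    # Order is enforced too: a release with no prior input or verify is refused.
    try:
        record_step(Instruction("PAY-0004", 1.0, "GB00BANK00004444"),
                    StepEvent("release", "hank", "WS-05", t0))
        out_of_order_rejected = False
    except SegregationError:
        out_of_order_rejected = True

    return {
        "suspects": shared_token_suspects([normal, shared, solo]),
        "solo_rejected": solo_rejected,
        "out_of_order_rejected": out_of_order_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The hard rule is only as good as the binding between a token and its holder, which is the point of the passage: once tokens are shared, the system still sees three distinct users, so the workstation-and-timing heuristic (or a physical check of who holds which token) is what remains.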

Executing instructions

Connectivity within a payments system should always be fully explored. It should not be taken for granted that an instruction, once raised, will reside as an encrypted EFT message until released electronically. In some systems, authorized payment instructions have been found standing in a release queue in plain text. When questioned, IT staff have admitted this to be the case, but have added that they have allowed this to occur as it has left them a valuable ‘backdoor’ through which to enter and change data if requested (i.e. if the originator of the instruction realizes they have made a mistake). Whilst this may be understandable, it is nevertheless an extremely dangerous situation. Given the relevant level of access and some suitable software, a user could target an instruction and alter it after it has passed through the bank’s security. Such backdoors make a mockery of any well-intentioned security system.

Introduction

The purpose of this paper is to address a trend in the nature of attacks on the global network. It will cover the most serious attacks of the past year and an assessment of the level of technical skill required to perpetrate those attacks, the complexity of the attacks, and the seriousness of the attacks. The paper will also cover the technologies and techniques available as countermeasures to reduce the effectiveness of the attacks and will focus on the real-time versus non-real-time nature of attacks.

Cyberspace is becoming an increasingly dangerous place. When the Computer Emergency Response Team Coordination Center (CERT/CC) first began collecting statistics on security incidents in 1988 at the behest of the US Government, there were only six recorded incidents.1 During calendar year 2002, there were 82,094 security incidents reported to CERT/CC.2 This astounding growth in the number of incidents is shown graphically in figure 1.

Perhaps the only thing more amazing is the fact that many US companies do not implement the security necessary to protect themselves due to the cost3. On balancing the cost of implementing even best-practice levels of security against the rarity of serious cyber-attacks, most companies are opting to play the odds4 — a dangerous game to play when evidence suggests that companies connected to the internet ‘are virtually guaranteed to suffer some form of attack5.’ Indeed, Newsweek reported results from a Gartner survey that showed average financial losses as high as $6.6 million per incident6.

There are, perhaps, as many ways to classify attacks as there are observers of the phenomenon. For this paper, a focus on the automated nature of the hack points to both a simplification of the knowledge required on the hacker's part and a temporal element — a quality that allows the hacker to develop malicious code off-line and then release it with a minimal amount of exposure online. Thus the attacks outlined in this paper will be examined and classified based on the real-time involvement of a perpetrator and generally be classified as direct or indirect.

Direct attacks require the engagement of the perpetrator's attacking machine on the network in real-time. Such attacks include Unicode attacks, website defacing, buffer overrun attacks, and brute force password cracking7 or security bypass attempts to gain unauthorized access to systems in real-time. The defining characteristic is that the perpetrator is either sitting at the keyboard during the attack or has started some automated tool that is maintaining a connection between the attacking machine and the target(s).

In contrast, indirect attacks do not require the physical participation of the perpetrator's attacking machine at the time of the attack. Such attacks include the creation and distribution of viruses, worms, and logic bombs8, social engineering techniques designed to obtain passwords or other sensitive data or to install Trojan horses, and denial-of-service (DoS) attacks or the more popular variant, the distributed DoS (DDoS). In these cases, the attacker does his9 dirty work in relative security and only later introduces the attacking mechanism to the network, perhaps from a public machine where he may more easily retain his anonymity.

Reconciliation

Finally, a word about reconciliation. There are many different and useful forms of this, but we would add a word of caution about one sort in particular. It is completely pointless to run a reconciliation by printing out the instructions from the system and then verifying them against the same system. In effect, this is merely reading the printout twice. Reconciliations only serve any purpose if they compare details from initiation to completion.
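The following Python is an added example (not from the article or from Data Genetics) that serves both the standing-data passage earlier and the reconciliation point made here. It compares what was initiated with what was completed, field by field, so an instruction altered after input, or one inserted with no initiation record at all, shows up as a break; it checks completed regular payments against a separately approved copy of the standing data, which is the only way a manipulated beneficiary record is caught when initiation and completion agree with each other; and it includes the printout-versus-same-system comparison the text calls pointless, which by construction never finds anything. Record layouts, account strings, payee IDs and amounts are constructed sample data.

```python
"""End-to-end payment reconciliation: initiation records vs completion records.

Added example, not part of the article. Two constructed data sets stand in
for the two ends of the chain the text says a reconciliation must compare:
  - INITIATED: what the originator raised (the input record);
  - COMPLETED: what actually left the bank after verify and release
    (outbound EFT confirmation or account statement).
Anything altered in between (beneficiary re-routed, amount changed, an extra
instruction slipped into the queue, an instruction that vanished) shows up as
a break. Field names, account strings and amounts are constructed samples.
"""

INITIATED = [
    {"ref": "PAY-1001", "amount": 12500.00, "currency": "GBP",
     "beneficiary_account": "GB11ACME00000001", "payee_id": "VENDOR-ACME"},
    {"ref": "PAY-1002", "amount": 480000.00, "currency": "USD",
     "beneficiary_account": "US33CORP00000002", "payee_id": None},
    # Regular payee whose standing-data record was altered *before* input:
    # the instruction is internally consistent and looks correct on its face.
    {"ref": "PAY-1003", "amount": 9100.00, "currency": "EUR",
     "beneficiary_account": "DE44MULE00007777", "payee_id": "VENDOR-SUPP"},
]

COMPLETED = [
    {"ref": "PAY-1001", "amount": 12500.00, "currency": "GBP",
     "beneficiary_account": "GB11ACME00000001", "payee_id": "VENDOR-ACME"},
    # Beneficiary changed while the instruction sat in the release queue.
    {"ref": "PAY-1002", "amount": 480000.00, "currency": "USD",
     "beneficiary_account": "US33MULE00009999", "payee_id": None},
    {"ref": "PAY-1003", "amount": 9100.00, "currency": "EUR",
     "beneficiary_account": "DE44MULE00007777", "payee_id": "VENDOR-SUPP"},
    # Instruction that was never initiated by anyone: inserted after input.
    {"ref": "PAY-1004", "amount": 250000.00, "currency": "GBP",
     "beneficiary_account": "GB55MULE00008888", "payee_id": None},
]

# Approved standing data, held and amended under separate verification, so a
# change to the live beneficiary table alone does not change this copy.
APPROVED_STANDING_DATA = {
    "VENDOR-ACME": "GB11ACME00000001",
    "VENDOR-SUPP": "DE44SUPP00000003",
}

COMPARED_FIELDS = ("amount", "currency", "beneficiary_account")


def reconcile(initiated, completed, fields=COMPARED_FIELDS):
    """Initiation-to-completion reconciliation.

    Returns a sorted list of (ref, description) breaks: field changes on
    matched instructions, initiations with no completion, and completions
    with no initiation record.
    """
    by_ref_init = {r["ref"]: r for r in initiated}
    by_ref_done = {r["ref"]: r for r in completed}
    breaks = []
    for ref, init in by_ref_init.items():
        done = by_ref_done.get(ref)
        if done is None:
            breaks.append((ref, "initiated but never completed"))
            continue
        for f in fields:
            if init[f] != done[f]:
                breaks.append((ref, f"{f} changed: {init[f]!r} -> {done[f]!r}"))
    for ref in by_ref_done.keys() - by_ref_init.keys():
        breaks.append((ref, "completed with no initiation record"))
    return sorted(breaks)


def standing_data_breaks(completed, approved):
    """Regular payments must have gone to the approved account for the payee.

    This catches the case reconcile() cannot: standing data manipulated before
    input, so initiation and completion agree and only the approved copy differs.
    """
    out = []
    for r in completed:
        payee = r.get("payee_id")
        if payee in approved and approved[payee] != r["beneficiary_account"]:
            out.append((r["ref"], f"standing data mismatch for {payee}"))
    return out


def printout_vs_same_system(records):
    """The reconciliation the text calls pointless: the system checked against
    a printout of itself. The printout is a copy, so this never finds a break."""
    printout = [dict(r) for r in records]
    return [(a["ref"], "mismatch") for a, b in zip(records, printout) if a != b]


if __name__ == "__main__":
    for b in reconcile(INITIATED, COMPLETED):
        print("BREAK", *b)
    for b in standing_data_breaks(COMPLETED, APPROVED_STANDING_DATA):
        print("STANDING DATA", *b)
    print("printout vs same system:", printout_vs_same_system(COMPLETED))
```

The two real checks between them catch all three constructed frauds (the re-routed PAY-1002, the inserted PAY-1004 and the standing-data change behind PAY-1003); the same-system comparison catches none, which is the point the passage makes.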

Think like a thief…

As with all frauds, the attackers will target the weakest link in the chain. In back office, this will likely involve corners which the staff have learned how to cut and systems they have learned to bypass, often in the simplest of ways. To try and catch them, or indeed head them off, you will have to put yourself in their place, and see the system as they see it – in other words, think like a thief, or perhaps just an overworked, underpaid, stressed or lazy individual.

Contacts:

Data Genetics International
Tel: 00442075209384
Email: [email protected]

The trend toward non-real-time attacks
Gerald D. Hill III (Jerry), The George Washington University, Washington, D.C.

A shift in the methodology of attacking networks is occurring. The shift is from real-time attacks via hacking into systems directly to non-real-time attacks through the use of viruses, worms and Trojans that can invade tens of thousands of systems over time. They perform all manner of mischief, including the collection and forwarding of information such as credit card data to the perpetrator to use at their convenience.