Financial crime A changing landscape Presentation to AFP Ottawa October 21, 2015 Ed Rosenberg VP &...
Financial crime: A changing landscape
Presentation to AFP Ottawa, October 21, 2015
Ed Rosenberg, VP & CSO, BMO Financial Group
Agenda
• Evolution of crime
• Overview of cyber crime
• Meet the hackers/the Dark Web
• Malicious insiders
• Social engineering
• Business Email Compromise (BEC)
• Email Account Compromise (EAC)
• Ways to mitigate email compromise
• Q&A
Disclaimer: The material in this presentation provides commonly known information about fraud trends, and BMO’s observations about controls and activities. This presentation is intended to provide you and your companies with information and helpful tips, but it does not purport to be complete or provide advice or recommendations to you or your company. You should always seek independent legal or professional advice when implementing fraud or risk initiatives.
Meet the new face of crime
Evolution of crime, 1970s to the present
1970s – when kiting had a different meaning…
1980s – credit card fraud increases; vigilante groups pop up
1990s– Violence in the Workplace enters the lexicon; Internet takes shape
2000s – cyber crime emerges; skimming is a problem
2010s – the age of the faceless criminal
“The lines separating the intents of nation-states, hacktivists and organized crime are beginning to blur...”*
*“US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, p.4. PwC July 2015
Cyber crime: The World Wide Web of deceit
What the industry is seeing:
• Fraudulent payments
• Email takeovers
• Doppelgangers (look-alike sites)
Trends in corporate cyber crime
• Targeted spear phishing attacks
• Advanced social engineering techniques
• Customer data theft & breaches
• Identity theft
The costs of cyber crime
Cyber crime is costly.
[Chart: Average annualized cyber crime costs per incident. Taken from 2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p 12]
Cyber crime: A closer look (2014 Global)
• Prevalence of cybercrime: 24% of companies experienced cybercrime
• Increased concern: 48% say their perception of cybercrime risk has increased
• Indirect costs of cybercrime are of greater concern (companies’ greatest concerns related to cybercrime)
• Financial costs of cybercrime: 3% of organizations suffered financial losses of more than US $1 million in 2014
Financial losses from cybercrime, share of companies (2014 Global):
• USD 0: 40%
• USD 1K-50K: 16%
• USD 50K-100K: 4%
• USD 100K-1M: 4%
• USD 1M-5M: 2%
• USD 5M-100M: 1%
Source: Global Economic Crime Survey, 2014, PWC, pages 5, 6, 29
Meet the hackers: means and motives
• Who: Malicious insiders; careless employees; other governments; other companies; organized crime
• Why: Market advantage, corporate secrets, revenge, business disruption, cyber terrorism, hacktivism
• How: Network (denial of service, network intrusions); infrastructure (servers, desktops, mobile devices); applications (e.g. website intrusion); employees (spear phishing)
• What: Corporate secrets, intellectual property, business plans, identity information, strategic & financial data; client information, access to accounts
• Impact: Systems unavailable, regulatory sanctions, litigation, increased competition, revenue loss; increased costs, reputation loss; brand damage; loss of share
The Dark Web: where the hackers ply their goods
• Deep Web: the collection of all sites on the web that aren’t reachable by a search engine
• Tor: a network developed with funding from the U.S. Navy; it uses multiple relay servers and layers of encryption to create a parallel, anonymous Internet. Tor networks are used to access the Dark Web1
• Dark Web: not to be mistaken for the Deep Web, the Dark Web is a collection of websites that are publicly visible, but the IP addresses of the servers that run them are hidden2
• It’s believed the Deep Web (which includes the Dark Web) accounts for 90% of all Internet sites
1 Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26
2 Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web
The cyber underworld*
Connection with organized crime
• Criminal activity via the Dark Web adds additional complexity in terms of both internal and external threats – or a combination of both
• Organized crime buys and sells credit and debit cards, customer information and other data on Dark Web forums such as the Silk Road
• The Dark Web is also a repository of sites selling counterfeit prescription drugs – a huge problem for the pharmaceutical industry – as well as guns, narcotics and pornography etc.
Internal threats
• Dark Web usage often goes undetected on corporate networks, raising security risks, liability and potential litigation for companies
• Employees access Tor on company computers to: purchase illegal goods and services; get around security controls; establish Tor hidden services on company networks
*Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26.
Malicious insiders
• External and internal threats often share one key motive – the desire to profit from data1
• In the underworld, customer data is Big Money – a potential $$$ payout for employees who sell company secrets2
• Insiders are capable of more harm than outside hackers – they already have access to the network
• Information theft is often an inside job; when the attacker is known, 39% say it was the result of employees3
• Employee malfeasance remains the most common driver of information theft
• Insiders that lead or join an organized crime group can be more difficult to detect than a lone insider in an organization4
1 “Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.
2 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.6
3 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.7
4 Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity” p.9 by Chris King, Software Engineering Institute, January 2012.
Insiders and organized crime
Insider threats are real. When insiders have ties to existing organized crime groups, the risks are that much greater:
• “A motivated group of insiders can bypass normal checks and balances by reaching across departmental boundaries.
• Insiders affiliated with external organized crime groups have the resources of a large organization available to help them in their crime.
• This can include multiple insiders working for several organizations that are all part of the same criminal group.
• The impact of insiders and organized crime exceeds a normal fraud case and can cause $3M in damages on average and up to $50M in the most extreme case.”*
*Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity” p.9 by Chris King, Software Engineering Institute, January 2012.
Some general employee controls
• Make fraud prevention everyone’s responsibility:
• Enforce a workplace fraud prevention policy
• Ensure fraud prevention controls are inherent in a process
• Implement a whistleblower hotline or other communication channel
• Design controls to cover vacations and urgent emergency situations
• Be alert for behaviour cues
• Do rigorous pre-employment screening
Social engineering: Meet the social engineer’s new best friends
• Online profiles such as LinkedIn – a critical tool in the social engineer’s arsenal
• Targeting certain job profiles in your organization: Security Analyst, Help Desk Analyst, IT Operations – hackers are looking for full admin rights
• Titles aid in determining who to target
• Info gleaned from profiles is also used to personalize spear phishing emails and hack passwords
Social engineering… increasingly targeted: spear phishing
• One of the best chances of getting access to company networks is through an email spear phishing attack
• Spear phishing is becoming increasingly sophisticated; it is hard to spot a fake
• Getting into the company’s system can also enable email account takeovers and other fraud
Encryption helps but…
• Strong encryption is a strong defense against hacking – it’s difficult to break – but it’s not foolproof
• Encryption’s weak link: social engineering
Business email compromise – what it is
Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.1
1 This definition was revised to emphasize the different techniques used to compromise victim e-mail accounts. Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715a-PSA.
Business email compromise – the statistics
• The BEC scam continues to grow and targets businesses of all sizes: 270% increase in identified victims and exposed loss since January 2015
• The scam has been reported in all 50 states and in 79 countries
• Fraudulent transfers have been reported going to 72 countries, with the majority of transfers going to Asian banks (China and Hong Kong)
• The following BEC statistics were reported to the Internet Crime Complaint Center from October 2013 to August 2015: combined victims (U.S. and non-U.S.): 8,179; combined exposed dollar loss (U.S. and non-U.S.): ~$800 million1
1 Exposed dollar loss includes actual and attempted loss in United States dollars. Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715a-PSA.
Email account compromise
Email Account Compromise (EAC) is a sophisticated scam that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies and law firms.
• The EAC scam is very similar to the BEC scam except that it targets individuals rather than businesses.
• Some common examples include: financial/brokerage services; real estate; legal
Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715b-PSA.
Email account compromise – some examples
Financial/brokerage services
• An individual’s e-mail account is compromised. The criminal poses as the victim and sends an e-mail to the victim’s FI or brokerage firm requesting a wire transfer to an account under the control of the criminal.
• An accounting firm’s e-mail account is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.
Real estate
• A seller’s or buyer’s e-mail is compromised. The criminal intercepts transactions between the two and alters instructions for the transfer of funds.
• A realtor’s e-mail address is used to contact an escrow company to redirect commission proceeds to a bank account associated with the criminal.
• A realtor receives a link within an e-mail from an unknown person requesting info related to property. When the realtor clicks on the link, the criminal gains access to the realtor’s e-mail and obtains client information. The criminal uses this when e-mailing the clients and attempts to change wire instructions for loan processing proceeds.
Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715b-PSA.
BEC and EAC mitigation
• Validate requests: When receiving instructions by email or fax, validate! Implement a mandatory callback policy if you receive a request from a supplier – it might not be who you think it is…
• Subscribe to alerts: Subscribe to balance and transaction threshold alerts, such as any debits above a certain $ amount.
• Dual authentication: Ask a secondary wire reviewer to approve any wire requests through online banking.
• Implement limits: Re-evaluate dollar limits – existing limits may be too high.
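The four mitigations above, together with the changed-wire-instructions pattern from the EAC examples, can be expressed as a single pre-release check that a payments team runs on every wire request. The following is an added example for illustration; it is not code from the presentation, from BMO or from the FBI. The vendor record fields, the dollar thresholds, the request fields and the look-alike domain heuristic are all assumptions made for the example.

```python
"""Added example (not BMO's or the FBI's code): a wire-release control check that
applies the four BEC/EAC mitigations on the slide -- validate email/fax instructions
by callback, alert above a threshold, require a second approver, enforce dollar
limits -- plus a sender-domain check for look-alike (doppelganger) domains.
Every vendor record, limit and request below is constructed for illustration."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str       # domain the supplier is known to send from
    account_on_file: str    # beneficiary account verified at onboarding
    phone_on_file: str      # number used for callbacks (never one taken from the email)


@dataclass(frozen=True)
class WireRequest:
    vendor_name: str
    sender_email: str
    channel: str            # "email", "fax" or "portal"
    amount: float
    destination_account: str
    requested_by: str       # employee entering the wire
    callback_verified: bool  # staff called the phone number on file and confirmed
    second_approver: Optional[str] = None


# Hypothetical policy settings chosen for the example.
LIMITS = {
    "alert_threshold": 10_000.0,          # debits above this raise an alert
    "dual_approval_threshold": 25_000.0,  # above this a second reviewer must approve
    "single_wire_limit": 100_000.0,       # hard cap per wire
}


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def looks_alike(domain: str, known: str) -> bool:
    """True when a domain is close to, but not the same as, the domain on file."""
    if domain == known:
        return False
    return SequenceMatcher(None, domain, known).ratio() >= 0.8


def evaluate_wire(req: WireRequest, vendors: dict, limits: dict = LIMITS):
    """Return (decision, holds, alerts); decision is 'release' or 'hold'."""
    holds, alerts = [], []
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return "hold", ["unknown vendor; onboard and verify before paying"], alerts

    # Validate the sender: an exact domain match is required; a near miss is a
    # look-alike domain, anything else is simply unexpected.
    dom = sender_domain(req.sender_email)
    if dom != vendor.email_domain:
        kind = "look-alike" if looks_alike(dom, vendor.email_domain) else "unexpected"
        holds.append(f"{kind} sender domain {dom!r}; vendor on file uses {vendor.email_domain!r}")

    # Mandatory callback for instructions received by email or fax.
    if req.channel in ("email", "fax") and not req.callback_verified:
        holds.append(f"{req.channel} instructions not validated by callback to {vendor.phone_on_file}")

    # Changed beneficiary details are the EAC pattern: treat as new instructions.
    if req.destination_account != vendor.account_on_file and not req.callback_verified:
        holds.append("destination account differs from account on file and was not confirmed by callback")

    # Dollar limits and dual authentication.
    if req.amount > limits["single_wire_limit"]:
        holds.append(f"amount {req.amount:,.2f} exceeds single-wire limit")
    if req.amount > limits["dual_approval_threshold"]:
        if not req.second_approver or req.second_approver == req.requested_by:
            holds.append("dual authentication required: a second, different reviewer must approve")

    # Threshold alert: informational, does not block the wire on its own.
    if req.amount > limits["alert_threshold"]:
        alerts.append(f"debit of {req.amount:,.2f} exceeds alert threshold")

    return ("hold" if holds else "release"), holds, alerts


# Constructed sample data.
VENDORS = {"Acme Parts": Vendor("Acme Parts", "acme-parts.example", "CA-12345678", "+1-555-0100")}
REQ_LEGIT = WireRequest("Acme Parts", "ap@acme-parts.example", "portal", 8_000.0,
                        "CA-12345678", "jdoe", callback_verified=False)
REQ_BEC = WireRequest("Acme Parts", "ap@acme-parts.exarnple", "email", 48_000.0,
                      "CA-99999999", "jdoe", callback_verified=False)
REQ_VERIFIED = WireRequest("Acme Parts", "ap@acme-parts.example", "email", 48_000.0,
                           "CA-12345678", "jdoe", callback_verified=True, second_approver="msmith")

if __name__ == "__main__":
    for r in (REQ_LEGIT, REQ_BEC, REQ_VERIFIED):
        print(r.sender_email, evaluate_wire(r, VENDORS))
```

Run as a script, the second request (email instructions, look-alike domain, changed account, no second approver) is held for four separate reasons while still raising the threshold alert; the third shows the same amount releasing once the callback and the second approver are in place. The limits and the 0.8 similarity cut-off are placeholders to be set by the paying organization's own policy.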
Resources: white papers and publications
FBI’s Public Service Announcement, August 27, 2015, 1-082715a-PSA and 1-082715b-PSA.
Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/
2013/14 Global Fraud Report. Ernest E.J. Hilbert, Kroll, p. 6, 7, p.39.
“Spotlight On: Malicious Insiders and Organized Crime Activity” by Chris King, Software Engineering Institute, January 2012, p.9.
“How do companies navigate bribery and corruption? 2015 Anti-Bribery and Corruption Benchmarking Report” A collaboration between Kroll and Compliance Week, p.11.
2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p 12.
“US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, PwC July 2015, p.4.
Economic crime is on the rise – but you can fight back. PwC’s 2014 Global Economic Crime Survey Canadian supplement, p.10.
Economic crime: a threat to business processes. PwC’s 2014 Global Economic Crime Survey U.S. Supplement.
“Touring the Deep Web” Adam Rice, in Information Security, February 2014, pp 22-26.
Top Ten Cybersecurity Risks: How Prepared Are You for 2013? James Michael Stewart, Global Knowledge Training LLC, 2013. www.globalknowledge.com.
“Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.
Q&A