Uncovering the Faces of Fraud

Uncovering the Faces of Fraud – Jay McLaughlin, CISSP | GSEC, Senior Vice President, Chief Security Officer

Transcript of Uncovering the Faces of Fraud


Agenda

Understanding the Numbers

Examining How Fraudsters are Attacking Banks & Customers

LIVE DEMO – exploiting computers through website attacks

Preparing and Defending Against these Attacks

The Future State

Q & A

Account Takeover Fraud

Account takeover

Opportunistic & Non-Discriminative

Motivated by financial gain

Check Your Blind Spots

Not you? Then Hu?

By The Numbers

$4.9B reported ATO fraud in 2012

(69% increase)

$585K lost over the next 60 minutes

[Chart: reported ATO fraud by year, 2006–2012; bars in $ billions (left axis, $0–$5) and a second series in percent (right axis, 0%–5%). Values as labelled on the chart:]

Year   Fraud ($B)   Percent
2006   $3.0         0.33%
2007   $3.6         0.43%
2008   $3.9         0.52%
2009   $3.2         0.45%
2010   $3.1         0.41%
2011   $2.9         0.36%
2012   $4.9         0.60%

“2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters.” Javelin Strategy & Research, February 2013.

Attack Scenarios

•  Sophisticated phishing campaigns
•  Watering holes leveraging popularly visited sites
•  Drive-by-downloads via URL redirection
   - malware installed (ZeuS, SpyEye, Blackhole, Citadel)
   - configuration files contain many target banks/providers
   - polymorphic code used in generating variants
•  Compromise OLB account
   - keylogging of credentials
   - stolen persistent HTTP cookies
   - session hijacking – “web injects”

Malicious Apps?

The Actors

•  Suppliers of the malware/Trojan
•  Hosting providers
   - C&C, malicious sites, forums, downloaders
   - e.g. RBN, Real Host Ltd – bulletproof hosting
   - release of the source code/merger changed the model
•  Botnet operators
•  Criminal gangs utilize the malware
   - most often the ones arrested/indicted for ATO fraud
   - Hackers/Harvesters
   - Cashers
   - Mules

DDoS Attacks Hit US Banks: Operation Ababil

Socially & Religiously Motivated Attacks

http://www.youtube.com/watch?v=xYVfBNKbfRQ

Politically Motivated Attacks

Post-Compromise: Techniques Being Used

Trojans & DIY toolkits (e.g. ZeuS, KINS, Citadel, Blackhole)

Watching behavior: spending more time examining account activity

Exploiting compromised targets: tunneling traffic through the victim’s own system, attempting to appear as originating from the victim

Financially Motivated

Attacking the customer

•  Phishing and social engineering attacks continue to rise

•  29% of attacks referenced in the Verizon DBIR were tied to social tactics

•  APWG reported that 720 FIs were “targeted” with phishing in Q1-Q2 2013

Abusing the Mules

Please log in to the Internal Management system every morning at 9.00a.m. Monday through Friday to check incoming messages and possible updates in the Document folder.

I have Dr appointment Friday morning at 7:45 am, but I will have my cell phone with me to check the dashboard frequently.

Thank you updates. Please pay extra attention to account number and routing numbers. Call your bank if you are not sure the routing numbers are correct! REMEMBER if this information is incorrect, you won't be able to perform your duties efficiently and we won't be able to pay you your salary on time!

I will withdraw as soon as possible. This job is much more important than my other one.

Ill very quitting this retail job as soon as the holidays are over.

Abusing the Mules

Please complete the assignment today asap.

Walmart rejected my transfer based on her own suspicions. It was ridiculous. She just refused me service. What should I do? Should I western union it instead?

Dear Mary, I'll setup new assignment.

Its.complete via moneygram. I just went to a different walmart. I just sent you all the details.

Bouncing Transactions

Funds quickly “bounced” thru several FIs and ultimately out of the country

Open new accounts
•  Auto enrollment

Link to compromised accounts
•  Micro-deposit verification

Transfer funds
•  ACH-debit the account

Combatting Fraud Attacks

Building a Layered Security Model

Defense-in-depth (“deep” or “elastic”)

Derived from traditional military strategy: requires that a defender deploy resources at and well behind the front line

Reliance on any single control or mitigating factor is not sufficient

Prevents shortfalls in any single defense control

Authentication Controls

Transaction-based Controls

Behavioral-based Controls

Endpoint-centric Controls

Account Activity Controls

Fighting Account Takeover Fraud

Consumer Focus Group: Computer Security

Authentication

Traditional MFA solutions are no longer sufficient

Strong multi-factor authentication

Biometrics Solve 2F Challenges?

“Something You Are” – leverage customer behaviors & attributes
•  Voice printing, gesture recognition, human kinetics, heart beat sensors
•  Cadence of gesture, pattern identification, pressure, etc.

Transactional-based Controls

Tracking Attempted Fraud in 2013

High risk transactions should require elevated security

Out-of-Band Transaction Authorization

Out-of-band authentication means that a transaction initiated via one delivery channel (e.g. online) must be re-authenticated or verified via an independent delivery channel (e.g. telephone) before the transaction can be completed.

Out-of-band authorization can be extremely effective in protecting customers against financial malware attacks and Trojans.
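The flow described above, as an added example (not code from the presentation): the online channel only creates a pending transfer; a one-time code goes out on an independent channel together with the amount and recipient exactly as the bank received them, so a web inject that rewrote the request in the browser becomes visible to the customer on the phone. The phone number, the five-minute expiry, the three-attempt lockout, the `CapturingChannel` stand-in for SMS/voice and the sample transfers are all assumptions made for the example.

```python
import re
import secrets
import hmac
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # assumed: a pending authorization expires after 5 minutes
MAX_ATTEMPTS = 3            # assumed: three wrong codes lock the transaction for review


@dataclass
class PendingTransfer:
    amount: float
    recipient: str
    code: str               # one-time code sent over the independent channel
    created_at: float
    attempts: int = 0
    state: str = "pending"  # pending | approved | rejected | expired | locked


class CapturingChannel:
    """Constructed stand-in for the independent channel (SMS/voice); records each message."""
    def __init__(self):
        self.messages = []

    def send(self, phone, text):
        self.messages.append((phone, text))

    def last_code(self):
        # the customer reads the code off the message; callers do the same here
        return re.search(r"Code: (\d{6})", self.messages[-1][1]).group(1)


class OutOfBandAuthorizer:
    def __init__(self, channel):
        self.channel = channel
        self.pending = {}

    def initiate(self, phone, amount, recipient, now=None):
        """Called when a transfer arrives from the online channel. No funds move yet."""
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[txn_id] = PendingTransfer(amount, recipient, code, now or time.time())
        # The message echoes the amount and recipient the BANK received. If malware
        # altered either one in the browser, the customer sees the tampered values here.
        self.channel.send(phone,
            f"Confirm transfer of ${amount:,.2f} to {recipient}? Code: {code}. "
            f"If you did not request this, reply STOP.")
        return txn_id

    def confirm(self, txn_id, submitted_code, now=None):
        """Second-channel verification. True only when the transfer is approved."""
        txn = self.pending.get(txn_id)
        if txn is None or txn.state != "pending":
            return False                      # unknown, replayed or already decided
        if (now or time.time()) - txn.created_at > CODE_TTL_SECONDS:
            txn.state = "expired"
            return False
        txn.attempts += 1
        if hmac.compare_digest(submitted_code, txn.code):   # constant-time compare
            txn.state = "approved"
            return True
        if txn.attempts >= MAX_ATTEMPTS:
            txn.state = "locked"
        return False

    def reject(self, txn_id):
        """Customer replied STOP on the independent channel."""
        txn = self.pending.get(txn_id)
        if txn and txn.state == "pending":
            txn.state = "rejected"
            return True
        return False

    def state(self, txn_id):
        return self.pending[txn_id].state


def web_inject_scenario():
    """Constructed scenario: the customer typed 'Landlord LLC / $1,450', but a Trojan
    rewrote the request in the browser before it reached the bank."""
    channel = CapturingChannel()
    auth = OutOfBandAuthorizer(channel)
    txn_id = auth.initiate("+1-555-0100", 9_850.00, "Mule Account 77")  # what the bank received
    message = channel.messages[-1][1]
    auth.reject(txn_id)   # the customer sees a recipient they never entered and declines
    return message, auth.state(txn_id)
```

The check that matters is in `initiate`: the confirmation text is built from the server-side copy of the transaction, never from anything the browser sends back, which is what makes the second channel independent of the compromised endpoint.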

Points of Interest - 2013

22.1 M – Fraudulent transactions reported in 2013

93% – Percentage of fraud prevented by controls

0 – Sum of account takeover fraud where out-of-band controls were defeated

129 – Reported fraud cases in 2013 involving high-risk transactions (314 total)

12:00 (Noon) – Period of the day when fraudulent activity was most often attempted

52% – Percentage of cases where account takeover attacks utilized stolen browser cookies

Behavioral Modeling Machine Learning

30% of revenue is attributed to recommendations

60% of its members viewed recommendations presented to them.

Why not financial institutions?

Detection ≠ Prevention

Detecting fraudulent transactions after the fact is a reactive approach and is simply ineffective.

Real-time detection enables institutions to have the ability to PREVENT the loss of funds.

Dynamic models can evolve with each user’s behavior and are effective in identifying anomalies.

Login Behavior

Attributes of Login

Geo-location

Source Address

Transaction Behavior

Transaction Behavioral Models

Dom/Intl Wire, ACH, Payroll, Ext Transfer

Transaction Policies

Recipient Monitoring

Modifications to templates

Endpoint Interrogation

User Agent strings, HTTP headers, Device ID

Reputation Analysis, Malware Detection

Risk & Fraud Analytics

Behavioral Scoring = Login Behavior + Transaction Behavior + Endpoint Interrogation
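An added example (not the presenter's code or any vendor's product) of the layered model the last few slides describe: a per-account baseline that evolves with each verified transaction, separate login, endpoint and transaction scores that add up to one behavioral score, and a policy that allows, steps up to out-of-band authorization, or blocks in real time. The endpoint score also covers the "stolen persistent HTTP cookies" scenario from the attack-scenarios slide: a valid session cookie presented from a different device fingerprint than the one recorded at login is treated as the signature of cookie theft. The weights, thresholds, device identifiers and the sample customer are all assumptions made for the example.

```python
import statistics
from dataclasses import dataclass

HIGH_RISK_KINDS = {"dom_wire", "intl_wire", "ach_debit", "payroll"}   # assumed classification


@dataclass
class Profile:
    """Per-account baseline. Updated after every verified transaction, so the
    model evolves with the customer instead of relying on static rules."""
    usual_countries: set
    known_devices: set
    known_recipients: set
    approved_amounts: list


@dataclass
class Session:
    """Endpoint fingerprint recorded when the session cookie was issued at login."""
    device_id: str
    user_agent: str


def login_score(profile, country, device_id, off_hours):
    score = 0
    if country not in profile.usual_countries:
        score += 25          # geo-location outside the customer's norm
    if device_id not in profile.known_devices:
        score += 15          # never-seen device
    if off_hours:
        score += 5
    return score


def endpoint_score(session, device_id, user_agent):
    """Endpoint interrogation: the cookie is valid, but is it on the same device?"""
    score = 0
    if device_id != session.device_id:
        score += 40          # cookie replayed from another machine
    if user_agent != session.user_agent:
        score += 10
    return score


def transaction_score(profile, kind, amount, recipient):
    score = 0
    if kind in HIGH_RISK_KINDS:
        score += 15
    if recipient not in profile.known_recipients:
        score += 20          # new payee / modified template
    history = profile.approved_amounts
    if len(history) >= 3:    # dynamic baseline: compare against this customer's own history
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0
        z = (amount - mean) / sd
        if z > 3:
            score += 30
        elif z > 2:
            score += 15
    elif amount > 5000:      # too little history: fall back to a flat threshold
        score += 15
    return score


def decide(total):
    if total >= 60:
        return "block"       # hold the transaction and alert the account holder
    if total >= 30:
        return "step_up"     # require out-of-band authorization before it executes
    return "allow"


def evaluate(profile, session, *, country, device_id, user_agent, off_hours,
             kind, amount, recipient):
    """Behavioral scoring = login + endpoint + transaction, decided before funds move."""
    parts = {
        "login": login_score(profile, country, device_id, off_hours),
        "endpoint": endpoint_score(session, device_id, user_agent),
        "transaction": transaction_score(profile, kind, amount, recipient),
    }
    total = sum(parts.values())
    return decide(total), total, parts


def learn(profile, device_id, recipient, amount):
    """Feed a verified transaction back into the baseline so the model adapts."""
    profile.known_devices.add(device_id)
    profile.known_recipients.add(recipient)
    profile.approved_amounts.append(amount)


def sample_profile():
    # Constructed sample account: a US customer who pays rent from one laptop.
    return Profile({"US"}, {"dev-A"}, {"Landlord LLC"},
                   [120.0, 1450.0, 95.0, 1450.0, 60.0])


def sample_session():
    return Session("dev-A", "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0")
```

With the sample profile, the usual rent payment scores 0 and is allowed; a $2,500 domestic wire to a new payee from the customer's own laptop scores 50 and is stepped up to out-of-band authorization; the same session cookie replayed from an unknown device in another country for a $9,800 international wire to an unknown recipient scores 160 and is blocked. After the new payee is verified once and fed back with `learn`, the repeat wire to that payee drops to 15 and passes, which is the "dynamic model" point from the slide.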

Customer-engagement

Account holders must play a part and participate in fighting fraud

Real-time fraud alerts provide the opportunity for financial institutions and account holders to stand ready

Engaging the Customer

•  Users must play a part and participate in fighting fraud

•  Real-time alerts delivered to a victim are timely and provide the opportunity to alert the financial institution of activity

•  Transactional Alerting
   - Ex: creation, authorization

•  Changes to profile settings

•  Security Event Alerts
   - Ex: pwd changes, failed logon attempts

The Future: Frictionless Security

Need transparent and frictionless security models
•  Best security features are ones the end user doesn’t see or experience
•  Continue to build on behavioral analytics

Must begin to take decision making related to security out of the hands of the end user

Closing Thoughts

Attackers will always modify their approach to maneuver around the control measures put into place

Establish an effective strategy that employs multiple layers of protection

Threat landscape is continuing to evolve

Security is NOT perfect – it requires accountability

Proper assessment of risk is critical!

Risks can NEVER be eliminated…but they CAN be mitigated

Questions

Declare var $question;
Declare var $response;
if $question >= ‘1’ then
    $response = ‘answer’
else
    $response = ‘thankyou’
end if;

Jay McLaughlin, Chief Security Officer – @jaymclaughlin

[email protected]