www.trmg.org
European Commission, Directorate-General Enlargement
JHA 24111
Communications & Virtual Commerce Risks
Agenda
• Part 1: The evolution of communications fraud
• Part 2: Online threats and 3G convergence
• Part 3: Current commercial and security risks in virtual online communities
• Part 4: From Cybercrime to Cyber-terrorism
Fraud Defined
• Theft through deception
• Financial incentive
• Not ‘Security’
• Not ‘Credit Control’
• Not ‘Revenue Assurance’
• A criminal act…
The Original Business Case
• 10 active lines (no intention to pay)
• 24 hours traffic per line, per day
• 10p per minute to expensive IDD
• Revenue:
  – 10 × 24 × 60 × £0.10 = £1,440 per day
  – or £43,200 per month
  – or £518,400 per year
  – in cash, tax free
The estimated cost
• Up to 5% of revenue
• Typically 30% of bad debt
• Does not include:
  – Out-payment costs
  – Opportunity costs
  – Infrastructure costs
  – Image and PR
  – Cost of investigations and security
Key root causes of fraud
1. Migration & demographics
2. Penetration of new technology
3. Staff dissatisfaction
4. The ‘challenge factor’
5. Operational weaknesses
6. Poor business models
7. Criminal greed
8. Money laundering
9. Political & ideological factors
Fraud Evolution
Timeline from 1900 to 2004 (marks at 1950, 1970, 1980 and 1990), earliest to latest:
• Operator services
• Teeing in
• Payphone ‘tapping’
• Meter tampering
• Black box, red box
• 3rd party billing, calling card, tumbling ESN, cloning, ghosting, PBX DISA
• Subscription, roaming, IMEI cloning, free phone, call forward, pre-paid, PRS, CDR suppression, magic phones, social engineering, voicemail hacking
PRS Fraud
Diagram: operator and premium-rate service provider (PRS SP).
1. PRS service provider takes out fraudulent subscriptions
2. Fraudulent traffic – no revenue
3. Out payment to the PRS SP
IDD Call Selling
Diagram: operator and call-selling ‘shop’.
1. Fraudulent subscriptions based in a call selling ‘shop’
2. Fraudulent traffic – no revenue for the operator
3. International traffic triggers a settlement out payment to the carrier
PABX DISA Fraud
Diagram: hacker, DISA port, PABX.
1. Hacker cracks the DISA code
2. Multiple high value outbound calls from the PABX
3. The bill goes to the PABX owner
VoIP Bypass via SIM Gateway
Facilitates VoIP bypass fraud – a ‘wholesale’ category of fraud.
Diagram: traffic between Country A and Country B passes through a VoIP gateway at each end and a GSM gateway loaded with multiple SIMs (presenting a single IMEI), avoiding the $ settlements between carriers.
The cost of fraud
Chart: breakdown of the cost of fraud into bill write-offs, out-payments, infrastructure, congestion, litigation, and image & PR (values shown: 30%, 30%, 10%, 5%, 5%, 20%).
Fraud Countermeasures
• Call data analysis
• Customer vetting
• Credit control
• Information pooling
• Secure services
• Secure technology
• Awareness
Call Data Tracking
Mobile device: handset (IMEI) and SIM (IMSI, MSISDN).
Call record: calling MSISDN; IMSI; IMEI; called number; cell site; duration; cost.
Cross-border Issues
Transportable anywhere: handset and SIM.
Pre-paid balance / post-paid bill payments.
Subscriber data ‘fingerprinting’: large top-ups, high spend, heavy VAS usage, roaming patterns.
SIM as a credit card.
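An added example (not part of the presentation) showing how the call-record fields above feed the call data analysis countermeasure: three rules run over constructed CDRs that flag the IDD call-selling pattern, the out-payment exposure of PRS traffic from unvetted subscriptions, and a SIM gateway presenting one IMEI with many IMSIs. The field order, the ‘;’ separator and the dialling prefixes (“00” international, “09” premium rate) are assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed sample CDRs in the slide's field order (';'-separated, assumed):
# calling MSISDN; IMSI; IMEI; called number; cell site; duration (s); cost.
# Prefix conventions are assumptions: "00" = international, "09" = premium rate.
SAMPLE = """\
447700900001;234150000000001;350000000000001;00442070000000;C1;120;0.20
447700900002;234150000000002;350000000000002;00800123456789;C2;25000;2500.00
447700900002;234150000000002;350000000000002;00800123456789;C2;25000;2500.00
447700900003;234150000000003;350000000000003;0909900000001;C3;600;60.00
447700900004;234150000000004;350000000000009;02070000001;C4;60;0.10
447700900005;234150000000005;350000000000009;02070000002;C4;60;0.10
447700900006;234150000000006;350000000000009;02070000003;C4;60;0.10
"""

CDR = namedtuple("CDR", "msisdn imsi imei called cell secs cost")

def parse_cdrs(text):
    rows = []
    for line in text.strip().splitlines():
        m, i, e, called, cell, secs, cost = line.split(";")
        rows.append(CDR(m, i, e, called, cell, int(secs), float(cost)))
    return rows

def heavy_idd_users(cdrs, max_secs=12 * 3600):
    """IMSIs whose international talk time in the window exceeds max_secs:
    the call-selling 'shop' pattern of near-continuous IDD traffic."""
    total = defaultdict(int)
    for c in cdrs:
        if c.called.startswith("00"):
            total[c.imsi] += c.secs
    return {imsi: s for imsi, s in total.items() if s > max_secs}

def prs_exposure(cdrs, unvetted_imsis):
    """Out-payment exposure per premium-rate number, counting only traffic from
    subscriptions with no payment history: revenue the operator will never
    collect but must still pay out to the PRS service provider."""
    exposure = defaultdict(float)
    for c in cdrs:
        if c.called.startswith("09") and c.imsi in unvetted_imsis:
            exposure[c.called] += c.cost
    return dict(exposure)

def gateway_imeis(cdrs, min_imsis=3):
    """IMEIs seen with many distinct IMSIs: one GSM gateway box rotating SIMs."""
    sims = defaultdict(set)
    for c in cdrs:
        sims[c.imei].add(c.imsi)
    return {imei: len(s) for imei, s in sims.items() if len(s) >= min_imsis}
```

The thresholds are illustrative; in practice they are tuned per tariff and per customer segment against the subscriber fingerprint described above.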
Part 2: Online Threats & 3G Convergence
Service Convergence
Diagram: voice & data, info-tainment and banking converge into one account (e.g. A1 Bank in Austria).
The Evolutionary Threat Model
Diagram: new technology → service offerings → business models → threats.
From traditional voice telephony to convergent online communications & info-tainment.
Typical Online Issues
• Identity theft
  – True name takeover
  – Account takeover
• Hacking & Database Theft
• Phishing, pharming & social engineering
• Fake websites
• Key loggers & password stealers
Typical Online Issues
• Virus attacks
• Trojans
• System reconfiguration attacks
• Session hijacking
• Man-in-the-middle attacks
• Blackmail
NGN Maturity
Chart: NGN service complexity plotted against NGN network maturity, with a marker for today.
Comment:
There is a direct correlation between service complexity and the number of fraud opportunities.
More complex services also imply more complex detection and investigation techniques.
A simple example
• An SMS is sent to a vending machine.
• The machine dispenses a can.
• Cost of the drink is charged to caller’s account.
• If no payment is made, the main loss is the value of the drink, not the value of the SMS message.
The growing value of content
Chart: value ($) over time; the value of the content transaction grows while the cost of the connection stays flat.
NGN Services
• Communication: SMS, e-mail, fax
• Productivity: agenda, address, album
• Entertainment: music, video, games
• Information: news, location, events
• Also: chat, other tools, dating, buy & sell
The SIM Card as a Credit Card. The Operator as a Bank
Framework 2006 to 2010…
Diagram: the service provider sits between subscribers and a network of artists (DRM, royalties), content providers, a content aggregator, VAS providers and a gaming SP (prize money); fees, delivery and net revenue flow between them over the network.
Focus 2006 to 2010… (subscribers, on the framework diagram)
• Smarter handsets
• Internet access device:
  – Viruses
  – Trojans
  – PIN & CC# capture
• More handset theft
Focus 2006 to 2010… (artists and DRM, on the framework diagram)
• Redistribution
• Copyright
Focus 2006 to 2010… (content providers and aggregator, on the framework diagram)
• PRS-type frauds
• Unlawful content
• QoS exploits
Focus 2006 to 2010… (gaming ASP, on the framework diagram)
• SP manipulation of results
• Player fraud
• Staff/developer fraud
• PRS-type fraud
• Payment fraud
Focus 2006 to 2010… (VAS providers, on the framework diagram)
• LBS abuse
• Premium MMS
• Denial of service
Focus 2006 to 2010… (on the framework diagram)
• More identity theft
  – Real identity
  – Synthetic identity
• Organised crime
• Terrorism
Related Issues 2010 (on the framework diagram)
• Social engineering
• Hacking
• Malware
• Identity & payment
• Lawful intercept
• Virtual communities
• Unlawful content
• Money laundering
• DoS: ‘state’ sponsored
• Voting fraud
Summary of NGN Risks
• Attacks on the ‘electronic wallet’
• Frauds by subscribers
- On operators
- On third party service providers
• Staff frauds
• Third party SP frauds
• Denial of service type attacks
Impact on Operators
• Increasingly complex FM roles
• Digital rights management issues
• Banking compliance & regulation
• Handset-based anti-virus provision
• Implications for pre-paid customer vetting
Key Online Countermeasures
• Awareness - paramount
• Firewalls and other security software
• Virus detection
• Secure website development
• IP Penetration Testing
• IPDR tracking
• URL Fingerprinting
Part 3: Risks in Virtual Online Communities
What is a Digital Virtual Community?
• A chat room
• A meeting place
• An online game
• A marketplace
• A lecture room
• A training centre
• An art form
• A parallel universe
(From www.secondlife.com)
A Virtual Seminar in progress
The Second Life example
• 3,700,000+ members
• Evolved from online fantasy games
• Contains its own commercial model
• Operates its own currency (Linden$)
• Ability to buy & develop real estate
• Ability to sell ‘land’, goods & services
• USD 450,000 in trades per day
• Just the first of many…
Users can be who they want to be…
Is he a ‘he’? Is she really a ‘she’?
It’s not for everyone, but don’t be fooled:
Big Business is taking this seriously.
More virtual players…
• Adidas Reebok
• 20th Century Fox
• BBC Radio
• Disney
• IBM
• Intel
• Starwood Hotels
• Dept of Homeland Security
Recent New Sites
• Entropia: 500,000 users
• There.com
• Active Worlds
• Gaia Online
• Kaneva (beta testing)
Commerce in ‘Second Life’
• Currency exchange:
  – Buy ‘Linden$’ with your credit card (e-money)
  – Buy and sell land, goods and services
• Transfer profits back out to the real world:
  – By PayPal
  – By check
Profit is a primary difference
• In the E-money model, money transfers are the sole motive.
• In the virtual money model, both movement and trade for profit are primary motives.
Examples of 2nd Life trades
• Digital clothing
• Gambling
• Escort services
• Virtual land
• Property development
• Artistic projects
• Architectural services
• And more…
Statement
“This has the look of a killer application that is being replicated, with adaptations, many times over”.
Real Life → 2nd Life → 3rd Life → 4th Life
General Issues
• Virtual economic trends already seen:
  – Inflation
  – Property market downturns
  – Exchange rate fluctuations
• Virtual stocks and shares?
• Insider trading?
  – By staff of the host
  – By the virtual ‘elite’
• Who protects the consumer?
Due Diligence Issues
• Regulation
  – Is a virtual currency a real currency?
  – Isn’t a virtual life account really a ‘bank account’?
• Taxation
  – Income tax
  – Sales tax
• Book-keeping and audits
  – Are virtual holdings ‘assets’?
  – Are virtual debts ‘liabilities’?
More Issues…
• Fraud
  – Social engineering
  – Harassment, coercion, solicitation & begging
  – Hacking, database exposure & identity theft
  – Plain old credit card fraud
  – Copyright theft & resale of content
• Illegal content
• Unlawful sale of content to minors
Even More Issues…
• Avoidance of surveillance
  – Fictional identities
  – Virtual phone traffic
  – Dedicated instant messaging
  – Closed user groups (‘www.the_jihadist_site.org’?)
  – Lawful intercept
  – Jurisdiction
Issues, Issues, Issues…
• Online gambling:
  – Virtual money is not real money?
  – Gambling wins & losses occur within the virtual economy
  – Wins transferred out to real world accounts may not be identified as gambling-related
• Money laundering
  – Credit card payment in from one identity
  – PayPal payment out to another identity
Far out issues
• ‘Grey Goo’ attacks
• Virtual Gang raids
In Korea in 2004, Police reported that over 50% of alleged Cyber Crime occurred on virtual world gaming and commerce sites. Theft of digital designs was a leading problem.
Possible Triggers for Growth
• Corporate interest/investment
  – Brand awareness
  – Product placement
  – Click-through
• Political interest
• Economic recession leading to cost cutting
• Increasing international tensions leading to business travel restrictions
How might this evolve?
• New economic models will emerge
• Corporates will start marketing to the virtual community:
  – Digital product offerings
  – Click-through to real websites
  – Product placement
  – Advertising
• Telecom operators are already getting on board
Evolution 2
• M-Life as a feature of WIMAX
• Apple’s iPhone = convergence of voice, data, multi-media and M-Life
• The Nintendo Wii
• Put them all together…
Part 4: From Cyber crime to Cyber terrorism
Future Threats
• VOCs could rapidly become both a tool and a target for terrorist organisations
• There is a low technical barrier to entry for existing terrorist organisations and affiliates
• There is a low ‘ethical’ barrier to entry for individuals who have previously never committed a criminal act
Terrorist Profile: The Loner
• Educated, middle class
• Technically skilled
• Economically unsuccessful
• Targets: corporate brands and business operations online, other users, government sites and news agency sites for PR purposes
• Objective: ideological/personal gain
Terrorist Profile: The Group
• Probably trans-national
• Already known, so fears surveillance
• Technically proficient
• Targets: primarily corporate/governmental
• Main objectives:
  – Avoidance of surveillance
  – Virtual planning & recon (e.g. virtual congress)
  – Virtual training/practice sessions
  – Money laundering
Specific Techniques
• Mutation of existing techniques
  – Viruses & virtual Trojans
  – Other virtual malware
  – Password hacking
  – Virtual identity theft and account takeover
• Emergence of new techniques
  – Virtual grey goo attacks
  – Virtual ‘nuclear’ attacks
The Impact of Virtual Terrorism
• Financial gain for terrorist cells
• Public relations:
  – Victimless
  – Focused on brands and governments
• Lawful intercept issues
• Political concerns
  – Expression of unlawful views
  – Hijacking of virtual institutions
Virtual Terror Countermeasures
• Education & awareness:
  – Policy makers
  – Law enforcement
  – Virtual site hosts
• Virtual currency regulation & compliance
• Cooperation with hosts for Intercept
• Conventional virtual intelligence collection
• Tracking & surveillance of behaviour
Conclusions
• This is an ultra-modern technology which:
  – Combined with new forms of commerce;
  – With questionable oversight & regulation;
  – And no clear audit or policing mechanisms;
• Constitutes a risk management issue that:
  – May expose consumers;
  – May also expose investors, and;
  – Could potentially create many new opportunities for criminals of all descriptions
How to respond?
The Key first steps
• An international effort at governmental level
• Classify ‘virtual’ currencies as real currency
• Classify virtual accounts as bank accounts
• Enforce banking standards for reporting and customer identification
• Employ tax assessments as a primary mechanism for collections
• Make virtual hosts legally liable for all activity on their sites
Questions and comments