					Authentication: The Weak Link
in the Battle Against Online Fraud

           April 2010
                     Cyber criminals are waging war against your institutions and your customers. And they
                     are winning. They are directing a highly successful assault on multi-factor authentication,
                     the primary method most institutions have in place to protect their retail and business
                     customers from fraud.

                     The result? Criminals have been able to successfully compromise online accounts and
                     walk away with millions, hundreds of millions, by committing wire, ACH, bill pay and other
                     fraud. The FDIC, in a security conference keynote presentation in March 2010,
                     announced that online banking fraud attacks totaled $120M in just the third quarter of

                     Experts predict it will only get worse and are encouraging financial institutions (FIs) to
                     assume the end user has been compromised. Additionally, they are urging FIs to add a new
                     layer of security that uses behavioral analytics to identify fraudulent account access and
                     stop fraudsters in their tracks before money leaves the institution.

                          "Fraudsters have been raiding user bank accounts that seemingly were protected by
                          strong two-factor authentication…"
                                                                           Avivah Litan, Gartner

                     Understanding the style and nature of todayʼs on-going and insidious fraud attacks will
                     make it clear why current techniques are unable to stop them and why continuing to
                     fine-tune these current techniques is only a short-term tactical "fix-it" for a bigger, more
                     costly problem.

                     This paper will explain the methods criminals are using to compromise accounts, what
                     they do when they get into accounts, and how they get the money out. It will also explain
                     a new style of fraud prevention technology – Dynamic Account Modeling™ – and how
                     focusing on the behavior of your real users using predictive analytics can help you more
                     proactively find the fraudulent ones, before it is too late.

                     The End Point is Compromised. And It’s Not Your Customers’ Fault.
                     There is a debate raging in the industry right now over "reasonable security" and who is
                     truly responsible for protecting online banking accounts. One thing is certain: cyber
                     criminals are ruthlessly targeting your end users, using clever approaches to get the
                     latest banking trojans on their machines. It is unreasonable to solely blame end users for
                     getting infected considering the methods fraudsters are using. Even with the latest anti-
                     virus anti-malware software, end users are still vulnerable. By the time consumers and
                     businesses install the latest, criminals have already released new strains. End point
                     security is an exercise of building higher walls, while criminals build higher ladders and
                     find weaknesses in the wall.

                     Fraudsters use a variety of methods to infect machines in order to ultimately gain access
                     to online banking accounts undetected. Gone are the days of simplistic, easily
                     identifiable spam emails to Yahoo! and Gmail accounts. Fraudsters today are using
                     sophisticated techniques and leveraging the web to its fullest. And according to a recent
                     Websense study, they are experiencing quite a bit of success.

                         • Email phishing – This classic form of trickery is
                          alive and well, but is now much more
                          sophisticated using highly designed messages
                          luring victims to very authentic-looking websites
                          laden with malicious code.

                          In business banking, fraudsters use spear-
                          phishing attacks – targeted emails sent to
                          specific executives appearing to be from the
                          IRS, FDIC, NACHA, ABA or the FBI.

                         • SEO Poisoning - Fraudsters are taking
                           advantage of search engines' popularity and use
                          top search terms as a vehicle to drive
                          consumers to malicious fake websites. They
                          prey on search terms that are timely – like The
                          Winter Olympics, Haiti Relief, or never ending
                          celebrity drama. As soon as a malicious
                          campaign is recognized and removed from
                          search results, the attackers automatically
                          redirect their botnets to another new timely,

                         • Trusted sites - Fraudsters are not only building
                          fake websites, they are also using real websites
                          to their advantage, too. In fact, the majority of
                          websites with malicious code are trusted,
                          legitimate sites. The most famous example in
                          2009 was the Paul McCartney site that infected
                          visitors worldwide.

                         • Twishing - Fraudsters like to get maximum
                          impact for minimum effort and they are hitting the
                          jackpot with social networking sites. The
                          explosive growth of traffic on sites such as
                          Facebook, Twitter and LinkedIn and the nature of
                          interactions on social sites lend themselves to
                          infecting more people in a single stroke. The
                          goal of the fraudsters is to trick the recipient into
                          thinking they are getting something trusted from a

                     Behind the scenes of these clever infection points are sophisticated, well funded
                     criminals that are part of international cyber gangs, buying and selling the credentials
                     theyʼve stolen on the black market. Their efforts have paid off in growing numbers of
                     infected end user machines:

                               o     APWG noted in their 1H 2009 Phishing Report that Banking
                                     Trojan/password-stealing crimeware infections detected have nearly
                                     tripled, increasing 186%.

                               o     According to the Cisco 2009 Annual Security Report, over 3.4 million
                                     computers were infected with Zeus, the most popular banking trojan.

                     These infections are leading to a growing number of compromised accounts and
                     subsequent fraud losses. In the 2010 Business Banking Trust Study conducted by the
                     Ponemon Institute, 55% of respondents reported experiencing a fraud attack. In
                     80% of those attacks, money left the bank before anyone noticed. Why? The
                     malware downloaded through these infection points is designed to allow fraudsters to
                     get into accounts undetected, successfully bypassing multi-factor authentication, even
                     one-time passwords.

                     Retail Banking: Getting Past Challenge Questions
                     This is a classic (and real-world) example of criminals stealing username and password
                     credentials and gaining access to the answers to a userʼs challenge questions.

                     1. Through one of the means discussed above, a userʼs machine is infected.

                     2. The software that infected the machine deletes the userʼs cookie to force the
                        authentication system to ask the challenge questions. When the user logs into online
                        banking, the malicious software copies not only the username/password, but also the
                        answers to the challenge questions.

                     3. The fraudster uses the
                        credentials to access the
                        account. Although they donʼt
                        have a cookie on their
                        computer, because they
                        have the answer to the
                        challenge questions, they
                        can still successfully access
                        the account.

                     4. Fraudsters often take the
                        time to do some account
                        reconnaissance to ensure
                        they move money at the
                        most lucrative time, based on
                        when account balances are
                        at their peak.

                     5. This also offers the opportunity to steal personal information and to change
                        information such as passwords and contact information. This aids in moving money
                        without the user or the bank detecting any fraudulent activity, even with a verification
                        phone call.

                     6. In this example, the criminal viewed checks, and stole the victimʼs signature. Using
                        the signature and other personal information obtained, the criminal was able to open
                        another account at a different institution in the victimʼs name.

                     7. The criminal then initiated a wire transfer from the originally compromised account to
                        the new account. When the bank checked the signature on the wire transfer, it
                        matched what they had on file, and the wire went through. The funds were then
                        immediately transferred out of the second bank to a bank overseas.

                     Business Banking: Man-In-The-Browser Defeats One-Time Passwords
                     At the beginning of 2009, check fraud was the top of mind fraud issue for most
                     businesses. By the end of 2009, the situation was entirely different, with phrases such as
                     money mules, Man-in-the-Browser, and spear-phishing everyday vocabulary for small to
                     medium businesses (SMBs) and the banks that serve them. The FBI was tracking $100M
                     in fraud attacks in the first half of 2009 and announced at the beginning of 2010 that fraud
                     had reached over $120M in just Q3 alone.

                     Because of the big payoff, fraudsters have put the full force of their efforts into
                     defeating strong authentication, even tokens, and dual controls. The latest attacks,
                     dubbed Man-in-the-Browser attacks, use malware that provide criminals varying levels of
                     access to and control over the browserʼs connection to the online banking system. While
                     the largest horror stories are of automated “once and done” session hi-jacking scenarios,
                     most man in the browser attacks are executed by a human over short periods of time.

                     Here is how these attacks work:

                     1. Following a targeted spear-phishing attack, an executive at an SMB is infected with

                     2. When that user next logs into online banking, the malware wakes up, copies the
                        userʼs credentials as the user types them in – including the one time password – and
                        instantly IMs the credentials to the criminal.
                     3. The malware blocks the transmission of the login request and the credentials so that
                        the one time password is never registered and sends a page back to the user listing
                        the service as currently unavailable.
                     4. The fraudster logs in right away using the stolen credentials, and does so quickly
                        enough to ensure the one-time password has not expired. Making matters worse,
                        they are often able to spoof elements of the real userʼs device and location data,
                        rendering them almost identical to a real user to authentication, device id, and rules
                        based fraud detection systems.
                     5. Funds are transferred out, through wire, ACH, bill pay or other means. Often,
                        fraudsters change contact information, circumventing out of band authentication as
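                     To make the timing in steps 2 through 4 concrete, here is an added simulation of a
                     time-based one-time-password login with single-use enforcement. It is example code
                     written for this page, not Guardian Analytics software or any bank's authentication
                     system; the token seed, the user "acme-cfo", the host names and the fixed timestamp
                     T0 are all constructed. Running simulate(True) replays the attack as described; running
                     simulate(False) shows what happens if the malware had let the real login through. The
                     server's "already used" check only protects the user in the second case, which is why
                     the malware drops the genuine request and shows a "service unavailable" page instead.

```python
import hashlib
import hmac
import struct

# Constructed for this example: a token seed, a user and a fixed clock (March 2010) so the
# run is reproducible. None of these come from the paper or from any real bank.
TOKEN_SECRET = b"example-token-seed-not-real"
TOTP_STEP = 30      # seconds per code window, typical for time-based tokens
TOTP_DIGITS = 6
T0 = 1_270_000_000  # 2010-03-31 UTC, the instant the victim types the code


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 style code: HMAC-SHA1 over the time counter, dynamic truncation, N digits."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BankLogin:
    """Toy login endpoint: password plus OTP, the OTP accepted within one step of clock
    skew, and every accepted (user, code) pair remembered so it cannot be replayed."""

    def __init__(self, username: str, password: str, secret: bytes):
        self._users = {username: (password, secret)}
        self._used = set()

    def login(self, username, password, otp, now, source):
        stored = self._users.get(username)
        if stored is None or stored[0] != password:
            return ("denied", "bad credentials")
        valid = {totp(stored[1], now + d * TOTP_STEP) for d in (-1, 0, 1)}
        if otp not in valid:
            return ("denied", "otp wrong or expired")
        if (username, otp) in self._used:
            return ("denied", "otp already used")
        self._used.add((username, otp))
        return ("ok", f"session for {username} from {source}")


def simulate(malware_blocks_login: bool, t0: int = T0):
    """Replay steps 2 to 4 of the attack. Returns the server verdict for each attempt so the
    variant where the malware drops the real login can be compared with the one where it
    does not."""
    bank = BankLogin("acme-cfo", "correct horse", TOKEN_SECRET)
    otp = totp(TOKEN_SECRET, t0)                   # what the victim's token displays at t0
    captured = ("acme-cfo", "correct horse", otp)  # step 2: keylogged and relayed by IM
    events = []
    if malware_blocks_login:                       # step 3: real request never leaves the PC
        events.append(("victim", ("blocked", "malware shows 'service unavailable' page")))
    else:
        events.append(("victim", bank.login(*captured, now=t0, source="victim-pc")))
    # Step 4: attacker logs in 12 s later, well inside the 30 s window, from their own host.
    events.append(("attacker", bank.login(*captured, now=t0 + 12, source="attacker-host")))
    # The victim retries with the code still showing on the token display.
    events.append(("victim-retry", bank.login(*captured, now=t0 + 20, source="victim-pc")))
    return events


if __name__ == "__main__":
    for blocked in (True, False):
        print(f"\nmalware blocks the real login: {blocked}")
        for who, verdict in simulate(blocked):
            print(f"  {who:13s} -> {verdict}")
```

                     Two things are worth noticing in the output. With the real login blocked, the attacker's
                     session is accepted and it is the victim's retry that is rejected as "otp already used",
                     so the only visible symptom on the victim's side is an outage page followed by a failed
                     login. Without the block, the victim's request consumes the code first and the relayed
                     copy is refused; single-use enforcement is necessary, but it does nothing against a
                     Man-in-the-Browser that controls whether the genuine request is ever sent.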

                     Business Banking Double Whammy: Defeating Dual Controls
                     Most banks encourage their business banking customers to implement dual controls, a
                     process where one user must initiate a transaction and another separate user must
                     approve. To circumvent this process, criminals simply add another user and use that
                     new user to either tee up or approve a fraudulent transaction. Often, criminals increase
                     limits, allowing both the existing user and new user to move high dollar amounts through
                     wire and ACH networks.

                     On the Backs of Mules: ACH Fraud
                     Prior to Man-in-the-Browser attacks gaining attention, the big story of 2009 was large
                     scale ACH fraud facilitated by the use of “money mules”, people recruited to help move
                     money quickly through the system.

                     In these attacks, after compromising the accounts and doing account reconnaissance to
                     identify when the account is at its peak balance, criminals send batch ACH transfers to
                     multiple, individual personal accounts held by money mules (unwitting participants in
                     many cases), who are standing by ready to wire money out of the country, keeping a
                     small percentage for themselves.

                     Attacks using money mules deliver big bang for the buck. One single breach can lead to
                     six-figure fraud.

                     Lessons Learned from These Attacks
                     There are a number of variations on the themes mentioned above, but these core
                     examples get to the heart of the matter and point out the key issues facing institutions

                     Key takeaways from these examples:

                          1. Authentication is not keeping criminals out. Fraudsters have developed the
                             methods needed to log into your customers accounts undetected and are using
                             your customers against you. Additional layers of security in addition to anti-
                             virus/anti-malware, secure clients, and authentication are required to protect your
                             customers and your institution.

                          2. Criminals can spoof location and network information, limiting the ability of
                             geo-location based technologies to spot fraud. Recent fraud examples show
                             fraudsters are using trusted IP addresses and can even hi-jack sessions to bear
                             almost the same technical footprint as the actual user. Fraud detection solutions
                             must look deeper than location information to spot the fraudster.

                          3. Fraudsters understand how your online banking platforms work. In order to
                             maximize their effectiveness and streamline their ability to move money quickly,
                             criminals take the time to learn your online banking platform, your typical policies
                             and the policies of your customers.

                          4. Most fraud attacks have some level of account reconnaissance associated
                             with them, opening an opportunity to catch them. Fraudsters are accessing
                             the account to look for peak balances, controls, personal information and more.
                             This represents a unique opportunity to identify them, before they have the
                             chance to transfer funds.

                          5. Fraud is dynamic – it is almost impossible to keep rules in rules-based
                             systems that characterize fraud up to date with the latest attacks. Money
                             mule schemes appeared mid 2009 and took the banking industry by storm and
                             Man-in-the-Browser attacks appeared with the force of a wildfire at the end of
                             2009 and into 2010. Companies need a platform for fraud detection that can be
                             as dynamic as the fraudsters themselves without generating an unmanageable
                             number of alerts.

                     In short, yesterdayʼs solutions are not enough to stop todayʼs online banking attacks.

                     Modern Attacks Require Proactive, Modern Defenses
                     Security and industry experts agree – a layered security approach is best. But with so
                     many options out there, where should institutions start? What class of technology will
                     provide the biggest bang for the buck? What will provide a platform for protection not
                     only for todayʼs online capabilities and fraud attacks, but for those of the future?

                     In a recent interview with Marsha Savage, Avivah Litan from Gartner says, "The banks
                     really need to step up their defenses and use more sophisticated fraud detection that
                     looks at the behavior of the transaction from login until logout." Monitoring all user
                     activities, not just transactions, can help proactively identify account compromise to
                     prevent the fraudulent transfer of funds.
                     account compromise to prevent the fraudulent transfer of funds.

                     Predictive Behavioral Analytics – Finding What Other Approaches Miss
                     There are two primary approaches to fraud prevention:

                           1. Start with known ideas about fraud and try to write rules or train algorithms to
                              catch it. This is expensive to maintain, generates a high number of false positive
                              alerts, and misses fraud that doesnʼt fit into the framework of rules.


                           2. Start with the known behaviors of your real users and analyze, using predictive
                              analytics, every activity in every session to determine if behavior seen in a
                              session maps to what that user is expected to do or if it is at high risk of being
                              fraudulent. This approach is called Dynamic Account Modeling™.

                     Through Dynamic Account Modeling, institutions can maximize detection of fraudulent
                     online banking account access, with minimal unnecessary alerts. By taking a holistic
                     view of the users behavior, from login to transaction, Dynamic Account Modeling helps
                     institutions finally get proactive about stopping fraud, before any money leaves the bank.

                     Because Dynamic Account Modeling is not dependent on knowledge of fraud to detect
                     fraud, it can stop new and emerging threats, including Man-In-The-Browser attacks and
                     money mule schemes and protect against ACH, Wire, Bill Pay and other types of
                     payments fraud.
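                     To show the difference between the two approaches in working code, here is an added
                     example. It is written for this page; it is not FraudMAP, Dynamic Account Modeling or
                     any other Guardian Analytics code, and the scoring weights, the alert threshold, the
                     $25,000 rule, the account names and the session logs are all constructed. It builds a
                     baseline from an account's own past sessions and then scores a new session event by
                     event, so the retail challenge-question case, the business dual-control case and the
                     eighty-times-$10,000 ACH batch from the success stories below can each be replayed
                     against a naive single-amount rule. What matters is where the alert fires relative to
                     the first payment event.

```python
# Constructed for this example: event helpers, a naive rule threshold, scoring weights and
# sample session logs. None of this is FraudMAP logic or data from the paper.
RULE_SINGLE_TXN_LIMIT = 25_000   # the kind of static rule a rules engine would carry
ALERT_THRESHOLD = 4              # behavioural risk score at which an alert fires
CONTROL_CHANGES = {"add_user", "raise_limit", "change_contact", "change_password"}

def login(device, hour, challenge=False):
    return {"type": "login", "device": device, "hour": hour, "challenge_answered": challenge}

def view(page):
    return {"type": "view", "page": page}

def admin(action):
    return {"type": "admin", "action": action}

def pay(payee, amount):
    return {"type": "payment", "payee": payee, "amount": amount}

def build_baseline(history):
    """Summarise an account's own past sessions: the behaviour it is expected to repeat."""
    b = {"devices": set(), "hours": set(), "pages": set(), "payees": set(),
         "max_amount": 0, "max_payments": 0}
    for session in history:
        payments = 0
        for ev in session:
            if ev["type"] == "login":
                b["devices"].add(ev["device"])
                b["hours"].add(ev["hour"])
            elif ev["type"] == "view":
                b["pages"].add(ev["page"])
            elif ev["type"] == "payment":
                payments += 1
                b["payees"].add(ev["payee"])
                b["max_amount"] = max(b["max_amount"], ev["amount"])
        b["max_payments"] = max(b["max_payments"], payments)
    return b

def amount_rule(session):
    """Approach 1 from the text: a fixed rule that fires only on a single large transfer."""
    return any(ev["type"] == "payment" and ev["amount"] >= RULE_SINGLE_TXN_LIMIT
               for ev in session)

def score_session(baseline, session, threshold=ALERT_THRESHOLD):
    """Approach 2: walk the session in order, adding risk for every departure from the
    account's own baseline, and report where the alert fired relative to the first payment."""
    state = {"score": 0, "fired_at": None, "first_payment": None, "reasons": []}
    new_payees, payments, batch_flagged = set(), 0, False

    def bump(points, why):
        state["score"] += points
        state["reasons"].append(why)

    for i, ev in enumerate(session):
        if ev["type"] == "login":
            if ev["device"] not in baseline["devices"]:   # cookie absent or device unknown
                bump(2 if ev["challenge_answered"] else 1, "login from a device never seen here")
            if ev["hour"] not in baseline["hours"]:
                bump(1, f"login at hour {ev['hour']}, outside this user's usual hours")
        elif ev["type"] == "view" and ev["page"] not in baseline["pages"]:
            bump(1, f"reconnaissance: first-ever view of {ev['page']}")
        elif ev["type"] == "admin" and ev["action"] in CONTROL_CHANGES:
            bump(2, f"control change: {ev['action']}")
        elif ev["type"] == "payment":
            payments += 1
            if state["first_payment"] is None:
                state["first_payment"] = i
            if ev["payee"] not in baseline["payees"] and ev["payee"] not in new_payees:
                new_payees.add(ev["payee"])
                bump(2, f"payment to never-before-seen payee {ev['payee']}")
            if payments > baseline["max_payments"] and not batch_flagged:
                batch_flagged = True
                bump(2, "more payments in one session than this account has ever sent")
        if state["fired_at"] is None and state["score"] >= threshold:
            state["fired_at"] = i
    fp, fa = state["first_payment"], state["fired_at"]
    state["caught_before_money_moved"] = fa is not None and (fp is None or fa < fp)
    return state

# Retail user (evenings, one laptop, small transfers) and the challenge-question attack session.
RETAIL_HISTORY = [
    [login("home-laptop", 20), view("balances"), pay("own-savings", 400)],
    [login("home-laptop", 21), view("balances"), view("statements")],
    [login("home-laptop", 19), view("balances"), pay("electric-co", 180)],
]
RETAIL_ATTACK = [login("unknown-win7", 3, challenge=True), view("balances"), view("check_images"),
                 admin("change_password"), admin("change_contact"), pay("new-acct-other-bank", 9_500)]
# Business user (office hours, one PC, ACH batches to known vendors), the spoofed-device
# dual-control attack with eighty $10,000 mule credits, and an ordinary session for contrast.
BUSINESS_HISTORY = [[login("office-pc", 10), view("balances"), view("ach_batch")]
                    + [pay(f"vendor-{n}", 12_000 - 500 * n) for n in range(8)]]
BUSINESS_ATTACK = ([login("office-pc", 10), view("balances"), admin("add_user"), admin("raise_limit")]
                   + [pay(f"mule-{n}", 10_000) for n in range(80)])
BUSINESS_NORMAL = ([login("office-pc", 10), view("balances")]
                   + [pay(f"vendor-{n}", 9_000) for n in range(5)])
```

                     Calling score_session(build_baseline(RETAIL_HISTORY), RETAIL_ATTACK) fires at event
                     2 (the first-ever view of check images), three events before the wire; the business
                     attack fires at event 3 (limits raised right after a user was added), one event before
                     the first ACH credit, even though the spoofed device and the login hour earn no points
                     at all; the ordinary business session scores zero. amount_rule never fires on either
                     attack, because no single transfer reaches $25,000. The weights are illustrative,
                     and a production model would learn distributions for each account rather than plain
                     set membership, but the structural point carries over: the signal is in what the session
                     does before the money moves, not in the device, the location or the transfer amount.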

                     Success Stories
                     The Dynamic Account Modeling approach is in use at leading banks and credit unions
                     today. Success stories include:

                              •  A credit union identified ninety-eight accounts that had been compromised by
                                 fraudsters with a little over $1,000,000 at risk.
                              •  A bank stopped an $800,000 fraud attempt comprised of eighty $10,000
                                 transactions by identifying fraudulent behavior before the fraudulent transaction
                                 was executed.
                              •  A credit union, within the first six months of using Dynamic Account Modeling,
                                 successfully averted over $500,000 in fraud losses.
                              •  Another credit union identified a cross-account HELOC scam and stopped
                                 $700,000 in related fraudulent transactions.
                              •  A bank stopped three wire fraud attacks totaling $85K based on early detection of
                                 high-risk behavior.

                     2009 was a banner year for fraudsters. 2010 will be a bigger year – the fraud epidemic will
                     continue to grow and accelerate. Focusing on attempting to secure the end point or the
                     front door is a losing battle. Yesterdayʼs counter-measures will not be effective against
                     current and future fraud attacks. Protecting against new, sophisticated approaches to
                     fraud, such as Man-in-the-Browser, needs to be a top priority for financial institutions.
                     Criminals are evolving their strategies and financial institutions need to evolve and stay
                     ahead of them.

                     The risks of ignoring the problem are real. Fraud attacks bring financial losses, customer
                     losses and reputation issues. In the 2010 Business Banking Trust Study, 40 percent of
                     SMBs who experienced a fraud attack significantly changed their relationship with their
                     institution – 11% of them changed institutions outright, and 29% of them moved their
                     primary services to another institution.

                     Itʼs time for institutions to stop being reactive and start being proactive.

                     About Guardian Analytics
                     Guardian Analytics is focused on fraud protection for financial services institutions. Weʼre proud to
                     serve banks and credit unions that are taking a proactive step to lead the way in fraud prevention.
                     Our customers take the promise of security and protection of customer assets very seriously – itʼs
                     an essential element of their brand and reputation. They share a “no compromise” attitude and will
                     do all they can to protect their institution and their customers and members from fraud attacks.
                     Our fraud prevention solution, FraudMAP, is based on direct experience with online banking fraud
                     and deep predictive analytics expertise. FraudMAP uses Dynamic Account Modeling™ to
                     proactively identify online account takeover, and is protecting hundreds of billions in assets at
                     banks and credit unions across the country. Guardian Analytics offers two unique applications –
                     FraudMAP for Retail Banking and FraudMAP for Business Banking.

                     For more information, please visit or follow us on Twitter at
