Sujith Ambady
Jan 20, 2016
Real-world Case Studies
Lessons Learnt
Types of Fraud
Fraud Prevention and Detection
Conclusions
Q&A
Head Trainer at Institute of Information Security (training wing of Network Intelligence) and Security Analyst at Network Intelligence.
Over 9 years of experience in
◦ Electronic Banking Operations and Security
◦ IT Infrastructure Design and Training Consultant
Certifications
◦ RHCE
◦ RHCSA
Speaker at Mumbai Null Chapter
Trained corporate SOC and software teams on Reverse Engineering, Malware Analysis, Secure Coding and Web Application Penetration Testing
MBA in Information Management
Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. The IIA’s IPPF defines fraud as: “Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment. - Bryan Garner, ed., Black’s Law Dictionary. 8th Ed. (2004), s.v., “fraud.”
Internal Fraud or occupational fraud
◦ Corporate Espionage
◦ Data Leakage and Theft
◦ Intellectual Property and Trade Secret Theft
◦ Financial Fraud
External Fraud
◦ Identity Theft
◦ Malware Attacks
◦ Amateur Fraud across all CNP (card-not-present) sales channels
◦ Phishing
Fraud Against Individuals
Fraud triangle - Dr. Donald Cressey
Case Study 1
Kotak Mahindra Bank - 1,730 transactions worth Rs 2.84 crore using Credit Cards that were not issued.
580 Cards used in seven countries -- Canada, USA, UK, Germany, Brazil, France and India - between July 2 and September 10.
An internal probe by the bank revealed that the cards were created by stealing data from a newly created series of unissued cards, all within the BIN (Bank Identification Number) range.
The new card series order was raised by the bank's product team and an order was given to DZ Card India Ltd at Gurgaon that has acquired the contract to create bank's cards. Bank had generated and registered three BIN Range (numbers) of the new cards (Visa and MasterCard)... Unknown fraudsters forged and fabricated (the) cards and used the same as genuine.
Increasing user awareness
Strong policies against misuse of end-point systems
Strong monitoring controls
Personnel security controls
Run social engineering tests as part of your audits
Case Study 2
How to build a multinational multi-billion dollar enterprise overnight!
>200 million credit card numbers stolen
Heartland Payment Systems, 7-Eleven, and 2 US national retailers hacked
Modus operandi
◦ Visit retail stores to understand workings
◦ Hack wireless networks
◦ Analyze websites for vulnerabilities
◦ Hack in using SQL injection
◦ Inject malware
◦ Sniff for card numbers and details
◦ Hide tracks
Albert Gonzalez
◦ a/k/a “segvec”
◦ a/k/a “soupnazi”
◦ a/k/a “j4guar17”
Malware, scripts and hacked data hosted on servers in:
◦ Latvia
◦ Netherlands
IRC chats
◦ March 2007: Gonzalez “planning my second phase against Hannaford”
◦ December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
Ukraine
New Jersey
California
$24 million to Mastercard
$41 million to Visa
$200 million in fines/penalties
A single vulnerability in an Internet-facing web application could lead to disaster
Blind reliance on technology based on product/vendor reputation is a bad idea
Strong logging controls
Fraud risk assessment is different from a regular audit
◦ Think like a fraudster to identify fraudulent areas and implement adequate controls
Concurrent monitoring (via ACL or BI tools) is also important
Identify red flags and put in place systems to monitor for these
Data Leakage Prevention
Information Rights Management
Email Gateway Filtering
Security & Controls by Design
Identity & Access Control Management
Encryption
Business Intelligence Solutions
Revenue Assurance & Fraud Management Solutions
Systems crashing
Audit trails not available
Mysterious “system” user IDs
Weak password controls
Simultaneous logins
Across-the-board transactions
Transactions that violate trends – weekends, excessive amounts, repetitive amounts
Reluctance to take leave or accept input/help
Reluctance to switch over to a new system
Set Purchase Limits
Monitor Bill to/Ship to Mismatches
Pay Attention to the Time of Day
Ask a Secret Question
Manage Passwords
Account Change Notification
Use Proxy Piercing/IP Geolocation Technology
Apply Device Fingerprinting Technology
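As an added illustration of the red-flag and prevention slides above (not code from the deck), this Python rule set scores constructed transaction records against the deck's own indicators: purchase limits, bill-to/ship-to mismatch, IP geolocation, weekend and off-hours timing, repetitive amounts, and simultaneous logins from different devices. The thresholds, field names and sample records are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
PURCHASE_LIMIT = 50000         # assumed threshold for this example ("Set Purchase Limits")
REPEAT_THRESHOLD = 3           # assumed: same amount this many times -> "repetitive amounts"
BUSINESS_HOURS = range(6, 23)  # assumed: "Pay Attention to the Time of Day"
SIMULTANEOUS_WINDOW_S = 300    # assumed: "Simultaneous logins" = another device within 5 min

def flag_transaction(tx):
    """Red flags visible in one record (the field names are this example's own schema)."""
    flags = []
    ts = datetime.fromisoformat(tx["ts"])
    if tx["amount"] > PURCHASE_LIMIT:
        flags.append("over_purchase_limit")
    if tx["bill_country"] != tx["ship_country"]:   # "Monitor Bill to/Ship to Mismatches"
        flags.append("bill_ship_mismatch")
    if tx["ip_country"] != tx["bill_country"]:     # "IP Geolocation"
        flags.append("ip_geo_mismatch")
    if ts.weekday() >= 5:                          # "Transactions that violate trends – weekends"
        flags.append("weekend")
    if ts.hour not in BUSINESS_HOURS:
        flags.append("off_hours")
    return flags

def flag_batch(txs):
    """Red flags that only show across records: repetitive amounts and simultaneous logins."""
    flags = {tx["id"]: flag_transaction(tx) for tx in txs}
    by_user = defaultdict(list)
    for tx in txs:
        by_user[tx["user"]].append(tx)
    for items in by_user.values():
        amounts = Counter(tx["amount"] for tx in items)
        for tx in items:
            if amounts[tx["amount"]] >= REPEAT_THRESHOLD:
                flags[tx["id"]].append("repetitive_amount")
        items.sort(key=lambda t: t["ts"])   # ISO 8601 strings sort chronologically
        for a, b in zip(items, items[1:]):
            gap = (datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])).total_seconds()
            if gap <= SIMULTANEOUS_WINDOW_S and a["device"] != b["device"]:
                flags[b["id"]].append("simultaneous_login")
    return flags

def rec(tid, user, amount, ts, bill="IN", ship="IN", ip="IN", device="d1"):
    return dict(id=tid, user=user, amount=amount, ts=ts, bill_country=bill, ship_country=ship, ip_country=ip, device=device)
# Constructed sample records (not real transactions).
SAMPLE = [
    rec("t1", "u1", 1200, "2016-01-18T10:05:00"),
    rec("t2", "u1", 1200, "2016-01-18T10:07:00", device="d2"),        # 2 min later, other device
    rec("t3", "u1", 1200, "2016-01-23T02:30:00", ship="BR", ip="US"),  # weekend, night, mismatches
    rec("t4", "u2", 90000, "2016-01-19T11:00:00"),                     # over the purchase limit
]
```

Running `flag_batch(SAMPLE)` attaches the matching indicator names to each record id; a real deployment would feed the same rules from a transaction log or BI tool rather than an in-memory list.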
1. Governance – Policies, Procedures and Organizational Framework
2. Application Controls
3. Infrastructure Controls
◦ Server
◦ Network
◦ End-point
4. Technological Controls for Fraud Detection, Prevention and Data Security
5. Training & Awareness
6. Fraud-focused Reporting
7. Audit Trail & Forensics
Sujith Ambady
Head Trainer and Security Analyst
http://in.linkedin.com/pub/sujith-ambady/9b/245/abb
http://itsecuritymonk.wordpress.com