Information Technology Fraud Prevention and Detection

1
Information Technology Fraud Prevention and
Detection

• Sujith Ambady

2
Agenda

• Real-world Case Studies
• Lessons Learnt
• Types of Fraud
• Fraud Prevention and Detection
• Conclusions
• QA

3
Speaker Profile Sujith Ambady

• Head Trainer at Institute of Information
  Security(Training wing of Network Intelligence)
  and Security Analyst at Network Intelligence.
• Over 9 years of experience in
• Electronic Banking Operations and Security
• IT Infrastructure Design and Training Consultant
• Certifications
• RHCE
• RHCSA
• Speaker at Mumbai Null Chapter
• Trained corporate SOC and Software team on
  Reverse Engineering, Malware analysis, Secure
  Coding and Web Application Penetration Testing
• MBA in Information Management

4
Fraud

• Fraud encompasses a wide range of irregularities
  and illegal acts characterized by intentional
  deception or misrepresentation.
• The IIAs IPPF defines fraud as Any illegal act
  characterized by deceit, concealment, or
  violation of trust. These acts are not dependent
  upon the threat of violence or physical force.
  Frauds are perpetrated by parties and
  organizations to obtain money, property, or
  services to avoid payment or loss of services
  or to secure personal or business advantage.
• A knowing misrepresentation of the truth or
  concealment of a material fact to induce another
  to act to his or her detriment. - Bryan Garner,
  ed., Blacks Law Dictionary. 8th Ed. (2004),
  s.v., fraud. 

5
Types of Fraud

• Internal Fraud or occupational fraud
• Corporate Espionage
• Data Leakage and Theft
• Intellectual Property and Trade Secret Theft
• Financial Fraud
• External Fraud
• Identity Theft
• Malware Attacks
• Amateur Fraud all CNP sales channels
• Phishing
• Fraud Against Individuals

6
Why does Fraud Occur?

• Fraud triangle - Dr. Donald Cressey

7
How Technology Impact Financial Fraud?
8
Corporate Espionage

• Case Study 1

9
Targeting and Exploitation Cycle
10
It could be in your backyard!
11
(No Transcript)
12
Conmen used 580 duplicate cards to dupe bank of
Rs 2.84cr

• Kotak Mahindra Bank - 1,730 transactions worth Rs
  2.84 crore using Credit Cards that were not
  issued.
• 580 Cards used in seven countries -- Canada, USA,
  UK, Germany, Brazil, France and India - between
  July 2 and September 10.
• An internal probe by the bank revealed that the
  cards were created by stealing data from a newly
  created series of unissued cards, all within the
  BIN (Bank Identification Number) range.

13
Conmen used 580 duplicate cards to dupe bank of
Rs 2.84cr(cont..)

• The new card series order was raised by the
  bank's product team and an order was given to DZ
  Card India Ltd at Gurgaon that has acquired the
  contract to create bank's cards. Bank had
  generated and registered three BIN Range
  (numbers) of the new cards (Visa and
  MasterCard)... Unknown fraudsters forged and
  fabricated (the) cards and used the same as
  genuine.

14
Shoulder surfing
15
Phishing
16
(No Transcript)
17
Fake Book
18
Solutions

• Increasing user awareness
• Strong policies against misuse of end-point
  systems
• Strong monitoring controls
• Personnel security controls
• Run social engineering tests as part of your
  audits

19
Cyber-Crime and

• Case Study 2

20

21
(No Transcript)
22
The biggest hack in history

• How to build a multinational multi-billion dollar
  enterprise overnight!

23
Gonzalez, TJX and Heart-break-land

• gt200 million credit card number stolen
• Heartland Payment Systems, 7-Eleven, and 2 US
  national retailers hacked
• Modus operandi
• Visit retail stores to understand workings
• Hack wireless networks
• Analyze websites for vulnerabilities
• Hack in using SQL injection
• Inject malware
• Sniff for card numbers and details
• Hide tracks

24
The hacker underground

• Albert Gonzalez
• a/k/a segvec,
• a/k/a soupnazi,
• a/k/a j4guar17
• Malware, scripts and hacked data hosted on
  servers in
• Latvia
• Netherlands
• IRC chats
• March 2007 Gonzalez planning my second phase
  against Hannaford
• December 2007 Hacker P.T. thats how HACKER 2
  hacked Hannaford.

Ukraine New Jersey California
25
TJX direct costs
200 million in fines/penalties
41 million to Visa
24 million to Mastercard
26
Solutions

• A single vulnerability in an Internet-facing web
  application could lead to disaster
• Blind reliance on technology based on
  product/vendor reputation is a bad idea
• Strong logging controls
• Fraud risk assessment is different from a regular
  audit
• Think like a fraudster to identify fraudulent
  areas and implement adequate controls
• Concurrent monitoring via ACL or BI tools is
  also important
• Identify red flags and put in place systems to
  monitor for these

27
Leveraging Technology

• Data Leakage Prevention
• Information Rights Management
• Email Gateway Filtering
• Security Controls by Design
• Identity Access Control Management
• Encryption
• Business Intelligence Solutions
• Revenue Assurance Fraud Management Solutions

28
Technology Red Flags

• Systems crashing
• Audit trails not available
• Mysterious system user IDs
• Weak password controls
• Simultaneous logins
• Across-the-board transactions
• Transactions that violate trends weekends,
  excessive amounts, repetitive amounts
• Reluctance to take leave or accept input/help
• Reluctance to switch over to a new system

29
Fraud Prevention Strategies

• Set Purchase Limits
• Monitor Bill to/Ship to Mismatches
• Pay Attention to the Time of Day
• Ask a Secret Question
• Manage Passwords
• Account Change Notification
• Use Proxy Piercing/IP Geo location Technology
• Apply Device Fingerprinting Technology

30
Conclusions

• Governances Policies, Procedures and
  Organizational Framework
• Application Controls
• Infrastructure Controls
• Server
• Network
• End-point
• Technological Controls for Fraud Detection,
  Prevention and Data Security
• Training Awareness
• Fraud-focused Reporting
• Audit Trail Forensics

31
QAThank you!

• Sujith Ambady
• Head Trainer and Security Analyst
• Sujith.Ambady_at_niiconsulting.com
• https//in.linkedin.com/pub/sujith-ambady/9b/245/a
  bb
• http//itsecuritymonk.wordpress.com