Posted on 20-Jan-2016

Sujith Ambady

◦ Real-world Case Studies
◦ Lessons Learnt
◦ Types of Fraud
◦ Fraud Prevention and Detection
◦ Conclusions
◦ Q&A

Head Trainer at the Institute of Information Security (training wing of Network Intelligence) and Security Analyst at Network Intelligence.

Over 9 years of experience in
◦ Electronic Banking Operations and Security
◦ IT Infrastructure Design and Training Consultancy

Certifications
◦ RHCE
◦ RHCSA

Speaker at Mumbai Null Chapter

Trained corporate SOC and software teams on Reverse Engineering, Malware Analysis, Secure Coding and Web Application Penetration Testing

MBA in Information Management

Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. The IIA’s IPPF defines fraud as: “Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment. - Bryan Garner, ed., Black’s Law Dictionary. 8th Ed. (2004), s.v., “fraud.” 


Internal fraud or occupational fraud
◦ Corporate Espionage
◦ Data Leakage and Theft
◦ Intellectual Property and Trade Secret Theft
◦ Financial Fraud

External fraud
◦ Identity Theft
◦ Malware Attacks
◦ Amateur fraud across all CNP (card-not-present) sales channels
◦ Phishing

Fraud Against Individuals


Fraud triangle (Dr. Donald Cressey): fraud becomes likely when three conditions coincide, namely pressure (a motive), opportunity (weak controls or trusted access) and rationalization (the perpetrator justifying the act).


Case Study 1

Kotak Mahindra Bank - 1,730 transactions worth Rs 2.84 crore using Credit Cards that were not issued.

580 Cards used in seven countries -- Canada, USA, UK, Germany, Brazil, France and India - between July 2 and September 10.

An internal probe by the bank revealed that the cards were created by stealing data from a newly created series of unissued cards, all within the BIN (Bank Identification Number) range.

The new card series order was raised by the bank's product team and an order was given to DZ Card India Ltd at Gurgaon that has acquired the contract to create bank's cards. Bank had generated and registered three BIN Range (numbers) of the new cards (Visa and MasterCard)... Unknown fraudsters forged and fabricated (the) cards and used the same as genuine.

Lessons learnt
◦ Increasing user awareness
◦ Strong policies against misuse of end-point systems
◦ Strong monitoring controls
◦ Personnel security controls
◦ Run social engineering tests as part of your audits

Case Study 2

How to build a multinational multi-billion dollar enterprise overnight!

>200 million credit card numbers stolen

Heartland Payment Systems, 7-Eleven, and 2 US national retailers hacked

Modus operandi
◦ Visit retail stores to understand workings
◦ Hack wireless networks
◦ Analyze websites for vulnerabilities
◦ Hack in using SQL injection
◦ Inject malware
◦ Sniff for card numbers and details
◦ Hide tracks

Albert Gonzalez
◦ a/k/a “segvec”
◦ a/k/a “soupnazi”
◦ a/k/a “j4guar17”

Malware, scripts and hacked data hosted on servers in:
◦ Latvia
◦ Netherlands

IRC chats
◦ March 2007: Gonzalez “planning my second phase against Hannaford”
◦ December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”

◦ Ukraine
◦ New Jersey
◦ California

$24 million to Mastercard

$41 million to Visa

$200 million in fines/penalties

A single vulnerability in an Internet-facing web application could lead to disaster

Blind reliance on technology based on product/vendor reputation is a bad idea
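The “hack in using SQL injection” step in the modus operandi above, and the lesson that a single flaw in an Internet-facing application is enough, both come down to a query assembled from user input. The following is an added example (not code from the original slides or from any of the companies named) on a throwaway in-memory SQLite table with invented column names: the same lookup written unsafely and safely, fed the same crafted input.

```python
"""SQL injection, shown on a constructed SQLite database.

Added example, not from the original deck. The table, columns, rows and the
payload below are invented for illustration.
"""
import sqlite3


def make_db():
    """In-memory store with a fake 'customers' table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, pan_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "4242"),
        (2, "bob@example.com", "1881"),
        (3, "carol@example.com", "0005"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: attacker-controlled input becomes SQL syntax."""
    sql = f"SELECT id, email, pan_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver passes the value separately from the
    statement, so quotes inside the input stay data and never become syntax."""
    sql = "SELECT id, email, pan_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload (constructed test input): closes the quoted
# string and appends a condition that is always true.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row dumped
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no match
```

The vulnerable version turns the payload into `WHERE email = 'x' OR '1'='1'` and returns the whole table; the parameterised version looks for a customer whose address literally equals the payload and returns nothing. Input validation and escaping are secondary; parameterisation (or an ORM that uses it) is the control that removes the class of bug.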

Strong logging controls

Fraud risk assessment is different from a regular audit
◦ Think like a fraudster to identify fraud-prone areas and implement adequate controls

Concurrent monitoring, via ACL or BI tools, is also important

Identify red flags and put in place systems to monitor for these

Solutions
◦ Data Leakage Prevention
◦ Information Rights Management
◦ Email Gateway Filtering
◦ Security & Controls by Design
◦ Identity & Access Control Management
◦ Encryption
◦ Business Intelligence Solutions
◦ Revenue Assurance & Fraud Management Solutions

Red flags
◦ Systems crashing
◦ Audit trails not available
◦ Mysterious “system” user IDs
◦ Weak password controls
◦ Simultaneous logins
◦ Across-the-board transactions
◦ Transactions that violate trends: weekends, excessive amounts, repetitive amounts
◦ Reluctance to take leave or accept input/help
◦ Reluctance to switch over to a new system

CNP fraud controls
◦ Set purchase limits
◦ Monitor bill-to/ship-to mismatches
◦ Pay attention to the time of day
◦ Ask a secret question
◦ Manage passwords
◦ Account change notification
◦ Use proxy piercing / IP geolocation technology
◦ Apply device fingerprinting technology
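Most of the controls listed above are rules that can be evaluated automatically at order time, and several of the red flags from the previous list (weekend transactions, repetitive amounts) can be checked in the same pass. The following Python is an added example, not part of the original deck: a rule-based screener run over a constructed batch of card-not-present orders. The thresholds, the field names, the GEOIP lookup table and the sample orders are all assumptions chosen for illustration; a real deployment would pull them from policy and from a geolocation/fingerprinting service.

```python
"""Rule-based screening of card-not-present (CNP) orders.

Added example, not from the original slides. Thresholds, field names, the
GEOIP table and the sample orders are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical policy values (assumptions, not from the deck).
PURCHASE_LIMIT = 1500.00        # a single order above this needs review
NIGHT_HOURS = range(0, 6)       # orders placed 00:00-05:59 local are unusual
ACCOUNT_CHANGE_WINDOW_H = 24    # address/email changed shortly before ordering
MAX_ACCOUNTS_PER_DEVICE = 2     # one device fingerprint used by many accounts
REPEAT_AMOUNT_THRESHOLD = 3     # same amount charged to the same card N times

# Stand-in for an IP geolocation service (documentation-range addresses).
GEOIP = {"203.0.113.10": "IN", "198.51.100.7": "US", "192.0.2.55": "BR"}


def score_order(order, device_accounts, card_amounts):
    """Return (score, reasons) for one order; score = number of rules hit."""
    reasons = []
    if order["amount"] > PURCHASE_LIMIT:
        reasons.append("amount over purchase limit")
    if order["bill_country"] != order["ship_country"]:
        reasons.append("bill-to/ship-to mismatch")
    ts = datetime.fromisoformat(order["time"])
    if ts.hour in NIGHT_HOURS:
        reasons.append("placed at unusual hour")
    if ts.weekday() >= 5:                      # 5 = Saturday, 6 = Sunday
        reasons.append("weekend transaction")
    if order.get("account_changed_hours_ago", 10**6) < ACCOUNT_CHANGE_WINDOW_H:
        reasons.append("recent account change")
    ip_country = GEOIP.get(order["ip"])
    if ip_country is None:                      # unknown IP: proxy/anonymizer?
        reasons.append("IP not geolocatable (proxy/anonymizer?)")
    elif ip_country != order["bill_country"]:
        reasons.append("IP country differs from billing country")
    if len(device_accounts[order["device"]]) > MAX_ACCOUNTS_PER_DEVICE:
        reasons.append("device fingerprint shared across accounts")
    if card_amounts[order["card"]][order["amount"]] >= REPEAT_AMOUNT_THRESHOLD:
        reasons.append("repetitive identical amounts on one card")
    return len(reasons), reasons


def screen(orders):
    """Screen a batch; returns {order_id: (score, reasons)}.

    Cross-order statistics (shared devices, repeated amounts) are built from
    the whole batch first so that each order is judged against its peers."""
    device_accounts = defaultdict(set)   # fingerprint -> accounts seen on it
    card_amounts = defaultdict(Counter)  # card -> amount -> occurrences
    for o in orders:
        device_accounts[o["device"]].add(o["account"])
        card_amounts[o["card"]][o["amount"]] += 1
    return {o["id"]: score_order(o, device_accounts, card_amounts) for o in orders}


# Constructed sample batch (fake accounts, cards, devices and IPs).
ORDERS = [
    {"id": 1, "account": "a1", "card": "c1", "amount": 120.0, "time": "2016-01-18T14:05:00",
     "bill_country": "IN", "ship_country": "IN", "ip": "203.0.113.10", "device": "d1"},
    {"id": 2, "account": "a2", "card": "c2", "amount": 2400.0, "time": "2016-01-17T02:30:00",
     "bill_country": "IN", "ship_country": "US", "ip": "192.0.2.55", "device": "d2",
     "account_changed_hours_ago": 3},
    {"id": 3, "account": "a3", "card": "c3", "amount": 99.0, "time": "2016-01-19T10:00:00",
     "bill_country": "US", "ship_country": "US", "ip": "198.51.100.7", "device": "d9"},
    {"id": 4, "account": "a4", "card": "c3", "amount": 99.0, "time": "2016-01-19T10:02:00",
     "bill_country": "US", "ship_country": "US", "ip": "198.51.100.7", "device": "d9"},
    {"id": 5, "account": "a5", "card": "c3", "amount": 99.0, "time": "2016-01-19T10:04:00",
     "bill_country": "US", "ship_country": "US", "ip": "198.51.100.7", "device": "d9"},
    {"id": 6, "account": "a6", "card": "c6", "amount": 50.0, "time": "2016-01-19T11:00:00",
     "bill_country": "IN", "ship_country": "IN", "ip": "10.0.0.9", "device": "d6"},
]

if __name__ == "__main__":
    for oid, (score, reasons) in screen(ORDERS).items():
        print(oid, score, reasons)
```

Order 1 is a normal weekday purchase and scores 0; order 2 trips six rules at once (over limit, address mismatch, 02:30 on a Sunday, account changed three hours earlier, IP in a third country); orders 3 to 5 look individually harmless but share one device fingerprint across three accounts and put the same amount on the same card three times, which is only visible when the batch is considered as a whole. Scores like these feed a review queue or a step-up challenge (the “secret question” control) rather than an automatic decline.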


1. Governance: policies, procedures and organizational framework
2. Application controls
3. Infrastructure controls
◦ Server
◦ Network
◦ End-point
4. Technological controls for fraud detection, prevention and data security
5. Training & awareness
6. Fraud-focused reporting
7. Audit trail & forensics

Sujith Ambady
Head Trainer and Security Analyst
Sujith.Ambady@niiconsulting.com
https://in.linkedin.com/pub/sujith-ambady/9b/245/abb
http://itsecuritymonk.wordpress.com
