catella e-crime london2015


Upload: patrick-wheeler

Post on 21-Mar-2017


Page 1: Catella e-Crime London2015

MODERN BANK ROBBERY 101: THE INTRODUCTORY COURSE

Patrick Wheeler, Mar 2015

v1.2

• Historical bank robbery & sociological underpinnings

• Why digital robbery is the 'Perfect Crime'

• Some modern evolutions & why our traditional defenses are failing

• Where we can see solutions…

DISCLAIMER - Doing the Necessary

• This is not a How-To Manual and any effort to replicate techniques and methods herein may be met with variable success (and interest by law enforcement) …

• This is an effort to share one person’s experience in hopes it helps us all…

• These are largely my opinions (except where they aren’t)…

• These are definitely not the opinions of my employer (except where they are)…

• I may make mistakes and be factually incorrect (except where I ain’t & don’t)…

• I will be relying upon publicly available information (for some reason I hesitate to share specific company information in a public forum) …

• If I appropriated your images, my thanks (and apologies if I misuse, offend or fail to attribute) …

Patience Please:

• I tend to speak quickly …

• I abuse analogies and esoteric references …

• I apologize in advance if I stutter or stumble a little bit …

Please let me know if I can clarify anything … you can usually find me wherever someone is serving food or coffee

Page 2

About what I do …

BIO – Patrick Wheeler has been involved in IT Consulting, Business, Engineering and Security for over 20 yrs. He has a Bachelors in Environmental Engineering, an MBA and is a registered professional Civil Engineer. His background includes fun job titles like Security Architect, Audit Manager, Inspector, Systems and Security Analyst, Project Manager, Operations Director, VP of Operations and Chief Information Security Officer.

• His business, IT and best practices focus is on information security, risk and compliance including PCI and security program management as well as internal and external financial & technology audits. With a legal support background he serves as an expert witness to courts on various aspects of best practices and industry standards.

• He has been involved in many industries from government agencies, financial services, and banking through fashion, retail and technology startups. Prior to moving to Europe he served in California’s Silicon Valley and San Francisco Bay Area specializing in security, compliance and operational efficiency topics.

• Personal interests include driving old cars too fast while taking photographs (in a well-controlled secure environment). Oh, and waterwheels. He now regrets this hobby after writing a successful EU grant of €2.5M to identify and convert old watermills to generate renewable electricity …

Andre Van Bever ©

Page 3

… & who I do it for

Page 4

Fraud Triangle (diagram): Motivation (€ $), Justification, Opportunity / Deterrence

The Fire Triangle … & Bank Robbery

"Other People's Money, A Study in the Social Psychology of Embezzlement" … fraud problem as a "violation of a position of financial trust" that the person originally took in good faith.

Page 5

1. Motivation – ‘That’s Where The Money Is’

Andrew Stone (1996), a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered … produce clone cards … withdraw the full daily limit for each account … also allowed him to sidestep withdrawal limits by using multiple copied cards.

In court, it was shown that he could withdraw as much as £10,000 per hour by using this method.

Stone was sentenced to five years and six months in prison.

vs.

Page 6

2. Justification: Sociologically, to get really depressed…

Dishonesty is the new Honesty: … how getting caught matters less than we think in whether we cheat; and how business practices pave the way for unethical behavior, both intentionally and unintentionally. … how unethical behavior works in the personal, professional, and political worlds, and how it affects all of us. The RSA Animate Version.

Cheating is the new Fair Play: … some behavioral ethics researchers were startled by a study published recently in The Journal of Personality and Social Psychology by researchers at the University of Washington, the London Business School, Harvard and the University of Pennsylvania. The title: “The Cheater’s High: The Unexpected Affective Benefits of Unethical Behavior.” http://well.blogs.nytimes.com/2013/10/07/in-bad-news-cheating-feels-good/?_r=0

…. Banks are evil ….

Page 7

3. Deterrence / Opportunity

Digital Crime: … a little less physical …

• No need to be present at the site of the criminal act
– No person-to-person interactions (individuals being robbed are unpredictable!) so no heroes and less potential for violence …
– No chance of accidental weapons discharge and murder charges
– No Local Police who pursue robbers diligently
– No Video cameras and witnesses

• Perceived as protected from identification and prosecution
• State Lines?

… while Americans struggled during the height of the Great Depression, the Dillinger gang stole … from Midwestern banks … made a crucial mistake… Dillinger fled jail in a stolen car and drove from Indiana to Illinois… a Federal offense to transport a stolen motor vehicle across state lines … enabled the FBI to lead the nationwide manhunt. Director J. Edgar Hoover made Dillinger’s capture the FBI’s top priority.

…. Banks are evil ….

Three Technological evolutions: Fast Cars, Interstate Highways and Overwhelming Firepower. Legal justice system slow to adjust to new reality…

Page 8

4. Capability – ‘democratization’ of Fraud: Fraud as a Service (FaaS) / Communities of Crime / Getting Social

Increased commercialization and ‘business’ driven approach …

• ‘Supported’ Fraud Tools with Trouble Ticketing
• Bot Networks for Hire
• Networks of Money Mules and Bank Accounts for Hire
• ‘Getaway Drivers’ and Denial of Service for Hire
• Advertising Services within and to the Criminal Community

Can outsource the difficult parts:
• Zero Day Attacks and initial compromise
• Money Mules for hire
• Distributed Denial of Service attacks to mask getaway
• Can re-use attack methodology and tools again and again and …
• can become RESELLERS (entrepreneurs)

… Sutherland's differential association theory can be summarized as: (Sutherland and Cressey, 1978)

• Criminal behavior is learned; it's not inherited, and the person who isn't already trained in crime doesn't invent criminal behavior.

• Criminal behavior is learned through interaction with other people through the processes of … communication and example.

• The principal learning of criminal behavior occurs within intimate personal groups.

• The learning of crime includes learning the techniques of committing the crime and the motives, drives, rationalizations and attitudes that accompany it…

…. Banks are evil ….

Page 9

The Perfect Crime - ATM Breach - $45M Single Day ATM Cash-Out

While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be short-changed … the leader of the New York cashing crew … fled the United States just as the authorities were starting to make arrests of members of his crew … gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.

… NOT a Great Bank Robbery?

Page 10

The Perfect Crime – Carbanak/Anunak

… Ocean’s 11 Caper?

Page 11

The Perfect Crime - ATM Jack-potting Vendor – YES – Controlled Recurring Revenue

Electronic Bank Robberies [30c3] – YouTube 56:19 ▶

Page 12

Analogy of Castle & Moat Defense (diagram):

• DMZ
• Customer Channels (e.g. online banking)
• Partner Channels
• Central Bank Processes (e.g. backend processing, HR, finance, etc)

Page 13

Page 14

Feeling ‘Outgunned’

• Is our financial industry ready to prevent a ‘Nation State’ backed compromise?

• How about the tools released ‘into the wild’ by nation states?

• Or the teams trained by them?

• The damages from the NSA (and affiliates) actions (stuxnet, cryptography, backdoors, distrust) but even more importantly the tools re-purposed and in the hands of mal-intended persons are hard to prepare for …

• Just as Vauban’s fortifications became obsolete with military evolution, our digital defences must evolve, somehow drastically, to a new reality …

Page 15

Solutions (Today !)

Jean-Baptiste Alphonse Karr, 1849: plus ça change, plus c'est la même chose (the more things change, the more things stay the same)

– There is no room for complacency …

– The targets, the methods and the actors may evolve …

– A coordinated, active and evolving defence is required …

– We must keep getting better and better at what we are doing …

– We will only get better by cooperating, learning and evolving our defences …

Deeper/Taller/Wider/Harder Defensive Layers With Hardened Crunchy Interiors – Fortresses are Today’s Reality –

Tip: how to stop targeted (APT) attacks: http://www.asd.gov.au/infosec/mitigationstrategies.htm

Page 16

Looking backwards to look forward:

• Many Security and Operational Best Practices Standards Exist, are Being Created & Updated
– International (e.g. ISO - International Standards Organization, NIST - National Institute of Standards)
– Governmental & Quasi-Governmental (e.g. EPC - European Payments Council & SEPA - Single European Payments Area)
– Channel Specific (e.g. EMV Chip & PIN and 3DS, PCI – Payment Card Industry)

Vauban’s Layered Defenses at Rocroi

Vauban’s ‘Other’ Defensive Layers

Page 17

A Coordinated Societal Response: We need to see ourselves into the future we want to live in …

• Critical National Infrastructure (CNI) learning & information sharing / CERTs
• Police Computer Crimes Units (CCU) – real, rapid and substantive deterrence and criminal punishments
• Industry working collaboratively; sharing information, standards bodies and frameworks, encryption and data de-valuation and building rapid internal response capabilities, minimise impacts on customers
• Proposed European rules; emphasis on self certification schemes, breach notification and stiff penalties

Page 18

Summary

Yes, systemic fraud and ‘modern’ Bank Robbery hurts society and <!fluffy kittens!> …

Old fashioned bank robbery only went away with community support and organised policing… Yes, look to your Citadel and your Castle and Your Moat, Understand your Enemy … but …

…Look over your citadel walls and find your friends …

Q&A: (you can usually find me wherever there is food or coffee being served ;-)

References & Credits:

• Fraud Triangle – Donald Cressey & Diamond
• Andrew Stone & Willie Sutton & John Dillinger
• Dishonesty Animated & Dan Ariely & Cheating is Fun & Sutherland & Cressey
• Zeus Trojan, Man-in-Browser & Spear Phishing
• Botnets for rent, DDoS & Citadel
• NYTimes $45M in 1-Day & ‘New Bank Robbery’ & ATM
• Carbanak / Anunak
• ATM Jackpotting Commercial Software – Electronic Bank Robberies [30c3] – YouTube 56:19 ▶
• Tommy Gun & Stuxnet & Regin Banking Malware
• ‘Standards’: ISO, NIST, PCI & Circl.lu, EU Data Privacy
• Vauban Fortifications & New Brisach & Luxembourg

Page 19

fini

Page 20

My lessons learned

… ‘X’ is a BaFin regulated and monitored payment institute there is no need for any auditing at ‘X’ premises and ‘X’ is not authorized to allow such audits (e.g. PCI-DSS)… http://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2013/fa_bj_2013_11_it_sicherheit_en.html

(Not) Sun Tzu: Keep your friends close, but your enemies closer