TRANSCRIPT
© 2014-2017 Raoul Chiesa, Security Brokers SCpA – Salone dei Pagamenti 2017, 24 November 2017 – MILANO
Finance, Hacking & Cybercrime: Payments & Security
Latest technological approaches and new business models of the Underground Economy
Raoul Chiesa, President, Security Brokers SCpA
Disclaimer
● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known laws.
● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
● Quoted trademarks belong to their registered owners.
● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group), nor of Security Brokers, its Associates and Associated Companies, and Technical Partners.
● Contents of this presentation cannot be quoted or reproduced.
Agenda
§ Cybercrime
§ Evolving scenarios in the counter-fraud Banking Environments: some real-life examples
§ Cards
§ POS
§ NFC
§ Conclusions
§ Reading Room
§ Contacts
The speaker
§ President, Founder, The Security Brokers
§ Independent Special Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
§ Former PSG Member, ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
§ Founder, @ CLUSIT (Italian Information Security Association)
§ Steering Committee, AIP/OPSI, Privacy & Security Observatory
§ Board of Directors, ISECOM
§ Board of Directors, OWASP Italian Chapter
§ Cultural Attaché, Scientific Committee, APWG European Chapter
§ Board Member, AIIC (Italian Association of Critical Infrastructures)
§ Roster of Experts, ITU (International Telecommunication Union)
§ Supporter at various security communities
Cybercrime: Modus Operandi (MO)
Evolving scenarios in the counter-fraud Banking Environments
Evolution of the «perimeter»
In the Information Security world this is called «evolution of the perimeter». It is the consequence of technological evolution and of the impact of the so-called «Digital Society» on the business world: BYOL (Bring Your Own Laptop), BYOD (Bring Your Own Device), Remote Working, Remote Co-Working, Social Networks, Cloud, …
Next-generation anti-fraud
In the same way, the banking world has had to revise its own anti-fraud approaches. Today it is:
(very) rare that attackers breach mainframe systems;
(fairly) rare that breaches occur by bypassing the perimeter defence systems put in place (Firewall, xIDS, etc.).
It is an everyday occurrence that TTPs (trusted third parties) are breached to the detriment of the banking and financial institution, for example Card Processing Centers (the examples are unfortunately dozens and dozens).
It is an everyday occurrence that the financial institution's end customer is compromised (malware, trojans, keyloggers, botnets, etc.).
It is an everyday occurrence that attended and unattended devices, such as POS terminals and payment kiosks (Totem), are compromised and the credit/debit card flows intercepted.
E-banking (botnet)
Bot ID: 59123a946d2d6ff7af589b1dcf9881e719161db4 Botnet: JUDY Version: 58
OS Version: Seven x64,SP 1,Lang 1040,ProductType 3,Build 7601 Computer ID UTENTE-PC_05227AE9F7A667719588FBC19FEDF31A
GMT: +1:00 Time start system 00:00:22
Local time 17.03.2014 18:39:51 Report time: 17.03.2014 18:10:09
Country: IT IPv4: 151.xxx.xxx.xxx
Comment for bot: - In the list of used: No
Process name: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE User of process: Utente-PC\Utente
Enviroment "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:996370 /prefetch:2 PID 2188 Level 3
Time process 17.03.2014 17:38:31 Lang process 1040
Source: https://youwebcard.bancopopolare.it/WEBHT/cc/movimentiConto.do https://youwebcard.bancopopolare.it/WEBHT/cc/movimentiConto.do Referer: https://youwebcard.bancopopolare.it/WEBHT/homepage.do
User input: 6481121029866388207861 POST data:
compilazione=S
codContoCorrente=001%7C2180%7C2180002578
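As an added example (not part of the original slides or of any botnet panel), a small Python triage helper that parses a bot report in the "Key: value" layout shown above and flags reports whose captured form data came from a watched e-banking host. The sample report is constructed from the slide's fields (IP masked as in the original, account value replaced by a placeholder), and the watch list of banking domains is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the same "Key: value" layout as the bot report on the slide
# (IP masked as in the original; the account value is a constructed placeholder).
SAMPLE_REPORT = r"""Bot ID: 59123a946d2d6ff7af589b1dcf9881e719161db4 Botnet: JUDY Version: 58
OS Version: Seven x64,SP 1,Lang 1040,ProductType 3,Build 7601
Country: IT IPv4: 151.xxx.xxx.xxx
Process name: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Source: https://youwebcard.bancopopolare.it/WEBHT/cc/movimentiConto.do
Referer: https://youwebcard.bancopopolare.it/WEBHT/homepage.do
POST data:
compilazione=S
codContoCorrente=001%7CXXXX%7CXXXXXXXXXX
"""

# Keys the report format uses; several "Key: value" pairs may share one line.
KNOWN_KEYS = ("Bot ID", "Botnet", "Version", "OS Version", "Country", "IPv4",
              "Process name", "Source", "Referer", "User input")
# Assumed watch list: domains of the institution's own e-banking portals.
WATCHED_HOSTS = ("bancopopolare.it",)

def parse_report(text):
    """Split the header into a dict of known fields and the POST body into form fields."""
    head, sep, body = text.partition("POST data:")
    key_re = re.compile(r"(%s): " % "|".join(re.escape(k) for k in KNOWN_KEYS))
    parts = key_re.split(head)          # ['', key, value, key, value, ...]
    fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    post = {}
    for line in (body.splitlines() if sep else []):
        if "=" in line:
            k, _, v = line.strip().partition("=")
            post[k] = unquote(v)        # undo the %7C-style URL encoding
    return fields, post

def triage(text):
    """Flag a report whose captured form data was stolen from a watched banking host."""
    fields, post = parse_report(text)
    host = urlsplit(fields.get("Source", "")).hostname or ""
    watched = any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
    return {
        "bot_id": fields.get("Bot ID"),
        "botnet": fields.get("Botnet"),
        "host": host,
        "captured_fields": sorted(post),
        "alert": watched and bool(post),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run over a dump of many such reports, the `alert` flag and `captured_fields` tell the fraud team which customers' sessions exposed account identifiers and which form fields the malware harvested.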
Cards, POS, NFC
JackPOS, «the early days»
Cards, POS (Totem), NFC
ANSA, 29 September 2014: http://www.ansa.it/sito/notizie/tecnologia/software_app/2014/09/29/parcheggi-e-biglietterie-nuovo-obiettivo-hacker_8c6b810d-c10e-45b7-9fd0-839bff92b5b0.html
Cards, POS, NFC
The mobile payments hoax: cutting-edge, yes, but easy to hack
The rush to introduce NFC systems, which let you pay with a smartphone in shops, has opened a security hole: the data is not encrypted and can therefore be stolen. But it is not a problem of NFC itself, the experts assure. And in Italy we are safe, only because these services are not yet active.
By la Repubblica.it - Tecnologia, 7 August 2012
http://www.repubblica.it/tecnologia/2012/08/07/news/rischi_pagamenti_nfc-40330153/?ref=fbpr
Mass-Carding
The limit on the amount payable via NFC could lead to the problem being underestimated. In reality, precisely thanks to the push given by marketing and promotions to encourage the user to pay with the NFC card, criminal scenarios of «Mass-Carding», with the consequent industrialisation of cash-out, can be designed. After all, it is enough to read a book like «Kingpin» (Kevin Poulsen, Hoepli editore) to realise how the «classic» cash-out models apply perfectly to «dumps» of NFC-based cards too, without having to compromise the NFC reader (POS, etc.).
Criminal model for mass cash-out
Attacker (setup of a mini-PC with a long-life battery and/or direct power supply, hidden in the vicinity of the NFC targets)
NFC Target (NFC automatic ticket machines, NFC POS terminals located in high-traffic places such as Autogrill, Chef Express, McDonald's, bookshops, etc.)
Exploitation (automatic and massive collection of PANs from NFC credit/debit cards, even when they are not used to pay for the services)
Cash-out (use of the PANs and cardholder data for online purchases of goods and resale of the same, e.g. eBay; NOTE: the CVV is not needed)
Conclusions
§ The banking world must make a strong change of vision, focusing attention on new types of information services that fully support «classic» anti-fraud.
§ The Customer must be defended beyond the classic banking «perimeter».
§ Now more than ever it is essential to be one step ahead of Cybercrime.
§ The benefits for the banking institution can be many:
§ Image
§ Fraud prevention
§ Not exceeding the ceiling covered by insurance
§ …
Reading room /1
● Spam Nation, Brian Krebs, 2014
● Kingpin: la storia della più grande rapina digitale del secolo, Kevin Poulsen, Hoepli, 2013
● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, PublicAffairs, 2010
● Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, Raoul Chiesa, Stefania Ducci, Silvio Ciappi, CRC Press/Taylor & Francis Group, 2009
● H.P.P. Questionnaires 2005-2010
● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007
● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003
● Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997
● The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000)
● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Slatalla & Joshua Quittner, HarperCollins, 1995
● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997
● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfer (Hyperion Books), 1996
● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997
● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002
● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004
● @Large: the Strange Case of the World's Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998
Reading room /2
● The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)
● Who is "n3td3v"?, by Hacker Factor Solutions, 2006 (white paper)
● Mafiaboy: How I cracked the Internet and Why it's still broken, Michael Calce with Craig Silverman, 2008
● The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002
● Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995
● Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004
● Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004
● Hacker Cracker, Ejovi Nuwere with David Chanoff, HarperCollins, 2002
● Compendio di criminologia, Ponti G., Raffaello Cortina, 1991
● Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol. X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (ed.), Giuffrè, 1988
● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44
● Criminal Profiling: dall'analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001
● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January 1998
● Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology
● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro