SOCIAL ENGINEERING: MITIGATING HUMAN RISK IN BANKING TRANSACTIONS
eBook
Exploiting the Desire to Trust
Social engineering is not a new concept, but it is an enduring one that is steadily growing, with no end in sight.
It works because we all have a natural human tendency to trust. Hackers manipulate the human factor and exploit that trust to steal valuable information.
One of the most common social engineering schemes is phishing, which is defined as “the use of social engineering and technical subterfuge to defraud an online account holder of their financial information by posing as a trusted identity.”
Phishing can be executed through multiple means, including spoofed emails, spoofed phone calls, web link manipulation and website forgeries; all with the goal of convincing your users to divulge confidential information, or participate unknowingly in fraudulent transactions.
“Social Engineering ... the art of manipulating people into performing actions or divulging confidential information”.
The Real Targets
In these social engineering attacks, the end user seems to be the obvious victim, but the actual target of the attack is the organization.
For financial services companies, few things are as potentially damaging as social engineering schemes like phishing. In 2017, the percentage of phishing attacks targeting banking and credit accounts increased from 47.5% to almost 54% of all phishing detections [1]. Year over year, 2017 saw a 59% increase in total number of phishing attempts [2].
These types of attacks undermine consumer confidence in a brand, put customers at great risk of identity theft and cost the financial industry billions of dollars each year. As phishing and other forms of social engineering attacks continue to escalate, financial institutions find themselves constantly battling to find better ways to track the attacks and mitigate the potential damage.
[1] https://www.finextra.com/pressarticle/72837/financial-phishing-accounts-for-over-50-of-all-phishing-attacks-for-the-first-time
[2] https://usa.kaspersky.com/about/press-releases/2018_fifa-2018-and-bitcoin-among-2017-most-luring-topics
Types of organizations affected
77% of phishing attempts fall into one of four sectors:
• Business and Professional Services: 28%
• Government: 19%
• Health Care: 15%
• Retail: 15%
In Q2 2017, 67% of malware hitting organizations was part of a phishing attempt.
Sources: NTT Security & Cisco
Evolving Attack Methods
The mass mail approach to phishing has also evolved into other very effective varieties.
Spear phishing continues to be a favored method of attackers. Through highly targeted email messages, recipients are persuaded through clever social engineering tactics to click links that take them to spoofed sites containing malware, or provide logins, passwords or other credentials that the attackers can use to compromise online banking accounts.
Voice phishing, or Vishing, is a method of social engineering that is designed to steal payment card data and credentials over the phone or via SMS text messages. Fraudsters pose as banks or other institutions in order to trick victims into divulging their card information, and the data is then used for card-not-present transactions (e.g. shopping online or via phone) or it is encoded onto new cards to purchase goods or withdraw cash from ATMs.
Spear Phishing: 70% open rate, compared with a 3% open rate for mass spam emails.
Voice Phishing (“Vishing”): 23% of people in the UK have received a cold call requesting personal or financial information; 39% admitted they found it hard to tell the difference between a genuine and fraudulent call.
Sources: McAfee, Cisco, UK Payments
The Cost of an Attack
Phishing can cost organizations millions per attack in fraud-related losses and mitigation. Gartner Group estimates that phishing activities cost U.S. banks and credit card issuers $2.8 billion annually. In addition, victims incur direct losses of between $61 million and $3 billion per year in the U.S. alone [3].
Although some of the costs can be measured easily, others are far more difficult to quantify. Hard costs associated with phishing can be measured directly in terms of dollars, time and effort:
• Fraudulent charges associated with compromised credit cards
• Cash withdrawals or “pump and dump” schemes from compromised online trading accounts
• Employee time spent dealing with the fraudulent transactions
• Customer support calls
Soft costs, or intangible costs, are much more difficult to measure and can have a long-term impact on an organization’s brand.
COMPARISON BETWEEN TARGETED & SPEARPHISHING ATTACKS
Example of a Typical Campaign

                                      Mass Phishing Attack   Spearphishing Attack
                                      (Single Campaign)      (Single Campaign)
(A) Total Messages Sent in Campaign   1,000,000              1,000
(B) Block Rate                        99%                    99%
(C) Open Rate                         3%                     70%
(D) Click Through Rate                5%                     50%
Victims                               8                      2
Value per Victim                      $2,000                 $80,000
Total Value from Campaign             $16,000                $160,000
Attacks per Year                      10                     10
Total Potential Annual Loss           $160,000               $160,000,000

Source: © Cisco Security White Paper, Email Attacks: This Time It’s Personal
[3] https://www.hubinternational.com/blog/2016/10/email-phishing-cyber-attacks-go-mobile
Why Attacks are Still Successful
In social engineering attacks, it’s important to remember that the user is the weak point, but the bank is the ultimate target.
Many banking institutions have taken steps to address social engineering by strengthening security for users. Approaches include educating users through e-mail communications or adding security awareness education resources on websites, and even deployment of user-oriented security controls, like strong authentication.
But even with education and additional user controls, social engineering attacks are still successful, because the final decision is made by the user: the user authenticates to their bank, but the bank does not authenticate to the user.
“Protecting clients in phishing scenarios is often outside the control of the organization being phished.”
Trend Micro
Traditional Transaction Authorization - Exploiting the Weaknesses
Challenge for the user: No message authenticity
RISK: The hacker can present the user with a fraudulent transaction context by redirecting him to a fake web page.
It’s very difficult for the user to tell the difference between their real banking website and a fraudulent one. When a user receives a message or instructions from what looks like their banking organization, they often don’t question the authenticity of the message. This leaves them exposed to social engineering schemes.
Challenge for the Bank: No control on authorization decision
RISK: The hacker can convince the user to generate a signature and authorize a fraudulent transaction without the bank’s involvement.
In a typical transaction process, the bank has zero control over the authorization decision. The user is in the driver’s seat: they can authorize any request at any given time, including fraudulent ones. This is the main reason why social engineering schemes like phishing continue to be so successful.
[Figure: traditional transaction signing. Sign Transaction screen with Card number 589 425 971 565 and One-Time Password 174 261; a passcode generator displaying “Your Passcode 174261”. The passcode carries no transaction data.]
Addressing the Transaction Authorization Weaknesses
OneSpan CrontoSign has been designed to thwart social engineering and phishing attacks by taking the “trust” decisions out of the hands of the user, and ensuring only the bank can initiate a transaction signature request. The presented visual CrontoSign cryptogram contains all transaction data, including the device used, the transaction amount, and recipient account details.
• Establish a secure communication channel that enables message authenticity. Cronto assures the user that the transaction authorization request is coming from the bank.
• Enhanced WYSIWYS (What You See Is What You Sign) process. Cronto provides a complete and accurate picture of the transaction to the user for review and authorization. To eliminate the “authorization routine”, banks can visually and dynamically alert users of high-risk transactions.
• Bank controls the authorization process. Cronto assures the bank that a user can only authorize a legitimate transaction.
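The two weaknesses described under “Traditional Transaction Authorization” (no message authenticity for the user, no control over the authorization decision for the bank) and the three properties listed just above can be shown side by side in a small model. The following Python is an added example written for this page; it is not OneSpan or Cronto code and does not describe their protocol. It assumes a hypothetical per-user symmetric key shared between the bank and the user’s signing device (provisioned out of band), and every transaction value, nonce and name in it is constructed. The first scheme issues a transaction-independent one-time passcode; the second has the bank issue an authenticated, transaction-bound challenge that the device verifies, displays and signs, so that an altered request is refused, a captured signature cannot be replayed, and a substituted transaction is visible to the user before signing.

```python
"""Toy model: transaction-independent OTP vs. bank-issued, transaction-bound signing.

Added illustration, not OneSpan or Cronto code. Assumes a hypothetical per-user
symmetric key shared by bank and device; all transactions below are constructed.
"""
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, label: bytes, data: bytes) -> str:
    # Domain-separated HMAC so bank-issued and user-issued MACs can never collide.
    return hmac.new(key, label + b"|" + data, hashlib.sha256).hexdigest()


def canonical(tx: dict) -> bytes:
    # Stable encoding so bank and device MAC exactly the same bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample transactions: what the user intends vs. what an attacker wants.
INTENDED = {"amount": "150.00", "beneficiary": "ACME Utilities", "account": "ACCT-CONSTRUCTED-1"}
FRAUD = {"amount": "1500.00", "beneficiary": "J. Doe", "account": "ACCT-CONSTRUCTED-9"}


# --- Traditional scheme: a one-time passcode independent of the transaction ---
class OtpToken:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def next_code(self) -> str:
        # The code binds only key and counter; nothing about amount or beneficiary.
        self.counter += 1
        return _mac(self.key, b"otp", self.counter.to_bytes(8, "big"))[:6]


class OtpBank:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def authorize(self, tx: dict, code: str) -> bool:
        # The bank verifies the code but learns nothing about what the user saw.
        self.counter += 1
        expected = _mac(self.key, b"otp", self.counter.to_bytes(8, "big"))[:6]
        return hmac.compare_digest(expected, code)


# --- Bound scheme: authenticated bank challenge; the device signs what it shows ---
class SigningBank:
    def __init__(self, key: bytes) -> None:
        self.key, self.pending = key, {}

    def challenge(self, tx: dict) -> dict:
        # Only the bank starts a signing request: the challenge carries the full
        # transaction context plus a bank MAC the device checks before display.
        nonce = secrets.token_hex(8)
        self.pending[nonce] = tx
        body = canonical({"nonce": nonce, "tx": tx})
        return {"nonce": nonce, "tx": tx, "bank_mac": _mac(self.key, b"bank", body)}

    def authorize(self, nonce: str, signature: str) -> bool:
        # Verify against the bank's own stored transaction; each nonce is single-use.
        tx = self.pending.pop(nonce, None)
        if tx is None:
            return False
        expected = _mac(self.key, b"user", canonical({"nonce": nonce, "tx": tx}))
        return hmac.compare_digest(expected, signature)


class SigningDevice:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def display(self, ch: dict) -> dict:
        # Message authenticity: refuse a challenge the bank did not issue or that was altered.
        body = canonical({"nonce": ch["nonce"], "tx": ch["tx"]})
        if not hmac.compare_digest(_mac(self.key, b"bank", body), ch["bank_mac"]):
            raise ValueError("challenge was not issued by the bank")
        return ch["tx"]  # WYSIWYS: exactly this data is what gets signed

    def sign(self, ch: dict) -> str:
        tx = self.display(ch)
        return _mac(self.key, b"user", canonical({"nonce": ch["nonce"], "tx": tx}))


def otp_phished_code_accepted() -> bool:
    """A code phished from the user authorizes a transaction the user never saw."""
    key = secrets.token_bytes(32)
    token, bank = OtpToken(key), OtpBank(key)
    code = token.next_code()            # user types this into a spoofed page
    return bank.authorize(FRAUD, code)  # the attacker submits their own transaction with it


def bound_legitimate_flow() -> bool:
    key = secrets.token_bytes(32)
    device, bank = SigningDevice(key), SigningBank(key)
    ch = bank.challenge(INTENDED)
    return bank.authorize(ch["nonce"], device.sign(ch))


def bound_altered_challenge_rejected() -> bool:
    """A challenge whose amount was changed in transit fails the device's authenticity check."""
    key = secrets.token_bytes(32)
    device, bank = SigningDevice(key), SigningBank(key)
    tampered = {**bank.challenge(INTENDED)}
    tampered["tx"] = {**tampered["tx"], "amount": "1500.00"}
    try:
        device.sign(tampered)
    except ValueError:
        return True
    return False


def bound_replay_rejected() -> bool:
    """A captured signature cannot be submitted a second time."""
    key = secrets.token_bytes(32)
    device, bank = SigningDevice(key), SigningBank(key)
    ch = bank.challenge(INTENDED)
    sig = device.sign(ch)
    return bank.authorize(ch["nonce"], sig) and not bank.authorize(ch["nonce"], sig)


def bound_substitution_visible() -> bool:
    """If malware submits a different transaction, the device shows that one, not the intended one."""
    key = secrets.token_bytes(32)
    device, bank = SigningDevice(key), SigningBank(key)
    ch = bank.challenge(FRAUD)             # the submitted transaction was swapped before the bank saw it
    return device.display(ch) != INTENDED  # the user sees the mismatch on the device and can decline
```

The point of the contrast is where verification happens: in the OTP scheme the bank can only check that a code is fresh, so anything typed into a spoofed page authorizes whatever the attacker submits; in the bound scheme the bank verifies the signature against its own stored copy of the transaction, and the device refuses any challenge the bank did not authenticate, which is what gives the bank rather than the user the final say.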
[Figure: Scan & Sign on a mobile app (Bank by VASCO). Transaction overview shown for review: Card number 589 425 971 565; Amount $1.500,00; Foreign transaction; Name Beneficiary Jim R.D. Huffelton; Address Beneficiary 114 Wallton Road.]
Benefits of CrontoSign
• Mitigate human risk in online banking transactions: CrontoSign shifts transaction authorization control from the user to the trusted device and the bank.
• Improves user experience through scan & sign: CrontoSign enables fast adoption and brings both safety and simplicity to your users when signing online transactions.
• Enables flexible deployments: CrontoSign works on any screen and is available on both OneSpan hardware and software products. No data connection required.
• Combats social engineering and other online banking threats: CrontoSign helps to prevent fraud and strengthens protection against phishing attacks, Trojans, Man in the Middle (MitM) and Man in the Browser (MitB) attacks.
• Works with push notifications: CrontoSign can be used in a connected mobile mode, delivering secure, out-of-band (OOB) push notifications.
CrontoSign Product Suite
Software
• OneSpan Mobile Security Suite: Complete mobile application protection in an SDK form factor
• OneSpan Mobile Authenticator Studio: Visual transaction signing in software
Hardware
• Digipass 760: Portable visual transaction signing device
• Digipass 780: Portable visual transaction signing device with secure PIN pad
• Digipass 880: Smart Card Reader with touch screen
• Digipass 882: Smart Card Reader with PIN pad
Related Use Case: Secure PIN Delivery
Instead of delivering a user’s PIN in clear text via regular mail, banks can now deliver the PIN via an encrypted color Cronto image. Only the intended user with their secure device (mobile or hardware) will be able to scan and read the new PIN.
Banks can also choose to deliver the encrypted PIN via their online banking channel or email, thus eliminating the additional costs related to hardcopy PIN mailers.
Related Use Case: Mobile Cash
For cardless, mobile cash, a user simply opens their banking app, enters their PIN, and selects the account and the amount of withdrawal. A secure QR code is generated, containing the details of the transaction.
The user scans the QR code on the ATM with their device. Once the user confirms the request via a mobile PIN, the ATM dispenses cash.
Proven Technology, Proven Results
Trusted by Leading Brands Worldwide
• 1.7K+ financial institutions rely on OneSpan
• 50 consecutive quarters of profitability
• 21% compound annual growth rate in revenues from 2004-2014
• 10K+ customers in more than 100 countries
• +50% of the top 100 banks rely on OneSpan
• +200M authenticators sold worldwide
Proven Results
“We are constantly looking for new methods to provide our customers with the convenience of conducting online banking transactions with simplicity and safety.”
Marielle Lichtenstein, Head of Marketing - Rabobank
OneSpan enables financial institutions and other organizations to succeed by making bold advances in their digital transformation. We do this by establishing trust in people’s identities, the devices they use, and the transactions that shape their lives. We believe that this is the foundation of enhanced business enablement and growth. More than 10,000 customers, including over half of the top 100 global banks, rely on OneSpan solutions to protect their most important relationships and business processes. From digital onboarding to fraud mitigation to workflow management, OneSpan’s unified, open platform reduces costs, accelerates customer acquisition, and increases customer satisfaction.
Copyright © 2018 OneSpan North America Inc., all rights reserved. OneSpan™, DIGIPASS® and CRONTO® are registered or unregistered trademarks of OneSpan North America Inc. and/or OneSpan International GmbH in the U.S. and other countries. All other trademarks or trade names are the property of their respective owners. OneSpan reserves the right to make changes to specifications at any time and without notice. The information furnished by OneSpan in this document is believed to be accurate and reliable. However, OneSpan may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.
Last Update May 2018
CONTACT US
For more information: [email protected]