eBOOK SOCIAL ENGINEERING MITIGATING HUMAN RISK IN BANKING TRANSACTIONS



Exploiting the Desire to Trust

Social engineering is not a new concept, but it is an enduring one that is steadily growing, with no end in sight.

It works because we all have a natural human tendency to trust, and attackers manipulate that human factor, exploiting trust to steal valuable information.

One of the most common social engineering schemes is phishing, which is defined as “the use of social engineering and technical subterfuge to defraud an online account holder of their financial information by posing as a trusted identity.”

Phishing can be executed through multiple means, including spoofed emails, spoofed phone calls, web link manipulation and website forgeries; all with the goal of convincing your users to divulge confidential information, or participate unknowingly in fraudulent transactions.

“Social Engineering ... the art of manipulating people into performing actions or divulging confidential information”.


The Real Targets

In these social engineering attacks, the end user seems to be the obvious victim, but the actual target of the attack is the organization.

For financial services companies, few things are as potentially damaging as social engineering schemes like phishing. In 2017, the share of phishing attacks targeting banking and credit accounts rose from 47.5% to almost 54% of all phishing detections [1]. Year over year, 2017 saw a 59% increase in the total number of phishing attempts [2].

These types of attacks undermine consumer confidence in a brand, put customers at great risk of identity theft and cost the financial industry billions of dollars each year. As phishing and other forms of social engineering attacks continue to escalate, financial institutions find themselves constantly battling to find better ways to track the attacks and mitigate the potential damage.

[1] https://www.finextra.com/pressarticle/72837/financial-phishing-accounts-for-over-50-of-all-phishing-attacks-for-the-first-time
[2] https://usa.kaspersky.com/about/press-releases/2018_fifa-2018-and-bitcoin-among-2017-most-luring-topics

Types of organizations affected: 77% of phishing attempts fall into one of four sectors: Business and Professional Services (28%), Government (19%), Healthcare (15%) and Retail (15%). In Q2 2017, 67% of malware hitting organizations was part of a phishing attempt. Sources: NTT Security & Cisco.


Evolving Attack Methods

The mass mail approach to phishing has also evolved into other very effective varieties.

Spear phishing continues to be a favored method of attackers. Through highly targeted email messages, recipients are persuaded through clever social engineering tactics to click links that take them to spoofed sites containing malware, or provide logins, passwords or other credentials that the attackers can use to compromise online banking accounts.

Voice phishing, or vishing, is a method of social engineering designed to steal payment card data and credentials over the phone (or, in the SMS variant often called smishing, via text message). Fraudsters pose as banks or other institutions in order to trick victims into divulging their card information; the data is then used for card-not-present transactions (e.g. shopping online or by phone) or encoded onto new cards to purchase goods or withdraw cash from ATMs.

Spear phishing: 70% open rate, compared with a 3% open rate for mass spam emails. Voice phishing (“vishing”): 23% of people in the UK have received a cold call requesting personal or financial information, and 39% admitted they found it hard to tell the difference between a genuine and a fraudulent call. Sources: McAfee, Cisco, UK Payments.


The Cost of an Attack

Phishing can cost organizations millions per attack in fraud-related losses and mitigation. Gartner Group estimates that phishing activities cost U.S. banks and credit card issuers $2.8 billion annually. In addition, victims incur direct losses of between $61 million and $3 billion per year in the U.S. alone [3].

Although some of the costs can be measured easily, others are far more difficult to quantify. Hard costs associated with phishing can be measured directly in terms of dollars, time and effort.

• Fraudulent charges associated with compromised credit cards

• Cash withdrawals or “pump and dump” schemes from compromised online trading accounts

• Employee time spent dealing with the fraudulent transactions

• Customer support calls

Soft costs, or intangible costs, are much more difficult to measure and can have a long-term impact on an organization’s brand.

COMPARISON BETWEEN MASS PHISHING & SPEARPHISHING ATTACKS

Example of a typical campaign

                                       Mass phishing        Spearphishing
                                       (single campaign)    (single campaign)
(A) Total messages sent in campaign    1,000,000            1,000
(B) Block rate                         99%                  99%
(C) Open rate                          3%                   70%
(D) Click-through rate                 5%                   50%
Victims                                8                    2
Value per victim                       $2,000               $80,000
Total value from campaign              $16,000              $160,000
Attacks per year                       10                   10
Total potential annual loss            $160,000             $1,600,000

Reading the table: (A) × (1 − B) × (C) × (D) gives 15 and 3.5 clicking recipients respectively; the victim counts of 8 and 2 imply that roughly half of those who click go on to complete the fraudulent action (7.5 and 1.75, rounded). Total value from campaign is victims × value per victim, and total potential annual loss is attacks per year × total value from campaign, so the spearphishing figure is 10 × $160,000 = $1,600,000. The spearphisher sends a thousandth of the mail and extracts ten times the value per campaign.

Source: © Cisco Security White Paper, Email Attacks: This Time It’s Personal

[3] https://www.hubinternational.com/blog/2016/10/email-phishing-cyber-attacks-go-mobile


Why Attacks are Still Successful

In social engineering attacks, it’s important to remember that the user is the weak point, but the bank is the ultimate target.

Many banking institutions have taken steps to address social engineering by strengthening security for users. Approaches include educating users through e-mail communications or adding security awareness education resources on websites, and even deployment of user-oriented security controls, like strong authentication.

But even with education and additional user controls, social engineering attacks are still successful, because the final decision is made by the user: the user authenticates to their bank, but the bank does not authenticate to the user.

“Protecting clients in phishing scenarios is often outside the control of the organization being phished.”

Trend Micro


Traditional Transaction Authorization - Exploiting the Weaknesses

Challenge for the user: No message authenticity

RISK: The attacker can present the user with a fraudulent transaction context by redirecting them to a fake web page.

It’s very difficult for the user to tell the difference between their real banking website and a fraudulent one. When a user receives a message or instructions from what looks like their banking organization, they often don’t question the authenticity of the message. This leaves them exposed to social engineering schemes.

Challenge for the Bank: No control on authorization decision

RISK: The attacker can convince the user to generate a signature and authorize a fraudulent transaction without the bank’s involvement.

In a typical transaction process, the bank has zero control over the authorization decision. The user is in the driver’s seat: they can authorize any request at any time, including fraudulent ones. Because the one-time code is generated on the user’s side and is not tied to the transaction the bank actually receives, the bank cannot distinguish a legitimate authorization from one a phisher talked the user into producing. This is the main reason why social engineering schemes like phishing continue to be so successful.

[Illustration: traditional flow. A “Sign Transaction” form asks for the card number (589 425 971 565) and a one-time password (174 261); a separate passcode generator shows “Your Passcode 174261”. The code carries no transaction data.]


Addressing the Transaction Authorization Weaknesses

OneSpan CrontoSign has been designed to thwart social engineering and phishing attacks by taking the “trust” decision out of the hands of the user and ensuring that only the bank can initiate a transaction signature request. The visual CrontoSign cryptogram presented to the user contains all transaction data, including the device used, the transaction amount and the recipient account details.

Establish a secure communication channel that enables message authenticity. Cronto assures the user that the transaction authorization request is coming from the bank.

Enhanced WYSIWYS (What You See Is What You Sign) process. Cronto provides a complete and accurate picture of the transaction to the user for review and authorization. To break the “authorization routine” of approving without reading, banks can visually and dynamically alert users to high-risk transactions.

Bank controls the authorization process. Cronto assures the bank that a user can only authorize a transaction the bank itself issued for signing.

[Illustration: “Scan & Sign” screen of a MyBank (by VASCO) app. Transaction overview: card number 589 425 971 565; amount $1.500,00; foreign transaction; beneficiary name Jim R.D. Huffelton; beneficiary address 114 Wallton Road.]
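The two designs contrasted on this page and the previous one, as an added example that is not OneSpan’s or Cronto’s code: a Python model of a counter-based one-time code that carries no transaction data, beside a bank-initiated, device-mediated signing flow. The shared device key, the message layout (nonce, canonical JSON transaction, HMAC-SHA256 tag), the use of a MAC rather than encryption for the “cryptogram”, and the account identifiers and amounts are assumptions; the real Cronto image is encrypted and decoded optically, which this model reduces to a byte string handed from bank to device.

```python
# Added example, not OneSpan/Cronto code: a toy model of the two designs
# contrasted above. Keys, message layouts and the "visual channel" (here a
# byte string handed from bank to device) are assumptions; the accounts and
# amounts are constructed sample data.
import hashlib, hmac, json, secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 8, 32

@dataclass(frozen=True)
class Transaction:
    amount: str        # decimal string, e.g. "1500.00"
    beneficiary: str   # recipient account identifier
    currency: str = "USD"

    def encode(self):
        # Fixed field order, no whitespace: bank and device MAC identical bytes.
        return json.dumps([self.amount, self.currency, self.beneficiary],
                          separators=(",", ":")).encode()

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

# Traditional design: a counter-based OTP that carries no transaction data,
# so whoever learns the code can submit it with any request.
def legacy_otp(key, counter):
    digest = _mac(key, b"otp", counter.to_bytes(8, "big"))
    return int.from_bytes(digest[:4], "big") % 1_000_000

def legacy_bank_accepts(key, counter, otp, tx):
    # `tx` plays no part: the bank cannot tell what the user meant to approve.
    return otp == legacy_otp(key, counter)

# Bank-initiated design: the bank issues an authenticated challenge carrying
# the transaction; the device displays that and signs nothing else.
class Bank:
    def __init__(self, device_key):
        self.key = device_key
        self.pending = {}                   # nonce -> transaction the bank issued

    def issue_challenge(self, tx):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.pending[nonce] = tx
        payload = nonce + tx.encode()
        return payload + _mac(self.key, b"challenge", payload)

    def verify_response(self, nonce, response):
        tx = self.pending.pop(nonce, None)  # one-shot: each challenge answered once
        if tx is None:
            return False
        expected = _mac(self.key, b"response", nonce + tx.encode())
        return hmac.compare_digest(expected, response)

class Device:
    def __init__(self, device_key):
        self.key = device_key

    def decode(self, cryptogram):
        payload, tag = cryptogram[:-TAG_LEN], cryptogram[-TAG_LEN:]
        if not hmac.compare_digest(_mac(self.key, b"challenge", payload), tag):
            raise ValueError("challenge was not issued by the bank")
        amount, currency, beneficiary = json.loads(payload[NONCE_LEN:])
        return payload[:NONCE_LEN], Transaction(amount, beneficiary, currency)

    def sign(self, nonce, shown):
        # Signs exactly the transaction that was displayed to the user.
        return _mac(self.key, b"response", nonce + shown.encode())

def run_scenarios():
    key = secrets.token_bytes(32)                            # shared at enrolment
    intended = Transaction("1500.00", "ACCT-0001-INTENDED")  # constructed
    hijacked = Transaction("1500.00", "ACCT-0002-ATTACKER")  # constructed
    out = {}
    # Phished OTP: generated by the user for `intended`, submitted by the
    # attacker alongside `hijacked`. Nothing in the check can notice.
    otp = legacy_otp(key, 7)
    out["legacy_otp_valid_for_any_tx"] = legacy_bank_accepts(key, 7, otp, hijacked)
    bank, device = Bank(key), Device(key)
    # Honest flow: decode, user confirms the display, device signs, bank accepts.
    n1, shown = device.decode(bank.issue_challenge(intended))
    out["honest_flow_accepted"] = (shown == intended and
                                   bank.verify_response(n1, device.sign(n1, shown)))
    # Fake bank page: without the key the attacker cannot forge a challenge, so
    # the device never displays, let alone signs, the attacker's transaction.
    forged = secrets.token_bytes(NONCE_LEN) + hijacked.encode() + secrets.token_bytes(TAG_LEN)
    try:
        device.decode(forged)
        out["forged_challenge_rejected"] = False
    except ValueError:
        out["forged_challenge_rejected"] = True
    # Man-in-the-browser swaps the beneficiary before the request reaches the
    # bank: the challenge is genuine, but the device shows the attacker's account,
    # so the user sees the swap and can decline.
    n2, shown2 = device.decode(bank.issue_challenge(hijacked))
    out["mitb_swap_visible_on_device"] = shown2 != intended
    # An honest signature for `intended` cannot be redirected to `hijacked`:
    # the response is bound to the nonce and transaction the bank issued.
    n3, shown3 = device.decode(bank.issue_challenge(intended))
    out["signature_bound_to_issued_tx"] = not bank.verify_response(n2, device.sign(n3, shown3))
    return out
```

Calling run_scenarios() returns a dict of scenario names to booleans, all of which come out True, including legacy_otp_valid_for_any_tx, which is the weakness described on the previous page: the phished code authorizes whatever the attacker submits with it. Two properties carry the bank-initiated design: only a holder of the device key can produce a challenge the device will display, and the device’s response is bound to the nonce and transaction the bank actually issued, so neither a fake page nor a browser-side swap can redirect an authorization unnoticed. What no protocol fixes is a user who reads the displayed beneficiary and approves it anyway, which is why the page pairs the technology with visible alerting on high-risk transactions.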


Benefits of CrontoSign

Mitigate human risk in online banking transactions. CrontoSign shifts transaction authorization control from the user to the trusted device and the bank.

Improves user experience through scan & sign. CrontoSign enables fast adoption and brings both safety and simplicity to your users when signing online transactions.

Enables flexible deployments. CrontoSign works on any screen and is available on both OneSpan hardware and software products. No data connection is required.

Combats social engineering and other online banking threats. CrontoSign helps to prevent fraud and strengthens protection against phishing attacks, Trojans, Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks.

Works with push notifications. CrontoSign can be used in a connected mobile mode, delivering secure, out-of-band (OOB) push notifications.


CrontoSign Product Suite

Hardware

• Digipass 760: portable visual transaction signing device

• Digipass 780: portable visual transaction signing device with secure PIN pad

• Digipass 880: smart card reader with touch screen

• Digipass 882: smart card reader with PIN pad

Software

• OneSpan Mobile Security Suite: complete mobile application protection in an SDK form factor

• OneSpan Mobile Authenticator Studio: visual transaction signing in software


Related Use Case: Secure PIN Delivery

Instead of delivering a user’s PIN in clear text via regular mail, banks can now deliver the PIN via an encrypted color Cronto image. Only the intended user with their secure device (mobile or hardware) will be able to scan and read the new PIN.

Banks can also choose to deliver the encrypted PIN via their online banking channel or email, thus eliminating the additional costs related to hardcopy PIN mailers.


Related Use Case: Mobile Cash

For cardless, mobile cash, a user simply opens their banking app, enters their PIN, and selects the account and the amount of withdrawal. A secure QR code is generated, containing the details of the transaction.

The user scans the QR code on the ATM with their device. Once the user confirms the request via a mobile PIN, the ATM dispenses the cash.


Proven Technology, Proven Results

Trusted by Leading Brands Worldwide

• 1.7K+ financial institutions rely on OneSpan

• 50 consecutive quarters of profitability

• 21% compound annual growth rate in revenues from 2004-2014

• 10K+ customers in more than 100 countries

• Over 50% of the top 100 banks rely on OneSpan

• 200M+ authenticators sold worldwide


Proven Results

“We are constantly looking for new methods to provide our customers with the convenience of conducting online banking transactions with simplicity and safety.”

Marielle Lichtenstein, Head of Marketing - Rabobank


OneSpan enables financial institutions and other organizations to succeed by making bold advances in their digital transformation. We do this by establishing trust in people’s identities, the devices they use, and the transactions that shape their lives. We believe that this is the foundation of enhanced business enablement and growth. More than 10,000 customers, including over half of the top 100 global banks, rely on OneSpan solutions to protect their most important relationships and business processes. From digital onboarding to fraud mitigation to workflow management, OneSpan’s unified, open platform reduces costs, accelerates customer acquisition, and increases customer satisfaction.

Copyright © 2018 OneSpan North America Inc., all rights reserved. OneSpan™, DIGIPASS® and CRONTO® are registered or unregistered trademarks of OneSpan North America Inc. and/or OneSpan International GmbH in the U.S. and other countries. All other trademarks or trade names are the property of their respective owners. OneSpan reserves the right to make changes to specifications at any time and without notice. The information furnished by OneSpan in this document is believed to be accurate and reliable. However, OneSpan may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Last Update May 2018

CONTACT US

For more information: [email protected]