Account Takeover: Why Payment Fraud Protection is Not Enough

Size: px

Start display at page:

Download "Account Takeover: Why Payment Fraud Protection is Not Enough"

Sybil Hawkins
5 years ago
Views:

1 Cybercrime Protection Account Takeover: Why Payment Fraud Protection is Not Enough Mustafa Rassiwala, ThreatMetrix, Inc. April

2 Agenda 1. Customer Accounts Blessing or Curse? 2. Passwords Weakest Link 3. Account Takeover Data Breaches Vicious Cycle 4. Authentication Alternatives 5. ThreatMetrix Approach 6. Examples of Account Takeover Prevention 2

3 Customer Accounts - Blessing 3

4 Customer Accounts - Blessing Removing Customer Friction for Online Transactions 4

5 Customer Benefits Money Transfer Bill Pay and Account Pay Ease of doing online business 5

6 Customer Account Curse - Cybercriminals and Account Takeover Account Takeover Cybercriminals access genuine customer accounts using stolen identity credentials Username and Password 6

7 Secure Web Application? Sql Injection Cross-site Scripting Broken Session Management Insecure Direct Object Reference Security Misconfigurations Insecure Storage Account Takeover is not an Application Security Issue... 7

8 Identity and Trust Password Weakest Link in Security Cybercriminals enter through the front door 8

9 Authentication Principle 1. Something the user Knows 2. Something the user Has 3. Something the user Is or Does Password = Something Only the User Knows. Is it true? 9

sites frequented by your visitors will be hacked their personal info (name, emails, address, maiden name, etc.

10 Password Security Relies on Your Customers they will be phished their passwords will be stolen they will get malware on their computers they will lose their mobile device they will reuse passwords at multiple sites other sites frequented by your visitors will be hacked their personal info (name, s, address, maiden name, etc.) is accessible they will not be up to date on their OS and anti-virus they will get frustrated if they cannot login 10

Password Security 25 Worst Passwords in 2013 Rank Password Rank Password 1 123456 2 Password 3 12345678 4 qwerty 5 abc123 6 123456789 7 111111 8 1234567 9 Iloveyou 10 adobe123 11 12312312 12 admi

11 Password Security 25 Worst Passwords in 2013 Rank Password Rank Password Password qwerty 5 abc Iloveyou 10 adobe admi Letmein 15 photoshop Monkey 18 shadow 19 sunshine password1 22 princess 23 Azerty 24 trustno

12 How Does Account Takeover Happen? Data breach Malware Phishing 12

13 Malware Trojans that have traditionally targeted banks are now targeting retailers, payment providers Due to easily available malware kits, sophisticated attacks become very easy More and more sophisticated MitB attacks against retailers 13

14 Phishing Phishing is still highly effective Especially hybrid approaches to get around two-factor authentication 14

15 Data Breach 15

16 Complete List of Data Breaches - US 16

17 2 Sides of the Same Coin Data Breach Credit Card/Account Takeover Fraud 17

18 Organized Crime Data Breaches & Fraud Steal Data Breaches Steal Credit Card Data in Millions Steal Identities by Millions Underground Forums $10-$15 per Credit Card $5-$10 per Identity Sell Cash Drop Zones for Physical Goods Knock-off Sites for Digital Goods Classified Ads Card Not Present Account Takeover Financial Fraud Money Transfer Fraud 18

19 Underground Forums Buy/Sell Stolen Credit Card Data Rent Bot Infrastructure Matching Identity Data with Credit Card Details Identity Data ( /logins/Passw ords) 19

20 The Criminals Efforts are Paying Off Global Corporate Account Takeover Losses, 2011 to e2016 (In US$ millions) $721.8 $794 $627 $409.4 $454.8 $ e2012 e2013 e2014 e2015 e2016 Source: Aite Group,

21 Breaches Attack Surface Cybercriminals have a Significant Advantage Pervasive Enterprise Technology = Larger Attack Surface 21

22 Information Security Framework Ensure information is protected from exposure to unauthorized individuals Information Security CIA Triad Prevent unauthorized changes to information Availability Ensure information access by authorized users for legitimate purposes Note: From Information Security Illuminated (p.3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett

23 Breaches Security Paradox Regulations and Security Controls More than Ever Before Yet Number and Impact of Breaches Increasing Each Day 23

24 Authentication - Alternatives Something the User Has - SMS OTP - Software OTP - Hardware OTP - Smart Card - USB Token - X.509 Certificates Something the User Is - Human Fingerprint - Face Recognition - Voice Recognition 24

25 Balancing Act Security Customer Experience 25

26 ThreatMetrix Context Based Authentication Friction-less 2-Factor Authentication Something the User Has Persona/Identity Device Fingerprint Device Threats Network Attributes Geo-Location Attributes Something the User Does Behavior over time Actions Associations Reputation 26

Real-time Cybercrime Prevention Trusted User? Cyber Threat?

Fraud Prevention Context-Based Authentication Sensitive Data Protection

Associations & Related Events Behavior Analytics Behavior & Velocities

27 Real-time Cybercrime Prevention Trusted User? Cyber Threat? MITM & Proxies Device & Location Device Analytics MITB & Malware Advanced Fraud Prevention Context-Based Authentication Sensitive Data Protection Attributes & Activities Identity Analytics Identities & Personas Associations & Related Events Behavior Analytics Behavior & Velocities Worlds Largest Trusted Identity Network Patterns & Anomalies Customer Defined Policies Analyst & Trust Feedback 27

28 Building Trust On The Internet Frictionless Access for Trusted Users Drive More Revenue and Profitability 28

29 ThreatMetrix Solution Persona ID Online Identity Login Credit Card Data Account Ship To Address 29

Detection Location Intelligence True IP based Location GPS on mobile Network

30 ThreatMetrix Solution Device and Threat Device Identity Browser OS PC/Mobile Device Fingerprint IP Address VPN/Proxies Threat Intelligence Malware Detection Location Intelligence True IP based Location GPS on mobile Network Intelligence Proxy-Piercing Device Intelligence Cookie-less Device Identification 30

ThreatMetrix Solution Malware Detection Honeypot Detects Malware (MitB attacks) on devices targeting common highprofile sites Page Fingerprinting Detects

31 ThreatMetrix Solution Malware Detection Honeypot Detects Malware (MitB attacks) on devices targeting common highprofile sites Page Fingerprinting Detects Man-in-the- Browser (MitB) Attacks Cloud Based Malware Detection Whitelisting Technique does not rely on signatures Detects malware targeted to your specific site 31

32 ThreatMetrix Solution Transaction Data Online Payment Money Transfer New Account Login $50 Credit Card Bill To Ship To ACH Number Payee Info $500 Online ID Location Login Name Password 32

33 Examples Real-world scenarios from Global Trust Intelligence Network 33

34 Identity Spoofing Anomaly Indicators N Logins from same IP in a Time Period N Accounts accessed on the same device User Behavior Anomaly Distance Travelled Description Velocity rule triggers if the same IP address exceeds a configurable threshold (n) for logins within a configurable time period, eg: 1 day, 2 days, week, etc. Velocity rule detects if a single device is being used to access a configurable number of accounts (n) within a configurable time period. This typically indicates that the person using this device is exploiting multiple stolen account details. Detects if the same device has been used with N or more Persona attributes such as address, phone number, Bill To or Ship To Address etc within a configurable time period Detects if the same account login was used in N transactions that originated more than 100 miles apart 34

35 Device Spoofing Anomaly Indicators Images Disabled Geo Language Mismatch No Device ID Description Images could not be rendered on the connecting device. This typically indicates that a bot or script is being used to execute this transaction. Rule triggers if there is a discrepancy between the detected device language and the expected language for their True IP geographical region Rule triggers if a profiled device is lacking sufficient available attributes to form a complete device identifier. This indicates that the device is missing commonly available attributes (e.g no user agent, fonts or screen resolution is detected). 35

36 IP Spoofing Anomaly Indicators Proxy Detection VPN Detection IP Negative History Description ThreatMetrix uses multiple techniques to detect proxies. This rule triggers when anonymous or hidden proxies are detected Rule Triggers if VPN Detected This rule triggers if Proxy IP is on a local or Global Blacklist 36

37 Attack vectors 5.0% % transactions per attack vector 4.5% 4.0% 3.5% 3.0% 2.5% 2.0% 1.5% 1.0% 0.5% 0.0% geo_spoofing identity_spoofing ip_spoofing device_spoofing mitb_or_bot 37

38 Attack vectors event type 7% 6% % transactions per event type per attack vector 5% 4% 3% 2% 1% 0% account_creation login payment 7% 6% 5% 4% 3% 2% 1% 0% device_spoofing geo_spoofing identity_spoofing ip_spoofing mitb_or_bot % transactions per event type per attack vector account_creation login payment 38

39 18% 16% 14% 12% 10% 8% 6% 4% 2% 0% Attack vectors continent % transactions per attack vector per continent Africa Asia Australia Europe North America 18% 16% 14% 12% 10% 8% 6% 4% 2% 0% South America device_spoofing geo_spoofing identity_spoofing ip_spoofing mitb_or_bot % transactions per attack vector per continent Africa Asia Australia Europe North America South America 39

40 Attack vectors industry % transactions per attack vector per industry 8% 7% 6% 5% 4% 3% 2% 1% 0% Ecommerce Finance Other device_spoofing geo_spoofing identity_spoofing ip_spoofing mitb_or_bot % transactions per attack vector per industry 8% 7% 6% 5% 4% 3% 2% 1% 0% Ecommerce Finance Other 40

41 Attack vectors US vs. European enterprises 6% % transactions per attack vector US vs. European companies 5% 4% device_spoofing 3% geo_spoofing identity_spoofing 2% 1% ip_spoofing mitb_or_bot 0% Europe US % transactions per attack vector US vs. European companies 6% 5% 4% 3% 2% 1% Europe US 0% 41

42 Business Benefit Frictionless Customer Experience Transparent and Frictionless Authentication for Customers 42

43 Business Benefit Customer Protection Protect Customers Bad Things Happen to Good People Context Based Authentication Protect against Password Compromise 43

44 Business Benefit Protect from any Device Context Based Authentication from any device including mobile apps 44

45 The Global Trust Intelligence Network Questions Type questions into the Question feature in GoToWebinar We ll answer as many questions as time permits Remaining questions will be answered with follow-up s

46 Thank You For Attending 46

Keep the Door Open for Users and Closed to Hackers

Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According