Account Takeover: Why Payment Fraud Protection is Not Enough


Cybercrime Protection. Account Takeover: Why Payment Fraud Protection is Not Enough. Mustafa Rassiwala, ThreatMetrix, Inc. April 2014

Agenda
1. Customer Accounts - Blessing or Curse?
2. Passwords - Weakest Link
3. Account Takeover and Data Breaches - Vicious Cycle
4. Authentication Alternatives
5. ThreatMetrix Approach
6. Examples of Account Takeover Prevention

Customer Accounts - Blessing

Customer Accounts - Blessing: Removing Customer Friction for Online Transactions

Customer Benefits
- Money Transfer
- Bill Pay and Account Pay
- Ease of doing online business

Customer Accounts - Curse: Cybercriminals and Account Takeover
Account Takeover: cybercriminals access genuine customer accounts using stolen identity credentials (username and password).

Secure Web Application?
- SQL Injection
- Cross-site Scripting
- Broken Session Management
- Insecure Direct Object Reference
- Security Misconfigurations
- Insecure Storage
Account Takeover is not an Application Security Issue...

Identity and Trust: Password - Weakest Link in Security. Cybercriminals enter through the front door.

Authentication Principle
1. Something the user Knows
2. Something the user Has
3. Something the user Is or Does
Password = Something Only the User Knows. Is it true?

Password Security Relies on Your Customers
- they will be phished
- their passwords will be stolen
- they will get malware on their computers
- they will lose their mobile device
- they will reuse passwords at multiple sites
- other sites frequented by your visitors will be hacked
- their personal info (name, emails, address, maiden name, etc.) is accessible
- they will not be up to date on their OS and anti-virus
- they will get frustrated if they cannot login

Password Security: 25 Worst Passwords in 2013
Rank  Password
1     123456
2     Password
3     12345678
4     qwerty
5     abc123
6     123456789
7     111111
8     1234567
9     Iloveyou
10    adobe123
11    12312312
12    admi
13    1234567890
14    Letmein
15    photoshop
16    1234
17    Monkey
18    shadow
19    sunshine
20    12345
21    password1
22    princess
23    Azerty
24    trustno1
25    000000
Source: http://splashdata.com/press/worstpasswords2013.htm

How Does Account Takeover Happen?
- Data breach
- Malware
- Phishing

Malware
- Trojans that have traditionally targeted banks are now targeting retailers and payment providers
- Due to easily available malware kits, sophisticated attacks become very easy
- More and more sophisticated MitB (Man-in-the-Browser) attacks against retailers

Phishing
- Phishing is still highly effective
- Especially hybrid approaches to get around two-factor authentication

Data Breach: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Complete List of Data Breaches - US

2 Sides of the Same Coin: Data Breach and Credit Card/Account Takeover Fraud

Organized Crime: Data Breaches & Fraud
- Steal: data breaches steal credit card data in the millions and identities by the millions
- Sell: underground forums, $10-$15 per credit card, $5-$10 per identity
- Cash: drop zones for physical goods, knock-off sites for digital goods, classified ads; card-not-present fraud, account takeover, financial fraud, money transfer fraud

Underground Forums
- Buy/sell stolen credit card data
- Rent bot infrastructure
- Matching identity data with credit card details
- Identity data (email/logins/passwords)
http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-fromtarget/#more-24130

The Criminals' Efforts are Paying Off
[Chart: Global Corporate Account Takeover Losses, 2011 to e2016 (in US$ millions). Bar labels as extracted: $721.8, $794, $627, $409.4, $454.8, $523; year labels: 2011, e2012, e2013, e2014, e2015, e2016; the value-to-year mapping is not recoverable from the extraction. Source: Aite Group, 2012]

Breaches - Attack Surface: Cybercriminals have a Significant Advantage. Pervasive Enterprise Technology = Larger Attack Surface.

Information Security Framework: CIA Triad
- Confidentiality: ensure information is protected from exposure to unauthorized individuals
- Integrity: prevent unauthorized changes to information
- Availability: ensure information access by authorized users for legitimate purposes
Note: From Information Security Illuminated (p. 3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.

Breaches - Security Paradox: regulations and security controls more than ever before, yet the number and impact of breaches are increasing each day.

Authentication - Alternatives
Something the User Has:
- SMS OTP
- Software OTP
- Hardware OTP
- Smart Card
- USB Token
- X.509 Certificates
Something the User Is:
- Human Fingerprint
- Face Recognition
- Voice Recognition

Balancing Act: Security vs. Customer Experience

ThreatMetrix Context Based Authentication: Friction-less 2-Factor Authentication
Something the User Has (Persona/Identity):
- Device Fingerprint
- Device Threats
- Network Attributes
- Geo-Location Attributes
Something the User Does:
- Behavior over time
- Actions
- Associations
- Reputation

Real-time Cybercrime Prevention: Trusted User? Cyber Threat? (diagram labels)
- Device Analytics (Device & Location): MITM & Proxies, MITB & Malware
- Identity Analytics (Identities & Personas): Attributes & Activities, Associations & Related Events
- Behavior Analytics (Behavior & Velocities): Patterns & Anomalies
- Protection layers: Advanced Fraud Prevention, Context-Based Authentication, Sensitive Data Protection
- World's Largest Trusted Identity Network, Customer Defined Policies, Analyst & Trust Feedback

Building Trust On The Internet: Frictionless Access for Trusted Users; Drive More Revenue and Profitability

ThreatMetrix Solution - Persona ID (Online Identity)
- Login
- Email
- Credit Card Data
- Account
- Ship To Address

ThreatMetrix Solution - Device and Threat
- Device Identity: Browser, OS, PC/Mobile, Device Fingerprint, IP Address, VPN/Proxies
- Threat Intelligence: Malware Detection
- Location Intelligence: True IP based Location, GPS on mobile
- Network Intelligence: Proxy-Piercing
- Device Intelligence: Cookie-less Device Identification

ThreatMetrix Solution - Malware Detection
- Honeypot: detects malware (MitB attacks) on devices targeting common high-profile sites
- Page Fingerprinting: detects Man-in-the-Browser (MitB) attacks
- Cloud Based Malware Detection: whitelisting technique that does not rely on signatures; detects malware targeted to your specific site

ThreatMetrix Solution - Transaction Data
- Online Payment ($50): Credit Card, Bill To, Ship To
- Money Transfer ($500): ACH Number, Payee Info
- New Account: Online ID, Email, Location
- Login: Login Name, Password

Examples: Real-world scenarios from the Global Trust Intelligence Network

Identity Spoofing Anomaly Indicators
- N Logins from same IP in a Time Period: velocity rule triggers if the same IP address exceeds a configurable threshold (n) for logins within a configurable time period, e.g. 1 day, 2 days, week, etc.
- N Accounts accessed on the same device: velocity rule detects if a single device is being used to access a configurable number of accounts (n) within a configurable time period. This typically indicates that the person using this device is exploiting multiple stolen account details.
- User Behavior Anomaly: detects if the same device has been used with N or more Persona attributes such as email address, phone number, Bill To or Ship To address etc. within a configurable time period.
- Distance Travelled: detects if the same account login was used in N transactions that originated more than 100 miles apart.

Device Spoofing Anomaly Indicators
- Images Disabled: images could not be rendered on the connecting device. This typically indicates that a bot or script is being used to execute this transaction.
- Geo Language Mismatch: rule triggers if there is a discrepancy between the detected device language and the expected language for the device's True IP geographical region.
- No Device ID: rule triggers if a profiled device is lacking sufficient available attributes to form a complete device identifier. This indicates that the device is missing commonly available attributes (e.g. no user agent, fonts or screen resolution is detected).

IP Spoofing Anomaly Indicators
- Proxy Detection: ThreatMetrix uses multiple techniques to detect proxies. This rule triggers when anonymous or hidden proxies are detected.
- VPN Detection: rule triggers if a VPN is detected.
- IP Negative History: this rule triggers if the proxy IP is on a local or global blacklist.
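The velocity and distance rules from the identity-spoofing indicator table above, run over a handful of login events, as an added example that is not ThreatMetrix code. The event layout, the sample data and the reading of "Distance Travelled" as any pair of logins more than 100 miles apart are assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
# Constructed sample logins: (timestamp, account, source IP, device id, True-IP lat, lon)
EVENTS = [
    ("2014-04-01T10:00:00", "alice", "203.0.113.5",  "dev-A", 37.77, -122.42),
    ("2014-04-01T10:05:00", "bob",   "203.0.113.5",  "dev-A", 37.77, -122.42),
    ("2014-04-01T10:07:00", "carol", "203.0.113.5",  "dev-A", 37.77, -122.42),
    ("2014-04-01T11:00:00", "alice", "198.51.100.9", "dev-C", 40.71, -74.01),
    ("2014-04-02T09:00:00", "erin",  "192.0.2.44",   "dev-D", 51.51, -0.13),
]

def _parse(events):
    return [(datetime.fromisoformat(t),) + tuple(rest) for t, *rest in events]

def _velocity(events, key_idx, value_idx, n, window_hours):
    # Generic velocity rule: keys (IP or device) whose events reach n inside any sliding
    # window; value_idx=None counts raw events, otherwise distinct values (e.g. accounts).
    window, by_key, hits = timedelta(hours=window_hours), defaultdict(list), set()
    for ev in sorted(_parse(events)):
        by_key[ev[key_idx]].append((ev[0], None if value_idx is None else ev[value_idx]))
    for key, rows in by_key.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window forward
                start += 1
            seen = rows[start:end + 1]
            if (len(seen) if value_idx is None else len({v for _, v in seen})) >= n:
                hits.add(key)
    return hits

def ip_login_velocity(events, n, window_hours=24):
    """First identity-spoofing rule: the same IP reaches n logins within the time period."""
    return _velocity(events, key_idx=2, value_idx=None, n=n, window_hours=window_hours)

def device_account_velocity(events, n, window_hours=24):
    """Second rule: one device is used to access n or more distinct accounts in the period."""
    return _velocity(events, key_idx=3, value_idx=1, n=n, window_hours=window_hours)
def _miles(lat1, lon1, lat2, lon2):  # haversine great-circle distance in statute miles
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(a))

def distance_travelled(events, miles=100):
    """Distance Travelled rule (N=2): one login used from two origins more than `miles` apart."""
    pts = defaultdict(list)
    for _, acct, _, _, lat, lon in _parse(events):
        pts[acct].append((lat, lon))
    return {a for a, p in pts.items()
            if any(_miles(*p[i], *p[j]) > miles for i in range(len(p)) for j in range(i + 1, len(p)))}
```

On the constructed data the shared IP and device dev-A trip the two velocity rules at n=3, and alice's San Francisco to New York logins an hour apart trip the distance rule.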

[Chart: Attack vectors - % transactions per attack vector. Vectors: geo_spoofing, identity_spoofing, ip_spoofing, device_spoofing, mitb_or_bot. Y axis 0% to 5%.]

[Chart: Attack vectors by event type - % transactions per event type per attack vector. Event types: account_creation, login, payment. Vectors: device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing, mitb_or_bot. Y axis 0% to 7%.]

[Chart: Attack vectors by continent - % transactions per attack vector per continent. Continents: Africa, Asia, Australia, Europe, North America, South America. Same five vectors. Y axis 0% to 18%.]

[Chart: Attack vectors by industry - % transactions per attack vector per industry. Industries: Ecommerce, Finance, Other. Same five vectors. Y axis 0% to 8%.]

[Chart: Attack vectors - US vs. European enterprises. % transactions per attack vector, US vs. European companies. Same five vectors. Y axis 0% to 6%.]

Business Benefit - Frictionless Customer Experience: Transparent and Frictionless Authentication for Customers

Business Benefit - Customer Protection: Protect Customers (Bad Things Happen to Good People); Context Based Authentication protects against Password Compromise

Business Benefit - Protect from any Device: Context Based Authentication from any device, including mobile apps

The Global Trust Intelligence Network. Questions: type questions into the Question feature in GoToWebinar. We'll answer as many questions as time permits; remaining questions will be answered with follow-up emails. www.threatmetrix.com, +1.408.200.5700, sales@threatmetrix.com

Thank You For Attending