Cybercrime Protection - Account Takeover: Why Payment Fraud Protection Is Not Enough
Mustafa Rassiwala, ThreatMetrix, Inc.
April 2014
Agenda
1. Customer Accounts: Blessing or Curse?
2. Passwords: The Weakest Link
3. Account Takeover and Data Breaches: A Vicious Cycle
4. Authentication Alternatives
5. ThreatMetrix Approach
6. Examples of Account Takeover Prevention
Customer Accounts - Blessing
Customer Accounts - Blessing
Removing customer friction for online transactions
Customer Benefits
- Money transfer
- Bill pay and account pay
- Ease of doing business online
Customer Accounts - Curse: Cybercriminals and Account Takeover
Account takeover: cybercriminals access genuine customer accounts using stolen identity credentials (username and password).
Secure Web Application?
- SQL injection
- Cross-site scripting
- Broken session management
- Insecure direct object reference
- Security misconfiguration
- Insecure storage
Account takeover is not an application security issue: an application free of every flaw above still accepts a valid username and password, whoever presents them.
Identity and Trust
- The password is the weakest link in security
- Cybercriminals enter through the front door, with a genuine customer's credentials
Authentication Principles
1. Something the user knows
2. Something the user has
3. Something the user is or does
Password = something only the user knows. Is that still true?
Password Security Relies on Your Customers
- They will be phished
- Their passwords will be stolen
- They will get malware on their computers
- They will lose their mobile devices
- They will reuse passwords at multiple sites
- Other sites frequented by your visitors will be hacked
- Their personal information (name, emails, address, mother's maiden name, etc.) is accessible
- They will not be up to date on their OS and anti-virus
- They will get frustrated if they cannot log in
Password Security - 25 Worst Passwords of 2013 (SplashData)
1. 123456  2. password  3. 12345678  4. qwerty  5. abc123
6. 123456789  7. 111111  8. 1234567  9. iloveyou  10. adobe123
11. 123123  12. admin  13. 1234567890  14. letmein  15. photoshop
16. 1234  17. monkey  18. shadow  19. sunshine  20. 12345
21. password1  22. princess  23. azerty  24. trustno1  25. 000000
Source: http://splashdata.com/press/worstpasswords2013.htm
How Does Account Takeover Happen?
- Data breach
- Malware
- Phishing
Malware
- Trojans that traditionally targeted banks now target retailers and payment providers
- Easily available malware kits make sophisticated attacks easy to mount
- More and more sophisticated Man-in-the-Browser (MitB) attacks against retailers
Phishing
- Phishing is still highly effective
- Especially hybrid approaches, such as a phishing page that relays the victim's one-time code to the real site in real time, to get around two-factor authentication
Data Breach
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Complete List of Data Breaches - US
Two Sides of the Same Coin
- Data breach
- Credit card / account takeover fraud
Organized Crime: Data Breaches & Fraud
- Steal: data breaches; credit card data stolen by the millions; identities stolen by the millions
- Sell: underground forums; $10-$15 per credit card; $5-$10 per identity
- Cash out: drop zones for physical goods; knock-off sites for digital goods; classified ads
- Resulting fraud: card-not-present fraud; account takeover; financial fraud; money transfer fraud
Underground Forums
- Buy/sell stolen credit card data
- Rent bot infrastructure
- Match identity data (email, logins, passwords) with credit card details
http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/#more-24130
The Criminals' Efforts Are Paying Off
Global corporate account takeover losses, 2011 to e2016 (in US$ millions; chart values in year order): 2011 $409.4; e2012 $454.8; e2013 $523; e2014 $627; e2015 $721.8; e2016 $794
Source: Aite Group, 2012
Breaches - Attack Surface
- Cybercriminals have a significant advantage
- Pervasive enterprise technology = larger attack surface
Information Security Framework - CIA Triad
- Confidentiality: ensure information is protected from exposure to unauthorized individuals
- Integrity: prevent unauthorized changes to information
- Availability: ensure information access by authorized users for legitimate purposes
Note: From Information Security Illuminated (p. 3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.
Breaches - Security Paradox
- More regulations and security controls than ever before
- Yet the number and impact of breaches increase every day
Authentication - Alternatives
Something the user has:
- SMS OTP
- Software OTP
- Hardware OTP
- Smart card
- USB token
- X.509 certificates
Something the user is:
- Fingerprint
- Face recognition
- Voice recognition
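Of the "something the user has" options above, a software OTP is the one a practitioner can build and inspect directly. The following is an added example, not ThreatMetrix code and not from the deck: HOTP (RFC 4226) and TOTP (RFC 6238) in Python, checked against the shared secret and code values published in those RFCs. The drift window and the replay guard (the `last_counter` parameter, a name chosen here) are verifier-side choices this example assumes; the secret is the RFC test secret, not a production value.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) software one-time passwords.
Added example; the secret below is the RFC test secret, not a production value."""
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 sec. 5.3: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at the offset given by the low nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second periods
    since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Verifier side. Accepts the current step plus `window` steps either side
    for clock drift. Returns the matched counter (the caller stores it) or None.
    RFC 6238 sec. 5.2: a code must not be accepted twice, so counters at or
    below `last_counter` are rejected even when the HMAC matches."""
    now = unix_time // step
    matched = None
    for c in range(now - window, now + window + 1):
        if c <= last_counter:
            continue
        # compare_digest keeps the comparison time independent of where the
        # digits differ; keep looping so the work done does not reveal a hit
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = c
    return matched


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))             # 755224 (RFC 4226 test table)
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 (RFC 6238 test table)
    print(verify_totp(RFC_TEST_SECRET, "287082", 59))  # 1, the matched counter
```

Note what this does not do: the code is accepted whatever page the user typed it into, so a phishing site that relays the code to the real site within the 30-second step passes this check. That is the hybrid phishing the earlier slide refers to; an OTP is a second factor, not a proof of which site the user is talking to.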
Balancing Act
Security vs. customer experience
ThreatMetrix Context-Based Authentication - Friction-less 2-Factor Authentication
- Something the user has: persona/identity; device fingerprint; device threats; network attributes; geo-location attributes
- Something the user does: behavior over time; actions; associations; reputation
Real-time Cybercrime Prevention - Trusted User? Cyber Threat?
- Device analytics: MITM & proxies; device & location; MITB & malware
- Identity analytics: attributes & activities; identities & personas; associations & related events
- Behavior analytics: behavior & velocities; patterns & anomalies
- Inputs: world's largest trusted identity network; customer-defined policies; analyst & trust feedback
- Outcomes: advanced fraud prevention; context-based authentication; sensitive data protection
Building Trust on the Internet
- Frictionless access for trusted users
- Drive more revenue and profitability
ThreatMetrix Solution - Persona ID (online identity)
- Login
- Email
- Credit card data
- Account
- Ship-to address
ThreatMetrix Solution - Device and Threat
- Device identity: browser, OS, PC/mobile, device fingerprint, IP address, VPN/proxies
- Threat intelligence: malware detection
- Location intelligence: true-IP-based location; GPS on mobile
- Network intelligence: proxy piercing
- Device intelligence: cookie-less device identification
ThreatMetrix Solution - Malware Detection
- Honeypot: detects malware (MitB attacks) on devices targeting common high-profile sites
- Page fingerprinting: detects Man-in-the-Browser (MitB) attacks
- Cloud-based malware detection: whitelisting technique that does not rely on signatures; detects malware targeted at your specific site
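Page fingerprinting works because a MitB trojan rewrites the page inside the victim's browser, typically injecting extra form fields (a PIN, a card number) into a login or payment page the server never sent. The following is an added example of that idea, not ThreatMetrix's implementation: the server keeps a fingerprint of the form controls it served, the rendered page's control list is compared against it, and any control that was not served is named. Both pages are constructed strings; in practice the rendered structure would be collected by a script in the browser and reported back.

```python
"""Page fingerprinting against Man-in-the-Browser (MitB) form injection.
Added example: the served form's control list is hashed and compared with the
control list of the page as rendered. Both pages below are constructed."""
import hashlib
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect (tag, type, name) for every form control in the document."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; <input .../> also lands here
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            self.fields.append((tag, (a.get("type") or "text").lower(), a.get("name") or ""))


def form_fields(html: str):
    p = FormFieldCollector()
    p.feed(html)
    return sorted(p.fields)


def form_fingerprint(html: str) -> str:
    """Whitelisting-style check: the fingerprint is a hash of the canonical
    (sorted) control list, so layout or whitespace changes do not matter but
    any added, removed or retyped control changes the hash."""
    canonical = "\n".join("|".join(f) for f in form_fields(html))
    return hashlib.sha256(canonical.encode()).hexdigest()


def page_is_intact(served_fingerprint: str, observed_html: str) -> bool:
    return form_fingerprint(observed_html) == served_fingerprint


def injected_controls(served_html: str, observed_html: str):
    """Controls in the rendered page that the server never sent."""
    served = set(form_fields(served_html))
    return [f for f in form_fields(observed_html) if f not in served]


# Constructed pages: the served login form, and the same page after a MitB
# trojan has injected a request for the card PIN.
SERVED_PAGE = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>"""

MITB_PAGE = SERVED_PAGE.replace(
    '<input type="password" name="password">',
    '<input type="password" name="password">\n  '
    '<input type="password" name="atm_pin" placeholder="ATM PIN (required)">')

if __name__ == "__main__":
    fp = form_fingerprint(SERVED_PAGE)
    print(page_is_intact(fp, SERVED_PAGE))          # True
    print(page_is_intact(fp, MITB_PAGE))            # False
    print(injected_controls(SERVED_PAGE, MITB_PAGE))  # [('input', 'password', 'atm_pin')]
```

Because the check is a whitelist of what was served, it needs no signature for the particular trojan, which is the point the slide makes. The limit is equally plain: a trojan that also hooks the reporting script can report the clean structure, so this raises the cost of MitB rather than ruling it out.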
ThreatMetrix Solution - Transaction Data
- Online payment: $50; credit card; bill-to; ship-to
- Money transfer: $500; ACH number; payee info
- New account: online ID; email; location
- Login: login name; password
Examples
Real-world scenarios from the Global Trust Intelligence Network
Identity Spoofing - Anomaly Indicators
- N logins from the same IP in a time period: velocity rule triggers if the same IP address exceeds a configurable threshold (n) for logins within a configurable time period, e.g. 1 day, 2 days, a week.
- N accounts accessed on the same device: velocity rule detects if a single device is being used to access a configurable number of accounts (n) within a configurable time period. This typically indicates that the person using the device is exploiting multiple stolen account details.
- User behavior anomaly: detects if the same device has been used with N or more persona attributes (email address, phone number, bill-to or ship-to address, etc.) within a configurable time period.
- Distance travelled: detects if the same account login was used in N transactions that originated more than 100 miles apart.
Device Spoofing - Anomaly Indicators
- Images disabled: images could not be rendered on the connecting device. This typically indicates that a bot or script is executing the transaction.
- Geo/language mismatch: rule triggers if there is a discrepancy between the detected device language and the expected language for the true IP's geographical region.
- No device ID: rule triggers if a profiled device lacks sufficient attributes to form a complete device identifier, i.e. commonly available attributes are missing (e.g. no user agent, fonts or screen resolution detected).
IP Spoofing - Anomaly Indicators
- Proxy detection: ThreatMetrix uses multiple techniques to detect proxies; this rule triggers when anonymous or hidden proxies are detected.
- VPN detection: rule triggers if a VPN is detected.
- IP negative history: rule triggers if the proxy IP is on a local or global blacklist.
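The three slides above (identity, device and IP spoofing indicators) describe rules of the same shape: a velocity count over a look-back window, a consistency check between two observed attributes, or a lookup against reference data. The following is an added example that runs such rules over a handful of constructed login events; it is not ThreatMetrix's rule engine, and the event schema, thresholds, language table and blacklist are all assumptions made here. The device identifier is the cookie-less kind the earlier slide mentions, formed by hashing stable attributes, so an event missing one of them yields no identifier and trips the "no device ID" rule. The persona-attribute rule is omitted because it has the same form as the accounts-per-device rule.

```python
"""Velocity and spoofing rules of the kind listed on the three preceding slides,
run over constructed login events. Added example: thresholds, the event
schema and the reference data are assumptions, not ThreatMetrix's."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int                  # unix seconds
    account: str
    ip: str
    lat: float               # location resolved from the true IP (assumed done upstream)
    lon: float
    ip_country: str
    language: str            # browser language, e.g. "en-US"
    user_agent: str = ""     # fingerprint inputs; "" means the attribute was not observed
    fonts: str = ""
    screen: str = ""
    images_loaded: bool = True
    proxy: bool = False      # anonymous/hidden proxy flagged upstream
    vpn: bool = False


EXPECTED_LANG = {"US": "en", "RU": "ru", "DE": "de"}  # constructed reference data
IP_BLACKLIST = {"203.0.113.9"}                         # constructed (TEST-NET-3 address)
POLICY = {"ip_logins": 3, "device_accounts": 2, "window": 86400, "distance_miles": 100}


def device_id(e: LoginEvent):
    """Cookie-less device identifier: hash of stable attributes. With any input
    missing no complete identifier can be formed, which is itself a signal."""
    parts = (e.user_agent, e.fonts, e.screen)
    if not all(parts):
        return None
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def miles_between(a: LoginEvent, b: LoginEvent) -> float:
    """Great-circle distance (haversine), mean earth radius 3958.8 miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))


def evaluate(events, policy=POLICY):
    """Return {index: set of rule names} for events given in chronological order.
    Velocity rules look back `window` seconds from each event, so a burst only
    trips on the login that crosses the threshold, not retroactively."""
    hits = defaultdict(set)
    for i, e in enumerate(events):
        recent = [x for x in events[:i + 1] if 0 <= e.ts - x.ts <= policy["window"]]
        dev = device_id(e)
        # identity spoofing: velocity rules
        if sum(x.ip == e.ip for x in recent) > policy["ip_logins"]:
            hits[i].add("ip_velocity")
        if dev and len({x.account for x in recent if device_id(x) == dev}) > policy["device_accounts"]:
            hits[i].add("device_accounts")
        if any(x.account == e.account and miles_between(x, e) > policy["distance_miles"]
               for x in recent):
            hits[i].add("distance_travelled")
        # device spoofing
        if not e.images_loaded:
            hits[i].add("images_disabled")
        expected = EXPECTED_LANG.get(e.ip_country)
        if expected and not e.language.lower().startswith(expected):
            hits[i].add("geo_language_mismatch")
        if dev is None:
            hits[i].add("no_device_id")
        # ip spoofing
        if e.proxy:
            hits[i].add("proxy")
        if e.vpn:
            hits[i].add("vpn")
        if e.ip in IP_BLACKLIST:
            hits[i].add("ip_negative_history")
    return dict(hits)


# Constructed sample: a genuine San Francisco login; the same account minutes
# later from a blacklisted proxy in Moscow with an incomplete fingerprint; then
# a four-account burst from one image-less (scripted) device on one IP.
SAMPLE_EVENTS = [
    LoginEvent(0, "alice", "198.51.100.7", 37.77, -122.42, "US", "en-US", "UA1", "F1", "1920x1080"),
    LoginEvent(600, "alice", "203.0.113.9", 55.75, 37.62, "RU", "en-US", "UA1", "", "1920x1080", proxy=True),
] + [
    LoginEvent(1000 + 10 * n, acct, "192.0.2.50", 40.71, -74.01, "US", "en-US",
               "UA2", "F2", "1366x768", images_loaded=False)
    for n, acct in enumerate(["bob", "carol", "dave", "erin"])
]

if __name__ == "__main__":
    for i, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(i, SAMPLE_EVENTS[i].account, sorted(rules))
```

Two things worth noticing in the output: the first login is clean and trips nothing, and the stuffing burst is caught first by the accounts-per-device rule (third account on the same fingerprint) and only one event later by the per-IP rule, because the device identifier is the tighter key. Thresholds of 3 and 2 are chosen to make that visible on six events; a real policy would be tuned per site and per event type, as the slides say.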
Attack Vectors (chart: % of transactions per attack vector, 0-5% scale; categories geo_spoofing, identity_spoofing, ip_spoofing, device_spoofing, mitb_or_bot; values not recoverable from the text)
Attack Vectors by Event Type (chart: % of transactions per event type per attack vector, 0-7% scale; event types account_creation, login, payment; attack vectors device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing, mitb_or_bot)
Attack Vectors by Continent (chart: % of transactions per attack vector per continent, 0-18% scale; Africa, Asia, Australia, Europe, North America, South America; same five attack vectors)
Attack Vectors by Industry (chart: % of transactions per attack vector per industry, 0-8% scale; Ecommerce, Finance, Other; same five attack vectors)
Attack Vectors - US vs. European Enterprises (chart: % of transactions per attack vector, 0-6% scale; Europe vs. US; same five attack vectors)
Business Benefit - Frictionless Customer Experience
Transparent and frictionless authentication for customers
Business Benefit - Customer Protection
- Protect customers: bad things happen to good people
- Context-based authentication protects against password compromise
Business Benefit - Protect from Any Device
Context-based authentication from any device, including mobile apps
The Global Trust Intelligence Network - Questions
- Type questions into the Question feature in GoToWebinar
- We'll answer as many questions as time permits
- Remaining questions will be answered in follow-up emails
www.threatmetrix.com | +1.408.200.5700 | sales@threatmetrix.com
Thank You for Attending