Working with the banking sector to prevent and detect criminal money flows on the Internet Dave O’Reilly, Chief Technologist, FTR Solutions Co-funded by.

Presentation transcript:

Working with the banking sector to prevent and detect criminal money flows on the Internet Dave O’Reilly, Chief Technologist, FTR Solutions Co-funded by the Justice Programme of the European Union

Introduction The mission of FTR Solutions is to increase the security of financial services. Established by Dave O’Reilly in Anti-fraud/security technology evaluation and selection. Online banking (authentication/authorisation solutions), mobile banking solutions, ATMs (skimming, card trapping, malware solutions). Also expertise in IT/information security and data protection.

WORKING WITH FINANCIAL INSTITUTIONS

Working with Financial Institutions Who? –Different public institutions will engage with financial institutions in different ways. Some examples: Crime prevention or investigation Intelligence gathering Compliance reporting or investigation “Working with financial institutions to prevent and detect criminal money flows on the Internet”

Working with Financial Institutions Who? –Different financial institutions will require different types of engagement. Some examples: Banks Card schemes Payment service providers Foreign financial institutions “Working with financial institutions to prevent and detect criminal money flows on the Internet”

Working with Financial Institutions “Working with financial institutions to prevent and detect criminal money flows on the Internet” Awareness, Prevention, Detection, Response. Public-private information sharing and analysis. Awareness campaigns for financial institutions. Public-public, public-private and private-private cooperation and information exchange. Joint public awareness campaigns. Regulatory and supervisory measures. Appropriate legal framework. Reporting requirements. Analysis for criminal money on the Internet red flags. Specialised high-tech crime units. Appropriate legal framework. Specialised high-tech crime units. Public-public, public-private and private-private response coordination.

UNDERSTANDING THE PROBLEM: CRIMINAL MONEY FLOWS ON THE INTERNET

Criminal Money Tools and Infrastructure Predicate Offences Laundering Typologies

Example Predicate Offences: Identity Theft; Payment Card Fraud; Online Banking Attacks, Misuse and Account Take-Over; Confidence Fraud, Including Advance-Fee Fraud and Auction Fraud; Investment Fraud, Including Stock Market Manipulation; Pyramid and Other Multi-Level Marketing Schemes; Child Abuse Materials; Sale of Counterfeit Pharmaceuticals; Violation of Copyrights and Related Rights; Online Extortion

Laundering Typologies Money Remittance Providers Wire Transfers Bank Account Take-Over Cash Withdrawals Internet Payment Services Money Mules International Transfers Digital/Electronic Currency Purchase Through the Internet Shell Companies Prepaid Cards Online Gaming and Online Trading Platforms Third Party Funding (including straw men and nominees) Exploitation of non-face-to-face nature of new payment method (NPM) accounts Complicit NPM Providers or Their Employees

Tools and Infrastructure Identity Theft, Card Fraud, Banking Attacks, Confidence Fraud, Investment Fraud, MLM Schemes, Child Abuse, Counterfeit Pharmaceuticals, Copyright Infringement, Online Extortion. Botnets ✔✔✔✔✔✔✔ Malware ✔✔✔✔ Spam ✔✔✔✔ Proxies ✔✔✔✔✔✔✔✔✔✔ Bulletproof Hosting ✔✔✔✔✔✔ Underground Economy ✔✔✔✔ Other ✔✔✔✔✔✔✔✔✔✔

CASE STUDY: BANKING MALWARE

What is Malware? Malware = “Malicious Software”. Many types of malware: viruses, worms, trojans, spyware, adware, rootkits, ransomware. In 2015, over 140 million new types of malware were identified, with almost 500 million different types of malware identified in total. –Source: In 2015, Kaspersky alone registered almost 2 million attempted malware infections that aimed to steal money via online access to bank accounts. –Source: security-bulletin-2015-overall-statistics-for-2015/

What is Malware? Once infected, PCs can be used by fraudsters to perform a variety of tasks. For example: –Send spam –Attack other computers –Monitor user activity –Steal credentials –Install further malware –Pop up ads –Hold customer files for ransom

Banking Malware The category of malware specifically designed to target customers’ online banking activity. Principally used to steal customers’ money. However, theft of a customer’s credentials may also allow the transfer of funds through the customer’s account.

How does it work? - Example [Diagram showing: Customer PC, Online Bank, C&C Server, Mule, Criminal]

Criminal Money Flows Banking malware (and the corresponding account takeover) represents a challenge by facilitating both a predicate offence (theft of customer funds) and a laundering typology (layering transactions through compromised accounts). Awareness, Prevention, Detection, Response.

Awareness FI Awareness –Information and intelligence sharing Customer Awareness –Customer education campaigns Public Sector Awareness –Involvement in information sharing initiatives –Public-private cooperation

Prevention Customer endpoint protection –Free anti-virus or other software Online banking technical controls –2 factor authentication Transaction controls –Do not allow setting up beneficiaries, particularly international beneficiaries, online

Detection Technical controls to detect deviations in customer transaction patterns. For example: –Logins from unusual locations –Unusual transaction patterns –Setting up of unusual beneficiaries

Response Public-private cooperation to target criminal infrastructure. –Robust command-and-control (C&C) infrastructure –Often has a limited impact on criminal operations. International investigations

Infrastructure [Diagram labels: Infected PCs, “Front end”, C&C Server, “Back end”, Web Server, Database Server, DNS Server, Firewall]

CASE STUDY: PAYMENT CARD FRAUD

Payment Card Fraud Any one of a number of techniques can be used to compromise a customer’s card details; ATM skimming and POS malware being two examples. Captured card details are then frequently traded or sold online using specific websites (carder forums, underground economy).

Criminal Money Flows How fraudsters monetise captured card data relates directly to multiple online laundering typologies. Specifically: –Purchases through the Internet –Cash withdrawals –Prepaid cards –Online gaming and online trading platforms –Internet payment services. Awareness, Prevention, Detection, Response.

Awareness FI Awareness –Information and intelligence sharing –Understanding of the criminal use of compromised card details –Understand the relationship between fraud and money laundering Customer Awareness –Customer education campaigns –In particular “cover your PIN” messaging Public Sector Awareness –Involvement in information sharing initiatives –Public-private cooperation

Prevention Anti-fraud countermeasures –Anti-skimming –Anti-card trapping –Anti-malware –PIN shields Appropriate information security measures PCI standards, including PCI DSS

Detection Technical controls to detect deviations in customer transaction patterns. For example: –Cash withdrawals from unexpected locations –Uncharacteristic purchases –Purchases of goods that are easily resold
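
The deviation checks listed on the two Detection slides (banking malware and payment card fraud) can be sketched as rules evaluated against a per-customer baseline. This is an added example, not part of the original presentation; the event fields, the resale category list, the threshold and the sample records are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: one customer's baseline and new events (not real records).
HISTORY = {
    "cust-1": {"countries": {"IE"}, "amounts": [40.0, 55.0, 62.0, 48.0, 51.0],
               "beneficiary_countries": {"IE"}},
}
EVENTS = [
    {"cust": "cust-1", "type": "login", "country": "IE"},
    {"cust": "cust-1", "type": "login", "country": "BR"},
    {"cust": "cust-1", "type": "add_beneficiary", "country": "BR"},
    {"cust": "cust-1", "type": "transfer", "amount": 4900.0, "country": "BR"},
    {"cust": "cust-1", "type": "cash_withdrawal", "amount": 300.0, "country": "US"},
    {"cust": "cust-1", "type": "purchase", "amount": 45.0, "country": "IE", "category": "groceries"},
    {"cust": "cust-1", "type": "purchase", "amount": 60.0, "country": "IE", "category": "gift_cards"},
]
EASILY_RESOLD = {"gift_cards", "electronics", "jewellery"}  # assumed category list
Z_LIMIT = 3.0  # assumed threshold: standard deviations above the customer's mean

def red_flags(event, profile):
    """Return the list of red flags one event raises against a customer's baseline."""
    flags = []
    kind, country = event["type"], event.get("country")
    if kind in ("login", "cash_withdrawal", "purchase") and country not in profile["countries"]:
        flags.append("unusual_location")
    if kind == "add_beneficiary" and country not in profile["beneficiary_countries"]:
        flags.append("unusual_beneficiary")
    if "amount" in event:
        mu, sigma = mean(profile["amounts"]), pstdev(profile["amounts"])
        if sigma > 0 and (event["amount"] - mu) / sigma > Z_LIMIT:
            flags.append("unusual_amount")
    if kind == "purchase" and event.get("category") in EASILY_RESOLD:
        flags.append("easily_resold_goods")
    return flags

def review_queue(events, history):
    """Pair each flagged event index with its flags, in arrival order."""
    out = []
    for i, ev in enumerate(events):
        flags = red_flags(ev, history[ev["cust"]])
        if flags:
            out.append((i, flags))
    return out

if __name__ == "__main__":
    for idx, flags in review_queue(EVENTS, HISTORY):
        print(idx, EVENTS[idx]["type"], flags)
```

A login from a new country followed by a new foreign beneficiary and an out-of-pattern transfer each raise a separate flag here; in practice such flags are correlated per customer before an alert is raised.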

Response Public-private cooperation to target criminal infrastructure. –Takedown of criminal websites, carding forums International investigations

CASE STUDY: ATTACK SIMULATION

Responding to Cyber Incidents In 2015, a survey of 1,000 IT Security professionals reported that: –70% of breaches are detected by a third party. –In 46% of cases it took more than four months to detect an incident (and a further three months to mitigate the risk). –73% of respondents believed that their company’s data was vulnerable to being hacked.

Case Study: Attack Simulation In 2010, a major cybercrime incident was simulated by Irish financial institutions to assess their readiness. The aim was to explore the impact of a major cybercrime incident on each institution but also on the wider banking sector and the Irish economy.

Case Study: Attack Simulation Attendees included all retail financial institutions, industry organisations, law enforcement and prosecutors. Attendees were asked to record their decisions while responding to the incident, which were then analysed and categorised by business function.

Case Study: Attack Simulation

Key Messages The threat of cyber attacks should not be ignored, even if you have not yet suffered from a cyber incident. A multidisciplinary approach is essential to adequately respond to cyber incidents.

Responding to Cyber Incidents Prevention, prevention, prevention: –Employee education –Public education (if applicable) –Security policies/procedures –Strong audit/compliance function –Penetration testing/simulated incidents

Responding to Cyber Incidents Detection and Response: –Investment in capability –Intelligence gathering and analysis –Response infrastructure –Evidence preservation –Simulated incidents/exercises

SUMMARY

Summary A structured approach is needed involving all stakeholders, encompassing awareness, prevention, detection and response. Public sector stakeholders have key roles to play: –Neutral third parties facilitating cooperation and information exchange between competitors –Representing societal interest in reduced levels of financial crime and money laundering –Investigative and prosecutorial expertise, guiding the activities of the private sector actors and leading to increased number of successful prosecutions.

Thank You! Any Questions? Dave O’Reilly Chief Technologist FTR Solutions +353 (87) m