Prakash Santhana, Deloitte Financial Advisory Services

Payment Heists: A Layered Defense Approach to Fraud Management

As fraudsters grow more creative in their attacks, banks have to invest in multiple, layered approaches to defense.

In May 2013, US prosecutors unveiled a sophisticated “Ocean’s Eleven”-style scheme in which hackers stole $45 million by breaking into two credit card processors that handled prepaid card accounts and compromising 17 accounts belonging to two banks.

These cybercriminals increased the account balances and removed the withdrawal limits for these accounts, essentially creating prepaid cards with infinite value. They then transmitted the card account numbers to groups of ‘cashers’ around the world through carder forums, emails or chat sessions. Then, at a specified time, they disseminated the PIN for each of these accounts to the ‘casher’ groups, who made the ATM withdrawals within a 24-hour period.

How did this work?

Based on what is publicly known, the hackers were able to penetrate the processors’ systems and gain access to the databases that stored account-level information and authorization rules, such as velocity thresholds or daily limits.

It is possible that they did this by installing malware on the processors’ systems to collect the login credentials of people who had access to these databases, and then used those credentials to alter the databases.

To compromise card credentials, the hacker groups could have obtained legitimate cards from the banks involved and then distributed the magnetic stripe information and the PIN to the carder groups to manufacture duplicate cards. Another possibility is that they collected the magnetic stripe information of legitimate customers, since they had access to the customer databases. A third, more insidious, possibility is that they changed the authorization rules in the system so that the card parameters of the stolen accounts were not validated at transaction time, leaving only the account number and the PIN needed to complete a transaction.

It is interesting to note that they needed to use the legitimate PINs associated with the accounts so that they could monitor the withdrawals made by the criminal parties who received them.

The third possibility mentioned above makes chip cards vulnerable as well: once the hackers have modified the logic in the issuers’ authorization system, it allows any card with a magnetic stripe to go through. The presence of a magnetic stripe on every chip card, kept to allow for fallback transactions, makes issuers of chip cards vulnerable to this type of attack.

So, what can financial institutions do to thwart such attacks?

Prevention: The first step in thwarting such attacks is preventing an intrusion. This is easier said than done. The attack on RSA and the Mandiant report on cyber espionage show the ease with which sophisticated hackers can enter a system. Authentication controls for employees with access to sensitive information are essential in preventing an intrusion. At a minimum, two-factor authentication is necessary to thwart sophisticated malware from compromising employee login credentials. Biometric three-factor authentication controls could be used for select employees who access critical data.

Detection: While authentication controls are a necessary first step, a layered defense approach warrants analytical capability to detect an intrusion. Any detection framework should be able to generate real-time or near-real-time alerts. What is needed are real-time alerts based on a risk-based adaptive authentication process for employees, to avoid takeover of employee accounts even where two-factor authentication is in place. Risk-based scoring evaluates each login attempt against a multitude of parameters, such as geographic location, IP address, time of day, and device profile, to determine how risky the login attempt is.
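As an added illustration (not code from the article or from Deloitte), here is a minimal risk scorer for employee logins that uses exactly the four parameters listed above. The employee id, baseline profile, IP ranges, weights and threshold are all constructed for the example and would be tuned on real login history.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline: what "normal" looks like for one operator with write
# access to the authorization-rules database. Every value here is made up.
BASELINE = {
    "op-7731": {
        "countries": {"US"},
        "ip_prefixes": {"10.20.", "203.0.113."},   # corporate ranges (documentation IPs)
        "work_hours": range(7, 20),                # 07:00-19:59 local time
        "devices": {"laptop-7731-a"},
    }
}

# Illustrative weights, not calibrated values; a deployment tunes them on history.
WEIGHTS = {"country": 40, "ip": 25, "hour": 15, "device": 30}
ALERT_THRESHOLD = 50   # at or above this: real-time alert and step-up challenge

@dataclass
class LoginAttempt:
    user: str
    country: str
    ip: str
    when: datetime
    device: str

def score_login(attempt: LoginAttempt) -> tuple[int, list[str]]:
    """Return a risk score plus the reasons that contributed to it."""
    profile = BASELINE.get(attempt.user)
    if profile is None:
        return 100, ["unknown user: no baseline"]
    score, reasons = 0, []
    if attempt.country not in profile["countries"]:
        score += WEIGHTS["country"]; reasons.append(f"country {attempt.country}")
    if not any(attempt.ip.startswith(p) for p in profile["ip_prefixes"]):
        score += WEIGHTS["ip"]; reasons.append(f"ip {attempt.ip}")
    if attempt.when.hour not in profile["work_hours"]:
        score += WEIGHTS["hour"]; reasons.append(f"hour {attempt.when.hour:02d}")
    if attempt.device not in profile["devices"]:
        score += WEIGHTS["device"]; reasons.append(f"device {attempt.device}")
    return score, reasons

def should_alert(attempt: LoginAttempt) -> bool:
    return score_login(attempt)[0] >= ALERT_THRESHOLD

# Constructed attempts: a routine login, and one that may have passed 2FA with
# stolen credentials but arrives from a new device and country at 03:05.
NORMAL = LoginAttempt("op-7731", "US", "10.20.4.17", datetime(2013, 5, 2, 9, 30), "laptop-7731-a")
SUSPECT = LoginAttempt("op-7731", "ZZ", "198.51.100.9", datetime(2013, 5, 2, 3, 5), "unknown-host")
```

The point of the score is that a session with valid credentials and a valid second factor can still be flagged in real time when its context does not match the employee's history.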

Mitigation: While risk scoring of login attempts is essential in detecting an intrusion, organizations also need real-time capability to mitigate the threat posed by an intrusion or a rogue employee. For example, in this case, frequent comparison of hashed archives of the authorization rules and customer credit limits against the rules in production may have allowed the processors to block the accounts that had been modified. (The fraud alerts usually generated when accounts show abnormal activity would not have flagged any out-of-pattern behavior on these customer accounts, because the definition of what is abnormal had itself been changed.) Even if the processors had not succeeded in preventing the intrusion, they might have succeeded in preventing the withdrawals and mitigating the loss.
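The hashed-archive comparison described above, as an added example that is not part of the article or of any processor's system. It keeps a keyed digest per account record and diffs a later production snapshot against it; the account ids, rule fields, balances and key are constructed placeholders.

```python
import hmac, hashlib, json

# Constructed records of the kind an authorization database keeps per prepaid
# account: balance, daily withdrawal limit, velocity threshold. Ids are made up.
BASELINE_RULES = {
    "acct-0001": {"balance": 250.00, "daily_limit": 500.00, "max_withdrawals_per_day": 5},
    "acct-0002": {"balance": 120.00, "daily_limit": 500.00, "max_withdrawals_per_day": 5},
    "acct-0003": {"balance": 80.00,  "daily_limit": 300.00, "max_withdrawals_per_day": 3},
}

# Later production snapshot: acct-0002 has had its balance raised and its limits
# removed (the pattern the article describes); the other records are unchanged.
PRODUCTION_RULES = {
    "acct-0001": {"balance": 250.00, "daily_limit": 500.00, "max_withdrawals_per_day": 5},
    "acct-0002": {"balance": 9_999_999.00, "daily_limit": None, "max_withdrawals_per_day": None},
    "acct-0003": {"balance": 80.00,  "daily_limit": 300.00, "max_withdrawals_per_day": 3},
}

def record_digest(key: bytes, account: str, rule: dict) -> str:
    """Keyed digest over a canonical encoding of one account's rule record.
    A keyed HMAC rather than a bare hash means an intruder who can edit the
    production database cannot simply recompute matching digests."""
    canonical = json.dumps({"account": account, **rule}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def build_archive(key: bytes, rules: dict) -> dict:
    """Hashed archive: account id -> digest, stored apart from production."""
    return {acct: record_digest(key, acct, rule) for acct, rule in rules.items()}

def find_modified(key: bytes, archive: dict, production: dict) -> dict:
    """Diff production against the archive; return accounts whose records
    changed, appeared, or disappeared, each with the reason."""
    findings = {}
    for acct, rule in production.items():
        expected = archive.get(acct)
        if expected is None:
            findings[acct] = "not in archive (new account since baseline)"
        elif not hmac.compare_digest(expected, record_digest(key, acct, rule)):
            findings[acct] = "rule record modified"
    for acct in archive.keys() - production.keys():
        findings[acct] = "missing from production"
    return findings

ARCHIVE_KEY = b"constructed-demo-key"   # in practice held in an HSM/KMS, never in the DB
ARCHIVE = build_archive(ARCHIVE_KEY, BASELINE_RULES)
```

Flagged accounts can be blocked pending review; legitimate changes such as a balance top-up also alter the record, so the archive must be re-baselined only through a controlled change process, otherwise every authorized change becomes an alert.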

Integration: It is imperative that fraud groups not focus their fraud detection only on customer account-level or transactional activity, but perform a comprehensive analysis that includes employee activity and internal and external network activity on a real-time or near-real-time basis. Most organizations have disparate mainframe file systems or databases that hold the information needed to monitor activity. Organizations need to combine these disparate databases and mainframe files, joining structured customer account-level and transactional data with unstructured web session logs, emails and network data, to monitor abnormal activity effectively.

The future of fraud mitigation relies on this layered defense approach to protect employee accounts, systems and customer accounts from internal or external threats. Fraudsters will always be creative in the way they attack an institution. It is impossible to predict the next scheme they will use to steal an institution’s assets. It is therefore imperative that organizations embrace this methodology with haste to avoid being the next victim.

Prakash Santhana is a Director at Deloitte’s Financial Advisory Services LLP and leader of the Fraud Management Practice.

Comments
JCaddellNexidia,
User Rank: Apprentice
11/18/2013 | 2:12:15 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
I can tell you for a fact that interaction data (calls, emails, chats etc.) are recorded and are increasingly used for customer experience and, now, for fraud prevention as well. The state of the art is to use predictive modeling to find fraud signatures within calls, and then identify those signatures in calls while they are occurring, so that new attempts to compromise security through the phone network can be identified instantly and routed for special handling.

If you work for a bank and you are using call center data for quality monitoring or simple reporting, there's a ton more value that you can unleash from that data.

regards, John
Greg MacSweeney,
User Rank: Author
11/18/2013 | 2:10:45 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
Yes, the calls are being recorded, but companies are having a hard time making sense of all of the data -- especially when it comes to sifting through the data to find trends related to fraud.
Jonathan_Camhi,
User Rank: Author
11/15/2013 | 9:35:06 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
From what I've heard, call center data is being recorded and compiled more than ever for compliance reasons now. That data, as you say Randy, definitely presents major opportunities for banks in fraud and customer experience.
Randy Holl,
User Rank: Apprentice
11/15/2013 | 4:04:16 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
Critical levels of fraud occur in the contact center - from identity theft to account takeovers - but the manual approach to dealing with contact center fraud is both inefficient and ineffective. Each contact center processes millions of calls per year providing a large set of data interactions. When that data is properly sifted and analyzed, and combined with other external data, it provides the best forms of business intelligence (BI) and customer analytics that can be used to stop fraud through an automated risk reduction system.

One way to detect and eliminate fraud is through a BI system that detects and scores possible fraud, applies business rules to each call, and takes real-time action to modify the call treatment based on these rules. While most companies ignore call center IVR data, we have found that this is one critical part of the fraud detection equation.

Properly designed, such a system can stop fraudsters while delivering a great experience to legitimate callers. And the cost to improve fraud management in this automated manner is more operationally efficient and cost-effective than the manual processes in place today.

Randy Holl,
Contact Solutions
Byurcan,
User Rank: Author
11/11/2013 | 9:41:55 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
It is true that in this day and age, the fraud prevention team can't solely look at activity at the customer account level; a deep analysis and analytical comprehension is required.