Prakash Santhana, Deloitte Financial Advisory Services

Payment Heists: A Layered Defense Approach to Fraud Management

As fraudsters grow more creative in their attacks, banks have to invest in multiple, layered approaches to defense.

In May 2013, US prosecutors unveiled a sophisticated “Ocean’s Eleven”-style scheme in which hackers stole $45 million by breaking into two credit card processors that handled prepaid card accounts and compromising 17 accounts belonging to two banks.

These cybercriminals increased the account balances and removed the withdrawal limits on these accounts, essentially creating prepaid cards with unlimited value. They then transmitted the card account numbers to groups of ‘cashers’ around the world through carder forums, emails or chat sessions. Then, at a specified time, they disseminated the PIN for each of these accounts to the ‘casher’ groups, who made the ATM withdrawals within a 24-hour period.

How did this work?

Based on what is publicly known, the hackers were able to penetrate the processors’ systems and gained access to the databases that stored account-level information and authorization rules, such as velocity thresholds or daily limits.

It is possible that they did this by placing malware on the processors’ systems to collect the login credentials of people who had access to these databases, and then used those credentials to alter the databases.

To compromise card credentials, the hacker groups could have obtained legitimate cards from the banks involved and then distributed the magnetic stripe information and the PIN to the carder groups to manufacture duplicate cards. Another possibility is that they collected the magnetic stripe information of legitimate customers, since they had access to the customer databases. A third, more insidious, possibility is that they changed the authorization rules in the system so that the card parameters of the stolen accounts were not validated at the time of the transaction, leaving only the account number and the PIN needed to complete a transaction.

It is interesting to note that the hackers needed to use the legitimate PINs associated with the accounts, so that they could monitor the withdrawals made by the cashers who received them.

The third possibility mentioned above makes chip cards vulnerable as well: once the hackers have modified the logic in the issuer’s authorization system so that any card with a magnetic stripe is accepted, the magnetic stripe that every chip card carries to allow fallback transactions exposes chip card issuers to the same type of attack.

So, what can financial institutions do to thwart such attacks?

Prevention: The first step in thwarting such attacks is preventing an intrusion. This is easier said than done. The attack on RSA and the Mandiant report on cyber espionage show the ease with which sophisticated hackers can enter a system. Authentication controls for employees with access to sensitive information are essential in preventing an intrusion. At a minimum, two-factor authentication is necessary to keep sophisticated malware from compromising employee login credentials. Biometric three-factor authentication controls could be used for the select employees who access critical data.

Detection: While authentication controls are a necessary first step, a layered defense approach warrants analytical capability to detect an intrusion. Any detection framework should be able to generate real-time or near-real-time alerts. What is needed are real-time alerts driven by a risk-based adaptive authentication process for employees, to avoid takeover of employee accounts even where two-factor authentication is in place. Risk-based scoring evaluates each login attempt on a multitude of parameters, such as geographic location, IP address, time of day, and device profile, to determine how risky the attempt is.
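
As an added illustration (not code from the article), the following Python scores an employee login attempt on the four parameters named above and treats a high score as an alert even when the second factor succeeded; the profile, weights, threshold and sample attempts are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class EmployeeProfile:
    """Constructed baseline for one privileged employee (hypothetical data)."""
    usual_countries: set        # countries this employee normally logs in from
    corporate_networks: list    # CIDR blocks of the office/VPN egress
    work_hours: tuple           # (start_hour, end_hour), local time, 24h clock
    known_devices: set          # device fingerprints seen before

@dataclass
class LoginAttempt:
    country: str
    ip: str
    hour: int
    device: str
    mfa_passed: bool            # result of the second factor, if any

# Assumed weights per risk signal; in practice tuned from historical logins.
WEIGHTS = {"geo": 30, "ip": 25, "time": 15, "device": 30}

def score_login(profile, attempt):
    """Return (score, reasons). Higher score means a riskier login."""
    score, reasons = 0, []
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["geo"]; reasons.append("unusual country")
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in ipaddress.ip_network(n) for n in profile.corporate_networks):
        score += WEIGHTS["ip"]; reasons.append("non-corporate IP")
    start, end = profile.work_hours
    if not (start <= attempt.hour < end):
        score += WEIGHTS["time"]; reasons.append("outside work hours")
    if attempt.device not in profile.known_devices:
        score += WEIGHTS["device"]; reasons.append("unknown device")
    return score, reasons

def decide(profile, attempt, alert_threshold=50):
    """A passed second factor does not override a high risk score: credentials
    harvested by malware can come with a valid factor, so an unknown device at
    an odd hour from an unusual network still raises an alert and step-up."""
    score, reasons = score_login(profile, attempt)
    if not attempt.mfa_passed:
        return "deny", score, reasons
    if score >= alert_threshold:
        return "alert_and_step_up", score, reasons
    return "allow", score, reasons
```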

Mitigation: While risk scoring of login attempts is essential in detecting an intrusion, organizations also need the real-time capability to mitigate the threat posed by an intrusion or a rogue employee. For example, in this case, a frequent comparison of hashed archives of the authorization rules and customer credit limits against the rules in production might have allowed the processors to block the accounts that had been modified. (The fraud alerts usually generated when accounts show abnormal activity would not have identified any out-of-pattern behavior on these accounts, because the definition of what is abnormal had itself been changed.) Even if the processors were not successful in preventing the intrusion, they might have prevented the withdrawals and mitigated the loss.
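
The hashed-archive comparison described above, as an added Python example (not the processors’ or the author’s code): an out-of-band archive holds one digest per account’s authorization rules, and each run flags accounts whose production rules no longer match and have no approved change ticket. The account rows, rule fields and ticket ids are constructed sample data.

```python
import hashlib
import json

# Constructed sample data (hypothetical): the last approved snapshot of the
# processor's per-account authorization rules, and the same rows as read from
# the production database during a later comparison run.
APPROVED_SNAPSHOT = {
    "4000-0001": {"balance": 500.00, "daily_limit": 300.00, "velocity_per_hour": 3, "validate_track_data": True},
    "4000-0002": {"balance": 120.00, "daily_limit": 300.00, "velocity_per_hour": 3, "validate_track_data": True},
    "4000-0003": {"balance": 75.50, "daily_limit": 300.00, "velocity_per_hour": 3, "validate_track_data": True},
}
PRODUCTION_NOW = {
    "4000-0001": {"balance": 500.00, "daily_limit": 300.00, "velocity_per_hour": 3, "validate_track_data": True},
    # Balance inflated, limits removed and track-data validation switched off:
    # the kind of change the article describes.
    "4000-0002": {"balance": 9999999.00, "daily_limit": None, "velocity_per_hour": None, "validate_track_data": False},
    # Legitimate limit increase that went through change control (hypothetical ticket).
    "4000-0003": {"balance": 75.50, "daily_limit": 500.00, "velocity_per_hour": 3, "validate_track_data": True},
}
APPROVED_CHANGES = {"4000-0003": "CHG-0042"}   # account -> change ticket id

def record_hash(rules):
    """Hash the canonical JSON form so key order cannot alter the digest."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_archive(snapshot):
    """The hashed archive: one digest per account, kept outside production."""
    return {acct: record_hash(rules) for acct, rules in snapshot.items()}

def find_unauthorized_changes(archive, production, approved_changes):
    """Accounts whose production rules no longer match the archive and have
    no approved change ticket, plus accounts added or removed out of band."""
    flagged = []
    for acct, rules in production.items():
        expected = archive.get(acct)
        if expected is None:
            flagged.append((acct, "account missing from archive"))
        elif record_hash(rules) != expected and acct not in approved_changes:
            flagged.append((acct, "rules changed without approval"))
    for acct in archive.keys() - production.keys():
        flagged.append((acct, "account deleted from production"))
    return sorted(flagged)

def accounts_to_block(archive, production, approved_changes):
    """Candidates for an immediate authorization block pending investigation."""
    return [acct for acct, _ in find_unauthorized_changes(archive, production, approved_changes)]
```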

Integration: It is imperative that fraud groups not focus their fraud detection only on customer account-level or transactional activity, but perform a comprehensive analysis that includes employee activity and internal and external network activity on a real-time or near-real-time basis. Most organizations have disparate mainframe file systems or databases that store the information needed to monitor activity. Organizations need to bring these disparate databases and mainframe files together, combining structured customer account-level and transactional data with unstructured web session logs, emails and network data, to monitor abnormal activity effectively.

The future of fraud mitigation relies on this layered defense approach to protect employee accounts, systems, and customer accounts from internal and external threats. Fraudsters will always be creative in the way they attack an institution, and it is impossible to predict the next scheme they will use to steal an institution’s assets. It is therefore imperative that organizations embrace this methodology with haste to avoid being the next victim.

Prakash Santhana is a Director at Deloitte’s Financial Advisory Services LLP and leader of the Fraud Management Practice.

User Rank: Apprentice
11/18/2013 | 2:12:15 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
I can tell you for a fact that interaction data (calls, emails, chats etc.) are recorded and are increasingly used for customer experience and, now, for fraud prevention as well. The state of the art is to use predictive modeling to find fraud signatures within calls, and then identify those signatures in calls while they are occurring, so that new attempts to compromise security through the phone network can be identified instantly and routed for special handling.

If you work for a bank and you are using call center data for quality monitoring or simple reporting, there's a ton more value that you can unleash from that data.

regards, John
Greg MacSweeney,
User Rank: Author
11/18/2013 | 2:10:45 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
Yes, the calls are being recorded, but companies are having a hard time making sense of all of the data -- especially when it comes to sifting through the data to find trends related to fraud.
User Rank: Author
11/15/2013 | 9:35:06 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
From what I've heard call center data is being recorded and compiled more than ever for compliance reasons now. That data, as you say Randy, definitely presents major opportunities for banks in fraud and customer experience.
Randy Holl,
User Rank: Apprentice
11/15/2013 | 4:04:16 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
levels of fraud occur in the contact center - from identity theft to account takeovers - but the manual approach to dealing with contact center fraud is both inefficient and ineffective. Each contact center processes millions of calls per year, providing a large set of data interactions. When that data is properly sifted and analyzed, and combined with other external data, it provides the best forms of business intelligence (BI) and customer analytics that can be used to stop fraud through an automated risk reduction system.

One way to detect and eliminate fraud is through a BI system that detects and scores possible fraud, applies business rules to each call, and takes real-time action to modify the call treatment based on these rules. While most companies ignore call center IVR data, we have found that this is one critical part of the fraud detection

designed, such a system can stop fraudsters while delivering a great experience to legitimate callers. And the cost to improve fraud management in this automated manner is more operationally efficient and cost-effective than the manual processes in place today.

Randy Holl,
Contact Solutions
User Rank: Author
11/11/2013 | 9:41:55 PM
re: Payment Heists: A Layered Defense Approach to Fraud Management
It is true that in this day and age, the fraud prevention team can't solely just look at activity at the customer account level; a deep analysis and analytical comprehension is required.