Payment Heists: A Layered Defense Approach to Fraud Management

In May 2013, US prosecutors unveiled a sophisticated “Ocean’s Eleven” type scheme where hackers stole $45 Million by hacking into two credit card processors that processed prepaid card accounts and compromised 17 accounts belonging to two banks.

These Cybercriminals increased the account balances and removed withdrawal limits for these accounts, essentially creating prepaid cards with infinite value. They then transmitted the card account numbers to groups of ‘cashers’ around the world through carder forums, emails or chat sessions. Then, at a specified time, they disseminated the PIN for each of these accounts to the ‘casher’ groups, who then made the ATM withdrawals within a 24 hour period.

How did this work?

Based on what is publicly known, the hackers were able to penetrate the systems of these processors, and also gained access to the databases that stored account level information, and authorization rules, such as velocity thresholds or daily limits.

It is possible that they were able to do this by downloading specific malware on to the processors’ systems to collect login credentials of people who had access to these databases, and subsequently used these credentials to alter the databases.

To compromise card credentials, the hacker groups could have obtained legitimate cards from the banks involved, and then distributed the magnetic stripe information and the PIN to the carder groups to manufacture duplicate cards. Another possibility is that they collected magnetic stripe information associated with legitimate customers as they had access to the customer databases. A third, more insidious, possibility is that they could have changed the authorization rules in the system so as to not validate the card parameters of the stolen accounts at the time of the transaction, and only needed the account number and the PIN to complete the transaction.

It is interesting to note that they needed to use legitimate PINs associated with the accounts so that they could monitor the withdrawals made by the criminal parties who received them.

The third possibility mentioned above makes chip cards vulnerable as well. For the hackers have modified the logic in the issuers’ authorization system, which now allows any card with a magnetic stripe to go through. The presence of a magnetic stripe on any chip card to allow for fallback transactions makes issuers of chip cards vulnerable to this type of attack.

So, what can financial institutions do to thwart such attacks?

Prevention: The first step in thwarting such attacks is preventing an intrusion. This is easier said than done. The attack on RSA and the Mandiant report on cyber espionage show the ease with which sophisticated hackers can enter a system. Authentication controls for employees with access to sensitive information is essential in preventing an intrusion. At a minimum two-factor authentication is necessary to thwart sophisticated malware from compromising employee login credentials. Biometric 3-Factor authentication controls could be used for select employees that access critical data.

Detection: While authentication controls are a necessary first step, a layered defense approach warrants analytical capability to detect an intrusion. Any detection framework should possess the capability to generate real-time or near real-time alerts. What is needed are real-time alerts based on a risk based adaptive authentication process for employees to avoid take-over of these employee accounts even with two factor authentication. Risk based scoring is capable of evaluating each login attempt based on a multitude of parameters, such as, geographic location, IP address, time of day, and device profile to determine the riskiness of a login attempt.

Mitigation: While risk scoring of login attempts is essential in detecting an intrusion, organizations need to have real-time capability in mitigating the threat posed by an intrusion or a rogue employee. For example, in this case, a frequent comparison of hashed archives of authorization rules and customer credit limits with the rules in production may have allowed the processors to block those accounts that were modified. (The fraud alerts that are usually generated when accounts show abnormal activity would not have identified any out of pattern behavior on these customer accounts as the definition of what is abnormal was changed.) Even if they were not successful in preventing an intrusion, they might have been successful in preventing a withdrawal and mitigating the loss.

Integration: It is imperative that fraud groups not focus their fraud detection only on customer account level or transactional activity, but do a comprehensive analysis including employee activity, internal and external network activity on a real-time or near-real-time basis. Most organizations usually have disparate mainframe file systems or databases that store all pertinent information to monitor activity. Organizations need to combine disparate databases or mainframe files, combine structured customer account level and transactional data with unstructured web session logs, emails and network data to monitor abnormal activity effectively.

The future of fraud mitigation relies on this layered defense approach to protect employee accounts, systems, or customer accounts from internal or external threats. Fraudsters will always be creative in the way they attack an institution. It is impossible to determine the next scheme that they will use to steal an institution’s assets. It is therefore imperative the organizations embrace this methodology with haste to avoid being the next victim.

Prakash Santhana is a Director at Deloitte’s Financial Advisory Services LLP and leader of the Fraud Management Practice.