Network Intelligence India Pvt. Ltd.


Sujith Ambady






Real-world Case Studies
Lessons Learnt
Types of Fraud
Fraud Prevention and Detection
Conclusions
Q&A


Head Trainer at Institute of Information
Security(Training wing of Network Intelligence) and
Security Analyst at Network Intelligence.
Over 9 years of experience in
◦ Electronic Banking Operations and Security
◦ IT Infrastructure Design and Training Consultant

Certifications
◦ RHCE
◦ RHCSA



Speaker at Mumbai Null Chapter
Trained corporate SOC and Software team on Reverse
Engineering, Malware analysis, Secure Coding and Web
Application Penetration Testing
MBA in Information Management
Fraud encompasses a wide range of irregularities and illegal acts
characterized by intentional deception or misrepresentation.
The IIA’s IPPF defines fraud as: “Any illegal act characterized by
deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds
are perpetrated by parties and organizations to obtain
money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.”
Black’s Law Dictionary defines it as: “A knowing misrepresentation of the truth or concealment of a
material fact to induce another to act to his or her detriment.”
(Bryan Garner, ed., Black’s Law Dictionary, 8th ed. (2004), s.v. “fraud.”)



Internal Fraud or occupational fraud
◦ Corporate Espionage
◦ Data Leakage and Theft
◦ Intellectual Property and Trade Secret Theft
◦ Financial Fraud
External Fraud
◦ Identity Theft
◦ Malware Attacks
◦ Amateur fraud across all CNP (card-not-present) sales channels
◦ Phishing
Fraud Against Individuals

Fraud triangle - Dr. Donald Cressey
Case Study 1



Kotak Mahindra Bank: 1,730 transactions worth Rs 2.84 crore using credit cards that were never issued.
580 cards used in seven countries (Canada, USA, UK, Germany, Brazil, France and India) between July 2 and September 10.
An internal probe by the bank revealed that the cards were created by stealing data from a newly created series of unissued cards, all within the BIN (Bank Identification Number) range.

The new card series order was raised by the bank's product team, and the order was given to DZ Card India Ltd, Gurgaon, which held the contract to manufacture the bank's cards. The bank had generated and registered three BIN ranges for the new cards (Visa and MasterCard)... Unknown fraudsters forged and fabricated the cards and used them as genuine.
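The failure in this case is that authorizations were approved for card numbers that sat inside a BIN range the bank had registered but had never actually been issued to anyone. The following is an added example of an issuer-side check that separates "this BIN is ours" from "this card was issued", and counts distinct never-issued numbers per BIN so that a compromised series is noticed after a handful of attempts rather than after 1,730 transactions. It is not code from the presentation or from any bank; the BIN, the PANs and the threshold are constructed values.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data, not any bank's real values: one registered BIN
# and the PANs the issuer has actually personalised and handed to customers.
REGISTERED_BINS = {"459000"}                            # hypothetical 6-digit BIN
ISSUED_PANS = {"4590000000000016", "4590000000000024"}  # constructed, Luhn-valid


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation. Catches typos, never fraud: a card
    fabricated from a stolen series carries a perfectly valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    approved: bool
    reasons: list[str] = field(default_factory=list)


class IssuerAuthorizer:
    """Issuer-side authorization that asks two separate questions ('is the
    BIN ours?' and 'was this exact card issued?') and keeps a per-BIN record
    of distinct unissued PANs so a probed series raises a series-level alert."""

    def __init__(self, issued: set[str], bins: set[str], probe_threshold: int = 3):
        self.issued = set(issued)
        self.bins = set(bins)
        self.probe_threshold = probe_threshold
        self.unissued_hits: dict[str, dict[str, str]] = {}  # bin -> {pan: country}

    def authorize(self, pan: str, country: str) -> Decision:
        if not pan.isdigit() or not luhn_valid(pan):
            return Decision(False, ["pan_malformed"])
        bin_ = pan[:6]
        if bin_ not in self.bins:
            return Decision(False, ["bin_not_ours"])
        if pan not in self.issued:
            seen = self.unissued_hits.setdefault(bin_, {})
            seen[pan] = country
            reasons = ["card_not_issued"]
            if len(seen) >= self.probe_threshold:
                # Several distinct never-issued numbers in one series, possibly
                # from several countries: the series is compromised, not one card.
                reasons.append("bin_series_under_attack")
            return Decision(False, reasons)
        return Decision(True, [])


def run_demo() -> list[Decision]:
    """Replays a constructed mix of genuine and series-forged PANs."""
    auth = IssuerAuthorizer(ISSUED_PANS, REGISTERED_BINS, probe_threshold=2)
    attempts = [
        ("4590000000000016", "IN"),  # genuinely issued card
        ("4590000000000032", "US"),  # valid Luhn, inside our BIN, never issued
        ("4590000000000040", "CA"),  # second such number: series-level alert
        ("4590000000000011", "UK"),  # bad check digit: a typo, not a fraud signal
    ]
    return [auth.authorize(pan, c) for pan, c in attempts]


if __name__ == "__main__":
    for d in run_demo():
        print("APPROVE" if d.approved else "DECLINE", d.reasons)
```

The point of the second counter is that a single declined unissued card looks like noise; two or three distinct unissued numbers from the same freshly registered series, seen across countries, is exactly the pattern described above and should page someone before the card manufacturer's order is used up.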





Increasing user awareness
Strong policies against misuse of end-point systems
Strong monitoring controls
Personnel security controls
Run social engineering tests as part of your audits
Case Study 2
How to build a multinational multi-billion dollar enterprise overnight!

>200 million credit card numbers stolen
Heartland Payment Systems, 7-Eleven, and 2 US national retailers hacked
Modus operandi
◦ Visit retail stores to understand workings
◦ Hack wireless networks
◦ Analyze websites for vulnerabilities
◦ Hack in using SQL injection
◦ Inject malware
◦ Sniff for card numbers and details
◦ Hide tracks

Albert Gonzalez
◦ a/k/a “segvec,”
◦ a/k/a “soupnazi,”
◦ a/k/a “j4guar17”

Malware, scripts and hacked data hosted on servers in:
◦ Latvia
◦ Netherlands
◦ Ukraine
◦ New Jersey
◦ California
IRC chats
◦ March 2007: Gonzalez “planning my second phase against Hannaford”
◦ December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
$200 million in fines/penalties
$41 million to Visa
$24 million to Mastercard




A single vulnerability in an Internet-facing web application could lead to disaster
Blind reliance on technology based on product/vendor reputation is a bad idea
Strong logging controls
Fraud risk assessment is different from a regular audit
◦ Think like a fraudster to identify fraudulent areas and implement adequate controls
Concurrent monitoring via ACL or BI tools is also important
Identify red flags and put in place systems to monitor for these








Data Leakage Prevention
Information Rights Management
Email Gateway Filtering
Security & Controls by Design
Identity & Access Control Management
Encryption
Business Intelligence Solutions
Revenue Assurance & Fraud Management Solutions









Systems crashing
Audit trails not available
Mysterious “system” user IDs
Weak password controls
Simultaneous logins
Across-the-board transactions
Transactions that violate trends – weekends, excessive amounts, repetitive amounts
Reluctance to take leave or accept input/help
Reluctance to switch over to a new system
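Several of the red flags in this list (mysterious "system" user IDs, simultaneous logins, weekend transactions, excessive and repetitive amounts) can be checked mechanically once an audit trail exists. The following is an added example, not code from the presentation, of a small detector run over a constructed audit log; the log format, the HR directory of known users and the thresholds are all assumptions for the illustration.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (key=value lines); not from the presentation.
# 2015-03-06 is a Friday, 2015-03-07 a Saturday.
SAMPLE_LOG = """\
2015-03-06T09:02:11 user=asha action=login src=10.1.1.20
2015-03-06T09:05:40 user=asha action=txn amount=1200 ref=INV-101
2015-03-06T09:06:02 user=asha action=login src=172.16.9.7
2015-03-06T09:07:15 user=sysadm01 action=txn amount=49990 ref=INV-102
2015-03-06T09:09:30 user=ravi action=txn amount=9999 ref=INV-103
2015-03-06T09:11:30 user=ravi action=txn amount=9999 ref=INV-104
2015-03-06T09:13:30 user=ravi action=txn amount=9999 ref=INV-105
2015-03-07T23:40:00 user=ravi action=txn amount=500 ref=INV-106
"""

# Assumed HR directory: every user ID that should ever appear in the trail.
HR_DIRECTORY = {"asha", "ravi"}


def parse_line(line: str) -> dict[str, object]:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    fields: dict[str, object] = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_red_flags(
    log_text: str,
    directory: set[str] = HR_DIRECTORY,
    amount_limit: int = 20000,
    login_window: timedelta = timedelta(minutes=10),
    repeat_threshold: int = 3,
) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) tuples in the order the evidence appears."""
    flags: list[tuple[str, str, str]] = []
    last_login: dict[str, tuple[datetime, str]] = {}     # user -> (time, source)
    amounts: dict[str, Counter] = defaultdict(Counter)   # user -> amount -> count
    unknown_seen: set[str] = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = str(ev["user"]), ev["ts"]
        assert isinstance(ts, datetime)

        # "Mysterious system user IDs": anything not in the HR directory.
        if user not in directory and user not in unknown_seen:
            unknown_seen.add(user)
            flags.append(("unknown_user_id", user, user))

        if ev["action"] == "login":
            # Same user, different source, within the window: simultaneous login.
            prev = last_login.get(user)
            if prev and prev[1] != ev["src"] and ts - prev[0] <= login_window:
                flags.append(("simultaneous_login", user, f"{prev[1]} and {ev['src']}"))
            last_login[user] = (ts, str(ev["src"]))

        elif ev["action"] == "txn":
            amount, ref = int(str(ev["amount"])), str(ev["ref"])
            if amount > amount_limit:
                flags.append(("excessive_amount", user, ref))
            if ts.weekday() >= 5:                       # Saturday=5, Sunday=6
                flags.append(("weekend_transaction", user, ref))
            amounts[user][amount] += 1
            if amounts[user][amount] == repeat_threshold:  # fire once, at the threshold
                flags.append(("repetitive_amount", user, str(amount)))
    return flags


if __name__ == "__main__":
    for rule, user, detail in find_red_flags(SAMPLE_LOG):
        print(f"{rule:22s} {user:10s} {detail}")
```

None of these rules is proof of fraud on its own; the value is in routing the hits to someone who can tie them to the people-side flags above (who refused leave, who resisted the new system), and in the fact that the detector only works if the audit trail itself is complete and tamper-evident.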








Set Purchase Limits
Monitor Bill to/Ship to Mismatches
Pay Attention to the Time of Day
Ask a Secret Question
Manage Passwords
Account Change Notification
Use Proxy Piercing/IP Geo location Technology
Apply Device Fingerprinting Technology
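Most of the CNP controls above reduce to rules evaluated on each order before it is accepted. The following is an added example, not code from the presentation, of a simple additive risk score that applies purchase limits, bill-to/ship-to mismatch, time of day, recent account changes, IP geolocation and proxy detection, and device-fingerprint reuse. The lookup tables standing in for the geo-IP, proxy-piercing and device-fingerprint services, the weights and the decision thresholds are all constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed lookups standing in for external services (not real data):
IP_GEO = {                                  # ip -> (country, looks_like_proxy)
    "203.0.113.10": ("IN", False),
    "198.51.100.7": ("US", True),
}
DEVICE_ACCOUNTS = {                          # fingerprint -> accounts seen using it
    "fp-aaa": {"acct-1"},
    "fp-zzz": {"acct-7", "acct-8", "acct-9", "acct-10"},
}


@dataclass
class Order:
    account: str
    amount: float
    bill_country: str
    ship_country: str
    ip: str
    device_fp: str
    placed_at: datetime
    last_account_change: datetime | None = None   # e.g. address or e-mail change


def score_order(
    order: Order,
    purchase_limit: float = 50000.0,
    quiet_hours: tuple[int, int] = (1, 5),        # 01:00-05:00 local: odd time of day
    change_window: timedelta = timedelta(hours=24),
    shared_device_max: int = 3,
) -> tuple[str, int, list[str]]:
    """Return (decision, score, reasons); weights are illustrative."""
    score, reasons = 0, []

    if order.amount > purchase_limit:                       # Set Purchase Limits
        score += 40; reasons.append("over_purchase_limit")
    if order.bill_country != order.ship_country:            # Bill to/Ship to mismatch
        score += 25; reasons.append("bill_ship_mismatch")
    if quiet_hours[0] <= order.placed_at.hour < quiet_hours[1]:  # Time of Day
        score += 10; reasons.append("odd_hour")
    if order.last_account_change and order.placed_at - order.last_account_change <= change_window:
        score += 20; reasons.append("recent_account_change")  # Account Change Notification

    geo = IP_GEO.get(order.ip)                              # Proxy Piercing / IP Geolocation
    if geo is None:
        score += 15; reasons.append("ip_unresolved")
    else:
        country, is_proxy = geo
        if is_proxy:
            score += 25; reasons.append("proxy_ip")
        if country != order.bill_country:
            score += 20; reasons.append("ip_country_mismatch")

    accounts = DEVICE_ACCOUNTS.get(order.device_fp, set())  # Device Fingerprinting
    if len(accounts) > shared_device_max:
        score += 30; reasons.append("device_shared_across_accounts")

    decision = "approve" if score < 30 else "review" if score < 60 else "decline"
    return decision, score, reasons


def sample_orders() -> dict[str, Order]:
    """Three constructed orders: clean, worth a manual look, and clearly hostile."""
    friday = datetime(2015, 3, 6, 14, 0)
    return {
        "clean": Order("acct-1", 1500.0, "IN", "IN", "203.0.113.10", "fp-aaa", friday),
        "mismatch": Order("acct-1", 2000.0, "IN", "US", "203.0.113.10", "fp-aaa",
                          friday.replace(hour=3)),
        "hostile": Order("acct-7", 80000.0, "IN", "US", "198.51.100.7", "fp-zzz",
                         friday.replace(hour=3, minute=10),
                         last_account_change=friday.replace(hour=1)),
    }


if __name__ == "__main__":
    for name, order in sample_orders().items():
        print(name, score_order(order))
```

The "review" band is where the remaining controls in the list (secret question, password management) belong: a step-up challenge for the middle of the distribution is cheaper than declining every mismatched shipping address outright.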
1. Governance – Policies, Procedures and Organizational Framework
2. Application Controls
3. Infrastructure Controls
◦ Server
◦ Network
◦ End-point
4. Technological Controls for Fraud Detection, Prevention and Data Security
5. Training & Awareness
6. Fraud-focused Reporting
7. Audit Trail & Forensics
Sujith Ambady
Head Trainer and Security Analyst
[email protected]
https://in.linkedin.com/pub/sujithambady/9b/245/abb
http://itsecuritymonk.wordpress.com