Were forgotten passwords really forgotten? Or were they never known in the first place?

While fraudsters continually develop new schemes, they also persist in using older techniques that have proven to be effective. Our latest Fraud Informer, Fake Forgetfulness Flags Fraud, describes how criminals are defeating authentication by using a feature that is available on every online banking system: the Forgotten Password reset.

Our fraud intelligence group has witnessed ongoing attacks against hundreds of retail clients plus a smaller number of commercial accounts at over 50 banks and credit unions. The pattern is very similar across all of them, and surprisingly, the attacks don’t include transactions.

This scheme is a good reminder of two important factors in detecting fraud attacks: 1) fraudsters can defeat authentication, and 2) you can’t detect fraud by only monitoring transactions. Make no mistake, this is fraud. And to detect it and prevent resulting offline fraudulent transactions you have to be monitoring the behavior taking place during online banking sessions.

Read on in the full Fraud Factor.

Fraudulent Needles in ACH Haystacks

We’ve been talking with a wide variety of financial institutions for a number of weeks leading up to the announcement of our latest anomaly detection solution, FraudMAP ACH.  We’ve heard story after story of the time consumed by staff manually combing through exception reports or Excel spreadsheets looking for the high risk transactions or batches in an growing and increasingly dynamic stack of ACH payments.  We’ve heard of the complexities of staff trying to maintain “fraud rules” or wait for their vendors to do it for them.

And it’s only going to get harder.  As criminals more eloquently tamper with ACH files, batches and transactions, they will more readily bypass caps, limits, and calendar validations. Realistically it is becoming more and more untenable for operational staff to hunt and peck for fraud in the manner in which they are today.  The fraudulent needles are getting smaller as the haystack of payments is growing larger.

In an infographic that we just released, we call out the four levels of fraud infiltration.  You’ll see as you study the diagram, that criminals are moving further and further into the files, making it harder for traditional “hunting and pecking” approaches to finding fraud an unsustainable model.

Here’s a sneak peak at the four levels.

  • LEVEL ONE – Fraudster submits a new ACH Batch file, all of which is fraudulent. Fraudulent files may or may not violate caps or calendar rules.
  • LEVEL TWO – Fraudster breaks into an existing batch file and adds a new payments which will change the number of transactions in the file and the total amount of all transactions in the file. Files may still be below established caps/limits.
  • LEVEL THREE – Fraudster breaks into an existing batch file and adds some new credit transactions (steals some money), but simultaneously adds some new debit transactions that leave the total dollar movement for the file as a whole unchanged.
  • LEVEL FOUR – Fraudster breaks into an existing batch file and edits specific parts of existing transactions (e.g. The payee account number), which leaves the number of transactions and the total dollar movement for the file as a whole unchanged.

Guardian Analytics was founded to turn online banking fraud prevention upside. Using behavioral analytics, our solution has turned two hundred financial institutions into highly proactive organizations that have high-risk activity detected FOR them before money leaves the bank.  With FraudMAP ACH, we are again fundamentally changing how FI’s manage their risk, this time by applying our proven anomaly detection capabilities to ACH transactions.  Regardless of how deep the criminals go, or how stealthy they are, FraudMAP ACH will surface any unusual activity and prioritize it for review. No more hunting and pecking.  The needles stand out bright red no matter how big you

 

PATCO ACH Fraud Ruling – Lessons Learned

As you’ve probably read by now, on July 3 the First Circuit Court of Appeals in Boston ruled in favor of PATCO in their lawsuit against Ocean Bank over fraud losses, reversing the U.S. District Court‘s 2011 judgment that favored the bank. Rather than merely rehashing the ruling, I’d like to offer some lessons learned and thoughts on how financial institutions can respond.

Where this all began – a  fraud attack

In a series of 6 fraudulent ACH transfers in 2009, fraudsters were able to drain $580,000 out of PATCO’s commercial account with the former Ocean Bank (now People’s United Bank). The bank was able to recover $243,000, leaving approximately $340,000 in losses.

The Initial Ruling

In 2010 PATCO file suit against Ocean Bank to recover its losses.  In the original ruling in August 2011, the District Court ruled in favor of Ocean Bank based stating that the bank did, in its opinion, have “commercially reasonable” security in place.  This opinion stemmed primarily from the fact that PATCO had signed a contract with the bank agreeing to the security procedures at the bank and also that the bank had common security solution in place.

With that said, the ruling did go out of its way to note that the bank probably should have detected the unusual activity since it was so unusual for PATCO’s typical behavior.

The Reversal on Appeal

Interestingly, the appellate court took a much broader view of what a “commercially reasonable” security solution offered and paid greater attention to the bank’s actions in utilizing the technology solutions that they had in place, not just the technology itself.

Here are some noteable examples from the latest ruling:

  • The bank used what the court calls a “one-size-fits-all” approach to monitoring and authenticating transactions. All ACH and wire transactions over $1 triggered a challenge question. The original intent was to increase security, but the actual impact was an increase in the chance that the response would be compromised, ultimately weakening this defense.
  • The bank had the ability to monitor high-risk transactions through its transaction-profiling and risk-scoring system, but chose not to do so. As one example, Ocean Bank’s scoring system gave the first fraudulent transaction a risk score of 790; PATCO’s usual risk scores ranged between 10 and 214.
  • The fraudulent ACH transfers out of PATCO’s account went to numerous individuals PATCO had never paid before. The perpetrators also logged in from devices and IP addresses never used by PATCO.

“The payment orders at issue were entirely uncharacteristic of PATCO’s ordinary transactions,” the ruling states. “These collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable.”

I’m not trying to paint Ocean Bank as a ‘bad guy’ but more express a challenge the whole industry is facing. With criminal attacks growing more stealthy and more speedy every day and without the right tools to pinpoint the bad actors, it difficult for any bank to stay on top of the ever-growing online and mobile activity.

Lessons Learned

With that said, here are a few some takeaways from this whole situation.

  • Having a lot of technology is not enough. The courts are setting the stage that they will look for how the use of technology impacts the overall security.
  • The courts are shifting expectations of banks. Taken in conjunction with two other high-visibility lawsuits – EMI v. Comerica and Village View Escrow v. Professional Business Bank – the courts are expanding what is expected of financial institutions, or at least setting precedents that define terms such as “reasonable security” or “good faith”.  In both cases with judgements, the courts mention that the banks should have been able to detect the fraudulent activity because it was so unusual relative to typical customer behavior.
  • “One size fits all” doesn’t work. Security solutions and policies must be dynamic and tuned to each customer, situation, transaction, or online banking session. In other words, financial institutions need better tools to avoid having to consider such a “one size fits all” approach. On this point Gartner’s Avivah Litan commented, “Small banks just don’t have any resources to monitor 15-20 percent of the log-ins every day; they need better tools.”
  • Monitor. Monitor. Monitor. The fraudsters are clever and sophisticated, and unfortunately, financial institutions cannot let up for a minute. In the PATCO case, the fraudsters got through user ID & password, cookie-based device authentication, IP address profiling, challenge questions, and risk scoring, which taken together satisfied the “commercially reasonable” litmus test. And while fraudsters have repeatedly demonstrated the ability to surmount these defenses, they stand a better chance of detecting fraud only when the financial institution is actively monitoring activities and alerts.
  • Total losses are much higher than the fraudulent transfer. While the ruling did not award specific damages, instead simply encouraging the two parties to settle out of court, the legal costs, productivity losses, and negative PR dwarf the nominal fraud loss.

What’s a Financial Institution to Do?

I doubt anyone would debate that fraud prevention is a responsibility shared between the financial institution and their commercial clients. And when things go bad, it’s clearly a point of contention – often a severely divisive one – as to how this responsibility is shared. I encourage bankers to thoroughly consider how they can use the lessons learned from this case to do their part, and maybe even more than their part.

In today’s competitive, tight-margin banking environment, this ruling suggests to me an opportunity to use security as a differentiator to win new accounts and expand services (i.e. increase revenue). This is the ideal time to first put in place truly effective fraud prevention solutions across online, mobile and ACH channels, and then feature your commitment to preventing fraud in your communications to customers and prospects.  And, there are modern tools available that deliver efficient and effective fraud prevention.

Your business clients are not experts in security, which is why they are under attack from criminals. And again, security today is a shared responsibility, but the reality is that they are dependent upon you, their banking institution, and they (quite reasonably) expect you to be an expert (keep an eye out for more stats on this from our upcoming business banking trust study).

So, I encourage you to be the expert. Put in place outstanding layered security with the people and policies to ensure it works as designed. And then use that investment to gain new business and improve customer trust, loyalty, and longevity.

New Online Banking Attacks – Criminals in the Cloud

Today, the Guardian Analytics Fraud Intelligence team and McAfee released a joint fraud report, “Dissecting Operation High Roller,” describing a new generation of attacks against online banking. Criminals are evolving Man-in-the-Browser schemes to move execution of key criminal activity away from the PC and into the cloud, using new servers dedicated to automating and executing fraudulent transactions. The attacks described in the report target the elite – commercial accounts and high net worth consumers – in Europe, Latin America and the United States, hence the name “Operation High Roller.”

Criminals in the Cloud – Disguise and Adaptability
In “server-side attacks”  the fraudsters use automated logic on a server in the cloud to identify targets and subsequently compromise the account, find mules, initiate transactions and mask account balances. This is a new server in the criminals’ arsenal, purpose-built and solely dedicated to processing fraudulent transactions (unlike typical  multi-purpose botnet servers used for spam, DDOS, credential harvesting). This means fewer signals for researchers or detection tools to find.

With server-based attacks, criminals are highly adaptable. They can readily modify their attack code to adapt to any workflow or security changes at a financial institution and dynamically adjust communications to clients as servers are moved around, without having to update code on every infected client.

Targeting the Elite Across the Globe
This fraud campaign started with automated attacks against wealthy consumers in Italy (balances of €200,000-€500,000) and then evolved to use server-side automated attacks against businesses in the Netherlands, Germany, and Columbia and the US. The most recent attacks started in March with an new evolution – criminals employed hybrid automated/manual scheme targeting high-balance U.S. businesses (assets in the tens of millions of dollars).  Overall,  the limited, targeted approach creates a highly favorable risk-reward scenario for the criminals- big payoffs with reduced chances of detection.

A few key takeaways for the industry:

  • Criminals are not sitting still: they are continually innovating their attacks to increase their paydays and reduce detection.
  • Every financial institution should be prepared for this and other attacks: The attacks hit financial institutions of all sizes including community banks and credit unions in the United States that use common online banking platforms
  • The industry needs collaboration on threat research: By working together, as McAfee and Guardian Analytics did on this project, we can improve the industry’s ability to understand quickly detect new schemes and alert the rest of the industry and law enforcement
  • Criminals still look like criminals, not like real users: Despite the sophistication of these attacks, behavior-based anomaly detection solutions like FraudMAP will still detect the subtle differences in behavior that can tip off FIs that a specific banking session may a fraud attack, not the legitimate account holder

Read the full report: Dissecting Operation High Roller

Beware the Business Mule: Why Commercial Payees Merit Vigilance

Fraudsters increasingly are targeting the larger account balances of commercial banking customers and hiding behind the more frequent account activity present in business-to-business transactions. The large, frequent fund movements common between organizations are making fraud harder to detect by financial institutions until the money is gone. As with consumer banking fraud schemes, the crooks rely on money mules to break the final bottleneck – getting the money out. However, because of the complexity of corporate transactions, fraudsters are employing human actors earlier in the process… and closer than ever to the victimized company.

Lately our fraud researchers have noticed a disturbing trend toward “inside jobs” – schemes that rely on money mules recruited from within the legit business’ own employee ranks.  Enlisting them is difficult, so mule handlers offer higher commissions to their traitorous partners. The more common commercial account fraud method is the use of professional mules who set up fictitious companies specifically to receive stolen payouts.

Corporate account credentials command a higher price on the criminal black market. Why? Business-to-business accounts typically transfer higher dollar amounts, more frequently, than retail accounts.  International transfers are easier. Repetitive transactions in a short period of time are easier. These realities all provide more incentive for business mules to complete fraudulent transfers… again and again. Repeat use of business mules is becoming disturbingly common.

These witting mules are hard to detect. The fraudster is relying on a business mule’s seemingly legitimate actions to bypass any security controls. Anti-fraud technology often focuses on business-to-consumer fraud, so B2B transactions receive less scrutiny. The best method of detecting and preventing a mule from emptying your corporate account is to detect account takeover attempts early, before the money is gone. Early fraud setup activity – such as creating a new (fraudulent) payee – can be detected using anomaly detection technology that monitors account activity from login to logout.

My colleague Craig Priess explains business mule scenarios in this video explaining their tactics. Check back with this blog for the latest cybercrime tools and techniques from our fraud and threat research teams.

Online Banking Fraud News Roundup

2012 started with an explosion of new malware variants. It’s clear already that banking Trojans are propagating at an alarming rate while the ongoing rapid expansion of mobile banking will open a particularly threatening new front in the war on fraud.

Recent industry coverage has only reinforced the continued increase in the overall volume of fraud attacks. In addition, fraudsters are becoming annoyingly adept at covering their tracks with smokescreen methods such as distributed denial-of-service (DDoS) attacks.

What we’re reminded of repeadedly is that financial institutions must be prepared to defend against a wide range of sophisticated attacks plus new schemes that emerge regularly. Here are a few articles that may be of interest as you develop risk mitigation strategies this year:

New Strains of Malware Emerge…

New Mac Malware Exploits Java Bugs to Steal Credentials
Flashback.G is the first Trojan variant of a well-known family of Mac malware to use an attack vector that doesn’t require any user interaction. This new version exploits Java vulnerabilities in Mac’s legacy operating system to keylog usernames and passwords for online payment, banking, and credit card websites.

Citadel Banking Malware Is Evolving and Spreading Rapidly
Malware development has gone open source. Citadel, a new ZeuS variant, is evolving and spreading rapidly because its creators adopted a community-based development model. Each version of Citiadel adds new modules and features, some submitted by “customers” themselves.

Banking Malware Finds New Weakness
A new ZeuS variant called Ice IX (“ice-9”) automates the process of stealing and changing account holder phone numbers to defeat two-factor authentication. Fraudsters are using it to intercept verification phone calls and pose as the customer to approve their own fraudulent transactions.

….While New Attacks Demonstrate Fraudsters’ Perseverence…

Banking Trojan Hijacks Live Chat to Run Real-time Fraud
A new attack on the Shylock malware platform is hijacking live chat sessions to get business banking customers to hand over their credentials or authorize fraudulent transactions. This Man-In-the-Browser assault interrupts an online session to chat up the victim about a “system check” while the cybercrook simultaneously completes the theft in real-time.

New Cyber Scam Is More Polished than Most
More professional and elaborate than most social engineering scams, a realistic-looking shopping scam email disguises its executable payload as a harmless PDF where “your recent order can be viewed.” It’s really a nasty Trojan with bot and keylogging capabilities that steals banking credentials.

New Malware Attacks Target Online Banking
A new Man-In-the-Browser attack tricks users who log into a bank’s real site with an offer of training in a new “upgraded security system.” After stealing account holder funds it changes on-screen balances to hide its activities, rendering evidence of the theft invisible.

…And the Volume of Attacks Continues to Increase.

780 New Malicious Internet Banking Programs Every Day
Kaspersky Labs reported on the recent explosion of banking malware: 1.1 percent of all malicious programs detected – or 780 new programs EACH day – target financial data. A malicious program of this kind is detected on an average of 2,000 unique users’ computers every day.

Mobile Malware Doubled in 2011  
The 2011 Mobile Threats Report from Juniper Networks found that the amount of malware created for mobile devices across all operating systems more than doubled in 2011. 63 percent of the malware found could collect financial information.

Anomaly Detection Demystified [infographic]

In its updated guidance issued June 2011, the FFIEC specifically identified anomaly detection as one of the two minimum components of a layered security program required for any financial institution offering online banking (see page 5!).

We recently released an Anomaly Detection Toolkit to help educate financial institutions on the topic. Here is our infographic on what anomaly detection is, how it works to detect fraud attacks, and how financial institutions can respond to any anomalous, or suspicious, online banking activity. 

We here at Guardian Analytics know a little something about anomaly detection. We’ve pioneered use of this technology to detect online banking fraud, and currently deliver this powerful capability to about 150 banks and credit unions – day in and day out.

If you want to hear this graphic come to life, here’s a video with voiceover that explains the whole process.

(click to enlarge the infographic in a new window)

Anomaly Detection infographic

Mules & Jewels: “Gameover” in 9 Steps

The new “Gameover” malware driving online banking fraud has gotten much attention in the press lately, but I realized that most of it has focused on the distributed denial of service (DDoS) attacks launched by this malware variant to bypass common controls.  Another important element of the total scheme that I think is worth highlighting is a new twist on how criminals are using money mules to “pick up” and move stolen funds.

Fraudsters are getting creative and employing a new, retail-based approach. Why? To decrease the risk of their mules getting caught. They are using high-end jewelry stores to essentially launder their loot.

Here’s how it works:

  1. The fraud victim – typically a business banking customer – gets a phishing email that appears to originate from reputable organizations like the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). When this attack was first launched, all emails appeared to originate from NACHA. The email may claim that there is problem with a recent transaction that requires the user’s attention.
  2. When the link in the email is clicked, the victim is sent to a bogus website and inadvertently downloads a new variant of the notorious ZeuS malware called “Gameover”.
  3. Once infecting the victim’s PC, “Gameover” keylogs all online banking activity and sends stolen account credentials to the criminal.
  4. In a new wrinkle, the criminal employs a DDoS attack to cover their tracks. When the attack begins, the victim’s business may be hit with DDoS to prevent Internet access so they don’t notice the attack and can’t reverse the transaction.
  5. In a more sophisticated version of the scheme, the financial institution is included in the DDoS attack, further decreasing the likelihood of the fraudulent transfers being noticed.
  6. The criminal wires money to a high-end jewelry store and then places an order for precious stones or expensive watches.
  7. A mule physically visits the store to pick up the order.  The jeweler checks their account, sees that the funds are there, and delivers the merchandise to the mule.
  8. The mule may then turn the jewelry over to the fraudster or sell it for cash.
  9. When the fraud is discovered, it can be the account holder or the jewelry store itself that’s hit with the loss.

It’s definitely “game over” for the victims of this fraud scheme.

This use of the Gameover Trojan was recently written up by the FBI and my colleague Craig Priess explains it nicely in a video explaining this attack. Our fraud and threat research teams stay up to date on the latest cybercrime tools and techniques and I hope you will use this blog as a resource for combating fraud at your financial institution.

A Tale of Two Banks (A True Story)

We hear often from our bank and credit union clients about the account takeover and fraud they’ve stopped using our anomaly detection solution, FraudMAP.  Normally the movie plays out roughly the same: fraudster meets bank account, fraudster likes bank account, FraudMAP detects the fraudster’s suspicious or anomalous activity, FI looks like a hero to their account holder, fraudster goes home with no money.

Recently we heard a tale from one of our customers with an interesting twist. At Guardian Analytics we are passionate about the concept of great security AND a great account holder experience.  The plot twist in this fraud story highlights how the right protections can create the right customer experience that builds trust and loyalty. And lack of the right protections creates, well, something very different.

The movie begins with one of our customers, Bank A, a mid-sized bank using FraudMAP that proactively detected suspicious activity in an account.  FraudMAP alerted the bank to unusual behavior before any sort of transaction was initiated.

Based on the suspicious behavior, the bank called the account holder to inquire about the activities.  The account holder confirmed that they had not logged in to their account at that time or from that location. He was thrilled that the bank was proactively looking out for his safety and was able to catch this before any money was moved.

Now for the twist: while they were on the phone discussing next steps, the account holder realized that if his account at Bank A had been compromised, it was likely his account at Bank B had been compromised as well.

He logs into his account at Bank B, a much larger national bank, and discovers that a very large wire transfer had been initiated through his account and released by the bank. He had to make “the call” that far too many banks receive – according to a survey done by ISMG – 76% of FIs find out about fraud from their customers.

One client, two banks. One happy ending, one nightmare.  The FFIEC got it right. In their new Guidance for online banking security, they call for all banks to have anomaly detection as the foundational component of their security strategy.  This account holder’s money was clearly safer in the bank with sophisticated anomaly detection looking for signs of suspicious activity before money leaves the bank.  Powerful protections and a great customer experience can and do co-exist.

Which movie would you star in? The fairy tale? Or the horror story?

August Fraud Roundup

For cyber criminals, security researchers, regulators and financial institutions, there’s been no summer break.  The FFIEC announced a Supplement to its 2005 Authentication Guidance, hackers produced significant volumes of new malware, more businesses lost money and another lawsuit was filed.

With so much going on, we thought we’d use the blog to regularly summarize the hot news. Welcome to our first “Fraud Roundup”:

The FFIEC raised the bar on expectations for layered security, risk assessments and customer education. Following the Supplement’s release, there has been a lot of discussion on the topic of the guidance and layered security.

In recent presentations by the FDIC, OCC and the Federal Reserve Board, the Agencies make one thing very clear about the Supplement: all institutions are expected to have layered security; layered security at a minimum is defined by the capability to detect and respond to anomalous customer behavior at login and initiation of transaction. The Agencies further clarified this is expected for retail and commercial banking and that business accounts.

For more details, resources, and to track what key topics about the Supplement, please visit our FFIEC Resource site.

In March 2010, Village View Escrow of California had its online bank account infiltrated by hackers, suffering $465,000 in losses. The company now has filed a lawsuit in the California Superior Court against its bank. This is the latest in a stream of other recent commercial banking fraud lawsuits.

The fraud losses continue. The latest theft is the latest reminder that cybercriminals are effectively bypassing existing controls.

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

End users aren’t getting any relief. A Cisco study finds that cyber fraud has shifted from mass, generalized attacks to very specific spear phishing hits that harness stolen user information to dupe unwitting consumers (such as bank customers and cardholders) into divulging account information.

Security experts are expecting a surge in SpyEye attacks this year, after the license key to SpyEye, the top rival to the ZeuS banking Trojan, was exposed. Hackers started making versions of SpyEye available for $100 (down from $10,000), making the Trojan kit much more readily available to criminal gangs. More than 2.2M computers are estimated to be infected and under the control of SpyEye botnets.

McAfee reports that the Android was the most popular target for malware developers in Q2 2011. Researchers highlight mobile crimeware on the Android that forwards SMS messages, a technique to thwart out of band authentication and verification.

 

 

About Guardian Analytics

Guardian Analytics is the technology leader in the prevention of online account fraud, providing real-time risk management solutions that protect online channels. The company supports the end-to-end online risk management process with rich analytics and behavior-based modeling. We offer an analytics-based software solution that addresses the entire risk management lifecycle.