Beyond the Patch – Heartbleed Drives New Security Requirements

In the last 18 months we have seen some of the largest data breaches ever, and now the Heartbleed bug further erodes the small amount of remaining trust we might have had that sensitive information and access to critical systems are protected. Given the scope of the hardware and software impacted by the Heartbleed bug and the time it will take to address it, companies and consumers are exposed more than ever to criminal attacks, even after patches are in place, new keys are issued and passwords are reset.

The impact of Heartbleed, the massive number of identities exposed in 2013 through data breaches – 552M – and the ongoing attacks on our sensitive information and systems will be long term and far reaching, ultimately requiring a rethinking of the fundamentals we use to protect ourselves and our customers.

The flaw and its successful exploitation call into question the effectiveness of the controls and tools enterprises use to detect attacks on consumer accounts and corporate networks. At the heart of the issue:

  1. The bug exposes information used to validate users – usernames, passwords, personal information, payment information, health and medical information.
  2. The bug allows criminals to attack and hijack traffic to gain access to networks and systems.
  3. It is unknown how much information has already been exposed and how long internal systems will take to patch.

Given these, criminals can successfully access consumer applications and corporate networks and go undetected by most common authentication, network and security controls. With access to credentials, authentication-related information and network traffic, criminals will look just like legitimate users – no malware used, no other attacks on networks or servers needed.

Companies can no longer have confidence that users (consumers, employees, vendors, partners) are who they say they are.

The immediate focus has naturally been on stopping the bleeding through patches, new keys and password changes. While the majority of websites have been fixed, enterprises face the daunting task of identifying all of the software and equipment exposed and implementing patches. In the meantime, they are exposed.

Enterprises, therefore, need to think “beyond the patch” and also implement a more comprehensive, effective and resilient change to their approach to securing access to applications and systems. In the wake of this flaw, malware detection, network monitoring, sandboxing, and authentication all fail to detect the unauthorized access. Companies cannot rely on looking for known patterns of bad actors – they won’t find any. Rather, they need to start with the perceived good actor and look for anomalies in their behavior as a signal of unauthorized access.

Bad actors hide behind legitimate credentials – but behavior never lies.

Companies at the forefront of security have already adopted user based behavioral analytics to strengthen consumer and corporate security. The Heartbleed bug means this approach is a new fundamental security requirement for all.


Were forgotten passwords really forgotten? Or were they never known in the first place?

While fraudsters continually develop new schemes, they also persist in using older techniques that have proven to be effective. Our latest Fraud Informer, Fake Forgetfulness Flags Fraud, describes how criminals are defeating authentication by using a feature that is available on every online banking system: the Forgotten Password reset.

Our fraud intelligence group has witnessed ongoing attacks against hundreds of retail clients plus a smaller number of commercial accounts at over 50 banks and credit unions. The pattern is very similar across all of them, and surprisingly, the attacks don’t include transactions.

This scheme is a good reminder of two important factors in detecting fraud attacks: 1) fraudsters can defeat authentication, and 2) you can’t detect fraud by only monitoring transactions. Make no mistake, this is fraud. And to detect it and prevent resulting offline fraudulent transactions you have to be monitoring the behavior taking place during online banking sessions.

Read on in the full Fraud Factor.

Fraudulent Needles in ACH Haystacks

We’ve been talking with a wide variety of financial institutions for a number of weeks leading up to the announcement of our latest anomaly detection solution, FraudMAP ACH. We’ve heard story after story of the time consumed by staff manually combing through exception reports or Excel spreadsheets looking for the high-risk transactions or batches in a growing and increasingly dynamic stack of ACH payments. We’ve heard of the complexities of staff trying to maintain “fraud rules” or waiting for their vendors to do it for them.

And it’s only going to get harder. As criminals tamper more deftly with ACH files, batches and transactions, they will more readily bypass caps, limits, and calendar validations. Realistically, it is becoming more and more untenable for operational staff to hunt and peck for fraud in the manner in which they do today. The fraudulent needles are getting smaller as the haystack of payments is growing larger.

In an infographic that we just released, we call out the four levels of fraud infiltration. You’ll see as you study the diagram that criminals are moving further and further into the files, making traditional “hunting and pecking” approaches to finding fraud an unsustainable model.

Here’s a sneak peek at the four levels.

  • LEVEL ONE – Fraudster submits a new ACH Batch file, all of which is fraudulent. Fraudulent files may or may not violate caps or calendar rules.
  • LEVEL TWO – Fraudster breaks into an existing batch file and adds new payments, which changes the number of transactions in the file and the total amount of all transactions in the file. Files may still be below established caps/limits.
  • LEVEL THREE – Fraudster breaks into an existing batch file and adds some new credit transactions (steals some money), but simultaneously adds some new debit transactions that leave the total dollar movement for the file as a whole unchanged.
  • LEVEL FOUR – Fraudster breaks into an existing batch file and edits specific parts of existing transactions (e.g. The payee account number), which leaves the number of transactions and the total dollar movement for the file as a whole unchanged.
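As an added example (not Guardian Analytics code, and not the real NACHA file layout), a simplified batch model showing why a net-dollar cap passes level three and level four tampering while a per-originator baseline of payees and destination accounts flags both. The entry layout, amounts and account numbers are all constructed.

```python
# Added example, not Guardian Analytics code. The batch layout is a constructed
# stand-in for illustration, not the real NACHA record format.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Entry:
    payee_id: str      # who the originator intends to pay (constructed id)
    account: str       # destination account number (constructed)
    kind: str          # "credit" (money out) or "debit" (money pulled in)
    amount_cents: int


def net_movement(batch: List[Entry]) -> int:
    """Total dollar movement for the file as a whole: credits minus debits."""
    return sum(e.amount_cents if e.kind == "credit" else -e.amount_cents
               for e in batch)


def cap_check(batch: List[Entry], cap_cents: int) -> bool:
    """The traditional control: does the file's net movement stay under the cap?"""
    return net_movement(batch) <= cap_cents


class OriginatorProfile:
    """Per-originator baseline learned from batches already known to be good."""

    def __init__(self) -> None:
        self.accounts_by_payee: Dict[str, Set[str]] = {}
        self.counts: List[int] = []

    def learn(self, batch: List[Entry]) -> None:
        self.counts.append(len(batch))
        for e in batch:
            self.accounts_by_payee.setdefault(e.payee_id, set()).add(e.account)

    def findings(self, batch: List[Entry]) -> List[str]:
        """Entry-level anomalies; an empty list means nothing looks unusual."""
        out: List[str] = []
        if self.counts and not (min(self.counts) <= len(batch) <= max(self.counts)):
            out.append(f"entry count {len(batch)} outside observed range "
                       f"{min(self.counts)}-{max(self.counts)}")
        for e in batch:
            known = self.accounts_by_payee.get(e.payee_id)
            if known is None:
                out.append(f"{e.kind} to never-seen payee {e.payee_id}")
            elif e.account not in known:
                out.append(f"payee {e.payee_id} rerouted to new account {e.account}")
        return out


# Constructed history: the same two-employee payroll batch, sent twice before.
PAYROLL = [Entry("EMP-1", "ACC-1111", "credit", 120_000),
           Entry("EMP-2", "ACC-2222", "credit", 95_000)]
PROFILE = OriginatorProfile()
PROFILE.learn(PAYROLL)
PROFILE.learn(PAYROLL)
CAP_CENTS = 300_000

# Level three: a credit to a mule plus an offsetting debit; net movement unchanged.
LEVEL3 = PAYROLL + [Entry("VENDOR-X", "ACC-MULE", "credit", 60_000),
                    Entry("EMP-1", "ACC-1111", "debit", 60_000)]
# Level four: same entry count, same amounts, EMP-2's account number swapped.
LEVEL4 = [PAYROLL[0], Entry("EMP-2", "ACC-MULE", "credit", 95_000)]


def review(batch: List[Entry]) -> Dict[str, object]:
    """What the cap check says next to what the behavioral baseline says."""
    return {"cap_passed": cap_check(batch, CAP_CENTS),
            "net_cents": net_movement(batch),
            "findings": PROFILE.findings(batch)}


if __name__ == "__main__":
    for name, batch in (("clean", PAYROLL), ("level3", LEVEL3), ("level4", LEVEL4)):
        print(name, review(batch))
```

Both tampered batches keep the net movement at 215,000 cents and pass the cap, yet each produces at least one finding from the baseline.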

Guardian Analytics was founded to turn online banking fraud prevention upside down. Using behavioral analytics, our solution has turned two hundred financial institutions into highly proactive organizations that have high-risk activity detected FOR them before money leaves the bank. With FraudMAP ACH, we are again fundamentally changing how FIs manage their risk, this time by applying our proven anomaly detection capabilities to ACH transactions. Regardless of how deep the criminals go, or how stealthy they are, FraudMAP ACH will surface any unusual activity and prioritize it for review. No more hunting and pecking. The needles stand out bright red no matter how big you


PATCO ACH Fraud Ruling – Lessons Learned

As you’ve probably read by now, on July 3 the First Circuit Court of Appeals in Boston ruled in favor of PATCO in their lawsuit against Ocean Bank over fraud losses, reversing the U.S. District Court’s 2011 judgment that favored the bank. Rather than merely rehashing the ruling, I’d like to offer some lessons learned and thoughts on how financial institutions can respond.

Where this all began – a fraud attack

In a series of 6 fraudulent ACH transfers in 2009, fraudsters were able to drain $580,000 out of PATCO’s commercial account with the former Ocean Bank (now People’s United Bank). The bank was able to recover $243,000, leaving approximately $340,000 in losses.

The Initial Ruling

In 2010 PATCO filed suit against Ocean Bank to recover its losses. In the original ruling in August 2011, the District Court ruled in favor of Ocean Bank, stating that the bank did, in its opinion, have “commercially reasonable” security in place. This opinion stemmed primarily from the fact that PATCO had signed a contract with the bank agreeing to the security procedures at the bank and also that the bank had a common security solution in place.

With that said, the ruling did go out of its way to note that the bank probably should have detected the unusual activity, since it was so unusual relative to PATCO’s typical behavior.

The Reversal on Appeal

Interestingly, the appellate court took a much broader view of what a “commercially reasonable” security solution offered and paid greater attention to the bank’s actions in utilizing the technology solutions that they had in place, not just the technology itself.

Here are some notable examples from the latest ruling:

  • The bank used what the court calls a “one-size-fits-all” approach to monitoring and authenticating transactions. All ACH and wire transactions over $1 triggered a challenge question. The original intent was to increase security, but the actual impact was an increase in the chance that the response would be compromised, ultimately weakening this defense.
  • The bank had the ability to monitor high-risk transactions through its transaction-profiling and risk-scoring system, but chose not to do so. As one example, Ocean Bank’s scoring system gave the first fraudulent transaction a risk score of 790; PATCO’s usual risk scores ranged between 10 and 214.
  • The fraudulent ACH transfers out of PATCO’s account went to numerous individuals PATCO had never paid before. The perpetrators also logged in from devices and IP addresses never used by PATCO.

“The payment orders at issue were entirely uncharacteristic of PATCO’s ordinary transactions,” the ruling states. “These collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable.”
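As an added illustration, not code from the ruling or from Guardian Analytics, the session signals the court listed (a never-used device and IP address, payees never paid before, amounts far outside the customer’s usual range) combined into a risk score that is judged against the customer’s own past scores rather than against one global line. Weights, thresholds, customer histories and sessions are all constructed.

```python
# Added example, not code from the ruling or from Guardian Analytics.
# Weights, thresholds, histories and sessions are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Session:
    device_id: str
    ip: str
    payees: frozenset      # destination accounts paid during the session
    total_cents: int       # total moved during the session


@dataclass
class CustomerHistory:
    devices: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    payees: Set[str] = field(default_factory=set)
    totals: List[int] = field(default_factory=list)
    scores: List[int] = field(default_factory=list)   # scores of past sessions


# Constructed weights; a real system would fit these to observed fraud.
WEIGHTS = {"new_device": 200, "new_ip": 100, "new_payee": 120, "amount_spike": 220}


def score_session(hist: CustomerHistory, s: Session) -> Tuple[int, List[str]]:
    """Additive risk score built from the signals the ruling lists."""
    reasons: List[str] = []
    if s.device_id not in hist.devices:
        reasons.append("new_device")
    if s.ip not in hist.ips:
        reasons.append("new_ip")
    reasons += ["new_payee"] * len(s.payees - hist.payees)
    if hist.totals and s.total_cents > 3 * max(hist.totals):
        reasons.append("amount_spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def exceeds_customer_baseline(hist: CustomerHistory, score: int,
                              factor: float = 2.0) -> bool:
    """Alert on this customer's own observed range, not on one global line."""
    if not hist.scores:
        return score > 0
    return score > factor * max(hist.scores)


def decide(hist: CustomerHistory, s: Session,
           global_threshold: int = 500) -> Dict[str, object]:
    """Compare a one-size-fits-all threshold with the per-customer one."""
    score, reasons = score_session(hist, s)
    return {"score": score, "reasons": reasons,
            "global_alert": score > global_threshold,
            "customer_alert": exceeds_customer_baseline(hist, score)}


# Constructed profiles. The small business has a quiet, repetitive history.
SMALL_BIZ = CustomerHistory(devices={"pc-office"}, ips={"203.0.113.10"},
                            payees={"ACC-PAYROLL", "ACC-VENDOR-1"},
                            totals=[50_000, 120_000, 200_000],
                            scores=[10, 40, 214])
# The large firm onboards vendors and logs in from the road all the time.
BIG_CORP = CustomerHistory(devices={"pc-1", "pc-2"}, ips={"198.51.100.5"},
                           payees={"ACC-V1", "ACC-V2", "ACC-V3"},
                           totals=[4_000_000, 5_500_000],
                           scores=[300, 480, 620])

NORMAL = Session("pc-office", "203.0.113.10", frozenset({"ACC-PAYROLL"}), 110_000)
# Unknown device and IP, two never-paid payees, ten times the usual total.
FRAUD = Session("pc-unknown", "192.0.2.77",
                frozenset({"ACC-MULE-1", "ACC-MULE-2"}), 2_000_000)
# Routine for the large firm: a new laptop, a hotel IP, two new vendors.
ROUTINE = Session("laptop-9", "192.0.2.200",
                  frozenset({"ACC-V4", "ACC-V5"}), 3_000_000)

if __name__ == "__main__":
    print("small biz, normal:", decide(SMALL_BIZ, NORMAL))
    print("small biz, fraud: ", decide(SMALL_BIZ, FRAUD))
    print("big corp, routine:", decide(BIG_CORP, ROUTINE))
```

The large firm’s routine session crosses the global line and would be challenged under a one-size-fits-all policy, while the small business’s fraudulent session is the only one that stands out against its own baseline.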

I’m not trying to paint Ocean Bank as a ‘bad guy’ but rather to express a challenge the whole industry is facing. With criminal attacks growing more stealthy and more speedy every day, and without the right tools to pinpoint the bad actors, it is difficult for any bank to stay on top of the ever-growing online and mobile activity.

Lessons Learned

With that said, here are a few takeaways from this whole situation.

  • Having a lot of technology is not enough. The courts are setting the stage that they will look for how the use of technology impacts the overall security.
  • The courts are shifting expectations of banks. Taken in conjunction with two other high-visibility lawsuits – EMI v. Comerica and Village View Escrow v. Professional Business Bank – the courts are expanding what is expected of financial institutions, or at least setting precedents that define terms such as “reasonable security” or “good faith”. In both cases with judgments, the courts mention that the banks should have been able to detect the fraudulent activity because it was so unusual relative to typical customer behavior.
  • “One size fits all” doesn’t work. Security solutions and policies must be dynamic and tuned to each customer, situation, transaction, or online banking session. In other words, financial institutions need better tools to avoid having to consider such a “one size fits all” approach. On this point Gartner’s Avivah Litan commented, “Small banks just don’t have any resources to monitor 15-20 percent of the log-ins every day; they need better tools.”
  • Monitor. Monitor. Monitor. The fraudsters are clever and sophisticated, and unfortunately, financial institutions cannot let up for a minute. In the PATCO case, the fraudsters got through user ID & password, cookie-based device authentication, IP address profiling, challenge questions, and risk scoring, which taken together satisfied the “commercially reasonable” litmus test. And while fraudsters have repeatedly demonstrated the ability to surmount these defenses, financial institutions stand a better chance of detecting fraud only when they are actively monitoring activities and alerts.
  • Total losses are much higher than the fraudulent transfer. While the ruling did not award specific damages, instead simply encouraging the two parties to settle out of court, the legal costs, productivity losses, and negative PR dwarf the nominal fraud loss.

What’s a Financial Institution to Do?

I doubt anyone would debate that fraud prevention is a responsibility shared between the financial institution and their commercial clients. And when things go bad, it’s clearly a point of contention – often a severely divisive one – as to how this responsibility is shared. I encourage bankers to thoroughly consider how they can use the lessons learned from this case to do their part, and maybe even more than their part.

In today’s competitive, tight-margin banking environment, this ruling suggests to me an opportunity to use security as a differentiator to win new accounts and expand services (i.e. increase revenue). This is the ideal time to first put in place truly effective fraud prevention solutions across online, mobile and ACH channels, and then feature your commitment to preventing fraud in your communications to customers and prospects. And there are modern tools available that deliver efficient and effective fraud prevention.

Your business clients are not experts in security, which is why they are under attack from criminals. And again, security today is a shared responsibility, but the reality is that they are dependent upon you, their banking institution, and they (quite reasonably) expect you to be an expert (keep an eye out for more stats on this from our upcoming business banking trust study).

So, I encourage you to be the expert. Put in place outstanding layered security with the people and policies to ensure it works as designed. And then use that investment to gain new business and improve customer trust, loyalty, and longevity.

New Online Banking Attacks – Criminals in the Cloud

Today, the Guardian Analytics Fraud Intelligence team and McAfee released a joint fraud report, “Dissecting Operation High Roller,” describing a new generation of attacks against online banking. Criminals are evolving Man-in-the-Browser schemes to move execution of key criminal activity away from the PC and into the cloud, using new servers dedicated to automating and executing fraudulent transactions. The attacks described in the report target the elite – commercial accounts and high net worth consumers – in Europe, Latin America and the United States, hence the name “Operation High Roller.”

Criminals in the Cloud – Disguise and Adaptability
In “server-side attacks” the fraudsters use automated logic on a server in the cloud to identify targets and subsequently compromise the account, find mules, initiate transactions and mask account balances. This is a new server in the criminals’ arsenal, purpose-built and solely dedicated to processing fraudulent transactions (unlike typical multi-purpose botnet servers used for spam, DDoS, credential harvesting). This means fewer signals for researchers or detection tools to find.

With server-based attacks, criminals are highly adaptable. They can readily modify their attack code to adapt to any workflow or security changes at a financial institution and dynamically adjust communications to clients as servers are moved around, without having to update code on every infected client.

Targeting the Elite Across the Globe
This fraud campaign started with automated attacks against wealthy consumers in Italy (balances of €200,000-€500,000) and then evolved to use server-side automated attacks against businesses in the Netherlands, Germany, Colombia and the US. The most recent attacks started in March with a new evolution – criminals employed a hybrid automated/manual scheme targeting high-balance U.S. businesses (assets in the tens of millions of dollars). Overall, the limited, targeted approach creates a highly favorable risk-reward scenario for the criminals: big payoffs with reduced chances of detection.

A few key takeaways for the industry:

  • Criminals are not sitting still: they are continually innovating their attacks to increase their paydays and reduce detection.
  • Every financial institution should be prepared for this and other attacks: The attacks hit financial institutions of all sizes, including community banks and credit unions in the United States that use common online banking platforms.
  • The industry needs collaboration on threat research: By working together, as McAfee and Guardian Analytics did on this project, we can improve the industry’s ability to understand and quickly detect new schemes and alert the rest of the industry and law enforcement.
  • Criminals still look like criminals, not like real users: Despite the sophistication of these attacks, behavior-based anomaly detection solutions like FraudMAP will still detect the subtle differences in behavior that can tip off FIs that a specific banking session may be a fraud attack, not the legitimate account holder.

Read the full report: Dissecting Operation High Roller

Beware the Business Mule: Why Commercial Payees Merit Vigilance

Fraudsters increasingly are targeting the larger account balances of commercial banking customers and hiding behind the more frequent account activity present in business-to-business transactions. The large, frequent fund movements common between organizations are making fraud harder to detect by financial institutions until the money is gone. As with consumer banking fraud schemes, the crooks rely on money mules to break the final bottleneck – getting the money out. However, because of the complexity of corporate transactions, fraudsters are employing human actors earlier in the process… and closer than ever to the victimized company.

Lately our fraud researchers have noticed a disturbing trend toward “inside jobs” – schemes that rely on money mules recruited from within the legitimate business’s own employee ranks. Enlisting them is difficult, so mule handlers offer higher commissions to their traitorous partners. The more common commercial account fraud method is the use of professional mules who set up fictitious companies specifically to receive stolen payouts.

Corporate account credentials command a higher price on the criminal black market. Why? Business-to-business accounts typically transfer higher dollar amounts, more frequently, than retail accounts. International transfers are easier. Repetitive transactions in a short period of time are easier. These realities all provide more incentive for business mules to complete fraudulent transfers… again and again. Repeat use of business mules is becoming disturbingly common.

These witting mules are hard to detect. The fraudster is relying on a business mule’s seemingly legitimate actions to bypass any security controls. Anti-fraud technology often focuses on business-to-consumer fraud, so B2B transactions receive less scrutiny. The best method of detecting and preventing a mule from emptying your corporate account is to detect account takeover attempts early, before the money is gone. Early fraud setup activity – such as creating a new (fraudulent) payee – can be detected using anomaly detection technology that monitors account activity from login to logout.

My colleague Craig Priess explains business mule scenarios in this video explaining their tactics. Check back with this blog for the latest cybercrime tools and techniques from our fraud and threat research teams.

Online Banking Fraud News Roundup

2012 started with an explosion of new malware variants. It’s clear already that banking Trojans are propagating at an alarming rate while the ongoing rapid expansion of mobile banking will open a particularly threatening new front in the war on fraud.

Recent industry coverage has only reinforced the continued increase in the overall volume of fraud attacks. In addition, fraudsters are becoming annoyingly adept at covering their tracks with smokescreen methods such as distributed denial-of-service (DDoS) attacks.

What we’re reminded of repeatedly is that financial institutions must be prepared to defend against a wide range of sophisticated attacks plus new schemes that emerge regularly. Here are a few articles that may be of interest as you develop risk mitigation strategies this year:

New Strains of Malware Emerge…

New Mac Malware Exploits Java Bugs to Steal Credentials
Flashback.G is the first Trojan variant of a well-known family of Mac malware to use an attack vector that doesn’t require any user interaction. This new version exploits Java vulnerabilities in Mac’s legacy operating system to keylog usernames and passwords for online payment, banking, and credit card websites.

Citadel Banking Malware Is Evolving and Spreading Rapidly
Malware development has gone open source. Citadel, a new ZeuS variant, is evolving and spreading rapidly because its creators adopted a community-based development model. Each version of Citadel adds new modules and features, some submitted by “customers” themselves.

Banking Malware Finds New Weakness
A new ZeuS variant called Ice IX (“ice-9”) automates the process of stealing and changing account holder phone numbers to defeat two-factor authentication. Fraudsters are using it to intercept verification phone calls and pose as the customer to approve their own fraudulent transactions.

…While New Attacks Demonstrate Fraudsters’ Perseverance…

Banking Trojan Hijacks Live Chat to Run Real-time Fraud
A new attack on the Shylock malware platform is hijacking live chat sessions to get business banking customers to hand over their credentials or authorize fraudulent transactions. This Man-In-the-Browser assault interrupts an online session to chat up the victim about a “system check” while the cybercrook simultaneously completes the theft in real-time.

New Cyber Scam Is More Polished than Most
More professional and elaborate than most social engineering scams, a realistic-looking shopping scam email disguises its executable payload as a harmless PDF where “your recent order can be viewed.” It’s really a nasty Trojan with bot and keylogging capabilities that steals banking credentials.

New Malware Attacks Target Online Banking
A new Man-In-the-Browser attack tricks users who log into a bank’s real site with an offer of training in a new “upgraded security system.” After stealing account holder funds it changes on-screen balances to hide its activities, rendering evidence of the theft invisible.

…And the Volume of Attacks Continues to Increase.

780 New Malicious Internet Banking Programs Every Day
Kaspersky Labs reported on the recent explosion of banking malware: 1.1 percent of all malicious programs detected – or 780 new programs EACH day – target financial data. A malicious program of this kind is detected on an average of 2,000 unique users’ computers every day.

Mobile Malware Doubled in 2011
The 2011 Mobile Threats Report from Juniper Networks found that the amount of malware created for mobile devices across all operating systems more than doubled in 2011. 63 percent of the malware found could collect financial information.

Anomaly Detection Demystified [infographic]

In its updated guidance issued June 2011, the FFIEC specifically identified anomaly detection as one of the two minimum components of a layered security program required for any financial institution offering online banking (see page 5!).

We recently released an Anomaly Detection Toolkit to help educate financial institutions on the topic. Here is our infographic on what anomaly detection is, how it works to detect fraud attacks, and how financial institutions can respond to any anomalous, or suspicious, online banking activity. 

We here at Guardian Analytics know a little something about anomaly detection. We’ve pioneered use of this technology to detect online banking fraud, and currently deliver this powerful capability to about 150 banks and credit unions – day in and day out.

If you want to hear this graphic come to life, here’s a video with voiceover that explains the whole process.

Anomaly Detection infographic

Mules & Jewels: “Gameover” in 9 Steps

The new “Gameover” malware driving online banking fraud has gotten much attention in the press lately, but I realized that most of it has focused on the distributed denial of service (DDoS) attacks launched by this malware variant to bypass common controls.  Another important element of the total scheme that I think is worth highlighting is a new twist on how criminals are using money mules to “pick up” and move stolen funds.

Fraudsters are getting creative and employing a new, retail-based approach. Why? To decrease the risk of their mules getting caught. They are using high-end jewelry stores to essentially launder their loot.

Here’s how it works:

  1. The fraud victim – typically a business banking customer – gets a phishing email that appears to originate from reputable organizations like the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). When this attack was first launched, all emails appeared to originate from NACHA. The email may claim that there is a problem with a recent transaction that requires the user’s attention.
  2. When the link in the email is clicked, the victim is sent to a bogus website and inadvertently downloads a new variant of the notorious ZeuS malware called “Gameover”.
  3. Once infecting the victim’s PC, “Gameover” keylogs all online banking activity and sends stolen account credentials to the criminal.
  4. In a new wrinkle, the criminal employs a DDoS attack to cover their tracks. When the attack begins, the victim’s business may be hit with DDoS to prevent Internet access so they don’t notice the attack and can’t reverse the transaction.
  5. In a more sophisticated version of the scheme, the financial institution is included in the DDoS attack, further decreasing the likelihood of the fraudulent transfers being noticed.
  6. The criminal wires money to a high-end jewelry store and then places an order for precious stones or expensive watches.
  7. A mule physically visits the store to pick up the order. The jeweler checks their account, sees that the funds are there, and delivers the merchandise to the mule.
  8. The mule may then turn the jewelry over to the fraudster or sell it for cash.
  9. When the fraud is discovered, it can be the account holder or the jewelry store itself that’s hit with the loss.

It’s definitely “game over” for the victims of this fraud scheme.

This use of the Gameover Trojan was recently written up by the FBI and my colleague Craig Priess explains it nicely in a video explaining this attack. Our fraud and threat research teams stay up to date on the latest cybercrime tools and techniques and I hope you will use this blog as a resource for combating fraud at your financial institution.

A Tale of Two Banks (A True Story)

We hear often from our bank and credit union clients about the account takeover and fraud they’ve stopped using our anomaly detection solution, FraudMAP. Normally the movie plays out roughly the same: fraudster meets bank account, fraudster likes bank account, FraudMAP detects the fraudster’s suspicious or anomalous activity, FI looks like a hero to their account holder, fraudster goes home with no money.

Recently we heard a tale from one of our customers with an interesting twist. At Guardian Analytics we are passionate about the concept of great security AND a great account holder experience. The plot twist in this fraud story highlights how the right protections can create the right customer experience that builds trust and loyalty. And lack of the right protections creates, well, something very different.

The movie begins with one of our customers, Bank A, a mid-sized bank using FraudMAP that proactively detected suspicious activity in an account. FraudMAP alerted the bank to unusual behavior before any sort of transaction was initiated.

Based on the suspicious behavior, the bank called the account holder to inquire about the activities. The account holder confirmed that they had not logged in to their account at that time or from that location. He was thrilled that the bank was proactively looking out for his safety and was able to catch this before any money was moved.

Now for the twist: while they were on the phone discussing next steps, the account holder realized that if his account at Bank A had been compromised, it was likely his account at Bank B had been compromised as well.

He logged into his account at Bank B, a much larger national bank, and discovered that a very large wire transfer had been initiated through his account and released by the bank. He had to make “the call” that far too many banks receive – according to a survey done by ISMG, 76% of FIs find out about fraud from their customers.

One client, two banks. One happy ending, one nightmare. The FFIEC got it right. In their new Guidance for online banking security, they call for all banks to have anomaly detection as the foundational component of their security strategy. This account holder’s money was clearly safer in the bank with sophisticated anomaly detection looking for signs of suspicious activity before money leaves the bank. Powerful protections and a great customer experience can and do co-exist.

Which movie would you star in? The fairy tale? Or the horror story?

About Guardian Analytics

Guardian Analytics is the technology leader in the prevention of online account fraud, providing real-time risk management solutions that protect online channels. The company supports the end-to-end online risk management process with rich analytics and behavior-based modeling. We offer an analytics-based software solution that addresses the entire risk management lifecycle.