Transcript of Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference -...
7/31/2019 Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation
http://slidepdf.com/reader/full/banking-systems-security-and-fraud-analysis-by-michalis-mavis-during-icompetences 1/50
Information Systems Fraud & Security Analysis
by Michalis Mavis, MSc, MSc. Chairman of Hellenic Fraud Forum
M-Commerce
Banking, Finance & Insurance
The current landscape
• The landscape today is characterized by convergence of IT, Telecom, Entertainment and Financial services.
• There is an explosive growth of smartphone capabilities, including banking transactions and payment possibilities, now performed basically by various types of cards (credit/debit, magnetic, chip cards, etc.).
• Some countries, also in Africa, have already applied mobile commerce technologies.
• Fraudsters are already present... in all banking activities.
Agenda
• Specific security risks in banking systems & m-commerce threats will be described.
• Business cases of relevant attacks and fraudulent activities will be given.
• Conclusions & recommendations.
M-Commerce & Micropayments
• According to the MPF (Mobile Payment Forum) mobile commerce is applicable to both
  – micro (<$10) and
  – macro (>$10) payments,
  both in a proximity and remote payment context.
• Most people have already experienced simple m-commerce transactions like ring tone or wallpaper download for their mobile phone.
• Banks face new security and fraud challenges requiring changes in the mode of operations.
Definitions according to
• M-Commerce
  Electronic purchase of hard or soft goods, using a mobile telecom device where the mobile operator has full/partial financial stake/liability/responsibility.
• Micro-payments
  A micro-payment is defined as a low cost transaction (typically ranging from a few cents up to 10 Euro), for a physical or digital item bought via or downloaded-recorded onto a mobile device and paid in a cash equivalent (i.e. a prepaid phone account, stored value account or phone bill).
• M-Wallet
  A payment platform from which subscribers can pay for M-commerce transactions. Commonly set up with a top-up arrangement from the subscriber's bank or credit card.
M-Commerce customer benefits
Mobile infrastructure provides the platform for financial services, giving a lot of benefits to the customers.
– There is no need to carry cash. It is cheap, fast and secure to send money over distances.
– Security is provided in various ways (PIN, chip set, etc.).
– There is a user friendly interface.
– Convenience: deposit / withdraw money or pay bills without having to move or prepare a cheque.
The vision
• Within the next years, the majority of mobile devices (especially smartphones) will be capable of supporting mobile banking transactions without important technical modification.
• In this way, they will be able to securely authenticate the account holder (e.g. "credit card" owner) to the "bank card" issuer.
M-commerce General info
• Content types
  – "Soft" products: media, video clips, pre-paid accounts, etc.
  – "Hard" products at POS: supermarkets, parking, tickets, vending machines.
  – "Hard" products with shipment: e.g. books, appliances.
• Payment methods
  – Via the monthly phone bill or Prepaid account.
  – M-commerce application, i.e. M-wallet.
  – Credit or debit card.
Proximity payment technology
• With the new generation of smartphones and mobile networks there is an increase of mobile internet banking operations.
• The key driver for growth is the proximity NFC payment technology (based on RFID, contactless systems).
• The embedded chip and antenna enable consumers to wave their card over a reader at the point of sale.
Cyber Crime increase
• Cyber crime is a growing phenomenon in diversity and sophistication.
• Hackers are already present in Mobile banking operations.
• POS, ATM Systems are targeted by various criminal groups with high tech capabilities.
Threats and various risks to Finance Critical Infrastructures
Initial step
• Some well known threats used to penetrate security of banking systems.
  – Initial step: SQL injection (one of the most common attack methods).
  – Criminals then try to steal data from databases including log-in user-id / passwd and other payment card information.
• Various types of vulnerabilities are exploited.
SQL injection
• A successful SQL injection attack enables a malicious user to execute commands in your application's database by using the privileges granted to your application's login.
• The problem is more severe if your application uses an over-privileged account to connect to the database.
A recent case
• A bank employee in cooperation with cyber criminals hacked the bank corporate network in the following way:
  – A USB stick including a WiFi unit was inserted in the bank server, by the bank employee (internal fraud).
  – The criminals in the car outside the bank hacked the bank network immediately.
Other types of attacks
• Common types of attacks include:
  – Cross-site scripting.
  – Click-jacking.
  – Skimming.
  – Phishing attacks.
  – Other IT infrastructure attacks.
Cross-site scripting (XSS)
• XSS is a type of computer security vulnerability typically found in web applications, that enables attackers to inject client-side script into Web pages viewed by other users.
• By finding ways of injecting malicious scripts into web pages, an attacker can gain access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
• Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec, as of 2007. (Wiki)
Click-jacking
• A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link.
• On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. (Wiki)
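The XSS slide above and this clickjacking slide are both addressed on the server by what goes into the response, so one added Python example (not code from the presentation) covers both. The greeting template, the header set and the checker are assumptions: an untrusted value is HTML-encoded before it is placed in the page, and framing is refused with a Content-Security-Policy frame-ancestors directive plus the older X-Frame-Options header; the checker classifies any response's headers so a reviewer can see which pages still allow the transparent-overlay trick.

```python
import html

# Assumed hardened header set for a banking page (not from the slides).
SECURE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def render_greeting_vulnerable(display_name):
    """Untrusted value inserted verbatim: any markup in it becomes part
    of the page, which is the XSS condition the slide describes."""
    return f"<p>Welcome back, {display_name}</p>"


def render_greeting(display_name):
    """Same template with HTML encoding. html.escape turns < > & \" ' into
    entities, so the value can only be displayed, never parsed as markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def framing_policy(headers):
    """Classify a response's anti-framing posture from its headers:
    'denied'     no site may frame the page
    'restricted' only listed origins (or the same origin) may frame it
    'open'       nothing stops a transparent overlay
    A CSP frame-ancestors directive wins over X-Frame-Options, as in
    browsers; header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            return "denied" if sources == ["'none'"] else "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "restricted"
    return "open"


def build_response(display_name):
    """Assemble the hardened headers and the encoded body for the page."""
    return SECURE_HEADERS.copy(), render_greeting(display_name)


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed hostile display name
    print(render_greeting_vulnerable(sample))
    print(render_greeting(sample))
    print(framing_policy(SECURE_HEADERS), framing_policy({}))
```

Encoding at the point of output is what prevents the injected script from reaching the cookies and page content the XSS slide mentions; the framing headers deny the hidden page the clickjacking slide describes a place to load.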
Skimming
• Skimming includes theft of credit card information used in an otherwise legitimate transaction.
• Sometimes, but not always, it is an "inside job" by a dishonest employee.
• The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account.
To which account to transfer the money?
• They are not so crazy to transfer the money to an account that was opened under their name (with their ID-card or passport).
• They are using other more advanced techniques so that they may get the money without being traced.
• How is it possible?
How to transfer money without traces?
• The fraudsters build a web site pretending they are a big company looking for new employees.
• They provide forms to be filled in by candidates.
• Then a candidate (victim-2) is "employed" by the "company" and he is getting his first advance salary (this is money taken from victim-1).
• He is asked to keep a part of the money and send the rest to another location.
The money path is lost!
• Victim-2 is asked to use Western Union or Moneygram money transfer systems (outside the normal banking sector), so that anybody with a false ID-card or passport may get the money.
• The money path is lost and there is no way to find out who actually got the money!
• The money went somewhere in Africa...
Victim against Victim
• Victim-1 finds out his money is gone from his bank account.
• He asks assistance from the police.
• Following a short investigation victim-2 is arrested.
• There is no possibility for victim-2 to prove that he is not guilty. He sent the money to Africa to somebody that DOES NOT EXIST…
The "clever" scenario… diagram
Victim-1: Provided by mistake his Bank Account credentials.
Victim-2: Got the money from Victim-1's Bank Account for a service that he thought was legitimate.
Fraudster: Got the money from victim-2 and disappeared.
Victim-1 sends the police to arrest victim-2, thinking he is the fraudster…
Another scenario against Victim-2
• The previous scenario became known, so the fraudsters started using a more clever one, connected with the second hand car selling business.
• The car owners are selling their cars by using a suitable web application.
• The fraudster visits on-line car selling web pages and buys a car on behalf of "his customer".
Buying and selling used cars online
• He sends more money than the car owner requests, pretending that the rest of the money should be sent to a person that will undertake the car refreshing and shipping.
• So, they ask the receiving person to send the excess money to a person via Western Union.
• Look at an Email message received by the car owner!
A very "honest"… Email
• "I am delighted to tell you that my client appreciates and commends your vehicle, with full interest. I have finalized with my client on the price of 16,000 euro which is the last asking price for your vehicle and it's ok by him.
• He also instructed me to inform you that payment will get to you in a bank money transfer, at the amount of 25,000 euro.
• So you are required to deduct the cost of your vehicle which is 16,000 euro, when payment gets to you and refund balance 9,000 euro to the Agent (our shipper) for him to be able to offset shipping & tax charges, and other cosmetic repair costs."
Money Laundering
• In this way victim-2 is used as a money laundering tool for victim-1's money.
• Victim-2 gets 25.000 € and sends 9.000 € to the fraudster.
• The fraudster's real name remains unknown even though the Western Union branch (where the money was transferred) is known.
The poor Victim-2
• The car owner (victim-2) goes to prison as responsible for the fraud, even though he did not perform any illegal action (according to his understanding).
• The money he got (16.000 €) is taken back by the police and on top of that, he lost 9.000 € and his car is unsold…
ID-theft for various crimes
Identity Theft
Is not only stealing our ID card but any other personal documents or data including:
– Our Name
– Date of birth
– Nationality
– Fiscal Number (tax number)
– Credit card numbers and card secret numbers
– e-mail data
– Signature
– Photograph
– Driving Licence and other documents – data that may be used to commit criminal activities.
Id-theft by using Social Networks
• A lot of personal information may be found unprotected in Social Networking sites.
• Proof of address by stealing the Power Bill from the user's house.
• Faked documents are not so difficult to be produced.
Hacking SNs users accounts
By using simple programs like Firesheep a hacker may steal personal information contained in:
– Social Networking Sites (like FaceBook, Twitter etc.)
– Email accounts (Google, Yahoo, etc.) and so on...
Firesheep hi-jacks other people's sessions. In order to break into someone's account just open up FireSheep, click 'Start Capturing' and it will list all the users in your network that are currently logged on.
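What Firesheep captures is a session cookie that the browser is willing to send over plain HTTP, so the defensive check sits on the attributes a site puts on its cookies. The following is an added Python example, not code from the presentation: it parses Set-Cookie header values and reports each cookie that lacks the Secure, HttpOnly or SameSite attributes. The header strings and cookie names are constructed samples.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return the weaknesses found in one Set-Cookie header:
    'no-secure'    also sent over HTTP, so anyone on the same open WiFi can
                   capture and replay it (the Firesheep case on the slide)
    'no-httponly'  script on the page can read it (pairs with XSS)
    'no-samesite'  it rides along on cross-site requests"""
    _, _, attrs = parse_set_cookie(header_value)
    issues = []
    if "secure" not in attrs:
        issues.append("no-secure")
    if "httponly" not in attrs:
        issues.append("no-httponly")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append("no-samesite")
    return issues


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one response: cookie name -> issues."""
    report = {}
    for header in set_cookie_headers:
        name, _, _ = parse_set_cookie(header)
        report[name] = audit_set_cookie(header)
    return report


# Constructed sample headers, modelled on a site before and after hardening.
WEAK_RESPONSE = ["sessionid=abc123; Path=/"]
HARDENED_RESPONSE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    print(audit_response(WEAK_RESPONSE))      # {'sessionid': ['no-secure', 'no-httponly', 'no-samesite']}
    print(audit_response(HARDENED_RESPONSE))  # {'sessionid': [], 'lang': ['no-httponly']}
```

The Secure flag is the one that matters for the scenario on the slide: with it, the browser never puts the session cookie on the unencrypted network where a sniffer on the same WiFi could read it, and the site must serve its logged-in pages over HTTPS for that flag to be usable at all.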
Stealing Credit Cards…
(Diagram: USA JFK airport credit-card public payphones → PSTN → Portugal (fraudsters). The ring tone was deactivated from the US card phones: RINGTONE OFF, heavy traffic of unanswered calls.)
Risks & roles in m-commerce
– Mobile Subscriber as fraudster.
– Mobile Subscriber as victim.
– Content Provider as fraudster.
Value added services with mobile phones
• Mobile phones may be used to:
  – buy a coca-cola from a vending machine (just make a call to the number on the machine).
  – Buy theater tickets.
  – Play in the Internet Casino, and many more applications.
• In many of those cases fraudsters have been very active already (the casino case).
ON LINE CASINO
How it works.
• Connect to Casino web site.
• Then you are asked to send an SMS message using your mobile phone, to a specific number, to get credit (marks). For example you get 100 € credit (charged to your mobile phone).
• You play games (you lose – you win).
• At the end you may exchange the remaining marks (credit), if any, with money that will be sent to your bank account by the casino.
• Fraudsters arrested in a European country.
IDENTITY THEFT AND SUBSCRIPTION FRAUD IN MOBILE PHONES…
Subscriber as fraudster, cases
• Repeated downloads by subscriber, but only billed once. Fraudster applies technical ways of repeating a download already completed without additional billing.
• Fraudster makes money by illegally reselling the digital product he bought.
• Billing records may be manipulated (internal fraud). No bill for m-commerce.
• Avoid being billed for content by falsifying a successful download as unsuccessful.
More subscriber m-commerce frauds
• Cloned SIM cards used for m-commerce, billing the legitimate subscriber.
• IP spoofing: IP Packets from one device are made to appear as if coming from another trusted device.
• Attackers can use sniffers to record traffic and steal credit card details.
Content Provider fraud (examples)
– Goods purchased from Content Provider and subscriber billed for content (as expected). Then subscriber is billed illegally for repetitions of the first transaction.
– A rogue Content Provider may find ways of delivering content without subscriber authorisation or request, thereby inflating revenue.
– Content Provider falsifies a download failure, to justify additional uploads, whilst billing subscriber for every upload.
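The subscriber-side cases (repeated downloads billed once, a success reported as a failure, manipulated billing records) and the content-provider cases (repeat charges for one transaction, content billed without a request) are all mismatches between what the content server delivered and what the operator billed, so one reconciliation check serves both slides. The following is an added Python example, not code from the presentation; the two log formats, the content catalogue and the records are constructed for illustration.

```python
from collections import Counter

# Constructed content catalogue: content id -> size in bytes.
CONTENT_SIZE = {"ringtone-7": 40960, "wallpaper-3": 122880}

# Constructed content-server delivery log: txn,subscriber,content,status,bytes_sent
DELIVERY_LOG = """\
t1,306900000001,ringtone-7,ok,40960
t2,306900000001,ringtone-7,ok,40960
t3,306900000002,wallpaper-3,failed,122880
t4,306900000003,ringtone-7,ok,40960
"""

# Constructed operator billing records: txn,subscriber,content,amount_eur
BILLING_LOG = """\
t1,306900000001,ringtone-7,1.50
t4,306900000003,ringtone-7,1.50
t4,306900000003,ringtone-7,1.50
t9,306900000004,ringtone-7,1.50
"""


def parse_csv(text):
    """Split a small comma-separated log into rows of fields."""
    return [line.split(",") for line in text.strip().splitlines() if line.strip()]


def reconcile(delivery_text, billing_text):
    """Cross-check delivery evidence against what was billed and return a
    sorted list of (finding, txn) pairs:
    duplicate-billing     one transaction billed more than once
                          (content provider repeating the first charge)
    billed-not-delivered  a charge with no delivery behind it
                          (content billed without request)
    delivered-not-billed  a completed download that never reached billing
                          (subscriber repeat trick or manipulated records)
    failed-but-complete   a 'failed' download that transferred the whole file
                          (a success reported as a failure)"""
    deliveries = {row[0]: row for row in parse_csv(delivery_text)}
    billed = Counter(row[0] for row in parse_csv(billing_text))
    findings = []
    for txn, count in billed.items():
        if count > 1:
            findings.append(("duplicate-billing", txn))
        if txn not in deliveries:
            findings.append(("billed-not-delivered", txn))
    for txn, (_, _, content, status, bytes_sent) in deliveries.items():
        if status == "ok" and txn not in billed:
            findings.append(("delivered-not-billed", txn))
        if status == "failed" and int(bytes_sent) >= CONTENT_SIZE[content]:
            findings.append(("failed-but-complete", txn))
    return sorted(findings)


if __name__ == "__main__":
    for finding, txn in reconcile(DELIVERY_LOG, BILLING_LOG):
        print(finding, txn)
```

The check only works if the delivery log is written by a system the content provider cannot edit and the billing records by one the subscriber cannot reach; the slides' internal-fraud case is precisely the situation where one party controls both sides.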
M-commerce PRS fraud modus operandi (Content Provider fraud)
• The content provider gets a lot of phones/SIM cards by subscription fraud.
• He uses the fraudulent lines to make a lot of calls to his own services until their disconnection.
• The content provider is paid, even though the operator was not paid by the customer.
• The main concern of m-commerce PRS fraud is the speed at which the fraud loss can accumulate.
• An automatic device (a PC connected to a SIM card) is technically able to send at least one SMS per second.
• If micropayments are based on SMS, a fraudulent GSM line can generate a tremendous loss at the end of one day.
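Because the slide's concern is speed of loss, the operator-side control is a velocity check on premium SMS per originating line, applied as charging records arrive rather than at the end of the billing cycle. The following is an added Python example, not code from the presentation: it builds constructed charging records (one ordinary subscriber, one PC-driven line at the slide's rate of one SMS per second), flags a line when it exceeds a threshold inside a sliding window, and computes the loss one such line accumulates over a day. The record format, the threshold and the 1.50 € unit charge are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_cdrs():
    """Constructed SMS charging records (not real data), one per line:
    'ISO-timestamp origin premium_number charge_eur'. An ordinary subscriber
    sends two premium SMS; a PC-driven line sends one every second for 90 s."""
    t0 = datetime(2011, 11, 14, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=5)).isoformat()} 306900000011 54321 1.50",
             f"{(t0 + timedelta(seconds=40)).isoformat()} 306900000011 54321 1.50"]
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} 306900000099 54321 1.50"
              for i in range(90)]
    return sorted(lines)  # ISO timestamps sort chronologically as text


def flag_velocity(cdr_lines, max_per_window=20, window=timedelta(minutes=1)):
    """Sliding-window count of premium SMS per originating line.
    Returns {origin: time of first breach}. Records must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in cdr_lines:
        ts, origin, _premium, _charge = line.split()
        t = datetime.fromisoformat(ts)
        q = recent[origin]
        q.append(t)
        while t - q[0] > window:       # drop records older than the window
            q.popleft()
        if len(q) > max_per_window and origin not in flagged:
            flagged[origin] = t        # first moment the line breaches the limit
    return flagged


def projected_loss(unit_charge, per_second=1.0, hours=24):
    """Loss one automated line runs up if nobody stops it:
    charge per SMS x SMS per second x seconds in the period."""
    return unit_charge * per_second * hours * 3600


if __name__ == "__main__":
    print(flag_velocity(build_sample_cdrs()))   # {'306900000099': datetime(2011, 11, 14, 10, 0, 20)}
    print(projected_loss(1.50))                 # 129600.0 euro per line per day
```

With the threshold above, the automated line is flagged 20 seconds after it starts, against a potential 129,600 € per line per day if the same activity ran unchecked until disconnection; the threshold must be set from genuine subscriber behaviour, since a legitimate user who votes in a televised contest can also send a burst.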
PRS Fraud players
(Diagram: Fraudster → Telecom Operator → Content Provider. The Telecom Operator is never paid by the Fraudster; the Content Provider is paid by the Telecom Operator. Money lost by the Telecom Operator.)
Telecom Fraud & Money Laundering
• PRS (Premium Rate telecom Services) are used for money laundering.
• How is it done?
(Diagram: tax paradise islands)
How money laundering is performed…
• The PRS content provider has a lot of money due to illegal activities (drugs, guns etc.) and wants to legalize it.
• He builds a PRS service and starts making calls, at his own expense, to his own services.
• The money earned by the PRS content provider is now legal and clear!
Risks in M-commerce
• Known types of Frauds (Subscriber as fraudster)
  – Subscription fraud / Roaming fraud
  – Subscriber Content Theft (IPRs)
  – Download without correct billing.
  – Content Duplication for distribution
• Technical Frauds (Subscriber as victim)
  – Session stealing
  – Identity Spoofing (IP Spoofing)
  – Man-in-middle
  – Electronic eavesdropping
  – Billing inflation attack
  – Receipt of goods not requested
  – Content with Trojan.
Conclusions
• Banking activities and especially Mobile Commerce & Micropayments are continuously targeted services by cyber criminals.
• There are a lot of security threats and risks associated with those services.
• Fraudsters are already present and active in the area.
• The basic players should take all necessary measures for protecting security and mitigating risks.
• Banking security experts should have good IT security but also telecom and mobile fraud background.
Thank you
Michalis Mavis, MSc, MSc
//gr.linkedin.com/in/mmavis