Classification: //Dell SecureWorks/Confidential - Limited External … · 2015. 10. 6. ·...
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
WRITTEN IN CONCRETE? AN EXAMINATION
OF ACTUAL HARM IN DATA BREACHES
• John Hutchins
– Atlanta Office Leader
– Privacy Team Leader
• Anton Mlaker – Special Agent
– FBI Cyber Action Team
• William Nuland – Leader
– CTU Surveillance Team
WHERE WE ARE HEADED
• Three data breach case studies
• Actual harm – What Happens Downstream?
• What Remedial Measures Work/Don’t Work?
CASE STUDIES – NO TWO
BREACHES ARE ALIKE
• Three Breaches
THE DATA
• Customer names, phone numbers, addresses, credit or debit card
numbers, card expiration dates, card security codes
• “Up to 70 million people” had personal data stolen, including
name, address, email, and phone number
– 40 million credit and debit cards stolen
• Unauthorized access took place between Nov. 27, 2013 and Dec.
15, 2013
THE RESPONSE
• Notification 5 days after breach
• Spent $100 million to “fast track” upgrade to POS for Chip-and-PIN
• Free credit monitoring services for everyone impacted
• East-West Bank issued new cards to customers who shopped at Target — “some
accounts may have been compromised”
• Citibank reissued cards possibly involved in the breach
• Credit unions and community banks reissued 21.8 million cards ($200 million)
• Paid $10 million into settlement fund - Impacted customers must submit proof of
harm
THE DATA
• Names, DOBs, medical IDs, SSNs, home addresses,
email addresses, employment and income information
• No evidence of credit card or PHI
• Approximately 80 million people
• Hacking began “as early as 4/14” - Breach made public
@ 2/4/15
THE RESPONSE
• Pledged to individually notify current and former
customers whose data was stolen
• Offered AllClear ID for two years at no cost
– ID theft repair and credit monitoring services
– Additional ID theft insurance policy at no cost
• Set up toll-free line (877-263-7995)
• Set up anthemfacts.com
THE DATA
• Customer names, last four digits of SSN, and CPNI
• Inside job: three call center employees (Colombia, Mexico and
Philippines) accessed CPNI and other personal information on
280,000 customers
• Sold that data to third parties trafficking in phones they wanted to
unlock, who submitted 291,000 handset unlock requests through
AT&T website
THE RESPONSE
• Notified all affected customers
• Offered one year of free credit monitoring
• Appointed senior compliance manager to file
regular security reports with the FCC
• $25 million fine paid to FCC
WHAT HAPPENS DOWNSTREAM?
Underground Hacking Markets Report: http://www.secureworks.com/assets/pdf-store/white-papers/wp-underground-hacking-report.pdf
FROM BREACH TO CASH-OUT?
THE TARGET EFFECT
• Underground actors sold ‘Target
cards’ days after the breach
• Fraud attempts showed smart
geolocation to affected POS
• Wide press coverage
• Awareness of underground
criminal services
• Public perception shift:
• Conclusion: breach
underground sale
WELCOME TO THE HACKER MARKETPLACE
A Well-oiled Machine
Hacker Business Infrastructure
• Marketing: With steep competition, many hacker organizations leverage marketing techniques to bring in business.
• Research & Design: Hackers are currently researching new areas to attack. They will release new products as a part of their business cycle.
• Flexible Shopping: Having many options available with a click of a mouse based on your hacking needs and desires.
• Product Deployment: Ensuring that hacker clients receive the requested products and get answers to any additional questions.
• Service Excellence: As the hacker marketplace matured, along came the need to provide 100% satisfaction guarantees.
• Training: Interested in hacking? Now there are classes and training documents you can purchase.
UNDERGROUND HACKER MARKET IS BOOMING
• Our CTU Researchers went undercover to explore the depths of the underground hacker markets
• They were astonished with what they found…
Underground Hacker Market
Customer Service
Counterfeit Documents
Hacker Tutorials
Premium Card Sale
COUNTERFEIT CREDENTIALS: IDENTITY FOR SALE
Use
Cost
All types of fraud: credit card fraud, check fraud, government assistance fraud, etc…
Common use: Check fraud and credit fraud.
File fraudulent tax returns, open a variety of financial accounts, etc.
Apply for government assistance programs, as well as other types of fraud.
$200-$500
$250 + $100 utility bill identity verification
New Identity
Passports
Drivers License
Social Security Cards
$100-$150
$250-$400
HACKER TRAINING TUTORIALS
• Training Tutorials can run anywhere from $1
to $30.
• Tutorials teach beginner hackers how to carry
out almost all types of fraud.
• One tutorial topic, “How to do ATM Hacks and
Get Much More Money than you Withdraw.”
• Tutorials not only explain hacker tools but also describe how they
are used, which are the most popular, and the going rate hackers
should pay.
Hacker Tutorials
UNDERGROUND MARKETPLACE EXAMPLES
UNDERGROUND HACKER MARKET: ONE STOP SHOP
Need Help? Hackers are for Hire.
• Website Hacking
• DDoS Attacks
• Doxing
UNDERGROUND HACKER MARKET: ONE STOP SHOP
Infected Computers for Sale…
BOTs: 2014 Rate
• US (unique installs): 1K ($140-$190), 5K ($600-$1,000), 10K ($1,100-$2,000)
• UK (unique installs): 1K ($100-$120), 5K ($400-$500), 10K ($700-$1,100)
• Asia (unique installs): 1K ($4-$12)
2014 bot pricing has increased year over year.
Bots located in specific countries are considerably more expensive.
How bots are used:
• Access to financial sites
• Compromising Coinbase bitcoin accounts
• Obtain credit card data to make fraudulent cards
Due to security enhancements with EMV it is more difficult to make a fraudulent card in the UK.
PREMIUM CREDIT CARDS FOR SALE: BULK DISCOUNTS
• 10 cards = $13 each
• 50 cards = $12 each
• 100 cards = $11.50 each
• 500 cards = $11 each
• 1000 cards = $10 each
• 2000 cards = $9 each
EXCELLENT CUSTOMER SERVICE
Hackers provide guarantees on the validity of their products sold.
• Examples:
• “100% Valid Rate” on stolen Premium Cards for sale.
• “All dead cards will be replaced!”
• “Credit Card Guarantees.” If a credit card doesn’t pass a $200 charge test it will be replaced.
• Only Premium Cards.
THE MORE INTERESTING QUESTIONS
• What other motivations exist?
– Strategic?
– Brand degradation?
• What next?
KNEE-JERK REACTIONS?
• “Free Credit Monitoring After Data Breaches is
More Sucker than Succor” – June 10, 2015
– “A knee-jerk reaction” – John Ulzheimer, Pres.
Consumer Education
CREDIT MONITORING . . . PLUS
• Credit Monitoring - PLUS
– Breach Notification
– Call Center
– Crisis Management Services
IS FREE CREDIT MONITORING
WORTHWHILE?
• “Free Credit Monitoring” - typically only monitors one credit
bureau for 1-2 years
– John Ulzheimer
• Alerts – don’t stop someone from opening new account
• Doesn’t track fraudulent credit card charges
• Available for free
• Doesn’t prevent “Hard Pulls”
FRAUD/SECURITY ALERT OR
FREEZE
• Alert - Available every 90 days
• One Alert good for all three major credit
bureaus:
• Fourth credit bureau
• Requires separate request for Alert
• No automatic services for 90-day alerts
• Freeze has downsides – cost/inconvenience
WHAT WORKS?
• Credit Monitoring/Fraud Alerts & Freezes Don’t:
– Monitor bank account, credit cards, retirement accounts or
brokerage accounts
– Prevent ID theft for non-financial purposes, i.e. new DL,
passport, etc.
– Stop tax refund fraud, or other gov’t benefit fraud (Medicare,
Medicaid, SS fraud)
WHAT’S THE REAL IMPACT?
• 2012 – 7% were victims of credit card fraud, other account fraud or ID theft
• 85% involved fraudulent use of existing account, such as credit card or bank
account
• 66% of cases involve stolen credit card/card numbers
• Less than 1% experienced true “ID theft” - using name, DOB and SSN to open new
LOC, tap health insurance, or tax return fraud
• Only about 14% of victims experienced out-of-pocket losses of $1 or more. Of these
victims, half suffered losses of less than $100
• Over half of victims were able to resolve associated problems in one day or less;
29% spent one month or more resolving problems
CREDIT CARD FRAUD DETECTION
• Charge pattern - history, frequency, dollar amounts, merchant
location and distance from card holder’s home
• Balance between need for security and false positives
CREDIT CARD FRAUD DETECTION
• Balance between speed, efficacy and cost
• It works – And It’s Getting Better ($0 liability)
– For every dollar lost to fraud in 2012, $10 of fraudulent
transactions prevented
– 1997 - ratio was 1:1
Mobile Location Confirmation
CREDIT CARD FRAUD DETECTION
• Free apps
CREDIT CARD FRAUD PREVENTION
• EMV (“Chip & Pin”)
– Liability Shift – October 1
• Party, either the issuer or merchant, not supporting EMV, assumes
liability for counterfeit card transactions
– Still, not widely adopted before 2020
– Cumbersome technology for Card Not Present
– Mobile & Contactless > EMV by 2025
CREDIT CARD FRAUD PREVENTION
• EMV Implementation
• Annual U.S. cost for card-related fraud =$10
billion
TAKEAWAYS
• Knee-Jerk Reactions ineffective
• Invest in post-breach education —
consumer in best position to protect
themselves
– Data Breach Notification Statutes
• Continued and accelerated investments
in new authentication technologies to
prevent financial fraud