Classification: //Dell SecureWorks/Confidential - Limited External … · 2015. 10. 6. ·...


Page 2

WRITTEN IN CONCRETE? AN EXAMINATION OF ACTUAL HARM IN DATA BREACHES

• John Hutchins

– Atlanta Office Leader

– Privacy Team Leader

• Anton Mlaker – Special Agent

– FBI Cyber Action Team

• William Nuland – Leader

– CTU Surveillance Team

Page 3

WHERE WE ARE HEADED

• Three data breach case studies

• Actual harm – What Happens Downstream?

• What Remedial Measures Work/Don’t Work?

Page 4

CASE STUDIES – NO TWO BREACHES ARE ALIKE

• Three Breaches

Page 5

THE DATA

• Customer names, phone numbers, addresses, credit or debit card numbers, card expiration dates, card security codes

• “Up to 70 million people” had personal data stolen, including name, address, email, and phone number

– 40 million credit and debit cards stolen

• Unauthorized access took place between Nov. 27, 2013 and Dec. 15, 2013

Page 6

THE RESPONSE

• Notification 5 days after breach

• Spent $100 million to “fast track” upgrade to POS for Chip-and-PIN

• Free credit monitoring services for everyone impacted

• East-West Bank issued new cards to customers who shopped at Target — “some accounts may have been compromised”

• Citibank reissued cards possibly involved in the breach

• Credit unions and community banks reissued 21.8 million cards ($200 million)

• Paid $10 million into settlement fund - Impacted customers must submit proof of harm

Page 7

THE DATA

• Names, DOBs, medical IDs, SSNs, home addresses, email addresses, employment and income information

• No evidence of credit card or PHI

• Approximately 80 million people

• Hacking began “as early as 4/14” - Breach made public on 2/4/15

Page 8

THE RESPONSE

• Pledged to individually notify current and former customers whose data was stolen

• Offered AllClear ID for two years at no cost

– ID theft repair and credit monitoring services

– Additional ID theft insurance policy at no cost

• Set up toll-free line (877-263-7995)

• Set up anthemfacts.com

Page 9

THE DATA

• Customer names, last four digits of SSN, and CPNI (customer proprietary network information)

• Inside job — three call center employees (Colombia, Mexico and Philippines) accessed CPNI and other personal information on 280,000 customers

• Sold that data to third parties trafficking in phones they wanted to unlock, who submitted 291,000 handset unlock requests through the AT&T website

Page 10

THE RESPONSE

• Notified all affected customers

• Offered one year of free credit monitoring

• Appointed senior compliance manager to file regular security reports with the FCC

• $25 million fine paid to FCC

Page 11

WHAT HAPPENS DOWNSTREAM?

Page 13

FROM BREACH TO CASH-OUT?

Page 14

THE TARGET EFFECT

• Underground actors sold ‘Target cards’ days after the breach

• Fraud attempts showed smart geolocation to affected POS

• Wide press coverage

• Awareness of underground criminal services

• Public perception shift:

– Conclusion: breach → underground sale

Page 15

WELCOME TO THE HACKER MARKETPLACE

A Well-oiled Machine – Hacker Business Infrastructure:

• Marketing – With steep competition, many hacker organizations leverage marketing techniques to bring in business.

• Research & Design – Hackers are continually researching new areas to attack. They release new products as part of their business cycle.

• Flexible Shopping – Many options are available with a click of a mouse, based on the buyer's hacking needs and desires.

• Product Deployment – Ensuring that hacker clients receive the requested products and can get answers to any additional questions.

• Service Excellence – As the hacker marketplace matured, along came the need to provide 100% satisfaction guarantees.

• Training – Interested in hacking? Now there are classes and training documents you can purchase.

Page 16

UNDERGROUND HACKER MARKET IS BOOMING

• Our CTU Researchers went undercover to explore the depths of the underground hacker markets

• They were astonished by what they found…

Underground Hacker Market:

• Customer Service

• Counterfeit Documents

• Hacker Tutorials

• Premium Card Sale

Page 17

COUNTERFEIT CREDENTIALS: IDENTITY FOR SALE

Items for sale: New Identity, Passports, Drivers License, Social Security Cards

Use:

• All types of fraud: credit card fraud, check fraud, government assistance fraud, etc.

• Common use: check fraud and credit fraud.

• File fraudulent tax returns, open a variety of financial accounts, etc.

• Apply for government assistance programs, as well as other types of fraud.

Cost:

• $200-$500

• $250 + $100 utility bill identity verification

• $100-$150

• $250-$400

Page 18

HACKER TRAINING TUTORIALS

• Training tutorials can run anywhere from $1 to $30.

• Tutorials teach beginner hackers how to carry out almost all types of fraud.

• One tutorial topic: “How to do ATM Hacks and Get Much More Money than you Withdraw.”

• Hacker tools are not only explained but also described: how they are used, which are the most popular, and the going rate hackers should pay.

Page 19

UNDERGROUND MARKETPLACE EXAMPLES

Page 20

UNDERGROUND HACKER MARKET: ONE STOP SHOP

Need Help? Hackers are for Hire.

• Website Hacking

• DDoS Attacks

• Doxing

Page 21

UNDERGROUND HACKER MARKET: ONE STOP SHOP

Infected Computers for Sale…

BOTs – 2014 Rate

• US (unique installs): 1K ($140-$190); 5K ($600-$1,000); 10K ($1,100-$2,000)

• UK (unique installs): 1K ($100-$120); 5K ($400-$500); 10K ($700-$1,100)

• ASIA (unique installs): 1K ($4-$12)

2014 bot pricing has increased year over year. Bots located in specific countries are considerably more expensive.

How bots are used:

• Access to financial sites

• Compromising Coinbase bitcoin accounts

• Obtain credit card data to make fraudulent cards

Due to security enhancements with EMV it is more difficult to make a fraudulent card in the UK.

Page 22

PREMIUM CREDIT CARDS FOR SALE: BULK DISCOUNTS

• 10 cards = $13 each

• 50 cards = $12 each

• 100 cards = $11.50 each

• 500 cards = $11 each

• 1000 cards = $10 each

• 2000 cards = $9 each

Page 23

UNDERGROUND MARKETPLACE EXAMPLES

Page 24

EXCELLENT CUSTOMER SERVICE

Hackers provide guarantees on the validity of their products sold.

• Examples:

– “100% Valid Rate” on stolen Premium Cards for sale.

– “All dead cards will be replaced!”

– “Credit Card Guarantees.” If a credit card doesn’t pass a $200 charge test it will be replaced.

– Only Premium Cards.

Page 25

THE MORE INTERESTING QUESTIONS

• What other motivations exist?

– Strategic?

– Brand degradation?

• What next?

Page 26

KNEE-JERK REACTIONS?

• “Free Credit Monitoring After Data Breaches is More Sucker than Succor” – June 10, 2015

– “A knee-jerk reaction” – John Ulzheimer, Pres. Consumer Education

Page 27

CREDIT MONITORING . . . PLUS

• Credit Monitoring - PLUS

– Breach Notification

– Call Center

– Crisis Management Services

Page 28

IS FREE CREDIT MONITORING WORTHWHILE?

• “Free Credit Monitoring” - typically only monitors one credit bureau for 1-2 years – John Ulzheimer

• Alerts – don’t stop someone from opening new account

• Doesn’t track fraudulent credit card charges

• Available for free

• Doesn’t prevent “Hard Pulls”

Page 29

FRAUD/SECURITY ALERT OR FREEZE

• Alert - Available every 90 days

• One Alert good for all three major credit bureaus

• Fourth credit bureau

– Requires separate request for Alert

– No automatic services for 90-day alerts

• Freeze has downsides – cost/inconvenience

Page 30

WHAT WORKS?

• Credit Monitoring/Fraud Alerts & Freezes Don’t:

– Monitor bank account, credit cards, retirement accounts or brokerage accounts

– Prevent ID theft for non-financial purposes, i.e. new DL, passport, etc.

– Stop tax refund fraud, or other gov’t benefit fraud (Medicare, Medicaid, SS fraud)

Page 31

WHAT’S THE REAL IMPACT?

• 2012 – 7% were victims of credit card fraud, other account fraud or ID theft

• 85% involved fraudulent use of existing account, such as credit card or bank account

• 66% of cases involve stolen credit card/card numbers

• Less than 1% experienced true “ID theft” - using name, DOB and SSN to open new LOC, tap health insurance, or tax return fraud

• Only about 14% of victims experienced out-of-pocket losses of $1 or more. Of these victims, half suffered losses of less than $100

• Over half of victims were able to resolve associated problems in one day or less; 29% spent one month or more resolving problems

Page 32

CREDIT CARD FRAUD DETECTION

• Charge pattern - history, frequency, dollar amounts, merchant location and distance from card holder’s home

• Balance between need for security and false positives
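The charge-pattern signals listed above, as an added example that is not part of the slides: a rule-based score over a cardholder's own history (amount, frequency, distance from home), with the decision threshold acting as the security/false-positive dial. The Atlanta and New York coordinates, the amounts and the timestamps are constructed sample data, and the thresholds are illustrative assumptions, not tuned values.

```python
# Added example (not from the slides): rule-based fraud scoring on the
# signals the slide lists. Every transaction and coordinate below is
# constructed sample data, not a real cardholder record.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

@dataclass
class Txn:
    when: datetime
    amount: float
    lat: float
    lon: float

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in km between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(history, txn, home, max_km=500, burst=3):
    """One point per signal unusual for THIS cardholder: amount far above
    their own spend, many charges in the last hour, merchant far from home.
    Thresholds are illustrative, not tuned against real fraud data."""
    amounts = [t.amount for t in history] or [txn.amount]
    mu, sd = mean(amounts), pstdev(amounts) or 1.0   # sd 0 -> 1 avoids flagging every charge
    score = 0
    if txn.amount > mu + 3 * sd:                      # dollar amount vs. history
        score += 1
    hour = timedelta(hours=1)
    if sum(1 for t in history if timedelta(0) <= txn.when - t.when <= hour) >= burst:
        score += 1                                    # frequency (velocity)
    if km_between(*home, txn.lat, txn.lon) > max_km:  # distance from home
        score += 1
    return score

def should_block(history, txn, home, threshold=2):
    """The threshold is the security/false-positive dial: lower it and more
    fraud is caught, but more legitimate charges get declined."""
    return risk_score(history, txn, home) >= threshold

# Constructed cardholder in Atlanta with ten small daily charges.
HOME = ATL = (33.749, -84.388)
NYC = (40.713, -74.006)
START = datetime(2013, 12, 1, 9, 0)
HISTORY = [Txn(START + timedelta(days=i), amt, *ATL) for i, amt in
           enumerate([22.5, 41.0, 35.2, 58.9, 19.99, 47.3, 30.0, 25.5, 44.1, 38.8])]
NORMAL = Txn(datetime(2013, 12, 11, 12, 0), 35.0, *ATL)          # in pattern
REMOTE_LARGE = Txn(datetime(2013, 12, 11, 12, 30), 900.0, *NYC)  # large and far away
# Velocity case: three small charges in the 35 minutes before a fourth.
BURST_HISTORY = HISTORY + [Txn(datetime(2013, 12, 11, 12, m), 30.0, *ATL) for m in (5, 15, 25)]
BURST_TXN = Txn(datetime(2013, 12, 11, 12, 40), 33.0, *ATL)

if __name__ == "__main__":
    for label, hist, txn in [("normal", HISTORY, NORMAL), ("remote", HISTORY, REMOTE_LARGE),
                             ("burst", BURST_HISTORY, BURST_TXN)]:
        print(label, "score:", risk_score(hist, txn, HOME), "block:", should_block(hist, txn, HOME))
```

Note that the burst case scores 1 and is blocked only at threshold 1: that single parameter is where the slide's trade-off between catching fraud and declining legitimate charges is actually made.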

Page 33

CREDIT CARD FRAUD DETECTION

• Balance between speed, efficacy and cost

• It works – And It’s Getting Better ($0 liability)

– For every dollar lost to fraud in 2012, $10 of fraudulent transactions prevented

– 1997 - ratio was 1:1

Mobile Location Confirmation

Page 34

CREDIT CARD FRAUD DETECTION

• Free apps

Page 35

CREDIT CARD FRAUD PREVENTION

• EMV (“Chip & Pin”)

– Liability Shift – October 1

• Party, either the issuer or merchant, not supporting EMV, assumes liability for counterfeit card transactions

– Still, not widely adopted before 2020

– Cumbersome technology for Card Not Present

– Mobile & Contactless > EMV by 2025

Page 36

CREDIT CARD FRAUD PREVENTION

• EMV Implementation

• Annual U.S. cost for card-related fraud = $10 billion

Page 37

TAKEAWAYS

• Knee-Jerk Reactions ineffective

• Invest in post-breach education — consumer in best position to protect themselves

– Data Breach Notification Statutes

• Continued and accelerated investments in new authentication technologies to prevent financial fraud

Page 38

WRITTEN IN CONCRETE? AN EXAMINATION OF ACTUAL HARM IN DATA BREACHES

• John Hutchins [email protected]

• Anton Mlaker [email protected]

• William Nuland [email protected]