Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraudsters Out


Transcript of Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraudsters Out

Page 1: Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraudsters Out

Outsmart Fraudsters: Giving Customers a Great User Experience While Keeping Fraudsters Out

Shaked Vax

June 2016

Trusteer Product Strategist - IBM Security

Brian Mulligan

Offering Manager Access and Directory - IBM Security

Page 2: Agenda

• The evolution of online fraud vs. identity verification

• Fraud is a problem of establishing an identity claim
  - Applying intelligent access management
  - Adding frictionless identity assurance

• An integrated identity-focused approach to fraud reduction

Page 3: Online Fraud: Evolution vs. Identity Verification Solutions

Page 4: Cybercrime attack vectors

[Diagram: attack vectors against online/mobile banking. Threats: phishing and malware fraud, account takeover, new account fraud, cross-channel fraud, mobile fraud risk, and advanced threats via employees. What is taken: credentials and data from the customer; money, intellectual property and business data from the bank.]

Page 5: Financial cybercrime trends

• Malware eco-system managed like a software & SaaS commodity
  - Agile development cycle: Dyre, Ramnit, Bugat updated weekly
  - Gangs with a start-up mentality; they use analytics to track success
  - Malware is built to bypass dynamic analysis
  - Malware is environment-aware

• Region-specific cybercrime intensifies: targeted malware campaigns

• Phishing: the same old phish with twists

• Mobile threats rising: cross-channel fraud

• Social engineering + mobile malware = broken two-factor authentication

• Fraud via the user's own device on the rise: RAT/proxy

• Focusing on high-value targets

Cybercrime gangs are relentlessly, successfully focused on fraud

Page 6: Dyre – a global 2014-2015 rock star

[Timeline, reconstructed from the slide's labels]

2014
• June: first reports of attacks against US/UK targets
• September: used as an APT in an attack against salesforce.com
• October: attacks against Romanian, German and Swiss banks; US Department of Homeland Security Dyre alert
• November: over 100 firms targeted
• December 2014: attacks against targets in Australia and China

2015
• March-June 2015: keeps evolving with innovations: server-side web-injects, anti-sandboxing, randomized config file names
• April 2015: Dyre Wolf against high-value targets, incl. DDoS ($5M from Ryanair)
• July: attacks against Spanish and LATAM Spanish-speaking banks
• November 2015: Dyre gang takedown in Moscow. Code leaked?

2016
• January 2016: Dridex malware launches Dyre-like attacks

Page 7: Dyre data collection

Dyre collects…

• OS attributes
• Browser attributes
• Installed programs
• Services
• Passwords over secure connections

[Screenshot excerpt of a Dyre victim report: an "==Programs==" section listing installed software, followed by the victim's browser User-Agent string:]

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0

Page 8: Device forging

Page 9: April-May 2016: GozNym attacking worldwide

Page 10: Meet GozNym – the new "two-headed beast"

• April 2016: IBM Trusteer research discovered an unprecedented code merge between Gozi ISFB and the Nymaim downloader Trojan
• Combining two top-notch malware strains: Gozi ISFB + Nymaim

Nymaim (the dropper)
• Malware installer ("dropper") active since mid-2013
• Highly effective infector and powerful launcher for other malware
• Infiltrates computers through exploit kits
  - Drive-by infections, spam campaigns and poisoned Word documents, launched into action when users enable macros
• Stealthy and highly persistent on infected machines
  - Uses heavy obfuscation via encryption, anti-VM and anti-research capabilities to evade analysis and AV detection
• Connection with Gozi banking Trojans debuted in Q4 2015
  - Until then it was recognized as a ransomware dropper
• Believed to be operated by one group, and developed on an ongoing basis by the same developer(s)

Gozi ISFB (the banking Trojan)
• Alters web sessions and tricks users into divulging authentication details
• Capable of
  - Web-form grabbing
  - Social engineering
  - Redirection and session manipulation
  - Screen grabbing (screenshots), like Dyre and Dridex
• Used to execute banking account takeover attacks
• The LogMeIn remote desktop tool (RAT) may be used by operators
  - to perform fraud directly from the infected device

Page 11: Mobile fraud: the appearance of PC-grade mobile malware

• "GM Bot" / "Mazar Banking Software"

• Extensive PC-malware-like capabilities, including:
  - Dynamic configuration via C&C
  - Configurable banking-app injection/overlay capabilities
  - Ready-made modules being sold to attack banks and financial services worldwide
  - On-mobile full fraud lifecycle: credential stealing, 2FA circumvention, blocking the user/authorization
  - Flash news: GM Bot code leak!
  - Flash news 2: GM Bot 2.0 released

• A few months ago the Trusteer Intelligence team identified a dispute between a customer of GM Bot and "Gangaman"

• The customer was very disappointed with the level of service (it was hard to deploy and the support was bad), so the customer posted the full source code in the underground

• Since the leak this malware has been very trendy and effective, and it now reaches the hands of fraudsters for free

Page 12: The mobile channel threats

Understanding the mobile risk landscape (from the customer to the criminal)

Sensitive information stealing
• Credential stealing
• Personally Identifiable Information (PII)
• Financial records

Mobile channel misuse
• Full account takeover on the mobile channel
• Use of mobile by fraudsters as an anonymous channel to perform the ATO

Cross-channel fraud
• Leverage mobile to enable fraud on other channels (e.g. web)
• Circumvent out-of-band (OOB) two-factor authentication (2FA)

Page 13: Cross-channel attacks – OOB PIN stealing via mobile malware

[Diagram: the criminal logs in to online banking with the customer's phished credentials; the bank sends the out-of-band SMS PIN to the customer's phone; mobile malware on the phone steals the OOB SMS for the criminal. Targets: the bank's mobile banking app and the customer's credentials and data.]

Mobile device risk factors

Device attributes
• Jailbroken / rooted device
• Malware infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi connection
• Rogue app

Account risk
• Account compromise history
• Phished credentials
• Malware infections, phishing incident (stolen credentials)

Account risk + device risk

Page 14: Online fraud methodologies vs. identity verification

[Timeline, reconstructed from the slide's labels]

• 2003: Viruses & worms, focused on nuisance and damage
• 2004: Phishing & keyloggers; bypass static username/password (single-factor auth stealing)
• 2006: MiTM/MiTB; inject transactions, steal secondary authentication (2nd-factor auth circumvention)
• 2009: MitB with login blocking, automated scripts; steal credentials, bypass device ID & risk engines (device ID & risk engine evasion)
• 2012: Online/mobile cross-channel attacks; leverage mobile anonymity, bypass SMS OTP and 2FA (leveraging the mobile channel)
• 2014: RATs (RDP/VNC), PC-grade mobile malware; bypass device ID, overlay the mobile app
• 2015: APT/high-value targeted attacks; business email compromise, Dyre Wolf, bank employees/systems compromise

Page 15: Fraud is a problem of establishing an identity claim: Balancing fraud prevention and business needs

Page 16: Stopping fraud means accurately identifying the user

Page 17: The traditional security vs. convenience tradeoff

High usability expectations vs. demand for increased assurance

Page 18: Embrace context for intelligent, risk-based access

• Dynamic user risk assessment using contextual information
  - Device, user, environment, resource, malware, device management status and past user behavior

• Protect critical sensitive assets depending on the risk context
  - Strong and multi-factor authentication; limit access to sensitive information/operations

• Central integration and enforcement
  - No need to modify backend applications
  - Unified risk-based access policy management and enforcement

Channels covered: web, mobile hybrid, native apps

Page 19: Assess risk using context. What is context?

• Identity: groups, roles, credential attributes, organization
• Endpoints: device fingerprint, screen resolution, fonts, OS, browser, plugins, etc.
• Environment: geographic location, network, local time, etc.
• Resource / action: the application being requested and what is being done
• Behavior: analytics of the user's historical and current resource usage

Page 20:

"Recognize that achieving absolute certainty about an identity's legitimacy is impossible. Focus instead on assessing the probability that an identity claim is legitimate."

(Gartner, 2015)

Page 21: Balancing identity verification and usability

• Most users are GOOD: let them in with a great user experience

• The few users suspected as rogue: only subject them to adaptive, dynamic authentication

Based on suspicion level, trigger additional authentication challenges

Page 22: Frictionless authentication through a new factor: something you DO!

• Comprehensive behavior-based profile
• Anomaly detection
• Rogue activity identification

Page 23: Behavior-based profiling

• Proactively analyze hundreds of parameters to authenticate users against a uniquely created user profile

• The profile is based on user interaction patterns, account usage and frequently used devices, learned during service accesses

• The user is authenticated by a much richer identifying data set that can augment traditional authentication factors

• No user interaction is required in most logins
  - Only when suspicion arises is the user presented with authentication challenges

Page 24: User identity verification through anomaly detection

User/account behavior anomalies
• Different devices / accounts
• Deviation in access times / locations
• Velocity: irrational location change
• Language

Session flow anomalies
• Navigation patterns: jumping between unlinked pages
• Clipboard: pasting the page address
• Automation: link clicking
• User interaction: deviation in typing/mouse movements

Device anomalies
• Device ID spoofing
• Interaction patterns
• Suspicious geographies
• Proxy usage
• RAT usage
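The context signals of page 19 and the anomalies of page 24 only earn their keep when a policy turns them into the three outcomes of page 21: returning users on a known device go straight in, suspicion triggers a challenge, and a session that is under malware or RAT control is blocked. The Python below is an added illustration of such a risk-based decision and is not IBM's or Trusteer's code; the field names, weights, thresholds, the 900 km/h velocity limit, the fraudster-IP list and the sample logins are all constructed assumptions. It also shows one point page 18 makes in words: the same score is tolerated differently depending on the action being requested.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Actions that move money or change payees get a lower tolerance for risk (assumed names).
SENSITIVE_ACTIONS = {"transfer", "add_payee"}
# Stand-in for a shared fraudster database; constructed TEST-NET address, not real intel.
KNOWN_FRAUD_IPS = {"203.0.113.7"}
MAX_PLAUSIBLE_KMH = 900.0  # faster than an airliner counts as an "irrational location change"


@dataclass
class Login:
    """One access attempt with the context a risk engine sees (assumed fields)."""
    ts: datetime
    lat: float
    lon: float
    device_id: str
    ip: str
    action: str
    malware: bool = False   # set server-side by MitB/RAT detection, never trusted from the client
    proxy: bool = False


@dataclass
class Profile:
    """What the bank has learned about one user from past service accesses."""
    known_devices: set[str] = field(default_factory=set)
    last_login: Login | None = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def velocity_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to travel between two logins."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def score(profile: Profile, login: Login) -> tuple[int, list[str]]:
    """Additive risk score with the reasons, for the fraud department; weights are illustrative."""
    s, reasons = 0, []
    if login.device_id not in profile.known_devices:
        s += 20
        reasons.append("new device")
    if login.proxy:
        s += 15
        reasons.append("proxy usage")
    if login.ip in KNOWN_FRAUD_IPS:
        s += 60
        reasons.append("known fraudster IP")
    if login.malware:
        s += 80
        reasons.append("malware/RAT on session")
    if profile.last_login and velocity_kmh(profile.last_login, login) > MAX_PLAUSIBLE_KMH:
        s += 40
        reasons.append("impossible travel")
    return s, reasons


def decide(profile: Profile, login: Login) -> tuple[str, list[str]]:
    """allow / step_up / block. Sensitive actions step up on any risk signal at all."""
    s, reasons = score(profile, login)
    if s >= 70:
        return "block", reasons
    if s >= 30 or (login.action in SENSITIVE_ACTIONS and s > 0):
        return "step_up", reasons
    return "allow", reasons


def record(profile: Profile, login: Login) -> None:
    """After an allowed login or a passed challenge: learn the device and location."""
    profile.known_devices.add(login.device_id)
    profile.last_login = login


def demo() -> list[str]:
    """Three constructed logins for one user: London, then New York 30 minutes later."""
    t0 = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)
    p = Profile(known_devices={"dev-A"},
                last_login=Login(t0, 51.50, -0.12, "dev-A", "198.51.100.4", "view_balance"))
    home = Login(t0.replace(hour=10), 51.50, -0.12, "dev-A", "198.51.100.4", "view_balance")
    v1, _ = decide(p, home)      # known device, plausible place: no friction
    record(p, home)
    far = Login(t0.replace(hour=10, minute=30), 40.71, -74.01, "dev-B", "198.51.100.9", "add_payee")
    v2, _ = decide(p, far)       # new device + impossible travel: challenge the user
    v3, _ = decide(p, replace(far, malware=True))  # session under remote control: block
    return [v1, v2, v3]
```

The decision is deliberately asymmetric: a proxy alone does not bother someone checking a balance, but the same proxy on a transfer earns a challenge, because the cost of a wrong "allow" scales with the action. Only signals the server establishes itself (malware detection, IP reputation, velocity against the stored last login) carry heavy weight; anything the client reports about itself is exactly what page 8's device forging replays.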

Page 25: Identifying rogue activity

Malware detection
• Clientless detection of MitB malware
• Detecting malware on PC, Mac and mobile devices
• Detection updates addressing evolving threats and new attack vectors, deployed automatically
• No customer interaction or business interruption required

Remote Access Trojan (RAT) use detection
• Unique detection of machine remote takeover by RATs

Known fraudster detection
• Identifying known attackers using a worldwide fraudster database

Page 26: Identity-focused approach to fraud reduction

Page 27: Holistic fraud protection solution

Full fraud lifecycle management: Detect, Prevent, Remediate

Addressing the cycle (Detect, Prevent, Remediate)
• Detect identity and fraud accurately
• Manage centralized context-based access policies, balancing security and usability
• Enforce fraud prevention measures using explicit authentication and access authorization
  - E.g. require an additional 2nd-factor authentication via SMS on access to highly sensitive operations (money transfers)
  - Limit operations if there is a significant risk that a particular user is compromised (prevent "add payee")
• Provide remediation facilities to infected users so they regain full business activity
  - Clean and re-credential

Accelerate deployment of fraud protection and dynamic authentication
• Deploy Trusteer's Pinpoint fraud protection and dynamic authentication via ISAM
  - Allows integrating and protecting multiple applications at once, without any changes to the applications

Page 28: How it works: Trusteer Pinpoint & IBM Security Access Manager

[Architecture diagram: the customer's web/mobile application carries a Pinpoint snippet that sends session and device data to the Pinpoint detection service, which is fed by X-Force / Trusteer security research and returns a session assessment. ISAM consumes the assessment for authentication, verification, access policy management and session management; the line of business / fraud department receives the session data; on-demand remediation is done with Rapport.]

Page 29: Additional benefits from IBM Security Access Manager (ISAM)

• Enforce identity- and risk-aware application access for web and mobile devices

• Secure identity assurance with a built-in mobile authentication service and one-time passwords

• Centrally manage policies to protect the enterprise from fraud and malware: deploy Trusteer Pinpoint without modifying apps; block the OWASP Top 10 vulnerabilities

• Reduce TCO and time to value with a modular "all-in-one" access appliance in virtual and hardware form factors

• Deliver built-in integrations with MobileFirst Platform, MobileFirst Protect, Microsoft Office 365, SAP, WebSphere and more

ISAM capability areas: web & mobile access / SSO; risk-based enforcement; web, fraud & malware protection; identity federation

Page 30: Use a pre-integrated, holistic solution that addresses business needs and security

Use a pre-integrated, holistic solution vs. prototyping an integration of multiple point solutions to protect critical assets:

• Seamless identity verification
• Centralized fraud prevention
• Extensive authentication tools
• Holistic toolset
• Address the full compromise cycle
• Accurate fraud detection

Page 31: Questions?

Page 32:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU