Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraudsters Out
Outsmart Fraudsters: Giving Customers a Great User Experience While Keeping Fraudsters Out
Shaked Vax, Trusteer Product Strategist - IBM Security
Brian Mulligan, Offering Manager Access and Directory - IBM Security
June 2016
2 IBM Security
Agenda
• The evolution of online fraud vs. identity verification
• Fraud is a problem of establishing an identity claim
  - Applying intelligent access management
  - Adding frictionless identity assurance
• An integrated identity-focused approach to fraud reduction
Online Fraud: Evolution vs. Identity Verification Solutions
Cybercrime attack vectors (diagram): phishing and malware fraud; account takeover and new-account fraud; cross-channel fraud; mobile fraud risk; advanced threats (employees). Targets: online/mobile banking (WWW) and the credentials, data, money, intellectual property and business data behind it.
Financial cybercrime trends
• Malware ecosystem managed like a software & SaaS commodity
  - Agile development cycle – Dyre, Ramnit, Bugat updates weekly
  - Gangs with start-up mentality; they use analytics to track success
  - Malware is built to bypass dynamic analysis
  - Malware is environment-aware
• Region-specific cybercrime intensifies: targeted malware campaigns
• Phishing… the same old phish with twists
• Mobile threats rising: cross-channel fraud
• Social engineering + mobile malware = broken 2-factor authentication
• Fraud via the user’s device on the rise – RAT/Proxy
• Focusing on high-value targets
Cybercrime gangs are relentlessly and successfully focused on fraud.
Dyre – A global 2014-2015 rock star (timeline)
2014
• June: First reports of attacks against US/UK targets
• September: Used as APT in attack against salesforce.com
• October: US Department of Homeland Security Dyre alert
• October: Attacks against Romanian, German and Swiss banks
• November: Over 100 firms targeted
• December 2014: Attacks against targets in Australia and China
2015
• March-June 2015: Keeps evolving with innovations: server-side web-injects, anti-sandboxing, randomized config file names
• April 2015: Dyre Wolf against high-value targets incl. DDoS ($5M from Ryanair)
• July: Attacks against Spanish & LATAM Spanish-speaking banks
• November 2015: Dyre gang takedown in Moscow. Code leaked?
2016
• January 2016: Dridex malware launches Dyre-like attacks
Dyre data collection
Excerpt of the collected data shown on the slide:
==Programs==
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Dyre collects…
• OS attributes
• Browser attributes
• Installed programs
• Services
• Passwords over secure connection
Device forging
April-May 2016: GozNym attacking worldwide
Meet GozNym – the new “two-headed beast”
Nymaim
• Malware installer (“dropper”) active since mid-2013
• Highly effective infector and powerful launcher for other malware
• Infiltrating computers through exploit kits
  - Drive-by infections, spam campaigns and poisoned Word documents, launched into action when users enable macros
• Stealthy and highly persistent on infected machines
  - Uses heavy obfuscation techniques via encryption, anti-VM and anti-research capabilities to evade analysis and AV detection
• Connection with Gozi banking Trojans debuted in Q4 2015
  - Until then it was recognized as a ransomware dropper
• Believed to be operated by one group, and developed on an ongoing basis by the same developer(s)
Gozi ISFB
• Alters web sessions and tricks users into divulging authentication details
• Capable of
  - Web-form grabbing
  - Social engineering
  - Redirection and session manipulation
• Like Dyre and Dridex
  - Screen grabbing (screenshots)
• Used to execute banking account takeover attacks
• LogMeIn remote desktop tool (RAT) may be used by operators
  - Perform fraud directly from the infected device
• April 2016: IBM Trusteer research discovered an unprecedented code merge between Gozi ISFB and the Nymaim downloader Trojan
• Combining two top-notch malware strains: Gozi ISFB + Nymaim
Mobile fraud: The appearance of PC-grade mobile malware
• “GM Bot” / “Mazar Banking Software”
• Extensive PC malware-like capabilities including:
  - Dynamic configuration via C&C
  - Configurable banking app injection/overlay capabilities
  - Ready-made modules being sold to attack banks and financial services worldwide
  - On-mobile full fraud lifecycle – credential stealing, 2FA circumvention, blocking user/authorization
  - Flash news: GM Bot code leak!
  - Flash news 2: GM Bot 2.0 released
• A few months ago the Trusteer Intelligence team identified a dispute between a customer of GM Bot and “Gangaman”
• The customer was very disappointed with the level of service: it was hard to deploy and support was bad
• So… the customer posted the full source code in the underground
• Since it was leaked, this malware is very trendy and effective, and now it will reach the hands of fraudsters for free
The mobile channel threats
Understanding the mobile risk landscape (customer-to-criminal spectrum):
Sensitive information stealing
• Credentials stealing
• Personally Identifiable Information (PII)
• Financial records
Mobile channel misuse
• Full account takeover on the mobile channel
• Use of mobile by fraudsters as an anonymous channel to perform the ATO
Cross-channel fraud
• Leverage mobile to enable fraud on other channels (e.g. web)
• Circumvent Out-of-Band (OOB) two-factor authentication (2FA)
Cross-channel attacks – OOB PIN stealing via mobile malware (diagram)
Flow labels on the diagram: customer, criminal, credentials theft (malware infection, phishing incident, stolen credentials), log in to online banking, app login to the bank’s mobile banking app, OOB SMS.
Mobile device risk factors
Device attributes
• Jailbroken / rooted device
• Malware infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi connection
• Rogue app
Account compromise history
• Phished credentials
• Malware infections, phishing incident (stolen credentials)
Account risk + device risk
Online fraud methodologies vs. identity verification (timeline)
• 2003: Viruses & worms – focused on nuisance & damage
• 2004: Single-factor auth stealing – phishing & keyloggers; bypass static username/password
• 2006: 2nd-factor auth circumvention – MiTM/MiTB; inject transactions, steal secondary authentication
• 2009: Device ID & risk engine evasion – MitB with login blocking, automated scripts; steal credentials, bypass device ID & risk engines
• 2012: Leveraging the mobile channel – online/mobile cross-channel attacks; leverage mobile anonymity, bypass SMS OTP, 2FA
• 2014: RATs (RDP/VNC), PC-grade mobile malware – bypass device ID, overlay mobile app
• 2015: APT / high-value targeted attacks – business email compromise, Dyre Wolf, bank employees/systems compromise
Fraud Is a Problem of Establishing an Identity Claim: Balancing Fraud Prevention and Business Needs
Stopping fraud means accurately identifying the user
The traditional security vs. convenience tradeoff
High usability expectations vs. demand for increased assurance (balance diagram)
Embrace context for intelligent, risk-based access
• Dynamic user risk assessment using contextual information
  - Device, user, environment, resource, malware, device management status and past user behavior
• Protect critical sensitive assets depending on the risk context
  - Strong and multi-factor authentication, limit access to sensitive information/operations
• Central integration and enforcement
  - No need to modify backend applications
  - Unified risk-based access policy management and enforcement
Channels shown: mobile, web, hybrid, native apps
Assess risk using context. What is context?
• Identity: groups, roles, credential attributes, organization
• Endpoints: device fingerprint, screen resolution, fonts, OS, browser, plugins, etc.
• Environment: geographic location, network, local time, etc.
• Resource / action: the application being requested and what is being done
• Behavior: analytics of the user’s historical and current resource usage
“Recognize that achieving absolute certainty about an identity's legitimacy is impossible. Focus instead on assessing the probability that an identity claim is legitimate.” (Gartner, 2015)
Balancing identity verification and usability
… of users are GOOD: let them in with a great user experience.
… of users are suspected as rogue: only subject them to adaptive, dynamic authentication.
Based on suspicion level, trigger additional authentication challenges.
Frictionless authentication through a new factor: Something you DO!
Flow shown: comprehensive behavior-based profile → anomaly detection → rogue activity identification
Behavior based profiling
• Proactively analyze hundreds of parameters to authenticate users against a uniquely created user profile
• Profile is based on user interaction patterns, account usage and frequently used devices, learned during service accesses
• User is authenticated by a much richer identifying data set that can augment traditional authentication factors
• No user interaction is required in most logins
  - Only when suspicion arises is the user presented with authentication challenges
User identity verification through anomaly detection
User/account behavior anomalies
• Different devices / accounts
• Deviation in access times / locations
• Velocity – irrational location change
• Language
Session flow anomalies
• Navigation patterns – jumping between unlinked pages
• Clipboard – pasting page address
• Automation – link clicking
• User interaction – deviation in typing/mouse movements
Device anomalies
• Device ID spoofing
• Interaction patterns
• Suspicious geographies
• Proxy usage
• RAT usage
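An added example (not from the deck and not Trusteer or ISAM code) of the risk-based decision the context and anomaly-detection slides describe: each login is scored against a profile learned from earlier logins for three of the anomalies listed above (new device, proxy usage, velocity / irrational location change) and mapped to allow, step-up or block. The risk weights, the 900 km/h travel threshold and the decision thresholds are assumptions chosen for illustration; the login events are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LoginEvent:                 # constructed session context for one login
    device_id: str
    lat: float                    # decimal degrees from session geolocation
    lon: float
    ts: float                     # seconds since epoch
    via_proxy: bool = False

@dataclass
class UserProfile:                # learned from the user's previous good logins
    known_devices: set = field(default_factory=set)
    last_login: Optional[LoginEvent] = None

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(profile, event, max_speed_kmh=900.0):
    """Score one login against the profile; weights and speed limit are assumed."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score, reasons = score + 30, reasons + ["new device"]
    if event.via_proxy:
        score, reasons = score + 25, reasons + ["proxy usage"]
    last = profile.last_login
    if last is not None:
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = max((event.ts - last.ts) / 3600.0, 1e-6)
        if km / hours > max_speed_kmh:       # velocity: irrational location change
            score, reasons = score + 50, reasons + [f"velocity {km / hours:.0f} km/h"]
    return score, reasons

def decide(score):
    """Map the suspicion level to an access decision (thresholds assumed)."""
    if score < 30:
        return "allow"        # good user: let them in without friction
    if score < 70:
        return "step-up"      # suspicious: adaptive authentication challenge
    return "block"
```

In a deployment only logins that were allowed, or that passed the step-up challenge, would be written back into the profile as a known device and last location.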
Identifying rogue activity
Malware detection
• Clientless detection of MitB malware
• Detecting PC, Mac and mobile device malware
• Detection updates, addressing evolving threats and new attack vectors, deployed automatically
• No customer interaction or business interruption required
Remote Access Trojan (RAT) use detection
• Unique detection of machine remote takeover by RATs
Known fraudsters detection
• Identifying known attackers using a worldwide fraudsters database
Identity-focused approach to fraud reduction
Holistic fraud protection solution
Addressing the cycle – Detect–Prevent–Remediate
• Detect identity and fraud accurately
• Manage centralized context-based access policies balancing security and usability
• Enforce fraud prevention measures using explicit authentication and access authorization
  - E.g. require an additional 2nd-factor authentication via SMS on access to highly sensitive operations (money transfers)
  - Limit operations if there is a significant risk that a particular user is compromised (prevent “add payee”)
• Provide remediation facilities to infected users to regain full business activity
  - Clean and re-credential
Accelerate deployment of fraud protection and dynamic authentication
• Deploy Trusteer’s Pinpoint fraud protection and dynamic authentication via ISAM
• Allows integrating and protecting multiple applications at once (without any changes to the applications)
Full fraud lifecycle management: Detect → Prevent → Remediate
How it works: Trusteer Pinpoint & IBM Security Access Manager (architecture diagram)
Components shown:
• X-Force / Trusteer Security Research
• Web/mobile application instrumented with a snippet
• Pinpoint Identify Detection Service, receiving session & device data and producing the session assessment
• ISAM: customer authentication, verification, access policy management and session management
• Line of Business / Fraud department, consuming the session assessment
• On-demand remediation (Rapport for remediation)
Additional benefits from IBM Security Access Manager (ISAM)
• Enforce identity- and risk-aware application access for web and mobile devices
• Secure identity assurance with a built-in mobile authentication service and one-time passwords
• Centrally manage policies to protect the enterprise from fraud and malware: deploy Trusteer Pinpoint without modifying apps; block the OWASP Top 10 vulnerabilities
• Reduce TCO and time to value with a modular “all-in-one” access appliance in virtual and hardware form factors
• Deliver built-in integrations with MobileFirst Platform, MobileFirst Protect, Microsoft Office 365, SAP, WebSphere and more
ISAM capability areas shown: web & mobile access / SSO, risk-based enforcement, web, fraud & malware protection, identity federation
Use a pre-integrated, holistic solution that addresses business needs and security. Don’t prototype integrating multiple point solutions to protect critical assets.
Comparison labels on the slide (pre-integrated solution vs. point solutions): seamless identity verification, centralized fraud prevention, extensive authentication tools, holistic toolset, address full compromise cycle, accurate fraud detection
Questions?
IBM Security
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved.
THANK YOU