Financial crime
A changing landscape
Ed Rosenberg
VP & CSO
BMO Financial Group
Presentation to AFP Ottawa
October 21, 2015
Agenda
• Evolution of crime
• Overview of cyber crime
• Meet the hackers/the Dark Web
• Malicious insiders
• Social Engineering
• Business Email Compromise (BEC)
• Email Account Compromise (EAC)
• Ways to mitigate email compromise
• Q&A
Disclaimer: The material in this presentation provides commonly known information about fraud trends, and BMO’s observations about
controls and activities. This presentation is intended to provide you and your companies with information and helpful tips, but it does not
purport to be complete or provide advice or recommendations to you or your company. You should always seek independent legal or
professional advice when implementing fraud or risk initiatives.
Meet the new face of crime
Evolution of crime,
1970s to the present
1970s – when kiting had a different meaning…
1980s – credit card fraud increases; vigilante groups pop up
1990s – Violence in the Workplace enters the lexicon; Internet takes shape
2000s – cyber crime emerges; skimming is a problem
2010s – the age of the faceless criminal
“The lines separating the intents of nation-states, hacktivists
and organized crime are beginning to blur...”*
*“US cybersecurity: Progress stalled. Key findings from the 2015 US
State of Cybercrime Survey”, p.4. PwC July 2015
Cyber crime
The World Wide Web of deceit
(Slide graphic: the threats below radiate out from the World Wide Web and converge on fraudulent payments.)
• Email takeovers
• Doppelgangers (look-alike sites)
• Social engineering
• Malware
• Phishing
• Online session takeover
• Compromised websites
• Fraudulent payment requests
• Spear phishing
• Unsecure Wi-Fi / interception
• Data breaches
• Fraudulent payments
Trends in corporate cyber crime
What the industry is seeing:
• Email takeovers
• Targeted spear phishing attacks
• Advanced social engineering techniques
• Customer data theft and breaches
• Doppelgangers (look-alike sites)
• Identity theft
The costs of cyber crime
Cyber crime is costly.
(Chart: Average annualized cyber crime costs per incident. Taken from 2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p 12)
Cyber crime: A closer look
Financial costs of cybercrime (2014 Global, share of organizations by loss band):
• USD 0: 40%
• USD 1K-50K: 16%
• USD 50K-100K: 4%
• USD 100K-1M: 4%
• USD 1M-5M: 2%
• USD 5M-100M: 1%
3% of organizations suffered financial losses of more than US $1 million in 2014.
Companies' greatest concerns related to cybercrime: the indirect costs of cybercrime are of greater concern than the direct losses.
Prevalence of cybercrime: 24% of companies experienced cybercrime.
Increased concern: 48% – the perception of cybercrime risk has increased.
Source: Global Economic Crime Survey, 2014, PWC, pages 5, 6, 29
Meet the hackers
Means and motives
WHY: Market advantage, corporate secrets, revenge, business disruption, cyber terrorism, hacktivism
HOW: Network (denial of service, network intrusions); infrastructure – servers, desktops, mobile devices; applications (e.g. website intrusion); employees (spear phishing)
WHAT: Corporate secrets, intellectual property, business plans, identity information, strategic & financial data; client information, access to accounts
IMPACT: Systems unavailable, regulatory sanctions, litigation, increased competition, revenue loss; increased costs, reputation loss; brand damage; loss of share
WHO?: Organized crime; other governments; other companies; malicious insiders; careless employees
The Dark Web: where the hackers ply their goods
• Deep Web: collection of all sites on the web that aren’t reachable by a search engine
• Tor – network developed with funding from the U.S. Navy; it uses multiple relay servers and layers of encryption to create a parallel, anonymous Internet. Tor networks are used to access the Dark Web1
• Dark Web: Not to be mistaken with the Deep Web, the Dark Web is a collection of websites that are publicly visible, but the IP addresses of the servers that run them are hidden.2
• It’s believed the Deep Web (which includes the Dark Web) accounts for 90% of all Internet sites.
1 Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26
2 Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/
The cyber underworld
Connection with organized crime
• Criminal activity via the Dark Web adds additional complexity in terms
of both internal and external threats -- or a combination of both
• Organized crime buys and sells credit and debit cards, customer
information and other data on Dark Web marketplaces and forums such as
the Silk Road
• Dark Web is also a repository of sites selling counterfeit prescription
drugs – a huge problem for the pharmaceutical industry – as well as
guns, narcotics and pornography etc.
Internal threats
• Dark Web usage often goes undetected on corporate networks,
raising security risks, liability and potential litigation for companies
• Employees access TOR on company computers to:
  • Purchase illegal goods and services
  • Get around security controls
  • Establish Tor hidden services on company networks
*Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26.
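The slide says Tor use usually goes undetected on corporate networks. The block below is an added example (not part of the presentation) of the simplest detection a security operations team can run: match outbound connections against a list of known Tor relay addresses, with the default relay ports as a weaker secondary signal. The relay addresses (drawn from the TEST-NET ranges), the log format and the log lines are all constructed for illustration; a real deployment would load the current relay list from the Tor directory consensus instead of a static set.

```python
"""Detect likely Tor relay traffic in outbound connection logs.

Added example, not part of the original presentation. The relay addresses
(TEST-NET ranges) and the log lines are constructed; a real deployment would
load the current relay list from the Tor directory consensus instead of a
static set.
"""
import re
from collections import defaultdict

# Constructed stand-in for the relay list pulled from the consensus.
KNOWN_RELAYS = {"198.51.100.7", "203.0.113.45", "192.0.2.200"}

# Tor's default ORPort/DirPort. Only a weak signal: many relays listen on 443,
# and other software uses these ports, so a hit here is "possible", not "known".
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed firewall/proxy format: <timestamp> <src_ip> <user> <dst_ip>:<port> <action>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<action>\S+)$"
)

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2015-10-21T09:01:12Z 10.0.5.23 jdoe 93.184.216.34:443 ALLOW
2015-10-21T09:01:40Z 10.0.5.23 jdoe 198.51.100.7:443 ALLOW
2015-10-21T09:02:03Z 10.0.7.88 asmith 203.0.113.45:9001 ALLOW
2015-10-21T09:02:15Z 10.0.7.88 asmith 198.51.100.99:9030 ALLOW
2015-10-21T09:03:00Z 10.0.9.10 build-svc 192.0.2.200:9001 DENY
2015-10-21T09:03:30Z 10.0.5.23 jdoe 93.184.216.34:80 ALLOW
malformed line that the parser should skip
"""


def classify(dst: str, port: int):
    """'known-relay' beats 'tor-port'; None means nothing Tor-like about the flow."""
    if dst in KNOWN_RELAYS:
        return "known-relay"
    if port in TOR_DEFAULT_PORTS:
        return "tor-port"
    return None


def scan_log(text: str):
    """Group Tor-like flows by (source IP, user).

    Denied attempts are kept on purpose: the attempt itself is the policy
    violation the slide is talking about, whether or not the firewall let it out.
    """
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        kind = classify(m["dst"], int(m["port"]))
        if kind:
            findings[(m["src"], m["user"])].append(
                {"kind": kind, "dst": m["dst"], "port": int(m["port"]),
                 "action": m["action"], "ts": m["ts"]}
            )
    return dict(findings)


if __name__ == "__main__":
    for (src, user), hits in scan_log(SAMPLE_LOG).items():
        for h in hits:
            print(f"{h['ts']} {user}@{src} -> {h['dst']}:{h['port']} {h['action']} [{h['kind']}]")
```

A relay-list match on a normal port (jdoe to 198.51.100.7:443 above) is the finding worth acting on; a bare port hit (asmith to 198.51.100.99:9030) only justifies a closer look, since Tor bridges and pluggable transports use arbitrary ports and ordinary software uses these ones. Hidden services run from inside the network show up the same way, as outbound connections to relays from a host that has no business making them.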
Malicious insiders
Insider threats are real
• External and internal threats often share one key motive – the desire
to profit from data1
• In the underworld, customer data is Big Money -- potential $$$
payout for employees who sell company secrets2
• Insiders are capable of more harm than outside hackers – they
already have access to the network
• Information theft is often an inside job; when the attacker is known,
39% say it was the result of employees3
• Employee malfeasance remains the most common driver of
information theft
• Insiders that lead or join an organized crime group can be more
difficult to detect than a lone insider in an organization.4
1 “Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.
2 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.6
3 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.7
4 Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity” p.9 by Chris King, Software Engineering Institute, January 2012.
Insiders and organized crime
When insiders have ties to existing organized crime
groups, the risks are that much greater:
• “A motivated group of insiders can bypass normal checks
and balances by reaching across departmental boundaries.
• Insiders affiliated with external organized crime groups have
the resources of a large organization available to help
them in their crime.
• This can include multiple insiders working for several
organizations that are all part of the same criminal group.
• The impact of insiders and organized crime exceeds a
normal fraud case and can cause $3M in damages on
average and up to $50M in the most extreme case.”*
*Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity” p.9 by Chris King, Software Engineering Institute, January 2012.
Some general employee controls
• Make fraud prevention everyone’s responsibility
• Enforce a workplace fraud prevention policy
• Ensure fraud prevention controls are inherent in a process
• Implement a Whistleblower Hotline or other communication channel
• Design controls to cover vacations and urgent emergency situations
• Be alert for behaviour cues
• Do rigorous pre-employment screening.
Social engineering
Meet the Social Engineer’s New Best Friends
Social engineering… increasingly targeted
• Online profiles such as LinkedIn – a critical tool in the social engineer’s arsenal
• Targeting certain job profiles in your organization: Security Analyst, Help Desk Analyst, IT Operations – hackers are looking for Full Admin Rights
• Titles aid in determining who to target
• Info gleaned from profiles is also used to personalize spear phishing emails and hack passwords
Spear phishing
• One of the best chances of getting access to company networks is through an email spear phishing attack
• Spear phishing is becoming increasingly sophisticated; it is hard to spot a fake
• Getting into the company’s system can also enable email account takeovers and other fraud
Encryption helps but…
• Strong encryption is a strong defense against hacking – it’s difficult to break – but it’s not foolproof
• Encryption’s weak link: social engineering
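The "doppelganger" look-alike sites listed earlier and the spear phishing above share one mechanic: a sender domain that reads like a trusted one. The block below is an added example (not part of the presentation) of a mail-gateway or accounts-payable check that classifies a sender domain as trusted, look-alike or unknown using three tests: a non-ASCII label (IDN homograph), a match after folding common confusable characters (bm0.com), and a one-edit difference on the name (bmo.co, acme-suplies.com). The trusted-domain set, the confusable map and the sample addresses are assumptions constructed for illustration.

```python
"""Flag look-alike (doppelganger) sender domains on incoming instructions.

Added example, not part of the original presentation. The trusted supplier
domains, the confusable-character map and the sample addresses below are
constructed for illustration.
"""

# Assumption: the supplier/bank domains this organization actually deals with.
TRUSTED_DOMAINS = {"bmo.com", "acme-supplies.com", "northwind.ca"}

# Visual substitutions commonly used in look-alike registrations. Order matters:
# multi-character sequences are folded before single characters. Both the
# candidate and the trusted domain are folded the same way, so the fold only
# needs to be consistent, not reversible.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("l", "i"),
]


def fold_confusables(s: str) -> str:
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender_domain(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an e-mail address."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Any non-ASCII character is treated as a possible IDN homograph (e.g. Cyrillic
    # letters that render like Latin ones); the trusted set here is ASCII-only.
    if any(ord(c) > 127 for c in domain):
        return "lookalike"
    folded = fold_confusables(domain)
    name = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_folded = fold_confusables(trusted)
        trusted_name = trusted.rsplit(".", 1)[0]
        # Same name under a different TLD (bmo.co), a confusable swap (bm0.com),
        # or a single typo (acme-suplies.com) all count as look-alikes.
        if (folded == trusted_folded
                or levenshtein(folded, trusted_folded) <= 1
                or levenshtein(name, trusted_name) <= 1):
            return "lookalike"
    return "unknown"


def triage(addresses):
    """Map each address to its classification (sample run over constructed input)."""
    return {a: classify_sender_domain(a) for a in addresses}


if __name__ == "__main__":
    samples = [
        "ap@acme-supplies.com",
        "ap@acme-suppl1es.com",
        "treasury@bm0.com",
        "cfo@bmo.co",
        "ar@northw\u0456nd.ca",   # Cyrillic 'і' in place of Latin 'i'
        "bob@example.org",
    ]
    for addr, verdict in triage(samples).items():
        print(f"{verdict:9s} {addr}")
```

Two caveats for anyone adapting this. A one-edit threshold on a three-letter name will also flag unrelated domains (bmw.com against bmo.com), so in practice the threshold should scale with name length and the comparison should be made on the registrable domain rather than on whatever precedes the last dot. And a look-alike domain passes SPF, DKIM and DMARC for itself, so those checks do not replace this one; the two are complementary. None of this helps when the attacker sends from a genuinely compromised account, which is the EAC case covered later in the deck.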
Business Email
Compromise
Business email compromise – what it is
Business Email Compromise (BEC) - defined as a
sophisticated scam targeting businesses
working with foreign suppliers and/or businesses
that regularly perform wire transfer payments.
The scam is carried out by compromising
legitimate business e-mail accounts through social
engineering or computer intrusion techniques to
conduct unauthorized transfers of funds.1
1 This definition was revised to emphasize the different techniques used to compromise victim e-mail accounts. Taken from the FBI’s
Public Service Announcement August 27, 2015, 1-082715a-PSA.
Business email compromise – the statistics
• The BEC scam continues to grow and targets businesses of all
sizes: 270% increase in identified victims and exposed loss since
January 2015
• The scam has been reported in all 50 states and in 79 countries
• Fraudulent transfers have been reported going to 72 countries
with majority of transfers going to Asian banks (China and Hong
Kong)
• The following BEC statistics were reported to the Internet Crime
Complaint Center from October 2013 to August 2015:
o Combined victims (U.S. and non-U.S): 8,179
o Combined exposed dollar loss (U.S. and non-U.S): ~$800
million.1
1 Exposed dollar loss includes actual and attempted loss in United States dollars.
Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715a-PSA.
Email account compromise
Email Account Compromise (EAC) - is a sophisticated
scam that targets the general public and professionals
associated with, but not limited to, financial and lending
institutions, real estate companies and law firms.
• The EAC scam is very similar to the BEC scam except
that it targets individuals rather than businesses.
• Some common examples include:
• Financial/Brokerage Services
• Real Estate
• Legal
Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715b-PSA.
Email account compromise – some examples
Financial/Brokerage Services
• An individual’s e-mail account is compromised. The criminal poses as the
victim and sends an e-mail to the victim’s FI or brokerage firm requesting a
wire transfer to an account under the control of the criminal
• An accounting firm’s e-mail account is compromised and used to request a
wire transfer from a client’s bank, supposedly on behalf of the client.
Real Estate
• A seller’s or buyer’s e-mail is compromised. The criminal intercepts
transactions between the two and alters instructions for the transfer of funds
• A realtor’s e-mail address is used to contact an escrow company to redirect
commission proceeds to a bank account associated with the criminal.
• A realtor receives a link within an e-mail from an unknown person requesting
info related to property. When the realtor clicks on the link, the criminal gains
access to the realtor’s e-mail and obtains client information. The criminal uses
this when e-mailing the clients and attempts to change wire instructions for
loan processing proceeds.
Taken from the FBI’s Public Service Announcement August 27, 2015, 1-082715b-PSA.
BEC and EAC mitigation
• Validate requests: when receiving payment instructions by email or fax, validate! Implement a mandatory callback policy for any request from a supplier, and place the call to a number already on file, never to a number supplied in the request itself – the sender might not be who you think it is…
• Implement limits: re-evaluate dollar limits – existing limits may be too high
• Subscribe to alerts: subscribe to balance and transaction threshold alerts, such as any debits above a certain $ amount
• Dual authentication: ask a secondary wire reviewer to approve any wire requests through online banking
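The four controls above are usually enforced in a treasury workstation or ERP as a release check, and the BEC/EAC scenarios earlier in the deck (a supplier's "new bank details", a compromised account asking for a wire) are exactly the inputs it has to catch. The block below is an added example (not part of the presentation) that combines callback verification of changed beneficiary details, a hard limit, a threshold alert and independent dual approval into one decision. The dollar thresholds, field names and sample requests are assumptions chosen for illustration; the trigger for the callback rule is a beneficiary account that is new or differs from the one on file and arrived by email or fax.

```python
"""Wire-release control: combine the four BEC/EAC mitigations into one check.

Added example, not part of the original presentation. The dollar thresholds,
field names and sample requests are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SINGLE_APPROVER_LIMIT = 10_000   # assumption: above this, two independent approvers
ALERT_THRESHOLD = 25_000         # assumption: debits above this raise an alert
HARD_LIMIT = 250_000             # assumption: never released by this path
UNVERIFIED_CHANNELS = {"email", "fax"}   # instructions that must be called back


@dataclass
class WireRequest:
    request_id: str
    requester: str                   # user who keyed the wire
    amount: float
    beneficiary_account: str
    account_on_file: Optional[str]   # account previously verified for this payee, if any
    channel: str                     # how the instructions arrived: email, fax, portal
    callback_verified: bool = False  # called back on a number on file, not one in the request
    approvers: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str          # "release" or "hold"
    reasons: List[str]
    alert: bool


def evaluate(req: WireRequest) -> Decision:
    reasons = []
    if req.amount > HARD_LIMIT:
        reasons.append(f"amount {req.amount:,.2f} exceeds hard limit {HARD_LIMIT:,}")
    # A beneficiary that is new, or differs from the verified one, is the BEC signature.
    new_or_changed = req.account_on_file is None or req.beneficiary_account != req.account_on_file
    if new_or_changed and req.channel in UNVERIFIED_CHANNELS and not req.callback_verified:
        reasons.append(f"new/changed beneficiary received by {req.channel} without callback verification")
    # The requester cannot approve their own wire; larger amounts need two other people.
    independent = {a for a in req.approvers if a != req.requester}
    required = 2 if req.amount > SINGLE_APPROVER_LIMIT else 1
    if len(independent) < required:
        reasons.append(f"{len(independent)} independent approver(s), {required} required")
    return Decision("hold" if reasons else "release", reasons, req.amount > ALERT_THRESHOLD)


def sample_requests() -> List[WireRequest]:
    """Constructed requests covering the normal case and each control."""
    return [
        WireRequest("W1", "alice", 4_000, "CA-111", "CA-111", "portal", approvers=["bob"]),
        WireRequest("W2", "alice", 60_000, "HK-999", "CA-111", "email", False, ["bob", "carol"]),
        WireRequest("W3", "alice", 60_000, "HK-999", "CA-111", "email", True, ["bob"]),
        WireRequest("W4", "alice", 60_000, "HK-999", "CA-111", "email", True, ["alice", "bob", "carol"]),
        WireRequest("W5", "alice", 300_000, "CA-111", "CA-111", "portal", True, ["bob", "carol"]),
    ]


def run(requests: Optional[List[WireRequest]] = None):
    return {r.request_id: evaluate(r) for r in (requests or sample_requests())}


if __name__ == "__main__":
    for rid, d in run().items():
        flag = " ALERT" if d.alert else ""
        print(f"{rid}: {d.action}{flag}" + "".join(f"\n    - {r}" for r in d.reasons))
```

W2 is the textbook BEC case: a changed account received by email with no callback is held even though two people approved it, because approvers looking at a convincing email are exactly what the scam relies on. W4 releases only after the callback, and still raises the threshold alert so treasury sees it. The callback flag must be set by the person who made the call, not copied from the request, or the control is only as good as the attacker's email.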
Resources
White papers and publications
FBI’s Public Service Announcement, August 27, 2015, 1-082715a-PSA and 1-082715b-PSA.
Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/
2013/14 Global Fraud Report. Ernest E.J. Hilbert, Kroll, p. 6, 7, p.39.
“Spotlight On: Malicious Insiders and Organized Crime Activity” by Chris King, Software Engineering Institute, January 2012, p.9.
“How do companies navigate bribery and corruption? 2015 Anti-Bribery and Corruption Benchmarking Report” A collaboration
between Kroll and Compliance Week, p.11.
2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p 12.
“US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, PwC July 2015, p.4.
Economic crime is on the rise – but you can fight back. PwC’s 2014 Global Economic Crime Survey Canadian supplement, p.10.
Economic crime: a threat to business processes. PwC’s 2014 Global Economic Crime Survey U.S. Supplement.
“Touring the Deep Web” Adam Rice, in Information Security, February 2014, pp 22-26.
Top Ten Cybersecurity Risks: How Prepared Are You for 2013? James Michael Stewart , Global Knowledge Training LLC, 2013.
www.globalknowledge.com.
“Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.
Q&A