Financial crime: A changing landscape
Ed Rosenberg, VP & CSO, BMO Financial Group
Presentation to AFP Ottawa, October 21, 2015

Agenda
• Evolution of crime
• Overview of cyber crime
• Meet the hackers / the Dark Web
• Malicious insiders
• Social engineering
• Business Email Compromise (BEC)
• Email Account Compromise (EAC)
• Ways to mitigate email compromise
• Q&A

Disclaimer: The material in this presentation provides commonly known information about fraud trends, and BMO’s observations about controls and activities. This presentation is intended to provide you and your companies with information and helpful tips, but it does not purport to be complete or provide advice or recommendations to you or your company. You should always seek independent legal or professional advice when implementing fraud or risk initiatives.

Meet the new face of crime
Evolution of crime, 1970s to the present
• 1970s – when kiting had a different meaning…
• 1980s – credit card fraud increases; vigilante groups pop up
• 1990s – “Violence in the Workplace” enters the lexicon; the Internet takes shape
• 2000s – cyber crime emerges; skimming is a problem
• 2010s – the age of the faceless criminal

“The lines separating the intents of nation-states, hacktivists and organized crime are beginning to blur...”*
*“US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, PwC, July 2015, p.4.

Cyber crime
The World Wide Web of deceit
[Diagram: “The World Wide Web of Deceit” – the routes that end in fraudulent payments: email takeovers, doppelgangers (look-alike sites), social engineering, malware, phishing, spear phishing, online session takeover, compromised websites, fraudulent payment requests, unsecure Wi-Fi, interception and data breaches.]

Trends in corporate cyber crime – what the industry is seeing
• Email takeovers
• Targeted spear phishing attacks
• Advanced social engineering techniques
• Customer data theft & breaches
• Doppelgangers (look-alike sites)
• Identity theft

The costs of cyber crime
Cyber crime is costly
[Chart: Average annualized cyber crime costs per incident. Taken from 2013 Cost of Cyber Crime Study: Global Report, Ponemon Institute, October 2013, p. 12.]

Cyber crime: A closer look
Financial costs of cybercrime, 2014 (share of organizations):
• USD 0: 40%
• USD 1K–50K: 16%
• USD 50K–100K: 4%
• USD 100K–1M: 4%
• USD 1M–5M: 2%
• USD 5M–100M: 1%
3% of organizations suffered financial losses of more than US $1 million in 2014.
Indirect costs of cybercrime are of greater concern.
Companies’ greatest concerns related to cybercrime, 2014 (global %):
• Prevalence of cybercrime – companies that experienced cybercrime: 24%
• Increased concern – perception of cybercrime risk has increased: 48%
Source: Global Economic Crime Survey, 2014, PwC, pages 5, 6, 29.

Meet the hackers
Means and motives
• Why: market advantage, corporate secrets, revenge, business disruption, cyber terrorism, hacktivism
• How: network (denial of service, network intrusions); infrastructure – servers, desktops, mobile devices; applications (e.g. website intrusion); employees (spear phishing)
• What: corporate secrets, intellectual property, business plans, identity information, strategic & financial data; client information, access to accounts
• Impact: systems unavailable, regulatory sanctions, litigation, increased competition, revenue loss; increased costs, reputation loss; brand damage; loss of share
• Who?
• Organized crime
• Other governments
• Other companies
• Malicious insiders
• Careless employees

The Dark Web: where the hackers ply their goods
• Deep Web: the collection of all sites on the web that aren’t reachable by a search engine
• Tor – a network developed with funding from the U.S. Navy; it uses multiple relay servers and layers of encryption to create a parallel, anonymous Internet. Tor networks are used to access the Dark Web.1
• Dark Web: Not to be mistaken for the Deep Web, the Dark Web is a collection of websites that are publicly visible, but the IP addresses of the servers that run them are hidden.2
• It’s believed the Deep Web (which includes the Dark Web) accounts for 90% of all Internet sites.
1 Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26.
2 Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/

The cyber underworld
Connection with organized crime
• Criminal activity via the Dark Web adds additional complexity in terms of both internal and external threats -- or a combination of both
• Organized crime buys and sells credit and debit cards, customer information and other data on Dark Web forums such as the Silk Road
• The Dark Web is also a repository of sites selling counterfeit prescription drugs – a huge problem for the pharmaceutical industry – as well as guns, narcotics, pornography, etc.
Internal threats
• Dark Web usage often goes undetected on corporate networks, raising security risks, liability and potential litigation for companies
• Employees access Tor on company computers to:
  • Purchase illegal goods and services
  • Get around security controls
  • Establish Tor hidden services on company networks
*Taken from “Touring the Deep Web” by Adam Rice, in Information Security, February 2014, pp 22-26.
Malicious insiders
Insider threats are real
• External and internal threats often share one key motive – the desire to profit from data1
• In the underworld, customer data is Big Money -- a potential $$$ payout for employees who sell company secrets2
• Insiders are capable of more harm than outside hackers – they already have access to the network
• Information theft is often an inside job; when the attacker is known, 39% say it was the result of employees3
• Employee malfeasance remains the most common driver of information theft
• Insiders that lead or join an organized crime group can be more difficult to detect than a lone insider in an organization.4
1 “Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.
2 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.6.
3 2013 Kroll survey of 901 global senior executives, taken from 2013/14 Kroll Global Fraud Report, p.7.
4 Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity”, p.9, by Chris King, Software Engineering Institute, January 2012.

Insiders and organized crime
When insiders have ties to existing organized crime groups, the risks are that much greater:
• “A motivated group of insiders can bypass normal checks and balances by reaching across departmental boundaries.
• Insiders affiliated with external organized crime groups have the resources of a large organization available to help them in their crime.
• This can include multiple insiders working for several organizations that are all part of the same criminal group.
• The impact of insiders and organized crime exceeds a normal fraud case and can cause $3M in damages on average and up to $50M in the most extreme case.”*
*Quoted from “Spotlight On: Malicious Insiders and Organized Crime Activity”, p.9, by Chris King, Software Engineering Institute, January 2012.
Some general employee controls
• Make fraud prevention everyone’s responsibility
• Enforce a workplace fraud prevention policy
• Ensure fraud prevention controls are inherent in a process
• Implement a whistleblower hotline or other communication channel
• Design controls to cover vacations and urgent emergency situations
• Be alert for behaviour cues
• Do rigorous pre-employment screening

Social engineering
Meet the social engineer’s new best friends
Social engineering… increasingly targeted
• Online profiles such as LinkedIn – a critical tool in the social engineer’s arsenal
• Targeting certain job profiles in your organization: Security Analyst, Help Desk Analyst, IT Operations – hackers are looking for full admin rights
• Titles aid in determining who to target
• Info gleaned from profiles is also used to personalize spear phishing emails and hack passwords
Spear phishing
• One of the best chances of getting access to company networks is through an email spear phishing attack
• Spear phishing is becoming increasingly sophisticated; it is hard to spot a fake
• Getting into the company’s system can also enable email account takeovers and other fraud
Encryption helps but…
• Strong encryption is a strong defense against hacking – it’s difficult to break – but it’s not foolproof
• Encryption’s weak link: social engineering

Business Email Compromise
Business email compromise – what it is
Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.1
1 This definition was revised to emphasize the different techniques used to compromise victim e-mail accounts. Taken from the FBI’s Public Service Announcement, August 27, 2015, 1-082715a-PSA.
Business email compromise – the statistics
• The BEC scam continues to grow and targets businesses of all sizes: a 270% increase in identified victims and exposed loss since January 2015
• The scam has been reported in all 50 states and in 79 countries
• Fraudulent transfers have been reported going to 72 countries, with the majority of transfers going to Asian banks (China and Hong Kong)
• The following BEC statistics were reported to the Internet Crime Complaint Center from October 2013 to August 2015:
  o Combined victims (U.S. and non-U.S.): 8,179
  o Combined exposed dollar loss (U.S. and non-U.S.): ~$800 million1
1 Exposed dollar loss includes actual and attempted loss in United States dollars. Taken from the FBI’s Public Service Announcement, August 27, 2015, 1-082715a-PSA.

Email account compromise
Email Account Compromise (EAC) is a sophisticated scam that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies and law firms.
• The EAC scam is very similar to the BEC scam except that it targets individuals rather than businesses.
• Some common examples include:
  • Financial/Brokerage Services
  • Real Estate
  • Legal
Taken from the FBI’s Public Service Announcement, August 27, 2015, 1-082715b-PSA.

Email account compromise – some examples
Financial/Brokerage Services
• An individual’s e-mail account is compromised. The criminal poses as the victim and sends an e-mail to the victim’s FI or brokerage firm requesting a wire transfer to an account under the control of the criminal.
• An accounting firm’s e-mail account is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.
Real Estate
• A seller’s or buyer’s e-mail is compromised.
The criminal intercepts transactions between the two and alters instructions for the transfer of funds.
• A realtor’s e-mail address is used to contact an escrow company to redirect commission proceeds to a bank account associated with the criminal.
• A realtor receives a link within an e-mail from an unknown person requesting info related to a property. When the realtor clicks on the link, the criminal gains access to the realtor’s e-mail and obtains client information. The criminal uses this when e-mailing the clients and attempts to change wire instructions for loan processing proceeds.
Taken from the FBI’s Public Service Announcement, August 27, 2015, 1-082715b-PSA.

BEC and EAC mitigation
• Validate requests: When receiving instructions by email or fax, validate! Implement a mandatory callback policy if you receive a request from a supplier – it might not be who you think it is…
• Implement limits: Re-evaluate dollar limits – existing limits may be too high
• Subscribe to alerts: Subscribe to balance and transaction threshold alerts, such as any debits above a certain $ amount
• Dual authentication: Ask a secondary wire reviewer to approve any wire requests through online banking

Resources
White papers and publications
• FBI’s Public Service Announcement, August 27, 2015, 1-082715a-PSA and 1-082715b-PSA.
• Hacker Lexicon: What is the Dark Web? Andy Greenberg, November 19, 2014. http://www.wired.com/2014/11/hacker-lexicon-whats-dark-web/
• 2013/14 Global Fraud Report. Ernest E.J. Hilbert, Kroll, pp. 6, 7, 39.
• “Spotlight On: Malicious Insiders and Organized Crime Activity” by Chris King, Software Engineering Institute, January 2012, p.9.
• “How do companies navigate bribery and corruption? 2015 Anti-Bribery and Corruption Benchmarking Report”, a collaboration between Kroll and Compliance Week, p.11.
• 2013 Cost of Cyber Crime Study: Global Report. Ponemon Institute, October 2013, p.12.
• “US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey”, PwC, July 2015, p.4.
• Economic crime is on the rise – but you can fight back. PwC’s 2014 Global Economic Crime Survey, Canadian supplement, p.10.
• Economic crime: a threat to business processes. PwC’s 2014 Global Economic Crime Survey, U.S. supplement.
• “Touring the Deep Web”, Adam Rice, in Information Security, February 2014, pp 22-26.
• Top Ten Cybersecurity Risks: How Prepared Are You for 2013? James Michael Stewart, Global Knowledge Training LLC, 2013. www.globalknowledge.com.
• “Are your biggest security threats on the inside?” David Weldon, csoonline.com, September 24, 2015.

Q&A
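The four BEC/EAC mitigation controls on the slide above (mandatory callback, dollar limits, threshold alerts, a secondary wire reviewer) expressed as one release check, as an added example that is not from the presentation or from BMO; the limit values, names and the `WireRequest` structure are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed policy values (placeholders, not any institution's real limits).
PER_WIRE_LIMIT = 50_000      # hard ceiling per wire; re-evaluate regularly
ALERT_THRESHOLD = 10_000     # debits above this raise a threshold alert


@dataclass
class WireRequest:
    """A wire instruction received by email or fax (constructed structure)."""
    requested_by: str                     # staff member who keyed in the request
    beneficiary: str
    amount: float
    callback_verified: bool = False       # confirmed by phone to a number on file
    approvals: set = field(default_factory=set)


def record_callback(req: WireRequest, confirmed_on_file_number: bool) -> WireRequest:
    """Record the callback result. The caller dials the supplier's number already
    on file, never a number supplied in the email or fax being validated."""
    req.callback_verified = confirmed_on_file_number
    return req


def approve(req: WireRequest, reviewer: str) -> WireRequest:
    """Dual authentication: the person who entered the wire cannot be its reviewer."""
    if reviewer == req.requested_by:
        raise ValueError("dual control: requester may not approve their own wire")
    req.approvals.add(reviewer)
    return req


def evaluate(req: WireRequest) -> tuple[bool, list[str]]:
    """Return (release, findings). Release is True only when no control blocks;
    an 'alert:' finding is informational and does not block on its own."""
    findings = []
    if req.amount > ALERT_THRESHOLD:
        findings.append(f"alert: debit {req.amount:.2f} above threshold {ALERT_THRESHOLD}")
    if req.amount > PER_WIRE_LIMIT:
        findings.append("blocked: amount exceeds per-wire limit")
    if not req.callback_verified:
        findings.append("blocked: instruction not confirmed by callback")
    if not req.approvals:
        findings.append("blocked: no secondary reviewer approval")
    release = not any(f.startswith("blocked") for f in findings)
    return release, findings
```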