Winning the war on cybercrime: Keys to holistic fraud prevention

Transcription

1 IBM Software Thought Leadership White Paper December 2013 Winning the war on cybercrime: Keys to holistic fraud prevention To combat growing cyber threats, holistic solutions provide the most accurate fraud-detection capabilities for financial institutions Introduction Cybercriminals are stepping up their attacks on financial institutions by gaining control of customer devices with highly advanced man-in-the-browser malware and spear-phishing attacks. They then conduct real-time credential theft and take over accounts. Until recently, technologies simply have not been capable of identifying and preventing such attacks, and instead have been overloading bank fraud-prevention operation teams with unnecessary false positive alerts. In a recent real-time account takeover scheme, cybercriminals used malware to steal user credentials at login and block users from logging in to online banking, after which the criminals used the stolen credentials in real time to log in to victims accounts and pass back any secondary authentication requests to users in order to bypass the bank s security and gain full access to accounts. Trusteer, an IBM company, 1 has pioneered a holistic, integrated fraud-prevention platform that has been successfully battletested in hundreds of financial institutions globally. This platform effectively protects financial institutions against the full range of attack vectors responsible for the majority of online and cross-channel fraud, including account takeover. Moreover, the Trusteer platform processes real-time intelligence from a vast global network to provide highly adaptable, flexible protection, minimizing the involvement of bank fraud operations and preventing disruptions to end users. The evolving fraud landscape Cyber-security practitioners know that fraudsters continually evolve their attack targets and methods as their victims, in turn, continually evolve their defense methods. Today, cybercriminals are expanding their attack surfaces by launching fraud attacks from the compromised devices of financial institutions customers and employees, as well as from criminal devices. The first two of the three primary attack methods utilize advanced malware that wrests control of the operating system and/or browser from the victim and transfers it to the criminal. The third method uses malware or phishing. Cybercriminals have been successfully defrauding bank customers with all of these methods. The main reason for cybercriminals continued success is that highly evasive advanced financial malware allows for a wide variety of attacks that are very difficult to detect with traditional fraud-prevention technologies. Cybercriminals are acutely aware of the technologies deployed by most financial institutions and simply design attacks to circumvent these controls. Bypassing them remains relatively straightforward because the controls are typically isolated, rather than integrated with one another.

2 2 Winning the war on cybercrime: Keys to holistic fraud prevention Four keys to holistic fraud prevention A holistic platform designed to prevent fraud should be built on four key elements that help ensure sustainable cybercrime prevention in light of the rapidly evolving threat environment. Incorporating these elements helps ensure a solution that provides critical benefits, including: 3. Adaptable controls and defense tactics against rapidly evolving cybercrime techniques, which often span multiple attack vectors and methods 4. Transparent protection that helps minimize disruption to customers performing legitimate transactions, and that requires minimal resources to operate 1. Comprehensive coverage and protection across the attack vectors predominantly used to commit cyber fraud 2. Real-time intelligence to help track and foresee emerging attack tactics and preemptively implement appropriate mitigating controls Four keys to holistic fraud protection Conclusive detection Malware, phishing, account takeover Customer, employee, criminal devices Full remediation Comprehensive coverage Trusteer Pinpoint Rapid countermeasure deployment Flexibility Configurability Proven effectiveness Adaptable solutions Trusteer Rapport TRX Trusteer Mobile Real-time intelligence 100 million endpoints Data correlation Crime Logic library Extensive threat intelligence Customer Employee Criminal Transparent protection Root-cause focus Highly accurate Virtually no customer disruption Minimal staff involvement

3 IBM Software 3 Financial institutions that adopt such a holistic solution acquire highly accurate fraud-detection capabilities that entail negligible customer involvement. Customers are typically involved only when attempted fraud, malware or phishing has been conclusively determined. Additionally, a solution s fraud-prevention capabilities need to meet the critical regulatory requirements delineated in the Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance Supplement. 1. Comprehensive coverage A comprehensive fraud-prevention platform can help protect organizations from fraud attempts across the full range of access devices and attack methods. Fraud attempts on financial institutions come from three primary attack vectors: customer devices, criminal devices and employee devices. Although the cybercrime attack surface is limited, the array of attack techniques is wide. Man-in-the-browser malware continues to be a highly effective and highly evasive method for committing fraud directly from a customer s device. For example, man-in-the-browser malware can inject fraudulent transactions into a fully authenticated session or can open a back door allowing the criminal to operate the customer endpoint. Because the transaction is routed through a known customer device, device ID approaches are not effective against this type of attack. Increasingly, criminals use malware or phishing on client devices to compromise credentials that they then use to fraudulently access client accounts from the criminal device. In geographies that allow expanded mobile banking capabilities and mobile payments, access to mobile devices in account takeover attacks is more frequent than elsewhere because it is harder to identify mobile devices than PCs. Another attack vector was highlighted in September 2012, when the FBI issued a warning that cybercriminals were using standard financial malware to compromise bank-employee devices in order to access customer accounts. This scheme resulted in a number of successful fraud incidents, each yielding several hundred thousand dollars. 2

4 4 Winning the war on cybercrime: Keys to holistic fraud prevention Cybercrime attack vectors Online banking Fraud from customer device TRX ATO Fraud from criminal device Customer Attack Attack Internet Credentials data Criminal Cross-channel fraud Employee Fraud from employee device TRX Malware install Credential phishing Wire, automated clearing house, internal, applications As financial institutions expand mobile payment capabilities, an increase in fraud involving compromised mobile devices is expected. Some institutions are beginning to allow clients to set up new electronic bill payees. Others are launching mobile peer-to-peer payment capabilities. When these mobile capabilities become widely adopted, cybercriminals are likely to focus attacks directly on mobile devices or incorporate the mobile channel into broader fraud schemes. In geographies that allow mobile payments, criminals use mobile devices in account takeover attacks because mobile device characteristics are very similar across device types, making them look identical to device ID technologies. Mobile devices allow for evasion of device ID solutions unless proper protections are applied, such as clientbased mobile device ID. A holistic solution for preventing fraud can quickly incorporate appropriate protection to defend this attack vector. Recognizing that attacks will emanate from one of the three attack vectors allows for highly focused prevention and detection techniques. Back-end statistical approaches that analyze data across a variety of sources to identify potentially fraudulent transactions are often inaccurate, costly, disruptive, rigid and reactive. Instead, focusing on fraud protection from this well-defined, limited attack surface can offer tremendous improvements in accuracy and efficiency.

5 IBM Software 5 Comprehensive Trusteer solutions Trusteer Pinpoint, Trusteer Rapport, Trusteer Mobile App, Trusteer Apex and the Trusteer global intelligence platform provide an industry-leading cybercrime prevention architecture. These solutions directly address the three vectors responsible for the vast majority of online and cross-channel fraud today: compromised customer devices, compromised employee devices and criminal access to bank systems across all access devices. For example: Trusteer Pinpoint Malware Detection provides highly accurate detection of financial malware on devices accessing online banking. Trusteer Pinpoint Account Takeover Detection correlates complex device fingerprinting with account compromise data to help detect account takeover attempts from a criminal device. Trusteer Mobile App extends this protection by providing self-service account lockdown and secure out-of-band authentication. Trusteer Rapport helps protect user devices from malware and phishing; it can instantly remove existing malware and immunize the endpoint against future infection. Trusteer Apex helps protect enterprise endpoints against application exploits (including zero-day) and data exfiltration. 2. Real-time intelligence An intelligent fraud-prevention platform can correlate data from multiple sources, including malware infection, phishing incidents and device fingerprinting, to help detect and prevent attacks. Staying ahead of the evolving threat landscape is extremely challenging, especially for financial institutions with limited resources. Fraudsters continuously test the defensive abilities of financial institutions to find weaknesses they can exploit. Likewise, malware is constantly evolving to evade common anti-virus solutions and to launch new and unexpected attack configurations. This is why Trusteer monitors customer endpoints to provide real-time intelligence of shifting attack tactics and configurations. Trusteer also monitors the underground fraud economy to help provide advanced notification of newly developed and planned attack tactics and configurations. Most financial institution programs aimed at fraud prevention consist of multiple siloed authentication and fraud detection technologies. Sometimes these systems are loosely coupled in an attempt to improve the institution s security posture. More frequently, however, communication between these point solutions is difficult to achieve because they were not designed to cooperate with one another. Unfortunately, cybercriminals know this and therefore purposely design attacks that exploit the limitations inherent in an environment with loosely coupled controls. One example of a frequently bypassed control is device identification. The identification approach is useful for determining whether the device accessing a user account is a recognized or a new device. However, malware can easily bypass this approach and even so-called complex device fingerprinting by using a number of schemes.

6 6 Winning the war on cybercrime: Keys to holistic fraud prevention Fraudsters utilize man-in-the-browser malware to inject transactions into authenticated sessions from a customer device. They can fool device ID technology with this approach because they are committing fraud from a legitimate source. Additionally, fraudsters can use man-in-the-browser malware as a proxy to remotely access a bank s site. Man-in-the-browser malware detection is necessary to recognize this type of attack, since most device ID technologies cannot reliably detect the proxy. Fraudulent access from a new device using stolen credentials will indicate an unknown device ID. Because customers sometimes access their banks from new devices, secondary authentication is often used to validate users. However, man-in-the-browser and phishing techniques are routinely used to steal secondary authentication credentials, allowing criminals to gain access and bypass the device ID control. Device identification is a very important tool in the arsenal of fraud-prevention technology, but it can easily be bypassed when it is used in isolation. The same holds true for most other fraudprevention technologies, which are particularly vulnerable to man-in-the-browser malware techniques designed to circumvent isolated controls. Intelligent Trusteer solutions Trusteer s roots in global fraud intelligence and malware research drive its expertise and continued success in helping customers prevent fraud. Through the intelligence gathered from more than 100 million protected endpoints, Trusteer owns and maintains a vast collection of cybercrime targets and tactics in its Crime Logic library. Its threat intelligence and product teams leverage this data to maintain sustainable fraud-prevention solutions for customers. Trusteer fraud-prevention solutions use this global protection and intelligence to focus exclusively on financial fraud. Trusteer Pinpoint Account Takeover Detection, for example, correlates complex device fingerprinting with an account s compromise history of phishing and malware to help detect account takeover attempts. Trusteer Pinpoint Malware Detection recognizes indications of malware infection and feeds this information to Trusteer Pinpoint Account Takeover Detection. When a criminal logs in, the malware event is correlated with the device fingerprint to reveal that a criminal is attempting to use the stolen credentials. Known devices are flagged as suspicious, but they are allowed access because they could be legitimate. New devices are allowed access only when malware is removed and credentials are changed.

7 IBM Software 7 Typical account takeover attempt to steal credentials Online banking LOGIN Trusteer Pinpoint Malware Detection LOGIN Trusteer Pinpoint Account Takeover Detection Account risk Device risk Customer Credentials Criminal Account compromise history Complex device fingerprinting Phished credentials Malware infections (stolen credentials) Device attributes New device Spoofed device Fraudster device User attributes Interaction patterns Geolocation Time of access Access denied 3. Adaptable controls An effective fraud-prevention platform should adapt to changes in fraud attacks by rapidly deploying countermeasures without overloading internal resources. Because fraud tactics are constantly changing, fraud-prevention platforms need to rapidly adapt without burdening financial institution resources. Man-in-the-browser malware, for example, is extremely adaptable and can change without notice. It can be used to: Invisibly inject fraudulent transactions into an authenticated online banking session Keep an authenticated online banking session secretly open after users think they have logged out Redirect the login to a spoofed online banking site, while blocking a user s access Inject pages or fields into a legitimate online banking session in order to steal credentials, personally identifiable information, credit card information or secondary authentication credentials Employ social engineering to trick users into downloading additional malicious software to other devices, including mobile It is critical for financial institutions to stay abreast of newly created malware that traditional anti-virus software cannot detect, as well as evolving malware attack tactics especially those targeting a specific institution. Cybercriminals rely on financial institutions lack of preparedness for new attack methods and can be expected to constantly change tactics.

8 8 Winning the war on cybercrime: Keys to holistic fraud prevention For example, distributed denial-of-service attacks that overburden targeted sites with communications requests, in order to render the site unavailable, have been used as a cover for malware-driven bank fraud. By using distributed denial-of-service attacks immediately after perpetrating fraud, cybercriminals can overload and redirect bank resources toward reacting to the distributed denial-of-service attack. In the process, they prevent customers from accessing their online bank accounts to see recently conducted transactions. Solutions that are immune to this ploy, or that can quickly adapt, help prevent fraud despite the blindness created by distributed denial of service. Some fraud-prevention technologies, such as hardware tokens, are rigid, costly and disruptive to modify. Other approaches, such as risk engines, require banks to make constant adjustments and updates. They also require banks to adopt highly specialized mathematical capabilities to optimize rules and algorithms. Defenses that cannot rapidly and continually adapt as necessitated by cybercrime are simply not sustainable, at best, and are highly susceptible to major fraud incidents, at worst. Adaptable Trusteer solutions Trusteer solutions are designed and developed to adapt to the ever-changing threat landscape. In the financial services industry, phishing and malware have managed to bypass strong authentication, one-time passwords, tokens, behavioral analytics and other solutions. Although the ability to adapt a security control to a change in the threat can be challenging, Trusteer solutions contain flexible software protection layers that can be rapidly configured and/or replaced by Trusteer Research and Intelligence operations without involving the bank or end users. Over the past six years, proven Trusteer solutions have consistently maintained near-100 percent effectiveness, despite the rapid evolution of the threat landscape. For example, a large European bank client was barraged with malware attacks. The bank implemented Trusteer Pinpoint Malware Detection to transparently detect malware on infected devices accessing online banking. Upon the solution s initial deployment, the bank successfully detected virtually all malwareinfected devices attempting to access online banking. Rather than give up, the cybercriminals changed the malware configurations in an attempt to evade detection by Trusteer Pinpoint. Over the course of two months, a battle ensued. Every time the cybercriminal updated malware attack configurations, Trusteer updated Pinpoint detection versions with several new scripts in reserve. Ultimately, the cybercriminal removed the bank from its configuration file, fearing that this particular bank would block the attack and then reveal the malware configuration to peer institutions targeted by the attackers.

9 IBM Software 9 Attacks on a very large European bank, decreasing with Trusteer Pinpoint deployment July Attempted fraud August September October November (first 19 days) Malware-attempted fraud 4. Transparent protection A transparent fraud-prevention platform should not burden customers with complex authentication protocols or long delays in processing while transaction alerts are sorted out. Typical rules-based, back-end analytics systems consume a variety of data to detect transaction anomalies that may indicate fraud. Depending on how the parameters are set, this approach can reduce fraud, but it can also needlessly inconvenience legitimate customers performing legitimate transactions. For example, sending a payment to a new, out-of-state payee on a Tuesday may be out of character for a certain customer and may therefore be flagged as potential fraud even if it is actually a legitimate transaction.

10 10 Winning the war on cybercrime: Keys to holistic fraud prevention Because most fraud-prevention platforms are detective rather than preventive, they expend enormous effort finding the proverbial needle in a haystack. And because the majority of transactions are legitimate, it can be excruciatingly difficult to accurately detect one fraudulent transaction among thousands or millions of legitimate ones. In general, most transactions identified as potential fraud are legitimate but must still be investigated, often requiring verification through customer contact. False positive ratios ranging from 20:1 to 50:1 (legitimate transactions identified as potentially fraudulent) require far too many customers to be burdened with unnecessary enhanced authentication or, worse, have transactions blocked or put on hold until a bank representative can make contact. The collateral damage from the use of a detective approach is high internal resource expenditure and needless customer disruption. A holistic fraud-prevention solution focuses on conclusively detecting and preventing the root cause of cyber fraud and is therefore highly accurate and minimally disruptive. That is, detecting and eliminating information-stealing malware before credentials are stolen helps prevent a fraudulent transaction from entering the processing system. Malware does not have to be found by back-end detection systems; it simply isn t there it has been prevented. Transparent Trusteer solutions Trusteer solutions are designed to help prevent fraud rather than simply react to fraud attempts. They can stop fraud early by eliminating malware from the endpoint or providing early detection before a fraudulent transaction is even attempted. For example, Trusteer Pinpoint provides real-time data that customers can utilize to focus on truly high-risk transactions. Its ability to limit false positives to nearly zero helps customers confidently block high-risk activity. Trusteer fraud-prevention solutions can help eliminate or accurately detect threats, so fraudulent transactions can be prevented without overloading bank fraud operations and inconveniencing customers. Conclusion Fighting the war on cybercrime will not become easier for financial institutions over time. Cybercriminals use a divide-and-conquer approach through intra-financial institution attacks. They rely on poor communication of fraud methods between financial institutions and also from inter-financial institution approaches as well as poor communication about fraudulent activity between siloed fraud-prevention systems. Traditional fraud-prevention technologies may help reduce fraud, but can be easily defeated by advanced cyber-fraud techniques. To date, advanced financial malware has bypassed

11 IBM Software 11 virtually every authentication method. Malware has also bypassed risk engines that detect anomalies by learning behaviors and transaction patterns to limit fraud to tolerable statistical limits. To win the war on cybercrime, institutions must wage their battles on the front line in this case, the customer endpoint. This is where malware and phishing initiate the chain of events that ultimately lead to fraud. Breaking the first link in the chain can help prevent fraud from ever entering the system, where it can be overlooked by risk engine analytics or bypass authentication methods. Focusing fraud-prevention efforts on the customer endpoint affords the highest likelihood of preventing cyber fraud. Holistic Trusteer fraud-prevention solutions focus on helping prevent fraud at the customer endpoint. Equally important, they incorporate four key elements that help ensure maximum effectiveness with minimal disruption, today and into the future. For more information To learn more about Trusteer fraud-prevention solutions, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security About IBM Security solutions IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents. Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

12 Copyright IBM Corporation 2013 IBM Corporation Software Group Route 100 Somers, NY Produced in the United States of America December 2013 IBM, the IBM logo, ibm.com, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party. 1 Trusteer was acquired by IBM in August of Federal Bureau of Investigation, Financial Services Information Sharing and Analysis Center, and Internet Crime Complaint Center (IC3), Fraud Alert: Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud, September 17, media/2012/fraudalertfinancialinstitutionemployeecredentialstargeted.pdf Please Recycle WGW03047-USEN-00