Post on 22-Dec-2015
© 2009 SECUREMATRIX : PROPRIETARY & CONFIDENTIAL Page 1
Welcome !
We have something for everyone here !
YOU ARE ALL WINNERS !
The graphic on this slide has been deleted from this presentation. You may click the link below to view the cartoon.
http://www.cartoonstock.com/cartoonview.asp?catref=grin691
THOUGHTS TO SET THE TONE
It is human nature to think wisely and act foolishly.
- Anatole France (1844 - 1924)
“ to provide the most trusted information security services in the world.”
Threat of frauds in online transactions
Preventing Fraud When Transacting Online
Secure Matrix India Private Limited specializes in IT & IS Audit, Security Consulting and Technical Security Services across all industry and business segments
We are headquartered in Mumbai and operate a Technology Centre cum Security Lab out of Pune. We have offices in Delhi and Chennai. International locations are London, Dubai and Atlanta.
Our management and consulting team comprises professionals certified in Information Security and in Governance, Risk and Compliance, with extensive industry experience covering Technology, Banking, Finance, Government, Media & Entertainment, etc.
An extensive service offering includes Technical Security Services for Vulnerability Assessment, Penetration Testing, Application Security, Cyber Forensics, off-site and on-site Security Monitoring and Management.
Map: Headquarters Mumbai; Technology Centre Pune; Regional Offices Delhi and Chennai
Group structure: Secure Matrix India Pvt Ltd; Secure Matrix UK (100%); Secure Matrix USA (100%); Secure Matrix UAE (100%)
A man is his own easiest dupe, for what he wishes to be true he generally believes to be true.
CONSIDER THIS…
Agenda: online fraud threats, and a discussion of prevention
The internet provides convenience, speed and efficiency in transactions with internal or external customers, vendors and government, and its use is growing exponentially
Every query at the public interface can be a risk: malicious hacker? malicious insider? ignorant user? smart hobbyist? human error? trojan / logic bomb (command / plant)?
Let's keep our fingers crossed; it is a legitimate user knocking at your door and not one of the above!
THREATS, FRAUDS, SCAMS …. IT’S ALL OVER
The fraud can start in a parking lot …
The parking ticket has a website address where you will get details of the violation and pay the fine. On the site you are asked to install a toolbar that will enable the incident to be processed. Of course, you are expected to provide some personal info and use your credit card to pay the fine !
….. The rest is left to your imagination.
Even governments can be scammed ….
State of Utah paid $ 2.5 m into the scam bank account. Key loggers captured information and this was used to create and pay fake invoices. Luckily the transactions were spotted by a bank manager and the department managed to save about $ 1.8 m
Starting off we take a look at some numbers …
SOME FACTS & FIGURES
Internet Crime Complaint Center
Complaints: 2007: 206,884; 2008: 275,284 (+33.1%). Total dollar loss: $265 million; average $931 per complaint
Fraud delivery mechanism: Email 70%, Webpage 25%
Victims: 55.4% male. Perpetrators: 77% male, from CA, FL, DC, TX, WA
Men lost more money than women: $1.69 to every $1
More than 75% of all malicious threats were aimed at compromising end users for financial gain
China accounted for almost half of all malicious activity within Asia Pacific
Symantec created 1,656,227 new malicious code signatures - a 265% increase over 2007
Malicious code development is now a professional business, supporting the demand for goods and services that facilitate online fraud
Variants of existing threats are the preferred and most cost-effective way to create new attacks, instead of creating totally new threats
- Symantec Internet Security Threat Report Volume XIV
2008 POINTERS…
Categorization of motives of cyber crimes (no. of cases):
Revenge / Settling scores: 13
Greed / Money: 62
Extortion: 2
Cause Disrepute: 25
Prank / Satisfaction of Gaining Control: 0
Fraud / Illegal Gain: 216
Eve Teasing / Harassment: 56
Others: 85
Perpetrators (no. of cases):
Foreign National / Group: 8
Disgruntled Employee / Employee: 23
Cracker / Student / Professional learners: 46
Business Competitor: 65
Neighbours / Friends & Relatives: 70
Others: 151
- National Crime Records Bureau Report 2009
SOME FACTS & FIGURES (INDIA – breakdown for 2007)
Cybercrime cases registered under the IT Act in 2007 increased 53% over 2006
SOME FACTS & FIGURES (INDIA – citywise breakdown for 2007)
City: Total
Bhopal: 163
Bangalore: 41
Pune: 14
Mumbai: 10
Kochi: 9
Nagpur: 8
Delhi: 5
Vijayawada, Chennai, Amritsar, Lucknow, Ahmedabad, Ludhiana, Patna, Kolkata, Kanpur, Indore (combined): 23
Total: 273
Malicious users in India are yet to reach a high level of sophistication.
This does not remove the risk of the "foreign hand" that we are always referring to; in this case the "FH" will refer to the USA, Russia, China and a number of Eastern European countries
Examples of outsourced malicious work in India: an Indian IT worker may be coding for an overseas buyer; a team works on 'captcha' breaking
EVERYONE LOSES
Columns: A = Revenge / Settling Scores, B = Greed / Money, C = Extortion, D = Cause Disrepute, E = Fraud / Illegal Gain, F = Eve Teasing / Harassment, G = Others
SL.No  City              A    B    C    D    E    F    G  Total
 1     Bhopal            0    0    0    0  158    3    2    163
 2     Bangalore         1   25    0    1    5    9    0     41
 3     Pune              1    4    0    5    2    2    0     14
 4     Mumbai            0    0    0    1    0    7    2     10
 5     Kochi             0    2    0    0    0    1    6      9
 6     Nagpur            1    0    0    2    1    4    0      8
 7     Delhi (City)      0    4    0    0    0    0    1      5
 8     Vijayawada        0    0    0    0    4    0    0      4
 9     Chennai           2    0    0    0    1    0    1      4
10     Amritsar          0    3    0    0    0    0    1      4
11     Lucknow           1    0    2    0    0    0    0      3
12     Ahmedabad         0    1    0    0    0    0    2      3
13     Ludhiana          0    2    0    0    0    0    0      2
14     Patna             0    0    0    0    0    0    0      0
15     Kolkata           0    0    0    0    0    1    0      1
16     Kanpur            0    1    0    0    0    0    0      1
17     Indore            0    0    0    0    1    0    0      1
Total (Cities)           6   42    2    9  179   22   13    273
(The Total row is reproduced as it appears on the slide. The city rows as shown add up to 172, 27 and 15 for columns E, F and G respectively; the row totals do add up to 273.)
SOME FACTS & FIGURES (INDIA – citywise detailed breakdown for 2007)
IN THE NEWS FOR THE WRONG REASONS
• Get-Rich-Quick • Work-at-home • 419 Scams • Lottery Winners • Online Pharmacies • Phishing • Spear Phishing • Hoax Bomb Threats • Stolen Credit Card • Data Manipulation • Data Leakage • Impersonation / Identity Fraud • Brand Hijacking • Job Frauds • Marriage • Sale frauds • Stock Scams • Online Degrees • Check Cashing / Fraud • Domain Name Renewal
Lottery scam attempt at ACFE !
The fraudster seems to be too intelligent for his own business !
HOT OFF THE PRESS….
Get Rich Quick
Me Smartest of Them All
Lucky Me !
No One Can See Me
It Can’t Happen To Me
He Was a Fool He Got Caught
KEYWORDS
Institutions are drawn into the fraud due to the omissions and commissions of their constituents
Institutions may be contributing to their fraud threat quotient due to lax security practices and a laissez-faire attitude towards IT security / risk management / awareness
Effort and resource costs cause losses to both customers and institutions (even if the money is recovered). Investigation and recovery is expensive! Add the cost of loss of credibility and brand / image value
EVERYONE LOSES
Malicious Insider … is by far the biggest threat and source of frauds on connected and non-connected systems.
Credit Cards … stolen cards used online
Letters of Credit … investor is offered a highly discounted "purchase" price
Ponzi Schemes … a high interest rate is offered and is paid from investor money in the beginning. The scheme falls apart after some time and the scamster disappears
Identity Data Theft … provides personal information to the fraudster, who can then engage in phishing, vishing and spear-phishing
THREATS & FRAUDS …
Money Laundering & Money Mules … individuals are conned into working to launder money and become part of the criminal network
Re-shipping … similarly, individuals become part of a criminal chain by accepting and shipping stolen goods
FRAUDS…
Check Fraud … a lawyer is asked to cash a high-value check and remit the funds after deducting a handling fee. The check appears to clear, the victim waits 5 or 10 days for a cleared balance and then remits the funds. A month later the bank reverses the amount, because the check was fraudulent!
A variation is when an individual is "hired" as a 'payment processor' and receives checks that he/she cashes and transfers to other accounts. The checks are usually stolen and the individual becomes part of the crime as a "Money Mule".
FRAUDS…
Mobile Phone Insurance … UK consumers get calls offering cheap insurance for a newly purchased phone. The caller asks for card information and the card is then used fraudulently
Medical Insurance … a customer purchased a policy online and when he made a claim it was not accepted, since he had not declared his medical condition at the time of purchase; the agent sold the policy without providing proper information, or sold inadequate cover
Insurance frauds … false declarations and staged accidents against insurance purchased online (healthcare, auto insurance)
Stock market … forums and spam send out recommendations and the whole world starts discussing how "hot" that scrip is. Of course, everyone buys and it tanks once the scamster has made his million.
FRAUDS…
PHISHING … the nemesis of modern day transactions
Banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.)
The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers)
- Gartner
I would highly recommend not entering a PIN number anywhere on the Internet, unless it was hardware based.
- Avivah Litan, Analyst at Gartner
STOCK MARKET FRAUD THREATS
Threats are lurking for the gullible investor at every corner …
- Investment Newsletters … hyping stocks, false information, company promotion
- Bulletin Boards / Forums … discussions are very heated and dubious
- Spam … mass mailing
Typically these are called "Pump and Dump" scams, since they work to build hype around a 'dabba' (dubious shell) company to push up the share price. The scammer sells and exits, and the share price tanks!
October 2000:A bogus online press release caused Emulex Corp., a California firm that designs and develops fiber optics, to lose more than $2 billion in value during a single day of trading.
It stated that the company was reducing its earnings estimates and that its chief executive was stepping down.
A 23-year old student used a computer at his community college to distribute the release and earned a $240,000 profit from the resulting price fluctuations before he was caught.
Spear Phishing (report of Jun ‘09)
The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks.
If the victim logs in to a bank that requires two-factor authentication -- such as the input of a one-time pass phrase or random number from a supplied hardware token -- the Trojan re-writes the bank's Web page on the fly, inserting a form that requests the information.
http://isc.sans.org/diary.html?storyid=6511
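The Trojan described above works because a plain one-time code proves only that the user holds the token, not what the user meant to authorize. The following Python example is added here and is not part of the original presentation or of the SANS diary it cites. It simulates both sides: a counter-based OTP that a man-in-the-browser can forward unchanged on a rewritten transfer, beside a transaction-bound OTP (the code is computed over the beneficiary and amount the user keys into the token) that the bank rejects once the Trojan has changed the beneficiary. The token secret, the account identifiers, the amounts and the HMAC-SHA256 construction are assumptions for the example, not details from the report.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed token secret for this example (constructed; a real secret lives only
# in the hardware token and the bank's HSM).
TOKEN_SECRET = b"constructed-token-secret-01"


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount: int  # in the smallest currency unit


def _six_digits(digest: bytes) -> str:
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def event_otp(secret: bytes, counter: int) -> str:
    """Plain counter-based OTP: proves possession of the token, says nothing
    about which transaction the user meant to approve."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def transaction_otp(secret: bytes, counter: int, tx: Transfer) -> str:
    """Transaction-bound OTP: the user keys beneficiary and amount into the
    token, so the code commits to them and is useless for any other transfer."""
    msg = counter.to_bytes(8, "big") + f"{tx.beneficiary}|{tx.amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _six_digits(mac)


def mitb_tamper(tx: Transfer) -> Transfer:
    """What the Trojan does: the page still shows the user's transfer, but the
    request that leaves the browser carries the attacker's beneficiary."""
    return Transfer(beneficiary="MULE-ACCOUNT-999", amount=tx.amount)


def bank_verify(counter: int, received: Transfer, otp: str, bound: bool) -> bool:
    """Bank side: recompute the expected code for the transfer actually received."""
    expected = (transaction_otp(TOKEN_SECRET, counter, received) if bound
                else event_otp(TOKEN_SECRET, counter))
    return hmac.compare_digest(expected, otp)


def simulate(bind_to_transaction: bool):
    """Run one transfer through the Trojan. Returns (accepted, transfer executed)."""
    counter = 17
    intended = Transfer("ACME-SUPPLIES-001", 12_500)
    # The user reads the code off the token for the transfer they intend.
    otp = (transaction_otp(TOKEN_SECRET, counter, intended) if bind_to_transaction
           else event_otp(TOKEN_SECRET, counter))
    # The Trojan rewrites the beneficiary; the OTP is forwarded unchanged.
    received = mitb_tamper(intended)
    return bank_verify(counter, received, otp, bind_to_transaction), received


if __name__ == "__main__":
    for bound in (False, True):
        accepted, executed = simulate(bound)
        kind = "transaction-bound OTP" if bound else "counter-based OTP"
        print(f"{kind}: bank accepted={accepted}, paid to {executed.beneficiary}")
```

The protection comes from binding the code to the transaction, not from the hardware as such: the token matters because the beneficiary and amount are entered and displayed on a device the Trojan cannot rewrite, which is also the sense of the Gartner advice quoted above about hardware-based entry.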
Continuous network monitoring … internal and external; automated / manual; planned and periodic Vulnerability Assessment / Penetration Testing on infrastructure and web applications
Device based monitoring … systems (FW/IDS/IPS/UTM)
Logging and log analysis … use of SIM/SIEM tools
Proactive Incident Management … to identify, contain, learn and update
Backup, Patch, Change Management, Continuity and Recovery … use appropriate technologies and processes with regular testing schedules and drills
Secure Software Development … build security in; purchase software that has undergone security testing
PREVENTION – Corporate / Institutional Vigilance
IF IT SOUNDS TOO GOOD TO BE TRUE ……… IT’S NOT TRUE !
NIGERIAN SCAM or 419 SCAM … was a $5 billion industry in 1996!
"419 fraud", so called after Section 419 of the Nigerian Criminal Code, the section that specifically prohibits this type of crime
Variations of the scam mails carry an 'emotional' appeal:
- Deposed leaders and their families (widows, sons) and associates (aides, lawyers)
- Over-invoiced contracts and government employees (NNPC, Central Bank of Nigeria)
- Forgotten accounts, wills and inheritances, death-bed claims of wealth
- Trade deals
- Assistance getting stolen assets (cash, diamonds) out of the country
- Gifts to charitable or religious organizations
- Scholarships
THE FIVE RULES FOR DOING BUSINESS WITH NIGERIA (courtesy of The 419 Coalition)
1. NEVER pay anything up front for ANY reason.
2. NEVER extend credit for ANY reason.
3. NEVER do ANYTHING until their check clears.
4. NEVER expect ANY help from the Nigerian Government.
5. NEVER rely on YOUR Government to bail you out.
Mountains of gold: an exploratory research on Nigerian 419-fraud: backgrounds, http://419.swpbook.com/ . Research was carried out in 2008 by Bureau Beke and the Police Academy. It is in Dutch and the first English edition is due any time.
Not just Nigeria! These rules apply to doing business with anyone!
A fool and his money are easily parted
AN UNFORTUNATE FACT …. TRUE THROUGH THE AGES
We have to smarten up not to be fooled and win the game …
Prevention measures primarily require the tweaking of people, process and technology … the triumvirate on which all security best practices rest.
WINNING THE FRAUD GAME USING THE PREVENTION STRATEGY
Awareness & Training for users at all levels … there is nothing like low-end or high-end training. Use mailers and seminars to reach out.
Banks … online issues and how to practice safe surfing
Stocks & Shares … do your own research, don't rely on gossip
Identity / Access Management … role-based access control
Policies and Procedures … to detect, respond, neutralize (or) remediate, report and learn, in addition to the IT use / security policy
Monitoring … behavior, activity, markets, trends, internal controls, technology
Risk Management … should be proactively built into controls that can alert responsible persons when a threshold is breached
FRAUD PREVENTION– Corporate / Institutional Vigilance
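Two of the points in this section, log analysis with SIM/SIEM tools (listed under corporate vigilance earlier in the deck) and controls that alert when a threshold is breached, are easiest to see on concrete data. The Python example below is added here and is not code from the presentation or from Secure Matrix. It runs two simple rules over a constructed online-banking transaction log: a login from an IP the account has never used, followed within ten minutes by a new payee and a transfer at or above a threshold (the account-takeover pattern behind the phishing and Trojan cases shown earlier), and one source IP logging into many distinct accounts (the money-mule or replayed-credential pattern). The log format, field names, thresholds and IP addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an online-banking transaction log (not real data).
# Format: timestamp|user|source_ip|event|amount
SAMPLE_LOG = """\
2009-06-01T09:00:12|alice|203.0.113.5|login|0
2009-06-01T09:01:40|alice|203.0.113.5|transfer|4000
2009-06-01T13:10:02|bob|198.51.100.9|login|0
2009-06-01T13:10:30|bob|198.51.100.9|add_payee|0
2009-06-01T13:11:05|bob|198.51.100.9|transfer|95000
2009-06-01T13:12:00|carol|198.51.100.9|login|0
2009-06-01T13:12:40|dave|198.51.100.9|login|0
2009-06-01T13:13:10|erin|198.51.100.9|login|0
"""

# IPs each account had used before this window (constructed baseline).
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"192.0.2.77"}}

# Thresholds a risk team would tune; these values are assumptions.
TRANSFER_THRESHOLD = 50_000
WINDOW = timedelta(minutes=10)
MAX_ACCOUNTS_PER_IP = 3


def parse(log: str):
    """Turn the pipe-separated lines into dicts with a real datetime."""
    rows = []
    for line in log.splitlines():
        ts, user, ip, event, amount = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ip, "event": event, "amount": int(amount)})
    return rows


def detect(rows, known_ips=KNOWN_IPS):
    """Return a list of alert tuples; each alert names the rule that fired."""
    alerts = []

    # Rule 1: login from an IP the account has never used, then a new payee,
    # then a transfer at or above the threshold, all inside WINDOW.
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        for i, login in enumerate(events):
            if login["event"] != "login" or login["ip"] in known_ips.get(user, set()):
                continue
            later = [e for e in events[i + 1:] if e["ts"] - login["ts"] <= WINDOW]
            new_payee = any(e["event"] == "add_payee" for e in later)
            big = [e for e in later
                   if e["event"] == "transfer" and e["amount"] >= TRANSFER_THRESHOLD]
            if new_payee and big:
                alerts.append(("NEW_IP_PAYEE_LARGE_TRANSFER", user,
                               login["ip"], big[0]["amount"]))

    # Rule 2: one source IP logging into too many distinct accounts
    # (shared mule workstation, or replay of phished credentials).
    users_per_ip = defaultdict(set)
    for r in rows:
        if r["event"] == "login":
            users_per_ip[r["ip"]].add(r["user"])
    for ip, users in users_per_ip.items():
        if len(users) >= MAX_ACCOUNTS_PER_IP:
            alerts.append(("MANY_ACCOUNTS_ONE_IP", ip, len(users)))

    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample log the first rule fires for bob (new IP, new payee, 95,000 transfer inside the window) and the second for 198.51.100.9 (four accounts from one address); alice's large-ish transfer from her usual IP raises nothing. In a SIEM these two rules would be correlation searches over the same fields, with the thresholds owned by the risk function rather than hard-coded.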
Anti Phishing … guidelines (gyaan) must be highlighted on the login page
Website design must be simple … there is too much noise, so the user does not care about any announcement or warnings. Don't make life difficult for the user; e.g. a frequent password change is no guarantee against compromise, and if you log out the user after he/she has logged in and made a password change you are creating an unnecessary step in the process
Provide visible links … for statements, password change etc., and inform customers that NO email will ever carry a clickable link
Auto Logout … an inactive login is automatically logged out
Communicate … proactively about any problems on the website (downtime, hack etc.) and seek to educate the user (but this must be in plainspeak)
Endpoint Security … regularly check for viruses, keyloggers, spyware
FRAUD PREVENTION – Corporate / Institutional Vigilance
THE USER
Personal Vigilance
Rely on common sense
Check the URL you are going to click (if it is in a mail)
Bookmark bank URLs and use the bookmark to visit the site
Do not save passwords using the browser's save-password feature
Be careful about social engineering
BEATING FRAUD
Watch out for "phishy / scammy" emails and sites
Don't click on links within emails that ask for your personal information
Block pop-ups and never trust a site that is asking for your sensitive information in a pop-up; if you must, verify the pop-up source and "allow" only those instances
Secure your system by using anti-virus, anti-spam and a firewall, and keep them updated
Email attachments from known people? Trust it only if it is a known file type. Your system will show a cute program icon. In any case, why do you want to mess with unknown file types when you have enough troubles already!
Ask yourself … if someone can make a crore out of my thousand, why does that person look like a beggar? And if not, why is he/she doing you a favor!
BEATING FRAUD – its Common Sense (to a large extent)
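"Check the URL you are going to click" and "don't click on links within emails" are the two personal rules most worth automating. The Python example below is added here and is not part of the presentation. It extracts every link from a constructed HTML email and flags the tricks that phishing mail of this period relied on: display text naming one host while the href points at another, an IP-address host, a "@" in the URL so that the real host hides behind the bank's name, a brand name used as a subdomain of an unrelated domain, punycode hosts, and plain-http links. The expected bank domain, the sample message and the finding names are assumptions for the example; a real deployment would use a public-suffix list instead of the two-label heuristic in registrable().

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing-style email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, verify your account:</p>
<a href="http://www.examplebank.com.account-verify.net/login">www.examplebank.com/login</a>
<a href="http://192.0.2.10/update">https://www.examplebank.com/update</a>
<a href="http://www.examplebank.com@evil.example.org/">Statement</a>
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>
"""

# The domain the recipient believes they are dealing with (assumed for the example).
EXPECTED_DOMAIN = "examplebank.com"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Good enough for the example; use a
    public-suffix list in practice (co.uk, com.au and friends break this)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href: str, text: str, expected_domain: str = EXPECTED_DOMAIN):
    """Return the list of phishing indicators found for one link."""
    findings = []
    u = urlsplit(href)
    host = u.hostname or ""
    if "@" in u.netloc:
        findings.append("userinfo-in-url")  # everything before '@' is decoration
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if "xn--" in host:
        findings.append("punycode-host")
    if u.scheme != "https":
        findings.append("not-https")
    if expected_domain in host and registrable(host) != expected_domain:
        findings.append("brand-as-subdomain-of-other-domain")
    # Visible text that looks like a URL or hostname but points somewhere else.
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        findings.append("display-host-mismatch")
    return findings


def scan_email(html: str):
    """Return [(href, findings)] for every link in the message."""
    p = LinkExtractor()
    p.feed(html)
    return [(href, check_link(href, text)) for href, text in p.links]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", findings or "clean")
```

Only the last link in the sample comes back clean. The same checks apply to what a browser shows in the status bar before a click, which is the manual version of the rule in the slide.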
Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences.
Link Alert is a Firefox add-on that will warn you of any phishing attempt
Phishing Filter for IE 7 and higher from Microsoft
BEATING FRAUD – some tools will help
We are in a state of denial, dispute and (many a time) over-confidence
Government / law enforcement / institutions currently seem to work in reactive mode rather than proactively addressing threats / risks
Management purse strings have to loosen: "IT / IT Security is a business function"
Technical team members have to participate with the business group and must communicate in 'plainspeak' rather than 'geekspeak'; it is the only way they can attract business managers to their table
Disciplines (controls) in Security, Governance, Risk, Compliance and Continuity have to be considered together to be effective
WHERE ARE WE AND WHERE DO WE GO
http://www.fraud.org
URBAN LEGENDS: http://www.snopes.com/
http://www.scambusters.org
FBI: http://www.fbi.gov
INTERNET CRIME COMPLAINT CENTER: http://www.ic3.gov
NATIONAL CRIME RECORDS BUREAU: http://ncrb.nic.in/
Australian Competition and Consumer Commission: www.scamwatch.gov.au
http://www.antiphishing.org/
http://www.banksafeonline.org.uk/
THE UK PAYMENTS ASSOCIATION: http://www.apacs.org.uk/
RESOURCES
Partner & Relationships, Clients, Locations,
Dinesh Bareja, CISA, CISM, ITIL, BS 7799 (Imp & LA) - Senior Vice President
Email: [email protected]
Information Security professional with more than 11 years of experience in technology in commercial, operational, functional and project management roles on multiple large and small projects in global and domestic markets. Experienced in establishing ISMS (Information Security Management System), planning and implementation of large-scale CobiT® implementation, ISO 27001, ERM, BCP/DR, BIA, Asset Management, Incident Management, Governance and Compliance, VA/PT, AppSec etc. He is also a member of ISACA, OCEG and itSMF and co-founder of the Indian Honeynet Project and Open Security Alliance. You can find him on LinkedIn as the owner of the India – Information Security Community group.
PRESENTED BY
Global Locations
Map graphic (legend: Secure Matrix Head Office, Regional Office Location, Partner Location, Planned Office Location). Offices: Mumbai, New Delhi, Pune, Chennai, London (UK and Europe). Partners: Abdul Kareem Holdings, Saudi Arabia (KSA, UAE); Omania e-Commerce Ltd, Oman (Oman); Consolidated Gulf Company, Qatar (Qatar); NextGen Technologies, South Africa (RSA, Mauritius, Botswana, Namibia and Kenya); IPMC, Ghana (Ghana and Nigeria). Other locations marked on the map: Malaysia, Indonesia, Canada, USA, Sri Lanka.
STRATEGIC RELATIONSHIPS
CONTACT US
Registered Office, Mumbai: 12 Oricon House, 14 K. Dubash Marg, Fort, Mumbai 400 001, INDIA. T +91 22 3253 7579, F +91 22 2288 6152, E: [email protected]
Technology Centre, Chennai: Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai 600 026, INDIA. Tel: +91 44 6526 9369 / +91 44 4305 4114, Tele Fax: +91 44 4204 8620
Technology Centre, Pune: Trident Towers, Office No: 32nd Floor, Pashan Road, Bavdhan, Pune 411 021, INDIA
Dubai: P O Box 5207, Dubai, UAE. Email: [email protected]
THANK YOU