TRANSCRIPT
Account Takeover: Why Payment
Fraud Protection is Not Enough
Cybercrime Protection
April 2014
Mustafa Rassiwala, ThreatMetrix, Inc.
Agenda
1. Customer Accounts – Blessing or Curse?
2. Passwords – Weakest Link
3. Account Takeover – Data Breaches – Vicious Cycle
4. Authentication Alternatives
5. ThreatMetrix Approach
6. Examples of Account Takeover Prevention
Customer Account Curse – Cybercriminals and Account Takeover
Account takeover: cybercriminals access genuine customer accounts using stolen identity credentials, i.e. a valid username and password.
Secure Web Application?
SQL Injection
Cross-site Scripting
Broken Session Management
Insecure Direct Object Reference
Security Misconfigurations
Insecure Storage
Account takeover is not an application security issue: the attacker logs in with valid credentials, so none of the defects above need to be present.
Identity and Trust
Password – Weakest Link in Security
Cybercriminals enter through the front door
Authentication Principle
1. Something the user knows
2. Something the user has
3. Something the user is or does
Password = something only the user knows. Is it true?
Password Security – Relies on Your Customers
• they will be phished
• their passwords will be stolen
• they will get malware on their computers
• they will lose their mobile device
• they will reuse passwords at multiple sites
• other sites frequented by your visitors will be hacked
• their personal info (name, emails, address, maiden name, etc.) is accessible
• they will not be up to date on their OS and anti-virus
• they will get frustrated if they cannot log in
Password Security – 25 Worst Passwords in 2013
Rank  Password
 1    123456
 2    Password
 3    12345678
 4    qwerty
 5    abc123
 6    123456789
 7    111111
 8    1234567
 9    Iloveyou
10    adobe123
11    12312312
12    admi
13    1234567890
14    Letmein
15    photoshop
16    1234
17    Monkey
18    shadow
19    sunshine
20    12345
21    password1
22    princess
23    Azerty
24    trustno1
25    000000
Source: http://splashdata.com/press/worstpasswords2013.htm
Malware
● Trojans that have traditionally targeted banks are now targeting retailers and payment providers
● Because malware kits are easily available, sophisticated attacks have become very easy to mount
● More and more sophisticated man-in-the-browser (MitB) attacks against retailers
Phishing
● Phishing is still highly effective
– Especially hybrid approaches that get around two-factor authentication
Data Breach
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Organized Crime – Data Breaches & Fraud
Steal: data breaches; steal credit card data in the millions; steal identities by the millions
Sell: underground forums; $10–$15 per credit card; $5–$10 per identity
Fraud: card not present; account takeover; financial fraud (money transfer)
Cash: drop zones for physical goods; knock-off sites for digital goods; classified ads
Underground Forums
• Buy/sell stolen credit card data
• Rent bot infrastructure
• Matching identity data with credit card details
• Identity data (email/logins/passwords)
http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/#more-24130
The Criminals' Efforts are Paying Off
Global Corporate Account Takeover Losses, 2011 to e2016 (in US$ millions). Source: Aite Group, 2012
Year    2011   e2012  e2013  e2014  e2015  e2016
Losses  409.4  454.8  523    627    721.8  794
Breaches – Attack Surface
Cybercriminals have a Significant Advantage
Pervasive Enterprise Technology = Larger Attack Surface
Information Security Framework
Information Security CIA Triad
Confidentiality: ensure information is protected from exposure to unauthorized individuals
Integrity: prevent unauthorized changes to information
Availability: ensure information access by authorized users for legitimate purposes
Note: From "Information Security Illuminated" (p.3), by Solomon and Chapple, 2005, Sudbury, MA: Jones and Bartlett.
Breaches – Security Paradox
Regulations and security controls: more than ever before.
Yet the number and impact of breaches increase each day.
Authentication - Alternatives
Something the User Has
- SMS OTP
- Software OTP
- Hardware OTP
- Smart Card
- USB Token
- X.509 Certificates
Something the User Is
- Human Fingerprint
- Face Recognition
- Voice Recognition
ThreatMetrix – Context Based Authentication
Frictionless 2-Factor Authentication
Something the User Has
• Persona/Identity
• Device Fingerprint
• Device Threats
• Network Attributes
• Geo-Location Attributes
Something the User Does
• Behavior over time
• Actions
• Associations
• Reputation
Real-time Cybercrime Prevention
[Architecture diagram. Inputs: Device Analytics (device & location; MITM & proxies; MITB & malware), Identity Analytics (identities & personas; attributes & activities; associations & related events) and Behavior Analytics (patterns & anomalies; behavior & velocities). These feed the World's Largest Trusted Identity Network, together with customer-defined policies and analyst & trust feedback, to decide: Trusted user? Cyber threat? Outputs: Advanced Fraud Prevention, Context-Based Authentication, Sensitive Data Protection.]
Building Trust On The Internet
Drive more revenue and profitability
Frictionless access for trusted users
ThreatMetrix Solution – Persona ID
Online Identity: login, credit card data, account, ship-to address
ThreatMetrix Solution – Device and Threat
Device Identity: browser, OS, PC/mobile, device fingerprint, IP address, VPN/proxies
Device Intelligence: cookie-less device identification
Network Intelligence: proxy-piercing
Location Intelligence: true-IP-based location; GPS on mobile
Threat Intelligence: malware detection
ThreatMetrix Solution – Malware Detection
Page Fingerprinting
• Detects man-in-the-browser (MitB) attacks
• Cloud-based malware detection
• Whitelisting technique: does not rely on signatures
• Detects malware targeted at your specific site
Honeypot
• Detects malware (MitB attacks) on devices targeting common high-profile sites
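The page-fingerprinting idea above, as an added example (this is not ThreatMetrix code): the server keeps a whitelist hash of what each sensitive form legitimately looks like, the rendered form is hashed the same way, and any deviation is reported along with the fields a trojan injected. The `/login` layout, the `atm_pin` and `mothers_maiden_name` injections and the collector output are constructed for the example; in production the field list would be gathered client-side from the DOM.

```python
"""Page-fingerprint (whitelist) check for man-in-the-browser field injection.

Added example, not ThreatMetrix code. No malware signature is involved:
whatever is not on the whitelist is suspect. Form layouts and the injected
fields are constructed sample data.
"""
import hashlib
import json


def fingerprint(fields):
    """Hash the ordered (tag, name, type) triples of a form. Order is part of
    the fingerprint, so reordered or duplicated fields change the hash too."""
    canonical = json.dumps([list(f) for f in fields], separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Known-good forms as deployed (assumed layout for the example).
KNOWN_GOOD = {
    "/login": [
        ("input", "username", "text"),
        ("input", "password", "password"),
        ("input", "csrf_token", "hidden"),
        ("button", "submit", "submit"),
    ],
}
WHITELIST = {path: fingerprint(fields) for path, fields in KNOWN_GOOD.items()}


def check_page(path, rendered_fields):
    """Compare the rendered form against the whitelist.

    Returns a dict with verdict 'clean', 'mitb_suspected' or 'unknown_page',
    plus the fields injected into, or missing from, the known-good form."""
    if path not in WHITELIST:
        return {"verdict": "unknown_page", "injected": [], "missing": []}
    if fingerprint(rendered_fields) == WHITELIST[path]:
        return {"verdict": "clean", "injected": [], "missing": []}
    expected = KNOWN_GOOD[path]
    injected = [f for f in rendered_fields if f not in expected]
    missing = [f for f in expected if f not in rendered_fields]
    return {"verdict": "mitb_suspected", "injected": injected, "missing": missing}


# Constructed sample: a trojan injected two extra fields asking for data the
# real login page never collects (classic MitB behaviour).
TAMPERED_LOGIN = KNOWN_GOOD["/login"][:2] + [
    ("input", "atm_pin", "password"),
    ("input", "mothers_maiden_name", "text"),
] + KNOWN_GOOD["/login"][2:]

if __name__ == "__main__":
    print(check_page("/login", KNOWN_GOOD["/login"]))
    print(check_page("/login", TAMPERED_LOGIN))
```

Two practical caveats: the whitelist must be regenerated on every legitimate release, or each deploy will look like an attack; and a trojan that controls the browser can also tamper with the client-side collector, which is why the slide pairs page fingerprinting with a honeypot on high-profile sites rather than relying on it alone.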
ThreatMetrix Solution – Transaction Data
Online Payment: $50, credit card, bill-to, ship-to
Money Transfer: ACH number, payee info, $500
New Account: online ID, location
Login: login name, password
Identity Spoofing – Anomaly Indicators
N logins from same IP in a time period: velocity rule triggers if the same IP address exceeds a configurable threshold (n) for logins within a configurable time period, e.g. 1 day, 2 days, a week, etc.
N accounts accessed on the same device: velocity rule detects if a single device is being used to access a configurable number of accounts (n) within a configurable time period. This typically indicates that the person using this device is exploiting multiple stolen account details.
User behavior anomaly: detects if the same device has been used with N or more persona attributes such as email address, phone number, bill-to or ship-to address, etc., within a configurable time period.
Distance travelled: detects if the same account login was used in N transactions that originated more than 100 miles apart.
Device Spoofing – Anomaly Indicators
Images disabled: images could not be rendered on the connecting device. This typically indicates that a bot or script is being used to execute this transaction.
Geo language mismatch: rule triggers if there is a discrepancy between the detected device language and the expected language for the True IP geographical region.
No device ID: rule triggers if a profiled device lacks sufficient available attributes to form a complete device identifier. This indicates that the device is missing commonly available attributes (e.g. no user agent, fonts or screen resolution is detected).
IP Spoofing – Anomaly Indicators
Proxy detection: ThreatMetrix uses multiple techniques to detect proxies. This rule triggers when anonymous or hidden proxies are detected.
VPN detection: rule triggers if a VPN is detected.
IP negative history: this rule triggers if the proxy IP is on a local or global blacklist.
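The identity, device and IP spoofing indicators above all reduce to rules over a stream of login events, so one added example (not ThreatMetrix's rule engine) serves all three tables: sliding-window velocity counts per IP and per device, a haversine distance check for the 100-mile rule, and per-event device and IP flags. The event schema, the thresholds, the persona attribute used (e-mail address), the blacklist and the sample events are all assumptions constructed for this example.

```python
"""Velocity and spoofing rules over a login-event stream.

Added example, not ThreatMetrix's rule engine. Event schema, thresholds,
the 100-mile radius and the sample events are assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

EARTH_RADIUS_MILES = 3958.8
MAX_LOGINS_PER_IP = 4        # rule fires when a window holds more than this
MAX_ACCOUNTS_PER_DEVICE = 2
MAX_PERSONAS_PER_DEVICE = 2  # distinct e-mail addresses used from one device
MAX_DISTANCE_MILES = 100
REQUIRED_DEVICE_ATTRS = {"user_agent", "fonts", "screen_resolution"}

def miles_apart(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def velocity(events, key, window, distinct=None):
    """Per value of `key` (IP or device id): the most events, or distinct
    `distinct` values, seen inside any sliding window of length `window`."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[e[key]].append(e)
    peak = {}
    for k, evs in groups.items():
        best = start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward in time
            span = evs[start:end + 1]
            seen = len(span) if distinct is None else len({e[distinct] for e in span})
            best = max(best, seen)
        peak[k] = best
    return peak

def distance_travelled(events, miles=MAX_DISTANCE_MILES):
    """Accounts used in two transactions that originated more than `miles` apart."""
    points = defaultdict(list)
    for e in events:
        points[e["account"]].append((e["lat"], e["lon"]))
    return {acct for acct, pts in points.items()
            if any(miles_apart(p, q) > miles for i, p in enumerate(pts) for q in pts[i + 1:])}

def device_flags(e):
    """Device-spoofing indicators for one event."""
    flags = []
    if not e["images_rendered"]:
        flags.append("images_disabled")        # script or bot, not a browser
    if e["device_lang"] != e["geo_lang"]:
        flags.append("geo_language_mismatch")  # device language vs true-IP region
    if not REQUIRED_DEVICE_ATTRS <= e["attrs"]:
        flags.append("no_device_id")           # too few attributes to fingerprint
    return flags

def ip_flags(e, blacklist):
    """IP-spoofing indicators for one event."""
    flags = [name for name, key in (("proxy_detected", "proxy"), ("vpn_detected", "vpn")) if e[key]]
    if e["ip"] in blacklist:
        flags.append("ip_negative_history")
    return flags

def evaluate(events, blacklist, window=timedelta(days=1)):
    """Run every rule; return which IPs, devices, accounts and events fired."""
    ip_peak = velocity(events, "ip", window)
    acct_peak = velocity(events, "device", window, distinct="account")
    persona_peak = velocity(events, "device", window, distinct="email")
    per_event = {e["id"]: device_flags(e) + ip_flags(e, blacklist) for e in events}
    return {
        "ip_velocity": {k for k, n in ip_peak.items() if n > MAX_LOGINS_PER_IP},
        "device_account_velocity": {k for k, n in acct_peak.items() if n > MAX_ACCOUNTS_PER_DEVICE},
        "persona_churn": {k for k, n in persona_peak.items() if n > MAX_PERSONAS_PER_DEVICE},
        "distance_travelled": distance_travelled(events),
        "event_flags": {i: f for i, f in per_event.items() if f},
    }

# Constructed sample traffic: one device/IP pair works through five accounts in
# twenty minutes, then "alice" reappears from a blacklisted proxy on another continent.
T0 = datetime(2014, 4, 1, 10, 0)
SF, NYC, MOSCOW = (37.77, -122.42), (40.71, -74.01), (55.75, 37.62)

def ev(i, minutes, ip, device, account, email, loc, **overrides):
    e = dict(id=i, ts=T0 + timedelta(minutes=minutes), ip=ip, device=device, account=account,
             email=email, lat=loc[0], lon=loc[1], images_rendered=True, device_lang="en",
             geo_lang="en", attrs=set(REQUIRED_DEVICE_ATTRS), proxy=False, vpn=False)
    e.update(overrides)
    return e

EVENTS = [
    ev(1, 0, "203.0.113.5", "dev-A", "alice", "alice@example.com", SF),
    ev(2, 5, "198.51.100.9", "dev-B", "bob", "bob@example.com", NYC),
    ev(3, 10, "203.0.113.5", "dev-A", "carol", "carol@example.com", SF),
    ev(4, 12, "203.0.113.5", "dev-A", "dave", "dave@example.com", SF),
    ev(5, 15, "203.0.113.5", "dev-A", "erin", "erin@example.com", SF),
    ev(6, 20, "203.0.113.5", "dev-A", "frank", "frank@example.com", SF),
    ev(7, 45, "192.0.2.77", "dev-C", "alice", "alice@example.com", MOSCOW,
       images_rendered=False, geo_lang="ru", attrs={"user_agent"}, proxy=True),
]
BLACKLIST = {"192.0.2.77"}
```

Running `evaluate(EVENTS, BLACKLIST)` flags the shared IP and device for velocity and persona churn, flags `alice` for the distance rule, and attaches all five device/IP indicators to event 7. The sliding window is what distinguishes a velocity rule from a plain count: the same five logins spread over a month would not fire.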
Attack vectors
[Bar chart: % transactions per attack vector; bars for geo_spoofing, identity_spoofing, ip_spoofing, device_spoofing and mitb_or_bot; y-axis 0–5%]
Attack vectors – event type
[Bar chart: % transactions per event type per attack vector; event types account_creation, login and payment; attack vectors device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing and mitb_or_bot; y-axis 0–7%]
Attack vectors – continent
[Bar chart: % transactions per attack vector per continent; continents Africa, Asia, Australia, Europe, North America and South America; attack vectors device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing and mitb_or_bot; y-axis 0–18%]
Attack vectors – industry
[Bar chart: % transactions per attack vector per industry; industries Ecommerce, Finance and Other; attack vectors device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing and mitb_or_bot; y-axis 0–8%]
Attack vectors – US vs. European enterprises
[Bar chart: % transactions per attack vector, US vs. European companies; attack vectors device_spoofing, geo_spoofing, identity_spoofing, ip_spoofing and mitb_or_bot; y-axis 0–6%]
Business Benefit – Frictionless Customer Experience
Transparent and frictionless authentication for customers
Business Benefit – Customer Protection
Protect customers – bad things happen to good people
Context-based authentication protects against password compromise
Business Benefit – Protect from any Device
Context-based authentication from any device, including mobile apps
The Global Trust Intelligence Network
Questions
● Type questions into the Question feature in GoToWebinar
● We'll answer as many questions as time permits
● Remaining questions will be answered with follow-up emails
www.threatmetrix.com +1.408.200.5700 [email protected]