the fraud economy - 2015 the year of spear phishing

2015 The Year of Spear Phishing

The Fraud Economy

Deirdre “Dee” Millard

Senior Fraud Prevention Consultant

info@easysol.net

In this presentation we will discuss:

Common Methods of Payment Card Fraud

How the Black Market Economy Operates

Impact of Card Fraud on Financial Institutions

Protection from Payment Card Fraud

Phase 1: Payment Card Theft

Phase 2: Payment Card Sale

Phase 3: Cashing

Phases of Fraud

Common Methods:

• Physical Theft (ex. lost or stolen card)

• Skimming (ex. ATM or gas pump)

• Malware on consumer computer or mobile device

• Data breaches Malware on point-of-sale device Network compromise Database or web site compromise

Phase 1: Payment Card Theft

Card-not-present fraud

New account fraud

http://www.statista.com/statistics/419628/payment-card-fraud-losses-usa-by-type/

Phase 1: Payment Card Theft

Shift from face to face fraud to card not present online fraud.

Skimming:

Phase 1: Payment Card Theft

http://krebsonsecurity.com/tag/atm-skimmer/

Devices are small, compact and easy to get.

Skimmers have been found on ATM, POS terminals to steal credentials.

Malware on Consumer Computer or Mobile Device:

Phase 1: Payment Card Theft

2015 The Year of Spear Phishing

• All the latest breaches linked to malware

• Trend of targeting employees

• Harvest info on social networks to customize attacks

• Multi-factor authentication often not required for employees

Malware on Consumer Computer or Mobile Device:

Phase 1: Payment Card Theft

Rogue Mobile Apps Emerge:

• 86% of Android malware was repackaged legitimate apps

• 77% of top 50 free apps in Google’s Play Store have fake versions elsewhere

• Trend Micro cataloged 890,482 fake apps (59,185 aggressive adware & 394,263 were malware)

http://www.zdnet.com/article/android-malwares-dirty-secret-repackaging-of-legit-apps/

http://www.pcworld.com/article/2454980/theres-almost-a-million-fake-apps-targeting-your-phone.html

Data Breaches:

Phase 1: Payment Card Theft

Recent breaches have been the result of malware that was placed on Point of Sale systems. Often the breached organization has been certified as having the appropriate security controls in place.

Phase 2: Black Market Sale

Easy Checkout

.

Customer Support

.

Money Back Gurantee

Technical Support

The rise of online card shops in recent years provides secure forums for buyers and sellers.

How Much is a Card Worth?

Factors affecting price:

Validity Rate

Supply &

Demand

Issuing Region

Phase 2: Black Market Sale

“A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each.”

http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf

Phase 2: Black Market Sale

How Much is a Personal Data Worth?

Phase 3: Cashing

Image Source: http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/

Stolen credit cards are used to charge pre-paid cards which then purchase store specific gift cards.

Credit to Gift Card Shell Game

Impact on Financial Institutions

Of financial institutions in a recent survey were impacted by the Target breach*

*ISMG Faces of Fraud Survey

Impact on Financial InstitutionsTop types of fraud experienced?

Impact on Financial Institutions

How did these breaches impact your organization or customers?

Impact on Financial InstitutionsHow is a fraud incident typically detected?

“Too often institutions learn of fraud incidents only after their customers notify them.”

• Be sure to have a plan in place• Make sure you are covering all bases• Tackle the problem from beginning to end• Evaluate current tools and look for constant innovation• Speed and flexibility are critical when fighting back fraud• Awareness & Visibility• Proactive Approach

How to Protect Your Customers

Questions?Contact:Dee MillardSenior Fraud Prevention Consultantinfo@easysol.net

More Info:

Thank You

Detect Monitoring Service