cyber fraud in banks

Cyber Fraud Challenges & Solutions K. K. Mookhey Principal Consultant Network Intelligence India Pvt. Ltd.

Upload: network-intelligence-india

Post on 22-Jan-2015


TRANSCRIPT

1. Cyber Fraud: Challenges & Solutions
   K. K. Mookhey, Principal Consultant, Network Intelligence India Pvt. Ltd.

2. Agenda
   - Ground Reality: Digesting the Hard Facts
   - Online Banking Fraud
   - The Data Theft Epidemic
   - Skimming & ATM Fraud
   - Spear Phishing & APT
   - Identifying Technology Red Flags
   - Technology Fraud Risk Management
   - Resources

3. Online Banking Fraud

4. Primary fix? 2-factor or OTP; User Awareness

5. The Data Theft Epidemic

6. What price India? Online examples

7. Fresh record price = Rs. 75; Converted customer price = Rs. 150

8. Skimming: Basic & Advanced

9. THE TRAP: The trap is made up of X-ray film, which is the material preferred by thieves, simply because its black colour is similar in appearance to the slot on the card reader.

10. Placing the TRAP: The trap is then inserted into the ATM slot. Care is taken not to insert the entire film into the slot; the ends are folded and contain glue strips for better adhesion to the inner and outer surface of the slot.

11. INVISIBLE: Once the ends are firmly glued and fixed to the slot, it is almost impossible for unsuspecting clients to detect.

12. How is your card confiscated? Slits are cut into both sides of the trap; this prevents your card being returned prior to completing your transaction.

13. Retrieval of the confiscated card: As soon as the customer has gone, and they have your PIN, the thief can remove the glued trap by grasping the folded tips; he simply pulls out the trap that has retained your card.

14. Advanced skimming - video

15. Where's the silver lining?!

16. Technology Red Flags
   - Systems crashing
   - Audit trails not available
   - Mysterious system user IDs
   - Weak password controls
   - Simultaneous logins
   - Across-the-board transactions
   - Transactions that violate trends: weekends, excessive amounts, repetitive amounts
   - Reluctance to take leave or accept input/help
   - Reluctance to switch over to a new system

17. The IIA, IT & Fraud Risks: Fraudulent Financial Reporting
   - Unauthorized access to accounting applications: Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.
   - Override of system controls: General computer controls include restricted system access, restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.

18. The IIA, IT & Fraud Risks: Misappropriation of Assets and Corruption
   - Theft of tangible assets: Individuals who have access to tangible assets (e.g., cash, inventory, and fixed assets) and to the accounting systems that track and record activity related to those assets can use IT to conceal their theft of assets.
   - Theft of intangible assets: Given the transition to a services-based, knowledge economy, more and more valuable assets of organizations are intangibles such as customer lists, business practices, patents, and copyrighted material.
   - Corruption, misuse of customer data: Personnel within or outside the organization can obtain employee or customer data and use such information to obtain credit or for other fraudulent purposes.

19. Fraud risk management principles
   - Principle 1: As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy to convey the expectations of the board of directors and senior management regarding managing fraud risk.
   - Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
   - Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
   - Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
   - Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

20. Leveraging Technology
   - Data Leakage Prevention
   - Email Gateway Filtering
   - Security & Controls by Design
   - Information Rights Management
   - Identity & Access Control Management
   - Data Encryption
   - Business Intelligence Solutions
   - Revenue Assurance & Fraud Management Solutions
   - Forensic Investigation Capabilities

21. Chapter 6: Cyber Frauds
   - Special Committee of the Board to be briefed separately
   - Independent Fraud Risk Management Group (FRMG)
   - Fraud Review Councils to be set up
   - Fraud Vulnerability Assessments
   - New products to be reviewed by the FRMG
   - Banks to share details of fraudulent employees
   - Transaction monitoring group/system
   - Continuous trainings
   - Employee awareness and rewarding whistleblowers
   - Training institute for financial forensic investigation
   - Sharing of fraud management experiences
   - State-level Financial Crime Review Committee
   - Multi-lateral arrangement amongst banks to deal with online frauds

22. Resources
   - Fraud Risk Management System in Banks: http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=5273&Mode=0
   - IIA, Fraud Prevention and Detection in an Automated World: http://www.theiia.org/guidance/technology/gtag13/

23. Thank You
   [email protected]
   Security Services | Information Security Training | Consulting Services
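Several of the "Technology Red Flags" on slide 16 (mysterious system user IDs, simultaneous logins, weekend transactions, excessive and repetitive amounts) can be turned into automated checks over a bank's audit trail. The script below is an added example and not part of the original presentation; the record format, the thresholds and the sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail records (assumed format, not from the slides):
# (timestamp, user id, terminal, event, amount in Rs.; amount is 0 for logins)
RECORDS = [
    ("2015-01-19 09:02:10", "teller07", "T-101", "login", 0),
    ("2015-01-19 09:03:40", "teller07", "T-214", "login", 0),      # 2nd terminal, 90 s later
    ("2015-01-19 09:10:00", "teller07", "T-101", "txn", 9900),
    ("2015-01-19 09:12:00", "teller07", "T-101", "txn", 9900),
    ("2015-01-19 09:14:00", "teller07", "T-101", "txn", 9900),     # 3rd identical amount
    ("2015-01-24 11:30:00", "teller12", "T-105", "txn", 45000),    # a Saturday
    ("2015-01-20 15:00:00", "sysx99", "T-300", "login", 0),        # id not in HR roster
    ("2015-01-20 15:05:00", "teller12", "T-105", "txn", 750000),   # above limit
]

KNOWN_USERS = {"teller07", "teller12"}      # assumed HR / IAM roster
SIMULTANEOUS_WINDOW = timedelta(minutes=30) # assumed session length
EXCESSIVE_AMOUNT = 500000                   # assumed per-transaction limit
REPEAT_THRESHOLD = 3                        # assumed: same amount 3x by one user

def parse(rec):
    ts, user, term, event, amount = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, term, event, amount

def find_red_flags(records):
    """Return (flag, user, timestamp) tuples in audit-trail order."""
    flags = []
    logins = defaultdict(list)   # user -> [(ts, terminal), ...]
    repeats = Counter()          # (user, amount) -> occurrences
    for ts, user, term, event, amount in map(parse, records):
        if user not in KNOWN_USERS:
            flags.append(("mysterious_user_id", user, ts))
        if event == "login":
            # A second login from a different terminal inside the session
            # window means two sessions are open for one user id at once.
            for prev_ts, prev_term in logins[user]:
                if prev_term != term and ts - prev_ts <= SIMULTANEOUS_WINDOW:
                    flags.append(("simultaneous_login", user, ts))
                    break
            logins[user].append((ts, term))
        elif event == "txn":
            if ts.weekday() >= 5:            # Saturday = 5, Sunday = 6
                flags.append(("weekend_transaction", user, ts))
            if amount >= EXCESSIVE_AMOUNT:
                flags.append(("excessive_amount", user, ts))
            repeats[(user, amount)] += 1
            if repeats[(user, amount)] == REPEAT_THRESHOLD:
                flags.append(("repetitive_amount", user, ts))
    return flags

if __name__ == "__main__":
    for flag, user, ts in find_red_flags(RECORDS):
        print(f"{ts}  {user:<10} {flag}")
```

Each flag is only a trigger for review by the transaction monitoring group; the thresholds would be tuned to the bank's own transaction profile.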