using big data to detect & reduce fraud, 9th april 2014welcome & introductions using big...

Welcome & Introductions

Using Big Data to Detect & Reduce Fraud, 9th April 2014

On the Internet…

Mission statement: To provide expert advice and consultancy for fraud detection & prevention and to be recognised as industry experts

• Key offerings

– Operational & strategic reviews, gap analysis – Vendor neutral advice & vendor engagement – Specification & delivery support – Investigations – Project management – Training & awareness

• Experience cross-sector in multiple geographies

Fraud Consulting Ltd

©Fraud Consulting 2013 3

Our team members engage, contribute and collaborate with like-minded bodies, associations and thought leaders

Participation with Anti-Fraud Associations & Forums

Introductions

• When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

Chatham House Rule

• What is your experience level with regards to fraud, cybercrime & big data?

• What are you goals?


Quick Questions

Agenda

• 09:00 Introductions

• 09:10 Key Factors Surrounding Cybercrime & Fraud

• 10:30 Coffee & Networking Break

• 10:45 Tools & Technology

• 12:15 Lunch

• 13:15 Compliance, Regulation & the Law

• 14:45 Coffee & Networking Break

• 15:00 Operational Challenges

• 16:30 Workshop Close

Key Factors Surrounding Cybercrime & Fraud


• Some Definitions

• True Costs

• Current Trends

• Defining threats & risks for your organisation

Topics

• Workshop Objectives

• What does “Big Data” mean to you?

• What does Fraud mean to you?

Discussion

• Put simply: “The obtaining of services or facilities that you are not entitled to.”

• Cybercrime and fraud have become highly interrelated

– Anonymous nature of the internet

– Changes in the way we live and work

What is Fraud

The Fraud Triangle

Fraud

Pressure

(Motive)

• Exercise: What types of cybercrime are you familiar with?

Some Terms & Definitions

Some Terms & Definitions

Malware

Phishing

Back door

Man in the middle

Hacking

Domain Hijacking

Typo-squatting

SMiShing

Spoofing

Tabnapping

Trojans

SIM box

VoIP

Vishing

Spamming

Randsomware

Snarfing

DoA / DoS attack

Social engineering

Internal & staff

Pharming

Boiler room

Data leaking

Cyber bulling

Scareware

Pod slurping

Tapping

SQL Injection

Money Laundering

The basic money laundering process has three steps:

1. Placement 2. Layering 3. Integration In recent years there has been a steady increase in regulation around Anti-Money Laundering, however the open and anonymous nature of the internet provides many challenges

Bribery & Corruption

• EU Anti-Corruption report: – Costs: €120b a year?

– Urban development and construction are sectors where corruption

vulnerabilities are usually high across the EU. They are identified in the report as being particularly susceptible to corruption in some Member States where many corruption cases have been investigated and prosecuted in recent years.

– The Report calls for stronger integrity standards in the area of public procurement and suggests improvements in control mechanisms in a number of Member States.

– http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/organized-crime-and-human-trafficking/corruption/anti-corruption-report/index_en.htm

http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/organized-crime-and-human-trafficking/corruption/anti-corruption-report/index_en.htm




















Defining Cybercrime

• What are the drivers & motivations? – To make a gain or profit

– Political statements / Hacktivism

– Terrorism

– Espionage, spying

– Governments, cyberwarfare

• The term “cyber” for many is scary and worrying. In reality our use of technology is a facilitator for age old crimes and risks.

• Tendency to focus on the technical elements and forget the human factors


• True Costs

• Current Trends


Topics

Fraud in the UK: A £52b Problem?

“Identified Fraud” “Hidden Fraud”

Stats, Stats, Stats

• UK: Action Fraud received 58,662 cyber-enabled frauds and 9,898 computer misuse crime reports from the period March 2012 to February 2013

• $114 Billion cost worldwide (Norton)

• Cybercrime may reach$100 Billion annually (CSIS)

While useful, use industry stats with caution!

What is Fraud Costing You?

• Goods, Lost revenue

• Staff / time, Intellectual property Direct costs

• Reputational Damage

• Goodwill Indirect Costs

• Sanctions, Fines

• Legal, Compensation Regulatory

• Hardware, Software

• Staff, Investigations Cost of controls

Are you making the right measures? What are your KPIs?


• True Costs

• Current Trends


Topics

Trends: Internet Growth

Source: United Nations / International Telecommunications Union

©Fraud Consulting 2013

Trends: Internet Growth

Source: United Nations / International Telecommunications Union

0

50

100

150

200

250

300

350

400

450

500

Brazil China India Iran Mexico Nigeria Pakistan Philippines Russia USA

2007-2010 New Additions (m)

2010 Total Internet Users (m)

Trends: “Hacktavism”

Trends: Malware

Trends: Data Breaches

Trends: Data Breaches

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/












Trends: Criminal Underground Economy

34 Quatrro Confidential

Trends: How We Work Today

• Bring Your Own Device

• Cloud computing

• Remote working

• Device diversity: Laptop, smartphone, tablet…

Case Study: Identity Theft

Identity Thief

Prospective Customer

Broker / Agent

Existing Customer

Trusted 3rd Party

Member of Staff (Willing or

Forced)

Hacker

Confidence Trickster

Impersonation (Living or

Deceased)

Opportunist

Methods

Dumpster Diving

Redirections (eg Post)

Public Data Records

Data Theft,

Hacking

Internet / Social

Networks

Phishing, Pharming

Cold Calling,

Grooming

Inside Information

/ Access

Infiltration

Malware

Purchasing

Synthetic Identity

Identity Fraudster

Harvest / Acquire Data

Corporate Identity Theft

Obtain Goods / Services

Contact Customers

Extortion Fake Invoice /

Hijack VAT / Tax

Fraud

Personal Identity Theft

Credit / Debit Card Fraud

Account Takeover

Impersonation Application

Fraud Mail

Redirection

An Example Theft

Cybercriminals

• “Professional” Industry

• Global & co-ordinated

• Well funded

• Excellent marketing and distribution of tools, techniques

and data

• Non-competitive

• Share / Sell Data

• Not constrained by bureaucracy

Key Players in Criminal Underground

Hackers/Malware & Exploit Creators

Identify weaknesses and exploits and create malware or hack in to payments systems and other systems to acquire data

Malware Distributors & Phishers

Distribute malware through phishing, smishing, drive-by downloads, watering hole attacks and other social engineering schemes

C&C/VPN/Bulletproof Hosting

Provide the tools to maintain anonymity and reduce chance of being shut down

Money Mules Perform the money movement – cash out at ATMs, accepting electronic transfers

Mule Recruiters Provide a pool of money mules acquired through work from home schemes, social engineering or compromised accounts

Skimmers Build or buy and place skimming devices to collect track data and PINs

Marketplace Operators Provide online stores for skimming devices, fraud services, malware and personal information

Criminal Underground Economy Example

44

Quatrro Confidential

Quatrro Confidential 47



• True Costs

• Current Trends


Topics

• What fraud issues have you experienced?

• What fraud typologies are applicable to your organisation? – Eg Phishing, hacking, money laundering, first party

fraud

• What are the possible fraud risks for your organisation? – Website offline due to attack, customer identity

stolen, staff collusion

Defining threats & risks for your organisation

Key Factors Surrounding Cybercrime & Fraud


Tools & Technology


• Challenges

• Type of tools for “Big Data”

• Big Data Approaches for Fraud Detection

• Data Sources

Topics

Challenges

• Moore's law is the observation that, over the history of computing hardware, the number of transistors on integrated circuits doubles approximately every two years.

• The worlds technological per-capita capacity to store information has roughly doubled every 40 months. (Wikipedia)

• In 2012 2.5 quintillion bytes of data were created (2.5 x 1018) daily (Wikipedia, IBM)

Challenges: Moore's Law

Quatrro Confidential 56

Challenges: Layered Security

Layered Security

People

Process Tech

Challenges: Layered Security

Onboarding & CDD

Customer Authentication

Transaction Monitoring

Behavior Monitoring Session Monitoring

Incident Analysis

Insider Monitoring

Risk Assessment

• Fraud patterns can be difficult to model

• Take care not to make false correlations

• Evaluate the data quality

Challenges: Modelling Fraud


http://wp-abtesting.com/correlation-vs-causality-and-why-this-matters-in-conversion-optimization/
























http://blogs.scientificamerican.com/the-curious-wavefunction/2012/11/20/chocolate-consumption-and-nobel-prizes-a-bizarre-juxtaposition-if-there-ever-was-one/































• Data retention – Physical storage – Backups

• Searching data / algorithms. Say we have a 100 fold increase in data – Linear algorithm: Takes 100 times longer – O(N^2) algorithm: Takes 10,000 times longer

• Moore’s law doesn’t help when it comes to an explosion of data volume! We have to be smart in our strategies

Challenges: Cost of Data

Challenges: Turning Data into Intelligence

• Evaluate the data, turn data into information

• Understand how to query the information, what is the underlying data telling us?

• Convert information into intelligence

• Challenges



• Data Sources

Topics

• Many organisations have enterprise data warehouses (EDWs) and using business intelligence (BI) tools, however…

• Big Data is about predictive analytics and making the most from data. This may include: – Advanced statistical algorithms – Data mining – Machine learning algorithms

• Many of these techniques are not new, but big data has

breathed new life into the possibilities – More data can mean more and better predictive models.

Types of Tools

• Data quality, cleansing, ETL (extract, transform, load)

• Tools for structured data

• Tools for unstructured data

Types of Tools

• Analytical Tools – Discover, evaluate, optimise

• Operational Tools – Deploy models against live data, events, transactions

• Are you making the most out of off the shelf tools and existing solutions?...

Types of Tools

PivotChart: Time Analysis

0

5

10

15

20

25

30

35

40

00:00 01:01 02:19 04:11 05:46 06:46 07:46 08:46 09:46 10:46 11:46 12:46 13:46 14:46 15:46 16:46 17:46 18:46 19:46 20:46 21:46 22:46 23:46

Count of AD ID Sum of Is Fraud 60 per. Mov. Avg. (Count of AD ID)

©Fraud Consulting 2013

• Challenges



• Data Sources

Topics

• Data Matching – Rules based

– Fuzzy logic

– Machine learning

• Data Modelling – Mining

– Statistical modelling

– Scorecards

– AI, Neural Networks

Approaches

Approaches: Identity & Authentication

We are in authentication hell! Online Identity Schemes

• NSTIC

• Open Identity Exchange

• Global Trust Centre

• Paypal access

• Unipass / Identrust

• “Digital Passports” – Verified / validated claims

– Akin to a physical passport



Biometrics: Voice, facial recognition, Iris, fingerprints…


Social Media Analysis

• User Activity

• Device Activity

• Network Traffic

Approaches: Monitoring


Fine Grained IP-Geolocation


Device Reputation 76

Approaches: Data Visualisation

Face to Face Frauds Online Frauds

Source: CIFAS, June 2012

Approaches: Data Visualisation

• Challenges



• Data Sources

Topics

• Data sources

– What do you use currently?

– What sources are you considering?

• What are your experiences with big data tools

– Challenges?

– Success stories?

Discussion

• Beware of Buzzwords

● Business Intelligence

● Threat Intelligence

● Open Source Intelligence

● CyberIntelligence

● Data Fusion

Tools & Technology

• Beware Single Source Analysis

● Even in a technical analysis, there should be multiple sources of data

● When all analysis is based on ONE THING it stands the highest possibility of being wrong.

Tools & Technology

Tools & Technology


Compliance, Regulation & The Law


• Key Areas of Law

• Evolving Areas of Regulation

• PCI-DSS v3.0

• ISO27001

Topics

• Is big data a big gain? Is it just yet more fool’s gold from a security perspective?

• Data in isolation may not necessarily be initially identified as sensitive but what about when data sets are processed and combined?

Key Areas of Law

Exercise: What are the key areas of law to consider for big data and fraud risk management?

Key Areas of Law

• Data Protection Act 1998

• Fraud Act 2006

• The Proceeds of Crime Act 2002 (POCA) – The Money Laundering Regulations 2003, 2007

• Bribery Act 2010

• Human Rights Act 1998

• The Police and Criminal Evidence Act 1984

• The Public Interest Disclosure Act 1998

• The Regulation of Investigatory Powers Act 2000

Key Areas of Law



• PCI-DSS v3.0

• ISO27001

Topics

“Consider the risks for sharing data, but also consider consequences for NOT sharing data…”

Deciding to Share Data

Iain Bourne, ICO Group Manager, Policy & Delivery speaking in July 2012

Make the most of available data and look for connections • Schemes for sharing data

– Verification: Companies House, UKBA, Criminal Records Bureau, HMRC

– Sector specific: Insurance Fraud Bureau, TUFF (Telecoms UK Fraud Forum)…

– Cross sector: CIFAS, Credit Bureau (consumer and business)

• National Fraud Authority

– Action Fraud (national fraud reporting centre) – National Fraud Intelligence Bureau – Working groups, looking at barriers to data sharing and possible

resolutions

Deciding to Share Data

• Not a directive but a single regulation in the EU – Harmonization at European level…but with challenges

• Applies to companies based outside of the EU if personal

data is handled abroad by companies that are active in the EU and offer services to EU citizens

• Right to be forgotten

• Controllers responsibilities – Policies & procedures – Staff Training

Changes to Data Protection in the EU

• Data processing impact assessment – Does data present any risk to individuals

• Security – Both processor and controllers must put security

measures in place

• Data Breach Notification – Within 24 hours of noticing the breach

• Data Protection Officers

Changes to Data Protection in the EU

Cyber-security “kitemark”

• Other areas for consideration

– Sector specific regulators (eg FCA, PRA)

– 4th EU Money Laundering Directive (4MLD)

Evolving Areas of Regulation



• PCI-DSS v3.0

• ISO27001

Topics

• Although PCI-DSS is defined specifically for payments security, the principles can be applied more generally

• New Guidance papers from the Council – 2011-13

– Tokenization

– Wireless

– Virtualization – Cloud

– Mobile

PCI-DSS v3.0

1. Build & Maintain a Secure Network

2. Protect Sensitive Data

3. Maintain a Vulnerability Management Programme

4. Implement Strong Access

Control Measures

5. Regularly Monitor & Test

Networks

6. Maintain an Information

Security Policy

PCI-DSS Core Principles

• Risk based approach

• PCI DSS Controls can be categorized as follows – Technical Controls – Policies & Procedures – User Awareness & Training

• Some controls are inherently requiring recurring tasks,

– Quarterly Scans – Log Analysis – Yearly training

• Know where the data comes from, where it might transit through, where it may be stored/copied, where it ends up


• The drivers for change in v3.0

– Lack of Education & Awareness

– Weak Passwords, weak authentication

– Third Party Security Challenges

– Malware Issues

– Inconsistency in Assessments & QA




• PCI-DSS v3.0

• ISO27001

Topics

• Best practise for an ISMS (Information Security Management System)

• Domains: 1. Security policy - management direction 2. Organization of information security - governance of

information security 3. Asset management - inventory and classification of

information assets 4. Human resources security - security aspects for employees

joining, moving and leaving an organization 5. Physical and environmental security - protection of the

computer facilities

ISO 27001

• Domains: 6. Communications and operations management - management

of technical security controls in systems and networks 7. Access control - restriction of access rights to networks,

systems, applications, functions and data 8. Information systems acquisition, development and

maintenance - building security into applications 9. Information security incident management - anticipating and

responding appropriately to information security breaches 10. Business continuity management - protecting, maintaining

and recovering business-critical processes and systems 11. Compliance - ensuring conformance with information security

policies, standards, laws and regulations

ISO 27001

Plan

Do

Check

Act

ISO 27001: PDCA Cycle

• Plan – Establish the policy, the ISMS objectives, processes and procedures related to

risk management and the improvement of information security to provide results in line with the global policies and objectives of the organization.

• Do – Implement and exploit the ISMS policy, controls, processes and procedures.

• Check – Assess and, if applicable, measure the performances of the processes against

the policy, objectives and practical experience and report results to management for review.

• Act – Undertake corrective and preventive actions, on the basis of the results of the

ISMS internal audit and management review, or other relevant information to continually improve the said system.

ISO 27001: PDCA Cycle

• Combatting a tick box culture

• What experiences do we have here?

A Tick in the Box Exercise?

Compliance, Regulation & The Law


Operational Challenges


• Getting Management Buy In

• Risk Assessments & Heatmaps

• Implementing a Solution

• Monitoring

Topics

Getting Management Buy In: Communication Problems

Getting Management Buy In: Are We Working Effectively Across Silos?

Infosec

Counter Fraud &

AML

Compliance

Audit

– Key objectives.

– Tone from the top.

– Individual responsibilities.

– Frameworks – Risks, threats.

– Corporate Needs, objectives and culture.

Getting Management Buy In: Responsibilities and Frameworks

Getting Management Buy In: Who’s Responsibility?

Issue Team / Department

Internal Audit

Credit Risk

Marketing

Operational Risk

Human Resources

Business Development

Compliance /

Governance

Information Technology

Accounts / Finance

Procurement, Supply Chain

Staff

Online Channel

Cyber / Hacking

Invoicing

Intellectual Property

Credit / Debit Payments

Recoveries

Money Laundering

©Fraud Consulting 2013 • 118

• Which policies include fraud? – HR, IT, Risk, Compliance

• Do you have a dedicated fraud policy?

• When where the policies last reviewed?

• Are your policies simply a ‘tick in the box’?

Getting Management Buy In: Policies


• The skills gap, who’s responsible?

• Corporate needs and objectives.

• Corporate responsibility - setting standards, training and monitoring staff.

• Individual responsibility – compliance with policy, taking the initiative.

• Effective Prevention – recognising issues, taking action.

• Identifying and developing staff from within or buying in expertise?

• Training or consultancy?

Getting Management Buy In: Skills and Training

Costs: Considerations

• Goods, Lost revenue

• Staff / time, Intellectual property Direct costs

• Reputational Damage

• Goodwill Indirect Costs

• Sanctions, Fines

• Legal, Compensation Regulatory

• Hardware, Software, Data

• Staff, Investigations Cost of controls



• Implementing a change project

• Monitoring

Topics

“We didn’t have a feasibility study because we were going to do it anyway”

Un-named official from the Driver and Vehicle Licensing Centre, Swansea, C 1980.

Risk Assessments & Heatmaps

Prospecting

Customer Acquisition

Customer Management

Collections

The Account Lifecycle



Prospecting


Customer Management

Collections

Q. Have we considered possible risks and mitigated them?

• Possible fraud risks

– New product / campaign; are we appealing to fraudsters?

– Marketing

– Sales incentives

– Branch / Broker behaviour

– IT and data security

– Ready to handle a peak in processing volume?



Prospecting


Customer Management

Collections

Q. Is the prospect genuine? Is this a fraud risk? • Application fraud

– False data – Stolen identity – KYC – 3rd party (broker, solicitor,

valuer) – Hidden adverse

• ID&V – False passport / license etc – False proof of address – False proof of income



Prospecting


Customer Management

Collections

Q. Is this the genuine customer? Any suspicious behaviour? • Transactional fraud

– Unusual behaviour – CnP, 3d secure – Skimming – Fraudulent chargebacks

• Changes in details (eg address) • AML screening • Limit management, cross-sell /

upsell – Bust out fraud

• Customer contact – Authentication, verification



Prospecting


Customer Management

Collections

Q. Bad debt or fraud? • Can’t pay vs. won’t pay • Goneaways

Q. Could the fraud been spotted earlier? • Hindsight reviews • Learn from missed

frauds/mistakes – would adjustments to other controls and processes in the account lifecycle help to prevent reoccurrence?

• What are the new trends / issues?


Prospecting


Customer Management

Collections

A Holistic Strategy


A Holistic Strategy

• Audit / Threat Risk Assessments – Understand overall assets,

policies, processes, procedures

– Consider & rank crime typologies

– Identify gaps / weaknesses

– KPI’s and measures

Penetration Testing

Web Application

Testing

User Access Control

Social Engineering

Backdoor Testing

Network Architecture

Update / Patch

Management

Physical Security

Confidential Data

Encryption

Backup

Incident Response Planning

Heatmaps

Impact

Lik

elih

ood

Heatmaps

Effort

Impact

Quick Wins

Perhaps / Background

Low Priority

Strategic Projects / Perhaps

This morning we defined some risks. Plot these risks onto a heatmap…

Exercise: Heatmaps




• Monitoring

Topics

Implementing a Solution


• Maintain and regularly review and update a risk log

• Consider using “heat maps” to aid prioritisation

• Measures – Are your KPIs appropriate?

• Identify candidate data, candidate vendor solutions

• Initial data analysis – does the data work for us? Initial Analysis

• Define scope, detailed requirements

• Changes to existing processes, systems

• Impact Analysis!! Specification

• Integrate into processes, systems

• Validate against requirements Implement

• Training, user acceptance

• Monitoring Test





• Monitoring

Topics

Understand Data

Prepare Data

Model

Evaluate

Deploy

Monitor

Monitoring

• What are your KPI’s & measures for fraud?

• How are the measures communicated to the business?

• Are you sharing success stories?

Monitoring


• How effectively are staff being trained on fraud issues? – “Tick in the box” exercise?

• Are those using the data and solutions sufficiently trained?

• Are you communicating activities on fraud to the wider business?

Training, Training, Training


Operational Challenges



Closing Thoughts

• Intelligence is rarely “perfect”

• For Intelligence to have value it must be: accurate enough and early enough that leaders can act on it

• Intelligence that is 100% accurate is usually called HISTORY

Closing Thoughts

• What fraud issues have you experienced?

• What fraud typologies are applicable to your organisation? – Eg Phishing, hacking, money laundering, first party

fraud

• What are the possible fraud risks for your organisation? – Website offline due to attack, customer identity

stolen, staff collusion

Defining threats & risks for your organisation

Challenges: Turning Data into Intelligence

• Evaluate the data, turn data into information

• Understand how to query the information, what is the underlying data telling us?

• Convert information into intelligence

Understand Data

Prepare Data

Model

Evaluate

Deploy

Monitor

Monitoring Big Data Solutions

V.

Closing Thought


Remember the Human Issues!

Keep human factors in mind… there is always a person

behind cybercrime. Technology is only a facilitator

#TheFraudTube Fraud & Cybercrime Forum

CSCSS

Fraud Advisory Panel

RANT Forums

Information Sources

Thank You!


Email: [email protected] Telephone: +44 (0)20 3239 4714 Skype: fraud.consulting LinkedIn: www.linkedin.com/in/antifraud Twitter: @FraudAssist @FraudConsulting Facebook: www.facebook.com/FraudConsulting

www.fraudconsulting.co.uk

using big data to detect & reduce fraud, 9th april 2014welcome & introductions using big...

Documents