1 / 65

Electronic Fraud – Techniques, Methodologies, and Countermeasures

Electronic Fraud – Techniques, Methodologies, and Countermeasures. Michael Schirling April 2008. Context. Extortion Credit card generators Fraud Schemes Trojan Horse scenarios Stock Trading Scams Murder Child Exploitation Fraud Identity Theft. Context.

hogan
Download Presentation

Electronic Fraud – Techniques, Methodologies, and Countermeasures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Fraud – Techniques, Methodologies, and Countermeasures Michael Schirling April 2008

  2. Context • Extortion Credit card generators • Fraud Schemes • Trojan Horse scenarios • Stock Trading Scams • Murder • Child Exploitation • Fraud • Identity Theft

  3. Context • Armed bank robberies net an average of $7,500 each for an annual total of approximately $60 million. One-sixth of the money is recovered and 80% of offenders are incarcerated. • The FBI estimates that cyber criminals net $10 billion annually, averaging $250,000.00 per heist with less than one percent of offenders going to jail (old figure circa 2000).

  4. Cyberspace offenders: A non-exhaustive list • Preferential sex offenders • Terrorists • Spies • Hackers – trespasses for achievement • Pranksters – defies authority • Phreakers/Crackers • Common criminals – for profit • Disgruntled insiders *****

  5. In August of 2001, a few men were hanging out in a parking lot near the Arlington, Virginia, Department of Motor Vehicles (DMV) office. This was nothing new. Their fee was no more than $100 and most of their customers were illegal immigrants. “According to an FBI affidavit, on August 2, the men in the parking lot were approached by “three Arab males” in a van. The three men were asking about acquiring official identity cards. They accompanied the men in the van to a nearby attorney’s office and swore to their Virginia state residency. The three men in the van returned to the DMV offices with the proper documentation and were issued Virginia identification cards…….”

  6. “On September 11, they were among the 19 terrorists who hijacked the jetliners that crashed into the World Trade Center and the Pentagon. Apparently, more than half of the 19 hijackers boarded the aircraft with phony ID’s. Moreover, the terrorist who was convicted last year in the plot to blow up Los Angels International Airport used 13 identities that were pilfered from the membership roster of a Boston, Massachusetts, health club.” “Clearly, identity theft is no longer confined to computer hackers and scam artist who are out to make a fast buck….” Sanford Wexler, Law Enforcement Technology, April 2002, P28

  7. STEALING THE OLD FASHIONED WAY • Small gain, great risk • Victim can ID you • Victim can fight back • Police can chase you • Gun enhancements • Long prison terms

  8. STEALING VIA ELECTRONIC MEANS • High profit- low risk • No victim contact • No weapon use • Police undermanned and overwhelmed • If caught- probation or misdemeanor • The loot is delivered!

  9. Top Personal Fraud Schemes Based on Yahoo Internet Life Assessment

  10. Top Schemes • Identity Theft • Work at Home Fraud • Credit Card Fraud • Medical Treatments / Weight Loss • Chain Letters • Multilevel Marketing • Free Goods • Bioterrorism Products • Auction Fraud

  11. Top Schemes • Advance Fee Loans • Credit Repair • Vacation Prize Promotion • Advance-Fee Fraud • International Sweepstakes • Web Cramming

  12. Common fraud mechanisms • Acquiring key pieces of someone’s identifying information in order to impersonate them • Name • Address • Date of Birth • SSN • Mother’s maiden name • Account Numbers • PIN’s/Passwords

  13. Frauds • Take over financial accounts • Open new bank accounts • Applying for loans • Applying for credit cards • Applying for social security benefits • Purchase/Sell cars & merchandise • Renting apartments

  14. Renting apartments to further other criminal enterprise • Establishing services with utility and phone companies • Forge/Counterfeit Checks • Fraudulent use of stolen credit (checks/credit cards/etc) • Commit crimes in another name

  15. How They Do It • Use low and high tech methods • Shoulder surfing at ATMs • Steal your mail • Stealing your pocketbook/wallet • Dumpster diving • Corrupting employees with access to data • Check washing • Check creation software

  16. Hacking • Unlawful entry, trespass, damage to computer systems • Leaving/taking/changing information on the computers that are infiltrated

  17. Computer Viruses • Computer programs that can damage computer systems • Virus’s spread from one computer to another via media, network, internet • Virus Software protects your computer (Norton, McAfee, PCcillin and Others) • Updates – ensure your software is updated at least weekly

  18. Web Page Fraud / Phishing

  19. “Nigerian” Letter Scam

  20. Protecting Yourself - Businesses

  21. Business Exposure • Hardware theft • Software theft • Data theft • Data corruption • Loss of competitive/proprietary information • Loss of employee productivity

  22. Business Fraud Damages • Your reputation • Productivity • Profitability

  23. Cost of Workplace Fraud • $400 billion annually according to the Association of Certified Fraud Examiners • Insurance Fraud alone = $120 billion • Approximately 6% of a companies annual revenue is lost to fraud

  24. Preventing Internal Fraud – Your #1 Exposure • Hiring practices • Know your people • Treat people fairly (FBI Espionage Examples) • Implement and maintain controls • Require countersignatures & stamp incoming checks “deposit only” • Have a code of ethics • Conduct random audits • Use passwords protection and encryption • Define the consequences

  25. Avenues of Deception • Live – insiders and associates • Social engineering attack • On-line

  26. Policies • Have a policies • Post the policies • Enforce the policies • Make it known that you enforce the policies • Revisit the policies regularly

  27. Response Procedures • Have an incident response protocol • Practice it • Keep good logs, even it it costs you a bit more to store them • Train your response personnel • Develop a relationship with law enforcement and security vendors BEFORE an incident occurs

  28. Check Fraud • Risk • Checks stored with other material accessible to unauthorized employees (or individuals). • Maintenance & service personnel have access to that area. • Both blank checks & outgoing written checks are left unattended. • Creates employee temptation. • PR aspect of fraudulent checks with your company name on them being returned to victims.

  29. Check Fraud • Prevention Measures: • Store blank check stock in a controlled area. • Consider dual access controls • Consider a computer program to print blank checks from blank stock • Be sure to enforce the computer access controls • Review/delete bank authorization immediately after Employees leave the department.

  30. Accounts Payable Controls • Risk: • Improper wire, ACH or check payments • Internal fraud payments • Register states one payee;check another • Counterfeit bills • Prevention Measures: • Use an established institution for conducting ANH & wire transaction • Establish a secure electronic transaction system with dual signoff required • Pre-establish daily you’re a/P issue report & newly established vendors.

  31. Other Suggestions: • Encourage employees to use direct deposit • If an employee check is lost or stolen, be sure that they notify payroll immediately. • Place a stop payment on the check. • Purchase quality checks with security features: • Void feature if someone tires to copy your check. • Chemical-sensitive paper with background patterns to reduce the risk of alterations. • Eliminate duplication of already used check numbers to ensure stop payment can be detected properly.

  32. Other Suggestions: • Conduct employee screening check • Social security check • Reference checks (verify phone numbers) • Credit check • Criminal check • Document, train & enforce personnel policies & procedures

  33. On the Business Side… • People will try to defraud you of your products and money • Insist on full address and phone information on all orders – and verify it • Do not accept orders with free e-mail accounts as the return address • Use automated IP checking • Beware of new payment methods like virtual checks until they have been fully accepted and tested

  34. How to respond to a payment Fraud • Check Fraud • Contact Account Officer immediately • If a check or draft item, obtain a copy of the front & back of the item • Identify all “hands” that handled the check (Internally & externally for the investigation). • File a police report;provide a copy to your Account Officer • Obtain & complete an Affidavit of Forgery for each item (Provided by Account Officer) • Notify your insurance carrier (if applicable) • Anticipate 60-90 days to process claims

  35. How to respond to a payment Fraud • Employee fraud with loss: • Consider filing a 1099 for the amount of the loss (You have 3 years to file) • Consider offering the employee the option to pay over time within three years at a defined pace to avoid tax filing & related tax consequences

  36. ACH Debit Fraud • Contact your Banking Account Officer immediately • Account Officer can initiate an “unauthorized transaction” return • Account Officer can provide transaction detail, including the identification of the originator to enable you to approach the originator directly for repayment (be sure to ask for proof of authorization).

  37. ACH Debit Fraud • File a police report; provide your Account Officer with a copy. • Notify your insurance carrier, if applicable • Expect 60-90 days to process claims • If an employee fraud with a loss: • Consider filing a 1099 for the amount of the loss

  38. Wire Transfer Fraud: • Notify your Account Officer immediately • It may be possible for the Bank to request the funds to be returned to your account, if the receiving account has not used the funds. • Be prepared to provide enough detail to your Account Officer to identify the wire transaction • Your Bank account number • Date transaction posted to your account • Dollar amount • Currency exchange sued • Transaction reference number • Receiving beneficiary's Bank name & beneficiary's name

  39. Wire Transfer Fraud: • Bank will likely start the process of requesting the funds from the bank that initiated the wire • If a series of banks were involved, the transaction must be processed in reverse order thru each bank • Shut down the vulnerability that allowed the fraud to occur! • De-activate the breached PIN • De-activate the User ID/Password • Block the account for wire activity • If your account number was compromised, transfer to a new bank account number

  40. Wire Transfer Fraud: • If the Bank is unable to collect, you may have a loss. • If the fraud was accomplished by your employee: • Consider filing a 1099

  41. Safeguarding Your Assets • Make security of information & accounts a primary concern • Timely identification is critical • Contact your financial institution as soon as you suspect anything • Financial institutions can assist with services to help you effectively manage these risks

  42. Higher risk of accepting a counterfeit card. Check terminal Match the account number – front to back Check expiration Date Make imprint Obtain signature Verify Signature Card PresentKey Entered Transaction

  43. Card Present – Unsigned Card • Request a signature – Ask cardholder to sign card & provide current government ID • Check signature on card to ID

  44. Card Not Present • Obtain an authorization • Verify the card’s legitimacy • Use fraud prevention tools • 3 digit security code • AVS • Still questioning the transaction • Call your bank • Check telephone number • Hold item

  45. e-Commerce • Payment Card Industry Data Security Standard • Build & maintain a secure network • Protect cardholder data • Maintain a vulnerability management program • Implement strong access control measures • Monitor and test Networks • Maintain an information security policy • Verified by Visa & MasterCard SecureCode

  46. Employee Accountability • Fraud prevention training • Posting fraud prevention reminders • Prevent employee fraud scams • Offering rewards/incentives

  47. First time shoppers Larger then normal orders Orders include several of the same items Rush or overnight shipping Shipping to international address Transactions with similar account numbers Multiple cards from a single IP address Potential Signs of Fraud

  48. Orders using free e-mail services Orders using relay call service Purchasing a lot without regard to size, style, color or quality Makes purchases, leaves the store, and returns to make more purchases Makes large purchases right at the opening of the store or the closing Customer requests additional charge to card & then wire funds to another company - ex: shipping expense. Potential Signs of Fraud (cont.)

  49. Countermeasures

  50. Computer Security • Up-to-date operating system patches • Virus Protection • Firewall • Hardware • Software

More Related