Electronic Fraud – Techniques, Methodologies, and Countermeasures Michael Schirling April 2008
Context • Extortion • Credit card generators • Fraud Schemes • Trojan Horse scenarios • Stock Trading Scams • Murder • Child Exploitation • Fraud • Identity Theft
Context • Armed bank robberies net an average of $7,500 each for an annual total of approximately $60 million. One-sixth of the money is recovered and 80% of offenders are incarcerated. • The FBI estimates that cyber criminals net $10 billion annually, averaging $250,000.00 per heist with less than one percent of offenders going to jail (old figure circa 2000).
Cyberspace offenders: A non-exhaustive list • Preferential sex offenders • Terrorists • Spies • Hackers – trespass for achievement • Pranksters – defy authority • Phreakers/Crackers • Common criminals – for profit • Disgruntled insiders
In August of 2001, a few men were hanging out in a parking lot near the Arlington, Virginia, Department of Motor Vehicles (DMV) office. This was nothing new. Their fee was no more than $100 and most of their customers were illegal immigrants. “According to an FBI affidavit, on August 2, the men in the parking lot were approached by “three Arab males” in a van. The three men were asking about acquiring official identity cards. They accompanied the men in the van to a nearby attorney’s office and swore to their Virginia state residency. The three men in the van returned to the DMV offices with the proper documentation and were issued Virginia identification cards…….”
“On September 11, they were among the 19 terrorists who hijacked the jetliners that crashed into the World Trade Center and the Pentagon. Apparently, more than half of the 19 hijackers boarded the aircraft with phony IDs. Moreover, the terrorist who was convicted last year in the plot to blow up Los Angeles International Airport used 13 identities that were pilfered from the membership roster of a Boston, Massachusetts, health club.” “Clearly, identity theft is no longer confined to computer hackers and scam artists who are out to make a fast buck….” Sanford Wexler, Law Enforcement Technology, April 2002, p. 28
STEALING THE OLD FASHIONED WAY • Small gain, great risk • Victim can ID you • Victim can fight back • Police can chase you • Gun enhancements • Long prison terms
STEALING VIA ELECTRONIC MEANS • High profit – low risk • No victim contact • No weapon use • Police undermanned and overwhelmed • If caught – probation or misdemeanor • The loot is delivered!
Top Personal Fraud Schemes Based on Yahoo Internet Life Assessment
Top Schemes • Identity Theft • Work at Home Fraud • Credit Card Fraud • Medical Treatments / Weight Loss • Chain Letters • Multilevel Marketing • Free Goods • Bioterrorism Products • Auction Fraud
Top Schemes • Advance Fee Loans • Credit Repair • Vacation Prize Promotion • Advance-Fee Fraud • International Sweepstakes • Web Cramming
Common fraud mechanisms • Acquiring key pieces of someone’s identifying information in order to impersonate them • Name • Address • Date of Birth • SSN • Mother’s maiden name • Account Numbers • PINs/Passwords
Frauds • Take over financial accounts • Open new bank accounts • Apply for loans • Apply for credit cards • Apply for social security benefits • Purchase/sell cars & merchandise • Rent apartments to further other criminal enterprises • Establish services with utility and phone companies • Forge/counterfeit checks • Fraudulent use of stolen credit (checks/credit cards/etc.) • Commit crimes in another name
How They Do It • Use low and high tech methods • Shoulder surfing at ATMs • Steal your mail • Stealing your pocketbook/wallet • Dumpster diving • Corrupting employees with access to data • Check washing • Check creation software
Hacking • Unlawful entry, trespass, damage to computer systems • Leaving/taking/changing information on the computers that are infiltrated
Computer Viruses • Computer programs that can damage computer systems • Viruses spread from one computer to another via media, network, internet • Antivirus software protects your computer (Norton, McAfee, PC-cillin and others) • Updates – ensure your software is updated at least weekly
Business Exposure • Hardware theft • Software theft • Data theft • Data corruption • Loss of competitive/proprietary information • Loss of employee productivity
Business Fraud Damages • Your reputation • Productivity • Profitability
Cost of Workplace Fraud • $400 billion annually according to the Association of Certified Fraud Examiners • Insurance Fraud alone = $120 billion • Approximately 6% of a company’s annual revenue is lost to fraud
Preventing Internal Fraud – Your #1 Exposure • Hiring practices • Know your people • Treat people fairly (FBI Espionage Examples) • Implement and maintain controls • Require countersignatures & stamp incoming checks “deposit only” • Have a code of ethics • Conduct random audits • Use password protection and encryption • Define the consequences
Avenues of Deception • Live – insiders and associates • Social engineering attack • On-line
Policies • Have policies • Post the policies • Enforce the policies • Make it known that you enforce the policies • Revisit the policies regularly
Response Procedures • Have an incident response protocol • Practice it • Keep good logs, even if it costs you a bit more to store them • Train your response personnel • Develop a relationship with law enforcement and security vendors BEFORE an incident occurs
Check Fraud • Risk • Checks stored with other material accessible to unauthorized employees (or individuals). • Maintenance & service personnel have access to that area. • Both blank checks & outgoing written checks are left unattended. • Creates employee temptation. • PR aspect of fraudulent checks with your company name on them being returned to victims.
Check Fraud • Prevention Measures: • Store blank check stock in a controlled area. • Consider dual access controls • Consider a computer program to print blank checks from blank stock • Be sure to enforce the computer access controls • Review/delete bank authorization immediately after employees leave the department.
Accounts Payable Controls • Risk: • Improper wire, ACH or check payments • Internal fraud payments • Register states one payee; check another • Counterfeit bills • Prevention Measures: • Use an established institution for conducting ACH & wire transactions • Establish a secure electronic transaction system with dual signoff required • Pre-establish a daily A/P issue report & a report of newly established vendors.
Other Suggestions: • Encourage employees to use direct deposit • If an employee check is lost or stolen, be sure that they notify payroll immediately. • Place a stop payment on the check. • Purchase quality checks with security features: • Void feature if someone tries to copy your check. • Chemical-sensitive paper with background patterns to reduce the risk of alterations. • Eliminate duplication of already used check numbers to ensure stop payment can be detected properly.
Other Suggestions: • Conduct employee screening checks • Social security check • Reference checks (verify phone numbers) • Credit check • Criminal check • Document, train & enforce personnel policies & procedures
On the Business Side… • People will try to defraud you of your products and money • Insist on full address and phone information on all orders – and verify it • Do not accept orders with free e-mail accounts as the return address • Use automated IP checking • Beware of new payment methods like virtual checks until they have been fully accepted and tested
How to respond to a payment Fraud • Check Fraud • Contact Account Officer immediately • If a check or draft item, obtain a copy of the front & back of the item • Identify all “hands” that handled the check (internally & externally for the investigation). • File a police report; provide a copy to your Account Officer • Obtain & complete an Affidavit of Forgery for each item (provided by Account Officer) • Notify your insurance carrier (if applicable) • Anticipate 60-90 days to process claims
How to respond to a payment Fraud • Employee fraud with loss: • Consider filing a 1099 for the amount of the loss (You have 3 years to file) • Consider offering the employee the option to pay over time within three years at a defined pace to avoid tax filing & related tax consequences
ACH Debit Fraud • Contact your Banking Account Officer immediately • Account Officer can initiate an “unauthorized transaction” return • Account Officer can provide transaction detail, including the identification of the originator to enable you to approach the originator directly for repayment (be sure to ask for proof of authorization).
ACH Debit Fraud • File a police report; provide your Account Officer with a copy. • Notify your insurance carrier, if applicable • Expect 60-90 days to process claims • If an employee fraud with a loss: • Consider filing a 1099 for the amount of the loss
Wire Transfer Fraud: • Notify your Account Officer immediately • It may be possible for the Bank to request the funds to be returned to your account, if the receiving account has not used the funds. • Be prepared to provide enough detail to your Account Officer to identify the wire transaction • Your Bank account number • Date transaction posted to your account • Dollar amount • Currency exchange used • Transaction reference number • Receiving beneficiary's Bank name & beneficiary's name
Wire Transfer Fraud: • Bank will likely start the process of requesting the funds from the bank that initiated the wire • If a series of banks were involved, the transaction must be processed in reverse order through each bank • Shut down the vulnerability that allowed the fraud to occur! • De-activate the breached PIN • De-activate the User ID/Password • Block the account for wire activity • If your account number was compromised, transfer to a new bank account number
Wire Transfer Fraud: • If the Bank is unable to collect, you may have a loss. • If the fraud was accomplished by your employee: • Consider filing a 1099
Safeguarding Your Assets • Make security of information & accounts a primary concern • Timely identification is critical • Contact your financial institution as soon as you suspect anything • Financial institutions can assist with services to help you effectively manage these risks
Card Present – Key Entered Transaction • Higher risk of accepting a counterfeit card • Check terminal • Match the account number – front to back • Check expiration date • Make imprint • Obtain signature • Verify signature
Card Present – Unsigned Card • Request a signature – Ask cardholder to sign card & provide current government ID • Check signature on card to ID
Card Not Present • Obtain an authorization • Verify the card’s legitimacy • Use fraud prevention tools • 3 digit security code • AVS • Still questioning the transaction • Call your bank • Check telephone number • Hold item
e-Commerce • Payment Card Industry Data Security Standard • Build & maintain a secure network • Protect cardholder data • Maintain a vulnerability management program • Implement strong access control measures • Monitor and test Networks • Maintain an information security policy • Verified by Visa & MasterCard SecureCode
Employee Accountability • Fraud prevention training • Posting fraud prevention reminders • Prevent employee fraud scams • Offering rewards/incentives
Potential Signs of Fraud • First time shoppers • Larger than normal orders • Orders include several of the same items • Rush or overnight shipping • Shipping to international address • Transactions with similar account numbers • Multiple cards from a single IP address
Potential Signs of Fraud (cont.) • Orders using free e-mail services • Orders using relay call service • Purchasing a lot without regard to size, style, color or quality • Makes purchases, leaves the store, and returns to make more purchases • Makes large purchases right at the opening of the store or the closing • Customer requests additional charge to card & then wire funds to another company – ex: shipping expense.
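The "Potential Signs of Fraud" indicators above are the kind of rules an order-screening step can apply automatically before a card-not-present order ships. The following is an added example, not code from the deck or its author: it scores a batch of constructed order records against a subset of those indicators (free e-mail service, multiple cards from one IP address, first-time shopper with a large order, rush shipping to an international address, several of the same item). The order record layout, the free-mail domain list and the large-order threshold are assumptions.

```python
# Added example (not from the original deck): rule-based screening of e-commerce
# orders using a subset of the "Potential Signs of Fraud" listed in the slides.
# Record layout, FREE_MAIL_DOMAINS and LARGE_ORDER_USD are constructed assumptions.
from collections import defaultdict

FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}  # assumed list
LARGE_ORDER_USD = 500.0                                         # assumed threshold


def screen_orders(orders):
    """Return {order_id: [reasons]} for every order that trips an indicator.

    Each order is a dict with keys: id, email, ip, card_last4, total,
    first_time (bool), rush (bool), intl (bool), items (list of SKUs).
    """
    # First pass: which distinct cards were used from each IP address.
    cards_per_ip = defaultdict(set)
    for o in orders:
        cards_per_ip[o["ip"]].add(o["card_last4"])

    flagged = {}
    for o in orders:
        reasons = []
        if o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
            reasons.append("free e-mail service")
        if len(cards_per_ip[o["ip"]]) > 1:
            reasons.append("multiple cards from a single IP address")
        if o["first_time"] and o["total"] >= LARGE_ORDER_USD:
            reasons.append("first-time shopper with larger than normal order")
        if o["rush"] and o["intl"]:
            reasons.append("rush shipping to an international address")
        if len(o["items"]) != len(set(o["items"])):
            reasons.append("several of the same item")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged


SAMPLE_ORDERS = [  # constructed sample data, not real transactions
    {"id": "A1", "email": "pat@example.com", "ip": "203.0.113.10", "card_last4": "1111",
     "total": 45.0, "first_time": False, "rush": False, "intl": False, "items": ["SKU1"]},
    {"id": "A2", "email": "buyer@hotmail.com", "ip": "203.0.113.77", "card_last4": "2222",
     "total": 1200.0, "first_time": True, "rush": True, "intl": True,
     "items": ["SKU9", "SKU9", "SKU9"]},
    {"id": "A3", "email": "x@corp.example", "ip": "203.0.113.77", "card_last4": "3333",
     "total": 80.0, "first_time": False, "rush": False, "intl": False, "items": ["SKU2"]},
]

if __name__ == "__main__":
    for oid, why in screen_orders(SAMPLE_ORDERS).items():
        print(oid, "->", "; ".join(why))
```

A flagged order is a candidate for the manual steps the deck lists (call your bank, check the telephone number, hold the item), not an automatic decline.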
Computer Security • Up-to-date operating system patches • Virus Protection • Firewall • Hardware • Software