The e-banking antifraud solution
The intelligent software that protects consumers and banks from the most sophisticated hacker attacks

SCENARIO: Online fraud
The increase in online banking transactions and the resulting movement of cash via the Net have shifted the focus of organised crime from bank robberies to online fraud, which is just as lucrative but far less risky.
SCENARIO: Fraud mechanisms
The following mechanisms are used to perpetrate online fraud.
Unauthorised access to online current accounts via:
• Theft and subsequent use of credentials
• Web-in-the-Middle
And subsequent transfer of money by three different means:
• The money is transferred through a chain of decoy accounts and finally credited to a foreign bank (often by recruiting current account holders online, not always in good faith).
• The money is used to buy multiple phone top-ups and the resulting credit is immediately spent using premium phone numbers.
• The money is used to load prepaid credit cards and immediately used to buy easily resellable goods (such as jewellery or electronic goods).
SCENARIO: Theft and subsequent use of credentials
Data theft by cracking bank databases
This is the most brutal but often the most effective mechanism, allowing thousands of authentication details to be obtained in one go. (Latest known event, 12 December 2008, 450,000 accounts, Germany)
E-mail phishing
The most commonly used method for spying on and collecting authentication credentials in online banking.
Banking Trojans
These incorporate various different mechanisms for capturing and sending access data: from keyloggers to generating films of mouse movements on the screen. They began to spread four years ago and have recently reached a critical level of penetration. (According to an empirical assessment carried out in November 2008, approximately 1% of end-user PCs are affected.)
SCENARIO: Banking Trojans
Trojans act by transferring usernames, passwords and digital signature certificates, as well as screenshots and all the characters typed, to pirate sites created to gather this kind of information. The list of these Trojans is long and well documented, although they are fairly unknown to the vast majority of Internet users and antivirus tools often fail to pick them up.
Their operating principle is not too dissimilar from the one introduced by Bancos.NL, the first of the documented Trojans. The most widespread forms remain in standby mode until the browser connects to one of the addresses listed in the code. At this point, when the user browses an Internet banking site, the Trojans activate by sending his or her username and password, plus any other confidential information, to the pirate sites that collect them.
SCENARIO: Web-in-the-Middle
Trojan.Silentbanker, and its subsequent variants, affect innocent users of online banking services by intercepting client current account information before it is encrypted and sending it to a central attack database. They have the ability to intercept online banking transactions which are normally well protected by two-level authentication procedures.
During a banking transaction, Silentbanker replaces the user's beneficiary account with the hacker's account, while the user continues to perceive a perfectly normal banking transaction. Since they have no inkling that their details have been hacked, users unknowingly send money to the hacker's account after having completed the second level of authentication.
SCENARIO: Countermeasures
Banks lack the means to combat this phenomenon. This is because the infection affects their customers' computers, without any anomaly being picked up on the Internet banking server.
Only occasionally will the bank perceive the presence of malware on a customer's computer in a log file. This happens when the Trojan modifies website pages to request additional information, and consequently the web server receives POST fields which do not appear in "clean" transactions.
Analysing these POST fields allows customers with infected PCs to be identified, although it may be difficult to determine how to proceed:
• Notify the user: there is a risk that this operation will be perceived by users as an attack on their privacy. They may think that the bank has hacked into their PC in order to get hold of this information.
• Manually monitor the relevant account to identify any fraudulent activity.
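The server-side signal described above (POST fields that the clean page never sends) can be checked mechanically against the bank's own form schema. The following is an added example, not Intelligrate or RAKE code: the endpoint schema, the log line format ("client-id path urlencoded-body") and the sample lines are constructed for illustration.

```python
"""Flag e-banking POST requests that carry form fields the clean page never sends.
Added example, not RAKE code. Log format, endpoints and field names are constructed."""
from urllib.parse import parse_qs

# Assumed schema: the POST fields each page legitimately submits, as defined by the bank's web team.
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf"},
    "/transfer": {"iban", "amount", "otp", "csrf"},
}

# Constructed web-server log extract: "<client-id> <path> <urlencoded POST body>".
# Field values are dummies; only the field names matter for this check.
SAMPLE_LOG = """\
cust-1001 /login username=a&password=b&csrf=x
cust-1002 /login username=a&password=b&csrf=x&atm_pin=0000&mother_maiden=Smith
cust-1003 /transfer iban=IT00TEST&amount=2500&otp=111222&csrf=x
cust-1002 /transfer iban=IT00TEST&amount=3500&otp=111222&csrf=x&card_number=0000
cust-1004 /transfer iban=IT00TEST&amount=100&otp=111222
"""

def parse_line(line):
    """Split one constructed log line into (client id, path, set of POST field names)."""
    client, path, body = line.split(" ", 2)
    fields = set(parse_qs(body, keep_blank_values=True).keys())
    return client, path, fields

def unexpected_fields(path, fields):
    """Field names not in the clean schema for this path; an empty set means a clean request."""
    return fields - EXPECTED_FIELDS.get(path, set())

def scan_log(text):
    """Map each client that sent at least one unexpected field to the sorted list of those fields.
    Clients in the result are the ones whose PC is worth investigating, per the slide."""
    suspects = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        client, path, fields = parse_line(line)
        extra = unexpected_fields(path, fields)
        if extra:
            suspects.setdefault(client, set()).update(extra)
    return {client: sorted(extra) for client, extra in suspects.items()}

def infection_rate(text):
    """Share of distinct clients that sent unexpected fields (the per-bank estimate the slides derive)."""
    clients = {parse_line(line)[0] for line in text.splitlines() if line.strip()}
    return len(scan_log(text)) / len(clients)

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(f"estimated infected share: {infection_rate(SAMPLE_LOG):.1%}")
```

Missing fields (cust-1004 sends no csrf token) are a separate signal and are deliberately not counted here: the slide's indicator is the presence of fields a clean transaction never contains.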
ANALYSIS: Analysis of real cases
Identifying the presence of these additional POST fields allows the percentage of infected computers among a bank's customers to be estimated. Between September and November 2008, by analysing the log files of some of our client banks, we estimated that:
• Approximately 0.5% of users are infected with Trojan.Silentbanker.
• 0.5% of transactions may potentially become fraudulent.
• A further 0.5% appear to be infected by other Trojans that modify access pages but which we were unable to identify.
Considering the country (Italy) as a whole, we can calculate the following:
• Since there are between 5 and 10 million online banking accounts in Italy, 50,000 computers could potentially be infected.
• Fraud is normally committed by ordering three or more bank transfers for variable amounts of between 2,000 and 5,000 €.
• The turnover of this kind of fraud is 300,000,000 €.
RAKE: The winning solution
Rake allows unusual behaviour by users to be identified by using clustering and classification techniques that are specific to data mining; the same ones that are employed by the fraud detection products implemented by major credit card operators.
• Automatic monitoring of current accounts and reporting of all unusual movements, based on data mining procedures aimed at identifying the behavioural profile of each individual user.
• Automatic clustering of user behaviour: allows habitual behaviour to be identified and anything that deviates from it to be recognised.
• Historical analysis of typical user parameters, in order to reduce the presence of false positives and increase the effectiveness of the tool itself.
This method is successful even in dealing with new kinds of misappropriation, specifically because it is based on analysing user behaviour rather than knowing the procedure by which fraud is committed. Fraud which has already taken place and has known behavioural patterns can be incorporated into a second assessment step for further verification.
RAKE: How it works
Data collection stage
• Loading and storage of transactions carried out over a number of weeks, in order to provide a minimum number of transactions.
Clustering processes
• Clusters are calculated by using only the movements that relate to the last 6 months, so that only "recent" behaviour is taken into account.
• Using these movements, statistical clusters are examined using the E.M. (Expectation Maximisation) algorithm, after excluding any outliers (events that fall outside the clusters) using other clustering algorithms (OPTICS-LOF or DENCLUE).
• The clustering process is carried out every day, after the logs have been obtained and processed, and the results are saved on a second DB to improve the performance of the system.
• The clustering results are entered in a DB so that comparisons can easily be drawn between new transaction orders and pre-calculated clusters, and a weighting can therefore be assigned to the transactions.
RAKE: How it works
Pattern recognition mechanisms
In order to identify successions of events which have previously led to misappropriations.
A series of misappropriations have taken place by means of a series of bank transfers, carried out on consecutive days, for amounts that increase steadily by 1,000 € a time. This can be incorporated in the fraud detection mechanisms, but a search has to be carried out first to find any events of the same nature in the previous history, in order to determine whether they are truly "dangerous". In fact, if the previous succession proved to be a very widespread event that is not connected with attempted fraud, it would be pointless to search for it among new transactions.
IP georeferencing mechanisms
In order to identify sudden changes in Internet banking access locations (or providers).
This feature is incorporated in the analysis of beneficiaries (and possibly user agents) in order to identify false positives. The system allows the user's IP address to be checked against a blacklist containing addresses used by the TOR anonymising service (other anonymisers are due to be added at a later date).
RAKE: How it works
Anonymiser search mechanisms
In order to identify transactions originating from IP address concealment services.
Intelligrate collects the IP addresses of the leading anonymisation services, such as TOR, updating RAKE on a daily basis. This allows the origin of various transactions to be analysed, blocking or blacklisting any that originate from the aforesaid services.
Whitelists and blacklists
In order to allow the separate management of specific current accounts if necessary.
RAKE allows specific accounts to be added to whitelists if they are to be completely excluded from any checks, while allowing any particularly suspicious bank details, telephone numbers or the numbers of reloadable cards to be added to blacklists...
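The rule-based checks of the last two slides (the consecutive-day "+1,000 € a time" transfer pattern, the access-network change, the anonymiser IP list, and account whitelists and beneficiary blacklists) fit together in a single pre-screening step. The code below is an added example, not RAKE's own implementation: the list contents, the transaction record layout and the sample history are constructed, the anonymiser list is a stand-in for the daily TOR exit-node feed, and the /24 comparison in is_new_network is an assumed simplification of IP georeferencing.

```python
"""Whitelist/blacklist, anonymiser-IP and transfer-pattern rules for pre-screening transactions.
Added example, not RAKE code. All lists and transactions below are constructed."""
from datetime import date
from ipaddress import ip_address, ip_network

WHITELIST_ACCOUNTS = {"ACC-TREASURY"}              # constructed: accounts excluded from all checks
BLACKLIST_BENEFICIARIES = {"IT00MULE0000001"}     # constructed: a beneficiary flagged by the bank
ANONYMISER_NETS = [ip_network("198.51.100.0/24")]  # constructed stand-in for the daily TOR exit list

def is_anonymiser(ip):
    """True if the client address falls inside a known anonymiser range."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMISER_NETS)

def is_new_network(tx, history, prefix=24):
    """Assumed simplification of IP georeferencing: has this account never connected from the same /24?"""
    seen = {ip_network(f"{h['ip']}/{prefix}", strict=False) for h in history}
    return bool(history) and ip_network(f"{tx['ip']}/{prefix}", strict=False) not in seen

def escalating_daily_pattern(history, step=1000, min_len=3):
    """True if the transfers contain a run of >= min_len transfers on consecutive days,
    each exactly `step` EUR larger than the previous one (the pattern described on the slide)."""
    txs = sorted(history, key=lambda t: t["date"])
    run = 1
    for prev, cur in zip(txs, txs[1:]):
        next_day = (cur["date"] - prev["date"]).days == 1
        if next_day and cur["amount"] - prev["amount"] == step:
            run += 1
            if run >= min_len:
                return True
        else:
            run = 1
    return False

def rule_flags(tx, history):
    """Names of the rules the transaction triggers; [] means no rule fired (or the account is whitelisted)."""
    if tx["account"] in WHITELIST_ACCOUNTS:
        return []
    flags = []
    if tx["beneficiary"] in BLACKLIST_BENEFICIARIES:
        flags.append("blacklisted_beneficiary")
    if is_anonymiser(tx["ip"]):
        flags.append("anonymiser_ip")
    if is_new_network(tx, history):
        flags.append("new_access_network")
    if escalating_daily_pattern(history + [tx]):
        flags.append("escalating_daily_transfers")
    return flags

# Constructed history for one account: two transfers on consecutive days, 1,000 EUR apart.
HISTORY = [
    {"account": "ACC-1", "date": date(2008, 11, 3), "amount": 2000, "beneficiary": "IT00FRIEND", "ip": "203.0.113.5"},
    {"account": "ACC-1", "date": date(2008, 11, 4), "amount": 3000, "beneficiary": "IT00FRIEND", "ip": "203.0.113.9"},
]
# Constructed new order: third consecutive day, +1,000 EUR, blacklisted beneficiary, anonymiser address.
NEW_TX = {"account": "ACC-1", "date": date(2008, 11, 5), "amount": 4000,
          "beneficiary": "IT00MULE0000001", "ip": "198.51.100.7"}

if __name__ == "__main__":
    print(rule_flags(NEW_TX, HISTORY))
```

As the pattern-recognition slide notes, a rule such as escalating_daily_pattern should only be switched on after the same succession has been searched for in the historical data and found to be rare among legitimate customers; otherwise it only manufactures false positives.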
RAKE: How it works
Various different mechanisms are used to assess the "deviation" between an individual movement and normal behaviour:
• Cluster EM (Expectation Maximization): assessment of whether the movement comes within the combination of normal distributions identified by E.M. clustering (with different weightings depending on the degree of deviation from the cluster average and edges). This assessment is made without any reassessment of the clusters.
• OPTICS Local Outlier Detection: calculation of the deviations from the clusters using OPTICS to determine whether the individual event comes within the cluster or can be identified as an outlier.
• Cluster 2D-GridClustering: geometric assessment of the deviation from existing clusters using a two-dimensional version of GridClustering algorithms. This assessment is also carried out without recalculating the clusters.
By applying the three mechanisms, a "Minority Report" policy can be adopted to report the anomaly and call the user, if necessary, only when three positives occur.
RAKE: Application modes
Rake is available in two different application modes, which can be chosen with the bank based on the technical features of the e-banking service, the way in which customers interact with it and the need to ensure the promptness of transactions.
• Online Mode: RAKE is connected directly to the e-banking application. For each transaction, RAKE is sent a string containing all the transaction data and returns a weighting of between 0 (transaction OK) and 10 (transaction with a very high probability of being fraudulent). The e-banking application can ask the customer an additional question to verify authenticity or send a confirmation text message.
• Offline Mode: every evening, the day's transactions are assessed and a report is produced containing reports of any events that are probably fraudulent. This can be sent to the helpdesk for telephone verification of the most suspicious ones.
RAKE: Online application mode
The Online Mode requires the transaction weighting to be returned within a maximum of 1 second. This requirement makes it impossible to carry out clustering using all the available tools and therefore requires the use of EM clusters, which provide a geometric representation of the result, and grid-based clusters, which allow one to determine quickly whether each new event comes within a cluster.
With EM clustering, new transaction orders are therefore compared to the ellipses representing the clusters and are given an increasingly negative weighting the further they are from the centre of the clusters. 2D-GC clustering determines whether new transaction orders fall within cells that already belong to a cluster or whether their presence turns groups of transactions into clusters that were not previously clusters.
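The three deviation assessors and the "Minority Report" vote from the preceding slides, together with the 0..10 weighting returned in Online Mode, can be shown on two features (amount in EUR, hour of day). This is an added example and not RAKE code: a single Gaussian component fitted to the account's history stands in for the pre-calculated EM mixture, a fixed 500 € × 3 h grid stands in for 2D-GridClustering, and a k-nearest-neighbour density ratio stands in for the OPTICS-LOF step. The account history is constructed as a regular lattice so that the results can be checked by hand; the thresholds are assumptions.

```python
"""Three 'deviation' assessors and the Minority Report vote, on (amount EUR, hour of day).
Added example, not RAKE code: one Gaussian component stands in for the EM mixture,
a fixed grid for 2D-GridClustering, and a k-NN density ratio for the OPTICS-LOF step."""
import math

# Constructed history for one account: 40 daytime payments, laid out on a regular lattice on purpose.
HISTORY = [(300 + 20 * i, 9 + i % 9) for i in range(40)]

def mean_cov(points):
    """Sample mean and 2x2 covariance (population form, with a tiny ridge so it is always invertible)."""
    n = len(points)
    mx = sum(p[0] for p in points) / n
    my = sum(p[1] for p in points) / n
    sxx = sum((p[0] - mx) ** 2 for p in points) / n + 1e-9
    syy = sum((p[1] - my) ** 2 for p in points) / n + 1e-9
    sxy = sum((p[0] - mx) * (p[1] - my) for p in points) / n
    return (mx, my), (sxx, sxy, syy)

def em_weight(point, history):
    """0..10 weighting from the squared Mahalanobis distance to the cluster ellipse.
    For a 2D Gaussian, 1 - exp(-d2/2) is the share of normal events that lie closer to the centre,
    so 0 means 'at the centre' and 10 means 'outside practically all normal behaviour'."""
    (mx, my), (sxx, sxy, syy) = mean_cov(history)
    det = sxx * syy - sxy * sxy
    dx, dy = point[0] - mx, point[1] - my
    d2 = (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det
    return round(10 * (1 - math.exp(-d2 / 2)))

def grid_is_outlier(point, history, cell=(500, 3), min_points=2):
    """2D grid: a cell holding >= min_points events is a cluster cell. The new event counts itself,
    so a lone event in an empty cell is an outlier, while one that completes a cell is not."""
    key = lambda p: (int(p[0] // cell[0]), int(p[1] // cell[1]))
    occupancy = sum(1 for p in history if key(p) == key(point)) + 1
    return occupancy < min_points

def _standardise(points, history):
    """Scale both axes by the history's standard deviation so EUR and hours are comparable."""
    (mx, my), (sxx, _, syy) = mean_cov(history)
    return [((p[0] - mx) / math.sqrt(sxx), (p[1] - my) / math.sqrt(syy)) for p in points]

def local_outlier_factor(point, history, k=5):
    """Mean k-NN distance of the event divided by that of its k neighbours (>1: sparser than them)."""
    hist = _standardise(history, history)
    p = _standardise([point], history)[0]
    dist = lambda a, b: math.hypot(a[0] - b[0], a[1] - b[1])
    def mean_kdist(q, pool):
        return sum(sorted(dist(q, h) for h in pool)[:k]) / k
    neighbours = sorted(hist, key=lambda h: dist(p, h))[:k]
    # each neighbour's own k-NN distance is measured against the history without itself
    nb_mean = sum(mean_kdist(n, [h for h in hist if h != n]) for n in neighbours) / k
    return mean_kdist(p, hist) / nb_mean

def assess(point, history, em_threshold=9, lof_threshold=1.5):
    """Run the three assessors; Minority Report policy: alert only when all three are positive."""
    weight = em_weight(point, history)
    positives = [
        weight >= em_threshold,
        grid_is_outlier(point, history),
        local_outlier_factor(point, history) > lof_threshold,
    ]
    return {"weight": weight, "positives": sum(positives), "alert": all(positives)}

if __name__ == "__main__":
    for tx in [(650, 12), (4500, 3)]:   # a routine daytime payment; a large 3 a.m. transfer
        print(tx, assess(tx, HISTORY))
```

In Online Mode only em_weight and grid_is_outlier would run against the pre-calculated clusters, since the neighbour search in local_outlier_factor is the kind of work the 1-second budget rules out; the offline daily report can afford all three and the full vote.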
[Figure: EM Clustering – Before the Outlier Search]
[Figure: EM Clustering excluding Outliers]
[Figure: 2D-GC Clustering with 2 points per cluster]
[Figure: 2D-GC Clustering with 3 points per cluster]
RAKE: Offline application mode
The Offline Mode does not require short calculation times to be respected. A complete analysis can therefore be carried out using the three methods previously described, returning more accurate "probability of fraudulent event" scores. The result is a daily report that allows the relevant departments to investigate any particularly suspicious events.
[Figure: Search for Outliers]
[Figure: Identified Outliers]
RAKE: Installation and configuration
Rake consists of three modules:
• The clusteriser, which takes into account the history of each account and the list of movements, the beneficiaries, the user agents and the IP/connection providers.
• The database which, in addition to storing movements and clusters, uses stored procedures to produce a daily report on suspected misappropriations.
• The client, which provides real-time responses on the degree of reliability of each transaction.
The three modules can be implemented on a single machine or split between different machines to improve performance. The client component can be replicated and integrated with load sharing equipment. The DB component is implemented in MySQL or Oracle 11g and can be integrated into DBs supplied by the customer.
RAKE: Installation and configuration
Rake is supplied either as an application to be installed on Unix machines, whether Solaris or Linux RedHat, or as a Virtual Appliance for VMware:
• CentOS + MySQL
• CentOS + Oracle
• Solaris 10 + Oracle
• Solaris 10 + MySQL
Rake can be integrated with customer applications and supplied with ad hoc communication modules if adaptation to specific Internet banking environments is required.
RAKE: Installation and configuration
Rake can easily be administered via a Web interface. The reports can be displayed via the Web or downloaded in CSV or XLS format. If requested by the customer, the reports can be displayed by a Web Service. Screenshots of the administration and reporting displays are shown below.
[Screenshots: RAKE Configuration (four screens)]
[Screenshots: RAKE Reports (two screens)]
THANK YOU!
INTELLIGRATE srl
Via XII Ottobre 2/9, 16121 Genova, Italy
Tel.: +39 0105954161 – Fax: +39 010586753
Email: info@intelligrate.it
Web: www.intelligrate.it