We have something for everyone here ! - PowerPoint PPT Presentation

About This Presentation
Title:

We have something for everyone here !

Description:

Author: Office 2004 Test Drive User
Last modified by: Dinesh Bareja
Created Date: 2/13/2009 1:42:32 PM
Document presentation format – PowerPoint PPT presentation

Number of Views:188
Avg rating:3.0/5.0
Slides: 49
Provided by: Office20041476
Learn more at: http://www.securians.com
Transcript and Presenter's Notes



1
Welcome ! We have something for everyone here !
2
YOU ARE ALL WINNERS !
http://www.cartoonstock.com/cartoonview.asp?catref=grin691
(The graphic on this slide has been deleted from
this presentation. You may click the link above
to view the cartoon.)
3
THOUGHTS TO SET THE TONE
It is human nature to think wisely and act
foolishly. - Anatole France (1844 - 1924)
4
Preventing Fraud When Transacting Online
Threat of frauds in online transactions
to provide the most trusted information
security services in the world.
5
  • Secure Matrix India Private Limited specializes
    in IT / IS Audit, Security Consulting and
    Technical Security Services across all industry
    and business segments
  • We are headquartered in Mumbai and operate a
    Technology Centre cum Security Lab out of Pune.
    We have offices in Delhi and Chennai.
    International locations are London, Dubai and
    Atlanta.
  • Our management and consulting team comprises
    professionals certified in Information Security
    and Governance, Risk and Compliance, with
    extensive industry experience covering
    Technology, Banking, Finance, Government, Media
    and Entertainment, etc.
  • An extensive service offering includes Technical
    Security Services for Vulnerability Assessment,
    Penetration Testing, Application Security, Cyber
    Forensics, and off-site and on-site Security
    Monitoring and Management.

[Organisation chart: Secure Matrix India Pvt Ltd,
with subsidiaries Secure Matrix UK (100%), Secure
Matrix USA (100%) and Secure Matrix UAE (100%).
Mumbai: headquarters; Pune: Technology Centre;
Delhi and Chennai: regional offices.]
6
CONSIDER THIS
A man is his own easiest dupe, for what he
wishes to be true he generally believes to
be true.
7
Agenda: Online Fraud Threats, and a Discussion of
Prevention
8
The internet provides convenience, speed and
efficiency in transactions with internal or
external customers, vendors and government, and
its use is growing exponentially. Every query at
the public interface can be a risk:
  • malicious hacker ?
  • malicious insider ?
  • ignorant user ?
  • smart hobbyist ?
  • human error ?
  • trojan / logic bomb (command / plant) ?
Let's keep our fingers crossed that it is a
legitimate user knocking at your door and not one
of the above !
9
THREATS, FRAUDS, SCAMS . ITS ALL OVER
The fraud can start in a parking lot. The
parking ticket has a website address where you
will get details of the violation and pay the
fine. On the site you are asked to install a
toolbar that will enable the incident to be
processed. Of course, you are expected to provide
some personal info and use your credit card to
pay the fine ! .. The rest is left to your
imagination.
Even governments can be scammed. The State of Utah
paid $2.5 million into the scam bank account. Key
loggers captured information and this was used to
create and pay fake invoices. Luckily the
transactions were spotted by a bank manager and
the department managed to save about $1.8 million.
10
Starting off we take a look at some numbers ..
11
SOME FACTS FIGURES
Complaints received: 2007: 206,884; 2008: 275,284
(up 33.1%)
Total loss: $265 million; average $931 per
complaint
Fraud delivery mechanism: email 70%, web page 25%
Victims: 55.4% male
Perpetrators: 77% male, from CA, FL, DC, TX, WA
Men lost more money than women: $1.69 to every $1
- Internet Crime Complaint Center (IC3)
12
2008 POINTERS
  • More than 75% of all malicious threats were
    aimed at compromising end users for financial
    gain
  • China accounted for almost half of all
    malicious activity within Asia Pacific
  • Symantec created 1,656,227 new malicious code
    signatures - a 265% increase over 2007
  • Malicious code development is now a
    professional business, supporting the demand
    for goods and services that facilitate online
    fraud
  • Variants of existing threats are the preferred
    and most cost-effective way to create new
    attacks, instead of creating totally new threats
- Symantec Internet Security Threat Report, Volume XIV
13
SOME FACTS FIGURES (INDIA breakdown for 2007)
Motives of cyber crimes (no. of cases):
  Revenge / Settling scores                      13
  Greed / Money                                  62
  Extortion                                       2
  Cause Disrepute                                25
  Prank / Satisfaction of Gaining Control         0
  Fraud / Illegal Gain                          216
  Eve Teasing / Harassment                       56
  Others                                         85
Perpetrators (no. of cases):
  Foreign National / Group                        8
  Disgruntled Employee / Employee                23
  Cracker / Student / Professional learners      46
  Business Competitor                            65
  Neighbours / Friends / Relatives               70
  Others                                        151
- National Crime Records Bureau Report 2009
Cybercrime cases registered under the IT Act in
2007 increased 53% over 2006
14
SOME FACTS FIGURES (INDIA citywise breakdown
for 2007)
  City                                          Total
  Bhopal                                          163
  Bangalore                                        41
  Pune                                             14
  Mumbai                                           10
  Kochi                                             9
  Nagpur                                            8
  Delhi                                             5
  Vijayawada, Chennai, Amritsar, Lucknow,
  Ahmedabad, Ludhiana, Patna, Kolkata, Kanpur,
  Indore (combined)                                23
  Total                                           273
15
EVERYONE LOSES
Malicious users in India have yet to reach a high
level of sophistication. This does not remove
the risk of the "foreign hand" that we are always
referring to; in this case the FH refers to the
USA, Russia, China and a number of Eastern
European countries. Examples of outsourced
malicious work in India: an Indian IT worker may
be coding for an overseas buyer; a team works on
captcha breaking.
16
SOME FACTS FIGURES (INDIA citywise detailed
breakdown for 2007)
Columns: Revenge / Settling Scores (R), Greed / Money (G),
Extortion (E), Cause Disrepute (D), Fraud / Illegal Gain (F),
Eve Teasing / Harassment (H), Others (O), Total (T)

 No  City             R    G    E    D    F    H    O    T
  1  Bhopal           0    0    0    0  158    3    2  163
  2  Bengaluru        1   25    0    1    5    9    0   41
  3  Pune             1    4    0    5    2    2    0   14
  4  Mumbai           0    0    0    1    0    7    2   10
  5  Kochi            0    2    0    0    0    1    6    9
  6  Nagpur           1    0    0    2    1    4    0    8
  7  Delhi (City)     0    4    0    0    0    0    1    5
  8  Vijayawada       0    0    0    0    4    0    0    4
  9  Chennai          2    0    0    0    1    0    1    4
 10  Amritsar         0    3    0    0    0    0    1    4
 11  Lucknow          1    0    2    0    0    0    0    3
 12  Ahmedabad        0    1    0    0    0    0    2    3
 13  Ludhiana         0    2    0    0    0    0    0    2
 14  Patna            0    0    0    0    0    0    0    0
 15  Kolkata          0    0    0    0    0    1    0    1
 16  Kanpur           0    1    0    0    0    0    0    1
 17  Indore           0    0    0    0    1    0    0    1
     Total (Cities)   6   42    2    9  179   22   13  273
(Column totals as printed on the slide. The rows shown
actually sum to 172 for F, 27 for H and 15 for O; the row
totals and the grand total of 273 are consistent.)
17
IN THE NEWS FOR THE WRONG REASONS
  • Get-Rich Quick
  • Work-at-home
  • 419 Scams
  • Lottery Winners
  • Online Pharmacies
  • Phishing
  • Spear Phishing
  • Hoax Bomb Threats
  • Stolen Credit Card
  • Data Manipulation
  • Data Leakage
  • Impersonation / Identity Fraud
  • Brand Hijacking
  • Job Frauds
  • Marriage
  • Sale frauds
  • Stock Scams
  • Online Degrees
  • Check Cashing / Fraud

18
HOT OFF THE PRESS.
Lottery scam attempt at ACFE ! The fraudster
seems to be too clever for his own good !
19
KEYWORDS
  • Get Rich Quick
  • Me, Smartest of Them All
  • Lucky Me !
  • No One Can See Me
  • It Can't Happen To Me
  • He Was a Fool, He Got Caught
20
EVERYONE LOSES
Institutions are drawn into the fraud due to the
omissions and commissions of their constituents.
Institutions may be contributing to their fraud
threat quotient due to lax security practices and
a laissez-faire attitude towards IT security /
risk management / awareness. Effort and resource
cost cause losses to both customers and
institutions (even if the money is recovered).
Investigation and recovery is expensive ! Add the
cost of loss of credibility and brand / image
value.
21
THREATS FRAUDS
  • Malicious Insider: by far the biggest threat
    and source of frauds on connected and
    non-connected systems.
  • Credit Cards: stolen cards used online
  • Letters of Credit: the investor is offered a
    highly discounted purchase price
  • Ponzi Schemes: a high interest rate is offered
    and is paid from investor money in the beginning.
    The scheme falls apart after some time and the
    scamster disappears
  • Identity / Data Theft: provides personal
    information to the fraudster, who can then
    engage in phishing, vishing and spear-phishing

22
FRAUDS
  • Money Laundering / Money Mules: individuals are
    conned into working to launder money and become
    part of the criminal network
  • Re-shipping: similarly, individuals become part
    of a criminal chain by accepting and shipping
    stolen goods

23
FRAUDS
  • Check Fraud: a lawyer is asked to cash a high
    value check and remit the funds after deduction
    of handling fees. The check is cleared, you wait
    5 or 10 days for a clear balance and then remit
    the funds. A month later the bank reverses the
    amount, because the check was fraudulent !
  • A variation is when an individual is hired as a
    payment processor and gets checks that he/she
    cashes and transfers to other accounts. The
    checks are usually stolen and the individual
    becomes a part of the crime as a Money Mule

24
FRAUDS
  • Mobile Phone Insurance: UK consumers get calls
    offering cheap insurance for the new phone they
    purchased. They are asked for card information
    and the card is scammed
  • Medical Insurance: a customer purchased a policy
    online and when he made a claim it was not
    accepted since he had not declared his medical
    condition at the time of purchasing the policy;
    the agent sold the policy without providing
    proper information, or sold inadequate cover
  • Insurance frauds: false declarations and staged
    accidents against insurance purchased online
    (healthcare, auto insurance)
  • Stock market: forums and spam send out
    recommendations and the whole world starts
    discussing how hot that scrip is. Of course,
    everyone buys, and it tanks when the scamster has
    made his million.

25
PHISHING: the nemesis of modern day transactions
Banks, online payment organizations and other
financial institutions are bearing most of the
financial cost of phishing attacks. (A survey of
nearly 4,000 US consumers revealed a 40% increase
in the number of phishing victims in 2008 over
the year before, to five million.) The average
loss was $350 per phishing attack, but consumers
said they had recovered 56% of their losses from
the financial institutions involved. (That's
$196 to the banks and $154 to the consumers.)
- Gartner
I would highly recommend not entering a PIN
number anywhere on the Internet, unless it was
hardware based. - Avivah Litan, Analyst at
Gartner
26
STOCK MARKET FRAUD THREATS
Threats are lurking for the gullible investor at
every corner:
  • Investment Newsletters: hyping stocks, false
    information, company promotion
  • Bulletin Boards / Forums: discussions are very
    heated and dubious
  • Spam: mass mailing
Typically these are called Pump and Dump scams,
since they work to build hype around a "dabba"
(shell) company to push up the share price. The
scammer sells and exits, and the share price tanks !
October 2000: A bogus online press release caused
Emulex Corp., a California firm that designs and
develops fiber optics, to lose more than $2
billion in value during a single day of trading.
It stated that the company was reducing its
earnings estimates and that its chief executive
was stepping down. A 23-year-old student used a
computer at his community college to distribute
the release and earned a $240,000 profit from the
resulting price fluctuations before he was caught.
27
Spear Phishing (report of Jun 09): The attached
file is, naturally, a Trojan horse that steals
stored user names and passwords, and looks for
victims logging in at commercial banks. If the
victim logs in to a bank that requires two-factor
authentication -- such as the input of a one-time
pass phrase or random number from a supplied
hardware token -- the Trojan re-writes the bank's
Web page on the fly, inserting a form that
requests the information.
http://isc.sans.org/diary.html?storyid=6511
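The slide above describes the failure mode of a one-time code that is not tied to the transaction: the trojan can rewrite the page, collect the code the customer types, and submit it with a different beneficiary. The following is an added example, not code from the presentation or from Secure Matrix, that models the two designs side by side: a plain OTP over a challenge, and a "transaction-bound" code computed over the beneficiary and amount shown on the token's own display. The token secret, the 8-digit code format, the challenge scheme and the account identifiers are assumptions made for this illustration.

```python
"""Transaction-bound codes versus a plain one-time password (OTP).

Added example, not code from the presentation or from Secure Matrix.
The token secret, code format, challenge scheme and account identifiers
are assumptions made for this illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed secret shared by the bank and one customer's hardware token.
TOKEN_SECRET = b"demo-token-secret-provisioned-out-of-band"


@dataclass(frozen=True)
class Transfer:
    beneficiary: str   # destination account identifier (constructed)
    amount_paise: int  # integer minor units; never a float


def _canonical(challenge: str, transfer: Transfer) -> bytes:
    """Length-prefix every field so the MAC input has unambiguous boundaries."""
    fields = [challenge.encode(), transfer.beneficiary.encode(),
              str(transfer.amount_paise).encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def _display_code(mac: bytes) -> str:
    """8-digit code the customer can read off the token and type in."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def plain_otp(secret: bytes, challenge: str) -> str:
    """OTP over the challenge only: proves possession of the token but says
    nothing about which transaction the customer actually approved."""
    return _display_code(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())


def bound_code(secret: bytes, challenge: str, transfer: Transfer) -> str:
    """Code over challenge + beneficiary + amount. The token shows those two
    fields on its own screen, so the customer signs what they see there,
    not what a compromised browser renders."""
    mac = hmac.new(secret, _canonical(challenge, transfer), hashlib.sha256).digest()
    return _display_code(mac)


class Bank:
    """Server side: issues single-use challenges and verifies codes."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: set[str] = set()
        self._counter = 0

    def issue_challenge(self) -> str:
        # A real server draws this from a CSPRNG (secrets.token_hex);
        # a counter keeps the example deterministic.
        self._counter += 1
        challenge = f"ch-{self._counter:06d}"
        self._pending.add(challenge)
        return challenge

    def _check(self, challenge: str, expected: str, code: str) -> bool:
        if challenge not in self._pending:      # unknown or already used
            return False
        ok = hmac.compare_digest(expected, code)
        if ok:
            self._pending.discard(challenge)    # one successful use only
        return ok

    def accept_plain(self, challenge: str, transfer: Transfer, code: str) -> bool:
        # `transfer` is ignored: whatever the browser submitted gets executed.
        return self._check(challenge, plain_otp(self._secret, challenge), code)

    def accept_bound(self, challenge: str, transfer: Transfer, code: str) -> bool:
        # The bank recomputes over the transfer it actually received.
        return self._check(challenge, bound_code(self._secret, challenge, transfer), code)


INTENDED = Transfer(beneficiary="ACC-LANDLORD-001", amount_paise=2_500_000)
SWAPPED = Transfer(beneficiary="ACC-MULE-999", amount_paise=2_500_000)


def mitb_swap_accepted(mode: str) -> bool:
    """Customer approves INTENDED and types the token code; the trojan
    rewrites the request to SWAPPED. True if the bank executes SWAPPED."""
    bank = Bank(TOKEN_SECRET)
    challenge = bank.issue_challenge()
    if mode == "plain":
        return bank.accept_plain(challenge, SWAPPED, plain_otp(TOKEN_SECRET, challenge))
    return bank.accept_bound(challenge, SWAPPED, bound_code(TOKEN_SECRET, challenge, INTENDED))


def honest_then_replay() -> tuple[bool, bool]:
    """A genuine bound-code transfer succeeds once; replaying the same
    challenge and code for a second transfer is refused."""
    bank = Bank(TOKEN_SECRET)
    challenge = bank.issue_challenge()
    code = bound_code(TOKEN_SECRET, challenge, INTENDED)
    return (bank.accept_bound(challenge, INTENDED, code),
            bank.accept_bound(challenge, INTENDED, code))


if __name__ == "__main__":
    print("plain OTP, swapped beneficiary accepted:", mitb_swap_accepted("plain"))
    print("bound code, swapped beneficiary accepted:", mitb_swap_accepted("bound"))
    print("honest transfer, then replay:", honest_then_replay())
```

The bound design only helps if the beneficiary and amount are shown on a display the malware cannot alter (the token itself, or an out-of-band SMS/app message) and the customer actually reads them; a code that is bound to the transaction but displayed in the same compromised browser gives no protection.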
28
PREVENTION: Corporate / Institutional Vigilance
  • Continuous network monitoring, internal and
    external, automated / manual. Planned and
    periodic Vulnerability Assessment / Penetration
    Testing on infrastructure and Web Applications
  • Device based monitoring systems
    (FW/IDS/IPS/UTM)
  • Logging and log analysis: use of SIM/SIEM tools
  • Proactive Incident Management to identify,
    contain, learn and update
  • Backup, Patch, Change Management, Continuity and
    Recovery: use appropriate technologies and
    processes with regular testing schedules and
    drills
  • Secure Software Development: build security in;
    purchase software that has undergone security
    testing
29
IF IT SOUNDS TOO GOOD TO BE TRUE, IT'S NOT TRUE !
30
NIGERIAN SCAM or 419 SCAM: was a $5 billion
industry in 1996 !
  • "419 fraud" is so called after Section 419 of the
    Nigerian Penal Code, the section that
    specifically prohibits this type of crime
  • Variations of the scam mails carry an emotional
    appeal:
    - Deposed leaders and their families (widows,
      sons) and associates (aides, lawyers)
    - Over-invoiced contracts and government
      employees (NNPC, Central Bank of Nigeria)
    - Forgotten accounts, wills and inheritances,
      death-bed claims of wealth
    - Trade deals
    - Assistance getting stolen assets (cash,
      diamonds) out of the country
    - Gifts to charitable or religious organizations
    - Scholarships
!! scammed !!
31
THE FIVE RULES FOR DOING BUSINESS WITH NIGERIA
(Courtesy of The 419 Coalition)
1. NEVER pay anything up front for ANY reason.
2. NEVER extend credit for ANY reason.
3. NEVER do ANYTHING until their check clears.
4. NEVER expect ANY help from the Nigerian Government.
5. NEVER rely on YOUR Government to bail you out.
Not just Nigeria ! These rules apply to doing
business with anyone !
Mountains of gold: An exploratory research on
Nigerian 419-fraud backgrounds
http://419.swpbook.com/
Research was carried out in 2008 by Bureau
Beke and the Police Academy. It is in Dutch and
the first English edition is due any time.
32
AN UNFORTUNATE FACT . TRUE THROUGH THE AGES
  • A fool and his money are easily parted

33
WINNING THE FRAUD GAME USING THE PREVENTION
STRATEGY
We have to smarten up, not be fooled, and win the
game. Prevention measures primarily require the
tweaking of people, process and technology: the
triumvirate on which all security best practices
rest.
34
FRAUD PREVENTION: Corporate / Institutional
Vigilance
(Repeats the bullet list of slide 28, PREVENTION:
Corporate / Institutional Vigilance.)
35
FRAUD PREVENTION Corporate / Institutional
Vigilance
  • Awareness Training for users at all levels;
    there is nothing like low-end or high-end
    training. Use mailers and seminars to reach out.
  • Banks: online issues and how to practice safe
    surfing
  • Stocks / Shares: do your own research, don't
    rely on gossip
  • Identity / Access Management: role based access
    control
  • Policies and Procedures to detect, respond,
    neutralize (or) remediate, report and learn, in
    addition to the IT use / security policy
  • Monitoring: behavior, activity, markets, trends,
    internal controls, technology
  • Risk Management should be proactively built into
    controls that can alert responsible persons when
    a threshold is breached
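Slide 28 asks for log analysis with SIM/SIEM tools and the last bullet above asks for controls that alert when a threshold is breached. The following added example, which is not code from the presentation or from Secure Matrix, runs three such threshold rules in one pass over constructed online-banking events: a large transfer to a payee added minutes earlier, a transfer shortly after a login from an IP the account has never used, and many failed logins across distinct accounts from one IP (credential stuffing). The log lines, the KNOWN_IPS baseline and every threshold are assumptions for this illustration.

```python
"""Threshold alerts over online-banking events (SIEM-style rules).

Added example, not code from the presentation or from Secure Matrix.
The log lines, the KNOWN_IPS baseline and the thresholds are constructed
for this illustration; a real deployment tunes them per institution.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp followed by key=value pairs.
SAMPLE_LOG = """
2009-06-10T10:00:01 event=login_ok acct=A100 ip=10.1.1.5
2009-06-10T10:02:10 event=add_payee acct=A100 payee=P-777
2009-06-10T10:04:30 event=transfer acct=A100 payee=P-777 amount=250000
2009-06-10T10:05:00 event=login_fail acct=A201 ip=203.0.113.7
2009-06-10T10:05:02 event=login_fail acct=A202 ip=203.0.113.7
2009-06-10T10:05:04 event=login_fail acct=A203 ip=203.0.113.7
2009-06-10T10:05:06 event=login_fail acct=A204 ip=203.0.113.7
2009-06-10T10:05:08 event=login_fail acct=A205 ip=203.0.113.7
2009-06-10T10:20:00 event=login_ok acct=A300 ip=198.51.100.9
2009-06-10T10:22:00 event=transfer acct=A300 payee=P-OLD-1 amount=5000
2009-06-10T11:00:00 event=login_ok acct=A400 ip=10.1.1.8
2009-06-10T11:30:00 event=add_payee acct=A400 payee=P-888
2009-06-10T13:00:00 event=transfer acct=A400 payee=P-888 amount=300000
""".strip().splitlines()

# Assumed baseline: IPs each account has been seen from before.
KNOWN_IPS = {"A100": {"10.1.1.5"}, "A300": {"10.2.2.2"}, "A400": {"10.1.1.8"}}

# Assumed thresholds (tune per institution).
LARGE_AMOUNT = 100_000
NEW_PAYEE_WINDOW = timedelta(minutes=10)
NEW_IP_WINDOW = timedelta(minutes=10)
STUFFING_WINDOW = timedelta(minutes=5)
STUFFING_FAILS = 5
STUFFING_ACCOUNTS = 3


def parse_event(line: str) -> dict:
    """'2009-06-10T10:00:01 event=x acct=y' -> {'ts': datetime, 'event': 'x', 'acct': 'y'}"""
    ts_text, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def detect(lines) -> list[tuple[str, str]]:
    """Single pass over time-ordered events; returns (rule, subject) alerts."""
    alerts = []
    new_payees = defaultdict(dict)   # acct -> {payee: time added}
    new_ip_login = {}                # acct -> time of last login from an unknown IP
    fails = defaultdict(deque)       # ip -> deque of (time, acct) failures
    flagged_ips = set()              # alert once per IP

    for ev in map(parse_event, lines):
        ts, kind = ev["ts"], ev["event"]
        if kind == "login_fail":
            # Rule: many failures across distinct accounts from one IP in a sliding window.
            q = fails[ev["ip"]]
            q.append((ts, ev["acct"]))
            while q and ts - q[0][0] > STUFFING_WINDOW:
                q.popleft()
            if (len(q) >= STUFFING_FAILS
                    and len({a for _, a in q}) >= STUFFING_ACCOUNTS
                    and ev["ip"] not in flagged_ips):
                flagged_ips.add(ev["ip"])
                alerts.append(("credential-stuffing", ev["ip"]))
        elif kind == "login_ok":
            if ev["ip"] not in KNOWN_IPS.get(ev["acct"], set()):
                new_ip_login[ev["acct"]] = ts
        elif kind == "add_payee":
            new_payees[ev["acct"]][ev["payee"]] = ts
        elif kind == "transfer":
            acct, amount = ev["acct"], int(ev["amount"])
            # Rule: large transfer to a payee added only minutes earlier.
            added = new_payees[acct].get(ev["payee"])
            if added is not None and ts - added <= NEW_PAYEE_WINDOW and amount >= LARGE_AMOUNT:
                alerts.append(("new-payee-large-transfer", acct))
            # Rule: transfer soon after a login from an IP never seen for this account.
            seen = new_ip_login.get(acct)
            if seen is not None and ts - seen <= NEW_IP_WINDOW:
                alerts.append(("transfer-after-new-ip-login", acct))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```

On the sample, A100 and A300 trip the transfer rules and 203.0.113.7 trips the stuffing rule, while A400 does not: its payee was added 90 minutes before the transfer, outside the window. That last case is the point of a threshold: the rule trades some misses for a manageable alert volume, so the windows and amounts need tuning against the institution's own traffic.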

36
FRAUD PREVENTION Corporate / Institutional
Vigilance
  • Anti-Phishing guidelines (gyaan, i.e. advice)
    must be highlighted on the login page
  • Website Design must be simple. There is too much
    noise, so the user does not care about any
    announcement or warnings. Don't make life
    difficult for the user: e.g. a frequent password
    change is no guarantee against compromise, and if
    you log out the user after he / she has logged in
    and made a password change you are creating an
    unnecessary step in the process
  • Provide Visible Links for Statements, Password
    Change etc. and inform customers that NO email
    will ever carry a clickable link
  • Auto Logout: an inactive log-in is automatically
    logged out
  • Communicate proactively about any problems on
    the website (downtime, hack etc.) and seek to
    educate the user (but this must be in plainspeak)
  • Endpoint Security: regularly check for viruses,
    keyloggers, spyware

37
THE USER
38
BEATING FRAUD
  • Personal Vigilance
  • Rely on Common Sense
  • Check the URL you are going to click (if it is in
    a mail)
  • Bookmark bank URLs and use them to visit the site
  • Do not save passwords using the browser's save
    password feature
  • Be careful about social engineering

39
BEATING FRAUD its Common Sense (to a large
extent)
  • Watch out for phishy / scammy emails and sites
  • Don't click on links within emails that ask for
    your personal information
  • Block pop-ups and never trust a site that is
    asking for your sensitive information in a pop-up;
    if you must, then verify the pop-up source and
    allow only those instances
  • Secure your system by using anti-virus,
    anti-spam and a firewall, and keep them updated
  • Email attachments from known people ? Trust them
    only if it is a known file type. Your system will
    show a cute program icon. In any case, why do you
    want to mess with unknown file types when you
    have enough troubles already !
  • Ask yourself: if someone can make a crore out of
    my thousand, why does that person look like a
    beggar ? And if not, why is he / she doing you a
    favor !
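Slides 38 and 39 say to check the URL before clicking and to distrust attachments whose file type is not what it appears. The following added example, which is not code from the presentation or from Secure Matrix, turns that advice into checks a mail gateway or a cautious user script can run: for links, it flags plain HTTP, user-info tricks (`https://bank@evil/`), IP-literal hosts, punycode labels, a trusted brand name inside an untrusted registrable domain, and anchor text that shows one host while the href points at another; for attachments, it flags executable and double extensions, the right-to-left-override filename trick, and file headers that contradict the claimed extension. TRUSTED_DOMAINS, the sample links and the attachment bytes are constructed, and TWO_LEVEL_SUFFIXES is a deliberately tiny stand-in for the Public Suffix List.

```python
"""Triage checks for links and attachments in e-mail.

Added example, not code from the presentation or from Secure Matrix.
TRUSTED_DOMAINS, the sample links and the attachment bytes are constructed;
TWO_LEVEL_SUFFIXES is a tiny stand-in for the Public Suffix List.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.in"}                 # assumed: the bank's real domain
TWO_LEVEL_SUFFIXES = {"co.in", "co.uk", "com.au"}    # assumed subset of the PSL
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "jar"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}
MAGIC = {"pdf": b"%PDF", "zip": b"PK\x03\x04", "doc": b"\xd0\xcf\x11\xe0", "exe": b"MZ"}


def registrable_domain(host: str) -> str:
    """examplebank.in.evil.example -> evil.example; a.b.co.uk -> b.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-depth:])


def link_findings(anchor_text: str, href: str) -> list[str]:
    """Reasons a link in a mail should not be clicked; empty list = nothing found."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:            # https://examplebank.in@evil.example/
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn-punycode")        # internationalised look-alike
    brand_in_host = any(d.split(".")[0] in host for d in TRUSTED_DOMAINS)
    if host and brand_in_host and registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append("lookalike-domain")    # examplebank.in.secure-verify.ru
    shown = anchor_text.strip()
    if "://" in shown or shown.startswith("www."):
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host.lower() != host:
            findings.append("text-href-mismatch")
    return findings


def attachment_findings(filename: str, head: bytes) -> list[str]:
    """Checks on an attachment's name and its first bytes."""
    findings = []
    if "\u202e" in filename:                 # right-to-left override reverses the tail
        findings.append("rtl-override")
    name = filename.replace("\u202e", "").lower()
    parts = name.split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        findings.append("executable-extension")
    if any(p.strip() in DOC_EXTENSIONS for p in parts[1:-1]):   # invoice.pdf.exe
        findings.append("double-extension")
    expected = MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        findings.append("magic-mismatch")      # claims .pdf, bytes say otherwise
    if head.startswith(b"MZ") and ext not in EXEC_EXTENSIONS:
        findings.append("hidden-executable")   # Windows PE behind a harmless name
    return findings


if __name__ == "__main__":
    samples = [
        ("Log in", "https://examplebank.in/login"),
        ("Log in", "https://examplebank.in.secure-verify.ru/login"),
        ("Verify", "http://203.0.113.7/examplebank/"),
        ("www.examplebank.in", "https://xn--examplebnk-ddb.in/"),
    ]
    for text, href in samples:
        print(href, link_findings(text, href) or ["ok"])
    print("invoice.pdf.exe", attachment_findings("invoice.pdf.exe", b"MZ\x90\x00"))
    print("statement.pdf", attachment_findings("statement.pdf", b"MZ\x90\x00"))
```

The suffix handling is the part to get right in production: without a real Public Suffix List, `registrable_domain` would treat `examplebank.co.in` and `evil.co.in` as the same registrable domain, so a deployed version should use a PSL library rather than the three-entry set above.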

40
BEATING FRAUD some tools will help
  • Google Safe Browsing is an extension to Firefox
    that alerts you if a web page that you visit
    appears to be asking for your personal or
    financial information under false pretences.
  • Link Alert is a Firefox Add-on that will warn you
    of any phishing attempt
  • Phishing Filter for IE 7 and higher from
    Microsoft

41
WHERE ARE WE AND WHERE DO WE GO
  • We are in a state of denial, dispute and (many a
    time) over-confidence
  • Government / Law enforcement / Institutions
    currently seem to work in reactive mode rather
    than proactively address threats / risks
  • Management purse strings have to loosen
  • IT / IT Security is a business function
  • Technical team members have to participate with
    the business group and must communicate in
    plainspeak rather than geekspeak; it is the only
    way they can attract business managers to their
    table
  • Disciplines (Controls) in Security, Governance,
    Risk, Compliance and Continuity have to be
    considered together to be effective

42
RESOURCES
  • http://www.fraud.org
  • URBAN LEGENDS: http://www.snopes.com/
  • http://www.cambusters.org
  • http://www.fbi.org
  • INTERNET CRIME COMPLAINT CENTER:
    http://www.ic3.gov
  • NATIONAL CRIME RECORDS BUREAU: http://ncrb.nic.in/
  • Australian Competition and Consumer Commission:
    www.scamwatch.gov.au
  • http://www.antiphishing.org/
  • http://www.banksafeonline.org.uk/
  • THE UK PAYMENTS ASSOCIATION: http://www.apacs.org.uk/

43
Partner Relationships, Clients, Locations,
44
PRESENTED BY
Dinesh Bareja, CISA, CISM, ITIL, BS 7799 (Imp
LA) - Senior Vice President. Email:
dinesh@securematrix.in
Information Security professional with more
than 11 years of experience in technology in
commercial, operational, functional and project
management roles on multiple large and small
projects in global and domestic
markets. Experienced in establishing ISMS
(Information Security Management System),
planning and implementation of large scale CobiT
implementations, ISO 27001, ERM, BCP/DR,
BIA, Asset Management, Incident Mgt, Governance
and Compliance, VA/PT, AppSec etc. He is also a
member of ISACA, OCEG, itSMF and co-founder of
the Indian Honeynet Project and Open Security
Alliance. You can find him on LinkedIn as the
owner of the India Information Security
Community group.
45
(No Transcript)
46
STRATEGIC RELATIONSHIPS
47
CONTACT US
Registered Office, Mumbai: 12 Oricon House, 14 K.
Dubash Marg, Fort, Mumbai 400 001, INDIA.
T +91 22 3253 7579, F +91 22 2288 6152,
E info@securematrix.in
Technology Centre, Pune: Trident Towers, Office No
3, 2nd Floor, Pashan Road, Bavdhan, Pune 411 021,
INDIA
Technology Centre, Chennai: Plot No. 1, Door No.
5, Venkateshwara Street, Dhanalakshmi Colony,
Vadapalani, Chennai 600 026, INDIA.
Tel +91 44 6526 9369 / +91 44 4305 4114,
Tele Fax +91 44 4204 8620
Dubai: P O Box 5207, Dubai, UAE. Email:
dubai@securematrix.in
48
THANK YOU