Information Technology Fraud Prevention and Detection - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Information Technology Fraud Prevention and
Detection
  • Sujith Ambady

2
Agenda
  • Real-world Case Studies
  • Lessons Learnt
  • Types of Fraud
  • Fraud Prevention and Detection
  • Conclusions
  • Q&A

3
Speaker Profile: Sujith Ambady
  • Head Trainer at the Institute of Information
    Security (training wing of Network Intelligence)
    and Security Analyst at Network Intelligence.
  • Over 9 years of experience in
  • Electronic Banking Operations and Security
  • IT Infrastructure Design and Training Consultant
  • Certifications
  • RHCE
  • RHCSA
  • Speaker at Mumbai Null Chapter
  • Trained corporate SOC and Software team on
    Reverse Engineering, Malware analysis, Secure
    Coding and Web Application Penetration Testing
  • MBA in Information Management

4
Fraud
  • Fraud encompasses a wide range of irregularities
    and illegal acts characterized by intentional
    deception or misrepresentation.
  • The IIA's IPPF defines fraud as: "Any illegal act
    characterized by deceit, concealment, or
    violation of trust. These acts are not dependent
    upon the threat of violence or physical force.
    Frauds are perpetrated by parties and
    organizations to obtain money, property, or
    services; to avoid payment or loss of services;
    or to secure personal or business advantage."
  • "A knowing misrepresentation of the truth or
    concealment of a material fact to induce another
    to act to his or her detriment." - Bryan Garner,
    ed., Black's Law Dictionary, 8th ed. (2004),
    s.v. "fraud".

5
Types of Fraud
  • Internal Fraud or occupational fraud
  • Corporate Espionage
  • Data Leakage and Theft
  • Intellectual Property and Trade Secret Theft
  • Financial Fraud
  • External Fraud
  • Identity Theft
  • Malware Attacks
  • Amateur Fraud (across all CNP, card-not-present, sales channels)
  • Phishing
  • Fraud Against Individuals

6
Why does Fraud Occur?
  • Fraud triangle - Dr. Donald Cressey

7
How Does Technology Impact Financial Fraud?
8
Corporate Espionage
  • Case Study 1

9
Targeting and Exploitation Cycle
10
It could be in your backyard!
11
(No Transcript)
12
Conmen used 580 duplicate cards to dupe bank of
Rs 2.84cr
  • Kotak Mahindra Bank - 1,730 transactions worth Rs
    2.84 crore using Credit Cards that were not
    issued.
  • 580 Cards used in seven countries -- Canada, USA,
    UK, Germany, Brazil, France and India - between
    July 2 and September 10.
  • An internal probe by the bank revealed that the
    cards were created by stealing data from a newly
    created series of unissued cards, all within the
    BIN (Bank Identification Number) range.

13
Conmen used 580 duplicate cards to dupe bank of
Rs 2.84cr (cont.)
  • The new card series order was raised by the
    bank's product team and an order was given to DZ
    Card India Ltd at Gurgaon that has acquired the
    contract to create the bank's cards. The bank had
    generated and registered three BIN Range
    (numbers) of the new cards (Visa and
    MasterCard)... Unknown fraudsters forged and
    fabricated (the) cards and used the same as
    genuine.

14
Shoulder surfing
15
Phishing
16
(No Transcript)
17
Fake Book
18
Solutions
  • Increasing user awareness
  • Strong policies against misuse of end-point
    systems
  • Strong monitoring controls
  • Personnel security controls
  • Run social engineering tests as part of your
    audits

19
Cyber-Crime and
  • Case Study 2

20

21
(No Transcript)
22
The biggest hack in history
  • How to build a multinational multi-billion dollar
    enterprise overnight!

23
Gonzalez, TJX and Heart-break-land
  • >200 million credit card numbers stolen
  • Heartland Payment Systems, 7-Eleven, and two US
    national retailers hacked
  • Modus operandi
  • Visit retail stores to understand workings
  • Hack wireless networks
  • Analyze websites for vulnerabilities
  • Hack in using SQL injection
  • Inject malware
  • Sniff for card numbers and details
  • Hide tracks

24
The hacker underground
  • Albert Gonzalez
  • a/k/a segvec,
  • a/k/a soupnazi,
  • a/k/a j4guar17
  • Malware, scripts and hacked data hosted on
    servers in
  • Latvia
  • Netherlands
  • IRC chats
  • March 2007, Gonzalez: "planning my second phase
    against Hannaford"
  • December 2007, Hacker P.T.: "that's how HACKER 2
    hacked Hannaford."

(Map labels: Ukraine, New Jersey, California)
25
TJX direct costs
  • $200 million in fines/penalties
  • $41 million to Visa
  • $24 million to MasterCard
26
Solutions
  • A single vulnerability in an Internet-facing web
    application could lead to disaster
  • Blind reliance on technology based on
    product/vendor reputation is a bad idea
  • Strong logging controls
  • Fraud risk assessment is different from a regular
    audit
  • Think like a fraudster to identify fraudulent
    areas and implement adequate controls
  • Concurrent monitoring via ACL or BI tools is
    also important
  • Identify red flags and put in place systems to
    monitor for these

27
Leveraging Technology
  • Data Leakage Prevention
  • Information Rights Management
  • Email Gateway Filtering
  • Security Controls by Design
  • Identity Access Control Management
  • Encryption
  • Business Intelligence Solutions
  • Revenue Assurance / Fraud Management Solutions

28
Technology Red Flags
  • Systems crashing
  • Audit trails not available
  • Mysterious system user IDs
  • Weak password controls
  • Simultaneous logins
  • Across-the-board transactions
  • Transactions that violate trends: weekends,
    excessive amounts, repetitive amounts
  • Reluctance to take leave or accept input/help
  • Reluctance to switch over to a new system

29
Fraud Prevention Strategies
  • Set Purchase Limits
  • Monitor Bill to/Ship to Mismatches
  • Pay Attention to the Time of Day
  • Ask a Secret Question
  • Manage Passwords
  • Account Change Notification
  • Use Proxy Piercing / IP Geolocation Technology
  • Apply Device Fingerprinting Technology
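
Most of the red flags on the "Technology Red Flags" and "Fraud Prevention Strategies" slides are rule-style checks that a monitoring system can script. The block below is an added example, not code from the presentation or from Network Intelligence: it runs those rules (simultaneous logins from different addresses, weekend and off-hours transactions, over-limit and repetitive amounts, bill-to/ship-to mismatches) over a handful of constructed login and transaction records. The thresholds, account IDs, IP addresses and dates are all constructed assumptions to be tuned per business.

```python
"""Rule-based screening for the red flags listed on the slides.

Added example; records and thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed thresholds (assumptions; tune to the business).
PURCHASE_LIMIT = 5000.0                 # "Set purchase limits"
REPEAT_MIN = 3                          # same account + same amount N times
BUSINESS_HOURS = range(8, 20)           # local hours considered normal
LOGIN_OVERLAP = timedelta(minutes=30)   # window for "simultaneous" logins

# Constructed login events: (user id, timestamp, source IP).
LOGINS = [
    ("alice", datetime(2013, 3, 4, 9, 0), "10.0.0.5"),
    ("alice", datetime(2013, 3, 4, 9, 10), "203.0.113.7"),   # 2nd IP, 10 min later
    ("bob", datetime(2013, 3, 4, 9, 0), "10.0.0.6"),
    ("bob", datetime(2013, 3, 4, 14, 0), "10.0.0.9"),        # 5 h later: normal
]

# Constructed transactions (2013-03-04 is a Monday, 2013-03-09 a Saturday).
TXNS = [
    {"id": "T1", "account": "A1", "ts": datetime(2013, 3, 4, 10, 0),
     "amount": 120.0, "bill_country": "IN", "ship_country": "IN"},
    {"id": "T2", "account": "A1", "ts": datetime(2013, 3, 9, 11, 0),
     "amount": 120.0, "bill_country": "IN", "ship_country": "IN"},
    {"id": "T3", "account": "A2", "ts": datetime(2013, 3, 4, 2, 30),
     "amount": 7500.0, "bill_country": "IN", "ship_country": "US"},
    {"id": "T4", "account": "A3", "ts": datetime(2013, 3, 5, 10, 0),
     "amount": 999.0, "bill_country": "IN", "ship_country": "IN"},
    {"id": "T5", "account": "A3", "ts": datetime(2013, 3, 5, 10, 5),
     "amount": 999.0, "bill_country": "IN", "ship_country": "IN"},
    {"id": "T6", "account": "A3", "ts": datetime(2013, 3, 5, 10, 10),
     "amount": 999.0, "bill_country": "IN", "ship_country": "IN"},
]


def flag_simultaneous_logins(logins):
    """Return (user, ip1, ip2) for consecutive logins of the same user ID
    from two different addresses within LOGIN_OVERLAP ("Simultaneous logins")."""
    by_user = defaultdict(list)
    for user, ts, ip in logins:
        by_user[user].append((ts, ip))
    flags = []
    for user, sessions in by_user.items():
        sessions.sort()  # chronological order per user
        for (t1, ip1), (t2, ip2) in zip(sessions, sessions[1:]):
            if ip1 != ip2 and t2 - t1 <= LOGIN_OVERLAP:
                flags.append((user, ip1, ip2))
    return flags


def flag_transactions(txns):
    """Map transaction id -> list of red-flag reasons; clean records are omitted."""
    # Pre-count (account, amount) pairs to spot repetitive amounts.
    repeats = Counter((t["account"], t["amount"]) for t in txns)
    flagged = {}
    for t in txns:
        reasons = []
        ts = t["ts"]
        if ts.weekday() >= 5:                       # Saturday/Sunday
            reasons.append("weekend")
        if ts.hour not in BUSINESS_HOURS:           # "Pay attention to time of day"
            reasons.append("off-hours")
        if t["amount"] > PURCHASE_LIMIT:            # "Set purchase limits"
            reasons.append("over-limit")
        if repeats[(t["account"], t["amount"])] >= REPEAT_MIN:
            reasons.append("repetitive-amount")
        if t["bill_country"] != t["ship_country"]:  # "Bill to/Ship to mismatch"
            reasons.append("bill/ship mismatch")
        if reasons:
            flagged[t["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, ip1, ip2 in flag_simultaneous_logins(LOGINS):
        print(f"LOGIN  {user}: {ip1} and {ip2} within {LOGIN_OVERLAP}")
    for txn_id, reasons in flag_transactions(TXNS).items():
        print(f"TXN    {txn_id}: {', '.join(reasons)}")
```

Each rule is deliberately simple so an auditor can read it against the slide it implements; in a real deployment the thresholds would come from the fraud risk assessment rather than from constants, and the flagged records would feed a case queue rather than stdout.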

30
Conclusions
  • Governance: Policies, Procedures and
    Organizational Framework
  • Application Controls
  • Infrastructure Controls
  • Server
  • Network
  • End-point
  • Technological Controls for Fraud Detection,
    Prevention and Data Security
  • Training and Awareness
  • Fraud-focused Reporting
  • Audit Trail and Forensics

31
Q&A / Thank you!
  • Sujith Ambady
  • Head Trainer and Security Analyst
  • Sujith.Ambady@niiconsulting.com
  • https://in.linkedin.com/pub/sujith-ambady/9b/245/abb
  • http://itsecuritymonk.wordpress.com