Social Engineering and the Updated FFIEC Authentication Guidance - ACUIA

Transcription

Social Engineering and the Updated FFIEC Authentication Guidance
ACUIA Region 4 Meeting, April 2013
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, CliftonLarsonAllen LLP, Information Security Services
2012 CliftonLarsonAllen LLP

Overview
- Social Engineering
- History and evolution of threats
- Original and updated authentication guidance
- Authentication strategies
(Case studies throughout)

Three Reasons Why We Should Care
- Organized Crime – wholesale theft of personal financial information
- Payment Fraud – use of online credentials for ACH, CC and wire fraud
- Repeat the above.

Norton/Symantec Corp. – The Cost
- Cost of global cybercrime: $114 billion annually.
- Time lost due to cybercrime: an additional $274 billion.
- Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

Security is a Business Issue, NOT a Technical Issue
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
Confidentiality – Integrity – Availability

The Fine Art of “People Hacking”
- Social Engineering – what is it?
  – Examples abound in the following movies: Catch Me If You Can, Ocean's 11
- Social Engineering uses non-technical attacks to gain information or access to technical systems
  – Email attacks
  – Pre-text telephone calls
  – Building penetration

How do hackers and fraudsters break in?
Social Engineering relies on the following:
- People want to help
- People want to trust
- The appearance of “authority”
- People want to avoid inconvenience
- Timing, timing, timing

Phishing, Phishing, Phishing
- Social Engineering Email Phishing – “Spear Phishing”
- On-line banking trojans

Early Email Phishing
First generation phishing of consumers:
- Nigerian Email Scam
- eBay and PayPal
- Financial Institutions
- Resource: http://www.millersmiles.co.uk/

Email Phishing – BBB Example

Spear Phishing – “Second Generation” phishing
- Goal is to “root the network”
- Install malware
- Log system activity to harvest passwords
- Use automated tools to execute fraudulent payments
- Trick users into supplying credentials (passwords)

Spear Phishing
- Phishing evolves from basic and crude attacks to more sophisticated attacks
- Increase the likelihood that the emailed link will be followed:
  – “Spoof” the email to appear that it comes from someone in authority
  – Create customized text that combines with the spoofing to create pressure to act quickly (without thinking)

Email – example (truncated URL fragment from the slide: ca/globe/pages/www.paypal.com/)

Email Phishing – Targeted Attack
Randall J. Romes [rromes@larsonallen.com]
Two or three telltale signs that this is not legitimate. Can you find them?


Email Phishing – Targeted Attack
- Fewer telltale signs on fake websites


Phishing Evolves – Corporate Account Takeover
- Examples of phishing messages that resulted in Corporate Account Takeovers

Online Banking Trojans
- Zeus, Odd-Job, SpyEye, Sinowal
- $72 million stolen by international cybercrime gang
- Install back doors or use “Man-in-the-Browser” attack
- Bypass tokens and secret questions
- Display expected info to user – conduct fraud in background
- Intelligent malware and criminals avoid triggering detection
Money Mules
- “Work at Home”
- Re-shipper, insurance settlements processing, etc.
- Sometimes mule is co-conspirator, sometimes victim
- Move money out of the country without triggering alerts

Phone Interactions
Authentication guidance references:
“Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities”
“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information (or the movement of funds to other parties)”
http://www.ffiec.gov/pdf/authentication_guidance.pdf

Phone Interactions – Examples
- Simple phone attacks: “may I help you?”

Lessons Learned – Case Study
- Lessons learned from HELOC fraud events
- Dozens of Credit Unions around the country targeted with pre-text phone calls
- Attackers used information that was available on public websites related to recent mortgage filings

Case Study – Pretext Phone Calls
- The attacks involved several calls to harvest small pieces of member account information
- End goal was to wire funds made available by a HELOC

Case Study – Pretext Phone Calls
Background for HELOC fraud calls
- Several calls posing as “Karl”
- Complete calls (7 calls) total over 45 minutes – including 3 minute pauses while he looks for account #

Case Study – Call #3
Key Takeaways
- Did not know password
- Could not answer backup question (mother's maiden name)
- Gave incorrect address at first
He never really authenticated!!
- Member services relied on member name, account number, and mailing address

Case Study – Call #3 (continued)
She gave out key info and hints:
- “Password is not the online password”
- Validated address on the account
- Joint account holder's first name
- Password is a 4 digit number
- Balances on the mortgage loan and HELOC
- Type of car that is on the auto loan

What happened next?
- Used information from last call to authenticate
- Subsequent calls harvested more information
- Harvested the wire transfer cut off times
- Called back the same day and requested the wire
- Used pressure – daughter needed money that day
- Had all the right information – requested the wire
- Financial Institution followed their verification procedures – stopped transfer
- Another Financial Institution was not so lucky ($700,000)

Lessons Learned
- What elements of the service culture approach put the service representatives in a position to fail?
- What things did the attacker prey on?

Lessons Learned – Pretext Phone Calls
- Train, train, train – AWARENESS
- Escalate calls to manager if security questions fail or are incomplete
- Establish a combination of authentication questions that must be answered correctly before giving out ANY information
- Attach all telephone call recordings to member numbers
  – Aids in search when one incident is detected

Example of Phone Call Procedures
MCS Member Identification
All reps that deal with members requesting to access their accounts are required to ask three (3) of the twelve (12) questions listed below.
- Date of Birth
- Password
- Last four numbers of Social Security Number
- Last transaction date and amount
- Verification of permanent mailing address (P.O. Boxes not acceptable*)
- Home phone number
- Joint member's name
- Joint member's Social Security Number
- Hire Date
- Join Date
- Beneficiary Names
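A worked version of this procedure, added here as an example and not part of the presentation or any credit union's system: it encodes the three-of-twelve rule together with the escalation lesson from the previous slide, and replays call #3 from the case study against it. The member record, the question names and both sets of answers are constructed.

```python
from typing import Dict, List, Tuple

# Constructed member record for this example (not a real person or account).
MEMBER_RECORD = {
    "date_of_birth": "1961-04-12",
    "password": "4471",                  # the 4-digit phone password from the case study
    "ssn_last4": "9932",
    "last_transaction": "2013-03-28 125.40",
    "mailing_address": "12 Elm St, Springfield",
    "home_phone": "555-0132",
    "joint_member_name": "Pat",
}
REQUIRED_CORRECT = 3                     # "three (3) of the twelve (12) listed questions"
IDENTIFIERS = {"member_name", "account_number"}  # locate the record, authenticate nothing

def _norm(value: str) -> str:
    """Tolerate case and punctuation differences in spoken answers."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def verify_caller(answers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ("verified", []) or ("escalate", reasons).

    Every question asked must be answered correctly and at least REQUIRED_CORRECT
    must pass; a wrong or missing answer escalates to a manager instead of letting
    the rep fall back on name, account number and address as in call #3.
    """
    reasons, correct = [], 0
    for question, given in answers.items():
        if question in IDENTIFIERS:
            continue
        if question not in MEMBER_RECORD:
            reasons.append(f"{question}: not an approved question")
        elif not given or not given.strip():
            reasons.append(f"{question}: caller could not answer")
        elif _norm(given) != _norm(MEMBER_RECORD[question]):
            reasons.append(f"{question}: wrong answer")
        else:
            correct += 1
    if correct < REQUIRED_CORRECT:
        reasons.append(f"only {correct} of {REQUIRED_CORRECT} required questions passed")
    return ("verified", []) if not reasons else ("escalate", reasons)

# Replay of case-study call #3: right name, account number and (eventually) address,
# but no password; under this policy the rep escalates instead of helping.
PRETEXT_CALL = {"member_name": "A. Member", "account_number": "100234",
                "mailing_address": "12 Elm St Springfield", "password": ""}
# A genuine member answering three approved questions correctly.
GENUINE_CALL = {"account_number": "100234", "date_of_birth": "1961-04-12",
                "password": "4471", "home_phone": "555-0132"}
```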

“Amateurs hack systems, professionals hack people.” – Bruce Schneier
Key tips for all users

Kevin Mitnick vs Tsutomu Shimomura

Physical (Facility) Security
- Compromise the site: “Hi, Joe said he would let you know I was coming to fix the printers”
- Plant devices: keystroke loggers, wireless access point, thumb drives (“Switch Blade”)
- Examples
- Steal hardware
(truncated link fragment on the slide: s/Here s how a slick reaches.htm)

Case Study Examples for Social Engineering Audits

Swimming with the Sharks?

Evolution of FFIEC Authentication Guidance
- History and evolution of threats
- “Mr. Jesse James, why do you rob banks?”

Original Authentication Guidance
- 2001 Authentication Guidance
- 2005 Authentication Guidance
- 2011 Authentication Guidance

Multi-Factor Authentication Solutions
- Authentication guidance calls for stronger authentication
  – Authentication factors
  – Multi-factor authentication

Phishing and ACH – In the News
Customer Sues Bank
- $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US; withdrawn soon after the deposits were made.
- Alleges that the bank failed to notice unusual activity.
- Until the fraudulent transactions were made, customer had made just two wire transfers ever.
- In just a three-hour period, 47 wire transfer requests were made.
- In addition, after customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.

Phishing and ACH – Two Direct Examples
- Business owner receives multiple emails: “Wire Transfer Cancelled”
- Finance staff open message – follow links
- Key logging software installed
- Fraudsters use obtained credentials
- Create 2 payroll ACH files – $500,000

Phishing and ACH – Two Direct Examples
- Finance person receives “2000 spam messages”
- Later in the day, fraudsters make three ACH transfers all within 30 minutes:
  – $8,000 to Houston
  – Two transfers for $540,000 each to Romania
- In this case, business insists the following controls were not followed:
  – Dollar limit/thresholds were exceeded
  – Call back verification did not occur
- This one is on-going

Updated Authentication Guidance
- Risk Assessment, Risk Assessment, Risk Assessment
- At least annually or after “changes”
- Changes in the internal and external threat environment,
  – including those discussed in the Appendix of the Supplement
- Changes in the customer base
- Changes in the customer functionality
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Updated Authentication Guidance
- Do not rely on single control
  – Controls need to increase as risk increases
  – Multi-layer
  – Additional controls at different points in transaction/interaction with member
- Technical (IT/systems) controls

Updated Authentication Guidance (2)
- Specific authentication guidance
  – Device identification
  – Challenge questions
  – Multifactor and two factor authentication
  – “Out of band” authentication

Controls for Layered Security
- Control of administrative functions
- Enhanced controls around payment authorization and verification
  – “Positive Pay” features
  – Dual authorization
  – “Call back” verification
- Detection and response to suspicious activity
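The payment-side layers on this slide applied to the ACH case from the “Two Direct Examples” slides, as an added example that is not part of the presentation or any bank's system: each outbound request is checked against a dollar threshold, a request-velocity window (the 47 wire requests in three hours from the lawsuit slide), the customer's usual destinations, dual authorization, call-back verification and a fraud hold. The profile values, dates and batch are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

@dataclass
class PaymentRequest:
    when: datetime
    amount: float
    country: str
    second_approver: Optional[str]  # dual authorization: the second person who approved
    callback_confirmed: bool        # call back to a phone number on file succeeded

@dataclass
class CustomerProfile:
    per_item_limit: float           # dollar threshold agreed with the customer
    window_limit: int               # maximum requests in any 3-hour window
    usual_countries: Set[str]
    fraud_hold: bool = False        # set the moment the customer reports a compromise

def review_payment(profile: CustomerProfile, earlier: List[PaymentRequest],
                   req: PaymentRequest) -> List[str]:
    """Apply every layer independently; an empty list means the payment may be released."""
    flags = []
    if profile.fraud_hold:
        flags.append("account on fraud hold")
    if req.amount > profile.per_item_limit:
        flags.append(f"amount {req.amount:,.0f} exceeds limit {profile.per_item_limit:,.0f}")
    recent = [e for e in earlier if timedelta(0) <= req.when - e.when <= timedelta(hours=3)]
    if len(recent) + 1 > profile.window_limit:
        flags.append(f"velocity: {len(recent) + 1} requests within 3 hours")
    if req.country not in profile.usual_countries:
        flags.append(f"destination {req.country} outside customer's usual countries")
    if req.second_approver is None:
        flags.append("no dual authorization")
    if not req.callback_confirmed:
        flags.append("call-back verification not performed")
    return flags

def screen_batch(profile: CustomerProfile, requests: List[PaymentRequest]) -> List[List[str]]:
    """Review in order; every attempt, released or held, counts toward velocity."""
    return [review_payment(profile, requests[:i], req) for i, req in enumerate(requests)]

# Constructed batch modelled on the slide: three ACH transfers inside 30 minutes,
# $8,000 to Houston and two of $540,000 to Romania with no second approver or call back.
T0 = datetime(2013, 4, 1, 15, 0)
BATCH = [PaymentRequest(T0, 8_000, "US", "controller", True),
         PaymentRequest(T0 + timedelta(minutes=10), 540_000, "RO", None, False),
         PaymentRequest(T0 + timedelta(minutes=25), 540_000, "RO", None, False)]
PROFILE = CustomerProfile(per_item_limit=50_000, window_limit=2, usual_countries={"US"})
```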

Controls for Layered Security (2)
- Customer awareness and education
  – Explanation of protections provided and not provided
  – How the credit union may contact a member on an unsolicited basis
  – A suggestion that commercial online banking members perform assessment and controls evaluation periodically
  – A listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk
  – A listing of credit union contacts for members' discretionary use to report suspected fraud

Definition of a Secure System
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
Rules – People – Tools
Confidentiality – Integrity – Availability

Questions?

Thank you!
Randy Romes
CliftonLarsonAllen LLP, Information Security Services
Randy.Romes@cliftonlarsonallen.com
612-397-3114

References – FFIEC
- ec.gov/pdf/pr080801.pdf (2001) (link truncated on the slide)
- http://www.ffiec.gov/pdf/authentication_guidance.pdf
- 206-22-11%20(FFIEC%20Formated).pdf (2011) (link truncated on the slide)

References
- Bank Info Security: http://ffiec.bankinfosecurity.com/
- FDIC ACH Advisories: ndex.html (link truncated on the slide)
- SANS report (2009): risks/summary.php (link truncated on the slide)
