Transcription
Social Engineering and the Updated FFIEC Authentication Guidance
ACUIA Region 4 Meeting, April 2013
Randy Romes, CISSP, CRISC, MCP, PCI-QSA
Principal, CliftonLarsonAllen LLP, Information Security Services
© 2012 CliftonLarsonAllen LLP
Overview
- Social Engineering
- History and evolution of threats
- Original and updated authentication guidance
- Authentication strategies
(Case studies throughout)
Three Reasons Why We Should Care
- Organized Crime: wholesale theft of personal financial information
- Payment Fraud: use of online credentials for ACH, CC and wire fraud
- Repeat the above.
Norton/Symantec Corp. – The Cost
- Cost of global cybercrime: $114 billion annually.
- Time lost due to cybercrime: an additional $274 billion.
- Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).
Security is a Business Issue, NOT a Technical Issue
"A secure system is one we can depend on to behave as we expect."
Source: "Web Security and Commerce" by Simson Garfinkel with Gene Spafford
Confidentiality, Integrity, Availability
The Fine Art of "People Hacking"
- Social Engineering
  - What is it?
  - Examples abound in the following movies: Catch Me If You Can; Ocean's 11
- Social Engineering uses non-technical attacks to gain information or access to technical systems
  - Email attacks
  - Pre-text telephone calls
  - Building penetration
How do hackers and fraudsters break in?
Social Engineering relies on the following:
- People want to help
- People want to trust
- The appearance of "authority"
- People want to avoid inconvenience
- Timing, timing, timing
Phishing, Phishing, Phishing
- Social Engineering
- Email Phishing
  - "Spear Phishing"
- On-line banking trojans
Early Email Phishing
- First generation phishing of consumers:
  - Nigerian Email Scam
  - eBay and PayPal
  - Financial Institutions
  - Resource: http://www.millersmiles.co.uk/
Email Phishing – BBB Example
Spear Phishing: "Second Generation" phishing
- Goal is to "root the network"
- Install malware
- Log system activity to harvest passwords
- Use automated tools to execute fraudulent payments
- Trick users into supplying credentials (passwords)
Spear Phishing
- Phishing evolves from basic and crude attacks to more sophisticated attacks
- Increase the likelihood that the emailed link will be followed:
  - "Spoof" the email to appear that it comes from someone in authority
  - Create a customized text that combines with the spoofing to create pressure to act quickly (without thinking)
Email example (screenshot; visible URL fragment: ca/globe/pages/www.paypal.com/)
Email Phishing – Targeted Attack
Randall J. Romes [rromes@larsonallen.com]
Two or three telltale signs that this is not legitimate. Can you find them?
Email Phishing – Targeted Attack
- Fewer telltale signs on fake websites
Phishing Evolves – Corporate Account Takeover
- Examples of phishing messages that resulted in Corporate Account Takeovers
Online Banking Trojans
- Zeus, OddJob, SpyEye, Sinowal
- $72 million stolen by international cybercrime gang
- Install back doors or use "Man-in-the-Browser" attack
- Bypass tokens and secret questions
- Display expected info to user; conduct fraud in background
- Intelligent malware and criminals avoid triggering detection
Money Mules
- "Work at Home"
- Re-shipper, insurance settlements processing, etc.
- Sometimes mule is co-conspirator, sometimes victim
- Move money out of the country without triggering alerts
Phone Interactions
Authentication guidance references:
"Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities."
"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information (or the movement of funds to other parties)."
http://www.ffiec.gov/pdf/authentication_guidance.pdf
Phone Interactions – Examples
- Simple phone attacks: "...may I help you?"
Lessons Learned – Case Study
- Lessons learned from HELOC fraud events
- Dozens of credit unions around the country targeted with pre-text phone calls
- Attackers used information that was available on public websites related to recent mortgage filings
Case Study – Pretext Phone Calls
- The attacks involved several calls to harvest small pieces of member account information
- End goal was to wire funds made available by a HELOC
Case Study – Pretext Phone Calls
Background for HELOC fraud calls
- Several calls posing as "Karl"
- Complete calls (7 calls) total over 45 minutes, including 3-minute pauses while he looks for the account #
Case Study – Call #3
- Key Takeaways
  - Did not know password
  - Could not answer backup question (mother's maiden name)
  - Gave incorrect address at first
- He never really authenticated!!
- Member services relied on member name, account number, and mailing address
Case Study – Call #3 (continued)
- She gave out key info and hints:
  - "Password is not the online password"
  - Validated address on the account
  - Joint account holder's first name
  - Password is a 4-digit number
  - Balances on the mortgage loan and HELOC
  - Type of car that is on the auto loan
What happened next?
- Used information from last call to authenticate
- Subsequent calls harvested more information
- Harvested the wire transfer cut-off times
- Called back the same day and requested the wire
- Used pressure: daughter needed money that day
- Had all the right information; requested the wire
- Financial institution followed their verification procedures; stopped transfer
- Another financial institution was not so lucky ($700,000)
Lessons Learned
- What elements of the service culture approach put the service representatives in a position to fail?
- What things did the attacker prey on?
Lessons Learned – Pretext Phone Calls
- Train, train, train: AWARENESS
- Escalate calls to manager if security questions fail or are incomplete
- Establish a combination of authentication questions that must be answered correctly before giving out ANY information
- Attach all telephone call recordings to member numbers
  - Aids in search when one incident is detected
Example of Phone Call Procedures
MCS Member Identification
All reps that deal with members requesting to access their accounts are required to ask three (3) of the twelve (12) questions listed below.
- Date of Birth
- Password
- Last four numbers of Social Security Number
- Last transaction date and amount
- Verification of permanent mailing address (P.O. Boxes not acceptable*)
- Home phone number
- Joint member's name
- Joint member's Social Security Number
- Hire Date
- Join Date
- Beneficiary Names
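The two slides above describe the policy (three of the listed questions must be answered correctly before ANY information is given out, and failures escalate) and the case study shows what happens when a rep confirms or corrects facts one at a time. The following is an added example, not code from the presentation or the credit union: it encodes that policy as a small state machine. The question ids follow the MCS list; the member record and the caller's answers are constructed sample data, and the "any miss escalates" rule is the slide's, not an official procedure.

```python
from dataclasses import dataclass, field

REQUIRED_CORRECT = 3  # slide policy: three of the listed questions

# Question ids taken from the slide's MCS Member Identification list.
QUESTIONS = (
    "date_of_birth", "password", "ssn_last4", "last_transaction",
    "mailing_address", "home_phone", "joint_member_name",
    "joint_member_ssn", "hire_date", "join_date", "beneficiary_names",
)

def _norm(value):
    return " ".join(str(value).lower().split())

def _is_po_box(address):
    # Slide rule: P.O. Boxes are not acceptable as the verified mailing address.
    a = _norm(address).replace(".", "")
    return a.startswith("po box") or a.startswith("p o box")

@dataclass
class IdCheck:
    record: dict                      # member data on file (constructed sample)
    asked: list = field(default_factory=list)
    correct: int = 0
    failed: bool = False

    def ask(self, question, answer):
        """Score one answer. A single miss fails the whole session, so the rep
        never confirms or corrects individual facts for the caller."""
        if question not in QUESTIONS or question in self.asked:
            raise ValueError("unknown or repeated question: %s" % question)
        self.asked.append(question)
        on_file = self.record.get(question)
        ok = on_file is not None and _norm(answer) == _norm(on_file)
        if question == "mailing_address" and _is_po_box(answer):
            ok = False
        if ok:
            self.correct += 1
        else:
            self.failed = True
        return self.decision()

    def decision(self):
        """'escalate' on any miss, 'ok' once three answers are correct with no
        misses, otherwise 'continue': ask another question, disclose nothing."""
        if self.failed:
            return "escalate"
        return "ok" if self.correct >= REQUIRED_CORRECT else "continue"

    def may_disclose(self):
        """Every account fact (balances, joint holder, password format) is
        gated behind a completed check."""
        return self.decision() == "ok"
```

Under this policy the Call #3 caller, who missed the password and the backup question, is escalated on the first miss and is told nothing, rather than being handed hints about the password format and the joint holder.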
"Amateurs hack systems, professionals hack people." – Bruce Schneier
Key tips for all users
Kevin Mitnick vs. Tsutomu Shimomura
Physical (Facility) Security
- Compromise the site: "Hi, Joe said he would let you know I was coming to fix the printers."
- Plant devices:
  - Keystroke loggers
  - Wireless access point
  - Thumb drives ("Switch Blade")
- Examples: Steal hardware
s/Here s how a slick reaches.htm
Case Study Examples for Social Engineering Audits
Swimming with the Sharks?
Evolution of FFIEC Authentication Guidance
- History and evolution of threats
- "Mr. Jesse James, why do you rob banks?"
Original Authentication Guidance
- 2001 Authentication Guidance
- 2005 Authentication Guidance
- 2011 Authentication Guidance
Multi-Factor Authentication Solutions
- Authentication guidance calls for stronger authentication
  - Authentication factors
  - Multi-factor authentication
Phishing and ACH – In the News
Customer Sues Bank
- $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US; withdrawn soon after the deposits were made.
- Alleges that the bank failed to notice unusual activity.
- Until the fraudulent transactions were made, the customer had made just two wire transfers ever.
- In just a three-hour period, 47 wire transfer requests were made.
- In addition, after the customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.
Phishing and ACH – Two Direct Examples
- Business owner receives multiple emails: "Wire Transfer Cancelled"
- Finance staff open message; follow links
- Key logging software installed
- Fraudsters use obtained credentials
- Create 2 payroll ACH files: $500,000
Phishing and ACH – Two Direct Examples
- Finance person receives "2000 spam messages"
- Later in the day, fraudsters make three ACH transfers, all within 30 minutes:
  - $8,000 to Houston
  - Two transfers for $540,000 each to Romania
- In this case, business insists the following controls were not followed:
  - Dollar limit/thresholds were exceeded
  - Call back verification did not occur
- This one is on-going
Updated Authentication Guidance
- Risk Assessment, Risk Assessment, Risk Assessment
- At least annually or after "changes":
  - Changes in the internal and external threat environment, including those discussed in the Appendix of the Supplement
  - Changes in the customer base
  - Changes in the customer functionality
  - Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry
Updated Authentication Guidance
- Do not rely on a single control
  - Controls need to increase as risk increases
  - Multi-layer
  - Additional controls at different points in the transaction/interaction with the member
- Technical (IT/systems) controls
Updated Authentication Guidance (2)
- Specific authentication guidance
  - Device identification
  - Challenge questions
  - Multifactor and two-factor authentication
  - "Out of band" authentication
Controls for Layered Security
- Control of administrative functions
- Enhanced controls around payment authorization and verification
  - "Positive Pay" features
  - Dual authorization
  - "Call back" verification
- Detection and response to suspicious activity
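To show how the layered payment controls listed above (dollar thresholds, call-back verification, dual authorization, and detection of suspicious activity) fit together, here is an added example that is not code from the presentation or from any institution. It evaluates a batch of payment requests against those layers and is run, in the test, over the two cases on the earlier slides: the $8,000/$540,000/$540,000 ACH batch where call-back did not occur, and the customer with two wires ever who saw 47 requests in three hours. All threshold and velocity values are constructed for the example, not taken from the FFIEC guidance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Policy values are constructed for this example, not from any guidance.
CALLBACK_THRESHOLD = 25_000    # above this, call-back verification is required
DUAL_AUTH_THRESHOLD = 100_000  # above this, a second approver is also required
VELOCITY_WINDOW = timedelta(hours=3)
VELOCITY_LIMIT = 5             # requests per window before the batch is held
DOMESTIC = "US"

@dataclass
class Transfer:
    amount: float
    country: str                          # beneficiary bank country (ISO code)
    when: datetime
    callback_verified: bool = False       # rep called the customer back on a known number
    second_approver: Optional[str] = None # dual authorization by a second user

def review(transfers: List[Transfer], history: List[datetime]) -> List[List[str]]:
    """Apply the layered release controls to each request in order.

    `history` holds timestamps of the customer's prior transfers (their normal
    volume). Returns one list of hold reasons per request; an empty list means
    the request may be released."""
    results = []
    seen = list(history)
    for t in transfers:
        reasons = []
        # Layer 1: dollar thresholds drive out-of-band call-back verification.
        if t.amount > CALLBACK_THRESHOLD and not t.callback_verified:
            reasons.append("call-back verification missing")
        # Layer 2: large payments also need dual authorization.
        if t.amount > DUAL_AUTH_THRESHOLD and not t.second_approver:
            reasons.append("dual authorization missing")
        # Layer 3: a foreign beneficiary is never released on credentials alone.
        if t.country != DOMESTIC and not t.callback_verified:
            reasons.append("foreign beneficiary without call-back")
        # Layer 4: velocity check against the customer's own recent activity.
        recent = [w for w in seen if t.when - w <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:
            reasons.append("velocity: %d requests in %s" % (len(recent) + 1, VELOCITY_WINDOW))
        seen.append(t.when)          # held requests still count toward velocity
        results.append(reasons)
    return results
```

Because the controls are independent layers, stolen online credentials alone satisfy none of the call-back, dual-authorization or velocity checks, which is the point of the guidance's "do not rely on a single control".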
Controls for Layered Security (2)
- Customer awareness and education
  - Explanation of protections provided and not provided
  - How the credit union may contact a member on an unsolicited basis
  - A suggestion that commercial online banking members perform assessment and controls evaluation periodically
  - A listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk
  - A listing of credit union contacts for members' discretionary use to report suspected fraud
Definition of a Secure System
"A secure system is one we can depend on to behave as we expect."
Source: "Web Security and Commerce" by Simson Garfinkel with Gene Spafford
Rules, People, Tools
Confidentiality, Integrity, Availability
Questions?
Thank you!
Randy Romes
CliftonLarsonAllen LLP, Information Security Services
Randy.Romes@cliftonlarsonallen.com
612-397-3114
References
- FFIEC:
  - ec.gov/pdf/pr080801.pdf (2001)
  - http://www.ffiec.gov/pdf/authentication_guidance.pdf
  - 206-22-11%20(FFIEC%20Formated).pdf (2011)
References
- Bank Info Security: http://ffiec.bankinfosecurity.com/
- FDIC ACH Advisories: ndex.html
- SANS report (2009): risks/summary.php