Post on 20-Sep-2020
transcript
1
Who can it be now?
FinTech Innovation and Emerging Financial Crime Typologies: Emerging Risks and How to Disrupt Them
Anti-Financial Crime Symposium – Nordics
25 October 2018
2
Moderator:
Rajeev Ahya - Financial Crime SME, ACAMS
Panel Members:
Rose Bernard - Senior Intelligence Development Analyst, Digital Shadows
Juho Hasa - Tax Auditor, Finnish Tax Administration
Johan Landström - Co-Founder / Head of Lab, Acuminor AB
3
Ask questions via slido.com
Event code: #nordics
4
Monitoring Cryptocurrencies
Juho Hasa - Tax Auditor, Finnish Tax Administration
5
How do we obtain the relevant Data?
Legal background to retrieve third party data:
Tax Act on Assessment Procedure (TAP)
Tax audit can also be carried out solely for the purpose of collecting data that can be used for any other investigation, even related to another taxpayer.
21. Act: Third Party Audit
6
How do we obtain the relevant Data?
Legal background to retrieve third party data (continued):
Tax Act on Assessment Procedure (TAP)
The Filer must identify information in addition to the name with personal ID number and / or corporate ID number, or if this information is not available, other identification and contact information must be provided.
22. Act: Special rules concerning the information
7
Sources of Data
Finnish Companies
• Increased likelihood of False Identity
• BTC FIAT Conversion Transactions
• BTC Purchase of Goods & Services through payment of bills
Finnish Banks
• Strong chance of correct identification
• €-deposits to, and withdrawals from, foreign exchange platforms
8
Sources of Data (Continued)
Open Source Intelligence – OSINT
• Data leaks (Mt. Gox)
• Internet Forums, Social Media etc.
Debit Cards
• Foreign issued cards used in Finland
• BTC Prepaid Debit Cards (Xapo)
9
Hiding the Assets
Mr. X ran a Payday Loans Business
The business was highly profitable. However, obligations related to bookkeeping and taxes were not complied with
Convicted on bookkeeping and tax crimes – Fined €400,000 in unpaid taxes
10
Hiding the Assets (Continued)
Before officials could seize funds, Mr. X transferred € 80,000 to a cryptocurrency marketplace called Bitstamp and bought bitcoins, leaving enforcement authorities helpless
Knowing our strong legal background and ability to source information and data, the enforcement authorities approached us to assist in the matter
11
Hiding the Assets (Continued)
We requested exchange of information from Bitstamp and received transactions completed through his account and also his bitcoin addresses
After conducting blockchain analysis we found out that he had also used the cryptocurrency exchanges Bittrex and Poloniex, which we then contacted for further information
12
Bitstamp: Start of the Operation
Private Wallets to hold and transact with the funds
Bittrex and Poloniex used in an attempt to hide the origin of the funds
*Graph is simplified in order to provide a better overview
13
Hiding the Assets
Mister X has profited from the overall value increase in cryptocurrencies and according to our analysis his Bitcoin portfolio is now valued at over € 1 million
However no notable usage of cryptocurrencies against Fiat-currency is found
• P2P trades in cash?
• Bitcoin debit cards?
• New Bitcoin deposits to Bitstamp in late 2017 & 2018
Next phase is to do a seizure of his assets that are in bitcoin form
14
The Right Tools to Utilise the Data
Priorities
1. Keep the tax system convincing (new phenomena) through audits and other taxation monitoring activities
2. Provide knowledge and information to National and International authorities through cooperation
Resource / Tool
• A relatively large amount of data
• Data scientists for combining and enriching the data
• Maintaining situation awareness by following trends and knowledge obtained from the media
• Blockchain analysis tools
15
Discussion and Question Time
Thank you
17
In the middle of nowhere
Johan Landström - Co-Founder / Head of Lab, Acuminor AB
18
19
Private BTC exchange through:
Protecting from volatile exchange-rate changes by using Crypto trading platforms and OTC providers such as Poloniex, Kraken and Genesis
NOTE: Poloniex, Kraken and Genesis are legitimate actors
Cashing out to FIAT on days with lower exchange-rate swings and in accordance with business. Mondays and Fridays in many cases
Family members
Mobile payments
Deposits to prepaid cards
Pre-paid cards – legally and illegally obtained
Both FIAT-only and BTC-TO-CARD since it is still difficult to purchase groceries with Crypto
20
Layering through ever increasing multiple steps...
Constantly changing behavior
Bank account
OSP (validates ID through the Bank)
Online gambling establishment
Cash out through E-Wallet
E-Wallet connected with Prepaid MC
Card use/cash withdrawal
Avoiding detection is vital within CaaS as well as for private criminals
Criminals follow trends and ongoing investigations, so switching of payment brands/options is a frequent occurrence
21
Drivers: Complexity and fragmentation
Who is responsible for what and when
Institutes & classic players
• Banks
• Stock market entities
• Payment network providers
E-money competition
• E-wallets
• Vouchers
• Pre-paid debit
• OSPs
• Closed loop currencies
Fin-tech
• Crypto currencies - FX
• Smart Contracts
• Crowd...
• Multi-wallets
• Gig-economy
22
Source: Copenhagen FinTech. https://copenhagenfintech.dk/about/fintech-startup-scene/
23
Success Factors
Get to know criminal modus operandi
Use external indicators from criminal behaviour and map against internal environments
The use of mobile payments in black market trading of bitcoins in Sweden
• Regular, multiple, and small incoming mobile payments from various private individuals
• Fewer large, outgoing mobile payments to private individuals, can be reoccurring persons
• Fewer large, outgoing payments to established brokers
Measure everything: Early detection and identification of customer segments misusing products
GDPR is not a problem
Use new technologies to gain insight but don't over trust the models
You will have to be able to explain the findings
Cooperation and exchange of information – Cheap and very effective (necessary)
Education & Training
24
Discussion and Question Time
Thank you
26
Financial crime and the evolution of the Carbanak Group
Rose Bernard - Senior Intelligence Development Analyst, Digital Shadows
27
Overview
• ATM theft has come a long way in a very short time
• The Carbanak Group has been targeting financial institutions since at least 2013
• In that time, they have continually adapted their tools, techniques, and procedures (TTPs) to ensure that they are successfully stealing as much as possible from vulnerable entities
• The group exploit both technical and human vulnerabilities in successful intrusions
• What does this mean for financial institutions now?
28
Who are The Carbanak Group?
Carbanak Group (aka Anunak) are a Russian language criminal group targeting financial institutions, ATM systems, and point-of-sale service providers
The group have been active since at least 2013 and in the past five years have been responsible for the theft of over USD 1 billion
The group’s activities can be divided into 5 phases of targeting, including the direct targeting of ATMs, Cash Out campaigns, and the exploitation of the SWIFT communication network
The group combines social engineering tactics with custom made malware and open source tools
Despite the arrest of a member in March 2018, the group’s profile is unlikely to change in the immediate future
29
Phases of Activity
Phase 1: Targeting ATMs
Phase 2: ATMs, accounts, SWIFT
Phase 3: Point of Sale systems
Phase 4: Banking trojans, the hospitality sector
Phase 5: SWIFT
30
Tools, Techniques, and Procedures
• Phishing lures
• Weaponised documents
• Metasploit
• Mimikatz
• Spearphishing emails
• Compromised credentials
• Custom malware
• Carberp/Carbanak
31
Key Takeaways
Organised and sophisticated groups use a mixture of technical and physical solutions
Human error is often the initial entry vector
From there groups can move laterally within a network
Technological solutions should be part of an in-depth holistic strategy that also includes training for employees
Criminals will often change tactics – employees are the first line of defence
32
Discussion and Question Time
33
Conclusion and Key Takeaways
Importance of Data and cooperation in its mutual exchange
Be creative - There are ways of using existing data effectively within legislation
No Silos > Lateral approach > A holistic view in Anti-Financial Crime
Technology is only as smart as those who operate it – Train your personnel to identify emerging risks
The threat is ever changing, empower your colleagues to think freely in their approach to individual threats...
Think like the criminal to stay ahead of the criminal
Thank you