Ecommerce & Online Banking Fraud issues, challenges & solutions


© 2007 Authentication & Online Trust Alliance. All rights reserved. This presentation is for informational purposes only. AOTA Inc. makes no warranties, express or implied, in this summary.

Slide 1

Ecommerce & Online Banking Fraud: issues, challenges & solutions

Victor Talamo, VP & Director Risk Management

JP Morgan Chase

Karim Noorali, Sr. Product Manager, PayPal

Marcelo Câmara, Febraban - Brazil

Slide 2

Financial Services Initiative: BITS Email Security Project

Victor Talamo

Director IT Risk Management

JPMorganChase

Member, BITS SRA Steering Committee

Slide 3

Agenda

Financial Services Industry Initiative to Advance Adoption of Email Security Standards

Project Goals and Problem Statement

Security Protocols and Recommendations

Best Practices

Timing/Next Steps

Slide 4

Background

Financial Services Industry Membership prioritized a project to advance the security of Email communications

Priority established by the Security and Risk Assessment (SRA) Steering Committee of BITS

Project arose in response to increases in spam, phishing and malicious code transmitted via email

Seven of the top ten phishing targets are BITS member companies

SRA Working Group Developed Email Security Paper over the past year, consulting with ISPs, Standards Bodies, Email Security Vendors

Slide 5

BITS Email Security Project Goals

Enhance the security and integrity of electronic communications

Reduce the amount of phishing and malicious code (e.g., Spyware)

Improve confidentiality and integrity of information exchange among financial institutions and between financial institutions and their customers and clients

Strengthen protection of customers and their accounts from identity theft and account fraud

Restore greater reliability of the email delivery channel for Financial Institutions

Slide 6

Problem Statement

Email is an insecure, but necessary, communication channel

Consumers lack confidence in the integrity of messages they receive via email

Regulations require financial institutions to use reasonable and appropriate measures to protect customer information

Proprietary solutions have many drawbacks, including incompatibilities, inefficiencies and scalability issues

Email Security Technology Standards exist, but are inconsistently adopted and implemented

Slide 7

BITS Recommended Technologies

Transport Layer Security (TLS)

Protects confidentiality and integrity: it authenticates the mail servers to each other and encrypts email messages in transit between them

Sender Authentication (SIDF/SPF)

Provides a way for financial institutions, ISPs and others to identify the authorized mail servers for a particular domain and validate that mail originated from these authorized sources

DomainKeys Identified Mail (DKIM)

A cryptographically based protocol that provides verification mechanisms for message header and body integrity

Slide 8

Advantages of Recommended Technologies

Leverage open standards that are currently available and are being utilized today

Transparent to the end-user and not an inconvenience

Relatively low-cost both in terms of implementation cost and total cost of ownership

Fairly easy to implement

Scalable across both small and large multinational enterprises

Slide 9

Recommendation Summary

Transport Layer Security (TLS) – Opportunistic Mode

Sender Authentication – Validate Incoming Email

Publish SPF Records (email and non-email domains)

Publish SPF Records as Hard Fail

Utilize Delegated Sub-domains for Third Party Mailings

Enforced TLS

Publish DomainKeys and Policy Records

Sign DomainKeys
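The SPF side of the recommendations above (validate incoming mail against the sender's published record, publish hard-fail records, including for non-email domains, and delegate third-party mailings to a sub-domain with its own record), as an added Python example that is not part of the BITS deck. The domains and TXT records are a constructed in-memory table, not real DNS lookups.

```python
"""Offline SPF evaluation against constructed TXT records (hypothetical
domains), illustrating hard fail (-all), soft fail (~all) and a delegated
sub-domain that includes a third-party mailer's record."""
import ipaddress

# Constructed records. bank.example lists only its own mail servers and hard
# fails everything else; promo.bank.example is the delegated sub-domain for
# third-party mailings; web-only.example never sends mail and says so.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "promo.bank.example": "v=spf1 include:_spf.bulkmailer.example -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "web-only.example": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for sender_ip sending as domain."""
    if depth > 10:                      # cap include recursion, as RFC 7208 does
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # the domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name == "ip4":
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include only matches when the referenced record yields "pass"
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def receiver_action(domain, sender_ip):
    """What a receiving gateway can do with the result: a hard fail is
    rejectable outright, a soft fail is only a signal for filtering."""
    result = check_spf(domain, sender_ip)
    return {"fail": "reject", "softfail": "mark"}.get(result, "accept")


if __name__ == "__main__":
    for dom, ip in [("bank.example", "203.0.113.25"),
                    ("bank.example", "198.51.100.7"),
                    ("promo.bank.example", "198.51.100.7")]:
        print(dom, ip, check_spf(dom, ip), receiver_action(dom, ip))
```

The contrast worth noticing is the second and third cases: the bulk mailer's IP is rejected when it claims to be bank.example but passes for the delegated sub-domain, which is exactly why the deck recommends sub-domains for third-party mailings.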

Slide 10

Recommendations for Email Protocols

Encourage BITS members to implement each of the recommended technologies in accordance with the Guidelines for implementation. Each protocol addresses a particular problem; in combination, they provide layered security

Promote awareness of email security concerns among financial institutions, clients, consumers, Internet Service Providers and Mail Service Providers

Encourage BITS members to engage their service providers and encourage them to implement the recommended technologies

Encourage BITS members to add email security requirements to contracts with business partners and service providers

Slide 11

Other Best Practices

User Validation Controls

Anti-Spoofing Controls

Mail Relay Controls

DNS Lookups

Anti-Spam and Reputation

Malicious-code Defense in Depth

Malicious-code Technology Diversity

Attachment Filters

Inappropriate Word and Phrase Filters

Data Leakage Filters

Disclaimers

Governance

Slide 12

Next Steps

BITS Email Security Toolkit recommendations presented to CEOs for endorsement end of April 2007

BITS Email Security Toolkit may be downloaded from bitsinfo.org

Communications and awareness

Obtain BITS member technical contact information essential for the efficient adoption of the security protocols

Periodic checkpoint on adoption

Slide 13

Summary

The BITS Email Security initiative will bring greater focus to the advancement of Email Security, enabling message confidentiality, authentication and integrity controls

For maximum effectiveness, these solutions require adoption by a critical mass of institutions

Impact is broader than Financial Institutions (Service Providers and Business Partners)

Do your part by supporting adoption of TLS, SIDF/SPF and DKIM protocols

As a critical mass is reached, there will be more pressure on non-adopters

Slide 14

Resources & Contact Info

www.bitsinfo.org

www.fsround.org

Victor Talamo, Director IT Risk Management

John Carlson, Executive Director, BITS

John Ingold, Director, BITS

Slide 15

Fraud at PayPal: Overview and current trend

Karim Noorali

Sr. Product Manager, PayPal

Slide 16

Agenda

What is PayPal

Why PayPal is a target

Fraud globalization

Multi-angle approach

Law enforcement success

Slide 17

What is PayPal

Founded in 1998, PayPal is a global online payment company.

133+ million accounts in 103 countries.

$37.8 billion in total payment volume in 2006.

$1,384 transacted on average every second in Q4 2006.

Enables the most popular worldwide payment types.

Visa and MasterCard (103 countries), American Express, Discover, Visa Electron, UK Switch and Solo, German EC and giropay, Italian PostePay, bank direct debit (5 countries), PayPal balance

17 currencies

14 local language websites

Multiple channels: eBay, merchant website, email, mobile, phone, Skype

Slide 18

What is PayPal

Slide 19

Why PayPal is a target

(Figure labels: Card companies, Banks)

133+ million accounts in 103 countries.

Slide 20

Fraud Globalization: Russia

IP address from Russia runs script against site to validate email addresses

(Figure: fraudster's list of email addresses)
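The "script that validates email addresses" step above only works when the site answers differently for registered and unknown addresses. As an added Python example that is not from the PayPal deck, here is a log check that surfaces that kind of probing, beside the leaky response and the uniform response that closes the oracle; the log lines, IPs, paths and account table are all constructed.

```python
"""Detecting address-validation probing in access logs, and the server-side
change that removes the oracle. Everything below is constructed sample data."""
from collections import Counter

# Constructed access-log lines: "client_ip method path status". The
# validation endpoint answers 200 for a registered address and 404 for an
# unknown one, which is what an enumeration script keys on.
LOG_LINES = (
    ["203.0.113.7 POST /account/validate 404"] * 38
    + ["203.0.113.7 POST /account/validate 200"] * 12
    + ["198.51.100.21 POST /account/validate 200",
       "198.51.100.21 GET /account/login 200",
       "192.0.2.44 POST /account/validate 404",
       "192.0.2.44 POST /account/validate 200"]
)


def find_enumerators(lines, endpoint="/account/validate", threshold=20):
    """Return {ip: (probe_count, miss_rate)} for client IPs that hit the
    validation endpoint at least `threshold` times. Many probes with a high
    404 rate is a list being checked, not a user mistyping an address."""
    probes, misses = Counter(), Counter()
    for line in lines:
        ip, _method, path, status = line.split()
        if path != endpoint:
            continue
        probes[ip] += 1
        if status == "404":
            misses[ip] += 1
    return {ip: (n, round(misses[ip] / n, 2))
            for ip, n in probes.items() if n >= threshold}


REGISTERED = {"alice@example.net"}          # constructed account table


def validate_leaky(email):
    """Before: status code and text reveal whether the address has an account."""
    if email in REGISTERED:
        return (200, "Account found")
    return (404, "No such account")


def validate_uniform(email):
    """After: identical status and text either way; the real outcome goes out
    of band (a message to that address), so the endpoint stops being an oracle."""
    return (200, "If an account exists for this address, instructions have been sent to it.")


if __name__ == "__main__":
    print(find_enumerators(LOG_LINES))   # the 50-probe client stands out
    print(validate_leaky("nobody@example.net"), validate_uniform("nobody@example.net"))
```

Response timing and rate limiting matter as well: a uniform body is only a fix if the registered and unregistered paths also take comparable time, and the per-IP count above is the natural input for throttling the endpoint.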

Slide 21

Fraud Globalization: Russia, Romania

Script drops valid email accounts to Romanian ISP email address

(Figure: fraudster's list of email addresses → Romanian ISP drop box)

Slide 22

Fraud Globalization: Russia, Romania, Pakistan

Individual in Pakistan hired to set up multiple spoof sites in China, Mongolia, US, Korea

(Figure labels: IRC, Skype)

Slide 23

Fraud Globalization: The rest…

Global bot net fires off phishing emails

Victim information collected in Russian ISP drop box

Information sold to U.S., U.K., DE

Accounts taken over

Slide 24

Multi-angle approach

SPOOF LIFE CYCLE (figure: cost per incident vs. time across these stages)

Spoofer sets up a site & sends email → Service provider delivers email → Victim responds to email → Spoofer logs in to victim's account → Spoofer sends $$ out of user account → Spoofer successfully withdraws $$

Partner with hosting services to remove phishing sites when we report them

Partner with hosting services on spiders to crawl and remove phishing sites

Contract with companies that monitor domain registrations to get alerts when sites are registered

Promote strong domain registration recordkeeping

Implementing SPF, SenderID & Domain Key signing of legitimate emails (and encouraging email providers to block all others)

Slide 25

Multi-angle approach

Educate our users aggressively – Security Centre, Safety Guides, transaction messaging & outreach campaigns

Use My Messages for eBay member communications

Encourage use of [email protected] for user reporting

Share spoof URLs we identify with leading ISPs and toolbar providers

Partner with browser companies to integrate safe browser technology


Slide 26

Multi-angle approach

Transaction spoof model scores risk on every transaction

Implementing second factor authentication – PayPal Security Key

Participate in industry coalitions such as Anti-Phishing Working Group to share data on perpetrator techniques


Slide 27

Multi-angle approach

Fraud Investigations Team proactively refers cases to law enforcement & trains law enforcement agencies around the world on how to work these cases

Provide 100% reimbursement to phished users for their losses from spoof (in addition to buyer protection and pass-through credit card chargeback rights)


Slide 28

Law enforcement success

In a good month: 3.5 people arrested per day in partnership with eBay Fraud Investigations Team

1.5/day in US

2.4/day in a slow month

4 year sentence to fraudulent gold coin seller

8 year sentence for another fraudulent seller

16 year sentence for yet another one

Working with Law Enforcement is effective!

Slide 29

How Have Brazilian Banks Done It?

Marcelo Câmara

Febraban - Brazil

Slide 30

Agenda

Brazilian picture of online fraud

What has been done:

Technology

Education

Contention

The factors of success

Slide 31

Success on a Curve

(Chart: Value, Quantity and Average per year, 2003 to 2006)

Slide 32

Settings

Brazilian Hackers work “34 x 7”

“There are 34 new Brazilian Malware every 7 hours.”

Slide 33

Settings

Population: ~190 million

Highly Developed Financial System

Technologically Advanced Banks

Slide 34

Brazilian Approach

Slide 35

Slide 36

Technology - The Security Race

(Timeline chart, 2003 to 2006: attacks against the banks' customers on one side, the countermeasures the banks deployed in response on the other)

Attacks:

Pharming

Keyloggers

Key & Screenloggers

Phishing with forms

Fake Browser

Pop up Phishing

Pop up Phishing + Plugin Disabler

BHO Malware

Clickless Infection

For Export Malware

Countermeasures:

DNS Monitor

Virtual Keyboards

Protection Plugins

OTP Tokens

Bingo Cards

Machine Registration

Behavior Monitoring

Protection Plugins 2.0

Slide 37

Technology - The Security Race

2007

Man in the Middle

Anti-Reverse Engineering Crimeware

Transaction Signing

Robot in the Middle

More Powerful Tools (?!?!)

Slide 38

Slide 39

Phishing - Online shopping

Education – Phishing Examples

Slide 40

Phishing - updates, patches, etc.

Education – Phishing Examples

Slide 41

Phishing – Social Networking Sites

Education – Phishing Examples

Slide 42

Phishing - Warnings from Government

Education – Phishing Examples

Slide 43

Phishing - Songs to listen/download

Education – Phishing Examples

Slide 44

Slide 45

Contention – Reality Shown

Slide 46

Contention – Reality Shown

Slide 47

Contention – Reality Shown

Slide 48

Contention – Reality Shown

Slide 49

Summary – Call to Action

2nd Factor Authentication

Behavior Monitoring

Protection Plugins

Inform, Inform, Inform

Provide help to law enforcement

Slide 50

Contact Info

www.Febraban.org.br

Marcelo Câmara

+55 11 3684-4251

