Tracking the Fraud Lifecycle: When the Schemes Evolve, So Must the Solutions
What are the distinct phases of the fraud lifecycle, and how can banking institutions intervene at each stage to prevent losses? Daniel Ingevaldson of Easy Solutions offers fraud-fighting tips.
The three fraud phases are Planning, Launching and Cashing, and institutions need to know that they can stop fraud at each of these stages, says Ingevaldson, CTO of Easy Solutions.
"It's not realistic [for us] to approach our customers and say 'We're going to stop your fraud by focusing on one specific stage,'" Ingevaldson says. "If we were to produce some sort of technology or solution that was 100 percent effective at stopping one specific type of fraud at one specific stage, it would instantly be 100 percent obsolete because the attackers would simply move on or adjust what they were doing to bypass whatever countermeasure we were able to put in place."
Being in the anti-fraud space is to be in an adversarial situation, he says. "We're not dealing with a target that's standing still. We're not dealing with an adversary who has limited resources or creativity."
In an interview about the fraud lifecycle, Ingevaldson discusses:
- The stages of fraud that banks need to consider;
- How the tools differ at each stage;
- How banks are evolving their fraud protection strategies.
Ingevaldson is Chief Technology Officer of Easy Solutions, responsible for technical strategy and overseeing the research team. He was previously Director of Technology Strategy and oversaw the industry-renowned X-Force R&D team at Internet Security Systems (ISS), which was acquired by IBM for $1.3 billion. Most recently, he was co-founder and SVP of Product Management at Endgame Systems.
TOM FIELD: Let's start right up front by defining the fraud lifecycle. I'd love for you to describe it to us and offer up what are the specific stages of fraud that banking institutions need to be thinking about?
DANIEL INGEVALDSON: We like talking about the fraud lifecycle because it generally is a concept that applies to all of our customers. We deal primarily with customers who are dealing with online fraud, mostly in the financial services industry but now expanding into other verticals. With respect to online fraud and a lot of the other channels of fraud, whether they're more financial-centric channels like ATM, IVR [interactive voice response] or mobile channels, any sort of fraud that might affect these channels is really the same with respect to these three stages.
The first stage is the planning stage; the second stage is the launching phase; and the last is the cashing phase. You can argue that there are lots of distinctions, lots of nuances and different sorts of fraud, but generally, every single attempt, even one that crosses different channels, would follow this process. It's an important model for us internally at Easy Solutions because what we try to do is build products, technologies and services that attack fraud at each discrete stage to provide a stronger cumulative benefit or a stronger solution to prevent fraud altogether.
Differing Fraud Tools
FIELD: How do you find that the fraud tools differ at each stage and why do you find that one might be more effective than another depending on the stage?
INGEVALDSON: It's really important to think about this from a high level. From my perspective and from my company's perspective at Easy Solutions, it's not realistic to approach customers and say that we're going to stop your fraud by focusing on one specific stage. You can even extend this into a theoretical argument. If we were to produce some sort of product, technology or solution which was 100-percent effective at stopping one specific fraud at one specific stage, it would instantly be 100-percent obsolete because the attackers would simply move on. They would adjust what they were doing to bypass whatever countermeasure we were able to put in place.
It's important for vendors, specifically technology vendors, to be honest about what we're dealing with here. Being in the anti-fraud business is an adversarial business. We're not dealing with a target which is standing still. We're not dealing with an adversary who has limited resources. We're not dealing with an adversary who has limited creativity. We have to make sure that we're honest with our customers and we talk about how we can deploy discrete, unique technologies to deal with certain phases.
For example, the planning stage, the first stage, is generally around reconnaissance, intelligence gathering and target selection. What does a bad guy look for when he's targeting a bank or targeting an online property for some sort of attack later on? What sort of breadcrumbs can we pick up? What sort of things can be detected? Also, how can we advise our customers to make their sites appear to be the harder targets? There are all sorts of things that you can do there.
The launching phase is typically when the bad guy or the fraudster has made his selection and he starts to target the online property, and this could mean a phishing attack, pharming attack or a malware attack, which is focused squarely on trying to acquire log-in credentials, what we call account takeover. On the back end, there's cashing.
Up to this point, the bad guy has scanned a set of targets. He's made a selection; he's launched an attack; and now he's potentially gained access to some accounts, whether it's through the branch, through a mobile phone, a piece of malware or through the e-banking online channel, for example. The money might have been moved around internally, but it hasn't actually left the organization. You can argue that no fraud has actually happened at that point. But cashing is an extremely important place to focus energy because it's where the multichannel thing comes into play. We've seen a lot of attacks which are designed to bypass traditional anti-fraud techniques because sometimes some of the monitoring is focused only on e-banking or only on checking or credit cards. The bad guys will simply move money across different channels to find a way to get it out of the bank, via cashing, via ACH or wire transfer.
We've developed technology, and there's lots of technology in the market to focus on trying to prevent the final stage, the cashing phase, which is focused on getting money out of the bank. We believe that we have to have overlapping technologies in each phase in order to limit the amount of fraud which can be taken all the way to the end and be successful for the adversary or for the fraudster.
Effectiveness of Today's Anti-Fraud Measures
FIELD: Given that context, let's take a step back. How effective would you say today's tools are at stopping fraud?
INGEVALDSON: Today these banks in the U.S. and Latin America are much better off than they were, say, five or ten years ago. Some of the banks in Latin America, where they were dealing with advanced man-in-the-middle, man-in-the-browser, Trojan horse programs back in the early 2000s, were aggressively scrambling to try to find a way to make sure that the bad guys couldn't steal two-factor authentication credentials to bypass what the banks were trying to deploy.
I'd say that the banks now are much better prepared to deal with the latest fraud. But there's always something new coming. Our customers are very concerned about the mobile channel. They're very concerned about mobile malware. They're extraordinarily concerned about how dangerous the Android ecosystem is with respect to malware. A lot of our customers are looking for ways that they could solidify the security of the mobile channel. They've done a lot to focus on e-banking. They've followed all the recommendations from the FFIEC here in the U.S., which is focused on ... enforcing implementation of multifactor authentication, as well as layered security approaches, which are directly aligned with our approach.
Mobile is a big one right now. There's a big gap. I think the bad guys are ahead with respect to mobile security. The tools are always getting better, but the fraudsters are always trying to move on to the next thing. ... Our focus is on limiting the lifespan of attacks. When there's malware, phishing or pharming attacks which are designed to steal accounts in those first two stages, the planning stage and the launching phase, we're focused on reducing the lifespan of those attacks as much as possible. Think of it as a funnel. If fraud is a funnel, at the top you have all the opportunity. At the bottom you have the fraud which emerges in the form of a cashing event. We're trying to constrict that funnel at every stage, to limit the number of accounts which are stolen, to reduce the lifespan of attacks, to limit the effectiveness of malware on mobile devices or PCs and then catch fraud on the way out the door. That's really the most effective approach, and that's what banks are really trying to do, intelligently layer in technologies which focus on each of those stages.
Real-World Fraud Examples
FIELD: Let's talk about some of what you see out in the real world. Can you offer up some examples of how you're seeing cybercriminals now stealing directly from the financial institutions?
INGEVALDSON: There are so many examples. A lot of the regulations and a lot of the disclosure requirements have really led to shedding light on some of the stories and some of the high-profile or large thefts over the years. Easy Solutions, being in the industry, is certainly privy to a lot of these attacks, but previously they were always confidential; now they're front-page news. I think the most recent one, which is shocking in the size and scale, was the theft of about $45 million from two Middle Eastern banks. I think there might be a movie script behind this actual hack. This was a very large-scale attack focused on actually hacking into the infrastructure of two credit card processors, which were between the actual card-issuing banks and the ATMs. The information that's been made public is there's a small number of people, really a low-level gang in New York, which was arrested for using stolen PIN information and ATM cards to walk around Manhattan in two separate 24-hour periods and extract millions and millions of dollars from ATMs. They were only a very, very small part of this process. It was a $45 million theft, and the one crew that was put in jail only stole a couple million dollars.
But the more interesting part of that is the upstream infrastructure behind the attack, the industrial nature of the attack. What the bad guys did - and these guys are still out there, they haven't been arrested or even mentioned publicly - is they actually compromised the credit card processor and they stole only a handful of ATM card numbers and PINs. They then printed up those cards, sent them off to cashing crews, basically teams of guys all over the world that would, in a synchronized fashion, start extracting money as quickly as possible from ATMs all over the place. But what they did was they basically made sure that whenever those ATM cards were put into an ATM and the ATM network looked for validation of whether there was money on that card, they had hacked into the servers that were making those determinations, so that the answer would always be "yes." It was essentially an unlimited balance on those cards, and this was called the "Unlimited Operation."
This was a very sophisticated attack, which used those separate layers of people, kind of a hierarchy of people with different skills, a global international scheme that stole millions and millions of dollars. We're seeing those, not so often on that scale, but certainly these complex tiered attacks, which are designed to, in a flash, remove millions of dollars from bank accounts.
We're also seeing less sophisticated, less elegant attacks, but ones which are arguably just as effective. We have customers that are dealing with problems when keyloggers or physical keyloggers are somehow making their way into branches, and those keyloggers are used to steal credentials when actual bank tellers or branch managers are logging into internal systems, and they're using a wireless bridge or a covert access point. A bad guy can sit across the street, steal login credentials for a trusted internal employee and then take control of those sessions and actually create their own transfers.
It runs the gamut. These can be super sophisticated, virtual attacks only in the cyber realm where they could actually involve a physical element when a person is paying off an insider or paying off a trusted employee of a bank to actually place a device within a bank branch to compromise it later on. We're seeing all sorts of things, and the attacks are always creative, they're always new and they're always leveraging some specific or discrete vulnerability, some trust relationship within a bank or within an organization which can then be exploited.
Evolving Fraud Protection Strategies
FIELD: The attacks are creative and they're coming from everywhere. My final question for you is: Given what we've discussed here, how do you see banks evolving their fraud protection strategy so that they can counter this creativity and this ongoing assault?
INGEVALDSON: The best bankers and the best anti-fraud groups are ones which are very, very pragmatic. Bankers know that they will lose some amount of money to fraud every year. They have to be very careful and very cautious to make sure that they apply the resources in a way that makes sense. They want to make sure that they're staying ahead of the bad guys, but really just ahead and at par so they can manage and have predictable rates of losses. Every bank out there, as I said, is dealing with this. They're always going to have issues; they're always going to have vulnerabilities. It's important for them to always look at new technologies, look at new approaches, but also understand the downstream costs. What's the cost of deploying a new technology amongst lots of legacy technology in a very complex environment? A lot of banking infrastructures are mixed and very heterogeneous due to years and years, perhaps decades, of legacy technology being deployed to prevent various types of fraud or various types of security exposures. You also see it with acquisitions. The financial services industry is very acquisitive. You often have lots of infrastructures being glued together in integrations after acquisitions close.
Bankers are very pragmatic, and they understand that they have to understand the true cost of deploying new technology. What we try to do with our customers is provide them the ability to manage their legacy infrastructure, but also layer in new techniques or new countermeasures to provide a more effective defense while not increasing cost elsewhere. It's important for us with our customers to make sure that we can help them reduce their losses while not increasing other costs or creating hidden costs for them down the road.