
13 Hottest Fraud Schemes You Can Prevent

Posted by John B. Frank Wednesday, May 27, 2009

http://www.bankinfosecurity.com/articles.php?art_id=1490


The fraud fight is getting nastier by the minute, say experts familiar with the new schemes -- and some old ones with new wrinkles -- being perpetrated by criminals against financial institutions and their customers. Here are 13 of the most prevalent ruses.


#1 -- Credit Bust-Out Schemes

#2 -- Customer Loan Account Takeover

#3 -- Corporate Account Takeovers

#4 -- Cross-Channel Call Center/Online CD Purchase Scam

#5 -- Wire Fraud Account Grooming

#6 -- In-Session Phishing

"A somewhat recent tactic being perpetrated by fraud rings -- "in-session phishing" -- has emerged as one of the chief threats to the breach of secured online assets. These attacks utilize vulnerabilities in the Javascript engine found in most of the leading browsers, including Internet Explorer, Firefox and even Google's Chrome, notes Eisen.


How it happens: Utilizing a host website that has been injected with malware acting as a parasite, this parasite monitors for visitors with open online banking sessions or similar protected asset sites (such as brokerage or retirement planning sites).


Using the Javascript vulnerability, the parasite can identify from which bank the victim has a session currently open by searching for specific sites pre-programmed in the malware itself. "There are no limits to the volumes of URLs a website hosting the parasite can test from the victim's machine. The malware asks: 'is my victim logged onto this XYZ bank website' and their browser replies either yes or no," Eisen says.


Once any site from the list is confirmed to be "in session," a pop-up claiming to be from the bank issues a warning. Most warnings appear as time-out messages stating "For security purposes your banking session has been terminated. To continue your session please re-enter your username and password here (supplied link by fraudster)."

Once an unknowing victim complies, clicks the link and enters his/her credentials, the damage has been done and the attack was successful and the game is over - right?

In most cases it would be devastating for a victim after their credentials had been breached; expecting the fraud rings to quickly begin selling off this information or pillaging through the victim's account. Since many financial institutions rely on cookies or tags to discern one device entering user credentials from another, and then count on fairly common (and easily answered by crooks) out-of-wallet questions - to validate a new device attempting access, this would be true.


However, simply by utilizing a robust device ID technology - which creates the equivalent of a device fingerprint for every machine attempting to log on to a bank's site, coupled with historical negative lists of known bad devices, "financial institutions could render credential breaches using in-session or any other type of phishing attack useless to the fraudster," Eisen says.


The power lies in knowing what a suspicious or fraudulent attempt looks like upon log-in. "If you know a legitimate customer most always uses a device configured for local New York time and the language for this device is English, you would not provide unchallenged access to this account from a machine showing to come from China and having a default language set to Mandarin," Eisen says.


Further strengthening against future attacks, placing the device fingerprints gleaned from all known previous fraudulent attempts into a negative list effectively blocks the devices with a history of fraud from ever gaining access to another user account."
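The device-fingerprint and negative-list approach Eisen describes, as an added worked example (this is not code from the article, from Eisen, or from any vendor product): a bank-side login check that hashes a handful of browser attributes into a device id, lets a customer's previously seen devices through on credentials alone, never grants a new device unchallenged access, escalates when the device's timezone or default language disagrees with the customer's usual profile, and refuses any id on the negative list. The attribute set, the profile fields, the scoring weights and thresholds are all assumptions, and the customer and device data is constructed.

```python
"""Login risk assessment from a device fingerprint plus a negative list.

Added illustration: the fingerprint attributes, profile fields, weights and
thresholds are assumptions, and the customer/device data below is constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceFingerprint:
    """Attributes a login page could collect from the browser (assumed set)."""
    user_agent: str
    timezone: str   # e.g. "America/New_York"
    language: str   # browser/OS default language, e.g. "en-US"
    screen: str     # screen resolution, e.g. "1280x800"

    def device_id(self) -> str:
        """Stable identifier derived from the attributes (hypothetical scheme)."""
        raw = "|".join((self.user_agent, self.timezone, self.language, self.screen))
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


# Constructed profile: what a normal login looks like for this customer.
CUSTOMER_PROFILES = {
    "alice": {
        "timezone": "America/New_York",
        "language": "en-US",
        "known_devices": set(),  # device ids previously confirmed as hers
    },
}

# The customer's usual machine (constructed), registered as a known device.
KNOWN_GOOD = DeviceFingerprint("Firefox/3.0", "America/New_York", "en-US", "1280x800")
CUSTOMER_PROFILES["alice"]["known_devices"].add(KNOWN_GOOD.device_id())

# Negative list: device ids gleaned from previously confirmed fraudulent attempts.
NEGATIVE_LIST = set()


def record_fraudulent_device(device: DeviceFingerprint) -> None:
    """After a confirmed fraud case, remember the device so it is blocked for every account."""
    NEGATIVE_LIST.add(device.device_id())


def assess_login(customer: str, device: DeviceFingerprint):
    """Return (decision, risk_score, reasons) for a credential login from `device`.

    decision is "allow", "challenge" (step-up authentication before access),
    "refer" (hold for fraud review) or "deny" (negative-listed device).
    """
    profile = CUSTOMER_PROFILES[customer]
    did = device.device_id()

    # Devices with a history of fraud never get in, whatever credentials they present.
    if did in NEGATIVE_LIST:
        return "deny", 99, ["device id on negative list"]

    # A device this customer has used before: credentials alone are sufficient.
    if did in profile["known_devices"]:
        return "allow", 0, []

    # New device: never unchallenged, and each mismatch with the profile raises the score.
    score, reasons = 1, ["device not previously seen for this customer"]
    if device.timezone != profile["timezone"]:
        score += 2
        reasons.append(f"timezone {device.timezone} != usual {profile['timezone']}")
    if device.language != profile["language"]:
        score += 2
        reasons.append(f"language {device.language} != usual {profile['language']}")

    decision = "refer" if score >= 4 else "challenge"
    return decision, score, reasons


if __name__ == "__main__":
    attempt = DeviceFingerprint("IE/7.0", "Asia/Shanghai", "zh-CN", "1024x768")
    print(assess_login("alice", KNOWN_GOOD))
    print(assess_login("alice", attempt))
```

Phished credentials presented from a machine the bank has never seen for that customer therefore land in "challenge" at best, and once a device has been tied to one confirmed fraud case `record_fraudulent_device` turns it away from every other account as well, which is the point of the negative list.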


#7 -- ATM Network Compromises

#8 -- Precision Malware Strikes

#9 -- PIN-Based Attacks

For the past 10 years, Verizon Business has tracked metrics and statistics from IT investigative cases, including incident response, computer forensic and litigation support, across the globe.

Verizon Business' just-issued 2009 Data Breach Investigation Report shows more electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, says Bryan Sartin, director of forensics and investigative response at Verizon Business.


Driving this explosion in compromised records are more sophisticated attacks, specifically targeting the financial sector. In fact, 2008 saw three of the world's largest known data compromises on record.


With many large individual compromises over the past two years, the value of payment card, check, and other forms of consumer data on the information black market is on rapid decline, says Sartin. "Just two years ago, magnetic-stripe sequences sufficient for counterfeit were priced at an average of $14 per record, while today that cost has dropped to as little as 20 cents," he says. "Cybercrime, it seems, chases the almighty dollar."

Last year showed a sharp increase in attacks against counterfeit sequences plus the corresponding cardholder PIN value, leading to the direct theft of consumer assets, Sartin notes. "The lead indicators of these types of crimes were not based on the conventional analysis of signature-based counterfeit fraud patterns to find common valid transaction points within legitimate spending histories. Instead, bank customers were suddenly reporting zero balances in checking and savings accounts, alleging fraudulent ATM withdrawals." As more and more similar complaints surfaced, it became easier to pinpoint the likely source of compromise, whether it be a bank, data processor, or payment gateway, Sartin says.

Verizon Business tracked at least three different techniques during 2008. Until recently, many PIN-based attacks were known to be possible but no credible evidence of them being used in a real-world incident had ever surfaced. That has since changed as attacks against PIN information are on the rise, setting the stage for more sophisticated forms of identity fraud.
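The "conventional analysis" Sartin contrasts with the PIN cash-outs, finding the common transaction point shared by victims' legitimate spending histories, as an added worked example (not code or data from the article or from Verizon Business): given a constructed set of cards whose holders reported unauthorized ATM withdrawals, plus every card's legitimate transaction history, the merchants and processors are ranked by how much more often they appear among victim cards than among unaffected cards. The card histories, point names and the lift measure are constructed assumptions.

```python
"""Common-point-of-compromise ranking over card transaction histories.

Added illustration; the card histories, point names and lift measure are
constructed assumptions, not data from the report.
"""
from collections import Counter

# Constructed: card id -> points (merchants/processors) in its legitimate history.
HISTORIES = {
    "card-001": ["grocer-A", "processor-X", "gas-B"],
    "card-002": ["processor-X", "cafe-C"],
    "card-003": ["grocer-A", "processor-X"],
    "card-004": ["processor-X", "grocer-A", "gas-B"],
    "card-005": ["grocer-A", "gas-B"],
    "card-006": ["cafe-C", "grocer-A"],
    "card-007": ["processor-X", "gas-B"],
    "card-008": ["grocer-A"],
}

# Constructed: cards whose holders reported zero balances / unauthorized ATM withdrawals.
FRAUD_REPORTS = {"card-001", "card-002", "card-003", "card-004"}


def rank_compromise_points(histories, victims):
    """Return [(point, victim_count, victim_rate, control_rate, lift), ...], best first.

    victim_rate:  share of victim cards whose history contains the point.
    control_rate: the same share among cards with no fraud report.
    lift:         victim_rate - control_rate. A busy merchant that everyone uses
                  scores near zero; a point used by nearly all victims and few
                  others scores high and is the likely source of compromise.
    """
    victims = {c for c in victims if c in histories}
    controls = [c for c in histories if c not in victims]
    if not victims:
        return []

    victim_counts = Counter()
    for card in victims:
        victim_counts.update(set(histories[card]))  # count each point once per card
    control_counts = Counter()
    for card in controls:
        control_counts.update(set(histories[card]))

    rows = []
    for point, v in victim_counts.items():
        victim_rate = v / len(victims)
        control_rate = control_counts[point] / len(controls) if controls else 0.0
        rows.append((point, v, victim_rate, control_rate, victim_rate - control_rate))

    # Highest lift first; ties broken by victim count, then by name for determinism.
    rows.sort(key=lambda r: (-r[4], -r[1], r[0]))
    return rows


if __name__ == "__main__":
    for point, v, vr, cr, lift in rank_compromise_points(HISTORIES, FRAUD_REPORTS):
        print(f"{point:12s} victims={v} victim_rate={vr:.2f} "
              f"control_rate={cr:.2f} lift={lift:+.2f}")
```

With the constructed data, `grocer-A` appears in three of the four victim histories but also in three of the four unaffected ones, so its lift is zero, while `processor-X` appears in every victim history and only one control, which is the pattern an investigator would take to the processor. Comparing against a control population is what keeps a merchant that simply has many customers from topping the list.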

#10 -- Account Manipulation

#11 -- Fraud Pattern Changes

#12 -- Foreclosure Prevention Schemes

#13 -- Builder Bail-Out Fraud
