Expo 2013 S3-B-Thwarting the new faces of fraud

Transcription

Criminals are targeting smartphones and tablets
Thwarting the New Faces of Fraud: Smartphones and Tablets
Greg Litster, SAFEChecks
Industry experts expect mobile threats to surpass PC threats.
("Cybercrime: This Is War", report by JPMorganChase, 3/2013)
Juniper Networks, 2011 Mobile Threats Report:
- 10% of mobile apps leak logins or passwords
- 25% expose personally identifiable info (PII)
- 40% communicate with third parties
- Many apps lack encryption, and many share information insecurely.
- 30% of apps have the ability to obtain a device's location without the user's consent.
- 14% of apps request permissions that could lead to the initiation of phone calls without user knowledge.
Mobile web browsers also present threats. Browser-based attacks can be launched by simply visiting an infected site.
An emerging trend: "Spear Phishing" attacks (Trojans) on Android device apps that allow users to download Gmail attachments. It can compromise the mobile devices and the PCs or Macs to which these devices connect....
Kaspersky Lab research, April 2013
Spear Phishing is based on social engineering.... Fraudsters gather information about mobile users through groups with which they are affiliated, as well as social media channels.
Kaspersky Lab research, April 2013
App Security
Product Reviews: CNET.com, PCmag.com (MyLookOut, Bullguard, etc.)
Mobile Banking and Deposit Fraud
Scenario: A title insurance company gives John Doe a check at closing. John Doe deposits the check via a mobile app, then comes back to the office and returns the check, asking that it be made payable to John Doe or Jane Doe. The company does not think to put a Stop Payment on the first check, because they have the physical check in hand.
1. If a physical check is returned for a replacement, place a stop payment on the returned check. It may have been deposited remotely.
2. Recipient MUST sign an affidavit stating the check was not "deposited."
3. An Affidavit does not provide protection, only a right to sue and collect legal fees.
Check Fraud...
Why talk about Check Fraud? Check Fraud produces more losses than all other payment fraud COMBINED!
Total Non-Cash Payments by Method (Transactions, Billions)
[Bar chart: EBT, ACH, Credit Cards, Debit Cards, Checks; axis 0 to 35 billion]
2010 Federal Reserve Payments Study (the next Study will be released at the end of 2013)
"Checks continue to be widely used and abused, and fraud via check payments remains the overwhelming threat faced by companies."
Association for Financial Professionals (AFP), 2011 Payments Fraud Survey
"Checks remain the most popular vehicle for criminals committing payments fraud, even though the corporate use of checks has declined."
Association for Financial Professionals (AFP), 2013 Payments Fraud Survey
Fraudulent Payments by Method
(Some Respondents were hit multiple ways; total > 100%)
- CHECKS 87%
- Purchasing Cards 29%
- ACH Debits 27%
- Wire Transfer 11%
- ACH Credits 8%
Fraud Losses by Method
How Dollars were actually lost (Checks: 60% in 2011 -> 69% in 2012):
- CHECKS 69%
- Purchasing Cards 10%
- ACH Debits 9%
- ACH Credits 7%
- Wire Transfer 5%
Catch Me If You Can
Technology is making Frank Abagnale's "gift" achievable by mere mortals.
Frank Abagnale
The Evolution of Check Fraud
Counterfeit Checks ...Banks developed Positive Pay
Altered Payees ...Banks developed Payee Positive Pay
Added Payee Names: Checks pass right through Payee Pos Pay! How?
Banker Solutions
BOSTON'S # 1 SELLER
Typical Check Layout: Open Areas Where Forgers Add A New Payee Name
Typical Check Layout: Open Areas Where Forgers Add A New Payee Name
Multiple Payees: If it doesn't say AND, it is assumed to be OR.
A forward slash (virgule, vər-gyül, "/") = OR
Added Payee Names: No Banker Solution! (There is a software solution....)
Added Payee printed 2 lines above the original name – it will not be detected by Payee Positive Pay.
Strategies to Prevent Check Fraud
Don't Write Checks!
• Use Commercial Purchase Cards
• Pay electronically (ACH)
Commercial Purchase Card Benefits
1. Reduces check writing and check fraud risk
2. Does not expose the checking account number
3. Terminating a card is easier than closing a checking account.
4. Reduces bank per-item fees
5. Increases payment float by 40+ days
6. Reduces interest expense
7. Potential for Rebates or Rewards
ACH Payment Benefits
1. Reduces check writing and check fraud risk
2. Does not expose the checking account number
3. Reduces late fees
4. Reduces mailing expense and bank fees
5. Pay 1 invoice at a time, or
6. Pay multiple invoices and email remittance detail
If you're going to write checks....
#1: High Security Checks
Association for Financial Professionals (AFP) 2013 Payment Fraud Survey
Types of Attempted or Actual Check Fraud Events:
1. Payee Name Alterations = 49%
2. Counterfeit Checks = 29%
3. Dollar Amount Alterations = 28%
These attempts could be prevented with high security checks.
High Security Checks
Effective check fraud prevention strategies begin with a high security check.
1. Deter the forger (psychological warfare)
2. Thwart attempts to replicate or alter the check
3. May help protect you legally, e.g. from some Holder in Due Course claims
Important Security Features
What makes a check secure? 10+ safety features:
- Controlled Check Stock
- Dual-tone True Watermark
- Thermochromatic Ink (reacts to heat)
- Correctly Worded Warning Banner
- Toner Anchorage
- Copy Void Pantograph
- Chemical-reactive Ink + Paper
- Inventory Control Number on Back (laser)
- UV Ink + UV Fibers
- Microprinting
- Laid Lines
"Controlled" Check Stock is a critical security feature. It is unique to each end-user or entity.
Uncontrolled check stock is check stock that is generic (meaning it is not unique or customized to the end-user). It is available entirely blank to multiple organizations/entities (including fraudsters).
Uncontrolled check stock is a major contributor to check fraud.
#2: Payee Positive Pay
Positive Pay... a powerful tool!
Lawsuit: Cincinnati Insurance Company v. Wachovia Bank
$154,000 Loss from an Altered Payee
Preceding Events: Added or Altered Payee Names
Facts:
- Schultz Foods had 3 prior check fraud attempts and was encouraged by Wachovia Bank to use Positive Pay. Schultz Foods does NOT use Positive Pay.
- Schultz buys check fraud insurance from Cincinnati Insurance Company.
- Dec. 1, 2005: Schultz Foods issues $154,000 check payable to Amerada Hess Corporation.
- $154,000 check is intercepted and stolen. Payee Name changed to "Kenneth Payton."
- Kenneth Payton, an unwitting participant, deposits $154,000 check into TCF Bank.
- Per instructions, Kenneth Payton keeps $3,500 and wires $150K to Singapore to "...help a refugee South African family." The money disappears.
- Wachovia pays the altered check.
- January 2006: Schultz Foods notifies Wachovia Bank of Altered Payee and demands repayment.
- Wachovia demands repayment from TCF Bank (bank of first deposit; liable party).
- Wachovia Bank pursues TCF Bank for $154,000; does not pay Schultz Foods.
- Wachovia had a "defense" against Schultz Foods and its insurance company: A Signed Deposit Agreement.
- Schultz Foods makes a claim under its policy; Cincinnati Insurance Co. pays Schultz Foods $154,000.
- Cincinnati Insurance Co. sues Wachovia Bank for $154,000.
- Under UCC § 3-119, TCF Bank's attorneys, acting for Wachovia Bank, use Wachovia's "deposit agreement defense" against Cincinnati Insurance Co.
Resolution: Wachovia Bank Wins!
This case demonstrates you can have a great relationship with your bank and still lose a lawsuit!
If... Schultz Foods had used Positive Pay, the check may not have paid, and there may not have been a loss! (Exception: Added Payees)
Preventing Altered Payee Names
- High-security checks (includes "toner anchorage")
- Use 14 point font for Payee Name
- High-quality toner
- Hot laser printer (highest temperature setting available; replace fuser element every 2-3 years)
- Positive Pay with Payee Name Recognition
See Frank Abagnale's Fraud Bulletin, Page 7: A Primer on Laser Printing
Preventing Added Payee Names
Typical Check Layout: Open Areas Where Forgers Add A New Payee Name
Eliminate Added Payee Name Risk: No room for an Added Payee, strengthened by software
Identical check data:
10 point font – Easily scraped off – alteration covered with larger font
14 point font – Scrape-offs more visible, difficult to cover up
Identical data is printed on both checks. Which check would forgers prefer to attack?
Secure Number Font
Secure Name Font = 18 point
PAYEE NAME: Upper & lower case letters converted into UPPER CASE LETTERS
"Forger-Deterrent" Text
Holder in Due Course Text
Secure Seal barcode
"Secure Seal" is an image-survivable encrypted barcode. Barcode is created by a Printer Driver.
Barcode contains:
1. Drawer
2. Payee Name
3. Dollar Amount
4. Issue Date
5. Check Number
6. Account Number
7. Routing/Transit Number
8. X,Y coordinates on the check face of each data piece
9. Date and Time Check was printed
10. Laser Printer used
11. The employee that printed the check
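To make the two matching approaches concrete, here is an added example (not code from the slides or from SAFEChecks): a substring-style Payee Positive Pay match lets a payee name typed into the open area above the original pass, while a MAC over the issued fields rejects the same item. The HMAC, the shared key and the check data are assumptions standing in for the product's undisclosed encrypted barcode.

```python
# Added example, not from the slides or from SAFEChecks: a toy Payee
# Positive Pay match beside a signed "seal" over the issued check fields.
# The HMAC is an assumption standing in for the product's undisclosed
# encrypted barcode; the field list follows the slide's items 1 to 7.
import hashlib
import hmac
import json
import re

# Assumption: a key shared by the drawer's printer driver and the bank.
SEAL_KEY = b"constructed-demo-key-not-real"

FIELDS = ("drawer", "payee", "amount", "issue_date",
          "check_no", "account", "routing")


def normalize(name: str) -> str:
    """Fold case, whitespace and punctuation the way a name matcher would."""
    name = re.sub(r"\s+", " ", name.upper())
    return re.sub(r"[^A-Z0-9 ]", "", name).strip()


def make_seal(check: dict) -> str:
    """Printer-driver side: MAC over the issued fields (barcode payload)."""
    payload = json.dumps({k: check[k] for k in FIELDS}, sort_keys=True)
    return hmac.new(SEAL_KEY, payload.encode(), hashlib.sha256).hexdigest()


def payee_positive_pay(issued: dict, presented: dict) -> bool:
    """Typical payee-name match: the issued name must appear in the payee
    block read off the presented item. An added line still contains it."""
    return (issued["check_no"] == presented["check_no"]
            and issued["amount"] == presented["amount"]
            and normalize(issued["payee"]) in normalize(presented["payee"]))


def seal_positive_pay(issued_seal: str, presented: dict) -> bool:
    """Bank side: recompute the MAC over the fields as read from the item.
    Any added or altered payee text changes the payload, so it fails."""
    return hmac.compare_digest(issued_seal, make_seal(presented))


# Constructed issue record (names, numbers and dates are made up).
ISSUED = {"drawer": "Example Title Co.", "payee": "Acme Supply Company",
          "amount": "154000.00", "issue_date": "2013-05-01",
          "check_no": "10417", "account": "000111222", "routing": "123456789"}
ISSUED_SEAL = make_seal(ISSUED)

# The same check after a second payee name is typed into the open area
# two lines above the original, as the slide describes.
ADDED_PAYEE = dict(ISSUED, payee="Jane Doe\n\nAcme Supply Company")


def compare() -> dict:
    """Outcome of both checks on the clean item and on the added-payee item."""
    return {"payee_pos_pay_clean": payee_positive_pay(ISSUED, ISSUED),
            "payee_pos_pay_added": payee_positive_pay(ISSUED, ADDED_PAYEE),
            "seal_clean": seal_positive_pay(ISSUED_SEAL, ISSUED),
            "seal_added": seal_positive_pay(ISSUED_SEAL, ADDED_PAYEE)}
```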
8934 Eton Avenue, Canoga Park, CA 91304
Printer driver can:
1. Accumulate check data for Positive Pay
2. Change Font size
3. Add Barcode, Secure Name & Number fonts
4. Be configured to send Pos Pay files to the bank automatically
5. Reposition Check Placement
Printer Driver can Reposition the Check
Typical Check Layout – Check is on top and shows thru window envelope.
Payee Name, Address is printed in TOP white panel. Check is re-positioned to the bottom.
Check is Z-folded with TOP PANEL showing thru window. It is not obvious the envelope contains a check.
#3: Timely Account Reconciliation
ACH Fraud is on the rise! 2012 = 23% vs. 2013 = 27%
• Use ACH Filters or Blocks (a bank service)
• Select "Return All" as your default choice for ACH Debit Filter
• Set maximum debit limit for all Approved Vendors
• Be alert for small dollar ($1) ACH debits/credits
Cyber Crime
How a Remote Town in Romania Has Become Cybercrime Central
By Yudhijit Bhattacharjee, January 31, 2011
Expensive cars choke the streets of Râmnicu Vâlcea's bustling city center—top-of-the-line BMWs, Audis, and Mercedes driven by twenty- and thirty-something men sporting gold chains. I ask my cab driver if all these men have high-paying jobs, and he laughs. Then he holds up his hands, palms down, and wiggles his fingers as if typing on a keyboard. "They steal money on the Internet," he says.
The city of 120,000 has a nickname: Hackerville. It's something of a misnomer; the town is indeed full of online crooks, but only a small percentage of them are actual hackers. Most specialize in e-commerce scams and malware attacks on businesses.
Keystroke Logger Virus
Tracks every keystroke; sends hourly reports
Spreads by:
- Email, Web sites
- Infected files on network
- USB drive or CD
Trojan Horse
A malicious program concealed in something innocuous.
• Pictures, Video on Facebook and MySpace
• Free music downloads
• Email attachments
Phishing Emails
Contains keystroke logger virus
Can lead to "account takeovers"
Lawsuit: Experi-Metal, Inc. v. Comerica Bank
"Phishing" Attack: CFO responds to email with his login
82 Wires, $5,200,000
$560,000 Loss
Company sued the bank. Who won the lawsuit? The Customer!
WHY did the Bank lose?
1. Bank wired out funds exceeding Customer's Actual Account Balance (Overdraft = $5MM)
   (ZBA debited; Concentration Acct OD. Programming error remedied!)
2. Five (5) other companies were hit that day
3. Company was liable for CFO clicking on fake email, BUT
4. Company "won" lawsuit against Comerica, but
5. Company not awarded attorney fees (> $250K)
Choice Escrow and Land Title vs. BancorpSouth Bank
Computer Takeover: NO "Dual Control"
- March 17, 2010: Bank received an internet-based request to wire $440,000 out of Choice Escrow's Trust Account
- Wire transfer request to send $440K to Republic of Cyprus
- Wire to Cyprus was initiated using the User ID and password of a Choice Escrow employee
- Request not legitimate – Choice Escrow employee's computer was hacked, taken over by fraudsters
- Wire was initiated from IP address registered to Choice
- Bank authenticated employee's computer by detecting the secure device ID token that Bank previously installed
- NO "Dual Authentication" in place
- Immediately after wiring funds, Bank automatically generated a Transaction Receipt faxed to and received by Choice Escrow. Fax placed on a desk without review.
http://courtweb.pamd.uscourts.gov/courtwebsearch/mowd/qmC2dt555T.pdf
Bank: Customer Failed to Implement "Dual Control"
- Bank required online banking customers sending wires to utilize "Dual Control"
- Dual Control = 2 computers, 2 logins, 2 passwords
- Wire transfer could only be effectuated by two individuals using separate User IDs and passwords
- Choice declined in writing, TWICE, to use Dual Control
Feeble Argument about Dual Control
- Choice argued "Dual Control" was not "commercially reasonable" because...
- "...at times, one or both of the two individuals authorized to perform wire transfers through the [bank] system were out of the office due to various reasons."
- Court disagreed.
- Choice Escrow held liable for loss.
Official Comments to the Funds Transfers provisions of the UCC:
Sometimes an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper. In that case, under the last sentence of subsection (c), the customer has voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank.
Online Banking
Require 2 different computers to move $$
1. Computers #1-99 can "originate" wires
2. Dedicated "banking-only" Computer to "release" the wire / ACH
Official Comments to the Funds Transfers
provisions of the UCC:
The purpose of having a security procedure deemed to be
commercially reasonable is to encourage banks to
institute reasonable safeguards against fraud but not to
make them insurers against fraud.
A security procedure is not commercially unreasonable
simply because another procedure might have been
better or because the judge deciding the question would
have opted for a more stringent procedure. The standard
is not whether the security procedure is the best available.
Use a Layered Approach for Wires & ACH
• Dual Factor Authorization ("something you have (token), and something you know")
• "Out of Band" Authentication (text msg from bank with password for that specific wire)
• Tokens
• Transactional Alerts via Text, E-mail, or Voice call back (human confirmation)
Protect Passwords
FBI: 10 Most Popular Passwords
1. 123456
2. 12345
3. 123456789
4. Password
5. qwerty
6. trustno1
7. abc123
8. monkey
9. letmein
10. dragon
Cracking Passwords
2009
• Online games service RockYou.com hacked
• 32 Million plain-text passwords stolen
• 14 Million unique passcodes were posted
Overnight, the way hackers cracked passwords changed!
RockYou.com list confirmed nearly all CAPITAL LETTERS come at the beginning of a password. Nearly all NUMBERS and PUNCTUATION are at the end.
Revealed a strong tendency to use first names followed by years: Christopher1965 or Julia1984
Passwords Posted on the Web (5 Years Ago vs. Last Year): 100,000,000+
The Time it Took a Hacker to Randomly Guess Your Password
Length        lowercase    + Uppercase    + numbers and symbols
6 Characters  10 Minutes   10 Hours       18 Days
7 Characters  4 Hours      23 Days        4 Years
8 Characters  4 Days       3 Years        463 Years
9 Characters  4 Months     178 Years      44,530 Years
Today: It Takes a Hacker 12 Hours to Randomly Guess Your Password
Length: 8 Characters, Upper + Lower + Numbers + symbols: 12 Hours
This $12,000 computer containing 8 AMD Radeon GPU cards can brute force the entire keyspace for any eight-character password in 12 hours.
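The slide's figures can be turned into numbers a defender can reason with. The following is an added example, not from Greg Litster's slides: it derives the guess rate implied by "any eight-character password in 12 hours", and shows why the RockYou-style "first name + year" pattern (Christopher1965) collapses the keyspace no matter how long the password is. The character-set sizes, the name-list size (5,000) and the year range (130) are assumptions.

```python
# Added example (not from the slides): what the slide's figures imply about
# brute-force speed, and why the RockYou-style "Name+Year" pattern makes a
# long password cheap to guess.
import re

# Character-set sizes behind the table's three columns (assumption:
# 26 lowercase, 52 upper+lower, 95 printable ASCII for "+ numbers and symbols").
CHARSET = {"lower": 26, "lower+upper": 52, "all": 95}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an attacker must try to exhaust the space."""
    return charset_size ** length


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`.
    The slide's 8-GPU box covers all 8-character passwords in 12 hours."""
    return keyspace(charset_size, length) / seconds


# RockYou observation: capital first, digits last; a first name + 4-digit year.
NAME_YEAR = re.compile(r"^[A-Z][a-z]{2,14}(19\d\d|20\d\d)$")


def effective_keyspace(password: str, names_in_list: int = 5000,
                       years: int = 130) -> int:
    """Candidates a pattern-aware attacker needs for this password.
    A Name+Year password costs names x years (assumed 5000 x 130),
    not charset ** length."""
    if NAME_YEAR.match(password):
        return names_in_list * years
    if password.isalpha():
        size = CHARSET["lower"] if password.islower() else CHARSET["lower+upper"]
    else:
        size = CHARSET["all"]
    return keyspace(size, len(password))


def crack_seconds(password: str, rate: float) -> float:
    """Worst-case seconds to guess `password` at `rate` guesses per second."""
    return effective_keyspace(password) / rate


if __name__ == "__main__":
    rate = implied_rate(CHARSET["all"], 8, 12 * 3600)  # about 1.5e11 guesses/s
    for pw in ("Christopher1965", "Julia1984", "x7#Qv!2m", "q9$Lz!3wP"):
        print(f"{pw:16} {crack_seconds(pw, rate):14.1f} s")
```

A 15-character Name+Year password falls in microseconds at that rate, while a random 9-character mixed password takes weeks; length alone says little once the pattern is known.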
"Common Sense" Controls to Prevent Fraud
• Tone at the Top
• Fraud Hotlines
• Strong Internal Controls
• Bonding of employees / Temps
• Internal Audit reviews of Controls
"Common Sense" Controls to Prevent Fraud
• Purchasing (CC's / P Cards)
  • Written Policy with guidelines
  • Cardholder acceptance / Signature
  • Merchant / Category restrictions
  • Timely review of charges
"Common Sense" Controls to Prevent Fraud
• Vendors
  • Segregate approval of vendors from authorization of payments
  • Current authorized signer list
  • System that won't allow duplicate payments
  • Timely vendor payments including verification of goods / services
  • Timely reconciliation of paid checks / review of check images to records
• Skimming of Cash
  • Segregation of Duties
  • Policy on Voids / Credits
  • Prenumbered Receipts / Information
  • Surprise Cash Counts
Track Your Kids' Keystrokes
Kids keep 2 Facebook Accounts (Mom only sees one)
Spector Pro: Track your child's keystrokes, emails, MySpace, Facebook, IM, websites visited with Spector Pro (spectorsoft.com).
eBlaster forwards incoming and outgoing emails to your email address.
www.NoSlang.com
Internet Slang Dictionary & Translator
Sexting Slang Terms
Sexting can create serious long-term legal consequences for your child.
Spectorsoft.com/mobile
Texting app
What is Snapchat?
Snapchat is the fastest way to share a moment on iPhone and Android. You control how long you want your friends to view your messages. We'll let you know if we detect that they've taken a screenshot!
Is there any way to view an image after the time has expired?
No, snaps disappear after the timer runs out. You can save snaps that you capture by pressing the save button on the preview screen.
What if I take a screenshot?
Screenshots can be captured if you're quick. The sender will be notified if we detect you have taken a screenshot.
Holder in Due Course
Web: FraudTips.net
- An innocent party who accepts a check as payment for goods or services
- No evidence of alteration or forgery on face of the check, or knowledge of fraud by recipient
- Statute of Limitations
  • 10 years from date of issue
  • Three (3) years from date of return
- A Holder in Due Course can sell his/her rights
Trumps Stop Payments
Trumps Positive Pay
Trump (n.) To get the better of an adversary or competitor by using a crucial, often hidden resource.
Holder in Due Course Lawsuits (Federal Appellate Court)
Holder in Due Course #1
- Robert Triffin v. Cigna Insurance
  • Two year old check, payment stopped
  • No "expiration date" printed on check
  • UCC rules: 3 years or 10 years
Holder in Due Course Text
  • Print on check face: "This check expires and is void 25 days from issue date"
  • Don't re-issue check until first check expires
Someone who accepts an expired instrument as a Holder in Due Course Has No Legal Standing!
Holder in Due Course #2
- Robert Triffin v. Somerset Valley Bank and Hauser Contracting Company
  • 80 counterfeit checks on authentic-looking check stock (ADP payroll checks)
  • $25,000
  • Hauser Contracting held liable in both Courts because checks looked authentic
- Solution: Use controlled, high security check stock that cannot be purchased blank
Greg Litster, President
SAFEChecks
(800) 949-2265 direct
(818) 383-5996 cell
[email protected]