In the Wake of Recent Breach It’s Time to Revisit Your Fraud Strategy

Sep 18, 2017 | by Angel Grant, CISSP

Organizations should expect consumers will demand more security from those they do business with.  Especially in light of the recent mega breach where highly sensitive personally identifiable information (PII) from over 143 million U.S. citizens were impacted – that is about 72% of U.S. population between 20 years and full retirement age. Such massive breaches increase the threat level for information security and fraud attacks, as identity theft and credential abuse.

It is critical that organizations pause for a moment and reflect on critical stepsthey must immediately focus on to align information security and fraud strategies to mitigate risk. At a minimum you should focus on these six actions:

Monitor the dark web and open social media forums – because of the billions of stolen credentials from different sources currently available in the hands of cybercriminals, the cybercrime underground has such a surplus of compromised credentials, so they are looking for new ways to sell them outside of the traditional dark web marketplaces. RSA found over 500 fraud-dedicated social media groups around the world, with over 300,000 members. The number of individuals involved in these types of social groups continues to grow.  Cybercriminals make a large amount of money in underground forums. Prices for stolen credentials vary a lot, mainly depending on which details are provided, how high quality they are and from which country. While cheap "fullz" including only a few details costs between $1.50 and $5USD, high quality data may demand between $20 to $65USD for North American credentials.

Use Infinite factors to determine identity Risk – organizations should no longer rely solely on a couple of factors in determining if a legitimate consumer is interacting with them, such as traditional username, SSN and public information.  In our interconnected digital world identities are now made up of infinite factors, and everything is part of a credential. Every ounce of meta data we leave behind in our digital footprint can be used to create a deep composite user profile. By assembling many unrelated attributes and correlating across channels will dramatically aid in user profiling to dynamically assess risk of unauthorized access or fraudulent transactions.

Be prepared for credential stuffing – this breach adds high quality information to the billions of previously stolen credentials which are being sold in the underground. Criminals are looking for fast ways to test if the credentials they bought are still valid and which sites they may work at.  Due to this demand, credential stuffing tools such as SentryMBA make it easy for fraudsters to check the validity of username/password pairs in a few moments - and, of course, counting on the fact that most users will re-use the same email address, user ID and password on multiple websites. Organizations must put mitigation strategies in place to help identify credential testing, which often precedes account takeover (ATO). Organizations should look for robotic behavior in the web session and trigger an alert when something looks anomalous. A couple of things you can identify when monitoring a user online interaction are:

-          IP addresses responsible for high hits on the login/forgot password pages and ones that have minimal page hits elsewhere

-          Successful logins then immediate session drops

-          High failed login count

-          IP addresses with multiple associated users located in foreign geo-locations or locations that aren’t associated with normal application traffic

Monitor for identity theft and ATO – after the cybercriminal verifies credentials purchased on the dark web are still valid, you should anticipate a spike in unauthorized new accounts and ATO attempts.  The recently stolen information is high-quality consumer data and will aid in the ID theft attacks, ranging from new credit card applications, loans, healthcare insurance fraud and the creation of synthetic identities. RSA’s Data Scientist team analyzed fraudulent patterns and have observed that new accounts had 15 times greater fraud rates in the first ten days after registration. We also see fraudsters use their own devices to commit fraud - the fraud rates are 3x higher coming from a new device, as well as 55% of fraud activities originate from a brand new device to a user.  And if you look at existing accounts when profile changes occur (such as password reset, new mailing address, adding a new payee), that should trigger a high risk score. More than 70% of fraudulent payments are performed when a brand new payee is set up, which should scream mule account.

Expect a new wave of ransomware – a new batch of high-quality stolen credentials motivates cybercriminals to launch new series of phishing attacks, targeted attacks as spear phishing and the most destructive ransomware attacks. Organizations should immediately determine what data matters most, classify it, make it useless to others with encryption / tokenization, back it up, and then monitor the heck out of it.  RSA identifies a new Phishing attack every 30 seconds and organizations must expect that a new wave will be triggered and could be linked to ransomware.  Remember it is all about the base - cybercriminals don’t behave the same way normal site or network users do; they move faster, navigate differently and leave more than one digital trail behind. Consistently identifying and tracking the interactions that occur from the beginning of a web session, through login and transactions helps you create a reliable baseline to quickly and effectively discover anomalies and spot advanced attacks

-          Monitor users -  take inventory of who has access and what they are doing,

-          Monitor Endpoint  - look for Signatures (known = seen before) vs. behaviors (always evolving)

-          Monitor Network – focusing on things like full packet capture so you can expose command and control (C2) connectivity

Assess your GRC framework – Think worst case scenario, are you ready? Ensure you have a solid coordinated process between your information security, fraud and risk teams and know how to execute against it.  The 7 steps to build a GRC framework is a great starting point. You should also know the OWASP top vulnerabilities   and ensure you have a plan to address them. Nearly all of them are due to coding errors and were exploited by some type of software bot.  Many times cybercriminals find it is much easier to leverage the vulnerabilities and biz logic flaws in websites than it is to write their own custom code. Why do the work when someone has done it for you? Remember it is an economics game for cybercriminals.

 

A new report, produced by 451 Research and commissioned by RSA, helps fraud and security decision-makers navigate the complex world of web behavior analytics, enabling them to counter the threats posed by massive data breaches, including account takeover and new account fraud, without interfering with their organization’s core business. At RSA, we are proud to be Defenders of the Digital Universe and will continue to be vigilant in protecting our customers and the global economy. If an enemy attacks we all need to become defenders – join the good fight! Learn how by following us on @RSAFraud.

Author: Angel Grant, CISSP

Category: RSA Point of View, RSA Fundamentals

Keywords: Artifical Intelligence, Fraud, GRC, Information Security, Risk Management, RSA Archer, RSA Adaptive Authentication, Fraud Prevention