Cybercrime to financial services: attacks aimed at taking over customer transactions and online banking sessions, as well as attacks against the financial institutions themselves.
6. Cybercrime
A harmful activity, executed by one group (including both grassroots and nationally coordinated groups) through computers, IT systems and/or the internet, and targeting the computers, IT infrastructure and internet presence of another entity.*
* www.iosco.org, International Organization of Securities Commissions
7. Cybercrime
A.k.a. computer-oriented crime: crime that involves a computer and a network.*
* Moore, R. (2005) "Cyber crime: Investigating High-Technology Computer Crime," Anderson Publishing.
8. Cybercrime classification
• Crime against individuals
• Crime against property
• Crime against organizations
• Crime against society
11. Cybercrime against property
Another class of cybercrime is crime against all forms of property. This kind of crime is normally prevalent in financial institutions or is committed for the purpose of financial crime.
• Cracking
• Computer vandalism
• Intellectual property crimes
• Threatening
• Cyber squatting
13. Cybercrime against organizations
Also known as cyberterrorism: the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political gains through intimidation.* It:
• is motivated by a political, religious or ideological cause;
• is intended to intimidate a government or a section of the public to varying degrees;
• seriously interferes with infrastructure.
* wikipedia.org
15. Cybercrime against society
An unlawful act done with the intention of causing harm in cyberspace that affects a large number of persons. These offences include:
• Cyber trafficking
• Online gambling
• Child pornography
• Large-scale financial crimes
• Salami attacks
25. Threats to financial services
Financial threats are aimed at taking over customer transactions and online banking sessions, and also at attacking the financial institutions themselves. They fall into two groups:
• Against customers
• Against financial institutions
26. Threats to financial services: the most common threats against customers
• Credit card fraud
• Financial Trojans
• Social engineering (phishing)
• Mobile fraud
27. Credit card fraud
Credit card fraud is a wide-ranging term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account.
• Hacked e-commerce sites
• Fake websites / payment gateways
• Phishing
• Card data sold on the black market
30. Financial Trojans: malware
One of the major threats to cyber security today is malicious software, often referred to as malware. Malware exploits software vulnerabilities in browsers, third-party software and operating systems to gain access to the device and its information and resources. To spread, malware also uses social engineering techniques to trick users into installing and running the malicious code. Families of malware:
• Viruses
• Worms
• Remote access tools
• Rootkits
• Trojan horses
• Spyware
• Adware
• Ransomware
31. Financial Trojans
A.k.a. banking Trojan: a Trojan horse that redirects traffic from banking and financial websites to another website, ostensibly one the attacker controls. When the software is executed it copies itself onto the host computer, creating folders and setting Registry entries so that it runs again each time the system is started. Well-known families:
• Zeus
• SpyEye
• Shylock
• Dyre
• Carbanak
• Odinaff
36. "Token Synchronization" attack on transfers
Attack flow reconstructed from the slide's diagram (translated from Indonesian). The Trojan is a man-in-the-browser on the customer's PC; "token 2" is the token mode that takes a numeric challenge code, "token 1" the mode that does not.
1. The customer enters username & password into the (injected) banking page.
2. The attacker logs in with the customer's username & password and immediately adds the attacker's own account to the transfer list; the bank asks for a token 2 response.
3. The Trojan displays a numeric code for token 2 to the customer (presented as a "token synchronization" step) and asks for the token 2 result.
4. The customer is asked to enter the result of Apply Token 2; the Trojan sends that result to the attacker.
5. The attacker makes a transfer to the attacker's account; the bank asks for token 2 again.
6. The Trojan sends the customer the numeric code for token 2 and asks for the token 2 result.
7. The customer enters the result of Apply Token 2; the Trojan sends it to the attacker.
8. The attacker enters the token 2 code and is asked to enter a token 1 code for confirmation.
9. The Trojan sends the customer a request for the token 1 result; the customer enters the result of Apply Token 1; the Trojan sends it to the attacker.
10. The attacker enters the token 1 code and the transfer succeeds.
11. The customer's balance is reduced.
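The relay above, as an added model written for this page (it is not code from the slides or from any bank): a man-in-the-browser Trojan proxies token answers between the victim and the attacker, and the two bank modes show why a challenge-response token alone does not stop it. Assumptions: the token computes HMAC-SHA256 over the data it is given and shows 6 digits (real tokens use vendor-specific algorithms), the two token modes of the diagram are collapsed into one challenge-response step, and the seed and account numbers are made up.

```python
# Added example, not from the slides. Assumed token algorithm and made-up data.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple


def token_response(seed: bytes, data: str) -> str:
    """Assumed token algorithm: 6 digits derived from HMAC(seed, data)."""
    mac = hmac.new(seed, data.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Online-banking backend in one of two modes.

    'nonce'  : the token-2 challenge is a random number unrelated to the transfer,
               so any valid answer confirms whatever transfer is pending.
    'signing': the challenge is the beneficiary account and amount of the transfer
               the bank is about to execute ("what you see is what you sign").
    """

    def __init__(self, seeds: Dict[str, bytes], mode: str) -> None:
        self.seeds = seeds
        self.mode = mode
        self.pending: Dict[str, Tuple[str, int, str]] = {}

    def start_transfer(self, user: str, dest: str, amount: int) -> str:
        if self.mode == "nonce":
            challenge = f"{secrets.randbelow(10**8):08d}"
        else:
            challenge = f"{dest}|{amount}"
        self.pending[user] = (dest, amount, challenge)
        return challenge

    def confirm(self, user: str, response: str) -> bool:
        dest, amount, challenge = self.pending.pop(user)
        expected = token_response(self.seeds[user], challenge)
        return hmac.compare_digest(expected, response)


class Customer:
    """Victim holding a token; `intended` is the set of transfers they really want."""

    def __init__(self, seed: bytes, intended: List[Tuple[str, int]]) -> None:
        self.seed = seed
        self.intended: Set[Tuple[str, int]] = set(intended)

    def answer_prompt(self, challenge: str) -> Optional[str]:
        # A bare number means nothing to the customer, so the injected
        # "synchronise your token" page gets it answered blindly.
        if "|" not in challenge:
            return token_response(self.seed, challenge)
        # In signing mode the prompt is readable: a beneficiary and an amount.
        # The customer only signs a transfer they entered themselves.
        dest, amount = challenge.split("|")
        if (dest, int(amount)) not in self.intended:
            return None
        return token_response(self.seed, challenge)


SEED = b"victim-token-seed-(assumed)"


def relay_attack(mode: str) -> bool:
    """Attacker, logged in with stolen credentials, transfers to his own account
    and has the Trojan fetch the token answer from the victim (steps 5-10)."""
    bank = Bank({"alice": SEED}, mode)
    victim = Customer(SEED, intended=[])
    challenge = bank.start_transfer("alice", dest="9988776655", amount=25_000_000)
    answer = victim.answer_prompt(challenge)      # Trojan shows the prompt to the victim
    if answer is None:
        return False                              # nothing to forward
    return bank.confirm("alice", answer)          # Trojan forwards, attacker submits


def legitimate_transfer(mode: str) -> bool:
    bank = Bank({"alice": SEED}, mode)
    alice = Customer(SEED, intended=[("1122334455", 500_000)])
    challenge = bank.start_transfer("alice", "1122334455", 500_000)
    answer = alice.answer_prompt(challenge)
    return answer is not None and bank.confirm("alice", answer)


if __name__ == "__main__":
    print("relay against nonce-based token 2 :", relay_attack("nonce"))
    print("relay against transaction signing :", relay_attack("signing"))
    print("legitimate transfer, signing mode :", legitimate_transfer("signing"))
```

The signing mode only helps because the data the customer types into the token is meaningful to them; an attacker who can talk the victim into typing a stranger's account number as a "sync code" still wins, so the bank-side half of the defence is detecting the relayed session itself (new device, new beneficiary, concurrent login).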
37. Social engineering
Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. Common vectors:
• Spear phishing
• Website attack vector
• Infectious media
• SMS spoofing
38. Phishing
Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Techniques:
• Link manipulation
• Filter evasion
• Website forgery
• Covert redirect (abusing an open-redirect or XSS vulnerability on a legitimate site)
• Social engineering
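A link inspector for the tricks listed above (link manipulation, lookalike hosts used for website forgery, covert redirect), added here as an example and not taken from the slides. The trusted domain, the redirect parameter names and every sample anchor are constructed for illustration, and the registrable-domain logic is deliberately crude (last two labels), which is fine for .com-style domains but not for country-code second-level domains.

```python
# Added example, not from the slides. Trusted domain, parameter names and samples are assumptions.
import ipaddress
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

TRUSTED_DOMAINS = {"examplebank.com"}            # assumed: the institution's real domain
REDIRECT_PARAMS = {"redirect", "redirect_uri", "url", "next", "return", "goto"}


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href: str, display_text: str = "") -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one anchor; an empty list means clean."""
    findings: List[Tuple[str, str]] = []
    u = urlsplit(href)
    host = u.hostname or ""
    reg = registrable(host)

    if u.username is not None:                    # http://examplebank.com@evil/...
        findings.append(("userinfo", f"text before '@' hides the real host {host}"))
    if is_ip(host):
        findings.append(("ip-host", f"raw IP address {host} as host"))
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("idn-host", f"internationalised host {host} (possible homograph)"))
    for trusted in TRUSTED_DOMAINS:               # examplebank.com.evil.example
        if trusted in host and reg != trusted:
            findings.append(("lookalike-subdomain", f"'{trusted}' used as a prefix of {reg}"))

    # Link manipulation: the visible text names one domain, the href goes to another.
    if "." in display_text and " " not in display_text:
        shown = urlsplit(display_text if "://" in display_text else "http://" + display_text)
        if shown.hostname and registrable(shown.hostname) != reg:
            findings.append(("text-href-mismatch", f"shows {shown.hostname}, goes to {host}"))

    # Covert redirect: a genuine bank URL whose redirect parameter points elsewhere.
    if reg in TRUSTED_DOMAINS:
        for name, values in parse_qs(u.query).items():
            if name.lower() in REDIRECT_PARAMS:
                for value in values:
                    target = urlsplit(value).hostname
                    if target and registrable(target) not in TRUSTED_DOMAINS:
                        findings.append(("covert-redirect", f"{name} sends the user to {target}"))
    return findings


# Constructed sample anchors (href, visible text) as they might appear in a phishing mail.
SAMPLE_LINKS = [
    ("https://examplebank.com/login", "examplebank.com/login"),
    ("http://examplebank.com@203.0.113.7/login", "examplebank.com"),
    ("https://examplebank.com.secure-verify.example/login", "Verify your account"),
    ("https://examplebank.com/sso?redirect_uri=https://evil.example/collect", "examplebank.com"),
    ("https://xn--examplebnk-3sb.com/login", "examplebank.com/login"),   # constructed punycode label
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        codes = [code for code, _ in inspect_link(href, text)] or ["clean"]
        print(f"{href}\n    -> {', '.join(codes)}")
```

The userinfo, raw-IP and punycode checks are cheap and catch most mass phishing; the lookalike-subdomain and covert-redirect checks need the institution's real domain list, which is why mail filters at a bank should be fed that list rather than rely on generic heuristics.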
41. Mobile fraud
Mobile banking continues to grow in popularity as customers drive the pace of change towards full-service banking apps in favor of physical visits to the branch. Banking apps are also becoming more popular than desktop sessions for many users, because they can leverage built-in authentication features of devices, such as fingerprint biometrics, making the login process particularly seamless.
44. Mobile fraud
• Fake banking apps (distributed via free apps)
• Mobile malware
• Spoofed SMS messages
• Phishing attacks
• Mobile app vulnerabilities
45. BankBot (research by Avast)
The new version of BankBot has been hiding in apps that pose as supposedly trustworthy flashlight apps, tricking users into downloading them, in a first campaign. In a second campaign, solitaire games and a cleaner app have been dropping additional kinds of malware besides BankBot. The malicious activity includes the installation of a fake user interface that is laid over the clean banking app when it is opened by the user. As soon as the user's bank details are entered they are collected by the criminal. In some countries, banks use transaction authentication numbers (TANs), a form of two-factor authentication required to conduct online transfers that is often used by European banks. The authors of BankBot intercept the victim's text message that includes the mobile TAN, allowing them to carry out bank transfers on the user's behalf.
Source: "Mobile banking Trojan sneaks into Google Play targeting Wells Fargo, Chase and Citibank customers" - https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers
50. Threats to financial services: the most common threats against financial institutions
• Distributed denial of service (DDoS)
• Blackmailing
• Bank-to-bank fraud
• ATM/POS attacks
• Salami attacks
• Multi-vector attacks
51. DDoS
A denial-of-service attack is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. In a distributed denial of service (DDoS) the flood comes from many sources at once.
54. Blackmailing
One of the more common attacks against healthcare providers involves the use of ransomware, where patient records or hospital networks are hacked and subsequently locked down until a ransom is paid, typically in a hard-to-trace electronic currency such as bitcoin.
56. ATM-related attacks
Jackpotting / cash-out attack: jackpotting is a term for attacks where malware takes control of the ATM PC and the cash dispenser function, thereby allowing the fraudster to cash out money directly. In most cases the malware is adapted to a specific environment, but the concepts can easily be migrated to different systems.
59. ATM-related attacks
Man-in-the-middle attack: MITM attacks focus on the communication between the ATM PC and the acquirer's host system. The malware can, for example, fake host responses to withdraw money without debiting the fraudster's account. Typically the malware is triggered during transactions with pre-configured card numbers. It can be implemented at a high software layer of the ATM PC or somewhere within the network.
61. Salami attack
A salami attack is a series of minor attacks that together result in a larger attack. Computers are ideally suited to automating this type of attack. Also known as penny shaving, it is the fraudulent practice of stealing money repeatedly in extremely small quantities, usually by taking advantage of rounding to the nearest cent (or other monetary unit) in financial transactions.
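A penny-shaving skim on an interest posting run, added here as an example (not from the slides), together with the controls that expose it. The balances, rate, period and the skim account are constructed. The point worth seeing in code is that the skim balances to the cent, so a totals-only reconciliation passes; the per-account rounding check and the beneficiary check are what catch it.

```python
# Added example, not from the slides. All figures below are constructed.
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Dict, Optional

CENT = Decimal("0.01")
RATE = Decimal("0.035")        # assumed annual rate
DAYS = 30                      # assumed accrual period

# Constructed deposit book: 1000 accounts with varied balances.
ACCOUNTS: Dict[str, Decimal] = {
    f"ACC{i:04d}": Decimal(1000 + 37 * i) + Decimal(i % 100) / 100 for i in range(1000)
}


def exact_interest(balance: Decimal) -> Decimal:
    return balance * RATE * Decimal(DAYS) / Decimal(365)


def post_interest(accounts: Dict[str, Decimal], skim_to: Optional[str] = None) -> Dict[str, Decimal]:
    """Produce the posting ledger {account: amount}.

    Honest run: each amount is rounded half-up to the cent.
    Skimmed run: every customer is rounded DOWN and the shaved fractions are
    accumulated and posted to the attacker's account, the classic salami.
    """
    ledger: Dict[str, Decimal] = {}
    crumbs = Decimal(0)
    for acct, balance in accounts.items():
        exact = exact_interest(balance)
        if skim_to is None:
            ledger[acct] = exact.quantize(CENT, rounding=ROUND_HALF_UP)
        else:
            posted = exact.quantize(CENT, rounding=ROUND_DOWN)
            crumbs += exact - posted
            ledger[acct] = posted
    if skim_to is not None:
        ledger[skim_to] = crumbs.quantize(CENT, rounding=ROUND_DOWN)
    return ledger


def reconcile(accounts: Dict[str, Decimal], ledger: Dict[str, Decimal]) -> dict:
    """Three checks a posting run should pass."""
    expected_total = sum((exact_interest(b) for b in accounts.values()), Decimal(0))
    posted_total = sum(ledger.values(), Decimal(0))
    # 1. Totals: allow at most half a cent of rounding per account.
    drift = posted_total - expected_total
    totals_ok = abs(drift) <= CENT / 2 * len(accounts)
    # 2. Per-account: a posting that is not the half-up rounding of the exact
    #    figure is biased; a skim shows up as many accounts biased the same way.
    biased = [a for a, b in accounts.items()
              if ledger.get(a) != exact_interest(b).quantize(CENT, rounding=ROUND_HALF_UP)]
    # 3. Beneficiaries: nobody outside the accrual base may receive a posting.
    unexpected = sorted(set(ledger) - set(accounts))
    return {
        "totals_ok": totals_ok,
        "drift": drift.quantize(CENT),
        "biased_accounts": len(biased),
        "unexpected_accounts": unexpected,
        "skimmed": sum((ledger[a] for a in unexpected), Decimal(0)),
    }


if __name__ == "__main__":
    print("honest :", reconcile(ACCOUNTS, post_interest(ACCOUNTS)))
    print("skimmed:", reconcile(ACCOUNTS, post_interest(ACCOUNTS, skim_to="ATTACKER")))
```

Use `Decimal`, never binary floats, for this kind of check: with floats the honest run itself drifts by fractions of a cent and the control loses its signal.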
63. SWIFT hacking
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication and is a member-owned cooperative that operates a trusted and closed computer network for communication between member banks around the world.
66. SWIFT hacking
The attackers obtained valid credentials that the banks use to conduct money transfers over SWIFT, and then used those credentials to initiate transactions as if they were legitimate bank employees. They installed malware on the bank's network to prevent staff from discovering the fraudulent transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transaction confirmations. In the case of the bank in Vietnam, the custom malware targeted a PDF reader the bank used to review the records of SWIFT money transfers; the malware apparently manipulated the PDF reports to remove any trace of the fraudulent transactions from them.
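The control that the printer and PDF-reader malware above was built to defeat is an independent reconciliation of what the messaging interface actually sent against the report that operators read. This example is added for this page (not from the slides and not SWIFT's or any bank's code): it parses simplified MT103 messages, drops one from the "printed report" the way the malware did, and reconciles. The messages, BICs, references and accounts are constructed; only fields :20:, :32A: and :59: are parsed.

```python
# Added example, not from the slides. Messages below are constructed, with fictional BICs.
import re
from decimal import Decimal
from typing import Dict

# Constructed: the messaging interface's outbound journal (authoritative).
JOURNAL = """\
{1:F01EXAMBDDHAXXX0000000001}{2:I103EXAMUS33XXXXN}{4:
:20:TRN20160204001
:23B:CRED
:32A:160204USD1950000,00
:50K:/0001234567
EXAMPLE BANK TREASURY
:59:/9876543210
GENUINE SUPPLIER LTD
:71A:SHA
-}
{1:F01EXAMBDDHAXXX0000000002}{2:I103EXAMUS33XXXXN}{4:
:20:TRN20160204002
:23B:CRED
:32A:160204USD20000000,00
:50K:/0001234567
EXAMPLE BANK TREASURY
:59:/5555000011
SHELL CORP FOUNDATION
:71A:SHA
-}
{1:F01EXAMBDDHAXXX0000000003}{2:I103EXAMUS33XXXXN}{4:
:20:TRN20160204003
:23B:CRED
:32A:160204USD250000,00
:50K:/0001234567
EXAMPLE BANK TREASURY
:59:/1234509876
GENUINE SUPPLIER TWO
:71A:SHA
-}
"""

BLOCK_RE = re.compile(r"\{1:.*?\n-\}\n", re.S)                       # one whole message
TEXT_RE = re.compile(r"\{4:\n(.*?)\n-\}", re.S)                      # its text block
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*?)(?=^:|\Z)", re.M | re.S)  # :tag:value, multi-line
AMOUNT_RE = re.compile(r"^(\d{6})([A-Z]{3})(\d+,\d{2})$")            # YYMMDD CCY amount


def parse_mt103(text: str) -> Dict[str, dict]:
    """Index messages by their :20: transaction reference."""
    messages: Dict[str, dict] = {}
    for block in TEXT_RE.findall(text):
        fields = {tag: value.strip() for tag, value in FIELD_RE.findall(block)}
        date, currency, amount = AMOUNT_RE.match(fields["32A"]).groups()
        account, name = fields["59"].splitlines()
        messages[fields["20"]] = {
            "date": date,
            "currency": currency,
            "amount": Decimal(amount.replace(",", ".")),
            "beneficiary": account.lstrip("/"),
            "name": name,
        }
    return messages


def strip_message(text: str, ref: str) -> str:
    """What the report malware did: delete the whole message carrying `ref`."""
    return "".join(b for b in BLOCK_RE.findall(text) if f":20:{ref}\n" not in b)


def reconcile(journal: Dict[str, dict], report: Dict[str, dict]) -> dict:
    missing = sorted(set(journal) - set(report))          # sent, but hidden from operators
    injected = sorted(set(report) - set(journal))         # shown, but never sent
    altered = sorted(r for r in journal.keys() & report.keys() if journal[r] != report[r])
    return {
        "missing_from_report": missing,
        "not_in_journal": injected,
        "altered": altered,
        "unreported_amount": sum((journal[r]["amount"] for r in missing), Decimal(0)),
    }


# Constructed: the printed confirmation report with message 002 removed.
REPORT = strip_message(JOURNAL, "TRN20160204002")

if __name__ == "__main__":
    journal = parse_mt103(JOURNAL)
    result = reconcile(journal, parse_mt103(REPORT))
    for ref in result["missing_from_report"]:
        m = journal[ref]
        print(f"ALERT {ref}: {m['currency']} {m['amount']} to {m['beneficiary']} "
              f"({m['name']}) was sent but is not on the report")
```

The check is only worth anything if the journal it reads comes from a system the report-generating host cannot write to (the interface's own database, or the correspondent's acknowledgements); a reconciliation that reads both sides from the same compromised workstation tells you nothing.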
67. Multi-vector attacks
Multi-vector attacks exploit common weaknesses in the security chain, such as poorly configured servers, gullible staff, vulnerable applications or a lack of multiple levels of defence, by combining elements like social engineering, spear phishing, contaminated USB drives and voice phishing with malicious attachments carrying code that exploits known or unknown vulnerabilities on the target system. Oftentimes, multi-vector attacks are designed to avoid traditional defences like anti-virus software, intrusion detection systems and other endpoint protection programs, which makes them elusive, difficult to detect and hard to defeat.
68. A security researcher examining Equifax's servers observed that an online portal, apparently created for Equifax employees only, was accessible from the open Internet.
70. Suggested controls and mitigation
Since financial threats mostly target customers and financial institutions, the following slides suggest controls and mitigations for each class of threat.
71. Social engineering (e.g. phishing)
A continuous exchange of intelligence about attacks and countermeasures among the IT security experts of financial institutions is considered to be almost the only possible defence against these types of attacks. A very important aspect of countering social engineering attacks is continued awareness-raising campaigns. Financial institutions need to have a proper customer education programme in place, not only addressing individual clients but also SMEs and large corporates, explaining the risks in layman's terms.
73. Malware
• Minimise the number of installed programs on the device (and install from trusted sources only).
• Regularly update the installed software and remove software that no longer has any use.
• Activate automatic updates for the OS and installed apps.
• Limit the use of administrative rights.
• Use and update anti-virus.
• Use and configure a firewall.
• Companies: use more sophisticated protections for users, such as IDS/IPS and APT protection.
• Use script blockers and e-mail filtering.
74. Mobile-related attacks (users)
• Update the software running on your mobile device with the latest security patches and upgrades; these should be sent to you by your network / operating system provider.
• Use a secure lock screen: set a password, PIN or fingerprint to unlock your device.
• Add a PIN or passcode to the voice-mail on your mobile device.
• Install anti-virus software on your mobile device.
• Use two-factor authentication when the risk is high.
75. Mobile-related attacks (bank / developers)
• Do not allow applications to be installed from unknown / untrusted sources.
• Do not allow jailbroken or rooted devices.
• Monitor app stores and the internet for fake applications.
• Implement anti-tampering controls.
• Protect app code with code signing and / or obfuscation.
• Implement strong encryption of sensitive data on the device.
• Do not consider frequently used third-party libraries secure; validate them before using them.
• Implement controls to protect the communication channel (e.g. TLS with certificate pinning).
• Implement device owner/user verification.
• Implement mobile device verification.
• Implement two-factor authentication when the risk is high.
• Perform application penetration testing.
76. Card-related attacks (merchants)
• 3-D Secure: an authentication protocol based on a three-domain model (acquirer, issuer and interoperability domains) to ensure the authenticity of both parties in internet transactions.
• Tokenisation: the process of substituting sensitive data with a non-sensitive equivalent called a token.
• PAN truncation: replaces the card number printed by any system with only the last four digits, the remainder usually being replaced by asterisks.
• Geolocation
77. Card-related attacks (issuers)
• Use strong authentication with the rollout of chip (EMV) & PIN.
• Geoblocking: to protect cards from being misused after skimming, it is strongly recommended to restrict cards to a geographical region of use.
• Blocking: limit the usage of cards to specific channels or specific contexts.
• Fraud monitoring: deploy a responsive, real-time fraud system with prevention capabilities. Ensure your fraud system identifies suspicious patterns of behaviour to stop fraud based on tailor-made scenarios and rules.
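An example of the "tailor-made scenarios and rules" the fraud-monitoring bullet calls for, added here and not taken from the slides or from any vendor's product. It scores each online-banking transfer on three signals that the token-synchronisation attack of slide 36 produces (a beneficiary added minutes before the transfer, a device the customer has never used, and a second session from another device at the same time) and holds the transfer when two or more fire. The event log, device history, windows and weights are all constructed for illustration.

```python
# Added example, not from the slides. Event log, device history and thresholds are made up.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Devices each customer has used before today (assumed to come from login history).
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice": {"dev-A1"},
    "bob": {"dev-B1"},
    "carol": {"dev-C1"},
}

# Constructed event log: (timestamp, user, session, device, event, beneficiary, amount)
Event = Tuple[str, str, str, str, str, str, int]
EVENTS: List[Event] = [
    ("2018-03-01T10:00:05", "alice", "s1", "dev-A1", "login", "", 0),
    ("2018-03-01T10:00:41", "alice", "s2", "dev-X9", "login", "", 0),            # attacker
    ("2018-03-01T10:01:10", "alice", "s2", "dev-X9", "add_beneficiary", "9988776655", 0),
    ("2018-03-01T10:03:02", "alice", "s2", "dev-X9", "transfer", "9988776655", 25_000_000),
    ("2018-03-01T11:15:00", "bob", "s3", "dev-B1", "login", "", 0),
    ("2018-03-01T11:16:30", "bob", "s3", "dev-B1", "transfer", "1122334455", 750_000),
    ("2018-03-01T12:40:00", "carol", "s4", "dev-C1", "login", "", 0),
    ("2018-03-01T12:41:00", "carol", "s4", "dev-C1", "add_beneficiary", "4433221100", 0),
    ("2018-03-01T12:45:00", "carol", "s4", "dev-C1", "transfer", "4433221100", 300_000),
]


def evaluate(events: List[Event], known_devices: Dict[str, Set[str]],
             beneficiary_window: timedelta = timedelta(minutes=15),
             concurrent_window: timedelta = timedelta(minutes=10),
             hold_score: int = 2) -> List[dict]:
    """Score every transfer; each rule that fires adds one point."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e[1]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for ts, _, session, device, event, dest, amount in evs:
            if event != "transfer":
                continue
            t = datetime.fromisoformat(ts)
            reasons = []

            # Rule 1: the beneficiary was created shortly before the transfer.
            if any(ev == "add_beneficiary" and d == dest
                   and timedelta(0) <= t - datetime.fromisoformat(ts2) <= beneficiary_window
                   for ts2, _, _, _, ev, d, _ in evs):
                reasons.append("new_beneficiary")

            # Rule 2: the transfer comes from a device this customer has never used.
            if device not in known_devices.get(user, set()):
                reasons.append("unknown_device")

            # Rule 3: another login from a different device within the window
            # (the customer's real session next to the attacker's).
            if any(ev == "login" and dev != device
                   and timedelta(0) <= t - datetime.fromisoformat(ts2) <= concurrent_window
                   for ts2, _, _, dev, ev, _, _ in evs):
                reasons.append("concurrent_session_other_device")

            score = len(reasons)
            alerts.append({
                "user": user, "session": session, "dest": dest, "amount": amount,
                "score": score, "reasons": reasons,
                "action": "hold" if score >= hold_score else "allow",
            })
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS, KNOWN_DEVICES):
        print(f"{a['user']:6} {a['session']} {a['amount']:>12,} -> {a['action']:5} {a['reasons']}")
```

Carol's transfer scores one point (a new beneficiary from her usual device) and is allowed; Alice's scores three and is held. In production the "hold" would trigger an out-of-band confirmation, and the device and concurrent-session signals come from session telemetry the web tier must already be recording.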
78. ATM-related attacks
• Apply communication authentication and encryption to ATM traffic (use TLS or a VPN).
• Establish a firewall.
• Harden the operating system, supported by a policy and procedure for doing so.
• Deploy anti-malware and logical protection (application whitelisting).
• Block unknown USB devices.
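The "communication authentication" bullet above is the control against the man-in-the-middle attack of slide 59, where malware on the wire fakes an approval from the acquirer host. This added example (not from the slides, and not any ATM vendor's protocol) shows the mechanism: the host MACs every response with a key it shares with the ATM, and the ATM refuses any approval whose MAC does not verify or that does not match an outstanding request. The key, the card numbers and the field layout are assumptions.

```python
# Added example, not from the slides. Key, card numbers and message layout are assumptions.
import hashlib
import hmac
import json
from typing import Dict, Tuple

HOST_KEY = b"atm-host-shared-key-(assumed)"
PAN_A = "4000000000000002"      # constructed test card
PAN_B = "4000000000000010"      # the fraudster's "pre-configured" card (slide 59)


def canonical(fields: dict) -> bytes:
    """Stable byte encoding of everything except the MAC itself."""
    body = {k: v for k, v in fields.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def host_respond(key: bytes, txn_id: str, pan: str, amount: int, approve: bool) -> dict:
    """Acquirer host side: take the decision and authenticate it."""
    fields = {"txn_id": txn_id, "pan": pan, "amount": amount,
              "decision": "APPROVE" if approve else "DECLINE"}
    fields["mac"] = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return fields


class AtmDispenser:
    """ATM side: only dispense on an authenticated answer to its own request."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: Dict[str, Tuple[str, int]] = {}

    def send_request(self, txn_id: str, pan: str, amount: int) -> None:
        self.outstanding[txn_id] = (pan, amount)

    def handle_response(self, resp: dict) -> Tuple[bool, str]:
        expected = hmac.new(self.key, canonical(resp), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(resp.get("mac", ""), expected):
            return False, "bad MAC: response not from the host"
        request = self.outstanding.pop(resp.get("txn_id", ""), None)
        if request is None:
            return False, "unknown or replayed txn_id"
        if request != (resp.get("pan"), resp.get("amount")):
            return False, "response does not match the request"
        if resp.get("decision") != "APPROVE":
            return False, "declined by host"
        return True, "dispense"


def scenario_genuine() -> Tuple[bool, str]:
    atm = AtmDispenser(HOST_KEY)
    atm.send_request("T1", PAN_A, 200)
    return atm.handle_response(host_respond(HOST_KEY, "T1", PAN_A, 200, approve=True))


def scenario_mitm_flips_decline() -> Tuple[bool, str]:
    """Slide 59: malware on the wire turns the host's DECLINE into APPROVE."""
    atm = AtmDispenser(HOST_KEY)
    atm.send_request("T2", PAN_B, 500)
    tampered = dict(host_respond(HOST_KEY, "T2", PAN_B, 500, approve=False))
    tampered["decision"] = "APPROVE"
    return atm.handle_response(tampered)


def scenario_replay() -> Tuple[bool, str]:
    """A genuine approval captured earlier is replayed against a new withdrawal."""
    atm = AtmDispenser(HOST_KEY)
    atm.send_request("T3", PAN_A, 100)
    approval = host_respond(HOST_KEY, "T3", PAN_A, 100, approve=True)
    atm.handle_response(approval)              # first use is legitimate
    atm.send_request("T4", PAN_A, 100)
    return atm.handle_response(approval)       # T3 is no longer outstanding


if __name__ == "__main__":
    print("genuine approval :", scenario_genuine())
    print("MITM flip        :", scenario_mitm_flips_decline())
    print("replay           :", scenario_replay())
```

This defeats an attacker who sits on the network. It does not help against jackpotting malware that already runs on the ATM PC (slide 56), which can read the key or drive the dispenser directly; that is what the hardening, whitelisting and USB-blocking bullets are for, and why production ATMs keep keys in the encrypting PIN pad rather than in PC software.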
79. Multi-vector attacks
• Perform offensive security exercises regularly (IT security penetration testing).
• Regularly perform security audits and vulnerability assessments.
• Financial institutions must keep investing in new state-of-the-art security technologies (advanced threat protection), ensuring that their cyber defence frameworks provide adequate response and defence in depth for identifying, stopping and recovering from multi-vector attacks.
80. References
• Harpreet Singh Dalla, Geeta, "Cyber Crime – A Threat to Persons, Property, Government and Societies" - http://ijarcsse.com/Before_August_2017/docs/papers/Volume_3/5_May2013/V3I5-0374.pdf
• European Payments Council, "2016 Payment Threats Trends Report" - https://www.europeanpaymentscouncil.eu/sites/default/files/KB/files/EPC293-16%20v1.0%20%202016%20Payment%20Threats%20Trends%20Report.pdf
• MEZIOUD Brahim, SMAI Ali (University of Medea), "The cybercrimes on financial and banking services: The Challenges and Treatment" - https://www.asjp.cerist.dz/en/downArticle/41/16/44/4701
• Accenture, "2017 Cost of Cyber Crime Study" - https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
• ThreatMetrix, "2017 Q3 Cybercrime Report" - https://www.threatmetrix.com/info/q3-2017-cybercrime-report/
• Symantec, "ISTR Financial Threat Review 2017" - https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-financial-threats-review-2017-en.pdf
• CyberSource, "2016 SEA Online Fraud Benchmark Report" - http://www.cybersource.com/content/dam/cybersource/en-APAC/Documents/SEA_Fraud_Benchmark_Report.PDF
81. Cybercrime: A threat to the financial industry
Ahmad Muammar WK, OSCE, OSCP, eMAPT
email: me@ammar.web.id