The world of cybercrime is evolving rapidly and is already a sophisticated, organised mirror of the legitimate IT industry, and unless organisations adapt they will continue to fall prey to fraudsters. This is the overarching theme from the Antifraud Command Centre (AFCC) of security giant RSA.
The AFCC developed from the acquisition of security and authentication specialist Cyota in 2005. Based in Herzliya, Israel, the centre provides the basis for RSA's antifraud services to the financial industry and beyond.
Michal Blumenstyk-Braverman, Israel general manager, RSA, and Identity Protection and Verification (IPV) business unit manager, said that the world of fraudsters is organised very much along the lines of the legitimate industry.
"It's like a mirror image of the real world," said Blumenstyk-Braverman.
Blumenstyk-Braverman, who was chief operating officer of Cyota when it was acquired, said that the fraudsters have highly efficient communications channels to sell their wares and stolen credentials and to share intelligence.
Daniel Cohen, head of business development, online threat management services (OTMS), RSA, outlined the main pillars of the underground version of the industry. The first is malware development, where easy-to-use tools are created to allow those with only a passing knowledge of the subject to create custom Trojans and malware for their own specific purposes. There are also infrastructure providers who will supply anything from networks of compromised machines (botnets) to hosting for exploits or drop points. The cash-out providers offer ways to turn ill-gotten gains into real money that can then be laundered through various schemes. And finally there is the training and support infrastructure, where individuals provide one-to-one tuition in the full understanding and use of the tools and services, at very competitive rates.
The AFCC specialises in preventing the kind of fraud against financial institutions that can result from these fraudsters using the likes of a phishing attack to steal credentials.
Once credentials have been stolen, it can be difficult to prevent an unauthorised log-in from taking place, putting the compromised account at risk. The RSA risk engine uses a scoring system of 1-1,000 to identify how risky a log-in may be.
RSA works with client companies to set risk scores and thresholds according to the risk appetite of the client. A rising risk score means that the user attempting to log in is challenged with ever higher requirements to gain access, which could be in the form of additional security questions, SMS-conveyed codes or even a phone call.
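The mechanism described in the two paragraphs above (a 1-1,000 risk score, client-set thresholds, and challenges that escalate with the score) is easier to reason about in code. The following is an added illustration, not RSA's risk engine or any RSA code: the login signals, their weights, the two client threshold profiles and the sample traffic are all constructed assumptions; only the score range and the three challenge types come from the article.

```python
"""Toy risk-based step-up authentication.

Added example, not RSA's risk engine. Signals, weights, thresholds and
sample attempts are constructed; only the 1-1,000 score range and the
challenge types (security questions, SMS code, phone call) are from the text.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_known: bool        # device fingerprint seen before for this user
    country: str              # geolocated country of this attempt
    home_country: str         # country the account normally logs in from
    failures_last_hour: int   # recent failed attempts against the account
    hour_of_day: int          # local hour of the attempt (0-23)


# Constructed weights. A production engine would learn and retune these
# from detection results rather than hard-code them.
BASELINE = 20
WEIGHT_NEW_DEVICE = 300
WEIGHT_FOREIGN_COUNTRY = 350
WEIGHT_PER_FAILURE = 60
FAILURE_CAP = 240
WEIGHT_ODD_HOUR = 120
TYPICAL_HOURS = range(6, 24)


def risk_score(a: LoginAttempt) -> int:
    """Combine the signals into a score clamped to the 1-1,000 scale."""
    score = BASELINE
    if not a.device_known:
        score += WEIGHT_NEW_DEVICE
    if a.country != a.home_country:
        score += WEIGHT_FOREIGN_COUNTRY
    score += min(WEIGHT_PER_FAILURE * a.failures_last_hour, FAILURE_CAP)
    if a.hour_of_day not in TYPICAL_HOURS:
        score += WEIGHT_ODD_HOUR
    return max(1, min(1000, score))


# Client-set thresholds as (minimum score, challenge), ascending. The
# challenge applied is the highest rung whose minimum the score reaches.
Thresholds = List[Tuple[int, str]]

CAUTIOUS_CLIENT: Thresholds = [      # low risk appetite: challenges early
    (0, "allow"),
    (250, "security_questions"),
    (500, "sms_code"),
    (800, "phone_call"),
]
TOLERANT_CLIENT: Thresholds = [      # higher risk appetite: fewer challenges
    (0, "allow"),
    (400, "security_questions"),
    (700, "sms_code"),
    (900, "phone_call"),
]


def challenge_for(score: int, thresholds: Thresholds) -> str:
    """Map a score onto the client's escalating challenge ladder."""
    chosen = thresholds[0][1]
    for minimum, challenge in thresholds:
        if score >= minimum:
            chosen = challenge
    return chosen


def evaluate(attempts: List[LoginAttempt], thresholds: Thresholds):
    """Score every attempt and decide which challenge (if any) it gets."""
    results = []
    for a in attempts:
        score = risk_score(a)
        results.append((a.user, score, challenge_for(score, thresholds)))
    return results


def challenge_rate(results) -> float:
    """Fraction of attempts that received any step-up challenge."""
    if not results:
        return 0.0
    return sum(1 for _, _, c in results if c != "allow") / len(results)


# Constructed sample traffic (not real users or data).
SAMPLE = [
    LoginAttempt("alice", True, "IE", "IE", 0, 10),   # routine log-in
    LoginAttempt("bob", False, "IE", "IE", 0, 14),    # unfamiliar device only
    LoginAttempt("carol", False, "RO", "IE", 2, 3),   # new device, abroad, failures, 3am
    LoginAttempt("dave", True, "US", "IE", 0, 9),     # known device, unusual country
]

if __name__ == "__main__":
    for profile, thresholds in (("cautious", CAUTIOUS_CLIENT), ("tolerant", TOLERANT_CLIENT)):
        results = evaluate(SAMPLE, thresholds)
        print(profile, results, "challenge rate:", challenge_rate(results))
```

The same four attempts produce different challenge rates under the two profiles, which is the trade-off the article describes: a client with low risk appetite challenges more users (and more legitimate ones) to catch the same fraudulent log-ins.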
Citing an example from a UK bank, Blumenstyk-Braverman said that among 50 million transactions per month, up to 2,000 users could face an additional challenge over their normal log-in, and this alone provided a 92% detection rate for fraudulent log-ins.
Unfortunately, the risk does not stop with stolen credentials, as mobile devices are increasingly targeted. Even out-of-band verification methods, such as one-time codes via SMS, can be intercepted. Blumenstyk-Braverman said that Trojans have been found targeting the likes of the Android mobile operating system that steal such codes and allow fraudsters to use them.
Marcello Blatt, Big Data research manager, information security, RSA, said that the risk engine is constantly evolving to meet such threats. The engine learns as it goes, using the attempts it encounters and their detection results to keep pace with the evolving threats.
RSA's success in the area is characterised by a ticking clock that sits proudly in the AFCC reception. "Every time we stop a fraudulent transaction for a client, it has a monetary value," said Blumenstyk-Braverman. The clock is currently well over €1.9 billion and counting, despite being reset each January.
For more detail see the next issue of ComputerScope, available 14 September.