Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

DDOS attacks against U.S. Banks continue – linkages explored

by Avivah Litan  |  October 9, 2012  |  1 Comment

The latest DDOS attack today against Cap One, which hacktivists pre-announced, may be followed by two other attacks, pre-announced on Pastebin, against U.S. regional banks. I personally take these very seriously. In speaking with others closer to the situation, it appears the hacktivists are voluntarily stopping their attacks and taking breathers so that they don’t get caught. The authorities know which compromised servers are used to lob the mega payloads against the banks, but they haven’t yet identified or located the individuals conducting the attacks.

One highly respected researcher says there is direct evidence that the same tools used in January 2012 to take down the websites of the Israeli stock exchange and El Al airlines are being used for these DDOS attacks. And those attacks against the Israeli companies were publicly praised by Hamas leaders. No doubt, they are hiring English-speaking experts for the ‘technical details.’

So is there fraud against accounts at these banks under siege? There are anecdotal accounts of fraud getting through their call centers, where call volume ratchets up tremendously during the attacks when web applications are unavailable, and more ‘untrained’ call center staff are put to work to help handle the volume. The bad guys socially engineer or lie their way through the identity proofing processes, and are able to get wire transfers executed over the phone. Call center security is much weaker than web security. Now would be a good time to change that.


Financial Armageddon: Are the current DDOS attacks against U.S. Banks what we always worried about?

by Avivah Litan  |  September 27, 2012  |  4 Comments

That’s how a colleague who knows what he is talking about characterized the latest spate of DDOS attacks against the U.S. Financial industry. Financial Armageddon.

Frankly, after learning some of the details of these DDOS attacks, we should all breathe a sigh of relief that the hacktivists are taking a break, at least for now. From what I can tell, there is no reason they needed to, other than that they need these U.S. banks up and running so they can get the cash they need to sustain their lifestyles and nefarious activities.

Apparently, the DDOS attacks that are causing havoc at some of our most esteemed financial institutions are being launched from just 3000 compromised endpoints distributed around the world, all lobbing payloads of multiple megabytes that together add up to 100 gigabytes of noise blasting at the banks through their Internet pipes. This makes it impossible for customers and others using the same pipe to get to their websites.

From what I’ve been told (I’m not a network security specialist), the leading DDOS prevention software more or less stops working when the attacks get larger than 60-70 gigabytes and simply can’t handle the bandwidth of these 100-plus-gigabyte attacks. The major ISPs only have a few hundred gigabytes of bandwidth for all their customers, and even if they added more on to that, the hacktivists could quickly and easily eat the additional bandwidth up.

The only way to stop these attacks is to take down the compromised endpoints launching them, but that would mean working and coordinating with the thousands of service providers that serve them, not an easy feat!

I’ve also learned that the attackers are communicating with each other in English, so there’s no strong evidence that these attacks are being launched by an unfriendly nation state or foreign gang. That was my initial reaction upon learning about them.

Whether or not the hackers are robbing the banks in addition to denying their users service is unclear. They could very well be doing that – it’s a common ploy to launch a DDOS attack against a bank and then, when the security staff are all distracted, to go in for the ‘kill’ and transfer money out of bank accounts. That’s a common crime and battle tactic – distract the enemy and then go in for what you really want.

What’s the solution? Rapid identification and takedown of the offending endpoints conducting the attack. This should be possible as long as there is coordination and strong cooperation across countries and internet service providers.

In the meantime, don’t hold your breath waiting for that to happen. Instead, cross your fingers and check your bank balances as often as you can.


Mobile banking fraud hits Brazil

by Avivah Litan  |  August 17, 2012  |  9 Comments

It finally hit, in Brazil, which reminds me of how Internet banking fraud started: also in Brazil. It looks like the same mode of attack. One mobile device is used to illegally access multiple online bank accounts and to transfer money out of them to new payees or existing mule accounts. Apparently, the banks in Brazil are more liberal with online banking functionality (e.g. money transfers) on mobile devices than the North American and European banks are.

I also heard that some banks are having users set up separate, dedicated user ids and passwords for mobile banking. This helps in the documented cases where fraudsters illegally collect the credentials (user ids and passwords) used to access mobile banking applications, where they can’t do ‘too much’ damage because of the limited functionality, and then reuse those credentials in online PC-based banking where they can do much more. I’m guessing it’s probably also because the fraudsters already have scripts written for PC-based Internet banking attacks and are too lazy to rewrite them for mobile banking.

So mobile bankers beware – mobile malware is not rampant yet but it’s starting to appear. For now, solutions are sparse, costly, or not yet fully implemented. And it’s a lot more expensive to use a dedicated mobile device for mobile banking than it is to use a dedicated PC for PC banking.


Square and Starbucks will move mobile U.S. payments

by Avivah Litan  |  August 8, 2012  |  5 Comments

I don’t get very excited by much news anymore, but the Square/Starbucks announcement definitely got my adrenaline moving – even more than a couple of shots of espresso.

Square finally found a large enough payment acceptor – Starbucks – to ensure its mobile wallet will be on millions of American coffee drinkers’ smartphones. After all, it will be cool for Starbucks to recognize we are in the store, and all we have to do is give our name at the cash register for the payment to be processed.

Plus, Starbucks will save considerable money in credit card processing fees using Square, and together these companies will eventually move many consumers over to prepaid accounts (Starbucks or others) and other alternative, less costly payment instruments, for example direct bank (ACH) payments.

This announcement is significant – we finally have a killer app for a mobile wallet and we finally have strong mobile payment competitors taking on the legacy credit card payment networks. Just what free market competition is supposed to encourage.

I’m personally very psyched.


New Fraud Trend – Watch those Slippery Agents

by Avivah Litan  |  July 30, 2012  |  Comments Off

I’ve been hearing more and more from our clients about a new fraud trend involving agent- and distributor-based sales programs. These are the types of programs where distributors work at home and sell goods and products like makeup or nutritional supplements over the web, either directly to consumers or through other distributors whom they in turn sign up. In all cases the distributors – fake or real – get a commission on each sale.

In the fraud scheme, a bad guy sets up a distributor under a fake identity, then sets up another dozen or so fake distributors under his or her fake identity. Step two: the fake distributors use a bunch of stolen credit cards to order goods and have them shipped to the people whose credit cards were stolen. (The credit card theft victims may not even complain, at least for a while, if they like the goods received…)

The payout: commissions that are paid by the sponsoring company to the fake distributor(s).

The solution: we’ve published lots of research on a layered identity proofing approach, where for example a simple check of the applicant’s phone number and/or endpoint (e.g. PC) can spot most of this nefarious activity. Monitoring the accounts after they are set up is also a must and we cover the vendors who can do this in our Magic Quadrant on Web Fraud Detection.

Bottom Line – anyone who runs a sales distribution network should be on the lookout for bad players. You don’t want to reward these crooks with anything, let alone precious commissions. Instead, spend a little money on processes and technology that can knock them off your network quickly and definitively.


Small Kentucky town latest victim of credit card fraud affecting 25% of police force

by Avivah Litan  |  July 12, 2012  |  Comments Off

I’ve been hearing from U.S. banks that card fraud continues to be a major issue for them, while online bank account takeover and trojan-based attacks have flattened out. The new trend, they say, is ‘micro-attacks’ that are localized, small in nature and which stay under the radar longer, giving the crooks more time to rack up unauthorized charges.

Today I heard the latest example of this fraud trend. Law enforcement officials from Winchester, Kentucky report that a local restaurant appears to be the source of a lot of card fraud that has shown up since the breach apparently started in June. Winchester has a small population of just 17,000, with about 38,000 in its surrounding county, but already 12-15 banks serving that area have been affected by this card fraud. One bank has already lost $30,000, which is a lot of money for a local Kentucky bank. Stolen cards have already been used around the world, in places far from Winchester, including Singapore, Australia, the Dominican Republic and Brazil.

And here’s an unusual twist: One quarter of the town’s police force, which happens to like the food and ambience at this local restaurant, have had unauthorized charges on their credit cards as a result of this incident.

No one yet knows how it happened and where it happened but it appears that someone got into the store’s system remotely and siphoned off the cards’ magnetic stripe data so that the criminals could make counterfeit cloned cards.

The town doesn’t likely have cybercriminals capable of this type of crime. Given that the cards were used across the globe so quickly, the hacker who perpetrated this crime could very well be sitting in a coffee shop on the other side of the world.

In any event, the restaurant goers should get their money back, and hopefully the banks who refund the victims will in turn recover their money from the party actually responsible for this crime. It would be a shame to hold the restaurant responsible, since I doubt they even know what payment card data security is or means. Small businesses tend to rely on their vendors for that, and really aren’t aware that sometimes those vendors can’t deliver it.

It’s these small localized incidents that are giving mega banks and card issuers major headaches.


Court rules against bank in business account cyber-heist but who’s to blame?

by Avivah Litan  |  July 10, 2012  |  Comments Off

Last week, a federal appeals court reversed a May 2011 lower court ruling that held PATCO Construction Inc. responsible for ACH fraud committed by hackers who used the Zeus Trojan to pilfer $588,000 out of PATCO’s account at Ocean Bank in 2009. The appeals court deemed the bank’s security procedures ‘commercially unreasonable’ and recommended that the two parties settle the matter out of court. For more information on the court case, see http://www.bankinfosecurity.com/inside-pacto-fraud-ruling-a-4927

Similar to the 2008 financial crisis and the subprime mortgage market meltdown, everyone has an opinion on who is responsible for preventing business account heists, i.e. the bank, the business, or the government. I happen to think that while every party shares a piece of the culpability, the ultimate responsibility for preventing this type of fraud lies with Congress, which is all too heavily influenced by the almighty financial services lobby.

After all, the role of government is to look after and protect consumer and business interests that are not necessarily protected if the entities consumers and businesses trust (e.g. the banks) fail to protect them themselves.

Ocean Bank relied on a third-party online banking processor for its security and was asleep at the wheel when the fraud took place. They had the means to filter and monitor high-risk transactions but didn’t make good use of what they had. No doubt Ocean Bank assumed they were covered contractually with PATCO and had no liability for any business account losses, as there is no Reg E equivalent (the regulation that protects consumer accounts) on the business account side.

Further, our nation’s banking regulators – stretched as they may have been – also failed to ensure small banks like Ocean were doing their part in protecting customer assets. (The FFIEC banking regulators finally came out with an update to their Guidance on Internet Banking security in June 2011, or about three years too late).

This specific ruling will likely only have incremental impact. Other small businesses with the resources to sue their bank over similar incidents can now point to this ruling as they make their own case. But this battle will have to be fought one case at a time.

PATCO’s case and many similar small-business account takeover cases have been well publicized and already have had their major immediate impact with the 2011 update of the FFIEC guidance, which frankly isn’t enough. It’s only guidance, not regulation. And it’s definitely not a federal law.

The federal appeals court judge was right to say the bank did not employ reasonable security. But what the judge did not say, for whatever reason, was that the U.S. laws that apply to banks’ safeguarding of business accounts (found in the Uniform Commercial Code) are nowhere near as clear as those that protect consumer accounts (à la Regulation E). If they were, I doubt Ocean Bank would have ignored the signs that a theft of nearly $600,000 from one of its business customer accounts was going down.


Mobile Fraud creeps in?

by Avivah Litan  |  July 9, 2012  |  1 Comment

I’ve been talking with lots of financial services companies both in the U.S. and abroad over the past few months that have a strong presence in the mobile channel and are seeing very healthy use and growing adoption of their mobile applications. These apps range from mobile banking and brokerage services, to mobile shopping and mobile payments.

And here’s the punch line – none of them have seen any fraud worth reporting other than a couple of instances related to internal misuse and unauthorized activities. (Indeed, the only mobile fraud I heard of that had a real impact was done by fraudsters who set up mobile x-rated services and billed unknowing victims for accessing them using their mobile phones, which the fraudsters also took over in the middle of the night. The victims were generally too embarrassed to complain about the charges.)

The service providers expect this temporary respite in mobile fraud to change as they introduce higher risk transactions (e.g. lift payment or money transfer limits). Indeed, I think mobile fraud is already on its way.

A couple of days ago, I got a spam SMS message telling me I had won a $1000 Target gift card from a drawing I signed up for – along with a URL I should go to to redeem the card. My friend got the exact same SMS message. Of course we didn’t reply – and frankly it’s easier to spot fraudulent SMS messages than fraudulent emails, since they are fewer and farther between. Plus, the PC fraudsters know better than to tell me I won $1000. They would make it more realistic – like a $10 reward, which I would be happy to redeem since I keep forgetting my paper coupons that come in the mail when I go to Target.


Is the latest Global Payments breach just one of several others out there?

by Avivah Litan  |  April 2, 2012  |  13 Comments

I just got off the Global Payments call where they talked about their breach. Their breach seems to be very different from the one Visa issued an alert on. The information presented on the timing windows was different and was not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, while Global Payments only reported that they self-detected the breach in early March); the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payments reported only Track 2); and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.

Sounds like there’s a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about.

In the meantime, Global Payments, which was PCI compliant at the time of their breach, is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.

What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.


New credit card data breach revealed

by Avivah Litan  |  March 30, 2012  |  140 Comments

Just when we thought the big credit card data breaches were over, at least for a while (with Albert Gonzalez put away after his scams at TJX, Heartland Payments and others) – along comes a new one, reported today at www.Krebsonsecurity.com.

Visa and MasterCard have already issued warnings on this. I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently. From what I hear, the breach involves a taxi and parking garage company in the New York City area so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud.

One interesting twist again sheds light on the fact that knowledge-based authentication should not be relied upon. I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge-based authentication questions correctly. Looks like the hackers took over an administrative account that was not sufficiently protected.

Isn’t that usually the case? So if that’s indeed what happened, we can expect the PCI assessors to say NO to KBA on administrative accounts. They need to say NO to many different types of authentication which are being successfully bypassed by determined crooks. See our research on “The Five Layers of Fraud Prevention” and “When Strong Authentication Fails and What you can do about it.”

A layered approach is always best, since you have to assume the bad guys will get through one or two or even three layers.

In the meantime, I’m not sure what’s holding up public disclosure of this breach but expect it to come soon.
