MODERN BANK ROBBERY 101: THE INTRODUCTORY COURSE
Patrick Wheeler
Mar 2015
v1.2
• Historical bank robbery & sociological underpinnings
• Why digital robbery is the 'Perfect Crime'
• Some modern evolutions & why our traditional defenses are failing
• Where we can see solutions…
DISCLAIMER - Doing the Necessary
• This is not a How-To Manual and any effort to replicate techniques and methods herein may be met with variable success (and interest by law enforcement) …
• This is an effort to share one person’s experience in hopes it helps us all…
• These are largely my opinions (except where they aren’t)…
• These are definitely not the opinions of my employer (except where they are)…
• I may make mistakes and be factually incorrect (except where I ain’t & don’t)…
• I will be relying upon publicly available information (for some reason I hesitate to share specific company information in a public forum) …
• If I appropriated your images, my thanks (and apologies if I misuse, offend or fail to attribute) …
Patience Please:
• I tend to speak quickly …
• I abuse analogies and esoteric references …
• I apologize in advance if I stutter or stumble a little bit …
Please let me know if I can clarify anything…
… you can usually find me wherever someone is serving food or coffee
About what I do …
BIO – Patrick Wheeler has been involved in IT consulting, business, engineering and security for over 20 years. He has a Bachelor's in Environmental Engineering, an MBA and is a registered professional Civil Engineer. His background includes fun job titles like Security Architect, Audit Manager, Inspector, Systems and Security Analyst, Project Manager, Operations Director, VP of Operations and Chief Information Security Officer.
• His business, IT and best-practices focus is on information security, risk and compliance, including PCI and security program management as well as internal and external financial & technology audits. With a legal support background he serves as an expert witness to courts on various aspects of best practices and industry standards.
• He has been involved in many industries, from government agencies, financial services and banking through fashion, retail and technology startups. Prior to moving to Europe he served in California’s Silicon Valley and San Francisco Bay Area specializing in security, compliance and operational efficiency topics.
• Personal interests include driving old cars too fast while taking photographs (in well-controlled, secure environments). Oh, and waterwheels. He now regrets this hobby after writing a successful €2.5M EU grant to identify and convert old watermills to generate renewable electricity …
…&who I do it for
Fraud Triangle: Motivation (€ $) / Justification / Opportunity & Deterrence … by analogy with the Fire Triangle … & Bank Robbery
Donald Cressey, "Other People's Money: A Study in the Social Psychology of Embezzlement", frames the fraud problem as a "violation of a position of financial trust" that the person originally took in good faith.
1. Motivation: ‘That’s Where The Money Is’ (Willie Sutton)
Andrew Stone (1996), a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered … produce clone cards … withdraw the full daily limit for each account … also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison.
vs.
2. Justification: Sociologically, to get really depressed…
Dishonesty is the new Honesty (Dan Ariely, the RSA Animate version): …how getting caught matters less than we think in whether we cheat; and how business practices pave the way for unethical behavior, both intentionally and unintentionally. … how unethical behavior works in the personal, professional, and political worlds, and how it affects all of us.
Cheating is the new Fair Play: … some behavioral ethics researchers were startled by a study published recently in The Journal of Personality and Social Psychology by researchers at the University of Washington, the London Business School, Harvard and the University of Pennsylvania. The title: “The Cheater’s High: The Unexpected Affective Benefits of Unethical Behavior.”
http://well.blogs.nytimes.com/2013/10/07/in-bad-news-cheating-feels-good/?_r=0
…. Banks are evil ….
3. Deterrence / Opportunity
Digital Crime: … a little less physical …
• No need to be present at the site of the criminal act
– No person-to-person interactions (individuals being robbed are unpredictable!) so no heroes and less potential for violence …
– No chance of accidental weapons discharge and murder charges
– No local police who pursue robbers diligently
– No video cameras and witnesses
• Perceived as protected from identification and prosecution
• State lines?
… while Americans struggled during the height of the Great Depression, the Dillinger gang stole … from Midwestern banks … made a crucial mistake… Dillinger fled jail in a stolen car and drove from Indiana to Illinois… a Federal offense to transport a stolen motor vehicle across state lines … enabled the FBI to lead the nationwide manhunt. Director J. Edgar Hoover made Dillinger’s capture the FBI’s top priority.
…. Banks are evil ….
Three technological evolutions: fast cars, highways and overwhelming firepower (the Tommy gun). The legal and justice system was slow to adjust to the new reality; digital crime poses the same jurisdictional problem today, with the attacker, the victim bank and the cash-out crew routinely in different countries.
4. Capability: ‘democratization’ of Fraud
Fraud as a Service (FaaS) / Communities of Crime / Getting Social
Increased commercialization and ‘business’-driven approach …
• ‘Supported’ fraud tools with trouble ticketing
• Bot networks for hire
• Networks of money mules and bank accounts for hire
• ‘Getaway drivers’ and denial of service for hire
• Advertising services within and to the criminal community
Can outsource the difficult parts:
• Zero-day attacks and initial compromise
• Money mules for hire
• Distributed denial of service attacks to mask the getaway
• Can re-use attack methodology and tools again and again
• Can become RESELLERS (entrepreneurs)
… Sutherland's differential association theory can be summarized as (Sutherland and Cressey, 1978):
• Criminal behavior is learned; it's not inherited, and the person who isn't already trained in crime doesn't invent criminal behavior.
• Criminal behavior is learned through interaction with other people through the processes of … communication and example.
• The principal part of the learning of criminal behavior occurs within intimate personal groups.
• The learning of crime includes learning the techniques of committing the crime and the motives, drives, rationalizations and attitudes that accompany it…
…. Banks are evil ….
While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be short-changed … the leader of the New York cashing crew … fled the United States just as the authorities were starting to make arrests of members of his crew … gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.
The Perfect Crime – ATM Breach: $45M Single-Day ATM Cash-Out
The Perfect Crime – Carbanak/Anunak
The Perfect Crime – ATM Jackpotting Vendor: Electronic Bank Robberies [30c3] – YouTube ▶ 56:19
[Diagram: Analogy of Castle & Moat Defense – DMZ; Customer Channels (e.g. online banking); Partner Channels; Central Bank Processes (e.g. backend processing, HR, finance, etc.)]
Feeling ‘Outgunned’
• Is our financial industry ready to prevent a ‘Nation State’-backed compromise?
• How about the tools released ‘into the wild’ by nation states?
• Or the teams trained by them?
• The damage from the NSA’s (and affiliates’) actions (Stuxnet, weakened cryptography, backdoors, distrust), but even more importantly the tools re-purposed and in the hands of mal-intended persons, is hard to prepare for …
• Just as Vauban’s fortifications became obsolete with military evolution, our digital defences must evolve, in some way drastically, to a new reality …
Solutions (Today !)
Jean-Baptiste Alphonse Karr, 1849: plus ça change, plus c'est la même chose (the more things change, the more they stay the same)
– There is no room for complacency …
– The targets, the methods and the actors may evolve …
– A coordinated, active and evolving defence is required …
– We must keep getting better and better at what we are doing …
– We will only get better by cooperating, learning and evolving our defences …
Deeper/Taller/Wider/Harder Defensive Layers With Hardened Crunchy Interiors
– Fortresses are Today’s Reality –
Tip: how to stop targeted (APT) attacks: the ASD ‘Strategies to Mitigate Targeted Cyber Intrusions’, whose Top 4 (application whitelisting, patching applications, patching operating systems and restricting administrative privileges) ASD rates as mitigating at least 85% of the targeted intrusions it responds to
http://www.asd.gov.au/infosec/mitigationstrategies.htm
Looking backwards to look forward:
• Many security and operational best-practice standards exist, are being created & updated
– International (e.g. ISO - International Organization for Standardization, NIST - National Institute of Standards and Technology)
– Governmental & quasi-governmental (e.g. EPC - European Payments Council & SEPA - Single Euro Payments Area)
– Channel-specific (e.g. EMV Chip & PIN and 3-D Secure, PCI - Payment Card Industry)
Vauban’s Layered Defenses at Rocroi
Vauban’s ‘Other’ Defensive Layers
A Coordinated Societal Response:
We need to see ourselves into the future we want to live in …
• Critical National Infrastructure (CNI) learning & information sharing / CERTs
• Police Computer Crimes Units (CCU) – real, rapid and substantive deterrence and criminal punishments
• Industry working collaboratively: sharing information, standards bodies and frameworks, encryption and data de-valuation, building rapid internal response capabilities, minimising impacts on customers
• Proposed European rules: emphasis on self-certification schemes, breach notification and stiff penalties
Summary
Yes, systemic fraud and ‘modern’ bank robbery hurts society and <!fluffy kittens!> …
Old-fashioned bank robbery only went away with community support and organised policing… Yes, look to your Citadel and your Castle and your Moat, understand your enemy … but …
…Look over your citadel walls and find your friends …
Q&A: (you can usually find me wherever there is food or coffee being served ;-)
References & Credits:
• Fraud Triangle – Donald Cressey & the Fraud Diamond (which adds Capability)
• Andrew Stone & Willie Sutton & John Dillinger
• Dishonesty Animated & Dan Ariely & Cheating is Fun & Sutherland & Cressey
• Zeus Trojan, Man-in-Browser & Spear Phishing
• Botnets for rent, DDoS & Citadel
• NYTimes $45M in 1 Day & ‘New Bank Robbery’ & ATM
• Carbanak / Anunak
• ATM Jackpotting Commercial Software – Electronic Bank Robberies [30c3] – YouTube ▶ 56:19
• Tommy Gun & Stuxnet & Regin Banking Malware
• ‘Standards’: ISO, NIST, PCI & Circl.lu, EU Data Privacy
• Vauban Fortifications & New Brisach & Luxembourg
fini
My lessons learned
… ‘X’ is a BaFin regulated and monitored payment institute; there is no need for any auditing at ‘X’ premises and ‘X’ is not authorized to allow such audits (e.g. PCI-DSS)…
http://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2013/fa_bj_2013_11_it_sicherheit_en.html
(Not) Sun Tzu: Keep your friends close, but your enemies closer

Catella e-Crime London2015

  • 1. MODERN BANK ROBBERY 101: THE INTRODUCTORY COURSE Patrick Wheeler Mar2015 v1.2 • Historical bank robbery & sociological underpinnings • Why digital robbery is the 'Perfect Crime' • Some modern evolutions & why our traditional defenses are failing • Where we can see solutions… DISCLAIMER - Doing the Necessary • This is not a How-To Manual and any effort to replicate techniques and methods herein may be met with variable success (and interest by law enforcement) … • This is an effort to share one person’s experience in hopes it helps us all… • These are largely my opinions (except where they aren’t)… • These are definitely not the opinions of my employer (except where they are)… • I may make mistakes and be factually incorrect (except where I ain’t & don’t)… • I will by relying upon publicly available information (for some reason I hesitate to share specific company information in a public forum) … • If I appropriated your images, my thanks (and apologies if I misuse, offend or fail to attribute) … Patience Please: • I tend to speak quickly … • I abuse analogies and esoteric references … • I apologize in advance if I stutter or stumble a little bit … Please let me know if I can clarify anything… … you can usually find me wherever someone is serving food or coffee
  • 2. About what I do … BIO – Patrick Wheeler has been involved in IT Consulting, Business, Engineering and Security for over 20 yrs. He has a Bachelors in Environmental Engineering, an MBA and is a registered professional Civil Engineer. His background includes fun job titles like Security Architect, Audit Manager, Inspector, Systems and Security Analyst, Project Manager, Operations Director, VP of Operations and Chief Information Security Officer. •His business, IT and best practices focus is on information security, risk and compliance including PCI and security program management as well as internal and external financial & technology audits. With a legal support background he serves as an expert witness to courts on various aspects of best practices and industry standards. •He has been involved in many industries from government agencies, financial services, and banking through fashion, retail and technology startups. Prior to moving to Europe he served in California’s Silicon Valley and San Francisco Bay Area specializing in security, compliance and operational efficiency topics. •Personal interests include driving old cars too fast while taking photographs (in a well-controlled secure environments). Oh, and waterwheels. He now regrets this hobby after writing a successful EU grant of 2.5€M to identify and convert old watermills to generate renewable electricity …
  • 3. …&who I do it for
  • 4. Fraud Triangle Justification Motivation € $ Opportunity/ Deterrence The Fire Triangle … & Bank Robbery "Other People's Money, A Study in the Social Psychology of Embezzlement" … fraud problem as a "violation of a position of financial trust" that the person originally took in good faith.
  • 5. 1. Motivation ‘That’s Where The Money Is’ Andrew Stone (1996), a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered … produce clone cards … withdraw the full daily limit for each account … also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison. vs.
  • 6. 2. Justification: Sociologically, to get really depressed…
    • Dishonesty is the new Honesty: …how getting caught matters less than we think in whether we cheat; and how business practices pave the way for unethical behavior, both intentionally and unintentionally. … how unethical behavior works in the personal, professional, and political worlds, and how it affects all of us. The RSA Animate Version.
    • Cheating is the new Fair Play: … some behavioral ethics researchers were startled by a study published recently in The Journal of Personality and Social Psychology by researchers at the University of Washington, the London Business School, Harvard and the University of Pennsylvania. The title: “The Cheater’s High: The Unexpected Affective Benefits of Unethical Behavior.” http://well.blogs.nytimes.com/2013/10/07/in-bad-news-cheating-feels-good/?_r=0
    …. Banks are evil ….
  • 7. 3. Deterrence / Opportunity – Digital Crime: … a little less physical …
    • No need to be present at the site of the criminal act
      – No person-to-person interactions (individuals being robbed are unpredictable!) so no heroes and less potential for violence …
      – No chance of accidental weapons discharge and murder charges
      – No Local Police who pursue robbers diligently
      – No Video cameras and witnesses
    • Perceived as protected from identification and prosecution
    • State Lines? … while Americans struggled during the height of the Great Depression, the Dillinger gang stole … from Midwestern banks … made a crucial mistake… Dillinger fled jail in a stolen car and drove from Indiana to Illinois… a Federal offense to transport a stolen motor vehicle across state lines … enabled the FBI to lead the nationwide manhunt. Director J. Edgar Hoover made Dillinger’s capture the FBI’s top priority.
    …. Banks are evil ….
    Three technological evolutions: Fast Cars, Interstate Highways and Overwhelming Firepower. The legal justice system was slow to adjust to the new reality…
  • 8. 4. Capability – ‘democratization’ of Fraud: Fraud as a Service (FaaS) / Communities of Crime / Getting Social. Increased commercialization and ‘business’ driven approach …
    • ‘Supported’ Fraud Tools with Trouble Ticketing
    • Bot Networks for Hire
    • Networks of Money Mules and Bank Accounts for Hire
    • ‘Getaway Drivers’ and Denial of Service for Hire
    • Advertising Services within and to the Criminal Community
    Can outsource the difficult parts:
    • Zero Day Attacks and initial compromise
    • Money Mules for hire
    • Distributed Denial of Service attacks to mask the getaway
    • Can re-use attack methodology and tools again and again, and
    • can become RESELLERS (entrepreneurs) …
    Sutherland's differential association theory can be summarized as (Sutherland and Cressey, 1978):
    • Criminal behavior is learned; it's not inherited, and the person who isn't already trained in crime doesn't invent criminal behavior.
    • Criminal behavior is learned through interaction with other people through the processes of … communication and example.
    • The principal learning of criminal behavior occurs within intimate personal groups.
    • The learning of crime includes learning the techniques of committing the crime and the motives, drives, rationalizations and attitudes that accompany it…
    …. Banks are evil ….
  • 9. The Perfect Crime – ATM Breach – $45M Single-Day ATM Cash-Out: While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be short-changed … the leader of the New York cashing crew … fled the United States just as the authorities were starting to make arrests of members of his crew … gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.
  • 10. The Perfect Crime – Carbanak/Anunak
  • 11. The Perfect Crime – ATM Jack-potting (Vendor): Electronic Bank Robberies [30c3] – YouTube (56:19)
  • 12. Analogy of Castle & Moat Defense (diagram): DMZ – Customer Channels (e.g. online banking) – Partner Channels – Central Bank Processes (e.g. backend processing, HR, finance, etc.)
  • 14. Feeling ‘Outgunned’
    • Is our financial industry ready to prevent a ‘Nation State’ backed compromise?
    • How about the tools released ‘into the wild’ by nation states?
    • Or the teams trained by them?
    • The damages from the NSA (and affiliates) actions (Stuxnet, cryptography, backdoors, distrust), but even more importantly the tools re-purposed and in the hands of mal-intended persons, are hard to prepare for …
    • Just as Vauban’s fortifications became obsolete with military evolution, our digital defences must evolve, perhaps drastically, to a new reality …
  • 15. Solutions (Today !) – Jean-Baptiste Alphonse Karr, 1849: plus ça change, plus c'est la même chose (the more things change, the more things stay the same)
    – There is no room for complacency …
    – The targets, the methods and the actors may evolve …
    – A coordinated, active and evolving defence is required …
    – We must keep getting better and better at what we are doing …
    – We will only get better by cooperating, learning and evolving our defences …
    Deeper/Taller/Wider/Harder Defensive Layers With Hardened Crunchy Interiors
    – Fortresses are Today’s Reality
    – Tip: how to stop targeted (APT) attacks http://www.asd.gov.au/infosec/mitigationstrategies.htm
  • 16. Looking backwards to look forward:
    • Many Security and Operational Best Practices Standards Exist, are Being Created & Updated
      – International (e.g. ISO - International Standards Organization, NIST - National Institute of Standards)
      – Governmental & Quasi-Governmental (e.g. EPC - European Payments Council & SEPA - Single European Payments Area)
      – Channel Specific (e.g. EMV Chip & PIN and 3DS, PCI – Payment Card Industry)
    Figures: Vauban’s Layered Defenses at Rocroi; Vauban’s ‘Other’ Defensive Layers
  • 17. A Coordinated Societal Response: We need to see ourselves into the future we want to live in …
    • Critical National Infrastructure (CNI) learning & information sharing / CERTs
    • Police Computer Crimes Units (CCU) – real, rapid and substantive deterrence and criminal punishments
    • Industry working collaboratively; sharing information, standards bodies and frameworks, encryption and data de-valuation and building rapid internal response capabilities, minimise impacts on customers
    • Proposed European rules; emphasis on self certification schemes, breach notification and stiff penalties
  • 18. Summary: Yes, systemic fraud and ‘modern’ Bank Robbery hurts society and <!fluffy kittens!> … Old fashioned bank robbery only went away with community support and organised policing… Yes, look to your Citadel and your Castle and Your Moat, Understand your Enemy … but … …Look over your citadel walls and find your friends … Q&A: (you can usually find me wherever there is food or coffee being served ;-)
    References & Credits:
    • Fraud Triangle – Donald Cressey & Diamond
    • Andrew Stone & Willie Sutton & John Dillinger
    • Dishonesty Animated & Dan Ariely & Cheating is Fun & Sutherland & Cressey
    • Zeus Trojan, Man-in-Browser & Spear Phishing
    • Botnets for rent, DDoS & Citadel
    • NYTimes $45M in 1-Day & ‘New Bank Robbery’ & ATM
    • Carbanak / Anunak
    • ATM Jackpotting Commercial Software – Electronic Bank Robberies [30c3] – YouTube (56:19)
    • Tommy Gun & Stuxnet & Regin Banking Malware
    • ‘Standards’: ISO, NIST, PCI & Circl.lu, EU Data Privacy
    • Vauban Fortifications & New Brisach & Luxembourg
  • 19. fini
  • 20. My lessons learned … “‘X’ is a BaFin regulated and monitored payment institute; there is no need for any auditing at ‘X’ premises and ‘X’ is not authorized to allow such audits (e.g. PCI-DSS)…” http://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2013/fa_bj_2013_11_it_sicherheit_en.html (Not) Sun Tzu: Keep your friends close, but your enemies closer

Editor's Notes

  1. Part I:
  2. Banks were evil, putting people out in street while living lavish lifestyles, robbers as folk heroes
  3. PtII: Poster boys for low-level street thugs, ‘livin la vida gangsta’ complete with selfies
  4. PtIII: Falling Defenses
  5. Pt IV: