Cyber Fraud
Challenges & Solutions
K. K. Mookhey
Principal Consultant
Network Intelligence India Pvt. Ltd.
Agenda
• Ground Reality – Digesting the Hard Facts
  • Online Banking Fraud
  • The Data Theft Epidemic
  • Skimming & ATM Fraud
  • Spear Phishing & APT
• Identifying Technology Red Flags
• Technology Fraud Risk Management
• Resources
Online Banking Fraud
Primary fix?
• 2-factor
  or
• OTP
• User Awareness
The Data Theft Epidemic
What price India?
• Online examples…
• Fresh record price = Rs. 75
• Converted customer price = Rs. 150
Skimming – Basic & Advanced
THE TRAP
♦ The trap is made up of X-ray film, which is the material preferred by thieves, simply because its black colour is similar in appearance to the slot on the card reader.
Placing the TRAP
♦ The trap is then inserted into the ATM slot. Care is taken not to insert the entire film into the slot; the ends are folded and contain glue strips for better adhesion to the inner and outer surface of the slot.
INVISIBLE
♦ Once the ends are firmly glued and fixed to the slot, it is almost impossible for unsuspecting clients to detect.
How is your card confiscated?
♦ Slits are cut into both sides of the trap; this prevents your card from being returned prior to completing your transaction.
Retrieval of the confiscated card
♦ As soon as the “customer” has gone, and they have your PIN, the thief can remove the glued trap: by grasping the folded tips, he simply pulls out the trap that has retained your card.
Advanced skimming - video
Where’s the silver lining?!
Technology Red Flags
• Systems crashing
• Audit trails not available
• Mysterious “system” user IDs
• Weak password controls
• Simultaneous logins
• Across-the-board transactions
• Transactions that violate trends – weekends, excessive amounts, repetitive amounts
• Reluctance to take leave or accept input/help
• Reluctance to switch over to a new system
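Several of the red flags above can be screened for mechanically. The following is an added example, not code from the presentation: it runs over constructed transaction records and flags generic “system” user IDs, simultaneous activity from two terminals, weekend postings, excessive amounts and repetitive amounts. The HR roster, thresholds and time window are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records: (user, terminal, timestamp, amount in Rs.)
TRANSACTIONS = [
    ("rsharma", "BR01", "2011-03-14 10:05", 12000.0),
    ("rsharma", "BR07", "2011-03-14 10:06", 12000.0),   # second branch, one minute later
    ("rsharma", "BR01", "2011-03-19 23:40", 12000.0),   # Saturday, same amount a third time
    ("system",  "CORE", "2011-03-20 02:15", 950000.0),  # Sunday, generic ID, large amount
    ("amehta",  "BR03", "2011-03-15 11:20", 4500.0),    # ordinary weekday posting
]
HR_ROSTER = {"rsharma", "amehta"}   # assumed: named staff accounts known to HR
EXCESSIVE_AMOUNT = 500000.0         # assumed per-transaction limit
REPEAT_THRESHOLD = 3                # same user, same amount, this many times
SIMULTANEOUS_WINDOW_MIN = 5         # two terminals within this many minutes

def parse(rec):
    user, term, ts, amt = rec
    return user, term, datetime.strptime(ts, "%Y-%m-%d %H:%M"), amt

def screen(records):
    """Return a sorted list of (flag, user) pairs for the red flags found."""
    parsed = [parse(r) for r in records]
    flags = set()
    amounts = Counter((u, a) for u, _, _, a in parsed)
    for user, term, when, amt in parsed:
        if user not in HR_ROSTER:
            flags.add(("generic-system-id", user))
        if when.weekday() >= 5:                 # Saturday = 5, Sunday = 6
            flags.add(("weekend-transaction", user))
        if amt >= EXCESSIVE_AMOUNT:
            flags.add(("excessive-amount", user))
        if amounts[(user, amt)] >= REPEAT_THRESHOLD:
            flags.add(("repetitive-amount", user))
    # Same user active on two different terminals within a short window
    for i, (u1, t1, w1, _) in enumerate(parsed):
        for u2, t2, w2, _ in parsed[i + 1:]:
            gap = abs((w1 - w2).total_seconds())
            if u1 == u2 and t1 != t2 and gap <= SIMULTANEOUS_WINDOW_MIN * 60:
                flags.add(("simultaneous-login", u1))
    return sorted(flags)

if __name__ == "__main__":
    for flag, user in screen(TRANSACTIONS):
        print(f"{flag:22s} {user}")
```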
The IIA – IT & Fraud Risks
Fraudulent Financial Reporting

• Unauthorized access to accounting applications —
  Personnel with inappropriate access to the general ledger,
  subsystems, or the financial reporting tool can post fraudulent
  entries.

• Override of system controls — General computer controls
  include restricted system access, restricted application access,
  and program change controls. IT personnel may be able to
  access restricted data or adjust records fraudulently.
The IIA – IT & Fraud Risks
Misappropriation of Assets
• Theft of tangible assets — Individuals who have access to tangible assets
   (e.g., cash, inventory, and fixed assets) and to the accounting systems that
   track and record activity related to those assets can use IT to conceal their
   theft of assets.
• Theft of intangible assets — Given the transition to a services-based,
   knowledge economy, more and more valuable assets of organizations are
   intangibles such as customer lists, business practices, patents, and
   copyrighted material.


Corruption
• Misuse of customer data — Personnel within or outside the organization
   can obtain employee or customer data and use such information to obtain
   credit or for other fraudulent purposes.
• Principle 1 – As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy to convey the expectations of the board of directors and senior management regarding managing fraud risk.
• Principle 2 – Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
• Principle 3 – Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
• Principle 4 – Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
• Principle 5 – A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
Leveraging Technology
• Data Leakage Prevention
• Email Gateway Filtering
• Security & Controls by Design
• Information Rights Management
• Identity & Access Control Management
• Data Encryption
• Business Intelligence Solutions
• Revenue Assurance & Fraud Management Solutions
• Forensic Investigation Capabilities
Chapter 6 – Cyber Frauds
• Special Committee of the Board to be briefed separately
• Independent Fraud Risk Management Group (FRMG)
• Fraud Review Councils to be set up
• Fraud Vulnerability Assessments
• New products to be reviewed by the FRMG
• Banks to share details of fraudulent employees
• Transaction monitoring group/system
• Continuous trainings
• Employee awareness and rewarding whistleblowers
• Training institute for financial forensic investigation
• Sharing of fraud management experiences
• State-level Financial Crime Review Committee
• Multi-lateral arrangement amongst banks to deal with online frauds
Resources
• Fraud Risk Management System in Banks
  http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=5273&Mode=0
• IIA – Fraud Prevention and Detection in an Automated World
  http://www.theiia.org/guidance/technology/gtag13/
Thank you!
Questions?
kkmookhey@niiconsulting.com

Information Security Consulting Services | Information Security Training Services