View on-demand: http://event.on24.com/wcc/r/1203107/AF33616D86CFB47663095958218D99E0 Being one step ahead of rapidly evolving, well-organized online cybercrime can seem like a losing battle. However, the key to success is combining sophisticated fraud detection with intelligent access management. Tightly uniting these capabilities in an open platform provides the flexibility to choose the appropriate authentication scheme for the various scenarios leveraging built-in biometrics, seamless authentication and mobile technologies. This smooths the access experience for legitimate users on web and mobile into a quick, frictionless authentication process while preventing fraudulent activity in real-time. Join us in this IBM webinar where industry experts will discuss IBM’s approach on how to: Detect fraudulent activity from stolen user credentials or a criminal device Create risk-based access controls that reduce fraud while improving legitimate customers' activity Speed deployment, improve business results and reduce cost of fraud protection with an integrated fraud protection gateway

1. Outsmart Fraudsters
GIVING CUSTOMERS A GREAT USER EXPERIENCE WHILE KEEPING FRAUDSTERS OUT
Shaked Vax
June 2016
Trusteer Product Strategist - IBM Security
Brian Mulligan
Offering Manager Access and Directory - IBM Security

2. 2 IBM Security
Agenda
• The evolution of online fraud vs. identity verification
• Fraud is a problem of establishing an identity claim
̶ Applying intelligent access management
̶ Adding frictionless identity assurance
• An integrated identity-focused approach to fraud reduction

3. Online Fraud
EVOLUTION VS. IDENTITY VERIFICATION SOLUTIONS

4. 4 IBM Security
Account Takeover,
New Account
Fraud
Cybercrime Attack Vectors
Advanced Threats (Employees)
WWW
Online/Mobile Banking
Money, Intellectual Property, Business Data
Mobile Fraud Risk
Phishing and Malware Fraud

5. 5 IBM Security
Financial cybercrime trends
• Malware eco-system managed like Software & SaaS commodity
̶ Agile development cycle – Dyre, Ramnit, Bugat updates weekly
̶ Gangs with Start-up mentality. Use analytics to track success
̶ Malware is built to bypass dynamic analysis
̶ Malware is environment-aware
• Region-specific cybercrime intensifies : Targeted malware campaigns
• Phishing… the same old phish with twists
• Mobile threats rising : Cross channel fraud
• Social engineering + Mobile malware = Broken 2 factor authentication
• Fraud via user’s device on the rise – RAT/Proxy
• Focusing on high value targets
Cybercrime gangs are relentlessly, successfully focused towards fraud

6. 6 IBM Security
Dyre – A global 2014-2015 rock star
US Department
of Homeland
Security
Dyre Alert
October
First reports of
attacks against
US/UK targets
June
Attacks against
Targets in
Australia and
China
December 2014
Over 100 firms
targeted
November
Used as APT in
Attack against
salesforce.com
September
Attacks against
Romanian,
German and
Swiss Banks
October
2014 2015
Dyre Wolf against
high value targets
incl. DDOS ($5M
from Ryanair)
April 2015
Dridex Malware
launches Dyre
like attacks
January 2016
Keeps evolving with innovations:
Server Side web-injects, Anti-
sandboxing, Randomized Config
File Names
March-June 2015
2016
Dyre Gang
takedown in
Moscow.
Code Leaked?
November 2015
Attacks against
Spanish &
LATAM Spanish
speaking Banks
July

7. 7 IBM Security
Dyre data collection
==Programs==
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Dyre collects…
• OS attributes
• Browser attributes
• Installed programs
• Services
• Passwords over
secure connection

8. 8 IBM Security
Device forging

9. 9 IBM Security
April-May 2016 GozNym attacking world wide

10. 10 IBM Security
Meet GozNym – the new “two-headed beast”
• Malware Installer (“Dropper”) active since mid-2013
• Highly effective infector and powerful launcher for other
malware
• Infiltrating computers through exploit kits
̶ Drive by infections, Spam campaigns and poisoned Word
documents, launched into action when users enable macros
• Stealthy and highly persistent on infected machines
̶ Uses heavy obfuscation techniques via encryption, anti VM and
anti-research capabilities to evade analysis and AV detection
• Connection with Gozi banking Trojans debuted in Q4-
2015
̶ Until then was recognized as a ransomware dropper
• Believed to be operated by one group, and developed
on an ongoing basis by the same developer(s).
• Alter web sessions and trick users into divulging
authentication details
• Capable of
̶ Web-form grabbing
̶ Social engineering
̶ Redirection and session manipulation
• Like Dyre and Dridex
̶ Screen grabbing (screenshots)
• Used to execute banking account takeover attacks
• LogMeIn remote desktop tool (RAT) may be used by
operators
̶ Perform fraud directly from the infected device
• April 2016, IBM Trusteer research discover an unprecedented code
merge between Gozi ISFB and the Nymaim downloader Trojan
• Combining two top-notch malware strains:
Gozi ISFBNaymaim

11. 11 IBM Security
Mobile fraud: The appearance of PC-grade mobile malware
• “GM Bot” / “Mazar Banking Software”
• Extensive PC malware-like capabilities including:
̶ Dynamic configuration via C&C
̶ Configurable banking app injection/overlay capabilities
̶ Ready made modules being sold to attack WW banks and financial services
̶ On-Mobile full fraud lifecycle – Credential stealing, 2FA circumvent, block user/authorization
̶ Flash News: GM Bot Code Leak !!
̶ Flash News 2: GM BOT 2.0 released

12. 12 IBM Security
The mobile channel threats
Understanding the mobile risk landscape
Customer
Sensitive Information Stealing Mobile Channel Misuse Cross-Channel Fraud
• Credentials stealing
• Personal Identifiable
Information (PII)
• Financial records
• Full account takeover on
mobile channel
• Use of mobile by fraudsters
as an anonymous channel
to perform the ATO
• Leverage mobile to enable
fraud on other channels
(e.g. web)
• Circumvent Out of Band
(OOB) two-factor
authentication (2FA)
Criminal

13. 13 IBM Security
Online Banking
Cross Channel Attacks – OOB pin stealing via mobile malware
Credentials
Theft
LOGIN
App
Login
Mobile Device Risk
Factors
Device Attributes
• Jailbroken /
Rooted Device
• Malware
Infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi
connection
• Rogue App
Account Risk Device Risk+
Account
Compromise
History
Phished
Credentials
Malware
Infections,
Phishing
Incident
(stolen
credentials)
The bank’s
mobile banking
app
Credentials, data
Customer
Criminal

14. 14 IBM Security
Viruses & worms
Focused on nuisance
& damage
2003
APT/High-value targeted attacks
Business email compromise, Dyre Wolf
bank employees/systems compromise
2015
Online/Mobile cross-
channel attacks
Leverage mobile anonymity,
bypass SMS OTP, 2FA
2012
MiTM/MiTB
Inject transactions
steal secondary
authentication
2006
Online fraud methodologies vs. identity verification
2nd Factor Auth Circumvention
Device ID & Risk Engine
Evasion
RATs - RDP/VNC, PC-grade
mobile malware
Bypass device ID,
overlay mobile app
2014
Single Factor Auth Stealing
Phishing &
keyloggers
Bypass static
username/password
2004
MitB with login blocking,
automated scripts
Steal credentials, bypass
device ID & risk engines
2009
Leveraging Mobile Channel

15. Fraud is a problem of
establishing an identity claim
BALANCING FRAUD PREVENTION AND BUSINESS NEEDS

16. 16 IBM Security
Stopping fraud means accurately identifying the user

17. 17 IBM Security
The traditional security vs. convenience tradeoff
High Usability Expectations Demand for Increased Assurance

18. 18 IBM Security
Embrace context for intelligent, risk-based access
• Dynamic user risk assessment using contextual information
̶ Device, user, environment, resource, malware, device management status and past user behavior
• Protect critical sensitive assets depending on the risk context
̶ Strong and multi-factor authentication, limit access to sensitive information/operations
• Central integration and enforcement
̶ No need to modify backend applications
̶ Unified risk-based access policy management and enforcement
Mobile
Web
Hybrid
Native
Apps

19. 19 IBM Security
Assess risk use context. What is context?
Identity
Groups, roles, credential attributes, organization
Endpoints
Device fingerprint, Screen resolution, Fonts, OS, Browser, Plugins etc
Environment
Geographic location, network, local time . . . etc
Resource / Action
The application being requested and what is being done.
Behavior
Analytics of user historical and current resource usage.

20. 20 IBM Security
Recognize that achieving absolute
certainty about an identity's
legitimacy is impossible. Focus
instead on assessing the probability
that an identity claim is legitimate.
GARTNER 2015

21. 21 IBM Security
Balancing identity verification and usability

22. 22 IBM Security
Frictionless authentication through a new factor: Something you DO!
Comprehensive
Behavioral
Based Profile Profile
Anomalies
detection
Rogue Activity
Identification

23. 23 IBM Security
Behavior based profiling
• Proactively analyze hundreds of parameters to authenticate users against a
uniquely created user profile
• Profile is based on user interaction patterns, account usage and frequently used
devices, learned during service accesses
• User is authenticated by a much richer identifying data set that can augment
traditional authentication factors
• No user interaction is required in most logins
̶ Only when suspicion arises – user is presented with authentication
challenges

24. 24 IBM Security
User identity verification through anomaly detection
• Different devices / accounts
• Deviation in access times / locations
• Velocity – irrational location change
• Language
User/Account behavior anomalies
• Navigation patterns – jumping between unlinked pages
• Clipboard – pasting page address
• Automation – link clicking
• User interaction – deviation in typing/mouse movements
Session flow anomalies
• Device ID spoofing
• Interaction patterns
• Suspicious geographies
• Proxy usage
• RAT usage
Device

25. 25 IBM Security
Identifying rogue activity
• Clientless detection of MitB malware
• Detecting PC, Mac and mobile devices malware
• Detection updates, addressing evolving threats and new attack
vectors, deployed automatically
• No customer interaction or business interruption required
Malware detection
• Unique detection of machine remote take over by RATs
Remote Access Trojans (RATs) use detection
• Identifying known attackers using a world wide fraudsters database
Known fraudsters detection

26. Identity-focused approach to
fraud reduction

27. 27 IBM Security
Holistic fraud protection solution
• Detect identity and fraud accurately
• Manage centralized context based access policies balancing security
and usability
• Enforce fraud prevention measures using explicit-authentication and access-
authorization
• E.g. require additional 2nd factor authentication via SMS on access to highly sensitive
operations (money transfers)
• Limit operations if there is a significant risk a particular user is compromised (prevent
“add payee”)
• Provide remediation facilities to infected user to regain full business activity
• Clean and re-credential
Addressing the cycle - Detect–Prevent–Remediate
• Deploy Trusteer’s Pinpoint fraud protection and dynamic authentication via ISAM
• Allows integrating and protecting multiple applications at once (without any changes to
their application)
Accelerate deployment of fraud protection and dynamic
authentication
Full Fraud
Lifecycle
management
Prevent

28. 28 IBM Security
How it works? Trusteer Pinpoint & IBM Security Access Manager
X-Force / Trusteer Security Research
customer
Authentication,
Verification, Access
Policy Management
Web/Mobile
Application
snippet
Pinpoint Identify
Detection Service
Session
assessment
LineofBusiness/Frauddepartment
Session
Session&
devicedata
Session
Management
On-demand remediation
(Rapport for remediation)
ISAM

29. 29 IBM Security
Additional benefits from IBM Security Access Manager (ISAM)
 Enforce identity- and risk-aware application
access for web and mobile devices
 Secure identity assurance with built-in mobile
authentication service and one-time-passwords
 Centrally manage policies to protect enterprise
from fraud and malware:
 Deploy Trusteer Pinpoint without modifying apps
 Block the OWASP top 10 vulnerabilities
 Reduce TCO and time to value with an modular
“all-in-one” access appliance in virtual and hardware
form factors
 Deliver built-in integrations with, MobileFirst
Platform, MobileFirst Protect, Microsoft Office 365,
SAP, Websphere and more
Web & Mobile Access / SSO
Risk-based Enforcement
Web, Fraud & Malware
Protection
IBM Security Access
Manager
Identity Federation

30. 30 IBM Security
Use a pre-integrated, holistic solution that addresses business
needs and security
Don’t prototype integrating multiple point solutions to protect critical assets
Seamless
identity
verification
Centralized
fraud
prevention
Extensive
authentication
tools
Holistic
toolset
Address full
compromise
cycle
Accurate
fraud
detection

31. Questions?
IBM SECURITY

32. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
FOLLOW US ON:
THANK YOU