Southern California By John Buzzard Doubletree Hotel Ontario, CA - - PowerPoint PPT Presentation



SLIDE 1

Southern California

Doubletree Hotel Ontario, CA February 20, 2013

By John Buzzard

SLIDE 2

DDoS Attacks

  • Distributed Denial of Service attacks spurred by YouTube video.
  • What is it? Occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. This is the result of several compromised systems (for example a botnet) flooding the targeted system(s) with several packets. When a server is overloaded with connections, new connections can no longer be accepted.
  • How can you prepare for them? Firewall settings, intrusion defense systems like “Top Layer IPS products”
  • On February 7 Anonymous filed a petition to acknowledge DDoS as a legal form of protest similar to the Occupy protests.

SLIDE 3

Fraudulent PIN Changes

  • What has been happening?
  • Approx 13 cases
  • 395 cards
  • 23 FIs
  • 1,500 trans
  • $480k attempted withdrawals
  • $200k successful withdrawals
  • Best practices

SLIDE 4

Fraudulent ACH Payments

  • Dishonest account holder.
  • ACH payment option is used to pay off credit card/line.
  • Fraudster takes over an account at another FI to initiate payment or uses one that they have opened.
  • ACH payment clears, customer runs balance up again.
  • Customer often overpays balance and then utilizes cash advances to siphon off more funds.
  • ACH payment eventually is returned as NSF after the credit was applied. Financial institution’s corporate account takes the loss.
  • Some losses have been as high as $100,000.
  • Best practices

SLIDE 5

ACH Kiting Best Practices

  • Monitor credit card payment reports daily.
  • Consider not allowing ACH credit card payments for new customers.
  • Be sensitive to over-limit customers who suddenly overpay, perform multiple payments, or utilize ACH when they have not done so prior. (Customized reports would be required.)
  • Monitor the following reports for credit card payments daily:
      • ACH payment report
      • ACH Large Dollar Report
      • ACH Return Reports
      • Return Check Adjustment Report
      • Over Limit Report
      • Balance Control Over Limit Report
      • Review of Excessive Account Activity
      • Credit card payment kiting report
  • Use a fraud monitoring solution on credit card payments to detect potential ACH kiting.
  • Monitor the settlement account for ACH returns.
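The warning signs listed on this slide (an over-limit customer who suddenly overpays, multiple payments, first-time ACH use) can be combined into a daily report check. The sketch below is an added example, not part of the original presentation; the record fields, the review window, the two-flag threshold and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Payment:
    account: str
    day: date
    amount: float
    channel: str  # constructed labels: "ACH", "CHECK"

@dataclass
class Account:
    balance: float       # amount owed at the start of the review window
    credit_limit: float

def kiting_flags(acct, payments, window_start):
    """Return which of the slide's warning signs one card account shows."""
    prior = [p for p in payments if p.day < window_start]
    ach = [p for p in payments if p.day >= window_start and p.channel == "ACH"]
    flags = []
    if not ach:
        return flags
    if acct.balance > acct.credit_limit and sum(p.amount for p in ach) > acct.balance:
        flags.append("over_limit_then_overpaid")
    if len(ach) > 1:
        flags.append("multiple_ach_payments")
    if not any(p.channel == "ACH" for p in prior):
        flags.append("first_time_ach")
    return flags

def daily_review(accounts, payments, window_start, min_flags=2):
    """Queue accounts showing at least min_flags signs (assumed threshold)."""
    queue = {}
    for acct_id, acct in accounts.items():
        mine = [p for p in payments if p.account == acct_id]
        flags = kiting_flags(acct, mine, window_start)
        if len(flags) >= min_flags:
            queue[acct_id] = flags
    return queue

# Constructed sample data, not real accounts.
ACCOUNTS = {"A100": Account(5200.0, 5000.0), "B200": Account(800.0, 3000.0)}
PAYMENTS = [
    Payment("A100", date(2013, 1, 5), 150.0, "CHECK"),
    Payment("A100", date(2013, 2, 11), 4000.0, "ACH"),
    Payment("A100", date(2013, 2, 12), 3500.0, "ACH"),
    Payment("B200", date(2013, 1, 8), 200.0, "ACH"),
    Payment("B200", date(2013, 2, 12), 250.0, "ACH"),
]

if __name__ == "__main__":
    print(daily_review(ACCOUNTS, PAYMENTS, date(2013, 2, 10)))
```

Account A100 is queued with all three signs, while B200, a regular ACH payer within its limit, is not; queued accounts are candidates for holding available credit until the ACH return window has passed.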
SLIDE 6

Fraud spending a priority for some in 2013

This information was gathered from a quarterly survey of US risk managers.

SLIDE 7

POS Malware is the new face of skimming

  • Weak passwords at the merchant level.
  • Malware can penetrate at any time and requires no physical presence.
  • Mag and PIN capture risk is the same.
  • Recent arrest activity in NY as thieves performed “cash outs” at ATMs.

(Suspects pictured below)

SLIDE 8

Multiple Malware Attacks

SLIDE 9

Malware Compromises

SLIDE 10

Basha’s Grocery Store Malware attack

SLIDE 11

Cash Out Warnings

SLIDE 12

Gathering Fraud Intelligence

  • Know who’s on your front line: Identify the personnel best-suited to perform various types of proactive intelligence gathering.
  • Develop a communications plan: Decide who within your company should receive various types of intelligence. For instance, you might determine that fraud investigators receive all financial crime intelligence, while corporate IT receives malware and virus intrusion intelligence.
  • Take advantage of low-cost tactics: No-cost ideas include creating simple search engine alerts on keywords; leveraging your contacts to build a strong network of people willing to share intelligence.
  • Socialize: Join organizations that align with your information needs.
  • Share intelligence internally: Educate your workforce on new concepts and initiatives, such as EMV and mobile payments.
  • “Feed” the intelligence: The same issues may have to be revisited multiple times to maintain the most current level of understanding and deter any threats.
  • Use data to respond faster: Use tactical fraud intelligence to create rules that mitigate fraud before it disrupts your business operations. This could be as simple as understanding the geographic disposition of a fraud threat so that your team can develop an offense before the fraud losses stack up.

SLIDE 13

Interviewing an accountholder

  • What is the name of the antivirus protection software that you use on your home PC?
  • What is the name of the spyware/malware program on your PC?
  • How often do you log into online banking?
  • Let me show you how to activate account alerts so that you can stay in touch with your accounts.
  • Do you have a shared PIN or single PIN? (little trick)
  • When was the last time you changed your PIN?

SLIDE 14

2012 Card and PIN Skimming

SLIDE 15

Bookseller Case

  • POS devices in the café section.
  • 40 locations in 9 states. (CA, NY, NJ, CT, MA, RI, IL, PA, FL)
  • 8700+ compromised cards identified/protected by CAS.
  • First devices placed Oceanside, CA 6/10/12 (removed 9/9/12) and Warwick, RI 6/25/12 (removed 9/12). Dual coast testing?
  • Placement indicates NE/MidWest then FL then CA.
  • No more activity until 8/3 in Smithfield, RI and 8/9 Deer Park, IL.
  • Last skimming date 9/14/12.
  • Cards were used at ATMs in the areas where they were skimmed.

SLIDE 16

2012 Breakdown % of Card Alert Service Cases

[Chart: PIN Points of Compromise 2003-2012. Series: POS, ATM-NonBank, ATM-Bank]

Source: FICO Card Alert Service

2012 vs 2011

  • 2012 POS skimming locations decreased by 33%.
  • 2012 skimming via ATMs at financial centers rose 21%.
  • 2012 skimming at white label ATMs increased 12%.

SLIDE 17

2012 Points of Compromise (Card Alert Service)

  • Green: Bookseller Case
  • Pink: POS location
  • Blue: ATM located at a financial institution
  • Light blue: White label non-FI ATM

SLIDE 18

Gas Pump Skimmer from West Wendover, NV January 2012

SLIDE 19

Card Reader Theft February 24, 2012 Kensington, MD

SLIDE 20

Endicott, NY August 11, 2012

SLIDE 21

Gas Pump Internal Skimmer Irvine, CA 9/13/12

SLIDE 22

Queens, NY November 11, 2012

SLIDE 23

Virginia Beach, VA November 25, 2012

SLIDE 24

Vestibule Card Entry Point Skimmer Bedford Hills, NY 12/2/12

SLIDE 25

Disguises & spray paint 12/03/12 San Diego,CA

SLIDE 26

Door skimmer Bedford Hills, NY 12/5/12

  • Attached are photos of skimming device camera setups. The skimming device was apparently on the access door pad and the cameras on the ATMs. The cameras also have a small antenna for wireless transmission to the thief’s laptop.

SLIDE 27

May 2012 Howard Beach, NY

SLIDE 28

Chicago, IL 1/16/13

SLIDE 29

Social Engineering & Other Scams

  • Social websites: Account takeovers, imposters who trick people into sending them $ for emergencies.
  • Games played through third party applications are not very trustworthy.
  • Phone applications can easily inject malware. Good idea to completely remove unused apps.
  • Social websites are the gateway for break-ins during your vacation.
  • Criminals who are in possession of your payment card or other bits of information can SLOWLY friend you or review your postings to cull information to help them victimize your financial accounts. (Zip code collection, City/St, family names are often answers to challenge questions online.)
  • Be wary of what your friends post about you!

SLIDE 30

Other trends

  • POS 90 music download charges $99-$200. You can charge these back to iTunes. Block non-US iTunes!
  • POS 90 rule declining all auths between $49.99 and $110.00 with a score greater than 60. The rule has a 5:1 FPR.
  • Healthcare & universities deliver tons of compromises.

SLIDE 31

WWW.FraudAlertnetwork.com

SLIDE 32

Fraud discussions inside the community

SLIDE 33

Monthly Fraud Calls-Sign UP! https://www.csvep.com/FICO/FraudForum.html

SLIDE 34

Secure email portal https://secure.psmtp.com/s/welcome.jsp?b=fico

SLIDE 35

Convert to secure email delivery today

  • Member Profile Updates: http://www.fico.com/landing/CardAlert/CardAlertServiceForm.html
  • Please provide your team email address.
  • If you do not know your CAS ID please use eight zeroes in the field requesting your CAS ID.
  • Maximum of two email addresses can be accommodated otherwise.
  • Card Alert will assist you via phone 888-440-4227 if you prefer.

SLIDE 36

Thank You

Investigations@fico.com 888-440-4227