Ken Jochims Fights Cybercrime with Intelligence
Posted March 12, 2015
ThreatMetrix’s Director of Product Marketing, Ken Jochims Interview on Pymnts.com on “10 Ways to Leave Cybercriminals in the Dust”
In advance of the Merchant Risk Council, March 23-26, in Las Vegas, where you’ll find ThreatMetrix at Booth 119, Ken Jochims did a far-ranging interview with pymnts.com on preventing the “new era” of cybercrime, where hackers go straight to the banks instead of the banks’ customers. He discussed ThreatMetrix’s multilayered (yet frictionless) approach to defense, which is detailed in a new ThreatMetrix whitepaper. The following has been excerpted from the pymnts.com interview and edited to fit our format. You may find the complete interview by clicking on this link.
What are the most effective methods and technologies cybercriminals use today to attack security roles in devices, operating systems and applications?
KJ: We see a wide range of attack methods or vectors – it’s a complex fraud challenge that we’re all up against. Many of the things you hear about in day-to-day media are things we run into as well in trying to deal with fraud. These are things like malware that’s always been present in the last 5-6 years, trying to steal credentials.
At the end, it’s all about how to steal credentials to break into accounts. That’s what the bad guys have in mind. This includes phishing attacks, or going after individuals via targeted emails or generalized attacks to banks. I know some of the recent banking attacks that have come to life have been exposed because of phishing attacks. Those are emails with some kind of hook, where people click on the link and the computer is infected with malware. Those are pretty good techniques to be used by bad guys that we are seeing in the financial and e-commerce space.
There are also other ways to enhance that information through social engineering – Facebook, LinkedIn, and more contain all kinds of information about us. That helps the bad guys create either fake identities or synthetic identities.
Then the criminals are also using things like proxies or VPNs that allow them to spoof locations. So, for example, you may think someone’s coming in from the Boston area to log into your bank, when in reality they’re coming in from Moscow.
As fraudsters adapt to fraud prevention methods and data breaches become a normal occurrence, is there a way to fight the fraudster’s intelligence with even more sophisticated intelligence? If so, how?
KJ: Well, it’s always about knowing who the enemy is. They’re doing a pretty good job at stealing lots of information. If you look at some of the recent attacks, many of those are sponsored or done by Russian cybergangs. There’s a number throughout Russia and Eastern Europe that have been very good at collecting data. Whether or not they’re using this data directly to breach accounts and to do attacks, it’s not quite clear, but they’re certainly either using it directly or selling it.
The idea is that all of this information is pretty fluid. It’s almost like you can’t stop the leak in the dam of information, but what you have to do is have a thorough understanding of how to stop these guys at multiple levels. We try to stop the bad guys at the front door by understanding who they are through the devices they’re using, through information gained about that device and operating system and all kinds of details about the network they’re coming through, to gain a really good understanding of where that device is and who is using it.
It also may be associated with all kinds of things like multiple credit cards or email addresses – things that can be linked together that we can determine from our network. The important thing about what we do with our network is we protect hundreds of millions of customer accounts through 15-20,000 websites. We gather all of that information for all of those devices that are coming in and connecting, and then we put that information together in a cohesive way to understand across the globe for all of our customers the level of risk or trust that should be associated with particular devices.
If you log into an account at Target, for example, and the bad guy is trying to get in and is blocked, then tries to go to Best Buy, we can see that information and connect the dots. We don’t think all of that information should be siloed – it needs to be freely shared. So it’s about how we anonymize a person – how we encrypt their information enough so we’re not sharing it, but so that we can see that data.
Ultimately, what we see is this data that needs to be used for good – we don’t want to get in the way of actual customers logging in and conducting business.
So the flipside of fraud, and what a lot of traditional systems do, is that as you dial up fraud prevention, you also dial up customer friction. Our goal is to increase the ability to detect fraudulent activity and reduce the friction associated with customers accessing their accounts. It’s an interesting juxtaposition between the two, but if you can really understand your customer, from the way they do business and the devices they use in their operating modes, it allows you to really understand who they are versus the bad guys.
How should defense mechanisms be implemented and what pitfalls should organizations avoid?
KJ: The pitfall is thinking that one particular solution may be the be-all, end-all. But like the military doctrine of understanding defense, fighting cybercrime is about layered defense. The additional concept of that is that generally things are more static than they should be. The concept of layers needs to be applied, but those layers should be very flexible in the way they operate. The way we look at it at ThreatMetrix is how to provide that first layer and probably one of the more important layers of defense – that’s keeping the bad guys out.
If you think about this as how do you stop somebody at the front door before they get through – many of the security solutions that are about understanding the behavior of a use are likened to a security camera. So what we try to do is stop the access to the front of the house. The first thing you want to do is minimize any fraudulent entry by the bad guys. For us, we look primarily at e-commerce businesses and financial services. That’s a little different from traditional IT hacking data out of a server.
Recently, an international band of hackers worked their way into dozens of banks. Is this a “new era” of cybercrime where criminals steal directly from banks instead of their customers? How can this type of crime be prevented?
KJ: We see this happen a lot in state-sponsored attacks where they’re going after intellectual property – not necessarily for financial gain, but more indirect, like for state or industrial secrets. The application of this attack against banks, from an attack perspective, isn’t necessarily new, but the way they implement it adds a new twist.
These guys went after bank employees with a phishing scheme, and when employees clicked on it, their IDs and access codes, through malware, were compromised. The bad guys used that malware to transfer funds from one account to another, then to a mule account that allowed them to withdraw those funds. That caused all kinds of havoc.
The two ways to stop this are, first, from the inside perspective, to use security teams at banks to limit the kinds of access to outside websites and things and scan emails in a better way to stop the breach initially. Second is to understand who’s accessing these accounts – from the account codes or locations they’re coming in for, or devices they’re using. Those will generally be known in our network.
So if someone creates a mule account, we’d probably be able to see that based on the activity of the device and the way it’s being used.
These are pretty insidious attacks – they come from [inside out]. It’s a much more challenging type of attack that requires coordination between internal security folks at a bank and the external fraud teams. Those are sometimes stove-piped in organizations – so that’s a good way to break barriers down and create more information sharing between the two. But ultimately, it’s a tough one to stop.