March 27, 2019
Better Cyberfraud Defense Through Threat Modeling
Posted January 31, 2019
New cyberfraud techniques, particularly large multi-channel attacks, are driving the growth of fraudsters who specialize in supporting complex attacks. This creates an entire fraud-as-a-service sector surrounding fraud, which appears to defenders as forgettable low-risk malicious activity that eventually combines into a coordinated large-scale loss. The good news is that multi-stage attacks across multiple channels has been a core concern of information security experts for years. The threat modeling and attack tree approach of information security was developed as a method to defend information systems from complex attacks and should be used to design fraud defenses that resist similar attacks. ThreatMetrix provides an industry-leading platform to create a combined defense platform that integrates otherwise unconnected defense mechanisms into a core decisioning engine that can secure the entire flow, reducing the success of multi-stage cross-channel attacks.
A Threat Modeling Approach
In a nutshell, threat modeling asks the defender to go beyond normal system design by considering the flow of a system from an attacker’s perspective, evaluating existing vulnerabilities by asking the simple question “what could go wrong?” With that information in hand, we then ask, “how would it go wrong?” by building an attack tree to find large discrete attacks that could stem from smaller attacks elsewhere in the system. Some threat models attempt to create an exhaustive process that evaluates every possible threat at every stage of the system, however, I prefer a simple “asset-based” approach that opens with the question “what do we have of value that we don’t want to lose?” For financial fraud, this is more than just account balances and money. We can replace stolen money, but we also must protect customer personally identifiable information (PII) which cannot be replaced. We also have assets like account login credentials that must be protected – we don’t want to lose a list of good usernames, and we certainly don’t want to lose passwords.
Fortunately, you don’t need to answer all these questions on your own. ThreatMetrix professional services uses a high touch consulting approach to ensure that your fraud defenses are robust – fully assessing potential user behaviors, subdividing those behaviors into specific activities that present a particularly high risk of abuse or loss based on their professional experience, and leveraging ThreatMetrix to institute effective monitoring and automation to provide system-wide defense. This ensures that the client’s system is reinforced with defense-in-depth rules to counter even the most seasoned fraudster in a portal that enables easy policy auditing and deep fraud investigation.
Threat Modeling in Action for Cyberfraud
Consider a typical implementation where a bank customer can log into a basic online services platform that only displays recent transactions and account statements. To access the portal, a customer must have an existing account with the bank that she can use to register an online account. Registration flow asks the user to verify two things: the account number on a statement and customer PII on file. There is no additional factor authentication at registration sent by a separate channel like a text message one-time password (OTP), but a letter will be mailed to the account address on file following registration which will take 3-5 business days to arrive. There is also a password recovery option to allow for a user to recover their username and password with an e-mail account on record that is set during registration. To reduce friction for the customer, entering a non-existent username results in a “bad username” error, while three bad passwords in a row will direct the user to the “reset password” page. No online bill-pay or wire transfer features are available, and all contact details must be changed in a branch or at the call center. The login page does not use a user-provided second authentication factor like OTPs as this portal shows no customer PII and does not permit a funds transfer, leaving no clear business case that would justify the cost of implementing additional security like text message OTP to augment login security.
Considering our asset-based approach, we know that we should consider protection of the following:
- Customer account balances – the money in the account
- Customer transaction details – information on where the money goes
- Customer PII – the customer information that enables identity theft
- Customer login credentials – how we authenticate activity as being from the customer
A typical attacker would face the registration page with no knowledge of its operation beyond that of a standard bank customer. Based on our prior description of the online registration flow, it is entirely possible that a mailed bank statement found discarded in the trash or stolen from a mailbox would have the account number and PII needed to register. We should not assume that mailed statements cannot be aggregated or that customer PII is unknown to a well-prepared fraudster. Fraud continues to specialize, and there are specialized “dumpster-diver” fraudsters who focus on collecting massive amounts of statements and PII, which they offer for sale in bulk. The mailed registration notification is a good approach to defeat registration fraud, but, it could be intercepted by a fraudster with access to the mailbox, and a good percentage of users will disregard the notice when discarding junk mail limiting its impact.
A moderately-savvy fraudster would check the login page to see if they get differential error messages when the username is correct, but the password is wrong. Poor login page design presents the possibility to enumerate good usernames, greatly reducing the effort required to build a target list for account takeover by filtering out unused usernames from existing username-password lists. The password recovery option will send the username and password to a customer e-mail – a skilled fraudster can gain access to a target customer’s e-mail via credential phishing or social engineering. If the customer no longer has access to the e-mail on record, the call center would be the point of contact. Some fraudsters are particularly skilled at using discarded bank statements and open social media profiles to impersonate the customer and request a change of e-mail by socially engineering the call center representative. Just as most call center personnel are scripted, some highly specialized fraudsters maintain call representatives of their own just to scale social engineering attacks against a call center or a group of customers.
Once the fraudster has breached an account – either via phishing credentials, committing registration fraud, or employing credential stuffing to breach many accounts, they can now see a bank balance with account details. They have several potential options at this stage – they could forge a check from the account, or they could attempt to link the account with an electronic funds transfer (EFT) payment solution. One of the traditional ways EFT solutions verify an account is to make a small EFT deposit and ask the customer to confirm the amount of the deposit. With access to the balance and recent transactions, the fraudster may have enabled a cash-out avenue despite the portal engineering team making a conscious decision to omit bill pay and wire transfer options from online services. There are specialized “cash-out” fraudsters who focus on using various EFT solutions to clean out an account where a fraudster has access to the balance of a bank account for a reasonable percentage of the take. Similarly, there are fraudsters who specialize in using mobile check deposit features offered by many banks to deposit fraudulent checks. It can take weeks for some fraudulent checks to be discovered, however, most banks will make the deposit available in a matter of a few days by “floating” the deposit, allowing a fraudster to profit from a free short-term loan that is meant to reduce customer friction.
From the perspective of asset-based threat modeling we have identified the following:
- Customer account balances – using an EFT payment solution, an improperly authenticated attacker using stolen credentials could validate ownership of an account and initiate EFT transfers out of the account. A fraudster could also forge a check that will not bounce with adequate information on available funds, delaying fraud detection by days or weeks. These vulnerabilities exist despite our decision to exclude wire transfers, bill pay, and person to person payment from the portal. ThreatMetrix can evaluate anomalous online activity to identify devices that do not match the customer’s customary devices used to access the account.
- Customer transaction details – any improperly authenticated attacker can view customer transaction details. Additionally, any aggregator of online details can view these details, and may either be a source of breach on its own, or may be leveraged by a fraudster with good customer credentials. ThreatMetrix can be used to evaluate how a customer accesses or uses an account to identify potential fraud and potential money mule accounts for AML.
- Customer PII – mailed account statements contain customer PII. We should consider removing customer PII from all mailed materials when possible. The customer has their account number on their checks – which they know to protect. The full account number does not need to be printed on mailed statements. One problem that cannot be avoided is that the account number for a checking account is known to any payee that has cashed a check, which creates a risk to registration flow as designed. ThreatMetrix can secure the flow against this added risk by providing an additional factor of authentication that is invisible to the user – their prior use of a device in ThreatMetrix’s store of global data creates a robust “digital identity” that can assure you that you are dealing with your customer.
- Customer login credentials – customer credentials are vulnerable to username enumeration due to differential error messages. We should use a common error for all failed logins, avoiding accidental confirmation of credential validity. ThreatMetrix can also cut down on repeated attempts to log in, stopping fraud while also identifying good customers having trouble during login.
Using attack trees we uncovered a large attack possibility:
Good accounts could be enumerated in an automated bot attack, and the outcome of that attack could be linked up with known username-password pairs obtained in prior breaches to enable a large-scale account takeover attack. ThreatMetrix can identify and prevent automated bot attacks with ease, even in cases where the bot attempts to maintain a low profile through a “low and slow” bot attack designed to evade bot detection.
The fraudster can obtain great volumes of breached usernames and passwords as they are readily available on the deep and dark web. They can cross the usernames they identified with any shared username/password combinations, improving the success rate of their attack. Even a 5% success rate could represent thousands of breached accounts, millions of dollars in loss, and a potentially-public event that could cause a widespread loss of trust in the bank. ThreatMetrix is particularly suited to rapidly detecting and automating mitigation of large scale events. Decisioning on ThreatMetrix responses could easily automate fraud response, defeating the vast majority of fraudster attempts to breach accounts and flagging all impacted accounts for mitigation team treatment. Additionally, leveraging professional services would identify all of these use cases prior to implementation while providing high touch expert support to identify current and future risks in system flow – like the risk of enumeration attack created by differential error responses and page flows.
Pick the right professional support and platform to stand against an ever-evolving fraud threat. Learn more about the ThreatMetrix platform and ThreatMetrix Professional Services.