March 15, 2019
The Office of Foreign Assets Control (OFAC) administers and enforces economic and trade sanctions against certain foreign countries and organizations in order to support U.S. national security and foreign policy objectives. All U.S. businesses, as well as many businesses worldwide (particularly banks), must abide by OFAC regulations.
Apart from checking all transactions/individuals/enterprises against the Specially Designated Nationals (SDN) list, an enterprise must know with a much greater degree of certainty who its customers are and where they are located. To comply with OFAC regulations, companies must be certain that transactions do not originate in countries or from organizations that are subject to penalty sanctions.
Furthermore, the OFAC list is not limited to the United States and applies to other parts of the world. What’s more, the United Kingdom, United Nations and European Union maintain similar lists, such as:
- United Kingdom HM Treasury’s Consolidated List of Financial Sanctions Targets
- United Nations Security Council Sanctions List
- European Union Designated Terrorists List
In an increasingly global economy, most financial institutions and online businesses have to invest in technology and resources to ensure compliance with these regulations.
Advanced Tactics of Cybercriminals Put Global Organizations at Risk
Cybercrime is a well-organized global phenomenon, with criminals quickly adopting emerging technologies to attack businesses. Strong knowledge sharing across decentralized cyber gangs promotes ever more sophisticated ways to circumvent OFAC regulations.
By using device spoofing, cybercriminals appear to be in an area without OFAC sanctions; these masters of disguise dupe organizations into conducting illegal transactions.
Criminal control of accounts can also lead to the facilitation of other crimes. So-called “mule accounts” are used as intermediary accounts when fraudsters extract money from victims in an account takeover attack, extending the network of fraudulent activity further.
Outdated Assurance Methods Mask True Identity
In an ever-advancing technological landscape, hiding or cloaking location has become commonplace. Proxies, VPNs and software such as TOR allow users to hide their true IP address relatively simply.
Companies that rely on outdated technologies to determine location are taking big risks. They could be exposed to hefty penalties if they unwittingly accept a restricted or fraudulent transaction.
Compounding the risk is the fact that stolen credentials can be used to set up accounts that pass Know Your Customer (KYC) checks. The apparently legitimate account may actually be controlled by a criminal network, hiding its identity behind anonymizing services whilst controlling the account from unknown locations.
The challenge for companies is to be able to differentiate between trusted users and potential threats: many savvy consumers are adopting software to maintain privacy and protect their personal data. How can companies value their customers whilst isolating those transactions that may originate from criminal or terrorist organizations?
The ThreatMetrix Solution to Destabilize Organized Financial Crime
Each month, the ThreatMetrix Digital Identity Network analyzes and detects hundreds of thousands of transactions from OFAC countries. A significant number of these come from cybercriminals trying to hide their location using proxies and VPNs.
Although these transactions make up a small percentage of the overall volume, their financial impact can be far-reaching, not to mention devastating to a company’s reputation.
ThreatMetrix offers advanced solutions to support compliance with OFAC regulations. Furthermore, with the ThreatMetrix secure anonymous data sharing model, financial institutions can tag accounts that have confirmed involvement in money laundering or fraud and share these with other participating organizations. Shared intelligence is a key weapon in the fight against financial crime.
ThreatMetrix Analytics Detect Spoofing and Identify True Location
Using real-time advanced device profiling and data from the world’s largest shared Digital Identity Network, ThreatMetrix provides global organizations with an accurate assessment of suspicious online activity.
ThreatMetrix can instantly alert a company to any requests or transactions that should be blocked, prohibited or indeed accepted according to OFAC regulations.
- Device analytics: Uniquely identifying each device, determining its location, association with the user, and ties to criminal activity or hacker rings. Detecting anomalies that may indicate fraudulent locations, hacking or a compromised device.
- Identity analytics: Pinpointing the end user’s association(s) with trusted entities, or any history or affiliation with crime, fraud, or hacking activities.
- Behavior analytics: Analyzing normal login patterns such as login frequencies, locations, typical access times, login names, and devices used to detect anomalies and suspicious activities. Analyzing these account access patterns and behavior can provide an early warning sign that an account may be a “mule account” in waiting.
- Location analytics: Revealing the characteristics of each user’s connection to the online site, and classifying and risk-assessing proxy, VPN and TOR connections. Bypassing proxy connections to identify the true IP address of the originating machine or, for VPNs, the DNS IP closest to the online user. This additional intelligence can change the KYC picture dramatically and highlight criminal activity.
Case Study: ThreatMetrix Delivers OFAC Assurance to Global Financial Institutions
The problem: Large financial institutions are becoming prime targets for cybercriminals across the globe. This is compounded by the need to cater to an ever more mobile end user who wants to access services wherever they might be in the world. How can banks maintain an optimum global customer experience without compromising security?
Fraudsters are cashing in on this global expansion by using identity and location spoofing to access services from restricted locations, as well as through stolen devices and identities.
The result is hundreds of thousands of transactions every month that come from restricted countries, masked by proxies or VPN. Many of these transactions are not detected by the banks’ existing solutions, exposing them to severe fines and risk to reputation.
The ThreatMetrix approach: ThreatMetrix’s multi-layered and detailed approach to profiling customers and transactions, using sophisticated device, identity and behavior analytics, enables these leading financial institutions to detect whether cybercriminals are trying to mask their true locations to cover their tracks.
With a foundation of intelligent packet and browser packet analysis, ThreatMetrix can pierce through proxies and uncover the malicious user’s true IP address. ThreatMetrix’s unique VPN and TOR detection capability performs deep analysis of incoming TCP/IP connections that reveals connection-specific attributes. These attributes help analyze the network connection type from an originating device to accurately identify the end user’s true location.
| Countries | Percentage of Destination Transactions |
The result: Access attempts from these restricted locations were identified and flagged in real time. These transactions were marked as high risk by detecting the presence of a proxy/VPN used to mask true location, as well as by identifying previously flagged fraudsters using global shared intelligence. The following table illustrates how ThreatMetrix goes beyond identifying restricted U.S. transactions in a way that supports UK, UN and EU initiatives.