Financial Fraud and Internet Banking
Total Page:16
File Type:pdf, Size:1020Kb
Report Financial Fraud and Internet Banking: Threats and Countermeasures By François Paget, McAfee® Avert® Labs Report Financial Fraud and Internet Banking: Threats and Countermeasures Table of Contents Some Figures 3 U.S. Federal Trade Commission Statistics 3 CyberSource 4 Internet Crime Complaint Center 4 In Europe 5 The Many Faces of Fraud 6 Small- and large-scale identity theft 7 Carding and skimming 8 Phishing and pharming 8 Crimeware 9 Money laundering 10 Mules 10 Virtual casinos 11 Pump and dump 12 Nigerian advance fee fraud (419 fraud) 12 Auctions 14 Online shopping 16 Anonymous payment methods 17 Protective Measures 18 Scoring 18 Europay, MasterCard, and Visa (EMV) standard 18 PCI DSS 19 Secure sockets layer (SSL) and transport secured layer (TLS) protocols 19 SSL extended validation 20 3-D Secure technology 21 Strong authentication and one-time password devices 22 Knowledge-based authentication 23 Email authentication 23 Conclusion 24 About McAfee, Inc. 26 Report Financial Fraud and Internet Banking: Threats and Countermeasures Financial fraud has many faces. Whether it involves swindling, debit or credit card fraud, real estate fraud, drug trafficking, identity theft, deceptive telemarketing, or money laundering, the goal of cybercriminals is to make as much money as possible within a short time and to do so inconspicuously. This paper will introduce you to an array of threats facing banks and their customers. It includes some statistics and descriptions of solutions that should give readers—whether they are responsible for security in a financial organization or a customer—an overview of the current situation. Some Figures U.S. Federal Trade Commission Statistics In the United States, many observers have been trying for several years to prove that financial fraud is stabilizing or decreasing. The U.S. Federal Trade Commission (FTC) is responsible for protecting consumers and monitoring competition. Its annual reports show a leveling off in the number of complaints between 2004 and 2006.1 In 2007, however, the figures increased slightly.2 All three FTC indicators are now on the rise. 500,000 450,000 400,000 350,000 300,000 250,000 200,000 Number of Complaints 150,000 100,000 50,000 0 2000 2001 2002 2003 2004 2005 2006 2007 est. 2008 Identity Theft Complaints Internet-Related Fraud Complaints Other Fraud Complaints Figure 1: Annual consumer statistics from the U.S. Federal Trade Commission for consumers. (Source: FTC) In 2008, the FTC no longer separated Internet-related fraud complaints from the total.3 Figure 2 shows its new breakdown. For 2008, only 58 percent of all fraud complaints reported the method of initial contact. Of those complaints, 52 percent cited email, while another 11 percent started with an Internet website. Only 7 percent of consumers who provided statistics reported the telephone as the initial point of contact. 1. Consumer Fraud and Identity Theft Complaint Data: Year 2004: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf Year 2005: http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf Year 2006: http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf 2. Year 2007: http://www.consumer.gov/sentinel/pubs/Top10Fraud2007.pdf 3. Consumer Fraud and Identity Theft Complaint Data: Year 2008. http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2008.pdf 3 Report Financial Fraud and Internet Banking: Threats and Countermeasures CY-2006 CY-2007 CY-2008 Contact Method Complaints Percentages* Complaints Percentages* Complaints Percentages* Internet—Email 138,195 45% 152,131 50% 193,817 52% Mail 50,317 16% 42,330 14% 51,837 14% Internet—Website/Others 46,687 15% 45,447 15% 40,596 11% Phone 39,365 13% 33,733 11% 26,067 7% Other 31,722 10% 33,481 11% 57,695 16% Total Reporting 306,286 307,122 370,012 Contact Method * Percentages are based on the total number of CSN fraud complaints for each calendar year where consumers reported the company’s method of initial contact: CY-2006 = 306,286; CY-2007 = 207,122; and CY-2008 = 370,012. 58% of consumers reported this information during CY-2008. 71% and 53% for CY-2006 and CY-2007, respectively. Figure 2: Consumer Sentinel Network fraud complaints by contact method. (Source: CSN) CyberSource Fraud as a percentage of online revenue—in the United States and Canada combined—has decreased over the past few years. It stabilized at 1.4 percent three years ago, according to CyberSource, an electronic payment and security vendor. Overall revenue losses have nevertheless shown a marked increase. As the growth of online sales slowed during 2008, recorded losses are estimated at US$4 billion for the American market alone. This is an increase of 11 percent in value, after a 20 percent rise the previous year.4 Online Revenue Loss Due to Fraud % Revenue Lost to Online Fraud $4B in 2008 4.0% $4.5 3.5% $4.0 3.6% $4.0 $3.5 3.0% $3.6 3.2% $3.0 2.5% 2.9% $2.5 $3.0 2.0% $2.8 $2.6 $2.0 1.5% $2.1 1.8%% $1.5 $1.9 1.7%% $1.7 1.6%% % of Online Revenue Lost % of Online Revenue Lost 1.0% $1.5 1.6%% 1.6%% 1.6%% $1.0 0.5% $0.5 0% $0.0 2000 2001 2002 2003 2004 2005 2006 2007 2008 2000 2001 2002 2003 2004 2005 2006 2007 2008 n=132 n=220 n=343 n=333 n=348 n=404 n=353 n=294 n=399 Although the rate of revenue loss due to online payment fraud was stable in 2008, total dollars lost to fraud have increased due to online sales growth. Figure 3: Payment fraud statistics for the American market. Although the rate of revenue loss due to online payment fraud was stable in 2008, total dollars lost to fraud have increased due to online sales growth. (Source: CyberSource 10th Annual Online Fraud Report) Internet Crime Complaint Center The Internet Crime Complaint Center,5 working in partnership with the U.S. Federal Bureau of Investigation (FBI) and the National White Collar Crime Center, also collects data. In 2008, Americans filed 33.1 percent more complaints than in 2007, and the total amount of money stolen online reached a historic record. The claims center registered almost 275,000 complaints, representing a loss of US$265 million, or 10.6 percent more than in 2007. 4. CyberSource. 10th Annual, 2009 Edition, “Online Fraud Report.” http://forms.cybersource.com/forms/FraudReport2009NACYBSwww020309 5. Internet Crime Complaint Center, “2008 Internet Crime Report” http://www.nw3c.org/downloads/2008_IC3_Annual%20Report_3_27_09_small.pdf 4 Report Financial Fraud and Internet Banking: Threats and Countermeasures 2008 Yearly Dollar Loss (in millions) Referred Complaints $280 $264.59 $260 $239.09 $240 $220 $198.44 $200 $183.12 $180 $160 $140 $125.60 $120 Yearly Comparison Complaints Received via the IC3 Website $100 $80 $68.14 $60 $54.00 $40 300,000 275,284 $20 $17.80 $0 250,000 231,493 207,449 206,884 2001 2002 2003 2004 2005 2006 2007 2008 200,000 150,000 124,515 100,000 75,064 2008 Yearly Comparison Referrals 50,412 50,000 16,838 120,000 103,959 0 100,000 96,731 2000 2001 2002 2003 2004 2005 2006 2007 2008 86,279 90,008 80,000 70,553 72,940 60,000 28,252 40,000 20,000 4,810 0 2001 2002 2003 2004 2005 2006 2007 2008 Figure 4: Internet Crime Complaint Center statistics for America. (Source: IC3 2008 Internet Crime Report) Half of all cases involved a monetary loss of less than $1,000. One-third (33.7 percent) of those filing complaints reported losses between $1,000 and $5,000. Only 15 percent indicated a loss greater than $5,000. Complaint Type % of Reported Total Loss Average Loss per Complaint Reporting a Loss Check Fraud 7.8 $3,000 Confidence Fraud 14.4 $2,000 Nigerian Letter Fraud 5.2 $1,650 Computer Fraud 3.8 $1,000 Non-Delivery (Merchandise and Payment) 28.6 $800 Auction Fraud 16.3 $610 Credit/Debit Card Fraud 4.7 $223 Figure 5: Amounts lost to fraud, by type, for U.S. individuals reporting a loss. (Source: IC3 2008 Internet Crime Report) Auction fraud and the failure to deliver purchases are the most widely reported complaints. Other complaints relate to credit card fraud or even advance-fee fraud (scam). Email and web pages are the two main mechanisms for approaching victims. We find that a frequently reported scam concerns the purchase or sale of pets. The majority of complaints come from men. Nearly half are 30 to 50 years old, and one-third of them live in one of the four most populated states in the United States: California, Florida, Texas, and New York. In Europe During the same period (2004 to 2007) and consistent with the overall North American figures, the Association for Payment Clearing Services statistics also showed a decrease in online banking fraud. In Great Britain, the sharp rise in 2006 did not continue the following year. The figures for 2007 were even lower than the 2005 figures. This note of optimism is greatly tempered today by the results from the first half of 2008, which show a 185 percent increase compared to last year.6 6. APACS, “APACS announces latest fraud figures.” http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm 5 Report Financial Fraud and Internet Banking: Threats and Countermeasures January–June January–June January–June January–June January–June Increase, 2004 2005 2006 2007 2008 2007–2008 Online banking fraud losses £4 £14.5 £22.4 £7.5 £21.4 185% (in millions) Phishing 126 312 5,087 7,224 20,682 186% incidents “Mule” recruitment NA 196 468 655 873 33% offers Figure 6: Online banking fraud, phishing, and money mule advertisements in the United Kingdom.