
New Age Risks in Banking: Beating Fraud with Paladion Insights

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 11 min read

Summary:

The post summarizes a guide to setting up an internet trading system with fraud detection built on ArcSight, covering how ArcSight is integrated and the role it plays in preventing financial fraud within the enterprise security landscape.

Key Points:

1. **Define Requirements**: Start by clearly defining what you need from the internet trading system, including objectives, constraints, and necessary features. This sets the foundation for all subsequent steps.

2. **Design Architecture**: Create a detailed architectural diagram that includes data flows between the components of the system, network configuration, security measures, and integration points with other systems.

3. **Configure Database Connection**: Ensure that the database connection is robust and capable of handling large volumes of transaction data efficiently. This involves setting up connections to the databases where transaction details are stored.

4. **Sample Parser File**: Develop a sample parser file for the transaction records, covering device information, user IDs, amounts, dates, statuses, and other relevant fields.

5. **Test and Deploy**: Follow a structured testing process:

  • Collect test logs using the ArcSight FlexConnector in a UAT environment.

  • Verify that all data fields are parsed correctly from these logs.

  • Check for errors in both the log files and the agent logs to confirm the connector is reliable.

  • Deploy to production and continue log collection, adjusting connector settings based on feedback from testing.

6. **Implement Use Cases**: Map ArcSight variables to specific fraud indicators such as access from suspicious geographies, blacklisted mule accounts, transactions from anonymous proxies, and high transaction values. Create rules, reports, and dashboards in ArcSight for these early indicators. Maintain active lists of potentially risky accounts or transactions.

7. **Define Rules**: Establish criteria for detecting fraudulent activity based on the mapped variables and create corresponding rules within ArcSight.

8. **Sample Reports and Dashboards**: Create reports and dashboards to monitor unauthorized access points and the locations related to transactions, and to give an overview of top transactions across the banking channels.

9. **Monitoring Process**: Implement a continuous monitoring process so that the system keeps operating effectively in real-world conditions and adapts to changes in transaction patterns and fraud techniques.

Benefits: Using ArcSight ESM enables early detection of fraud, which helps prevent significant financial losses. It also delivers a higher return on investment, because the effort to extend an existing ESM deployment to application-level anomaly detection is small. The setup supports compliance with PCI requirements for application monitoring and strengthens the enterprise's reputation as a secure institution.

Threats and Targets: Banks are prime targets for financially motivated attacks because of the sensitive nature of their operations. Cybercrime syndicates target business applications because vulnerabilities in these platforms can be exploited to compromise data or transactions.

Detection through Application Monitoring: By monitoring application parameters, early indicators of fraud and irregularities can be detected with ArcSight ESM extended through its FlexConnector capability.

Details:

The presentation titled "New Age Risks in Banking: Beat the Fraud" by Vinod Vasudevan discusses the current threats faced by banks and introduces the use of ArcSight for Application Monitoring. Key points include:

1. **Current Threat Landscape**: Banks face several risks due to technological advancement and changing customer needs. These include financially motivated threats such as phishing, web application attacks, targeted financial malware, and fraud techniques like skimming, card cloning, and data theft. Advanced financial malware, including botnets, spyware and scareware, is also on the rise.

2. **Business Application Monitoring**: The new technologies banks adopt for reach and automation bring new vulnerabilities, and with them more opportunities for fraud. Business applications now hold critical data and transactions, which makes them a primary target for fraudsters using advanced techniques that combine technology with social engineering.

3. **Solution Benefits**: Using ArcSight for application monitoring lets banks proactively detect suspicious activity, monitor changes to business configuration, protect customer data from theft, and reduce the risk of financial fraud. The solution helps identify threats such as unauthorized access attempts, fraudulent account registrations, and changes to banking configuration settings that could lead to significant financial loss or reputational damage.

4. **Key Insights**:

  • Threats are primarily financially motivated, aiming to steal credentials and data.

  • Advanced techniques involve sophisticated combinations of technology and social engineering tactics focused on extracting valuable data from business applications.

  • Business applications have become a central target for fraud due to the presence of sensitive information within them.

  • Fraudsters use various methods like phishing to obtain netbanking login credentials, SSNs, and other account details remotely.

Overall, the presentation underscores the importance of proactive monitoring and securing business applications in modern banking environments, where financial threats are becoming increasingly sophisticated.

The presentation then walks through a financial fraud case that combined ATM card cloning with malware injected through web applications. Cloned cards were used across 130 ATMs in 49 cities, and $9 million was withdrawn within 30 days. The perpetrators used data stolen from multiple banks to clone the cards and withdraw the funds. To obtain that data, the fraudsters exploited vulnerabilities in web applications to plant malicious iframe tags that redirected users to malware-infested sites; once a machine was infected, the user's credentials were captured as they attempted transactions on the banking websites.

Business Application Monitoring (BAM) plays a crucial role in detecting early indicators of fraud within business applications by examining patterns in authentication, access, and authorization, changes to critical application parameters, and policy changes. Transaction monitoring is a second mechanism used to detect fraudulent activity in banking applications and channels.

The presentation outlines the rules and applications monitored through ArcSight Enterprise Security Manager (ESM) to protect the security and integrity of banking operations. Key areas covered:

1. **Logins from Suspicious Geographies**: Monitoring logins that originate from geographies flagged as suspicious, which could indicate unauthorized access attempts.

2. **Access Patterns**: Invalid access attempts to cardholder data, repeated access to customer profiles, and ATM cash chest openings at unusual hours, all of which are indicators of a potential security breach.

3. **Authorization Patterns**: Rules cover granting higher privileges to normal user IDs without a legitimate need, approval requests coming from the same machine as the original request, and other Maker/Checker role violations that can lead to unauthorized access or misuse of information.

4. **Critical Application Parameter Changes**: Monitoring changes to limit settings, interest rates, the status of dormant accounts, and password policies, all of which are critical to maintaining security controls.

5. **Policy Changes**: Monitoring alterations to account and password policies that could indicate fraud or unauthorized access attempts.

6. **Transaction Monitoring Rules**: Blacklist/watchlist checks on money transfers, transactions above a threshold, simultaneous transactions from different locations, suspicious geographies, anonymous proxy usage, and fund transfer trends.

7. **Commonly Monitored Banking Applications**: Retail and corporate internet banking, ATM, mobile banking, SMS banking, IVR, payment gateway, core banking, treasury, customer relationship management, loan origination, and credit card application processing.

The presentation positions ArcSight ESM monitoring as one layer of a "defense in depth" approach, in which multiple layers of defence protect against threats more effectively than any single-point solution. It emphasizes that investing in catching early fraud indicators with ArcSight ESM gives a better ROI, since extending the existing deployment does not require much infrastructure investment while offering significant benefits. Business applications such as Internet Banking, ATM, and IVR are monitored through a channel integrator. ArcSight ESM features include:

  • A flexible architecture allowing it to collect logs from various devices using the same agent server.

  • Customizable rules, alerts, reports, and dashboards on the backend, plus a custom connector (FlexConnector) kit that supports development of connectors for multiple log sources and formats.

The process outlined involves several steps:

1. Define fraud scenarios and early indicators (for example, access from suspicious geographies or use of anonymous proxies).

2. Understand the Channel Integrator logs stored in Oracle databases: where the logs are located, which types exist (operating system, database), and how log rotation works.

3. Collect sample logs to understand their format and syntax.

4. Create a parser file for the logs.

5. Implement the methodology by deploying use cases and scenarios built on the early fraud indicators identified.

6. Test the application monitoring process for fraud/threat prevention against the collected logs.

7. Deploy the solution to gain the benefits: better oversight of financial transactions and of overall business security.

The presentation then describes a structured format for logging financial transactions in an Internet Banking system. Key components:

1. **Transaction Logging Format**: The format captures detailed information about each transaction: user details, transaction type, date and time stamps, amount, account numbers, status, error codes, and more.

2. **Field Definitions**:

  • **IDCIF (NOT NULL)**: User's CIF Number, which could be an identifier for the customer in the system.

  • **IDDEVICE (NOT NULL)**: Indicates the channel from which the request was made, such as Internet Banking (INB), Interactive Voice Response (IVR), etc.

  • **IDTXN (CHAR(3))**: A code representing the type of transaction being performed, possibly ranging from utility bill payments to credit card alerts.

  • **IDREQUEST (VARCHAR2(20))**: Combination of IDAPP, IDTXN, and NUMSEQUENCE, which might be used for uniquely identifying a request across multiple steps or pages.

  • **IDUSER (VARCHAR2(20))**: User ID, possibly linked to the user's account in the system.

  • **DATREQUEST (NOT NULL)**: The date and time when the transaction was initiated by the user.

  • **AMTTXN (NUMBER)**: The amount involved in the transaction, which could be transferred or paid out as part of the transaction.

  • **STATUS (NOT NULL)**: A three-character code indicating the current status of the transaction, possibly ranging from success to failure and session termination.

  • **RETURNCODE (NUMBER(1,0))**: Indicates the outcome of the transaction, where 0 means successful completion, 1 indicates a failure, and 2 means transaction failure with session termination.

  • **ERRORCODE (VARCHAR2(20))**: An error code that might provide specific details about why a transaction failed or encountered issues.

3. **Optional Fields**: Fields such as AUDITREQUEST, AUDITRESPONSE, and TOKEN1 to TOKEN8 are marked "Not Required" and will generally be NULL unless needed for audit trails or additional features.

4. **Purpose**: This structured logging format maintains detailed records of all transactions for auditing, customer support, fraud detection, and system performance analysis. It gives a comprehensive view of user interactions with the Internet Banking service, including each transaction initiated through the various channels.

5. **Steps for Using this Format**: To use this format with ArcSight:

  • Map the log fields to corresponding fields in the ArcSight schema (normalization).

  • Create a parser file that can read and interpret these logs according to their specific structure, extracting necessary information as required by the application's needs.
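As an added example (not code from the presentation or from ArcSight), the following Python applies the two steps above to the field definitions: it reads rows in the documented column layout, enforces the NOT NULL, RETURNCODE and IDREQUEST rules, and maps the fields onto ArcSight-style names. The page describes the source as Oracle tables read through a FlexConnector; to run offline, the example assumes the rows have been exported as pipe-delimited lines in a fixed column order (an assumption). Target field names other than externalId, deviceFacility and deviceProcessName, which the page states, are assumed, and the sample rows are constructed.

```python
# Added example: parser + ArcSight-style normalization for the transaction
# log format described on this page. Column order and target field names
# marked "assumed" are not from the page; sample rows are constructed.
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Assumed export column order (subset of the documented fields).
COLUMNS = ["IDSEQ", "IDLANG", "IDDEVICE", "IDAPP", "IDTXN", "NUMSEQUENCE",
           "IDREQUEST", "IDUSER", "DATREQUEST", "AMTTXN", "STATUS", "RETURNCODE",
           "ERRORCODE", "IDSESSION", "IDCIF", "REMOTEADDRESS", "FLGPROCESSED"]
REQUIRED = {"IDSEQ", "IDDEVICE", "IDCIF", "DATREQUEST", "STATUS"}  # NOT NULL per the page
CHANNELS = {"01": "INB", "11": "IVR"}                              # device facility codes per the page
RETURN_OUTCOME = {0: "Success", 1: "Failure", 2: "Failure/SessionTerminated"}


class ParseError(ValueError):
    """Raised for a row that violates the documented schema."""


def parse_record(line: str) -> dict:
    """Split one exported row, enforce NOT NULL/type rules, return the raw field dict."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(COLUMNS):
        raise ParseError(f"expected {len(COLUMNS)} columns, got {len(parts)}")
    rec = {k: (v if v != "" else None) for k, v in zip(COLUMNS, parts)}
    missing = [k for k in REQUIRED if rec[k] is None]
    if missing:
        raise ParseError(f"NOT NULL column(s) empty: {', '.join(sorted(missing))}")
    try:
        rec["IDSEQ"] = int(rec["IDSEQ"])
        rec["DATREQUEST"] = datetime.strptime(rec["DATREQUEST"], "%Y-%m-%d %H:%M:%S")
        rec["AMTTXN"] = Decimal(rec["AMTTXN"]) if rec["AMTTXN"] is not None else None
        rec["RETURNCODE"] = int(rec["RETURNCODE"]) if rec["RETURNCODE"] is not None else None
    except (ValueError, InvalidOperation) as exc:
        raise ParseError(f"type conversion failed: {exc}") from exc
    if rec["RETURNCODE"] is not None and rec["RETURNCODE"] not in RETURN_OUTCOME:
        raise ParseError(f"RETURNCODE out of range: {rec['RETURNCODE']}")
    # IDREQUEST is documented as IDAPP + IDTXN + NUMSEQUENCE; a mismatch means a broken row.
    expected = f"{rec['IDAPP'] or ''}{rec['IDTXN'] or ''}{rec['NUMSEQUENCE'] or ''}"
    if rec["IDREQUEST"] is not None and rec["IDREQUEST"] != expected:
        raise ParseError(f"IDREQUEST {rec['IDREQUEST']!r} != IDAPP+IDTXN+NUMSEQUENCE {expected!r}")
    return rec


def normalize(rec: dict) -> dict:
    """Map a raw record onto ArcSight-style event fields (names marked assumed are not from the page)."""
    return {
        "externalId": rec["IDSEQ"],                                   # stated on the page
        "deviceFacility": CHANNELS.get(rec["IDDEVICE"], rec["IDDEVICE"]),  # stated on the page
        "deviceProcessName": rec["IDAPP"],                            # stated on the page
        "deviceEventClassId": rec["IDTXN"],                           # assumed: transaction code
        "requestId": rec["IDREQUEST"],                                # assumed name
        "sourceUserName": rec["IDUSER"],                              # assumed
        "destinationUserId": rec["IDCIF"],                            # assumed: customer CIF
        "endTime": rec["DATREQUEST"],                                 # assumed
        "deviceCustomNumber1": rec["AMTTXN"],                         # assumed: amount
        "deviceCustomString1": rec["STATUS"],                         # assumed: status code
        "outcome": RETURN_OUTCOME.get(rec["RETURNCODE"], "Unknown"),
        "reason": rec["ERRORCODE"],                                   # assumed
        "sessionId": rec["IDSESSION"],                                # assumed name
        "sourceAddress": rec["REMOTEADDRESS"],                        # assumed
    }


def parse_lines(lines):
    """Return (normalized events, [(line number, error)]) so bad rows are visible, not dropped."""
    events, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            events.append(normalize(parse_record(line)))
        except ParseError as exc:
            errors.append((n, str(exc)))
    return events, errors


# Constructed sample export; users, CIFs, IPs and codes are invented.
SAMPLE_LINES = [
    "1001|ENG|01|INB|FTR|01|INBFTR01|alice|2025-04-08 09:01:00|12000.00|SUC|0||S7F3K2|CIF000123|198.51.100.10|Y",
    "1002|ENG|11|IVR|BAL|01|IVRBAL01|bob|2025-04-08 09:02:30||SUC|0||S7F3K3|CIF000456|198.51.100.11|Y",
    "1003|ENG|01|INB|FTR|02|INBFTR02|carol|2025-04-08 09:03:00|750000.00|FAI|2|ERR_LIMIT|S7F3K4|CIF000789|203.0.113.7|N",
    "1004|ENG|01|INB|FTR|01|INBFTR09|dave|2025-04-08 09:04:00|500.00|SUC|0||S7F3K5|CIF000999|198.51.100.12|Y",
    "1005|ENG|01|INB|FTR|01|INBFTR01||2025-04-08 09:05:00|500.00|SUC|0||S7F3K6||198.51.100.13|Y",
]

if __name__ == "__main__":
    evs, errs = parse_lines(SAMPLE_LINES)
    for e in evs:
        print(e["externalId"], e["deviceFacility"], e["sourceUserName"], e["outcome"], e["deviceCustomNumber1"])
    for n, msg in errs:
        print(f"line {n}: {msg}")
```

Rows 4 and 5 of the constructed sample are deliberately broken (an IDREQUEST that does not equal IDAPP+IDTXN+NUMSEQUENCE, and an empty NOT NULL IDCIF) so that parse_lines reports them the way the UAT "verify all fields are parsed" check should, rather than emitting half-filled events that rules would then match on.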

This detailed logging system is crucial for maintaining regulatory compliance, ensuring accurate transaction records, facilitating efficient customer support, and improving operational efficiency in financial services provided through Internet Banking platforms.

The presentation also maps the data types of the source system's fields to ArcSight data types:

1. **Data Types and Fields**: Each field is listed with its nullability (NOT NULL or NULL), data type, and purpose within the system. The fields include language, device facility, application, transaction ID, user ID, date and time of the transaction, description, return code indicating the transaction outcome, error code, session ID, customer ID, the IP address from which the request was made, and more.

2. **ArcSight Field Categorization**: The fields are categorized into the following types for ArcSight:

  • **IDSEQ**: A primary key external ID of type NUMBER(15,0).

  • **IDLANG**: CHAR(3) for language; not required.

  • **Channel**: Device Facility categorized by codes (e.g., 01-INB, 11-IVR).

  • **Device Process Name**: Categorized by codes like INB, CRM, etc.

  • **Transaction ID and Sequence**: NUMSEQUENCE as CHAR(2), used for transactions with multiple steps or pages.

  • **User Information**: VARCHAR2 fields for user ID and customer ID; those marked NOT NULL (such as IDCIF) are required, the others may be empty.

  • **IP Address**: REMOTEADDRESS of type VARCHAR2(50) from which the request was made.

  • **Session ID**: IDSESSION as VARCHAR2(18), used to identify a session.

  • **Processing Flag**: FLGPROCESSED of type CHAR(1).

  • **Tokens**: Various token fields (TOKEN1, TOKEN2, TOKEN3) which are not required and always null.

3. **Additional Information**: Fields such as AUDITREQUEST and AUDITRESPONSE are always NULL and not required.

4. **ArcSight Fields Mapped**: Finally, a subset of these fields is listed with their ArcSight field names (IDCIF, Channel, and so on), showing how each maps to a category within ArcSight for data management and analysis. The mapping serves as a template for integrating the source system's data into ArcSight so that it is categorized and analyzed according to the SIEM's predefined schema.

The presentation then outlines the process for implementing and testing the system, including the setup of a FlexConnector for ArcSight to monitor early fraud indicators. The steps are as follows:

1. **Define Requirements**: Establish clear objectives and gather the necessary information about the system's capabilities, constraints, and desired features.

2. **Design Architecture**: Create a detailed design that includes data flows, system components, network configuration, security measures, and integration points with other systems.

3. **Configure Database Connection**: Set up the database connections for transaction data and ensure the connector can handle large volumes efficiently.

4. **Sample Parser File**: Develop a sample parser file for the transaction details, including device information, user IDs, amounts, dates, statuses, and other relevant fields.

5. **Test and Deploy**:

  • Collect test logs using the flex connector in the UAT environment.

  • Verify that all data fields are parsed correctly.

  • Check for errors in log files and agent logs.

  • Deploy the system in a production environment and continue logging collection.

  • Fine-tune connector settings based on testing feedback.

6. **Implement Use Cases**:

  • Map ArcSight variables to fraud indicators such as suspicious geography access, blacklisted mule accounts, transactions from anonymous proxies, and high transaction values.

  • Create rules, reports, and dashboards in ArcSight for these early indicators.

  • Maintain active lists of potentially risky accounts or transactions.

7. **Define Rules**: Establish criteria for detecting fraudulent activity based on the mapped variables and create corresponding rules within the ArcSight platform.

8. **Sample Reports and Dashboards**:

  • Create specific reports such as "Suspicious Geography Access – Internet Banking" to monitor unauthorized access points or locations related to transactions.

  • Generate dashboards that provide an overview of top transactions across various banking channels for analysis and trend identification.

9. **Monitoring Process**: Implement a process to continuously monitor the system, ensuring it operates efficiently in real-world scenarios while adapting to changes in transaction patterns and fraud techniques.

This gives a structured approach to developing an internet trading system with robust fraud detection, using ArcSight for early warning and real-time monitoring.

Finally, the presentation discusses the benefits of this approach in the context of enterprise security trends, particularly how ArcSight Enterprise Security Manager (ESM) can be used to prevent financial fraud. Key points:

1. **Benefits**: ArcSight ESM provides early detection of fraud and helps prevent significant financial losses. Organizations achieve a higher return on investment because the effort to extend an existing deployment to application-level anomaly detection is small, and the result is a robust additional layer of defence. It also helps demonstrate compliance with the PCI data security requirements for monitoring applications.

2. **Threats and Targets**: Banks are particularly vulnerable to financially motivated threats that lead to fraud, due to the sensitive nature of their operations. Cybercrime syndicates target business applications because vulnerabilities in these platforms can be exploited to compromise data or transactions.

3. **Detection through Application Monitoring**: Monitoring application parameters makes it possible to detect early indicators of fraud and irregularities. ArcSight ESM can be extended with the FlexConnector kit to monitor such signs within the enterprise.

4. **Compliance and Standards**: The approach contributes to compliance with PCI standards for data security in applications, which matters for maintaining customer trust and avoiding penalties for non-compliance.

In summary, integrating ArcSight ESM and extending it through FlexConnectors can significantly enhance an enterprise's fraud prevention capabilities while demonstrating a commitment to high security standards. This setup not only protects against financial loss but also boosts the organization's reputation as a secure entity in the market.
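The rule set listed in the monitoring section earlier (logins from suspicious geographies, Maker/Checker approval from the same machine, blacklist checks on transfers, transactions above a threshold, simultaneous transactions from different locations, anonymous proxy usage) and the use cases in steps 6 and 7 above are the same small set of correlations over normalized events. As an added example, which is not the presentation's content or an export of ArcSight rules, the following Python expresses them as plain functions, with the active lists the page mentions represented as sets. The event field names, IDTXN codes, list contents, threshold, time window and sample events are all constructed assumptions; the country that ArcSight would derive by geo-enrichment of the source address is assumed to be already present as a sourceCountry field.

```python
# Added example: early-indicator rules over normalized Internet Banking events.
# Field names, IDTXN codes, list contents, threshold and sample data are
# constructed for the example; ESM would hold the lists as active lists.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- "Active lists" (constructed contents) ---------------------------------
SUSPICIOUS_GEOS = {"ZZ"}                           # assumed country code the bank never serves
MULE_ACCOUNTS = {"ACC-MULE-0001"}                   # blacklisted beneficiary accounts
ANON_PROXY_NETS = [ip_network("203.0.113.0/24")]    # assumed anonymous-proxy range (TEST-NET-3)
HIGH_VALUE_LIMIT = 500_000                          # assumed AMTTXN threshold
TRAVEL_WINDOW = timedelta(minutes=30)               # window for "same user, two countries"


def ev(seq, ts, user, ip, country, txn, amount=0.0, beneficiary="", request=""):
    """Build one normalized event (assumed field names after ArcSight mapping)."""
    return {"externalId": seq, "endTime": datetime.fromisoformat(ts),
            "sourceUserName": user, "sourceAddress": ip, "sourceCountry": country,
            "deviceEventClassId": txn, "deviceCustomNumber1": amount,
            "destinationUserId": beneficiary, "requestId": request}


# Constructed sample stream. IDTXN codes LGN (login), FTR (fund transfer),
# MKR/CHK (maker submit / checker approve) are illustrative, not the bank's.
SAMPLE_EVENTS = [
    ev(1, "2025-04-08T09:00:00", "alice", "198.51.100.10", "IN", "LGN"),
    ev(2, "2025-04-08T09:01:00", "alice", "198.51.100.10", "IN", "FTR", 12_000, "ACC-0042"),
    ev(3, "2025-04-08T09:05:00", "bob",   "203.0.113.7",   "IN", "LGN"),
    ev(4, "2025-04-08T09:06:00", "bob",   "203.0.113.7",   "IN", "FTR", 750_000, "ACC-0099"),
    ev(5, "2025-04-08T09:10:00", "carol", "192.0.2.5",     "ZZ", "LGN"),
    ev(6, "2025-04-08T09:12:00", "carol", "192.0.2.5",     "ZZ", "FTR", 9_000, "ACC-MULE-0001"),
    ev(7, "2025-04-08T09:20:00", "alice", "192.0.2.77",    "ZZ", "FTR", 3_000, "ACC-0042"),
    ev(8, "2025-04-08T10:00:00", "dave",  "198.51.100.20", "IN", "MKR", 40_000, "ACC-0100", "REQ-1"),
    ev(9, "2025-04-08T10:02:00", "erin",  "198.51.100.20", "IN", "CHK", 40_000, "ACC-0100", "REQ-1"),
]


def is_anonymous_proxy(ip: str) -> bool:
    """True when the source address falls in a listed anonymous-proxy range."""
    addr = ip_address(ip)
    return any(addr in net for net in ANON_PROXY_NETS)


def run_rules(events):
    """Return (rule name, reference) hits; each rule mirrors one indicator from the page."""
    hits = []
    by_user = defaultdict(list)      # history per user for the two-locations rule
    by_request = defaultdict(list)   # maker/checker steps grouped by request id
    for e in sorted(events, key=lambda x: x["endTime"]):
        if e["deviceEventClassId"] == "LGN" and e["sourceCountry"] in SUSPICIOUS_GEOS:
            hits.append(("Login from suspicious geography", e["externalId"]))
        if e["deviceEventClassId"] == "FTR" and is_anonymous_proxy(e["sourceAddress"]):
            hits.append(("Transaction from anonymous proxy", e["externalId"]))
        if e["deviceCustomNumber1"] > HIGH_VALUE_LIMIT:
            hits.append(("High-value transaction", e["externalId"]))
        if e["destinationUserId"] in MULE_ACCOUNTS:
            hits.append(("Transfer to blacklisted mule account", e["externalId"]))
        # Same user seen from two different countries inside the travel window.
        for prev in by_user[e["sourceUserName"]]:
            if (prev["sourceCountry"] != e["sourceCountry"]
                    and e["endTime"] - prev["endTime"] <= TRAVEL_WINDOW):
                hits.append(("Simultaneous activity from different locations", e["externalId"]))
                break
        by_user[e["sourceUserName"]].append(e)
        if e["requestId"]:
            by_request[e["requestId"]].append(e)
    # Maker/Checker: the approval came from the same machine as the request.
    for req, steps in by_request.items():
        roles = {s["deviceEventClassId"] for s in steps}
        ips = {s["sourceAddress"] for s in steps if s["deviceEventClassId"] in ("MKR", "CHK")}
        if roles >= {"MKR", "CHK"} and len(ips) == 1:
            hits.append(("Maker/checker approval from same machine", req))
    return hits


if __name__ == "__main__":
    for rule, ref in run_rules(SAMPLE_EVENTS):
        print(f"{rule}: {ref}")
```

Two design points carry over to real ESM content: the list-based rules (geography, mule accounts, proxy ranges) are only as good as the active lists feeding them, so list maintenance is part of the monitoring process rather than a one-off; and the two-locations and Maker/Checker rules need state across events (a per-user history and a per-request grouping), which is what rule-maintained active lists or session lists provide in ESM.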

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
