
Internal Fraud


It is well known that every time a security threat occurs in an organization, it makes it to the media, causing reputation damage and loss of business. We have seen many such cases in the recent past.

In fact, a very recent case, reported at the beginning of the year, involved a Vermont utility. According to news reports, which later proved to be false, Burlington Electric had found malicious software on a computer that was not connected to its grid control systems. Moreover, the malicious software found on the Burlington Electric Company laptop matched malware found on the Democratic National Committee computers, which the US government has blamed on a specific country.[i]

Though the news was later debunked as ‘erroneous’[ii], it was initially covered by a multitude of news outlets. The fact remains that cybersecurity attacks continue to make news and negatively affect your business and brand reputation.

Unfortunately, the ground reality is that hacking attempts are becoming more common, and the rollout of new technologies has created further vulnerabilities. It is important that businesses safeguard themselves in order to stay out of the negative limelight. In January 2014, Target admitted that hackers used malicious software to break into its networks and access credit and debit card information directly from Target’s checkout lanes through the holiday shopping season. News of the breach drastically affected the retail giant, diminishing holiday sales and causing Target to eventually fire its CEO in the breach’s wake. The hackers responsible for the 2013 Target data breach that exposed payment information on 40 million customers had nothing to stop them from accessing every cash register in every Target store.[iii]

Today, with the world going ‘digital’, the number of devices just waiting to be hacked is increasing. Experts predict that by 2020 there will be 200 billion connected devices, which in turn could increase the probability of devices being vulnerable to such attacks.

We are also witnessing the rise of smart cities. For instance, Saudi Arabia is investing $70 million to build four new smart cities, while in South Africa, a $7.4 billion smart city project is already underway. By 2020, the market for smart cities is predicted to reach $1 trillion, according to Frost & Sullivan, a consulting firm.[iv]

In such a scenario, imagine the magnitude of an attack on smart cities or connected infrastructure, which has implications for citizens. The negative impact this could have on the brand reputation of state governments could be devastating. But an attack is indeed possible. Last year, Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, demonstrated how 200,000 traffic control sensors installed in major hubs like Washington; New York; New Jersey; San Francisco; Seattle; Lyon, France; and Melbourne, Australia, were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away (or even by drone) because one company had failed to encrypt its traffic.[v]

Hence, it is important today for organizations and even government bodies to ensure that they are able to safeguard themselves from cyberattacks. Such vulnerabilities have huge implications for business and can cause irreparable damage to brand reputation. Stay ahead of cyber threats and, as the headline says, don’t be in the news for the wrong reasons.


[i] http://edition.cnn.com/2016/12/30/us/grizzly-steppe-malware-burlington-electric/

[ii] http://www.utilitydive.com/news/what-electric-utilities-can-learn-from-the-vermont-hacking-scare/433426/

[iii] http://www.ibtimes.com/target-hackers-had-access-all-chains-us-cash-registers-2013-data-breach-report-2106575

[iv] https://bits.blogs.nytimes.com/2015/04/21/smart-city-technology-may-be-vulnerable-to-hackers/?_r=0

[v] https://bits.blogs.nytimes.com/2015/04/21/smart-city-technology-may-be-vulnerable-to-hackers/?_r=0


Operators and global industry forums continue to wrestle with the question of whether or not to merge their fraud and security teams/work-groups to cope better with criminals who are breaking in through IP-based networks in order to derive profit for themselves (or their causes), or just to wreak havoc and disruption on their “enemies”. Fraudsters are not just partaking in the traditional crimes of bypass fraud, roaming, Dial Through, AIT/PRS, Call Selling fraud etc., but also in the exciting new stuff: phishing, malware, spoofing, DDoS, Trojans etc.

One can be forgiven for thinking that fostering closer links between fraud and security domains is breaking new ground in terms of responding to the threats posed by 4G/LTE, NextGen, the continued growth of e/m-commerce and the proliferation of data passing over networks.   I guess it is a sign of my advancing years that I can’t help feeling that we have been here before…

15 years ago, when I was prepping for an interview for my first job in the fraud management arena, I was listening open-mouthed as a fraud expert was explaining to me the finer points of PBX Hacking. Thinking back, two things were very clear:

  1. The Operator in the UK already had a merged fraud and security group (which they later separated out, then subsequently re-merged, by the way).
  2. The main advice to combat PBX Hacking was prevention, not detection… and that meant security prevention. The operator was keen to tell its business customers that they needed to physically lock away their PBX equipment, protect their passwords, switch off unnecessary/vulnerable services such as DISA/Voicemail, carry out security awareness training for switchboard operators, support staff and suppliers, use barring at switch or extension level, keep PBX call logging records to see hacking attempts before they succeed, shred old copies of internal directories, vet their security/cleaning staff, etc. The FMS only stepped in when all the prevention activities failed and the PBX was breached. By the time that happened, operators were already losing money directly, if they were responsible for the switch, or indirectly if their customers were liable. Customers may have been unwittingly facilitating the fraud by their lack of security awareness etc., but even so, if a small business, used to paying perhaps $1000 a month for calls, suddenly gets a bill for $20000, they are going to fight it, refuse to pay it or be unable to pay it. The indirect cost to the operator of customer complaints, disputes, potential court cases, damage to the brand, bad publicity, negotiated settlements, debt write-off and churn etc. can be far more than the original bill. It was a lose/lose situation… unless you were the fraudster.

These days, with the emergence of 4G/LTE and IP-based networks, perpetrators are still committing the same underlying crime for the same motives as before, but now they are breaking in through a host of different entry points, wearing better disguises, carrying bigger SWAG bags and using faster getaway vehicles. In truth, many operators are struggling to keep up with the high number and seemingly unpredictable nature of these attacks.

Security teams are traditionally very good at preventing access to networks, but they are not perfect. The pace at which network elements, components, interfaces and transactions are increasing is making it impossible for all the preventative measures to be in situ from day one. Not to mention the surfeit of off-the-shelf tools that fraudsters can use to break into more and more lucrative areas of daily commerce.

In practice, prevention alone cannot succeed. Detection, analysis and response are also essential elements of the fraud management cycle.

[Figure: the fraud management cycle]

So, my point is this: security and fraud teams cannot operate in silos. Security teams must continue to try and prevent malicious intrusion as much as possible. That requires taking in a lot of real-time data from the access points, identifying the nature of the content and the data patterns and quickly blocking anything that looks dubious. But when the intruder gets in (and they do in their numbers), that is when the fraud team can also play their part.

Whilst the security team controls corporate IT networks, how well can they police the mobile workers and the homeworkers, the tablet users, the App Store/Android Users etc.?  And if you think that profiling subscribers was difficult historically, how much harder is it when you can’t even define what a subscriber is, let alone track their behaviour.  In the new world, the relationship between account holder, subscriber and product/service is not always obvious.  Also, the billing relationships for transactions can be mind-boggling.  Couple this with the speed at which these transactions are taking place and the value of services and content being passed across a proliferation of bearers, and you have a minefield to negotiate.

This is where a good Fraud Management System can supplement an operator’s security tools.  An FMS must now be equipped to take in much larger volumes of data than before, in many different forms and process it much quicker.   Any reputable FMS vendor will now be offering solutions with large scale, flexible data handling tools (including probe / deep packet inspection events), internal/sales partner audit logs/feeds, inline service/transaction monitoring, exhaustive rules engines (real-time, in-line and statistical), subscriber grouping & profiling features, reference data including Hotlists/Blacklists, fraud and device “fingerprinting” capabilities, ID verification, alarm prioritisation and established, flexible workflows, with a range of analytics tools and visualisation features.  All these components – in the hands of an experienced and well-managed fraud operations outfit – will help to choke fraudsters and drive them out to look for easier targets.

So, in summary, don’t let the security guys take all the strain at the prevention stage.  Share the data, share the knowledge and spread the load to the fraud team for a more comprehensive response.



The Fraud Triangle

More money has been stolen at the tip of a pen than at the point of a gun. It is the people behind the pen who commit the fraud, rather than the pen itself. Hence, for those who are fighting fraud, it is worth spending time understanding why people commit it.

Everyone who has exposure to fraud is well aware of Cressey’s hypothesis on why people commit fraud: perceived opportunity, pressure and rationalization. Over the years, these three attributes have come to make up what is widely known as the Fraud Triangle.

However, critics have often pointed out that the fraud triangle, being drawn from the fraudster’s perspective, defines two attributes (pressure and rationalization) that are generally not observable. Thus it fails to explain why fraud was committed when the perpetrator has the traits of a pathological fraudster. This shortcoming can be overcome by taking an assessment of the fraudster’s capability into account. Not only must the fraudster have environmental or situational factors for committing fraud, but they must also have the necessary abilities and traits to recognize the opportunity and make it a reality. Not everyone has this capability in a given situation. Many of the traits that make an individual capable of committing fraud can be derived from the individual’s personality itself.

[Figure: The Fraud Diamond. Source: Wolfe & Hermanson]

The personality traits that make a person capable of committing fraud can be attributed to his position or function in the organization, his level of intelligence, his arrogance, his persuasive and deceptive nature, and his immunity to stress. The fraudster’s specific position or function within the organization, along with his ability to recognize and exploit weaknesses in internal controls, allows him to see opportunities that otherwise go unnoticed. The fraudster’s egoistic nature often makes him believe that he is beyond the surveillance of checks and balances. The fraudster will often be able to persuade others to commit fraud or, at a bare minimum, to turn a blind eye. The fraudster will be good at concealing his inner stress and will often lie convincingly in order to maintain a consistent story.

Thus capability provides more measurable traits for detecting possible frauds. It is therefore important that assessing capability, and addressing it at an early stage, is made part of the fraud-fighting charter for organizations.


Subex Tweetup Series is an initiative for Subexians to share their knowledge and experience in the field of emerging telecom trends and practices through social media interactions.

Today, Mr Rohit Maheshwari (Sr Director Business Consulting APAC) shared interesting insights on Internal Frauds. Internal Fraud has been a key area of concern for telecom operators for a long time. With the advent of new services like IP Services, Mobile Money and others, operators will stand more exposed than ever. The link below contains more information on the conversation with Rohit. Please feel free to comment and add more inputs…

http://storify.com/ravishpatel/subex-tweetup-internalfraud


KARIBU !!!

‘M-Pesa’ has been leading the revolution of mobile wallets across the globe. Over 50% of the adult population in Kenya today use the M-Pesa service to send money to far-flung relatives, or to pay for shopping, utility bills or a taxi ride home. While East Africa has been dominating the numbers in the past few years, other regions including APAC, EMEA, Europe and Americas are about to explode sooner or later with their own models: NFC, Google Wallets, Mwallets, Apple Passbook, etc.

More operators are walking down the path of offering Mobile Banking services in some form or the other every year. These players might get caught off-guard and face what a leading operator in Uganda recently got hit with: a million dollar mobile money fraud loss! News articles indicate that a recent internal fraud in a leading operator in Uganda led to a 3.5 million dollar loss, the Mobile Money boss losing his job and 8 other employees getting fired. The operator also received reprimands from the regulator and suffered a significant dent to its brand image. This mess also opened up competition for other players in the country. Regaining the confidence of customers and regulators will not be an easy job for such operators. They will be looking to enhance security within their mobile money offerings. It might be a differentiator and lead to an uplift in adoption.

This incident clearly presents a lesson for other operators about to offer Mobile Money services. Moving forward, one of the key areas of focus for operators will be to provide a secure mobile money platform to users and manage frauds beyond the traditional regulatory requirements. The infographic below highlights some variants of Mobile Money frauds already rampant within operations and the potential damage they might cause.

Mobile Money Risks – Infographic



Here’s a recent incident involving an FM head in SE Asia. The FM head said that, as an organization, the focus last financial year (FY) was on acquiring subscribers. However, the situation when the annual report was published was:

(a) High growth in subscriber numbers

(b) Significant drop in revenues

(c) Drop in ARPU & AMPU

So, what had not gone according to plan? Marketing had come up with “jazzy plans” to attract new subscribers. This was an avenue for dealers to inflate sales and earn commissions, as they realised the controls were not stringent (falsified subscriptions, dummy subscribers etc.). Hence a significant portion of the new customers were taken on board but were not generating revenue. This not only affected top-line growth and in turn impacted the health indicators (ARPU and AMPU), but also had a snowballing effect on investor confidence. The stocks have since taken a beating.

This year the Telco is focusing on cleaning the subscriber base and finding ways to have the others generate more revenue. The FM head said, had we been vigilant while growing, we could have avoided a lot of negative consequences. The lesson is that fraud does not only impact small pockets of revenue streams; it could potentially impact the business at large. Hence it is imperative to consider fraud aspects as part of the proactive controls when launching new products and services.
