KTH Royal Institute of Technology
IncidentResponseSim: An Agent-Based Simulation Tool for Risk Management of Online Fraud
Dan Gorton, Center for Safety Research, Department of Transport Science

Outline
• Background
• Scenarios
• Directions for future research

Background
The incident response process of online banking, and the incident response tree (IRT) tool
Online Banking and Fraud 1 (2)
"Online banking (OLB) is an electronic payment system that enables customers of a financial institution to conduct financial transactions on a website operated by the institution" [Wikipedia]
An online bank may have several "channels" providing different means for login, and a different set of online services depending on the level of security provided by the channel.
The size of online banking fraud is channel specific and depends on many parameters, including ...
• The number of customers
• Countermeasures
• Transaction limit
• Distribution of wealth on customer accounts

Online Banking and Fraud 2 (2)
[Fig. Overview of electronic payment system [Julisch]. Stages: Prevention (e.g., authentication + IDS), Detection (e.g., real time or batch fraud detection), Response (e.g., automatic or manual); grouped into Front End Security Measures and Back End Security Measures.]
Threats
Impersonation
• Phishing, Man-in-the-middle, Man-in-the-browser, etc.
Deception
• Attacks where the customer performs the transaction on behalf of the attacker
Server side attacks
• Attacks directed at the online bank servers
Ref: [Julisch]

Countermeasures ...
• Updating prevention to include additional authentication methods, e.g., out-of-band authentication or adding control questions to customer support personnel
• Updating detection using more aggressive intrusion and fraud detection
• Blocking fraudulent transactions before clearing them
• Closing down one or more channels
• Closing down certain services (e.g., wire transfers) within specific online channels
• Restricting functionality within services
• Restricting the possibility to add new beneficiary accounts
• Blacklisting fraudulent accounts (known money mules)
• Grey listing potentially fraudulent accounts, to initiate manual review before allowing transactions to clear
• Letting the fraud response team contact the customer for extra verification
• ...

The Incident Response Process of Online Banking
On a high level
• Event driven
• Risks are evaluated against the current production environment
• Shortage of time
• Large scale incidents will typically activate crisis management teams
On a low level
• The fraud response team works with each separate incident
• Limited time for documentation
There is a need for a "quick" tool, which is "easy to grasp" for higher management
Existing Visual Tools for Cyber Security
Attack Trees
• A methodical way of describing threats against, and countermeasures protecting, a system [Schneier]
Protection Trees
• An explicit protection tree that mitigates the attack steps modeled in the corresponding attack tree [Edge]
Problem: "Fault tree" models fail to capture the chronological ordering of events [Pat-Cornell]
Solution: Event trees have been used for cyber threats [Ezell]
Problem: Critique; huge problem with under-reporting [GAO]
Solution: Make sure under-reporting is a limited problem [Gorton]
Idea: Fraud is an area where under-reporting may be a minor problem, because "the customers want their money back"

Incident Response Tree (IRT)
[Fig. Incident response tree with the stages Prevention, Detection, Response.]
Just Register the Frequencies…
Frequencies, C1 to C4 (Ref: [Gorton])

Conditional Probabilities of Prevention $P_P$, Detection $P_D$, and Response $P_R$
The conditional probabilities change during the attack, up or down, depending on the effectiveness of the countermeasures against the threat at hand. Ref: [Gorton]

Relative frequencies, $RF_{C1}$ to $RF_{C4}$ (Ref: [Gorton])
$$RF_{C1} = P_{IE}\,(1 - P_P)\,(1 - P_D)$$
$$RF_{C2} = P_{IE}\,(1 - P_P)\,P_D\,(1 - P_R)$$
$$RF_{C3} = P_{IE}\,(1 - P_P)\,P_D\,P_R$$
$$RF_{C4} = P_{IE}\,P_P$$
$$RF_{Fraud} = RF_{C1} + RF_{C2} = P_{IE}\,(1 - P_P)\,(1 - P_D\,P_R)$$
Quality assurance
Use statistics for thresholds:
• Threshold for monthly reporting
• Threshold for weekly reporting
• Threshold for daily reporting
• Threshold for minor countermeasures
• Threshold for major countermeasures

Expected loss from fraud (EF)
Credit Risk Approach [BIS]:
• Probability of default (PD)
• Exposure at default (EAD)
• Loss given default (LGD)
$$EL = PD \cdot EAD \cdot LGD$$
Expected Fraud:
• Probability of fraud (PF): $PF = \dfrac{\#\,\text{fraud}}{\#\,\text{customers}}$
• Exposure at fraud (EAF): $EAF_i = \min(\text{Transaction Limit},\ \text{Account Balance})$
• Loss given fraud (LGF): $LGF_i = \dfrac{\text{Stolen Amount}}{EAF}$
$$EF = PF \cdot \sum_{i=1}^{N} \left(EAF_i \cdot LGF_i\right)$$

Conditional fraud value at risk
Credit Risk Approach [BIS]:
• VaR at the 99.75th percentile (once every 400 years)
• Unexpected Losses (UL): $UL = VaR - EL$
Online Fraud Approach:
• VaR at the 95th percentile (once every 20 years)
• Simple Random Sampling of Fraud Losses (FL):
$$FL_k = \sum_{i=1}^{I} \left(EAF_i \cdot LGF_i\right)$$
IncidentResponseSim – Simplified Model
IncidentResponseSim – GUI
IncidentResponseSim – Customer Inspector
IncidentResponseSim – Example output
Simulations
Scenarios for IRT and the design of new methods for calculating the number of defrauded customers

Current Situation
In the following examples, we will use the following fictional statistics to describe the current situation. We assume that:
• Probability of initiating event, $P_{IE} = 1$
• Conditional probability of prevention, $P_P = 0.8$
• Conditional probability of detection, $P_D = 0.9$
• Conditional probability of response, $P_R = 0.9$

Current Situation
We assume:
• 100,000 customers
• A maximum transaction limit of 30,000
• Fraud may not continue over several days
• Account balance drawn from an up-scaled Beta (below)
• Stolen amount drawn from a truncated Normal

IncidentResponseSim – SRS of Defrauded Customers (current situation)
Output from IncidentResponseSim (999 iterations):
• Number of Defrauded Customers Bootstrap Mean: 38,10
• Number of Defrauded Customers Bootstrap Std: 6,07
• Number of Defrauded Customers Bootstrap 95%: 48,00
• Number of Defrauded Customers Bootstrap Min: 22
• Number of Defrauded Customers Bootstrap Max: 62

IncidentResponseSim – SRS of Direct Economic Consequences (current situation)
Output from IncidentResponseSim (999 iterations):
• EF Mean: 941 425,53 SEK
• EF Std: 62 547,99 SEK
• EF SE Mean: 9 028,02 SEK
• EF 95% (Fraud VaR): 1 042 430,61 SEK
• EF Min: 765 797,88 SEK
• EF Max: 1 110 622,08 SEK
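The two output slides above are the simple random sampling (SRS) step of the expected fraud and fraud VaR definitions. The Python below is an added example, not code from IncidentResponseSim or from the presentation: it takes the IRT probabilities, the 100,000 customers and the 30,000 transaction limit from the slides and assumes everything the slides leave open. The assumptions are a per-customer infection probability of 1% (100,000 × 0.01 × 0.038 gives the 38 expected victims reported above), an account balance from Beta(2, 5) up-scaled to 200,000 SEK, and a stolen amount from Normal(25,000, 5,000) truncated at zero and capped by the exposure min(limit, balance); all function and parameter names are mine. The victim count per iteration is an exact Bernoulli count drawn by sampling the geometric gaps between victims, so 999 iterations over 100,000 customers run in well under a second without numpy.

```python
# Added example (not code from IncidentResponseSim): Monte Carlo simple random
# sampling of defrauded customers and fraud losses, with the 95% Fraud VaR.
import math
import random
import statistics


def rf_fraud(p_ie, p_p, p_d, p_r):
    """IRT fraud frequency RF_Fraud = P_IE (1 - P_P)(1 - P_D P_R)."""
    return p_ie * (1 - p_p) * (1 - p_d * p_r)


def bernoulli_count(n, p, rng=None):
    """Exact number of successes among n Bernoulli(p) trials, drawn by sampling
    the geometric gaps between successes: O(successes) instead of O(n)."""
    rng = rng or random.Random()
    if p <= 0.0:
        return 0
    if p >= 1.0:
        return n
    log_q = math.log1p(-p)               # log(1 - p)
    count, pos = 0, 0
    while True:
        u = 1.0 - rng.random()           # in (0, 1], so log(u) is finite
        pos += int(math.log(u) / log_q)  # failures before the next success
        if pos >= n:
            return count
        count += 1
        pos += 1


def truncated_normal(mean, sd, low, high, rng, max_tries=1000):
    """Normal(mean, sd) restricted to [low, high] by rejection sampling; if the
    window is so unlikely that max_tries draws all miss, clip instead of looping."""
    for _ in range(max_tries):
        x = rng.gauss(mean, sd)
        if low <= x <= high:
            return x
    return min(max(mean, low), high)


def summarize(samples):
    """Statistics for one SRS output, including the 95th-percentile VaR."""
    s = sorted(samples)
    mean = statistics.fmean(s)
    var95 = s[min(len(s) - 1, math.ceil(0.95 * len(s)) - 1)]
    return {"mean": mean,
            "std": statistics.stdev(s) if len(s) > 1 else 0.0,
            "var95": var95,          # Fraud VaR at the 95th percentile
            "ul": var95 - mean,      # unexpected loss: VaR minus expected value
            "min": s[0], "max": s[-1]}


def simulate(n_customers=100_000, p_infected=0.01, p_ie=1.0, p_p=0.8, p_d=0.9,
             p_r=0.9, transaction_limit=30_000.0, balance_max=200_000.0,
             balance_beta=(2.0, 5.0), stolen_mean=25_000.0, stolen_sd=5_000.0,
             iterations=999, seed=1):
    """Each iteration is one period: draw the victims, then each victim's EAF and
    LGF. p_infected and the distribution parameters are assumptions, not slide data."""
    rng = random.Random(seed)
    p_victim = p_infected * rf_fraud(p_ie, p_p, p_d, p_r)  # per-customer P(defrauded)
    defrauded, fraud_loss = [], []
    for _ in range(iterations):
        k = bernoulli_count(n_customers, p_victim, rng)
        loss = 0.0
        for _ in range(k):
            balance = balance_max * rng.betavariate(*balance_beta)  # up-scaled Beta
            eaf = min(transaction_limit, balance)                    # exposure at fraud
            stolen = truncated_normal(stolen_mean, stolen_sd, 0.0, eaf, rng)
            lgf = stolen / eaf if eaf > 0 else 0.0                   # loss given fraud
            loss += eaf * lgf                                        # one FL_k term
        defrauded.append(k)
        fraud_loss.append(loss)
    return {"defrauded": summarize(defrauded), "fraud_loss": summarize(fraud_loss)}


if __name__ == "__main__":
    result = simulate()
    for label, stats in result.items():
        for name, value in stats.items():
            print(f"{label} {name}: {value:,.2f}")
```

Scenario 1 and scenario 3 below are the same call with `p_infected` scaled by 2.75 or 2 and, for scenario 3, `p_p=0.6`; the exact means will differ from the slides because the balance and stolen-amount parameters are assumed.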
Scenario 1 – Newly entered markets
[Fig. Threat Environment A (Existing Online Bank) vs Threat Environment B (New Online Bank).]
Assume that we want to keep the number of fraud victims the same, and that we use the probability of a customer being infected as a proxy:
A: "reference risk of infection" vs B: e.g. 2.75 times as high risk of infection [PandaLabs]

Results from IncidentResponseSim
SRS of Defrauded Customers:
• DC Mean: 104,58
• DC Std: 10.186893976135476
• DC 95% (Fraud VaR): 121.0
• DC Min: 76.0
• DC Max: 143.0
SRS of Direct Economic Consequences:
• EF Mean: 2 379 053,07 SEK
• EF Std: 97 137,15 SEK
• EF SE Mean: 8 830,65 SEK
• EF 95% (Fraud VaR): 2 545 100,11 SEK
• EF Min: 2 049 829,33 SEK
• EF Max: 2 679 394,95 SEK
Scenario 2 – Single point of failure
[Fig. Prevention (e.g., Authentication + IDS), Detection (e.g., fraud detection), Response (e.g., real time, batch, manual).]
History: $RF_{Fraud} = 1\,(1-0.8)\,(1-0.9 \cdot 0.9) = 0.038$
Failed prevention: $RF_{Fraud} = 1\,(1-0)\,(1-0.9 \cdot 0.9) = 0.19$
Failed detection: $RF_{Fraud} = 1\,(1-0.8)\,(1-0 \cdot 0.9) = 0.20$
Failed response: $RF_{Fraud} = 1\,(1-0.8)\,(1-0.9 \cdot 0) = 0.20$
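The single-point-of-failure arithmetic above, and the $RF_{C1}$ to $RF_{C4}$ formulas it rests on, are easy to get wrong by hand when the probabilities change, so here is an added Python example that computes both (my own code, not part of the presentation or of IncidentResponseSim; function and parameter names are mine, the probabilities are the slides' fictional values). It also checks that the four outcomes partition the initiating event and converts $RF_{Fraud}$ into an expected victim count, assuming a 1% infection share of the customer base, which is the share that reproduces the roughly 38 victims reported for the current situation.

```python
# Added example (not from the presentation or IncidentResponseSim): the IRT
# relative frequencies and the single-point-of-failure table computed from them.

def irt_relative_frequencies(p_ie, p_p, p_d, p_r):
    """Relative frequencies RF_C1..RF_C4 of the four IRT outcomes.

    C1: not prevented, not detected                -> fraud
    C2: not prevented, detected, response failed   -> fraud
    C3: not prevented, detected, response worked   -> stopped
    C4: prevented                                  -> stopped
    """
    for name, p in (("p_ie", p_ie), ("p_p", p_p), ("p_d", p_d), ("p_r", p_r)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")
    rf = {
        "C1": p_ie * (1 - p_p) * (1 - p_d),
        "C2": p_ie * (1 - p_p) * p_d * (1 - p_r),
        "C3": p_ie * (1 - p_p) * p_d * p_r,
        "C4": p_ie * p_p,
    }
    # RF_Fraud = RF_C1 + RF_C2, which simplifies to P_IE (1 - P_P)(1 - P_D P_R)
    rf["fraud"] = rf["C1"] + rf["C2"]
    return rf


LAYER_PARAM = {"prevention": "p_p", "detection": "p_d", "response": "p_r"}


def single_point_of_failure(p_ie, p_p, p_d, p_r):
    """Fraud frequency today, then with each countermeasure layer dropped to 0."""
    params = {"p_p": p_p, "p_d": p_d, "p_r": p_r}
    table = {"history": irt_relative_frequencies(p_ie, **params)["fraud"]}
    for layer, key in LAYER_PARAM.items():
        failed = dict(params, **{key: 0.0})
        table[f"failed {layer}"] = irt_relative_frequencies(p_ie, **failed)["fraud"]
    return table


def expected_defrauded(n_customers, p_infected, p_ie, p_p, p_d, p_r):
    """Expected victims: customers exposed to the attack times RF_Fraud.
    p_infected (share of customers exposed) is an assumption, not slide data."""
    rf = irt_relative_frequencies(p_ie, p_p, p_d, p_r)["fraud"]
    return n_customers * p_infected * rf


if __name__ == "__main__":
    base = (1.0, 0.8, 0.9, 0.9)          # P_IE, P_P, P_D, P_R from the slides
    for outcome, value in irt_relative_frequencies(*base).items():
        print(f"RF_{outcome}: {value:.3f}")
    for case, value in single_point_of_failure(*base).items():
        print(f"{case:>18}: RF_Fraud = {value:.3f}")
    # 100,000 customers with 1% exposed (assumed) gives about 38 victims
    print(f"expected victims: {expected_defrauded(100_000, 0.01, *base):.1f}")
```

The table shows why the slides call this a single point of failure: losing prevention multiplies the fraud frequency by five, and losing either detection or response removes the whole back-end reduction, since the term $(1 - P_D P_R)$ collapses to 1 as soon as either factor is 0.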
Scenario 3 – Emerging threats
[Fig. Threat Environment A vs Threat Environment B, Existing Online Bank.]
Assume a new threat, highly contagious, 2 * infection rate, and very effective at overcoming current preventive measures, $P_{P\_B} = 0.6$.
SRS of Defrauded Customers:
• Number of Defrauded Customers Bootstrap Mean: 152,05
• Number of Defrauded Customers Bootstrap Std: 11,72
• Number of Defrauded Customers Bootstrap 95%: 171,00
SRS of Direct Economic Consequences:
• EF Mean: 3 352 588,36 SEK
• EF Std: 114 012,55 SEK
• EF 95% (Fraud VaR): 3 545 783,33 SEK

Trojan Strategies vs Transaction Limits
• Max = min(Account Balance, Transaction Limit)
• Random = rnd(0, min(Account Balance, Transaction Limit))
• Mean Transaction = 500 + rnd(0, 10 000)

Return on Security Investment (ROSI)
MLR = Monetary Loss Reduction
COS = Cost of Solution
$$ROSI = \frac{MLR - COS}{COS}$$

Action                 COS       # Frauds   COST        MLR       ROSI
Do nothing             0         48         1,042,431   0         N/A
Add +0.1 prevention    400,000   26         581,281     461,150   0.15
Add +0.05 detection    300,000   38         826,431     215,999   -0.28
Add +0.05 response     200,000   38         826,431     215,999   0.08
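The ROSI table above is produced by taking the 95% Fraud VaR of each simulated alternative as its COST, subtracting it from the do-nothing COST to get MLR, and applying the ROSI formula. The Python below is an added example (not from the presentation or IncidentResponseSim) that does exactly that for any set of candidate actions and picks the one with the highest positive ROSI; the table values are embedded as constructed input, and the names `rosi_table`, `best_action` and `SLIDE_ACTIONS` are mine. Computing MLR from the table's rounded COST values gives 216,000 where the slide shows 215,999, a rounding difference that does not change the ROSI to two decimals.

```python
# Added example (not from the presentation): ROSI for a set of candidate
# countermeasures, with the slide's table as constructed input.

def rosi(mlr, cos):
    """Return on Security Investment, (MLR - COS) / COS; None when nothing is spent."""
    if cos == 0:
        return None
    return (mlr - cos) / cos


def rosi_table(baseline_cost, actions):
    """actions maps an action name to (COS, number of frauds, COST after the action).
    COST is the 95% Fraud VaR from the simulation; MLR is its reduction vs. baseline."""
    rows = []
    for action, (cos, frauds, cost) in actions.items():
        mlr = baseline_cost - cost
        rows.append({"action": action, "cos": cos, "frauds": frauds,
                     "cost": cost, "mlr": mlr, "rosi": rosi(mlr, cos)})
    return rows


def best_action(rows):
    """Action with the highest positive ROSI, or None if no investment pays off."""
    paying = [r for r in rows if r["rosi"] is not None and r["rosi"] > 0]
    return max(paying, key=lambda r: r["rosi"])["action"] if paying else None


# Constructed from the slide's table: (COS, # frauds, COST) per action, in SEK.
BASELINE_COST = 1_042_431            # 95% Fraud VaR with no new countermeasure
SLIDE_ACTIONS = {
    "Do nothing": (0, 48, 1_042_431),
    "Add +0.1 prevention": (400_000, 26, 581_281),
    "Add +0.05 detection": (300_000, 38, 826_431),
    "Add +0.05 response": (200_000, 38, 826_431),
}

if __name__ == "__main__":
    rows = rosi_table(BASELINE_COST, SLIDE_ACTIONS)
    for r in rows:
        rosi_str = "N/A" if r["rosi"] is None else f"{r['rosi']:.2f}"
        print(f"{r['action']:<22}{r['cos']:>9,}{r['frauds']:>5}"
              f"{r['cost']:>12,}{r['mlr']:>10,}  {rosi_str}")
    print("best:", best_action(rows))
```

Note that a positive ROSI only says the investment pays for itself in reduced loss; the detection option here reduces losses too, but by less than it costs, which is what the negative value records.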