Real-Time Fraud Detection

Real-Time Fraud Detection
February 28, 2000
Speaker: Gary Dougherty, Principal Internet Consultant, Corporate Security Architecture and Engineering, FleetBoston Financial Corporation
Scribe: Kevin Fu


There is no much fraud in Voice Data Units (VDUs).

Consumers have a $50 liability on stolen credit cards. However, most credit card agencies rarely ask consumers to pay the $50. Financial institutions assume the liability.

In 1999, roughly $4 billion U.S. dollars were lost to credit card fraud (out of the $40 billion lost for both fraud and errors). Many trillion U.S. dollars flow through the credit card channel each year.

Gary explained that the only reason the financial systems work at all is because most people are innately honest.

Fraud Detection: Pattern Matching

Gary argued that pattern matching is the wrong approach to detecting fraud. Pattern matching compares new transaction types to that of past transactions. Should a new transaction sway from a customer's history, flags are raised. One ASRG member gave the anecdote about his travels to Providence, RI for a conference/his birthday. His wife rarely used a particular credit card except for Filene's Basement. When the ASRG member made a purchase in Providence. Upon returning from the conference/birthday, he found an answering message from the credit card's fraud detection department. On another instance with the same card, Filene's asked for extra ID after his purchase exceeded his typical charge.

Organized Crime

Organized crime has far greater resources than any anti-fraud division of the largest financial institutions. Organized crime spends millions to exploit weaknesses in credit card fraud detection. For instance, crime organizations will acquire credit card numbers and profiles of the credit card owners' purchase patterns.

Examples Attacks

Leased lines

Companies connect various points of presence via leased lines. Many companies believe that these leased lines are private and therefore extend their virtual private network. This is anything but true. For instance, frame relay will float through many carriers. Even leased lines float through weak links. Gary explained that organized crime has highly trained professionals who can infiltrate the system.

Lousy ATM software

Kevin gave an example where he walked up to a Fleet ATM, but was unable to withdraw money because the ATM merely displayed a mysterious "C:" prompt. This incident was discounted because it occurred during the merger of Shawmut Bank and Fleet Bank.

Jimmy the ATM

In some ATMs, it was possible to use a "slim jim" to tickle the ATM into spitting out cash. This is a result of poor physical security.

The Voided Transaction Game

Gary explained a rather ingenious attack against many ATMs. Organized crime has used this exploit to steal millions of dollars in Georgia and Oklahoma. The attackers would open an account and deposit $100. Next, the attacker would visit one of the vulnerable ATMs to withdraw $80. However, the attacker would only take $60 -- leaving $20 in the ATM. After a while the ATM would time out, reclaim the $20, and send a void transaction command to the bank. A group of gun-toting criminals made about $200,000/day with this method.

Why did this completely insecure rollback method exist? Gary attributed the problem to two factors. First, this is a relatively complex operation. It's not clear what to do when money is left behind. Second, many ATM software engineers are not security experts.

Fleet is not vulnerable to this attack because it places leftover cash in a special container. Should a customer want to claim this cash, the customer must enter the bank in person and make a reasonable proof of ownership.

Gary entertained the question: so who's liable in this case? Should the financial institution take the loss? The customer (the Fleet's container method)? The ATM?

Hot Phones

On any given day in New York City, you can walk up to someone on the street to buy a stolen phone. The buyer realizes that a stolen phone will be detected within ten days, but will still buy the phone for upwards of $600.

Why would anyone buy a 10-day phone with unlimited airtime for $600? New York City is filled with foreigners and people who have international contacts. Buyers will make phone calls to foreign countries, knowing that no sane country would subpoena a NYC immigrant simply to recover a $1000 phone bill. With respect to legal fees, such a maneuver makes no cost-benefit sense. So, crooks get away with fraud.

Enter the Internet

Banks consider the Internet largely as an experiment.

There is no pattern matching for malicious merchants.

Gary also explained that he uses his Fleet checking account only for testing. Employees of a bank receive intense auditing in order to prevent insider fraud.

$1 million can get lost in the noise of the financial system. It's not uncommon for million dollar discrepancies to exist in the balance books. does person-to-person credit card transactions.

Brought to you by the MIT LCS Applied Security Reading Group