A comparison of conventional and online fraud (PowerPoint presentation transcript)

About This Presentation
Title:

A comparison of conventional and online fraud

Description:

US: 6% of businesses revenue lost to organisational (internal) fraud (The register) ... The three men were part of a global extortion racket ... – PowerPoint PPT presentation

Slides: 17
Provided by: Bomb2

Transcript and Presenter's Notes

1
A comparison of conventional and online fraud
  • B. Thomas, J. Clergue, A. Schaad, M. Dacier

2
Motivation
  • Fraud represents massive money loss
  • US: 6% of businesses' revenue lost to
    organisational (internal) fraud (The Register)
  • UK: identity fraud costs at least 1.3bn per year
    (ACFE)
  • The number of perpetrated frauds is increasing
  • ID theft is the fastest growing crime in the UK
  • 31.6% annual increase (The Register)
  • Need to systematically study frauds

3
The question we attempt to answer
  • More and more critical infrastructures are moved
    into an online environment
  • Is the knowledge we have on conventional frauds
    useful, or are we facing a new threat?
  • In order to answer this question, we propose
    1. A general fraud definition through
       • Fraud examples
       • Existing definitions
       • Leading to a decision tree
    2. Knowledge on conventional frauds, by
       describing some prevention and detection techniques
    3. The main challenges in an online world
    4. A conclusion as a first answer

4
Fraud example 1/3
Actors in the diagram: Supplier (S), Shop (V), Shop's Sole Accountant (F), Account Books
  1. Supplies product
  2. Sends invoice for x
  3. Writes cheque to S for x
  4. Writes cheque to F for y
  5. Writes two stubs: for F as void, for S as (x+y)
  6. Sends cheque for x
  7. Banks cheque for y
  8. Writes cash debits as (x+y)
5
Fraud example 2/3
  • Two researchers published an article in Nature
    stating G.M. pollen contaminated crops further
    away than was previously thought
  • The same day, two people posting to a website claim
    the authors are anti-G.M. activists, and thus
    biased
  • An internet petition is launched against the
    article
  • Nature retracts the article, saying it should not
    have been published
  • Investigation showed the message posters were
    employed by a G.M. seed company; the published
    results were correct and unbiased

6
Fraud example 3/3
  • Extortion of online bookmakers
  • Bookmaker's website being DDoSed by three men
  • The three men were part of a global extortion
    racket
  • To stop the DDoS attack, the gang demanded
    40,000

7
Fraud definition
  • Existing fraud definitions for each environment:
    • Telecom
    • Academic
    • Computer frauds
  • Need for a broader fraud definition, as common
    fraud schemes are present in different
    environments
  • One shared notion: to deceive a victim
    • to be false / to fail to fulfil / to cheat / to
      cause to accept as true what is false or invalid
  • Our definition:
    A deception deliberately practiced to secure
    unfair or unlawful gain.
  • A taxonomy would help to classify frauds and
    could generalise similar properties of different
    frauds

8
Taxonomy requirements
  • A taxonomy should have:
    • An explanatory value
    • A predictive value
  • It needs to fulfil some properties:
    • Objectivity: classification depends only on
      objective characteristics
    • Repeatability: two different observers reach the
      same classification
    • Determinism: an explicit procedure for
      classification
    • Specificity: the criterion classified has exactly
      one value (Krsul, 1998)

9
First step towards a taxonomy
  • Existing fraud taxonomies:
    • Rely on too specific fraud definitions
    • Fuzzy classification process
  • Thus we began to create our own taxonomy:
    • Based on the victim's knowledge
    • Clear victim boundaries
  • What fraud criterion should we classify?
    • The fraudster (F) and the victim (V)
      relationship
  • We achieved a first-step decision tree:
    • Limited scope
    • Less formalism
    • Simplified view of victims

10
The decision tree
11
Knowledge on conventional fraud
  • Prevention mostly by:
    • Employee education
    • Good access control policies, i.e. clear
      separation of duties
    • Verification that software is robust and meets
      requirements
    • Records must be duplicated and stored securely
  • Detection uses diverse techniques:
    • Traditional audit investigations and employee
      tips / customer complaints
    • Statistical methods: regression analysis,
      Bayesian networks, probability density estimation
    • Rule-based methods and heuristics
    • Data mining and knowledge discovery:
      classification methods, automatic discovery of
      fraud patterns
    • Intelligent methods: pre-trained neural networks,
      multi-agent systems
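As an added example (not part of the slides), the following rule-based check shows how the prevention bullets above, duplicated records and separation of duties, expose the accountant scheme of fraud example 1/3: supplier invoices, bank-cleared cheques and the accountant's ledger are kept as three independent records and reconciled. The parties S and F and the amounts x = 1000, y = 200 are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One line of a record: the counterparty and the amount involved."""
    party: str
    amount: int


def reconcile(invoices, cheques, debits, employees):
    """Cross-check three independently kept records and return findings.

    invoices:  what suppliers say they are owed (kept outside the shop)
    cheques:   what the bank actually cleared, by payee
    debits:    what the accountant wrote in the shop's account books
    employees: names that should never appear as a cheque payee
    """
    invoiced, paid, booked = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in invoices:
        invoiced[r.party] += r.amount
    for r in cheques:
        paid[r.party] += r.amount
    for r in debits:
        booked[r.party] += r.amount

    findings = []
    for r in cheques:
        if r.party in employees:  # step 4 of the scheme: a cheque made out to F
            findings.append(("cheque_to_employee", r.party, r.amount))
    for party in sorted(set(invoiced) | set(paid) | set(booked)):
        if booked[party] != invoiced[party]:  # step 8: debit of x+y vs invoice for x
            findings.append(("ledger_vs_invoice", party, booked[party] - invoiced[party]))
        if booked[party] != paid[party]:  # ledger x+y vs bank x; F's void stub
            findings.append(("ledger_vs_bank", party, booked[party] - paid[party]))
    return findings


# Constructed sample: x = 1000 owed to supplier S, y = 200 skimmed by accountant F.
X, Y = 1000, 200
INVOICES = [Record("S", X)]
HONEST_CHEQUES = [Record("S", X)]
FRAUD_CHEQUES = [Record("S", X), Record("F", Y)]
HONEST_DEBITS = [Record("S", X)]
FRAUD_DEBITS = [Record("S", X + Y)]  # stub for S written as (x+y), stub for F void


def honest_case():
    return reconcile(INVOICES, HONEST_CHEQUES, HONEST_DEBITS, {"F"})


def fraud_case():
    return reconcile(INVOICES, FRAUD_CHEQUES, FRAUD_DEBITS, {"F"})
```

Each of the three comparisons only works because the records come from different parties; if the accountant also kept the cheque register, the ledger-vs-bank check would have nothing independent to compare against.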

12
10 challenges for fraud in the online world
  • Amplification criteria:
    • Speed: quicker decisions, contact of many
      victims, compromising of many hosts / less
      obvious consequences
    • Parallelism: the same fraud with n victims / n
      attacks on 1 victim
    • CPU speed and parallelism: inconsequential gains
      mount quickly
    • Environment is your enemy: information
      intercepted more stealthily
    • Fraud cost vs. benefit: more worthwhile for the
      bad guy
  • Specific criteria:
    • Environment is your enemy: untrustworthy pop-ups
      and emails / many possible places for attack
      (access points, DNS, routing)
    • Anonymity: can't identify the actor in order to
      detect a fraud
    • Ubiquity: can be in n places / can be n people at
      the same time
    • Available victims: many / not in a niche (hard to
      warn) / multi-national, multi-jurisdictional /
      websites can't profile a volatile customer base
    • Slashdot effect: sometimes what looks like an
      attack isn't
    • Schizophrenia: users must trust their machines
      (which act as interpreters), but can we and should we?

13
Conclusion
  • Knowledge on conventional fraud is useful, because
    some online frauds are translations of
    conventional schemes
  • However, there are new kinds of frauds not
    conventionally known
    • Means to detect and prevent them are still to be
      found
  • And the new environment provides:
    • More victims / easy to access
    • A change in the nature of the victims (individuals
      rather than special targets)
  • Further work is needed to think about the
    prevention and the detection of specific frauds
    in this new environment

14
15
Other classified criterion
  • Instead, we looked at the forms of deception used
    by the frauds
  • Without a deception, there is no fraud => prevent
    deceptions
  • Not specific to technologies, methods or layers =>
    maybe OK in the future
  • Came up with a questionnaire to classify the
    forms (1) involved
  • Not fully described here; ask for more details

16
Modelling frauds (goals / subgoals)
17
Outline
  • General fraud definition
  • Fraud examples
  • Existing definitions
  • Decision tree
  • Knowledge on conventional frauds
  • Main challenges with an online world
  • Conclusion as a first answer


20
Fraud examples 1/2
Actor shown in the diagram: eBay customer
  1. Put a product to sell
  2. Sees the product
  3. Bargain the product
  4. Sends THE mail
  5. Order with stolen CC No
  6. Sends the product
  7. Sends money