© 2009 SECUREMATRIX : PROPRIETARY & CONFIDENTIAL Page 1 Welcome ! We have something for everyone here !

Presentation transcript:

Page 1
Welcome! We have something for everyone here!

Page 2
YOU ARE ALL WINNERS!
The graphic on this slide has been deleted from this presentation. You may click the link above to view the cartoon.

Page 3
THOUGHTS TO SET THE TONE
It is human nature to think wisely and act foolishly. - Anatole France

Page 4
“to provide the most trusted information security services in the world.”
Threat of frauds in online transactions
Preventing Fraud When Transacting Online

Page 5
Secure Matrix India Private Limited specializes in IT & IS Audit, Security Consulting and Technical Security Services across all industry and business segments.
We are headquartered in Mumbai and operate a Technology Centre cum Security Lab out of Pune. We have offices in Delhi and Chennai. International locations are London, Dubai and Atlanta.
Our management and consulting team comprises professionals certified in Information Security, Governance, Risk and Compliance, with extensive industry experience covering Technology, Banking, Finance, Government, Media & Entertainment etc.
An extensive service offering includes Technical Security Services for Vulnerability Assessment, Penetration Testing, Application Security, Cyber Forensics, and off-site and on-site Security Monitoring and Management.
[Diagram labels: Regional Office, Technology Centre, Headquarters; Chennai, Pune, Mumbai, Delhi; Secure Matrix India Pvt Ltd, Secure Matrix UK (100%), Secure Matrix USA (100%), Secure Matrix UAE (100%)]

Page 6
CONSIDER THIS…
A man is his own easiest dupe, for what he wishes to be true he generally believes to be true.

Page 7
Agenda
Fraud Threats Online and Discuss Prevention

Page 8
The internet provides convenience, speed and efficiency in transactions with internal or external customers, vendors and government, and is growing exponentially.
Every query at the public interface can be a risk:
- malicious hacker?
- malicious insider?
- ignorant user?
- smart hobbyist?
- human error?
- trojan / logic bomb (command / plant)?
Let’s keep our fingers crossed – it is a legitimate user knocking at your door and not one of the above!

Page 9
THREATS, FRAUDS, SCAMS … IT’S ALL OVER
The fraud can start in a parking lot … The parking ticket has a website address where you will get details of the violation and pay the fine. On the site you are asked to install a toolbar that will enable the incident to be processed. Of course, you are expected to provide some personal info and use your credit card to pay the fine! … The rest is left to your imagination.
Even governments can be scammed … State of Utah paid $2.5 m into the scam bank account. Key loggers captured information and this was used to create and pay fake invoices. Luckily the transactions were spotted by a bank manager and the department managed to save about $1.8 m.

Page 10
Starting off we take a look at some numbers …

Page 11
SOME FACTS & FIGURES
Internet Crime Complaint Center
2007: 206, : 275,284 (+ 33.1%)
Total $ loss: 265 million
Avg $ 931 per complaint
Fraud Delivery Mechanism 70% Webpage 25%
Victims: 55.4% males
Perpetrators: 77% males from CA, FL, DC, TX, WA
Men lost more money than women … $1.69 to every $1

Page 12
POINTERS…
- More than 75% of all malicious threats were aimed at compromising end users for financial gain
- China accounted for almost half of all malicious activity within Asia Pacific
- Symantec created 1,656,227 new malicious code signatures - a 265% increase over 2007
- Malicious code development is now a professional business, supporting the demand for goods and services that facilitate online fraud
- Variants of existing threats are the preferred and most cost-effective way to create new attacks, instead of creating totally new threats
(Symantec Internet Security Threat Report Volume XIV 2008)

Page 13
SOME FACTS & FIGURES (INDIA – breakdown for 2007)
Cybercrime cases registered under IT Act in 2007 increased 53% over 2006
Categorization of Motives of Cyber Crimes (No of Cases):
- Revenge / Settling scores: 13
- Greed / Money: 62
- Extortion: 2
- Cause Disrepute: 25
- Prank / Satisfaction of Gaining Control: 0
- Fraud / Illegal Gain: 216
- Eve Teasing / Harassment: 56
- Others: 85
Perpetrators:
- Foreign National / Group: 8
- Disgruntled Employee / Employee: 23
- Cracker / Student / Professional learners: 46
- Business Competitor: 65
- Neighbours / Friends & Relatives: 70
- Others: 151
(National Crime Records Bureau Report 2009)

Page 14
SOME FACTS & FIGURES (INDIA – citywise breakdown for 2007)
City: Total
- Bhopal: 163
- Bangalore: 41
- Pune: 14
- Mumbai: 10
- Kochi: 9
- Nagpur: 8
- Delhi: 5
- Vijayawada, Chennai, Amritsar, Lucknow, Ahmedabad, Ludhiana, Patna, Kolkatta, Kanpur, Indore

Page 15
EVERYONE LOSES
Malicious users in India are yet to reach a high level of sophistication. This does not remove the risk of the “foreign hand” that we are always referring to … in this case the “FH” will refer to USA, Russia, China and a number of Eastern European countries.
Examples of outsourced malicious work in India:
- An Indian IT worker may be coding for an overseas buyer
- A team works on ‘captcha’ breaking

Page 16
SOME FACTS & FIGURES (INDIA – citywise detailed breakdown for 2007)
[Table columns: Sl. No, Cities, Revenge / Settling Scores, Greed / Money, Extortion, Cause Disrepute, Fraud / Illegal Gain, Eve Teasing / Harassment, Others, Total. Rows: Bhopal, Bengaluru, Pune, Mumbai, Kochi, Nagpur, Delhi (City), Vijayawada, Chennai, Amritsar, Lucknow, Ahmedabad, Ludhiana, Patna, Kolkata, Kanpur, Indore, Total (Cities)]

Page 17
IN THE NEWS FOR THE WRONG REASONS
Get-Rich Quick Work-at-home 419 Scams Lottery Winners Online Pharmacies Phishing Spear Phishing Hoax Bomb Threats Stolen Credit Card Data Manipulation Data Leakage Impersonation / Identity Fraud Brand Hijacking Job Frauds Marriage Sale frauds Stock Scams Online Degrees Check Cashing / Fraud Domain Name Renewal

Page 18
HOT OFF THE PRESS…
Lottery scam attempt at ACFE! The fraudster seems to be too intelligent for his own business!

Page 19
KEYWORDS
- Get Rich Quick
- Me Smartest of Them All
- Lucky Me!
- No One Can See Me
- It Can’t Happen To Me
- He Was a Fool
- He Got Caught

Page 20
EVERYONE LOSES
- Institutions are drawn into the fraud due to the omissions and commissions of their constituents
- Institutions may be contributing to their fraud threat quotient due to lax security practices and a laissez faire attitude towards IT security / risk management / awareness
- Effort and resource cost cause losses to both – customers and institutions (even if the money is recovered). Investigation and recovery is expensive!
- Add the cost of loss of credibility and brand / image value

Page 21
THREATS & FRAUDS …
- Malicious Insider … is by far the biggest threat and source of frauds on connected and non-connected systems.
- Credit Cards … stolen cards used online
- Letters of Credit … investor is offered a highly discounted “purchase” price
- Ponzi Schemes … high interest rate is offered and is paid from investor money in the beginning. The scheme falls apart in some time and the scamster disappears
- Identity Data Theft … provides personal information to the fraudster who can then engage in phishing, vishing, spear-phishing

Page 22
FRAUDS…
- Money Laundering & Money Mules … individuals are conned into working to launder money and become part of the criminal network
- Re-shipping … similarly individuals become part of a criminal chain by accepting and shipping stolen goods

Page 23
FRAUDS…
Check Fraud … a lawyer is asked to cash a high value check and remit the funds after deduction of handling fees. The check is cleared, you wait 5 or 10 days for a clear balance and then remit the funds. A month later the bank reverses the amount, because the check was fraudulent!
A variation is when an individual is “hired” as a ‘payment processor’ and gets checks that he/she cashes and transfers to other accounts. The checks are usually stolen and the individual becomes a part of the crime as a “Money Mule”.

Page 24
FRAUDS…
- Mobile Phone Insurance … UK consumers get calls offering cheap insurance for the new phone purchased. They are asked for card information and the card is scammed
- Medical Insurance … customer purchased a policy online and when he made a claim it was not accepted since he had not declared his medical condition at the time of purchasing the policy – the agent sold the policy without providing proper information or sold inadequate cover
- Insurance frauds … false declarations and staged accidents against insurance purchased online – healthcare, auto insurance
- Stock market – forums and spam send out recommendations and the whole world starts discussing how “hot” that scrip is. Of course, everyone buys and it tanks when the scamster has made his million.

Page 25
PHISHING … the nemesis of modern day transactions
Banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.)
The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers) - Gartner
I would highly recommend not entering a PIN number anywhere on the Internet, unless it was hardware based. - Avivah Litan, Analyst at Gartner

Page 26
STOCK MARKET FRAUD THREATS
Threats are lurking for the gullible investor at every corner…
- Investment Newsletters … hyping stocks, false information, company promotion
- Bulletin Boards / Forums … discussions are very heated and dubious
- Spam … mass mailing
Typically these are called “Pump and Dump” scams since they work to build a hype around a ‘dabba’ company to push up the share price. The scammer sells and exits and the share price tanks!
October 2000: A bogus online press release caused Emulex Corp., a California firm that designs and develops fiber optics, to lose more than $2 billion in value during a single day of trading. It stated that the company was reducing its earnings estimates and that its chief executive was stepping down. A 23-year old student used a computer at his community college to distribute the release and earned a $240,000 profit from the resulting price fluctuations before he was caught.

Page 27
Spear Phishing (report of Jun ‘09)
The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks. If the victim logs in to a bank that requires two-factor authentication -- such as the input of a one-time pass phrase or random number from a supplied hardware token -- the Trojan re-writes the bank's Web page on the fly, inserting a form that requests the information.

Page 28
PREVENTION – Corporate / Institutional Vigilance
- Continuous network monitoring … internal and external; automated / manual
- Planned and periodic Vulnerability Assessment / Penetration Testing on infrastructure and Web Applications
- Device based monitoring … systems (FW/IDS/IPS/UTM)
- Logging and log analysis … use of SIM/SIEM tools
- Proactive Incident Management … to identify, contain, learn and update
- Backup, Patch, Change Management, Continuity and Recovery … use appropriate technologies and processes with regular testing schedules and drills
- Secure Software Development … build security in – purchase software that has undergone security testing

Page 29
IF IT SOUNDS TOO GOOD TO BE TRUE … IT’S NOT TRUE!

Page 30
NIGERIAN SCAM or 419 SCAM … was a $5 billion industry in 1996!
"419 fraud" is so called after Section 419 of the Nigerian Penal code, the section that specifically prohibits this type of crime.
Variations of the scam mails carry an ‘emotional’ appeal:
- Deposed leaders and their families (widows, sons) and associates (aides, lawyers).
- Over-invoiced contracts and government employees (NNPC, Central Bank of Nigeria).
- Forgotten accounts, wills and inheritances, death-bed claims of wealth.
- Trade deals.
- Assistance getting stolen assets (cash, diamonds) out of the country.
- Gifts to charitable or religious organizations.
- Scholarships.
!! scammed !!

Page 31
THE FIVE RULES FOR DOING BUSINESS WITH NIGERIA
Courtesy of The 419 Coalition
1. NEVER pay anything up front for ANY reason.
2. NEVER extend credit for ANY reason.
3. NEVER do ANYTHING until their check clears.
4. NEVER expect ANY help from the Nigerian Government.
5. NEVER rely on YOUR Government to bail you out.
Not just Nigeria! These rules apply to doing business with anyone!
Mountains of gold: An exploratory research on Nigerian 419-fraud: backgrounds. Research was carried out in 2008 by Bureau Beke and the Police Academy. It is in Dutch and the first English edition is due any time.

Page 32
AN UNFORTUNATE FACT … TRUE THROUGH THE AGES
A fool and his money are easily parted

Page 33
WINNING THE FRAUD GAME USING THE PREVENTION STRATEGY
We have to smarten up not to be fooled and win the game … Prevention measures primarily require the tweaking of people, process and technology … the triumvirate on which all security best practices rest.

Page 34
FRAUD PREVENTION – Corporate / Institutional Vigilance
- Continuous network monitoring … internal and external; automated / manual
- Planned and periodic Vulnerability Assessment / Penetration Testing on infrastructure and Web Applications
- Device based monitoring … systems (IDS/IPS/UTM)
- Logging and log analysis … use of SIM/SIEM tools
- Proactive Incident Management … to identify, contain, learn and update
- Backup, Patch, Change Management, Continuity and Recovery … use appropriate technologies and processes with regular testing schedules and drills
- Secure Software Development … build security in – purchase software that has undergone security testing

Page 35
FRAUD PREVENTION – Corporate / Institutional Vigilance
- Awareness & Training for users at all levels – there is nothing like low-end or high-end training. Use Mailers and Seminars to reach out.
- Banks – online issues and how to practice safe surfing
- Stock & Shares – do your own research, don’t rely on gossip
- Identity / Access Management … role based access control
- Policies and Procedures to detect, respond, neutralize (or) remediate, report and learn, in addition to the IT use / security policy
- Monitoring behavior, activity, markets, trends, internal controls, technology
- Risk Management should be proactively built into controls that can alert responsible persons when a threshold is breached

Page 36
FRAUD PREVENTION – Corporate / Institutional Vigilance
- Anti Phishing … guidelines (gyaan) must be highlighted on the login page
- Website Design must be simple … There is too much noise, so the user does not care about any announcement or warnings. Don’t make life difficult for the user – e.g. a frequent password change is no guarantee against compromise, but if you log out the user after he / she has logged in and made a password change you are creating an unnecessary step in the process
- Provide Visible Links … for Statements, Password Change etc. and inform customers that NO email will ever carry a clickable link
- Auto Logout … an inactive log-in is automatically logged out
- Communicate … proactively about any problems on the website (downtime, hack etc.) and seek to educate the user (but this must be in plainspeak)
- Endpoint Security … regularly check for virus, keyloggers, spyware

Page 37
THE USER

Page 38
BEATING FRAUD
Personal Vigilance
- Rely on Common Sense
- Check the URL you are going to click (if it is in a mail)
- Bookmark bank URLs and use them to visit the site
- Do not save passwords using the browser's save password feature
- Be careful about social engineering

Page 39
BEATING FRAUD – it's Common Sense (to a large extent)
- Watch out for “phishy / scammy” emails and sites
- Don’t click on links within emails that ask for your personal information
- Block pop-ups and never trust a site that is asking for your sensitive information on a pop-up – if you must, then verify the pop-up source and “allow” only those instances
- Secure your system by using anti-virus, anti-spam and a firewall, and keep them updated
- Attachments from known people? Trust it only if it is a known file type. Your system will show a cute program icon. In any case why do you want to mess with unknown file types when you have enough troubles already!
- Ask Yourself … If someone can make a crore out of my thousand why does that person look like a beggar. And if not, why is he / she doing you a favor!

Page 40
BEATING FRAUD – some tools will help
- Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences.
- Link Alert is a Firefox Add-on that will warn you of any phishing attempt
- Phishing Filter for IE 7 and higher from Microsoft

Page 41
WHERE ARE WE AND WHERE DO WE GO
- We are in a state of denial, dispute and (many a time) over-confidence
- Government / Law enforcement / Institutions currently seem to work in reactive mode rather than proactively address threats / risks
- Management purse strings have to loosen: “IT / IT Security is a business function”
- Technical team members have to participate with the business group and must communicate ‘plainspeak’ rather than ‘geekspeak’; it is the only way they can attract business managers to their table
- Disciplines (Controls) in Security, Governance, Risk, Compliance, Continuity have to be considered together to be effective

Page 42
RESOURCES
- URBAN LEGENDS
- INTERNET CRIME COMPLAINT CENTER
- NATIONAL CRIME RECORDS BUREAU
- Australian Competition and Consumer Commission
- THE UK PAYMENTS ASSOCIATION

Page 43
Partner & Relationships, Clients, Locations

Page 44
PRESENTED BY
Dinesh Bareja, CISA, CISM, ITIL, BS: 7799 (Imp & LA) - Senior Vice President
Information Security professional with more than 11 years of experience in technology in commercial, operational, functional and project management roles on multiple large and small projects in global and domestic markets.
Experienced in establishing ISMS (Information Security Management System), planning and implementation of large scale CobiT® implementation, ISO: 27001, ERM, BCP/DR, BIA, Asset Management, Incident Mgt, Governance and Compliance, VA/PT, AppSec etc.
He is also a member of ISACA, OCEG, iTSMF and co-founder of the Indian Honeynet Project and Open Security Alliance. You can find him on LinkedIn as the owner of the India – Information Security Community group.

Page 45
Global Locations
Partners:
- Abdul Kareem Holdings, Saudi Arabia: KSA, UAE
- Omania e-Commerce Ltd, Oman: Oman
- Consolidated Gulf Company, Qatar: Qatar
- NextGen Technologies, South Africa: RSA, Mauritius, Botswana, Namibia and Kenya
- IPMC, Ghana: Ghana and Nigeria
Locations on the map: New Delhi, Mumbai, Pune, Chennai, Malaysia, Indonesia, Sri Lanka, London Office (UK and Europe), Canada, USA
Map legend: Secure Matrix Head Office, Regional Office Location, Partner Location, Planned Office Location

Page 46
STRATEGIC RELATIONSHIPS

Page 47
CONTACT US
Registered Office Mumbai: 12 Oricon House 14, K. Dubash Marg, Fort Mumbai INDIA
Technology Centre Chennai: Plot No. 1, Door No. 5 Venkateshwara Street Dhanalakshmi Colony Vadapalani, Chennai INDIA
Technology Centre Pune: Trident Towers Office No: 3 2nd Floor, Pashan Road Bavdhan Pune INDIA
Dubai: P O Box 5207 Dubai, UAE

Page 48
THANK YOU