Technical malfunctions in the payment chain have a major impact on both consumers and business owners. Fraud occurs in a variety of forms, such as phishing, skimming, shouldering and theft, cash trapping, etc. Many parties are involved in fraud prevention: banks, transaction processors, POS terminal suppliers, brand owners, and also business owners and consumers.  But how can you prevent fraud and reduce your risks?

In 2002 the movie “Catch Me If You Can” came out. The story of one of the most notorious conmen, Frank Abagnale, was set in film. With Leonardo Dicaprio in his shoes. What this movie shows, is that social engineering isn’t something new. In an example, Abagnale went to the bank, in a pilot suit, and a boost of confidence, and asked the bank cashier if they could cash the check for him. They would often oblige because they only saw the pilot, and Abagnale stated; ” The difference today is that when I used to pass cheques, 90% was the presentation, 10% was the cheque. Today, it’s the other way round”.

The three (security) lessons from Catch Me If You Can

Catch Me If You Can is an incredible story to see/read. Not only because we see a charming Leonardo DiCaprio, but it also gave us some insights into a real conman. These are three (security) lessons we can learn from Catch Me If You Can:

1. Social engineering isn’t new. It’s about confidence, targeting the right people in the chain to get what you want and look legit. Abagnale knew he could pull it off if he looks like he has the authority to cash money he didn’t have. – Luckily, social engineering is beatable. If they’ve looked to the details, they should’ve known something wasn’t right. It’s the same with scammers. If you know something isn’t right, there usually isn’t.

2. Information is key

Frank Abagnale Jr. impersonated some of the most educated careers in America without a fragment of background education. But he had an innate ability to learn quickly and think on his feet, allowing him to mesh well with his highly educated colleagues. It only took him so far, because, at the end of each of his scam, he chooses to flee, because his surroundings became suspicious about his real background and education. – For scammers nowadays, it’s just the same. They don’t know a lot, but what they do know about you, and about your company, lets them learn more, with the result to outwit the key person in your company. Moreover, it is really important to educate your colleagues about the risks, because once they are aware, they know which kind of questions they should/could ask to prevent a successful scam.

3. Technology (and policies) can prevent human error.
Last, but not least, technology could’ve prevented a lot of problems that Abagnale has caused. It wasn’t as sophisticated as it is now, but you could still see through the lies of Abagnale. The same with policies, or rather, the lack of. The only reason why Abagnale had the luck to fly all over the world, was because of policy between airlines (where pilots could fly for free). If they had checked Abagnale properly (according to policy), he couldn’t even get his hands on a pilot costume. – Again, it’s the same principle for most of the companies. With the right systems, technology and policies in place, it should be a lot harder to hack or social engineer into your company.

Privileged user accounts are magnets for hackers, fraudsters and auditors!

Earlier, it is mentioned that fraud comes in different sizes. Most of those cybercrimes are targeting privileged user accounts, and in 2019 it resulted in a dazzling estimated US$3.5 billion in losses. Why do you ask? Because a privileged user is someone who has administrative type access to critical systems. As ‘trusted’ users, they have the most powerful access to anyone within the organization. Often, they are able to carry out a wide range of system administration tasks, such as amend system configurations, install and/or upgrade software and change access for other users.  They may even be able to override existing security policies, make unauthorized system changes and access confidential data.

Typical job functions include:
– System / Database Administrators
– Human Resources Staff
– Support Staff

It’s worth mentioning that privileged access rights can also be granted to Service Accounts, such as those which are set up to manage integrations.  Although these accounts are not intended for use by humans, they could be abused by anyone who knows the credentials.

Privileged access increases the risk of fraud

PWC’s 2018 Global Economic Crime and Fraud Survey found that “52% of all frauds are perpetrated by people inside the organization.” That brings us back to lesson number 3. It is therefore vitally important that you implement rigorous risk management policies to protect your organization from the dangers associated with privileged access.

Of course, the natural thing to do is to mitigate these users or exclude them from regular audit reporting requirements by stating they are known or trusted – but that should not be acceptable to your organization and would likely result in a deficiency in your next audit.

As with any mitigation, the objective is to reduce the probability or possibility of an event to an acceptable threshold. So you need to consider your options for mitigating privileged access, the cost vs benefit of each option, and the impacts. Risk mitigation can be costly and time-consuming, but not if you do it right (with a suiting roadmap, the right information, and compatible tooling).

Mitigating risk for privileged users: the 3 main areas to consider

There are three main areas to consider if you’d like to mitigate risk for privileged users. The keywords are Manage, Monitor, and Review. Perhaps, you already have a few of these solutions or even an alternative, but it’s still good to check if it’s in place, or if it’s necessary to put it in place. Let’s take a look:

1.     Manage the risk:

Implement a User Management policy that tracks specifics about privileged user accounts, e.g. effective date, usage type (system admin or integration), vendor company name, the expiry date of the contract, or the date when access should cease pending contract renewal. It’s about documenting the “who, what, when and where” for privileged accounts.

Access Management – people often focus on controlling access to roles, but it’s more important to restrict the privileges within the roles. The roles should be created using a model of least privilege, where users only obtain access to the applications, modules, and data that they need to do their job.

For example, a System Administrator may not require access to business transactional applications in the production environment, provided sufficient support resources are available.  Read more about access management

Password Management – passwords for these users should expire more frequently, on a set schedule. They should never be set NOT to expire.

It is also recommended to implement a procedure for joiners/leavers; whereas you could give or take away access for network access. Upon leaving, passwords for service accounts should be changed when possible.

For shared passwords, such as those required for service accounts, passwords should be stored in a third-party password tool or kept in a secure, password-protected location/vault.

2.     Monitor activity:

Maintain on audit trail of changes to critical or master data, such as the address book, vendor / supplier master data and human resources data. Monitoring should consist of capturing before and after results, then reviewing them for unusual activity.

Set up alerts for events such as a high number of password change attempts (in example more than 5), or a significant period since last sign-on date (in example over 30 days). This ensures that you can keep an eye on unusual activity

Segregation of Duties – when access is granted either by a change in a role or the addition of roles to a user, it is critical to check whether this new access causes an SoD conflict.

3.     Review

User Access Review – conduct a review of privileged users on a more frequent basis than business users. It is recommended to do this monthly.

Vendor Review – in conjunction with your User Access Review, you should also check the status of ERP access granted to any vendor employees who work with your organization.

Ask your vendors to regularly supply a list of their employees who are assigned to your account.  Check for the spelling of names/name changes, job titles/position changes, and employment status, so that you can remove any redundant access for people who no longer work for them.

Service Accounts – ask for updates/status reports on the usage of these accounts. Ensure that usage is documented and updated regularly.

Passwords – review and set a schedule for when service account passwords should be changed (note that this may require system downtime). Require evidence of execution.

Terminate redundant access – revoke access when it’s no longer required. Institute an immediate termination policy and require evidence of execution.

Hopefully, this article gave you some useful insights and encouraged you to clamp down on privileged access to your ERP system. Keep in mind, some of the largest data breaches were carried out by insiders with administrative access, such as Edward Snowden.