WHITEPAPER OFAC Compliance Best Practices in Knowing Where and With Whom You Are Conducting Business


Table of Contents

OFAC Sanctioned Countries, Entities, and Individuals
OFAC Requirements
Blocked Transactions
Prohibited Transactions
OFAC Reporting
Location Hiding Has Become Commonplace
Proxies Frequently Used To Hide One’s Location
Money and Account Mules
Solutions and Best Practices for Determining True Customer Location
ThreatMetrix TrustDefender™ Cybercrime Protection Platform
Proxy, VPN and TOR Network Detection
Advanced and Persistent Device Identification
Packet Fingerprinting
Anomaly Detection
Mobile Device Capabilities
World’s Largest Shared Global Trust Intelligence Network
Benefits of Using ThreatMetrix TrustDefender
Summary Conclusions


Criminals and terrorists use sophisticated techniques to hide their true location, and many banks or other businesses become victims of such location spoofing – thus violating OFAC regulations that prohibit business transactions with specific countries, entities, or individuals.

OFAC, the Office of Foreign Assets Control within the United States government, administers and enforces economic and trade sanctions against foreign countries, entities, and individuals engaged in terrorism, international drug trafficking, the proliferation of weapons of mass destruction, and other activities deemed to be harmful to the United States.

All U.S. businesses must abide by OFAC regulations to ensure they don’t unwittingly transact with illegal entities. The laws also affect foreign banks and organizations who do business with the U.S. and need to clear payments in dollars – thus OFAC policies and laws can significantly impact organizations inside or outside the United States.

Apart from reputation and brand risk, OFAC violations can also result in penalties as high as $250,000 per incident, or twice the value of the transactions, whichever is greater. For banks, the reputation and financial stakes of non-compliance can be huge. BNP Paribas, the largest French bank, was recently fined $8.8 billion for OFAC violations.

To be compliant with OFAC, organizations must know the true location of their business clientele and customers, and often their customers’ customers. Unfortunately, most companies use outdated technologies such as IP addresses to determine the locale of those they are doing business with. Cybercriminals, however, can use several techniques to easily alter or disguise their actual IP addresses – effectively hiding the fact that they are actually in an area restricted by OFAC. This makes these businesses and their directors vulnerable to interacting with illegal entities and violating OFAC regulations.

OFAC Sanctioned Countries, Entities, and Individuals

OFAC acts under Presidential wartime and national emergency powers, as well as authority granted by specific legislation, to impose controls on business and other transactions. Many of the sanctions are based on United Nations and other international mandates; therefore, they are multilateral in scope, and involve close cooperation with allied governments.

OFAC administers and enforces economic and other sanctions and embargoes that target geographic regions and governments. Comprehensive sanctions essentially prohibit all trade and transactions with specified countries unless special licenses are in place. At the time of this writing, these countries include:

• Burma (Myanmar)
• Cuba
• Iran
• Sudan
• Syria

In other non-comprehensive programs, there are no broad prohibitions on dealings with countries, but there are restrictions against interacting with specific named individuals and entities that may be associated with sanctioned countries. These are identified in OFAC’s list of Specially Designated Nationals, or SDN list, which includes over 6,000 names of companies, entities, and individuals who are connected with the sanctioned areas. Countries currently affected by non-comprehensive sanctions include but are not necessarily limited to:

• The Western Balkans
• Belarus
• Cote d’Ivoire
• Democratic Republic of the Congo
• Iraq
• Liberia (Former Regime of Charles Taylor)
• Persons Undermining the Sovereignty of Lebanon
• Libya
• North Korea
• Somalia
• Zimbabwe

OFAC Requirements

To be compliant with OFAC regulations, organizations must adopt business practices that check OFAC data regarding which countries and SDNs are under sanctions, and utilize appropriate technologies to determine the true and actual location of their current and potential customers and clientele.

In general, OFAC requires the following:

1. Blocking of accounts and other property of specified countries, entities, and individuals.
2. Prohibiting or rejecting trade and financial transactions with specified countries, entities, and individuals.
3. Reporting of all blockings to OFAC within 10 days of the occurrence, and annually by September 30th.


Blocked Transactions

The law requires that assets and accounts of an OFAC-specified country, entity, or individual be blocked when such property is located in the United States, is held by U.S. individuals or entities, or comes into the possession or control of U.S. individuals or entities.

Organizations and specifically banks must block transactions that:

• Are by or on behalf of a blocked country, individual, or entity;
• Are to or go through a blocked country, individual, or entity; or
• Are in connection with a transaction in which a blocked individual or entity has an interest.

For example, if a funds transfer comes from offshore and is being routed through a U.S. bank to an offshore bank, and there is an OFAC designated party on the transaction, it must be blocked.

Prohibited Transactions

In some cases, an underlying transaction may be prohibited, but there is no blockable interest in the transaction (i.e., the transaction should not be accepted, but there is no OFAC requirement to block the assets). In these cases, the transaction is simply rejected, and not processed.

OFAC Reporting

Banks and other entities must report all rejected or prohibited transactions and blockings to OFAC within 10 days of the occurrence, as well as annually.

A full and accurate record must be kept of each rejected transaction for at least five years after the date of the transaction. For blocked property (including blocked transactions), records must be maintained for the period the property is blocked and for five years after the date the property is unblocked.

Location Hiding Has Become Commonplace

Hiding or altering one’s online location has become common. There are a number of factors driving this including government censorship; circumventing employee web browsing restrictions; the desire to maintain privacy and avoid being tracked; and efforts to protect personal data. Most people wouldn’t think of giving their home address to a stranger, so why should they provide the address of their computer, which may be full of private and sensitive information, to potential spammers, hackers, compromised websites, or to those they don’t know?

With the increasing demand for location hiding, hundreds if not thousands of services have emerged that make it easy to do. Unfortunately, criminals also use these services and technologies to hide their location.


Most banks and businesses are not aware of the frequency of location hiding, so they don’t check to see if IP addresses are legitimate. Moreover, when OFAC checking is outsourced, the service providers typically rely on IP addresses as well. This leaves the organization vulnerable to OFAC violations and penalties.

Proxies Frequently Used To Hide One’s Location

There are a variety of readily available techniques that make it easy to hide or fake one’s location. Most use proxy servers which act as intermediaries, hiding the user from the sites they are communicating with. Users connect to a proxy server first, then direct the proxy to connect to a specific website or service. Since all of the user’s traffic flows through the proxy, the end website sees only the proxy’s IP address. The user, their IP address, browser, device type, operating system, and other attributes are all hidden behind the proxy. The target web site or application has no idea that the location and other attributes of the user they are connected to are fake.

Data from the ThreatMetrix Global Trust Intelligence Network during the last 6 months reveals that 3.57% of all transactions are flowing through a proxy server. Some countries, including those under OFAC sanctions, have a very high percentage of transactions flowing through proxies. In Iran, almost 32% of all transactions use proxies. In Zimbabwe it’s 22%, and Yemen, Liberia, Sudan, and Ivory Coast all have percentages ranging between 10 and 18 percent. In North Korea, a staggering 83% of transactions monitored by ThreatMetrix™ are flowing through proxies.

[Figure: Percentage of All Transactions Globally Using A Proxy, by country. Congo 7%, Cuba 8%, Iran 32%, Iraq 5%, Ivory Coast 18%, Liberia 11%, North Korea 83%, South Sudan 20%, Sudan 15%, Yemen 10%, Zimbabwe 22%, Other (Belarus, Myanmar, Libya, Somalia, Syria) 12%.]


For banks and other financial institutions, 4 to 6 percent of all transactions are flowing through proxies. These numbers are fairly consistent across the United States and Canada, EMEA, and APAC. While these percentages may seem small, for large organizations that do tens of thousands or millions of transactions daily, hundreds or even thousands of those transactions may actually be occurring with OFAC restricted entities. Proxy usage for e-commerce and retail transactions varies from around 2.5% in EMEA to a whopping 29% in APAC.

If we look just at proxy transactions that occur in countries with OFAC restrictions, it’s interesting to note that over half of all such transactions occur within Iran and Liberia. Belarus, Iraq, and Zimbabwe account for 25%, and the other countries together make up the last quarter.

[Figure: Banking Transactions Using Proxies. US/Canada 4.7%, EMEA 4.0%, APAC 6.4%.]

[Figure: E-Commerce & Retail Transactions Using Proxies. US/Canada 4.7%, EMEA 2.4%, APAC 29.3%.]

[Figure: Percentage of OFAC Restricted Transactions Globally Using A Proxy, by country. Iran 35%, Liberia 21%, Belarus 9%, Iraq 9%, Zimbabwe 8%, Yemen 5%, Ivory Coast 5%, All others 8%.]


There are different types of proxies and various methods used to connect to them. Simple browser plug-ins and extensions like Geolocator, Location Guard, One Click Proxy ID, and SwitchProxy make it simple for users to hide their location, or change it to essentially any country or region desired.

Some proxies include VPN capabilities. Everything between the user and the proxy is encrypted, so users can transmit and receive data without anyone, even their network administrators, service providers, or governments being able to read it. Examples of proxies with VPN capabilities include IPVanish VPN, CyberGhost VPN, ExpressVPN, and pureVPN. With limited skills, one can also create their own VPN.

Using the TOR anonymity network is another very powerful way to hide one’s location and encrypt all data. TOR encrypts the original data and destination IP address repeatedly as the packets traverse a virtual circuit of randomly selected TOR relays. The final relay decrypts the original data and sends it to its destination without disclosing, or even knowing, the original source IP address.

Numerous, readily available tutorials on YouTube and other sites make it very easy for anyone, even those with limited technical skills, to use any or all of the above methods to hide or alter their IP address and location.

Money and Account Mules

Cybercriminals will often use an unknowing individual or “mule” to circumvent OFAC checking. Mules are often dupes recruited online for what they believe to be legitimate employment. Paid a small sum to set up an account for their “employer”, the mule, who resides in a country without OFAC restrictions, establishes the account without incident. Then the account is transferred to and used by the criminal to perform illegal transactions.

If the bank only performs OFAC checks during account establishment, the subsequent illegal activity will likely go undetected. If, however, the bank monitors ongoing transactions, the criminal would be detected as soon as he starts operating from a blocked country or entity.

Solutions and Best Practices for Determining True Customer Location

There are a number of steps that can be taken to detect when an individual is using a fake or altered location.

The following list of best practices will help detect location spoofing and identify a user’s true whereabouts – greatly enhancing OFAC compliance. The procedures can generally be fully automated, and are inexpensive and simple to implement.


1. Utilize advanced location services that are not dependent on IP addresses. Organizations should implement solutions that identify users, their devices, and their location using multiple technologies. In addition to IP addresses, solutions should include device identification; geo-location; device history and reputation; O/S and application localization; and numerous other location attributes such as fonts and languages used.

2. Use technologies capable of persistent device identification. Criminals are proficient in removing cookies, re-installing applications and system software and performing other steps to make their device hard to recognize and identify. Organizations should implement technologies that can detect when this happens, and still be capable of identifying the device, or at least recognize that something suspicious may be going on and provide appropriate alerts.

3. Implement solutions that can detect and pierce proxies, VPNs, TOR networks, and other location hiding techniques. Banks and other businesses should adopt solutions that use advanced technologies capable of identifying when the end user is utilizing proxies or services designed to hide or alter their true location. It should be possible in many cases to identify the end user’s true location, even when proxies are being used.

4. Deploy a solution that can identify device and transaction anomalies. Criminals frequently alter their devices to avoid detection. They may also take over a legitimate individual’s device and use it to perform their illegal activities. Organizations should utilize solutions that can detect the presence of malware and compromised devices, and know what normal device configuration and behavior looks like.

5. Implement Packet Fingerprinting to detect IP address alterations and other suspicious activities that may indicate criminal intent or activity. Criminals may launch man in the middle or man in the browser attacks in order to hijack or alter their location and transactions, thus changing the packets. Businesses should employ technologies that fingerprint the operating system, protocols, and individual packets in order to provide a comprehensive view of each transaction.

6. Use a quality Shared Global Trust Intelligence Network. Companies should adopt a solution that utilizes world wide data contributed by thousands of organizations regarding the level of trust or non-trust of individuals, entities, and their devices. Such networks provide valuable insight into desktops, laptops, tablets and phones, including their true location and owners. A good global trust intelligence network has information on criminals and fraudsters including the IDs and aliases they use, as well as their devices, locations, behaviors and reputation.

7. Perform regular location checks, not just at account creation. Banks and businesses should identify the location of all parties involved in each transaction, or at least on a regular basis. It is not sufficient to only check locations during account registration or updates.

8. Check the location of mobile devices too. Mobile device technology is evolving rapidly and continues to change. Organizations need to adopt solutions that can detect the location of tablets and phones as well as desk and laptops. The solution provider should continuously update their location technologies to match the quickly evolving mobile device capabilities and threats.

9. Use incremental authentication. When location spoofing is detected, step up authentication should generally occur to further validate the user.

10. Stay up to date with the ever changing threat landscape that surrounds location spoofing. Organizations should engage the services of providers who specialize in fraud detection and have the wherewithal to keep up to date with the ever changing methods used by criminals to hide their actual whereabouts.
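The multi-signal check in items 1, 3, 7 and 9 can be sketched as below, evaluated on every session so that the mule hand-off described earlier is caught after account opening. This is an added example, not ThreatMetrix code; the field names, the time-zone table and the sample sessions are constructed assumptions, and the sanctioned set is this paper's 2014 list rather than a current one.

```python
from dataclasses import dataclass, field

# Comprehensively sanctioned countries as listed in this paper (2014), as
# ISO 3166-1 alpha-2 codes. Not a current list; load OFAC's own data in practice.
COMPREHENSIVE_2014 = {"MM", "CU", "IR", "SD", "SY"}

# Constructed sample table: UTC offsets (minutes) a device in each country can
# legitimately report. A real system would derive this from the tz database.
TZ_OFFSETS = {
    "US": {-600, -540, -480, -420, -360, -300, -240},
    "DE": {60, 120},
    "IR": {210, 270},
}


@dataclass
class Session:
    """Signals collected for one login or transaction (field names are hypothetical)."""
    ip_country: str        # from IP geolocation
    proxy_detected: bool   # verdict of a separate proxy/VPN/TOR detector
    tz_offset_min: int     # device-reported UTC offset in minutes
    languages: list        # device language tags, e.g. ["fa-IR", "en"]
    device_history: list = field(default_factory=list)  # countries seen earlier


def region_of(tag):
    """Return the two-letter region subtag of a language tag, or None."""
    parts = tag.replace("_", "-").split("-")
    last = parts[-1]
    return last.upper() if len(parts) > 1 and len(last) == 2 else None


def evaluate(s):
    """Return (decision, reasons); decision is accept, step_up, review or block."""
    if s.ip_country in COMPREHENSIVE_2014:
        return "block", ["IP country is comprehensively sanctioned"]

    spoofing = []
    if s.proxy_detected:
        spoofing.append("proxy/VPN/TOR in use")
    allowed = TZ_OFFSETS.get(s.ip_country)  # None means no data, so no check
    if allowed is not None and s.tz_offset_min not in allowed:
        spoofing.append("time zone does not match IP country")

    # Language and device history are weak evidence on their own (expatriates,
    # travellers), so they escalate to a human rather than block outright.
    secondary = set(s.device_history) | {r for r in map(region_of, s.languages) if r}
    hits = sorted(secondary & COMPREHENSIVE_2014)
    reasons = spoofing + (["secondary signals point to " + ",".join(hits)] if hits else [])

    if hits and spoofing:
        return "review", reasons   # hidden location plus a sanctioned-country signal
    if reasons:
        return "step_up", reasons  # item 9: step-up authentication
    return "accept", []


def first_flagged(sessions):
    """Index and decision of the first session that is not accepted, else None."""
    for i, s in enumerate(sessions):
        decision, _ = evaluate(s)
        if decision != "accept":
            return i, decision
    return None


# Constructed sessions for one account: opened by a "mule", later used from elsewhere.
ACCOUNT = [
    Session("US", False, -300, ["en-US"], ["US"]),            # registration
    Session("US", False, -300, ["en-US"], ["US"]),            # first login
    Session("DE", True, 210, ["fa-IR", "en"], ["IR", "DE"]),  # later transaction
]

if __name__ == "__main__":
    for n, s in enumerate(ACCOUNT):
        print(n, *evaluate(s))
```

A check that ran only at registration would see the first session and accept the account; the third session is flagged only because every transaction is evaluated.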

ThreatMetrix TrustDefender™ Cybercrime Protection Platform

The ThreatMetrix TrustDefender Cybercrime Protection Platform is a unique and powerful solution that enables banks and other organizations to significantly enhance their ability to comply with OFAC regulations. Real-time Trust Analytics enable context-aware security and combine device, identity, and behavioral analytics with collaborative feedback from millions of users across tens of thousands of sites to provide the latest security and fraud detection capabilities.

TrustDefender uses advanced technology to accurately detect location spoofing and determine the user’s true location – ensuring end users are not located in illegal countries or regions. TrustDefender provides organizations with an accurate assessment of suspicious account registrations and transactions, and the ability to instantly determine if any given request or transaction should be blocked, prohibited, accepted, or held for manual review.

Proxy, VPN and TOR Network Detection

Using sophisticated technologies that are not dependent upon IP addresses that can be easily faked, TrustDefender determines the true and actual location of users, even if they are intentionally distorting their whereabouts.

TrustDefender is capable of detecting the use of hidden proxies, VPNs, TOR networks and other methods used to hide or distort one’s true location. By using the world’s largest and most comprehensive shared Global Trust Intelligence Network, and advanced technologies such as intelligent packet and browser packet analysis, ThreatMetrix allows organizations to pierce proxies and VPNs to uncover the user’s true IP address and location.

ThreatMetrix has developed a unique proxy and VPN detection capability that:

• Captures additional TCP/IP packet header attributes
• Analyzes the network connection type from an originating device, such as Ethernet, 3G, WiFi, VPN and others
• Enables new sets of policies and alerts for accurate location detection and fraud prevention
• Distinguishes between normal IPs and proxy or VPN based IP addresses

Advanced and Persistent Device Identification

Properly identifying desktops, laptops, and mobile devices has always been a challenge for application developers trying to detect criminal activity. Fraudsters deliberately remove built-in security controls and modify device identifiers. A device may be reset, thus altering its attributes, or the identifying app itself may have been reinstalled. All of these factors make accurate device identification difficult to achieve.

Fortunately, ThreatMetrix has vast experience in device identification, and has spent years developing technology that is capable of uniquely identifying specific devices of all types. TrustDefender can single out individual desktops, laptops, smart phones, tablets, or other devices, even when fraudsters intentionally alter device identities.

Packet Fingerprinting

TrustDefender utilizes sophisticated and advanced device, operating system, and packet fingerprinting to expose and catch fraudulent activities. Unexpected changes in packet headers and location data are indicative of criminal activity such as session hijacking and location spoofing.

Organizations utilizing TrustDefender are alerted to the suspicious activity and can take steps to block or prohibit the transaction according to OFAC regulations.

Anomaly Detection

Criminals employ numerous methods to avoid detection. They may root or jailbreak their devices, alter or disable security settings and features, assume others’ locations and identities, and access their targets during strange hours and at unusual frequencies. Their actions may utilize devices that have been infected with malware or compromised by weak device configurations. Criminals may claim to be in a specific location but their time zone data doesn’t match, and all of their fonts and language settings are foreign. Reported browser types may not run on their operating system, etc.

TrustDefender detects all of these and many more anomalies, helping organizations to detect imposters and block or prohibit their actions.

Mobile Device Capabilities

TrustDefender analyzes each connection to determine what type of device is being used. Mobile devices are detected, and advanced technologies identify when proxies, VPNs, or other methods are being used to hide or alter the true IP address and location.


Mobile fraud detection technologies, capabilities, and solutions are fully integrated within the TrustDefender platform. Location detecting features such as persistent device identification, device and packet fingerprinting, and anomaly detection are fully supported for mobile devices as well as desk and laptops. This uniform and all encompassing approach to fraud detection makes the TrustDefender platform an ideal solution for organizations looking to process transactions from all types of devices, including mobile.

World’s Largest Shared Global Trust Intelligence Network

An important element of fraud detection is the ThreatMetrix Global Trust Intelligence Network. By leveraging the combined data and intelligence of thousands of organizations around the world, all battling to detect and defeat cybercrime, ThreatMetrix can detect location spoofing, impostors, and fraudsters that would otherwise be unidentifiable.

ThreatMetrix profiles tens of millions of users and their devices daily, and regularly processes hundreds of millions of logins and related transactions. The Global Trust Intelligence Network is the repository for this wealth of data. Devices infected with malicious malware, or associated with botnets or crime rings, are identified. All devices involved in criminal behavior or suspicious activities are noted. When any of those devices later connect to your site, TrustDefender informs you of its history and risks, and intelligently analyzes your custom policies and rules to help you determine the correct course of action.


Benefits of Using ThreatMetrix TrustDefender

All U.S. organizations, and banks in particular, can benefit from using ThreatMetrix TrustDefender as part of their OFAC compliance solution.

Benefits of using TrustDefender:

• ThreatMetrix products and services will keep you updated with the latest and best capabilities to accurately detect where your customers and clientele are truly located

• Highly accurate processes essentially eliminate the risk of OFAC violations and fines

• TrustDefender’s automated location detection processes are significantly faster and less expensive than using OFAC’s own tool or other manual procedures

• Knowing immediately when you need to block or prohibit transactions will save you time and money otherwise spent on manual reviews

• TrustDefender’s cloud based solution is simple and cost effective to implement

• Because TrustDefender can identify good transactions that may otherwise be denied, revenue is often increased - leading to a rapid ROI

• In addition to accurate location detection, TrustDefender’s fraud detection and context-based authentication capabilities help most organizations significantly reduce their overall fraud related costs

• OFAC Compliance and peace of mind

Summary Conclusions

The ability for cybercriminals to hide their true location has never been greater, and many organizations are falling prey to location spoofing – thus violating OFAC regulations and potentially incurring steep penalties.

Fortunately, there are a number of relatively simple steps and procedures businesses can take to replace outdated OFAC assurance programs with advanced solutions that are capable of detecting the true location of criminals and imposters.

TrustDefender, from ThreatMetrix, is an excellent tool that banks and organizations of all types can use to accurately detect the real location of end users, and comply with OFAC regulations.

The TrustDefender Cybercrime Protection Platform is simple and quick to implement, and provides many benefits. In most cases, revenues are increased and the low total cost of ownership provides a full ROI within months.


© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Client, TrustDefender Cloud, TrustDefender Mobile, ThreatMetrix SmartID, ThreatMetrix ExactID, the ThreatMetrix Cybercrime Defender Platform, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

V-8.14

For More Information

For more information about the TrustDefender Cybercrime Protection Platform and how it can help you reach your OFAC compliance objectives, call ThreatMetrix or visit our website at www.threatmetrix.com.

ThreatMetrix Inc.
160 W Santa Clara St, Suite 1400
San Jose, CA, 95113
Telephone: +1 408 200 5755

About ThreatMetrix

ThreatMetrix screens site visitors to detect their true location, prevent account takeover, payment fraud, fraudulent account registration, enterprise web fraud, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million transactions monthly, provides context-aware security and online fraud prevention solutions, to help companies accelerate revenue, reduce costs, and eliminate friction.

ThreatMetrix protects over 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance.