Posted on May 18th, 2010 by Tom Grubb

The Electronic Frontier Foundation wants to let you in on a little-known fact about your browser: it talks behind your back. The secret’s out thanks to a newly published study from a project EFF calls Panopticlick that set out to show how your browser can be used as a way to uniquely identify your computer.
This research project, which kicked off in January, demonstrates how anonymous data from your browser can be used to identify your computer. EFF created a web application that “will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of many other Internet users’ configurations” to derive a uniqueness score that indicates how identifiable your computer is among a population of similarly logged computers. I’ve been following the Panopticlick story and writing about it since March in this blog and in Security Week.
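To make the uniqueness score concrete, the following added example (not EFF's code and not part of the original post) scores one configuration against a small constructed population of logged configurations. The attribute names, the sample data and the choice to express the score as bits of surprisal are assumptions of this sketch.

```python
import math
from collections import Counter

# Assumed attribute names; the post only mentions OS, browser and plug-ins.
ATTRIBUTES = ("user_agent", "os", "plugins")


def normalise(cfg):
    """Make a configuration comparable; plug-in order must not matter."""
    return {
        "user_agent": cfg["user_agent"],
        "os": cfg["os"],
        "plugins": tuple(sorted(cfg["plugins"])),
    }


def surprisal_bits(matches, total):
    """Bits of identifying information when `matches` of `total` share a value."""
    return math.log2(total / matches)


def uniqueness_report(visitor, logged):
    """Log the visitor, then compare it with everything logged so far."""
    population = [normalise(c) for c in logged] + [normalise(visitor)]
    me = population[-1]
    total = len(population)

    # Whole-fingerprint score: how many logged configurations are identical?
    full = Counter(tuple(p[a] for a in ATTRIBUTES) for p in population)
    same = full[tuple(me[a] for a in ATTRIBUTES)]
    report = {
        "one_in": total / same,
        "bits": surprisal_bits(same, total),
        "per_attribute": {},
    }
    # Per-attribute score: which single attribute gives the most away?
    for attr in ATTRIBUTES:
        sharing = sum(1 for p in population if p[attr] == me[attr])
        report["per_attribute"][attr] = surprisal_bits(sharing, total)
    return report


# Constructed sample data, not real measurements.
LOGGED = [
    {"user_agent": "BrowserA/3.6", "os": "OS-X", "plugins": ["flash"]},
    {"user_agent": "BrowserA/3.6", "os": "OS-Y", "plugins": ["flash"]},
    {"user_agent": "BrowserA/3.6", "os": "OS-Y", "plugins": ["flash", "pdf"]},
    {"user_agent": "BrowserB/8.0", "os": "OS-X", "plugins": ["java", "flash"]},
    {"user_agent": "BrowserB/8.0", "os": "OS-X", "plugins": ["pdf"]},
    {"user_agent": "BrowserB/8.0", "os": "OS-Y", "plugins": ["pdf"]},
    {"user_agent": "BrowserB/8.0", "os": "OS-Y", "plugins": ["flash"]},
]
VISITOR = {"user_agent": "BrowserA/3.6", "os": "OS-X", "plugins": ["flash", "java"]}

if __name__ == "__main__":
    print(uniqueness_report(VISITOR, LOGGED))
```

No single attribute here is rare, yet the combination is unique in the sample, which is the effect the study set out to show.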
An article by Robert McMillan that appeared in ComputerWorld yesterday delves into EFF’s research and the privacy issues raised by the notion that a web site can stealthily identify and track your computer using your browser. The big “aha” reported in the news is that web sites can track you by way of your browser—a convenient discovery in light of Gartner Analyst Avivah Litan’s prediction that flash cookies will eventually lose their effectiveness as a means to identify a computer since Adobe has opened up control over flash cookies so users can control their privacy. The important question isn’t how a website references your computer to track you (cookie, LSO, browser, etc.)—it’s whether they have made it clear to you what they’re doing and for what purpose.
To illustrate, suppose my favorite online electronics etailer wants to profile my computer (browser, cookie, LSO, whatever) as a means to monitor my purchasing behavior. In this scenario I want them to tell me that they are tracking me, and what they will or won’t do with my data. Now, if the same etailer is profiling my computer to protect me (and their business) from fraud – I also want to know about it, I want to know what they’re doing with my data–and I’m glad to see that they’re taking steps to protect me. The same scenario for online banking underscores this point because of the higher risk and greater loss potential. I would feel much better going online to bank if my bank profiled my computer and gave it a unique identity so that if someone else is trying to use my (stolen) personal credentials to try to log in to my accounts from a computer other than mine, the bank can intervene.
Web sites of all stripes use cookies and IP addresses to identify you by your Internet connection and your computer—banks, SaaS applications, content providers, internet retailers and so on. I know too much about how easy it is to fool/get around/spoof/defeat these flimsy handles to trust them. I would rather they employ a far more reliable method to profile my computer—you guessed it, ThreatMetrix; because how a website profiles and references your computer is very important after all.
- Tom
Tags: EFF, Electronic Frontier Foundation, Internet Privacy, Panopticlick
Posted in Online Fraud Trends
Posted on April 29th, 2010 by Tom Grubb

Why is e-commerce so fraught with risk despite the huge amount of money, effort, and technology devoted to making the online world safe? That’s simple: Because crime in the virtual realm has a lot going for it compared with traditional crime in the physical realm. Why use a gun to commit a robbery when you can use credit cards and stolen identities? Every fraudster, scammer and organized cybercriminal knows the five Big A’s: The five big advantages of doing crime online.
Posted in Credit Card Transactions, Device Identification
Posted on April 26th, 2010 by Tom Grubb
We keep finding new and interesting ways to use our ThreatMetrix comic characters to spread the word about our SaaS web fraud solution — now here’s a new one that’s good for more than just a laugh: educational “how-to’s” so you can get under the hood of The ThreatMetrix Fraud Network. Here’s our first installment, cooked up by ThreatMetrix Chief Products Officer Alisdair Faulkner: in the ThreatMetrix Web Fraud 101 “how to” series, learn about botnets and proxies—two powerful tools in the fraudster toolkit—and how ThreatMetrix turns these tools against them.
The tight confines of our blog make the panels a bit hard to read, so head over to our website to get the full-sized version of the entire series.
- Tom

Posted in Botnets, Online Fraud, Proxies
Posted on April 8th, 2010 by Tom Grubb

To a web fraudster, attacking a social game like Farmville or Mobsters 2 isn’t just fun—it’s profitable. There’s serious money in scamming the virtual goods world, as evidenced by industry research cited in this new article posted today on GameBeat, co-written by web fraud experts Jeff Sawitke, Verifi vice president of product strategy, and Alisdair Faulkner, ThreatMetrix chief products officer.
Cybercriminals know to match their tactics to the target—and social gaming is no exception. Here are some typical scenarios where the right fraud defenses can trip up fraudsters trying to game an online game:
- Whereas a typical good customer uses one account from one computer, a fraudster would try to create and manage a half dozen accounts from a single computer—tipping his hand so that his computer can be flagged as suspicious and/or barred from playing.
- Besides the obvious losses from a fraudster/gamer using stolen credit cards, there is the downstream risk to the game publisher for chargebacks.
- In this example, a gamer might be a gold farmer—this is a standard term for a player who tries to acquire items of value in a game to sell or trade for real currency. They typically accomplish this by repeatedly (and rapidly) performing in-game actions that accumulate gains. Automation with bots comes in handy here to get the most bang for the buck in as little time as possible.
- Here the scammer creates accounts using stolen (or legitimate) credit cards, then after a few weeks they call the credit card company and charge it back. The rules credit card companies apply to chargebacks aren’t a good fit for digital goods, so the game publishers suffer fines from the card companies for exceeding chargeback rates.
The meteoric rise of popular social games like Farmville that cater to a growing population of mainstream players makes social gaming an increasingly popular entry point for cybercriminals to lie, cheat—and of course steal. Fraud and risk management should be a top priority for every gaming publisher regardless of size to protect their business, their customers and the overall reputation of the industry. Online game publishers that employ a winning anti-fraud defense can turn social gaming into a losing game for cybercriminals.
- Tom
P.S. For more proof that cybercriminals know to match their tactics to the target, check out this new article posted at Internet Retailer that describes how iReel.com sets the rules when it comes to stopping online fraud.
Tags: social gaming fraud, virtual goods fraud
Posted in Credit Card Transactions, Online Fraud
Posted on March 31st, 2010 by Tom Grubb

Fraudster or customer? The answer to that question keeps getting harder to answer in the online world while the consequences of getting it wrong get more severe. The last mile in web fraud prevention can’t be bridged by the tools and means that rely on the personal information (PII) we all supply to the various web sites we visit. No, the last mile in web fraud prevention is more like a chasm that must be leaped by a new class of anti-fraud technology that relies on the wealth of anonymous characteristics spawned for a web transaction that make each a unique, measurable event—information from a computer, its Internet connection and the context of a web transaction—all intelligently managed in such a way that reveals truth. Here are seven clues that can help you derive a confidence factor for the visitors knocking on your website door to create a new account, use a credit card, or log in:
- I’ve seen this computer at our website before—it has a questionable track-record with my business
- Someone else in the network reports suspicious or negative experience with a device
- Something’s out of place, missing or inconsistent—a good customer using their computer for legitimate purposes wouldn’t behave (that) way
- This computer tried to use 20 credit cards in 5 minutes—what???
- The computer is using a hidden proxy—to register for a new credit card account???
- The computer appears to be under the control of a bot
- The true geographical location by IP address is different than where the person claims to be
You can learn more about how anonymous data is increasingly useful to help stop online fraud in this article in the newly launched Security Week.
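Several of the clues above, together with the multi-account pattern from the social gaming post, can be written as simple rules over transaction events. This added example is not ThreatMetrix's code and not part of the original post; the event fields, the six-account threshold and the sample data are assumptions, and the device ID and proxy flag are taken as already supplied by a device-identification step.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

CARD_WINDOW_SECONDS = 5 * 60   # "20 credit cards in 5 minutes"
CARD_LIMIT = 20
ACCOUNT_LIMIT = 6              # assumed: "a half dozen accounts" per computer


@dataclass(frozen=True)
class Event:
    ts: int               # seconds since an arbitrary start
    device_id: str        # assumed output of device identification
    account: str
    card_hash: str        # never the card number itself
    ip_country: str       # location derived from the IP address
    claimed_country: str  # location the person claims
    via_proxy: bool       # assumed output of upstream proxy detection


def evaluate(events):
    """Return {device_id: sorted rule names} for devices that trip a rule."""
    cards = defaultdict(deque)   # device -> (ts, card_hash) inside the window
    accounts = defaultdict(set)  # device -> accounts ever seen
    flags = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        window = cards[ev.device_id]
        window.append((ev.ts, ev.card_hash))
        # Slide the window: forget cards older than five minutes.
        while ev.ts - window[0][0] > CARD_WINDOW_SECONDS:
            window.popleft()
        if len({card for _, card in window}) >= CARD_LIMIT:
            flags[ev.device_id].add("card_velocity")

        accounts[ev.device_id].add(ev.account)
        if len(accounts[ev.device_id]) >= ACCOUNT_LIMIT:
            flags[ev.device_id].add("multi_account")

        if ev.via_proxy:
            flags[ev.device_id].add("hidden_proxy")
        if ev.ip_country != ev.claimed_country:
            flags[ev.device_id].add("geo_mismatch")
    return {device: sorted(names) for device, names in flags.items()}


def sample_events():
    """Constructed events, not real traffic."""
    events = []
    for i in range(20):   # dev-A: 20 different cards, 10 seconds apart
        events.append(Event(1000 + 10 * i, "dev-A", "acct-1",
                            f"a-card-{i:02d}", "US", "US", False))
    for i in range(20):   # dev-B: 20 cards, but only one per minute
        events.append(Event(1000 + 60 * i, "dev-B", "acct-2",
                            f"b-card-{i:02d}", "US", "US", False))
    for i in range(6):    # dev-C: six game accounts on one computer
        events.append(Event(5000 + 3600 * i, "dev-C", f"farm-{i}",
                            "c-card", "US", "US", False))
    # dev-D: proxied signup whose IP location contradicts the claimed one
    events.append(Event(9000, "dev-D", "acct-9", "d-card", "DE", "CA", True))
    return events


if __name__ == "__main__":
    for device, names in evaluate(sample_events()).items():
        print(device, names)
```

The dev-B case shows why the window matters: the same number of cards spread over twenty minutes stays under the velocity rule.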
- Tom
P.S. If you haven’t heard about Panopticlick, a project by the Electronic Frontier Foundation, then you really should check out the article.
Tags: PII
Posted in Botnets, Device Identification, Online Credit Card Transactions
Posted on March 24th, 2010 by Tom Grubb
What’s more important: stopping online fraudsters at the first attempt or making it fast and easy for customers to transact online? We posed this question and a few more to the attendees at our booth last week in Las Vegas for the Annual Merchant Risk Council conference. Two hundred eighteen people completed the survey…more on what they said in a minute.
The MRC puts on a great conference where you can connect with top fraud prevention industry professionals in online retailing, payments, and information technology. Web fraud tools, trends and tactics change all the time so it’s good to benchmark year over year and learn what’s new from the experts.

We asked attendees at our booth to complete a “one minute” survey to see what we could learn and share what we learned with survey respondents – and now you. This was our second year at the MRC, and to celebrate our breakout 2009 we gave away a few hundred cool t-shirts with ThreatMetrix fraudster cartoon mascots Natasha and Gromyko emblazoned across the front…no surprise there were none left over to ship back from the MRC.
We worked quickly to tally the survey results and get them out, so without further delay here are the complete results from our 2010 MRC Conference survey:

Slightly more than half of the respondents said they think stopping online fraudsters at their first attempt is more important than making it fast and easy for customers to transact online. Respondents were required to choose only one; many said both are equally important.

Almost two-thirds of the respondents said they are more at risk for collecting personally identifiable information than their customers are for providing it.

About two-thirds of the respondents said they need fraud prevention for only one of the three types of web transactions. About one-third require fraud protection for two or more of the three types of web transactions, with almost 20% needing fraud protection for all three.

Respondents were asked to select as many of these transaction types as applied to their business. The percentages reflect at least one selection marked for a category. About 44% of respondents require fraud protection for card-not-present payments, while about 12% cited new account creation and 5% account logins.
We’ll ask these questions at the Electronic Transaction Association conference back in Las Vegas in a few weeks to find out how their answers compare with the MRC results…be sure to check back.
- Tom
Slightly more than half of the respondents said they think making it fast and easy for customers to transact online is more important than stopping online fraudsters at their first attempt. Respondents were required to choose only one; many said both are equally important.
Tags: Merchant Risk Council, MRC
Posted in Online Credit Card Transactions, Online Fraud Trends
Posted on March 15th, 2010 by Tom Grubb
The Internet Crime Complaint Center (IC3) just published their 2009 Annual Internet Crime Report. The IC3 was established in 2000 “as a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI) to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cybercrime.”
The number of complaints received in 2009 increased from 275K to 336K (up 22%) and the dollar losses nearly doubled from $264M to $560M. The data reported by the IC3 in terms of big scary web fraud numbers published elsewhere don’t really move the needle on the fear factor scale, but the percentages show Internet fraud as an industry that experienced considerable growth in 2009.
The IC3 report describes the top Internet scams for 2009, each with its own descriptive name: Hitman Scam, Astrological Reading Scam, Economic Stimulus Scam, Job Site Scams, and Fake Pop-up Ads for Anti-Virus Software; each scam uses one or more tools-of-the-trade including email, online money transfer services, spam, viruses, Trojans, and key loggers. The report understates the importance that anonymity affords cybercriminals: “…it is also vital to gain insight into who the typical perpetrators are. This can prove to be difficult in the world of cybercrime, where a mask of anonymity can impede law enforcement efforts.”
The risk of fraud lives anywhere on the web where someone can create a new account, pay with a credit card, or log in, giving fraudsters enough targets to cherry-pick the ones they want to hit. ThreatMetrix’s own Alisdair Faulkner describes the problem this way in a new white paper:
Online fraud is an asymmetric problem because fraudsters can quickly adapt their methods to exploit weaknesses in online fraud protection systems. Cybercriminals take advantage of automation, tools, shared knowledge, and expertise to commit crimes while their targets—virtually any organization doing business online—are at a disadvantage due to IT scheduling, shortage of trained people, fixed processes, applications and verification services that do not leverage the investment of others.
In other words, cybercriminals hold the high ground in the war on fraud. Faulkner’s new white paper coincides with our announcement today of ThreatMetrix Fraud Network–our next-generation web fraud solution to help companies stop online fraud and accelerate e-commerce. Since ThreatMetrix’s U.S. launch in January last year, we presented our fraud prevention SaaS as a device identification solution. Device ID (aka device fingerprinting) drew a lot of interest and attention last year helping to propel our customer base to over 100 customers–and growing fast. The ThreatMetrix Fraud Network delivers unparalleled control over fraud and abuse from the cloud without requiring PII, integrated “out of the box” with anti-fraud, authentication and identification applications that leverage our proven device identification capabilities:
- Fully integrated fraud solution for account origination, account takeover and card not present purchases
- Customer accessible rules that enable anyone to tailor ThreatMetrix to their business
- No Personally Identifiable Information required
- Cost effective, easy to install and easy to maintain
- Easy to deploy and integrate with existing applications and processes
- Real-time operation and information delivery
- Proxy piercing device identification that stops fraud at the point of origination
- Enterprise and global fraud intelligence
You can learn more on our new website where you can download Alisdair’s white paper and watch his video on the ThreatMetrix Fraud Network.
- Tom
P.S. We’ll be at the Annual Merchant Risk Council event in Las Vegas this week; if you’re attending, stop by our booth #604.
Tags: Account Login Fraud, Card Not Present Fraud, CNP fraud, New Account Origination Fraud, ThreatMetrix Fraud Network
Posted in Device Identification, Uncategorized
Posted on February 25th, 2010 by Tom Grubb

The latest installment in our Gromyko and Natasha comic series that has the two fraudsters heading for the 2010 MRC Conference will give you a smile, but money transfer fraud is no laughing matter.
You still hear the expression “wire me some money,” an artifact from the old Western Union days of telegraph to describe a money transfer transaction that puts cash in the hands of someone in a far-flung destination. The expression never achieved the generic status of “hand me a Kleenex” or “Xerox it” so perhaps it’s time to update “wire me some money” to “CNP me some cash.” The globalization of labor and the World Wide Web have greatly increased the volume of money transfers from one country to another. Naturally, where you find the capability to convert e-funds to cash from point A to point B overseas there’s bound to be a global population of hard-core cyber criminals, fraudsters and scammers diligently trying to figure out how to cash in on these transfers.
You can find a mountain of articles and information about these kinds of scams, but here’s one that’s a personal story that someone shared on Yahoo Answers that frames the problem in a very personal way. “Bobby B” was duped by a 419 fraud (the 419 moniker has its origin in the section of the Nigerian penal code that addresses fraud schemes).
“Bobby B” says he was tricked into believing he was helping an online friend he met on ESPN that wired him $865 to a bank account Bobby B opened to help him. He confirmed with the bank that the money was clear, and then he wired the money to his US bank account. Bobby B then contacted his “friend” who had told him that the money was for his son who went to a private school about ten miles from Bobby B’s location. Bobby B asked his friend what the address of the school was, and the scammer gave him a Nigerian address with instructions to send the money and threatened to drain all of Bobby B’s bank accounts and steal his identity. Bobby B panicked and made two money transfers using Western Union to the scammer’s address. Poor Bobby B didn’t realize yet that the funds were fraudulent, relying on the bank representative that confirmed the funds were cleared. The other shoe dropped on Bobby B’s head when his bank contacted him to notify Bobby B that the $865 funds were fraudulent.
Bobby B goes on to advise “never to trust anyone you have not met in person or online.” This scammer invested a year in Bobby B to gain his trust until he felt the time was right to bilk him out of his money. In this example, device identification would have likely exposed the true location of the computer of the scammer thereby exposing his scheme well before it was successfully executed.
If you want to learn more about money transfers, check out SendMoneyHome.org. The site was started by the UK Government’s Department for International Development (DFID), “to bring clarity and transparency to the remittances sector for migrant communities living and working in the UK who send money home.” The web site has lots of great information about sending money overseas including a comparison tool that lets you see your provider options based on country of origin and destination for the funds.
- Tom
Tags: Money Transfer
Posted in Account Compromise, Credit Card Transactions, Device Fingerprint, Device ID, Device Identification, Identity Theft, Online Credit Card Transactions, Online Fraud
Posted on February 10th, 2010 by Tom Grubb

Consumer, protect yourself. That’s the big takeaway from a new report by Javelin Strategies, supported by the Better Business Bureau, which found that the number of identity fraud victims in the United States has jumped by 12 percent to 11.1 million adults – the highest increase to date since the survey started in 2003 – while the total overall fraud amount increased by 12.5 percent to $54 billion.
Here’s one of the key findings from the report that should make consumers and businesses shudder: The number of fraudulent new credit card accounts valid anywhere increased to 39 percent, up from 33 percent in 2008. New fraudulently-opened Internet accounts more than doubled over the previous year.
That means more cyber criminals are using stolen identities to manufacture new credit card accounts for a more lucrative spending spree. James Van Dyke, founder and president of Javelin, in an interview with Bank Systems & Technology explains that new accounts fraud “…are the most damaging types of fraud…they typically have higher dollar amounts and if somebody establishes an account in your name, you’re less likely to know about it.”
But take heart: according to one web site’s read on the report there’s some good financial news too: the mean fraud amount per victim dropped 0.3%, from $4,858 to $4,841—that’s good news?
So what’s the answer for consumers? Protect yourself. Indeed, the commentary by those who sponsored or produced the report is consistent on this point. And this theme appears over and over again from technology companies, banks, consumer protection organizations and more. The problem is, even if every consumer was vigilant on all fronts to protect their identity, the bad guys have the edge because they are far better armed, organized, more motivated, highly compensated and technologically advanced. The average consumer doesn’t stand a chance—if someone wants to steal your credentials they’re going to do it. The problem is compounded by the explosion of social media that soaks up more and more personal information (Facebook just topped 400 million users) which opens even more doors for fraudsters.
The Javelin report is just another indicator that privacy, security and convenience are on a collision course that is bound to force big changes in the way we interact on the Web.
- Tom
Tags: Javelin Strategies Research
Posted in Account Compromise, Analysts and Research, Device Fingerprint, Device Identification, Identity Theft, online banking, Online Credit Card Transactions
Posted on February 3rd, 2010 by Tom Grubb

I remember when I was a kid in the late 60s when my parents hauled me down to the local savings and loan at the market to open my very own savings account. I still remember the feel of the green cloth cover on the 5 x 7 booklet that the smiling banker slid across the desk to me. My passbook told me everything I needed to know; I didn’t have to log in and it always told me my meager balance–without batteries, keyboard or glowing display.
It all seems rather quaint compared with the modern online banking system. Now you can accomplish the same task and much more without ever leaving your home thanks to online banking. You can transfer money, pay bills and even register a new account from the comfort of your browser. All of this exposes banks and customers to a whole new breed of fraud that worries banks and consumers.
ThreatMetrix just announced the results of a new research report in online banking based on a survey conducted in Q4 2009 and performed by Gatepoint Research. Over 2K senior level executives, with 66% of the respondents employed by companies having annual revenues of $5 billion or more, were invited to participate.
Key findings in the report include:
- Respondents overwhelmingly cited new credit card applications (56%) as the top risk of financial loss from fraud.
- Over half of the respondents stated that CNP (card not present) purchases carry the most risk of loss.
- 65% of respondents predict an increase in online fraud attempts using stolen or synthetic customer credentials over the next 18 months.
Click here for the full report complete with charts.
Tom
Posted in Account Compromise, Credit Card Transactions, Device Fingerprint, Device ID, Device Identification, Identity Theft, New Account Registration, online banking, Online Fraud Trends