Author Archive

Are Virtual Goods worth stealing? It's a virtual certainty

Posted on September 28th, 2009 by Tom Grubb

Fraud is no stranger to Virtual Goods

If someone told me a few years ago that people would pay real money for goods that aren’t real—virtual goods that only exist in digital form—I would have joked that I had a virtual Brooklyn Bridge to sell them. Well the laugh’s on me if the buzz at the Virtual Goods Conference in San Jose this week is any measure of where the VG industry is today and where it’s heading. There’s real money changing hands for virtual goods in social gaming and lots of people are working hard to figure how to make it pay even more.

If you’re new to the world of virtual goods, here’s a great overview written by Lora Abe, director of marketing for Gambit, a leading payments engine for online games. Gambit’s booth was right next to ours at the conference (thankfully they let us play their pinball machine during the low-booth-traffic intervals).

Privacy vs. Security: Can Device Identification Give You Both?

Posted on September 15th, 2009 by Tom Grubb

I wish all of the websites I do business with would fingerprint my computer to validate my identity. I’d sleep better at night knowing that computers used by criminals attempting to steal from me would be barred from entry because their computer’s unique fingerprint could never match that of my computer. I know more than the typical consumer about the high risk that goes with entering your PII (personally identifiable information) like your mother’s maiden name and social security number into a web form. I also know that it’s getting very hard not to surrender PII to accomplish anything of substance online.

Dr. Larry Ponemon knows a lot about what consumers are thinking about when it comes to their online privacy. He founded Ponemon Institute, dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Several months ago we asked Dr. Ponemon to look into what consumers think about having their computers fingerprinted as a means to help protect them from online fraud.

Ebates for rebates: device identification stops fraud in affiliate marketing

Posted on September 10th, 2009 by Tom Grubb

I am one of those consumers who disappoints companies by following through on rebates. Last week I meticulously followed all the rebate instructions for $60 back on a new set of tires for my car. Time will tell if I followed their detailed instructions to the letter like writing the name of the rebate program on the envelope EXACTLY where they wanted me to. Many of the companies offering rebate programs are counting on buyers not to remember to mail the coupons—a phenomenon known in the industry as breakage, or the shoebox effect. Or they count on “slippage” where the consumer has their rebate fulfilled but they lose or forget to cash the check. I am not one to “break” or “slip” when it comes to rebates—and the popular online cashback shopping site Ebates is no exception.

Ebates makes it easy to save money shopping by splitting the commission paid by the online stores in their network with you, the buyer. All you do is join Ebates (it’s free) and pass through the Ebates website to a partner store to make a purchase. Then Ebates pays members their portion of the commission as a rebate.

Fraudster seeks SWF with loaded bank account willing to be duped

Posted on September 2nd, 2009 by Tom Grubb

ThreatMetrix helps keep Mystery Date fun by keeping fraudsters out

“Will your mystery date be a dream…or a dud?” That was a line I remember from a commercial for a board game called Mystery Date that was popular in the late sixties. I remember my sister playing the game with her friends, each trying to assemble the perfect matching outfit for a shot at a “dream date.” Forty years ago game maker Milton Bradley’s idea of a dream date was bowling, skiing, beach or a formal dance. Now with online dating the norm, a dream date would mean your mystery date isn’t a fraud trying to fool you into sending them money.

Trust is the bedrock on which online dating services are built. If members start to feel unsafe in the dating pool then they’ll opt out or try a different service. Online dating services understand this dynamic and some go to great lengths to try and keep the criminal element out. These are often sophisticated criminals working from offshore. CTO and co-founder of Date.com Chris Covino told Inc. Magazine that they “found many crime rings employed multiple teams that focused on different parts of a fraud operation.”

Patience is the virtue that pays when it comes to online fraud

Posted on August 21st, 2009 by Tom Grubb

Chinese symbol for patience -- the virtue that pays for cyber criminals

I can imagine the thrill an online fraudster must get when he breaks into a bank—quietly clicking away at his browser in the comfort of his home checking the victim’s account balances to see if the balance is high enough to justify the added risk of proceeding to drain the account. With so many more potential targets to find and monitor, why not wait to strike when the moment is right and the payoff is huge? That’s exactly what the sophisticated fraudsters do: they wait because they know time is on their side.

The New York Times reports that Unspam Technologies filed a lawsuit against “gangs based in Eastern Europe that electronically break into business computers, steal banking password and transfer themselves money.” Unspam wants to get the names of the hackers by way of the banks and their customers who have been compromised. Unspam’s lawsuit invokes the federal Can-Spam Act, aiming at the email messages that are often the means by which consumers’ computers are compromised.

The critical enabler of these crimes is consumer computers infected with malicious software by cyber criminals who then monitor their activity in order to learn passwords and use them to impersonate the consumer. The sheer number of infected computers is staggering; estimates put the number in the tens of millions worldwide. Fraudsters have the luxury of time on their side and the advantage of powerful technology that enables them to maximize the return on their efforts. The technology is sophisticated enough to alert the hackers “once their computers find they have gained access to the computer of someone who controls a lot of money.” They watch for consumer behaviors—like wiring money to other banks—that offer the biggest payoffs.

McAfee and Symantec among others offer consumers tools to help prevent and clean up the viruses that give control and power to the fraudsters, but they are not foolproof, nor does everyone use them. Banks and companies doing business on the worldwide web invest in technologies to identify and prevent criminals from infiltrating their business—it’s in their best interest to protect themselves and their customers. The lawyer for Unspam, Jon L. Praed, told the NYT “he hoped his John Doe lawsuit would encourage banks to improve their electronic defenses.” I’m not sure banks need more motivation to defend against crime, but they do need to continue to invest in more anti-fraud tools and people to stay ahead of the cyber criminals. Device identification is the new new thing to help banks and their customers keep the bad guys out.

- Tom

The New Perimeter in Online Fraud Detection: Device Identification is First

Posted on August 10th, 2009 by Tom Grubb

Device ID first in the line to stop online bank fraud

As if we needed another real-world story as proof that online fraudsters are getting far more sophisticated and getting away with their crimes, Bank Technology News gives us a doozy. “On the Backs Of Mules: An ACH Fraud Scheme” tells the story of how fraudsters with a well-thought-out plan infiltrated a community bank by way of an innocent customer’s credentials. They then used intermediaries to steal tens of thousands of dollars—less than the amount at risk but still a lot of money for the not-for-profit bank customer.

The story is a compelling read that offers lessons for banks and any organization doing business online. There are three approaches to detecting fraud that rely on different kinds of data: behavioral data, personal data and device data. The only fraud detection approach that does not require any information about or from the person is device identification. That doesn’t mean that one approach is better than another—but device identification does bring a new dimension to online fraud prevention that is very effective by itself or additive to other fraud prevention technologies.

Had device identification technology been in place when the fraudsters in this story first attempted to log in to the bank with stolen credentials, ThreatMetrix would have identified the computer(s) and might have turned them away based on information gleaned from their machine/session, including: a negative reputation from known experience elsewhere on the worldwide web, a match to a local blacklist of “bad” computers, velocity checks that revealed suspicious behavior, or use of a hidden proxy attempting to mask an IP address or true geographic point of origin. Device identification could have stopped the fraudsters before they gained access to the bank for reconnaissance.

Had the fraudsters successfully gained entry by way of stolen credentials, then behavioral fraud detection would have monitored their activity early in their pursuit and likely identified anomalous behavior that would alert the bank to the scheme. Device identification isn’t a silver bullet to fight online fraud, but it is the new front line that can detect fraud in real time.

- Tom

Login Insecurity: IP Address Can't be Trusted to Authenticate Users

Posted on July 31st, 2009 by Tom Grubb

Have you ever tried to log in to a web application from a different location or different computer on the worldwide web and been challenged to authenticate your identity? More than likely the host relied on your IP address to determine your identity. Whenever I encounter a challenge to my credentials as a result of my location (IP address) it’s an annoyance that doesn’t make me feel any more secure.

The idea of using data from the machine/connection is sound, but an IP address isn’t reliable as a source of information to authenticate your identity. More and more web sites like banks—where the risk at login is extremely high—rely on this method as a security feature to protect the login page. Some SaaS applications like Salesforce.com also use this method as a way to confirm your identity. Salesforce.com describes this security feature this way:

“Our goal is to minimize the impact of the Identity Confirmation features by allowing established patterns of usage to continue unchallenged, so that users who log in from a known, trusted IP address are not affected. To exempt your users from having to take additional steps to log in, you can define a list of trusted IP ranges in the application.”

Given how easy it is to spoof an IP address I don’t see any circumstances when a “trusted IP address” can truly be trusted. And besides the spoofing issue, using IP for authentication is not very convenient for the mobile worker on a laptop who frequently logs in to a SaaS application while on the road. On the other hand, a device fingerprint (done right) would make a highly reliable factor to authenticate an identity—and once you have established the device’s identity you can cross-reference it to more data to get a complete risk profile that helps you decide whether to let the website visitor in, challenge them, or turn them away.
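As an added illustration of the two entries above (the device signals listed in the August 10 post and the trusted-IP argument here), the following Python is example code, not ThreatMetrix’s own implementation: it derives a device fingerprint from attributes the connecting machine reports, scores a login attempt on the device-side signals the posts name (local blacklist, negative reputation, velocity check, hidden proxy, whether the device is already known for the user), and lets a trusted IP range shave only a little risk, never enough to override device evidence. The attribute names, weights, thresholds and the sample devices are assumptions made up for the demo.

```python
"""
Added example, not ThreatMetrix's own code: a login risk decision in which the
device fingerprint is the primary factor and a "trusted IP range" is only a
weak supporting signal. Attribute names, weights and thresholds are assumptions.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


def device_fingerprint(attrs: dict) -> str:
    """Hash a canonical ordering of attributes reported by the connecting device."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_attrs: dict             # e.g. user agent, screen size, time zone (assumed names)
    proxy_detected: bool = False   # a hidden proxy was observed on the session
    velocity_flag: bool = False    # a velocity check elsewhere flagged this device


@dataclass
class RiskContext:
    known_devices: dict = field(default_factory=dict)  # user -> set of fingerprints
    local_blacklist: set = field(default_factory=set)  # fingerprints denied locally
    reputation: dict = field(default_factory=dict)     # fingerprint -> 0..100, higher is worse
    trusted_ip_ranges: list = field(default_factory=list)


def score_attempt(ctx: RiskContext, attempt: LoginAttempt):
    """Return (decision, score, fingerprint, reasons) for one login attempt."""
    fp = device_fingerprint(attempt.device_attrs)
    score, reasons = 0, []
    if fp in ctx.local_blacklist:
        score += 100
        reasons.append("device on local blacklist")
    rep = ctx.reputation.get(fp, 0)
    if rep >= 50:
        score += rep
        reasons.append(f"negative reputation {rep}")
    if attempt.proxy_detected:
        score += 40
        reasons.append("hidden proxy")
    if attempt.velocity_flag:
        score += 30
        reasons.append("velocity check")
    if fp in ctx.known_devices.get(attempt.user, set()):
        score -= 30  # device previously seen for this user
    else:
        reasons.append("new device for user")
    # A trusted IP range trims a little risk but never outweighs device evidence,
    # because the address is easy to spoof or to reach through a proxy.
    ip = ipaddress.ip_address(attempt.ip)
    if any(ip in net for net in ctx.trusted_ip_ranges):
        score -= 10
    score = max(score, 0)
    decision = "allow" if score < 30 else ("challenge" if score < 80 else "deny")
    return decision, score, fp, reasons


# Constructed demo devices (attribute values are made up).
ALICE_LAPTOP = {"ua": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1280x800", "tz": "-480"}
UNKNOWN_PC = {"ua": "Mozilla/5.0 (X11; Linux)", "screen": "1024x768", "tz": "+120"}
BAD_PC = {"ua": "Mozilla/5.0 (Windows NT 5.1)", "screen": "800x600", "tz": "+180"}
REPUTED_PC = {"ua": "Mozilla/5.0 (Macintosh)", "screen": "1440x900", "tz": "+60"}


def build_demo_context() -> RiskContext:
    ctx = RiskContext(trusted_ip_ranges=[ipaddress.ip_network("10.0.0.0/24")])
    ctx.known_devices["alice"] = {device_fingerprint(ALICE_LAPTOP)}
    ctx.local_blacklist.add(device_fingerprint(BAD_PC))
    ctx.reputation[device_fingerprint(REPUTED_PC)] = 60  # seen misbehaving elsewhere
    return ctx


def run_demo():
    """Decisions for four constructed attempts, in order."""
    ctx = build_demo_context()
    attempts = [
        LoginAttempt("alice", "10.0.0.5", ALICE_LAPTOP),                        # known device, trusted IP
        LoginAttempt("alice", "10.0.0.5", UNKNOWN_PC, proxy_detected=True),     # trusted IP, new device via proxy
        LoginAttempt("alice", "203.0.113.9", BAD_PC),                           # blacklisted device
        LoginAttempt("alice", "198.51.100.2", REPUTED_PC, velocity_flag=True),  # bad reputation plus velocity
    ]
    return [score_attempt(ctx, a)[0] for a in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The second attempt is the one that matters for this post: it comes from inside the trusted range yet is challenged, because the device is unknown for the user and sits behind a proxy. Swapping the trusted-IP rule for a fingerprint that is already known for the user is what turns the first attempt into a silent allow.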

On the other side of login security there’s the dilemma of how to keep logins both safe and convenient. Ease of use is critical, as explained in this article by Usability Sciences Corporation Making Login Security Friendly. They point out that “users don’t want to ‘feel’ the complexity of the security measures being activated upon login; they just want to login at any time and enjoy effortless transactions. If a user cannot login, the visit is over, or at the very least, cut short.”

Two of the big advantages that device identification as a factor to authenticate a user offers are 1) its transparency; authentication takes place in a second or two without placing any burden on the web site visitor and 2) the authentication takes place in real-time so you can decide instantly whether to expedite entry of a known customer or stop the fraudster from ever gaining entry.

- Tom

Fraudsters vs. Gamesters: It's a whole new game

Posted on July 17th, 2009 by Tom Grubb

Fraudsters vs. Gamesters: It's a new game

Attention social gamers: online fraud has officially arrived. All the players at the table (Nickelodeon, PopCap, Epic Games, Big Fish, really everyone) are exposed to cybercrime. As evidence look no further than Offerpal Media’s announcement yesterday of OfferpalSECURE, a new security and fraud prevention product just released with several new features.

Fraud you ask? In casual gaming? Bet on it. Offerpal’s press announcement yesterday says “security experts estimate that when left unchecked, as much as 50% of a gaming publisher’s transactions for intangible goods like virtual currency can be fraudulent, especially if player-to-player transfers are allowed.” TrustWho Founder and CEO Marcus Eikenberry, whose company offers anti-fraud technologies and services to the video game industry, goes on to say “and the problem will get worse if it isn’t tackled immediately, because scammers and hackers only become emboldened by their early successes.”

Check out Offerpal’s blog entry for more insights into fraud and casual gaming. It’s worth noting that “machine fingerprinting” (device identification) is called out as a means to prevent fraud such as when scammers attempt to use multiple accounts “in order to game the system.”

ThreatMetrix will be at the Casual Connect conference in Seattle next week as a conference co-sponsor; stop by and visit us and Offerpal if you’re there.

- Tom

Can Device Identification Help Prevent Fraudsters from Using Your Personal Data Against You?

Posted on July 9th, 2009 by Tom Grubb

Social Security Numbers: Device ID can take the risk out of gambling with your personal data

According to a new study by researchers at Carnegie Mellon University it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers, personal private data that until now was considered reasonably safe from intelligent guessing by networks of compromised computers.

Here’s an excerpt from the Carnegie study that spells out the problem:

“Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], ‘botnets’ of compromised computers allow attackers to test, cheaply and covertly, vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.”

Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” is consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on the ability for us to identify that we are who we claim to be without our physical presence; this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.
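To make the distribution problem in the excerpt concrete, here is an added Python example (not code from the Carnegie Mellon study or from ThreatMetrix) that runs one constructed log of failed verification attempts through two counters: the per-IP, per-institution lockout the study describes, and a count keyed on a device identifier that is shared across services. The log, the device IDs, the service names and the threshold of three are all assumptions made up for the demo; a single device rotating through proxy addresses and spreading two guesses per service never trips the first counter but is caught by the second, while a genuine user who mistypes twice from one device is blocked by neither.

```python
"""
Added example, not code from the Carnegie Mellon study or from ThreatMetrix:
the same constructed log of failed verification attempts counted the way the
study says institutions do (per source IP, per service) and keyed on a device
identifier pooled across services. Field names and thresholds are assumptions.
"""
from collections import Counter

FAIL_THRESHOLD = 3  # the study cites blacklisting after 3 or more failed attempts

# Constructed log: (service, source_ip, device_id, target_account, outcome).
# One device (dev-7a1c) rotates through proxy IPs and spreads two failed guesses
# at each of three services; a genuine user (dev-legit) mistypes twice, then succeeds.
ATTEMPTS = [
    ("bank-a",   "203.0.113.1",  "dev-7a1c",  "acct-42", "fail"),
    ("bank-a",   "203.0.113.2",  "dev-7a1c",  "acct-42", "fail"),
    ("broker-b", "198.51.100.7", "dev-7a1c",  "acct-42", "fail"),
    ("broker-b", "198.51.100.8", "dev-7a1c",  "acct-42", "fail"),
    ("telco-c",  "192.0.2.30",   "dev-7a1c",  "acct-42", "fail"),
    ("telco-c",  "192.0.2.31",   "dev-7a1c",  "acct-42", "fail"),
    ("bank-a",   "10.0.0.5",     "dev-legit", "acct-42", "fail"),
    ("bank-a",   "10.0.0.5",     "dev-legit", "acct-42", "fail"),
    ("bank-a",   "10.0.0.5",     "dev-legit", "acct-42", "ok"),
]


def failures_per_ip_per_service(events):
    """What each institution sees on its own: failures keyed by (service, ip)."""
    counts = Counter()
    for service, ip, _dev, _target, outcome in events:
        if outcome == "fail":
            counts[(service, ip)] += 1
    return counts


def failures_per_device(events):
    """Failures keyed by device id, pooled across services (shared reputation)."""
    counts = Counter()
    for _service, _ip, dev, _target, outcome in events:
        if outcome == "fail":
            counts[dev] += 1
    return counts


def blocked(counts):
    """Keys that reached the lockout threshold."""
    return {key for key, n in counts.items() if n >= FAIL_THRESHOLD}


def services_touched(events, device_id):
    """Distinct services a given device has been seen at."""
    return {service for service, _ip, dev, _target, _outcome in events if dev == device_id}


if __name__ == "__main__":
    print("blocked per IP/service:", blocked(failures_per_ip_per_service(ATTEMPTS)))
    print("blocked per device:    ", blocked(failures_per_device(ATTEMPTS)))
    print("dev-7a1c seen at:      ", sorted(services_touched(ATTEMPTS, "dev-7a1c")))
```

The per-device counter only works as shown if the identifier survives the proxy hop and is visible to all three services, which is exactly the “negative reputation from known experience elsewhere on the worldwide web” signal the August 10 entry describes; a device identifier that each institution computes in isolation would see only two failures per service and block nothing.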

Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:

  • Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
  • Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from web site visitor
  • Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts

Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?

How Device Identification Helps Keep The Three Doors to Online Fraud Closed

Posted on June 29th, 2009 by Tom Grubb

Three gateways to fraud

What’s the difference between a fraudster scamming an airline and one scamming a social gaming site…or an etailer or a dating site? Fraud is always a game of deception for some purpose whether it’s stealing money or online gaming for free. But the strategy and tactics employed by a fraudster can be quite different depending on the target and objectives.

In the past two weeks ThreatMetrix attended or sponsored several industry-focused events: Internet Retailer Conference and Exhibition, The Airline Reporting Corporation (ARC) Fraud Prevention Conference, The Social Gaming Summit and iDate 2009. Each industry gathering had its own spin on fraud concerns but they all had this in common: everyone is more concerned than ever about the rapid spread of online fraud.

At the ARC conference I heard about the latest and greatest schemes to defraud airlines. They illustrate the complexities unique to online ticketing. The number of entities in the chain between consumer and merchant combined with the complexities of booking travel on a global scale in real-time pose serious challenges to fighting fraud. Credit card fraud was top of mind at ARC, but there are three possible points of entry online that present fraudsters with opportunity to pursue their objectives: new account sign-ups, account logins and online purchases.

Which of the three poses the highest fraud risk to your business depends on your business. For example, online dating and social gaming services are exposed to all three types of fraud, whereas etailers focus most of their fraud detection effort on preventing credit card fraud. This difference points to an important advantage in real time device identification: it’s very effective at detecting fraud across all industries, applications (new accounts, logins and card not present), fraud schemes, geographies and devices. Organizations typically employ multiple fraud fighting tools; device ID stands out for its unique ability to detect fraud (and identify customers) before you know anything about the person visiting your web site.

- Tom