Archive for the ‘Account Compromise’ Category

Reshipping: Where a Mule Makes an Ass of Himself…or Herself

Posted on October 27th, 2011 by Dan Rampe

A long time ago, online retailers caught onto cybercriminals using stolen credit card accounts to buy expensive consumer products online, then turning around and reselling them in Eastern Europe, North Africa or Russia. The retailers’ answer was to stop shipping goods to these places.

But, reports security expert Brian Krebs in his blog, KrebsonSecurity, “these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.”

Krebs points out, “There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as ‘Drops for stuff’ on cybercrime forums.”

The people “hired” to do the reshipping are variously known as reshippers, mules or drops. “The ‘drops,’” says Krebs, “are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

“A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the U.S. Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.”

Dropforrent.com is a kind of cyberspace fence operation that offers “clients” (cybercrooks) and “managers” (people who do recruitment scams) a percentage of what they steal. Krebs explains that Dropforrent pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products. Incidentally, if you do a search for Dropforrent online, you’ll get a score of websites warning you to stay away because the jobs the site offers are a scam.

In addition to electronics, Krebs says, “Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.”

Reproduced here without editing, a page captured by KrebsonSecurity.com (http://krebsonsecurity.com/wp-content/uploads/2011/10/applestore-directinstructions.html) gives an example of the standard operating procedure handed to mules:

Use your applestore-direct.com Account to:

- Check a shedule about package deliveries
- Send messages to your manager
- Edit Your Default address and shipping address
- Upload your resume and documents for an approvement
- To check total scores and money you earn

IMPORTANT INFORMATION ABOUT SCORE AND PAYMENT SYSTEM:
YOU WILL RECEIVE APPROXIMATE 40 PACKAGES FOR MONTH
YOUR SALARY BASED ON THE 2000$ MONTHLY PAYMENT, STARTING FROM THE SHIPPING FIRST PACKAGE
AND THERE IS A BONUS SCORE SYSTEM
FOR EVERY SHIPPED PACKAGE YOU GET A SCORE
10-SCORES IF YOU SHIPPED A PACKAGE ON THE SAME DAY BEFORE THE NEXT DAY NOON
5-SCORES IF YOU SHIPPED A PACKAGE ON THE NEXT DAY
0-SCORES IF YOU DELAYED PACKAGEs SHIPPING FOR 3 DAYS AND MORE

ON YOUR PAYDAY THE SCORES WILL BE CHANGED TO MONEY AND ADDED TO YOUR TOTAL INCOME IN RATE OF
10 SCORES-50$
5 SCORES-25$
3 PENALTIES- MINUS 100$

PENALTIES CAN BE USED BECAUSE OF ANY SHIPPING DELAYS, NOT CONTACTING YOUR REGIONAL MANGER IN TIME, NOT COMPLETED ORDERS,
MISSED PACKAGES TO YOUR ADDRESS WITHOUT ANY REASONS

Krebs observes, “Well-run reshipping schemes can launder huge volumes of stolen goods in a relatively short time. The minimum order dropforrent.net accepts is $300. Records at dropforrent.net show that since the beginning of this year, drops hired through one front site have shipped more than 800 orders — at least a quarter million dollars worth of stolen goods.”

And, the best part about the scam from the cybercriminals’ point of view? If anything happens, the drop or reshipper or mule is the person the long arm of the law will snag.

For online businesses to avoid being victims of reshipping, the answer is ThreatMetrix. Device identification is the first and most effective layer in a multi-layered defense against cyber criminals. Offering transaction protection against hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used, from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.


OMG! Not Again! Sony Say It Ain’t So.

Posted on October 26th, 2011 by Dan Rampe

Okay, so maybe Sony can’t say it didn’t happen…again. It did. But, there is one bright spot from the latest hacking. The company learned something from previous break-ins.

As reported in Wired.com, hackers broke into more than 93,000 Sony customer accounts. Sony believed those customers used the same Sony login credentials to log on to other sites and that the other sites were hacked, providing access to the customers’ PII (personally identifiable information).

Phil Reitinger, Sony’s new chief information security officer, announced the break-in. Hired last month as part of Sony’s efforts to improve security after two previous break-ins, Reitinger had been Deputy Under Secretary of the National Protection and Programs Directorate and Director of the National Cyber Security Center at the Department of Homeland Security. Prior to that, he was Microsoft’s chief trustworthy infrastructure strategist.

What Sony learned from previous breaches was to get the bad news out as fast as possible. Last time it took Sony a week to tell customers that hackers had stolen the personal information of 75 million of its customers. And, there was no hurry to admit that breaches had taken place at Sony Pictures, Sony BMG and Sony Online Entertainment, the last of which resulted in the information of an additional 25 million customers being compromised.

This time it took Sony just two working days to fess up. The quick response may have been a reaction to a class-action lawsuit accusing Sony of failing to adequately secure data, depriving customers of the use of the network for an extended period of time (an almost Biblical 40 days) and failing to notify customers of the breach in a timely manner.

Reitinger explained hackers had tested a “massive set of sign-in IDs and passwords” at websites for several of its properties — Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE). Most of the login credentials failed to gain the intruders access, but about 60,000 credentials matched those used by SEN and PSN users, and another 33,000 matched credentials for SOE accounts.

Observed Reitinger, “[G]iven that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks.”

He noted that a “small fraction” of the accounts showed activity after they were breached, but that the intruders couldn’t access credit card account information. Sony had since locked all of the accounts accessed through the attack until customers could be notified to change their passwords.
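Reitinger’s reasoning (a flood of sign-in ID/password pairs from one source, the overwhelming majority failing, and the few that matched then locked pending a password change) can be written down as a detection rule. The following is an added example, not Sony’s or ThreatMetrix’s code; the log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data): "<epoch> <source_ip> <sign_in_id> <result>".
# One source replays 30 distinct sign-in ID/password pairs obtained elsewhere, of
# which 3 happen to match; a second source is an ordinary user who mistypes once.
_ATTACK_LINES = [
    f"13182{i:05d} 203.0.113.9 user{i:02d}@example.net {'OK' if i in (4, 17, 25) else 'FAIL'}"
    for i in range(30)
]
_USER_LINES = [
    "1318200040 198.51.100.7 user04@example.net FAIL",
    "1318200052 198.51.100.7 user04@example.net OK",
]
SAMPLE_LOG = "\n".join(_ATTACK_LINES + _USER_LINES)


@dataclass
class SourceStats:
    """Per-source counters over the sign-in log."""
    attempts: int = 0
    successes: int = 0
    ids: set = field(default_factory=set)          # every sign-in ID tried
    matched_ids: set = field(default_factory=set)  # IDs whose password matched

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Split one log line into (source_ip, sign_in_id, succeeded)."""
    _ts, src, sign_in_id, result = line.split()
    return src, sign_in_id, result == "OK"


def collect(log: str) -> dict:
    """Aggregate attempts, successes and distinct IDs per source address."""
    stats = defaultdict(SourceStats)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, sign_in_id, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.ids.add(sign_in_id)
        if ok:
            s.successes += 1
            s.matched_ids.add(sign_in_id)
    return stats


def triage(log: str, min_attempts: int = 20, min_distinct_ratio: float = 0.8,
           max_success_rate: float = 0.2):
    """Flag sources that look like credential replay and list accounts to lock.

    A source is flagged when it makes many attempts, spreads them over mostly
    distinct sign-in IDs (a legitimate user retries one ID) and succeeds only
    rarely (the pairs came from somewhere else). Accounts that *did* match from a
    flagged source are the ones to lock and notify for a password change.
    """
    flagged, to_lock = set(), set()
    for src, s in collect(log).items():
        spread = len(s.ids) / s.attempts
        if (s.attempts >= min_attempts and spread >= min_distinct_ratio
                and s.success_rate <= max_success_rate):
            flagged.add(src)
            to_lock |= s.matched_ids
    return flagged, to_lock


if __name__ == "__main__":
    sources, accounts = triage(SAMPLE_LOG)
    print("credential-replay sources:", sorted(sources))
    print("accounts to lock:", sorted(accounts))
```

The thresholds are deliberately loose for the tiny constructed sample; on production logs they would be tuned per time window and combined with other signals.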

Reitinger promised to “work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”

Including expenses for shoring up its network against future attacks, Sony estimated the breaches last spring would cost it more than $170 million.

If users don’t have to create a profile with personal information, such as birth dates, maiden names and Social Security numbers, to log on to a website, hackers can never have access to that information. Because the ThreatMetrix Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction, ThreatMetrix avoids the pitfalls of PII as an authentication method.

Customer confidentiality is respected at the same time online fraud is being detected.


The President Proclaims “National Cybersecurity Awareness Month” and Americans Cheer

Posted on October 5th, 2011 by Dan Rampe

Of course Americans would be cheering. Cybersecurity is one of the few things the President and Congress can agree on. Even the most ardent and partisan Republican Tea Partier would have to concede that when it comes to matters of the Internet and cybersecurity, the president has been all ears from the time he took office. As the President pointed out in the proclamation, “Early in my administration we began updating our nation’s cybersecurity programs and policies. We developed a comprehensive plan that ensures a coordinated national response to major disruptive cyber events.”

Noting that the Internet is a “strategic national asset,” the President maintained that protecting it was a “shared responsibility” and called for partnering with other nations and the public and private sectors to “ensure coordinated and planned responses to cyber incidents,” the same way resources are brought to bear to fight a natural disaster.

In the proclamation, the President called for expanded broadband access and smarter electric grids. He also referenced the “National Strategy for Trusted Identities in Cyberspace” with its “Stop. Think. Connect” campaign telling consumers to…well…stop and think before connecting. Will this slogan take its place with “Stop, look and listen” and “Only you can prevent forest fires” in the pantheon of memorable bon mots? Or will it become, like the Reagan administration’s “Just say no to drugs” or the Ford administration’s “WIN” (Whip Inflation Now), a monologue starter for Leno, Letterman et al.? Only time will tell.

Likening the creation of the Internet to putting a man on the moon as a great American achievement, President Obama declared:

“Now, therefore, I, Barack Obama, president of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim October 2011 as National Cybersecurity Awareness Month. I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.”

If your company needs more than “Stop. Think. Connect” to keep your customers from becoming victims of cybercrime, ThreatMetrix has the solution. The ThreatMetrix Cloud-Based Fraud Prevention Platform, which incorporates the ThreatMetrix™ SmartID cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, the cyber criminals never have access to personal information such as birth dates, maiden names and Social Security numbers.


At Toshiba, They Got Just About Everything But the Silverware and Credit Cards

Posted on July 28th, 2011 by Dan Rampe


Unidentified cyber criminals filched customer records belonging to 7,520 Toshiba customers when a Web server run by its U.S. sales subsidiary, Toshiba America Information Systems, Inc., was hacked. While the company reported that credit card details were not compromised, the email addresses, telephone numbers and passwords of hundreds of customers had been.

Said a Toshiba spokesperson, “We will continue the investigation and intend to thoroughly protect customers’ information and manage [related computer] systems to prevent a recurrence.” Customers potentially affected by the hack were reported to have been notified of the breach by Toshiba.

If Toshiba had been using ThreatMetrix solutions, would the outcome have been different? Decidedly different. That’s because ThreatMetrix fraud prevention solutions do not require the use of personally identifiable information (PII). The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, the cyber criminals never have access to personal information such as birth dates, maiden names and Social Security numbers.


Sega: Not to Worry. Your Credit Card Info Is Safe. Only Your Name, D.O.B., Email Addresses and Encrypted Passwords Were Ripped Off

Posted on June 29th, 2011 by Dan Rampe

At Sega, every cloud has that proverbial silver lining.

So what if thieves have everything but your Social Security number, keys to the front door and underwear size, at least your credit card information is safe — for now. Following security breaches to Sony, Nintendo, Bethesda Softworks and Square Enix comes the Sega online network break-in affecting some 1.3 million users. Along with it comes the now all-too-familiar exercise of “closing the barn door after the horse has escaped,” with Sega’s announcement that it is temporarily shutting down its online network, Sega Pass, to beef up its security.

Oh, and then there’s the standard apology. “We are deeply unlucky for causing distress to our customers. We wish to work on strengthening security,” said Yoko Nagasawa, a Sega spokesperson.

Apologies to Ms. Nagasawa, but instead of apologies, a better solution for Sega would be the ThreatMetrix solution. Because ThreatMetrix doesn’t require personally identifiable information (PII) to nail fraudsters, a security breach wouldn’t affect users’ personal information — because that personal information wouldn’t be where fraudsters could get to it in the first place! No more embarrassing mea culpas.

ThreatMetrix combines a computer’s packet signature data with transaction details and anonymized credentials (credentials that are obtained anonymously and unlinkably by the user) to differentiate between honest transactions and fraudulent ones.

Companies using the ThreatMetrix™ Cloud-Based Fraud Prevention Platform don’t have to seek silver linings. That’s because they have ThreatMetrix protecting their reputations from being tarnished.


“Trust the Wallet, Luke…Trust the Wallet”

Posted on June 7th, 2011 by Dan Rampe

To paraphrase Obi-Wan Kenobi’s advice to Luke Skywalker in Star Wars, Google wants users to, “Trust the Wallet.” The “Wallet” is the Google Wallet, a mobile payment service, which allows users to store credit cards, gift cards and redeem sales promotions on their mobile phones. Users pay by tapping their mobile phones on MasterCard PayPass-enabled terminals at store checkout.

For security, Google relies on the NXP PN65K NFC (Near Field Communication) chip in the Samsung Nexus S 4G smartphone (the only Google Wallet-enabling phone currently available) to prevent the Google Wallet from being picked, i.e., hacked. Google Wallet is activated when the user enters his/her PIN. (The NFC chip antenna is turned off until it receives the correct PIN.)

Google Wallet encrypts and stores user information on the “Secure Element,” a computer chip that stores users’ credit card digits. The chip is isolated from the phone’s operating system and hardware and uses cryptography (PKI [Public Key Infrastructure] and Triple-DES [Triple Data Encryption Standard]) and memory protection. And, only authorized programs like Google Wallet may access the Secure Element to trigger a transaction; Google Wallet itself cannot read or write data in the Secure Element’s memory.

With all these precautions, could a malicious application access a user’s credit card? Well, more than one security expert would suggest you hang onto your wallet, the old-fashioned kind.

McAfee’s Jimmy Shah believes Android applications would be relatively easy to reverse engineer, offering an attacker a way to extract the authentication key and create an application that simulates the Google Wallet application. The malicious application would then “fool” the Secure Element chip into giving up a user’s credentials.

Lookout Mobile Security CTO Kevin Mahaffey suggests that if the Google Wallet were widely adopted, the PIN might be dropped. This would open the door to a man-in-the-middle or ghost-and-leech attack where a hacker would use an NFC reader to swipe a mobile phone user’s credentials when the user made a purchase.

Alisdair Faulkner, ThreatMetrix chief products officer, observes, “The analogy I would use is that I can put my credit card in my wallet, but my driver’s license isn’t going to try and communicate with it in any way. Anywhere that you have stored value, that is going to be something that criminals are going to attack.

“Never before in history have we had this kind of financial data and credentials stored on a device, which we know fundamentally can never be trusted.”

Rather than relying on hardware that can be compromised or reverse engineered, ThreatMetrix solutions stop fraudsters by drawing upon hundreds of anonymous characteristics from a transaction and analyzing them in real-time. And, ThreatMetrix collects more device attribution from more sources, including Silverlight and HTML5. This makes it possible for ThreatMetrix to have more accurate device identification across more kinds of devices.


Google’s Chrome Makes It Easy as Pie to Trash Flash Cookies

Posted on May 9th, 2011 by Dan Rampe

Explorer 9 and Firefox 4 upgrades permit users to prevent sites from using cookies to track their movements. But, to delete Adobe Flash local shared objects (LSOs) or cookies, users had to go to the Adobe Flash Website.

Now Google Chrome, which is bundled with Flash, makes clearing Flash cookies as easy as…well…pie. All it takes is a few clicks from within the browser and the LSOs are gone. That may be great for user privacy, but it’s hell and dollars to pay for online merchants, banks and social networks, all of whom depend on cookies to stop fraudsters. In fact, today, banking on cookies detecting fraudsters has about as much chance of success as Osama Bin Laden’s relying on messengers.

So what do “smart cookies” do when cookies don’t work? They turn to ThreatMetrix SmartID™, which detects fraudsters even if they’ve wiped their cookies. Without cookies or cookie equivalents, ThreatMetrix SmartID enables companies to stop online fraud and, at the same time, protect customer privacy.

ThreatMetrix Announces Research Study: 85% of Consumers Feel Online Fraud is a Growing Concern

Posted on April 26th, 2011 by Dan Rampe

ThreatMetrix and the Ponemon Institute reveal the first set of findings from their 2011 consumer survey, focused on consumer awareness and confidence in online fraud prevention: “Consumers’ Reaction to Online Fraud.” Most notably, the study found that 85% of survey respondents reported being worried and dissatisfied with the level of online protection businesses are providing to stop fraudsters today. Forty-two percent of respondents indicated that they have been the victim of online fraud; of those, 80% said they did not report the crime, and only 19% said they reported it, and then only to the online business directly.

Other highlights of the findings include:

  • Survey respondents who expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.
  • Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.
  • Consumers have an overall positive perception about companies that use authentication and fraud detection tools to prevent online fraud. Fifty-six percent even indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.

The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.

The Real Story Behind the APWG Report: Online Payment Outlets Are Still Attracting the Biggest Risk

Posted on February 24th, 2011 by Dan Rampe

Findings from the recent APWG report reveal that fraud remains a serious issue in the credit card/payments information category. This is often downplayed to account for rises in cases in smaller categories such as Classified Advertising and Banking. These categories, however, account for less than 10% of all phishing cases. Statistics show that more than one-third of phishing attempts to steal credentials are directed at collecting credit card/payments information, making this the largest category affected by fraudsters.

One reason this issue may not seem as relevant might be the decrease in brand attacks since 2009. It is important to keep in mind, however, that while the number of brands hijacked by phishing attacks is down 22% from October 2009, fraudsters are finding unique ways to target specific brands through personalized phishing attempts that make these efforts more difficult to track.

According to ThreatMetrix Chief Product Officer Alisdair Faulkner in a recent Security Week article, the attacks on the credit card/payment information category may be decreasing, but continue to affect the largest number of people: “Unfortunately the pain is not just felt by the brands targeted by phishing attacks, it is every other online business that is then attacked with the stolen identity and credit card information,” he said.

Within a period of 24 hours (from Feb. 1 – Feb. 2) ThreatMetrix detected 135,000 fraudulent transactions attempted against 350 of the top online companies, data we pulled for Security Week.

Stolen consumer information continues to be a serious issue. It is essential that innovative efforts continue to block fraudsters before they have the opportunity to cause significant damage. Statistics like those gathered in the APWG report illustrate the rapid pace at which the fraud protection industry needs to move in order to maintain a solid approach to fraud prevention.

Will Virtual Goods Fraud Exceed Forecast Market Growth in 2011?

Posted on October 5th, 2010 by Tom Grubb

Virtual goods sales are expected to grow by 40 percent in 2011, according to a new study by Inside Network reported in the New York Times. That’s great news for virtual goods scammers: with more virtual goods exchanging hands there are more goods for the taking. And, with hundreds of millions of gamers logging in every month and thousands more creating new accounts every minute, virtual goods theft and cybercrime are bound to climb too. Will virtual goods theft rates grow even faster? I wouldn’t be surprised.

There are lots of creative ways for cybercriminals to make virtual crime pay real cash, and no doubt they will invent new ones. It will take more vigilance on the part of players to protect their personal identities and more investment by the gaming companies to protect their customers with next generation fraud control technology like ThreatMetrix—one of the companies mentioned in the report.

- Tom

P.S. Check out this new column by PayPal’s Peter Martin – he discusses the three threats facing digital goods vendors: account takeover, stolen financials and “not-so-friendly fraud.”