Archive for the ‘Analysts and Research’ Category

Would You Care for Some Wine and Identity Theft with Your Order?

Posted on October 19th, 2011 by Dan Rampe

 

For anybody who is unfamiliar with it, Queens is one of New York City’s five boroughs. It is the home of the New York Mets, JFK and LaGuardia airports, the U.S. Open tennis tournament and now, the biggest identity theft bust in U.S. history.

Restaurant workers, bank tellers and other service employees skimmed, swiped and scammed millions of dollars worth of personal credit information from thousands of American and European consumers. The cost to victims, financial institutions and retail business was more than $13 million over a 16-month period. Now 111 people are charged and 86 are in custody.

In New York, employees of banks, retail outlets and restaurants would skim credit card information while swiping customers’ credit cards. Others were tasked with stealing credit card information online.  The numbers were then handed off to teams who, using blank credit cards from overseas, forged Visas, MasterCards, Discover and American Express cards as well as fake IDs.

Sometimes the alleged crooks would employ an “impersonator,” an individual who contacted financial institutions or retail stores and impersonated the true cardholder to check on the actual cardholders’ credit.  After all, they probably didn’t want to get charged fees for going over their credit limits.

Anyway…

The bogus plastic was turned over to teams who went on spending sprees at higher-end stores including Apple, Bloomingdale’s and Macy’s in New York, Florida, Massachusetts and Los Angeles. During these shopping sprees, criminals used forged credit cards to stay at such five-star hotels as the Fontainebleau and The Royal Palm in Miami Beach and the high-end private villas of the El Conquistador in Puerto Rico. They are also alleged to have used forged credit cards to rent Lamborghinis and Porsches and, in one instance, a private jet to take them from New York to Florida.

The groups would then resell the merchandise that included iPads, iPhones, computers, watches and upscale handbags from Gucci and Louis Vuitton in China, Europe and the Middle East.

In addition to credit card fraud, twenty-four defendants were variously charged with burglaries and robberies throughout Queens County, including conspiring to commit a bank robbery. Five are charged with stealing more than $95,000 worth of cargo from Kennedy Airport and seven of stealing approximately $850,000 worth of computer equipment from the Citigroup Building in Long Island City.

“This is by far the largest – and certainly among the most sophisticated – identity theft/credit card fraud cases that law enforcement has come across,” said District Attorney Brown. “Credit card fraud and identity theft are two of the fastest growing crimes in the United States, afflicting millions of victims and costing billions of dollars in losses to consumers, businesses and financial institutions…. Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.”

The investigation involved physical surveillance, intelligence gathering and court-authorized electronic eavesdropping on dozens of different telephones in which thousands of conversations were intercepted. Many required translation from Russian, Mandarin and Arabic to English.

Indictments charge that Imran Khan, Ali Khweiss, Anthony Martin, Sanjay (a/k/a Rocky) Deowsarran and Amar Singh were “bosses” of the criminal enterprise.

In what could be considered an act of irony or chutzpa or both, one defendant, Nelson Feliciano, who owns a security firm, allegedly allowed others to make a counterfeit credit card using his business account information and to use that account to make $50,000 in purchases before claiming that the charges were fraudulent and that he was a victim of identity theft.

The indictment also alleges that Jonathan Ortiz, Wilfred Rodriguez, Travis Hassang, Angel Quinones and two other individuals, who have not been apprehended, were charged with stealing approximately $850,000 in computer equipment. In a stirring demonstration of motherly devotion, Jonathan Ortiz’s mother, Maria, has been charged with hindering prosecution by logging into her son’s Facebook account to create an alibi for him – allegedly.  Now, don’t you just hate it when parents insist on checking what their kids do online?

Govinfosecurity.com’s Managing Editor, Tracy Kitten, gathered analysis from security experts:

Gartner’s Avivah Litan says, “I think this does point out that U.S. law enforcement has beefed up multilingual capabilities in Russian, Mandarin and Arabic, which is critical to its activities, and is a big improvement over the situation pre-9/11.”

Aite Group’s Julie McNelley observes, “While the operation spanned the five continents, the focus of this bust appears to be the hub of the operation in Queens.”

Security author and writer Neal O’Farrell notes, “We know there are scams like this being run in almost every city, usually in the $500,000 to $1 million range. That usually makes them too big for local law enforcement to investigate and too small for federal agencies to pick up. The big problem we’re seeing is that because the low- to mid-level crooks and gangs are going unchallenged, they simply have more time to get better, perfect their art, steal more, and hide their tracks. By the time law enforcement uncovers them, there’s little left to prosecute.”

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all ThreatMetrix customers. The information is always up-to-date and always available. The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, lets financial institutions and others verify new accounts, authorize payments and transactions and authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.

 

 

 

 

 

Top Executives Gather for ThreatMetrix’s First Annual Fraud Fighters Summit

Posted on October 18th, 2011 by Dan Rampe

From October 9-10, more than 175 fraud fighters from around the world gathered in Monterey, California for the first annual ThreatMetrix 2011 Fraud Fighters Summit.  After enjoying the beautiful scenery of Monterey through a golf outing, as well as biking and kayaking tours, attendees participated in a packed conference that concluded with a private reception and dinner at the world-famous Monterey Bay Aquarium.

Presentations were spearheaded by ThreatMetrix executives, clients (including several Fortune 100 brands) and industry analysts, covering fraud issues that spanned across the online retail, mobile, government, financial services and social media sectors. Topics ranged from addressing organized stealth and cybersecurity, navigating the risk environment online and in the mobile channel, building an effective fraud prevention system, to challenges and opportunities in contemporary money movement.

Really hitting home the seriousness of fraud today was Julie Conroy McNelley, senior analyst with the Aite Group, and one of the first presenters of the conference. McNelley said that 73,000 new malware threats are being released every day, a 26% increase since 2010. One of the biggest targets? The mobile channel, especially the App Store. According to McNelley, the App Store is the “greatest malware distribution platform ever invented” because consumers are willing to download apps with little information about who created them.

With the prominence of data breaches this year, McNelley also said the cybercrime trend line will only increase as the true impact of the compromised data and accounts has yet to be fully realized (with many of the hackers trying to lie low for a while).

Stay tuned for more insight from McNelley and other fraud experts who presented at the ThreatMetrix 2011 Fraud Fighters Summit. Video interviews and photos of the event will be available in the days ahead.

In the interim, please view this video that opened the ThreatMetrix user conference.

 

 

79% of Online Consumers Afraid of Getting Ripped Off. A Third Say They’ll Buy More Online Than In-Store. Okay… So What IS In Store for Online?

Posted on September 16th, 2011 by Dan Rampe

Right up there — or down there — with recent approval ratings for Congress (15%) and the President (41%) are consumer approval ratings for not getting taken in online (21%).

A joint study — “Mobile Payments & Online Shopping Survey of U.S. Consumers” —  by ThreatMetrix and The Ponemon Institute, which is dedicated to advancing responsible information and privacy management practices in business and government, determined that three in four consumers have either some concerns (53%) or serious concerns (26%) about online fraud. Forty-three percent reported already having been victimized, up a full percentage point from a study done earlier this year.

Despite the fact that most consumers have doubts about Web security, one-third say they intend to buy more online than in brick-and-mortar stores this holiday shopping season. “While consumers continue to show a preference for the convenience of shopping and browsing online, their concerns about becoming a victim of online fraud are also growing,” said Bert Rankin, vice president of marketing, ThreatMetrix. “With mobile thrown into the shopping mix, which is even more apparent this year, consumers and retailers alike need to be well equipped against fraudsters in every possible channel.”

Rankin pointed out that nearly one in three consumers believed the fraud risk was lower on a smartphone or tablet than desktop or laptop. When a group of consumers considered extremely active Internet users were included, that number increased to 39%.

Huh?

Anyway…

According to Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, “Consumers who have a high propensity to use the Internet for shopping, banking, gaming, social media interactions, and other activities, appear to have a stronger sense of security online — which is not exclusive only to desktops and laptops.  While these users may be savvier when it comes to the digital channel, their safety net may not always be there. Online transactions are a two-way street. While they may think they’re taking the necessary precautions to avoid online fraud, the sites they’re visiting must also be implementing online fraud prevention tactics.”

Adds Julie Conroy McNelley, senior fraud and risk analyst at the Aite Group, “Mobile, in particular, is difficult to protect from fraud. With around 4,000 different device types to secure, it’s often a daunting task. On top of that, few consumers are using anti-virus or anti-spyware software on their mobile devices. Mobile, just like more traditional e-commerce transactions from a desktop, has the potential to become a hotbed for fraud.”

So what devices will shoppers use for Cyber Monday and the upcoming holidays? Forty-nine percent indicated they’d use their desktop or laptop. Thirty-seven percent opted for a smartphone, and 12% a tablet. In fact, one in four respondents already used their smartphone or tablet to make a mobile payment of some kind, with the majority using either PayPal or credit cards for the transaction.

Extremely active Internet users tended toward smartphones (49%) and tablets (17%) with only 34% saying they’d use their desktop or laptop. Of this group 40% said their online purchases would likely exceed ones done in-store.

The most popular purchases using a mobile payments option on a smartphone or tablet are music downloads (77%), online service subscriptions or memberships (75%) and apps for smartphone or tablets (73%). Consumer electronics ranked slightly above clothing, at 48% and 43%, respectively.

For a free Executive Research Summary of the “Mobile Payments & Online Shopping Survey of U.S. Consumers,” download it here.

On one point in the study, there was overwhelming agreement. A whopping 84% of survey respondents said they thought it was important that a retailer express a commitment to protecting them from fraud.  And protecting online companies from cybercriminals is what ThreatMetrix does better than anybody.

The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time — without relying on personally identifiable information (PII) such as birth dates, maiden names and Social Security numbers. And this protection is assured no matter which devices consumers may use.

 

Banks on Trial: ACH Bank Fraud Has Its Day In Court

Posted on August 6th, 2010 by Tom Grubb

A new article in BankInfoSecurity by Managing Editor Linda McGlasson asks the question whether fraud cases are a black eye for banking.  More and more bank customers suffering online fraud losses in the hundreds of thousands of dollars are going to court in an attempt to recover their losses.  Banks large (Comerica) and small (Ocean Bank of Portsmouth VA) are on trial in court and in the court of public opinion to defend against customer claims that they (the banks) are responsible for fraudulent losses.

The article calls into question what constitutes “reasonable security” from banking institutions to protect themselves and their customers from fraud. Good question. Two-factor authentication that uses the customer’s computer (device) and internet connection as a factor to mitigate risk in a banking transaction seems an obvious choice that not nearly enough banks have fully embraced (yet).

According to Rebecca Herold, an independent consultant, ACH fraud is the underlying cause to the recent incidents. She continues: “One primary reason that ACH fraud continues is because as the security “fixes” are made for the technology with the problems, new procedures are built specifically to address them. Then as the technology evolves and is implemented by the banks, new problems allow for ACH fraud to continue.”

What’s really at stake here are the reputations of the banks and whether customers will trust that they are doing all that they can to protect them from web fraud.  I don’t think public court battles between banks and customers have enough candle power to really move the needle with the online banking masses.  But they do nudge the needle and in time most banks will extend their security perimeter beyond traditional IT security solutions to include solutions that do more to protect against the new and growing threat of consumer facing bank fraud.  A black eye from bank fraud is the new new thing for brand damage that results from media coverage on the risks of doing business online—much like the big data breach headlines of yesterday (still going today…think Heartland Payment Systems.)

Commenting on consumer trust erosion that can result from publicized bank fraud “outings,” Tom Wills, a security, fraud and compliance senior analyst at Javelin Research quotes Benjamin Franklin: “It takes many good deeds to build a reputation, and only one bad one to lose it.”

- Tom

IRCE 2010 Report: What Internet Retailers Really Want for Christmas This Year

Posted on June 21st, 2010 by Tom Grubb

In a word, I would describe this year’s Internet Retailer conference in Chicago as this: more.  In fact, except for the number of servers walking the floor serving hors d’œuvres at the opening night reception it felt like there was more of everything compared with last year’s conference in Boston: more exhibitors, attendees, sessions—and more energy.  We can thank the Windy City citizens and their hockey team for injecting some additional energy into the conference when the winning goal gave the Chicago Blackhawks their first Stanley Cup in 49 years (as a native Chicagoan my thanks go to the Internet Retailer 2010 event planners for choosing Chicago for the show this year). My co-worker Dan waded into the Blackhawks celebration downtown where he got this video of himself touching the Stanley Cup as it made its way through the crowds.

If you’re an Internet retailer, it’s never too soon to be thinking about the Christmas holiday online shopping season—as evidenced by one of the exhibitors who decked their booth out with a Christmas motif and booth staff dressed in elf outfits.  Thanks to our annual booth survey at the IRCE we know what internet retailers really want for Christmas this 2010 season. We asked attendees at our booth to complete a brief survey to see what we could learn. The following results reflect surveys completed by 395 attendees.

Almost two-thirds of the respondents said they think making it fast and easy for customers to transact online is more important than stopping online fraudsters at their first attempt. Attendees at the 2010 Merchant Risk Council meeting were about evenly split on this question.

An overwhelming 88% majority said the business (website owner) bears primary responsibility for preventing fraud. The high percentage is counter to much of the prevailing push for consumers to take responsibility to protect their personal data and their computers.

No surprise here that about half said credit cards posed the most risk for loss to a web business--after all it is the Internet Retail conference. However it is noteworthy that half also said that logins and new accounts posed the most risk, a relatively high number for this audience.

- Tom

Privacy, Security & Convenience on a Collision Course

Posted on February 10th, 2010 by Tom Grubb

Consumer, protect yourself. That’s the big takeaway from a new report by Javelin Strategies, supported by the Better Business Bureau, which found that the number of identity fraud victims in the United States has jumped by 12 percent to 11.1 million adults – the highest increase to-date since the survey started in 2003 – while the total overall fraud amount increased by 12.5 percent to $54 billion.

Here’s one of the key findings from the report that should make consumers and businesses shudder: The number of fraudulent new credit card accounts valid anywhere increased to 39 percent, up from 33 percent in 2008.  New fraudulently-opened Internet accounts more than doubled over the previous year.

That means more cyber criminals are using stolen identities to manufacture new credit card accounts for a more lucrative spending spree.  James Van Dyke, founder and president of Javelin, in an interview with Bank Systems & Technology explains that new accounts fraud “…are the most damaging types of fraud…they typically have higher dollar amounts and if somebody establishes an account in your name, you’re less likely to know about it.”

But take heart: according to one web site’s read on the report there’s some good financial news too: the mean fraud amount per victim dropped 0.3%, from $4,858 to $4,841—that’s good news?

So what’s the answer for consumers?  Protect yourself.  Indeed, the commentary by those who sponsored or produced the report is consistent on this point.  And this theme appears over and over again from technology companies, banks, consumer protection organizations and more.  The problem is, even if every consumer was vigilant on all fronts to protect their identity, the bad guys have the edge because they are far better armed, organized, more motivated, highly compensated and technologically advanced.  The average consumer doesn’t stand a chance—if someone wants to steal your credentials they’re going to do it. The problem is compounded by the explosion of social media that soaks up more and more personal information (Facebook just topped 400 million users) which opens even more doors for fraudsters.

The Javelin report is just another indicator that privacy, security and convenience are on a collision course that is bound to force big changes in the way we interact on the Web.

- Tom

CSI: Did fraud kill the online customer?

Posted on November 16th, 2009 by Tom Grubb

fraud killed the online shopper

You don’t need a crime scene chalk outline to figure out why a customer left never to return to your web site to shop if the customer was victimized by fraud in a prior transaction.  According to the new 2009 LexisNexis® True Cost of Fraud Benchmark Study more than four in ten victims will avoid certain merchants consequent to being victimized due to fear resulting from an unauthorized purchase made at a particular merchant.

The LexisNexis study backed by research from Javelin Strategy and Research delves further into this subject suggesting that merchants should do more than just educating their customers on how to protect themselves from online fraud.  The study says that merchants must show customers that they’re taking a proactive role in protecting their customers from online fraud in ways that are “visibly robust” to consumers as a critical factor to promote customer retention and loyalty.  Further, three in ten fraud victims cut back on overall online purchases.  This chilling effect that online fraud has on its victims is one of the cost elements of fraud assigned to merchants, banks and consumers to quantify the “true” cost of fraud.

You could say the buck stops with consumers—literally—when they fall victim to fraud and associate negative feelings with the merchant.  I believe that the impact consumers’ perceptions have on merchants and banks when it comes to anti-fraud efforts will have a much greater impact on their business and how aggressively they invest in visibly making their customers’ experiences safe from fraud.  Consumers will vote with their wallets by selectively engaging with online businesses that promote and prove that they are doing everything possible to make their customers safe and their online experience convenient.

This consumer chilling effect from online fraud extends beyond merchants. Twenty-two percent of the respondents said they no longer bank online as a result of being a victim of online fraud. You can bet it doesn’t end there: online dating, gaming, and social networks are subject to the big chill effect too—Web 2.0 say hello to online fraud.

If you’re a merchant or financial institution this LexisNexis study is a must-read.  In fact any online business can benefit from its findings and recommendations. The cost figures in the study are staggering with merchants suffering $100 billion in fraud losses from unauthorized transactions and fees/interest associated with chargebacks.

A key finding in the report notes the low satisfaction and effectiveness ratings merchants have for fraud technology solutions, pointing out that this presents an opportunity for merchants to “assess the cost-effectiveness of the latest fraud-fighting technologies and apply improvements.” Device identification (AKA device fingerprinting) is a strong contender here, offering a new source of anti-fraud data and decision-making power that can further reduce fraud rates, lower costs and improve online customer experience.

Caveat emptor/venditor emptor. Buyers and sellers beware when online fraud shapes consumer perceptions that put a chill on ecommerce.

- Tom

Privacy vs. Security: Can Device Identification Give You Both?

Posted on September 15th, 2009 by Tom Grubb

I wish all of the websites I do business with would fingerprint my computer to validate my identity. I’d sleep better at night knowing that computers used by criminals attempting to steal from me would be barred from entry because their computer’s unique fingerprint could never match that of my computer. I know more than the typical consumer about the high risk that goes with entering your PII (personally identifiable information) like your mother’s maiden name and social security number into a web form. I also know that it’s getting very hard not to surrender PII to accomplish anything of substance online.

Dr. Larry Ponemon knows a lot about what consumers are thinking about when it comes to their online privacy. He founded Ponemon Institute, dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Several months ago we asked Dr. Ponemon to look into what consumers think about having their computers fingerprinted as a means to help protect them from online fraud.

Can Device Identification Help Prevent Fraudsters from Using Your Personal Data Against You?

Posted on July 9th, 2009 by Tom Grubb

Social Security Numbers: Device ID can take the risk out of gambling with your personal data

According to a new study by researchers at Carnegie Mellon University it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers, personal private data that until now was considered reasonably safe from intelligent guessing by networks of compromised computers.

Here’s an excerpt from the Carnegie study that spells out the problem:

‘Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], “botnets” of compromised computers allow attackers to test, cheaply and covertly, vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.’

Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” are consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on the ability for us to identify that we are who we claim to be without our physical presence; this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.

Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:

  • Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
  • Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from the web site visitor
  • Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts

Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?

Most internet retailers say cyber criminals are winning the war on web fraud

Posted on June 22nd, 2009 by Tom Grubb

The best outcome anyone can hope for online fraud is a draw

That’s just one of the interesting findings in our Internet Retailer Conference 2009 informal survey from last week’s event in Boston. The final results are tabulated and ready for your consideration. Some of the comments handwritten on the survey forms were insightful. Here’s one that I found especially telling on the question of who’s winning the war on fraud: “nobody wins—the best we can hope for is a draw.” The notion of a “draw” resonates because fraudsters are driven (and highly motivated) to constantly innovate. There’s always room for improvement when it comes to new ways and means to commit cyber fraud.

That’s why the good guys tasked with preventing fraud say “I’m always looking for new ways to fight online fraud.” I heard that a lot at IRCE last week—more evidence that device fingerprinting is the “new new thing” to fight fraud.

Click here to see the full report from our IRCE 2009 survey.

- Tom