A new article in BankInfoSecurity by Managing Editor Linda McGlasson asks the question whether fraud cases are a black eye for banking. More and more bank customers suffering online fraud losses in the hundreds of thousands of dollars are going to court in an attempt to recover their losses. Banks large (Comerica) and small (Ocean Bank of Portsmouth VA) are on trial in court and in the court of public opinion to defend against customer claims that they (the banks) are responsible for fraudulent losses.
The article calls into question what constitutes “reasonable security” from banking institutions to protect themselves and their customers from fraud. Good question. Two-factor authentication that uses the customer’s computer (device) and internet connection as a factor to mitigate risk in a banking transaction seems an obvious choice that not nearly enough banks have fully embraced (yet).
According to Rebecca Herold, an independent consultant, ACH fraud is the underlying cause of the recent incidents. She continues: “One primary reason that ACH fraud continues is because as the security “fixes” are made for the technology with the problems, new procedures are built specifically to address them. Then as the technology evolves and is implemented by the banks, new problems allow for ACH fraud to continue.”
What’s really at stake here are the reputations of the banks and whether customers will trust that they are doing all that they can to protect them from web fraud. I don’t think public court battles between banks and customers have enough candle power to really move the needle with the online banking masses. But they do nudge the needle and in time most banks will extend their security perimeter beyond traditional IT security solutions to include solutions that do more to protect against the new and growing threat of consumer facing bank fraud. A black eye from bank fraud is the new new thing for brand damage that results from media coverage on the risks of doing business online—much like the big data breach headlines of yesterday (still going today…think Heartland Payment Systems.)
Commenting on consumer trust erosion that can result from publicized bank fraud “outings,” Tom Wills, a security, fraud and compliance senior analyst at Javelin Research quotes Benjamin Franklin: “It takes many good deeds to build a reputation, and only one bad one to lose it.”
In a word, I would describe this year’s Internet Retailer conference in Chicago as this: more. In fact, except for the number of servers walking the floor serving hors d’œuvres at the opening night reception it felt like there was more of everything compared with last year’s conference in Boston: more exhibitors, attendees, sessions—and more energy. We can thank the Windy City citizens and their hockey team for injecting some additional energy into the conference when the winning goal gave the Chicago Blackhawks their first Stanley Cup in 49 years (as a native Chicagoan my thanks go to the Internet Retailer 2010 event planners for choosing Chicago for the show this year). My co-worker Dan waded into the Blackhawks celebration downtown where he got this video of himself touching the Stanley Cup as it made its way through the crowds.
If you’re an Internet retailer, it’s never too soon to be thinking about the Christmas holiday online shopping season—as evidenced by one of the exhibitors who decked their booth out with a Christmas motif and booth staff dressed in elf outfits. Thanks to our annual booth survey at the IRCE we know what internet retailers really want for Christmas this 2010 season. We asked attendees at our booth to complete a brief survey to see what we could learn. The following results reflect surveys completed by 395 attendees.
Almost two-thirds of the respondents said they think making it fast and easy for customers to transact online is more important than stopping online fraudsters at their first attempt. Attendees at the 2010 Merchant Risk Council meeting were about evenly split on this question.
An overwhelming 88% majority said the business (website owner) bears primary responsibility for preventing fraud. The high percentage is counter to much of the prevailing push for consumers to take responsibility to protect their personal data and their computers.
No surprise here that about half said credit cards posed the most risk for loss to a web business--after all it is the Internet Retail conference. However it is noteworthy that half also said that logins and new accounts posed the most risk, a relatively high number for this audience.
Consumer, protect yourself. That’s the big takeaway from a new report by Javelin Strategies, supported by the Better Business Bureau, which found that the number of identity fraud victims in the United States has jumped by 12 percent to 11.1 million adults – the highest increase to-date since the survey started in 2003 – while the total overall fraud amount increased by 12.5 percent to $54 billion.
Here’s one of the key findings from the report that should make consumers and businesses shudder: The number of fraudulent new credit card accounts valid anywhere increased to 39 percent, up from 33 percent in 2008. New fraudulently-opened Internet accounts more than doubled over the previous year.
That means more cyber criminals are using stolen identities to manufacture new credit card accounts for a more lucrative spending spree. James Van Dyke, founder and president of Javelin, in an interview with Bank Systems & Technology explains that new accounts fraud “…are the most damaging types of fraud…they typically have higher dollar amounts and if somebody establishes an account in your name, you’re less likely to know about it.”
But take heart: according to one web site’s read on the report there’s some good financial news too: the mean fraud amount per victim dropped 0.3%, from $4,858 to $4,841—that’s good news?
So what’s the answer for consumers? Protect yourself. Indeed, the commentary by those who sponsored or produced the report is consistent on this point. And this theme appears over and over again from technology companies, banks, consumer protection organizations and more. The problem is, even if every consumer was vigilant on all fronts to protect their identity, the bad guys have the edge because they are far better armed, organized, more motivated, highly compensated and technologically advanced. The average consumer doesn’t stand a chance—if someone wants to steal your credentials they’re going to do it. The problem is compounded by the explosion of social media that soaks up more and more personal information (Facebook just topped 400 million users) which opens even more doors for fraudsters.
The Javelin report is just another indicator that privacy, security and convenience are on a collision course that is bound to force big changes in the way we interact on the Web.
You don’t need a crime scene chalk outline to figure out why a customer left never to return to your web site to shop if the customer was victimized by fraud in a prior transaction. According to the new 2009 LexisNexis® True Cost of Fraud Benchmark Study, more than four in ten victims will avoid certain merchants consequent to being victimized due to fear resulting from an unauthorized purchase made at a particular merchant.
The LexisNexis study backed by research from Javelin Strategy and Research delves further into this subject suggesting that merchants should do more than just educate their customers on how to protect themselves from online fraud. The study says that merchants must show customers that they’re taking a proactive role in protecting their customers from online fraud in ways that are “visibly robust” to consumers as a critical factor to promote customer retention and loyalty. Further, three in ten fraud victims cut back on overall online purchases. This chilling effect that online fraud has on its victims is one of the cost elements of fraud assigned to merchants, banks and consumers to quantify the “true” cost of fraud.
You could say the buck stops with consumers—literally—when they fall victim to fraud and associate negative feelings with the merchant. I believe that the impact consumers’ perceptions have on merchants and banks when it comes to anti-fraud efforts will have a much greater impact on their business and how aggressively they invest in visibly making their customers’ experiences safe from fraud. Consumers will vote with their wallets by selectively engaging with online businesses that promote and prove that they are doing everything possible to make their customers safe and their online experience convenient.
This consumer chilling effect from online fraud extends beyond merchants. Twenty-two percent of the respondents said they no longer bank online as a result of being a victim of online fraud. You can bet it doesn’t end there: online dating, gaming, and social networks are subject to the big chill effect too—Web 2.0 say hello to online fraud.
If you’re a merchant or financial institution this LexisNexis study is a must-read. In fact any online business can benefit from its findings and recommendations. The cost figures in the study are staggering with merchants suffering $100 billion in fraud losses from unauthorized transactions and fees/interest associated with chargebacks.
A key finding in the report notes the low satisfaction and effectiveness ratings merchants have for fraud technology solutions, pointing out that this presents an opportunity for merchants to “assess the cost-effectiveness of the latest fraud-fighting technologies and apply improvements.” Device identification (AKA device fingerprinting) is a strong contender here, offering a new source of anti-fraud data and decision-making power that can further reduce fraud rates, lower costs and improve online customer experience.
Caveat emptor/caveat venditor. Buyers and sellers beware when online fraud shapes consumer perceptions that put a chill on ecommerce.
I wish all of the websites I do business with would fingerprint my computer to validate my identity. I’d sleep better at night knowing that computers used by criminals attempting to steal from me would be barred from entry because their computer’s unique fingerprint could never match that of my computer. I know more than the typical consumer about the high risk that goes with entering your PII (personally identifiable information) like your mother’s maiden name and social security number into a web form. I also know that it’s getting very hard not to surrender PII to accomplish anything of substance online.
Dr. Larry Ponemon knows a lot about what consumers are thinking about when it comes to their online privacy. He founded Ponemon Institute, dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Several months ago we asked Dr. Ponemon to look into what consumers think about having their computers fingerprinted as a means to help protect them from online fraud.
According to a new study by researchers at Carnegie Mellon University it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers – personal private data that until now was considered reasonably safe from intelligent guessing by networks of compromised computers.
Here’s an excerpt from the Carnegie study that spells out the problem:
‘Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], “botnets” of compromised computers allow attackers to test – cheaply and covertly – vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.’
Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” are consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on the ability for us to identify that we are who we claim to be without our physical presence – this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.
Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:
Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from the web site visitor
Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts
Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?
That’s just one of the interesting findings in our Internet Retailer Conference 2009 informal survey from last week’s event in Boston. The final results are tabulated and ready for your consideration. Some of the comments handwritten on the survey forms were insightful. Here’s one that I found especially telling on the question of who’s winning the war on fraud: “nobody wins—the best we can hope for is a draw.” The notion of a “draw” resonates because fraudsters are driven (and highly motivated) to constantly innovate. There’s always room for improvement when it comes to new ways and means to commit cyber fraud.
That’s why the good guys tasked with preventing fraud say “I’m always looking for new ways to fight online fraud.” I heard that a lot at IRCE last week—more evidence that device fingerprinting is the “new new thing” to fight fraud.
In a recent Silicon Valley Business Journal article profiling ThreatMetrix, “ThreatMetrix fights cyberfraud at the ‘front door’”, Gartner Vice President Avivah Litan, an analyst covering authentication, identity theft, fraud detection and prevention applications, said:
“There’s a lot of value in these types of applications in financial services, e-commerce, online dating sites, gaming sites, health care and government portals, anyone that does business on the internet.”
The article does a good job of describing ThreatMetrix’s ability to profile a device in real-time to help stop fraud at the front gate by simply using ThreatMetrix HTML tags on check-out pages, user registration and login pages.
Every business that has a presence on the web and has users logging into their web site could benefit from their offering.