Archive for the ‘Identity Theft’ Category
Posted on January 30th, 2012 by Dan Rampe

Child identity theft is exactly like stealing candy from babies. Easy. It’s easy because the crime is often not detected until the baby is an adult and has his/her credit and reputation ruined.
The Huffington Post relates the story of Jennifer Andrushko.
When Jennifer Andrushko applied for public aid two years ago, a state employee entered her son Carter’s Social Security number into a computer and discovered something strange: The boy appeared to have been earning wages for the past eight years.
“I thought, ‘How could this be happening? He’s only three years old,’” Andrushko said.
It turned out an undocumented immigrant had been using Carter’s number to acquire jobs since before [Carter] was born. But Carter proved relatively fortunate. Unlike many child identity theft victims who do not realize their credit is ruined until they reach adulthood, his case was caught while he was young, giving him time to recover his good name.
Carter was lucky. He was living in Utah, one of the few states that cross-references its employment database with a list of children receiving public assistance. Well, he wasn’t all that lucky. His mother was applying for public assistance. Anyway, according to the Huffington Post, Utah found thousands of instances of child identity theft, including one where nine people used one nine-year-old’s Social Security number to get employment.
Parents hand over children’s Social Security numbers to schools, health care providers and other institutions that often don’t have sufficient safeguards in place. It’s been suggested that a solution, or at least a partial one, would be for the Social Security Administration to do something with the numbers that lets credit agencies know the holder is a minor.
Last year, more than 18,000 cases of child identity theft were reported to the Federal Trade Commission. The Huffington Post suggests even 18,000 doesn’t come close. “The real figure…is probably much higher because the crime often goes undetected…. ID Analytics estimates that more than 140,000 children are victims of identity theft each year, based on a one-year study of those enrolled in the firm’s identity protection service.
“In the largest study on child identity theft to date, researchers at Carnegie Mellon University found that 10 percent of children were victims of identity theft, compared with less than 1 percent of adults. The study, which was published this spring, analyzed more than 800,000 records — including 40,000 belonging to minors — compromised by data breaches in 2009 and 2010. The data was provided by the credit monitoring service Debix.”
The Huffington Post story says, “Thieves now exploit a gap in the system used by the three major credit bureaus to check consumer credit. When the bureaus pull reports, they look for matching names, birthdates and Social Security numbers. But identity thieves escape detection by pairing a child’s number with a different name and birth date, creating the appearance of a consumer who is applying for credit for the first time. Debix says it recently ran credit reports on 381 cases of confirmed child identity theft and found that credit reports only turned up fraudulent activity in four cases, or 1 percent.”
Companies are able to cross check names, birthdates and SSNs with the Social Security Administration, but the agency charges a $5,000 fee upfront, plus $1 for each check – a tab many companies don’t care to pay.
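The matching gap described in the quoted passage, as an added example that is not part of the original post or of any credit bureau's system: a simplified model in which a report pull requires name, birth date and SSN to agree, set beside an SSN-keyed check that surfaces the same number filed under other identities. The record layout, function names and all sample values (including the 9xx-prefixed numbers) are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CreditFile:
    name: str
    dob: date
    ssn: str


def norm_ssn(ssn):
    """Keep digits only so '900-00-0002' and '900 00 0002' compare equal."""
    return "".join(ch for ch in ssn if ch.isdigit())


def norm_name(name):
    """Case-insensitive, whitespace-collapsed name."""
    return " ".join(name.casefold().split())


def identity(f):
    """The (name, birth date) pair a file was opened under."""
    return (norm_name(f.name), f.dob)


def bureau_pull(files, name, dob, ssn):
    """Three-field match: a file is returned only if name, DOB and SSN all agree."""
    want = (norm_name(name), dob, norm_ssn(ssn))
    return [f for f in files if (*identity(f), norm_ssn(f.ssn)) == want]


def ssn_conflicts(files, name, dob, ssn):
    """Files that carry this SSN under a different name or birth date."""
    me = (norm_name(name), dob)
    target = norm_ssn(ssn)
    return [f for f in files if norm_ssn(f.ssn) == target and identity(f) != me]


def audit_shared_ssns(files):
    """Map each SSN that appears under more than one identity to those identities."""
    by_ssn = defaultdict(set)
    for f in files:
        by_ssn[norm_ssn(f.ssn)].add(identity(f))
    return {ssn: sorted(ids) for ssn, ids in by_ssn.items() if len(ids) > 1}


# Constructed sample data. The second and third files reuse a child's number
# under unrelated adult names and birth dates.
FILES = [
    CreditFile("Alex Example", date(1975, 3, 2), "900-00-0001"),
    CreditFile("Pat Sample", date(1980, 6, 15), "900-00-0002"),
    CreditFile("Lee Placeholder", date(1978, 1, 9), "900 00 0002"),
]
CHILD = ("Sam Minor", date(2008, 5, 1), "900-00-0002")
ADULT = ("alex  example", date(1975, 3, 2), "900000001")

if __name__ == "__main__":
    # The child's own report looks empty, so nothing seems wrong.
    print("three-field pull for child:", bureau_pull(FILES, *CHILD))
    # Keying on the SSN alone exposes the other identities using it.
    for f in ssn_conflicts(FILES, *CHILD):
        print("same SSN, different identity:", f.name, f.dob)
    print("shared SSNs:", audit_shared_ssns(FILES))
```
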
Stuart Pratt, president of the Consumer Data Industry Association, the trade association for the three credit reporting agencies, asked, “How can somebody open up any kind of account with just a name and Social on its own? Authentication should be much more than that. It has to be robust.”
In the late 1980s, the Social Security Administration started requiring parents to list their children’s SSNs to claim them as dependents. Newborns got spanking new credit histories that remained that way till they turned eighteen. It was an open invitation to crooks.
So what happens when thieves have a multi-year head start? The Huffington Post relates the story of Jaleesa Suell of Oakland, California. When Jaleesa was 17, a thief stole her identity to open a credit card. She didn’t find out until she turned 21 and was denied her first credit card. The reason? She had a $300 unpaid credit-card debt, which had been sent to a collection agency.
Now 22, Suell has spent the last six months disputing the fraud with Plains Commerce Bank, based in South Dakota, where the account was opened. Before accepting that the charges were fraudulent, the bank insisted that Suell provide a full police report. But the Oakland Police Department has refused to provide such a report because $300 does not meet the department’s threshold.
Identity Theft 911, which is working pro-bono to help Suell, plans to write letters to the FDIC, FTC and the Better Business Bureau to pressure the bank to “do the right thing,” according to Kelly Colgan, a spokeswoman for Identity Theft 911.
If her case is not resolved, Suell fears she will graduate college in May and be unable to rent an apartment or acquire student loans for graduate school due to her damaged credit.
“I’m at an impasse,” she said. “It’s extremely frustrating.”
Story after story follows the same pattern. Even when victims are able to clear their names, they have still been forced to devote big chunks of time and energy to that end. And that’s time and energy that could be put to better use like improving their grades, finding jobs, etc.
Amending agency regulations and federal and state laws could help stop ID theft. Another thing that could help the cause is for online businesses to use ThreatMetrix™ solutions.
ThreatMetrix doesn’t rely on passwords, user names and cookies to protect its clients. Instead the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.
Posted on January 18th, 2012 by Dan Rampe

Zappos, the online shoe outlet owned by Amazon, was hacked, putting some 24 million customers’ personal information at risk. PCWorld.com reported that Zappos CEO Tony Hsieh told customers that “names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords may have been exposed.” He added that the good news was that the database storing actual credit card and payment data had not been breached.
Nevertheless, the New York Daily News reported that the company had put out a statement informing customers of the incident and asking them to change their passwords. Customers who attempted to phone Zappos for information were met with the sounds of silence. Zappos’ CEO said in a memo, “We have made the hard decision to turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)”
In an email to employees, which was posted to the Zappos blog, the company said the cyberattack came from a criminal who had gained access to parts of the company’s internal network and systems through a server in Kentucky.
Andrew Storms, director of security operations at nCircle, told PCWorld.com that Zappos’ response to the incident seemed to be appropriate insofar as it had notified customers and reset all passwords to force customers to create new ones to replace those that may be exposed or cracked as a result of the breach.
Security expert Neil Roiter, research director for Corero Network Security, observed, “Companies such as Zappos should have technology in place that monitors activity on their networks and reports in real time on suspicious activity or activity that does not conform to security policy. The sooner an organization detects a breach, the more quickly it can contain it.”
ThreatMetrix, the fastest-growing provider of integrated cybercrime prevention solutions, offers superior solutions that can’t be compromised by break-ins. The ThreatMetrix™ Cybercrime Defender Platform helps companies protect customer data and secure transactions against fraud, malware, data breaches, as well as man-in-the-browser (MitB) and Trojan attacks. The Platform consists of advanced cybersecurity technologies, including TrustDefender™ ID, which is cloud-based, real-time device identification, as well as malware protection with TrustDefender™ Cloud and TrustDefender™ Client. The company serves a rapidly growing global customer base across a variety of industries, including financial services, e-commerce, payments, social networks, government, and healthcare.
Posted on January 3rd, 2012 by Dan Rampe

PrECISE (Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness) is the cybersecurity bill introduced by members of the House Homeland Security Committee. PrECISE establishes a quasi-governmental entity to oversee information-sharing with the private sector.
Wouldn’t you like to have sat in on the meeting where they decided on the acronym, PrECISE? (Probably more like multiple meetings with emails flying back and forth for months):
Staffers: “How about Cybersecurity Information Sharing (CIS)?”
Committee: “CIS? Too close to CIA, which is supposed to gather information, not spread it. Leaves the wrong impression.”
Staffers: “How about Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PECISE)?”
Committee: “That’d be pronounced Pea-size. Does Pea-size sound like the taxpayers are getting any bang for their buck?”
Staffers: “How about we put in an ‘R’ for Research? ‘Promoting Research and Enhancing Cybersecurity and Information Sharing Effectiveness.’ Then we’ve got PRECISE.”
Committee: “PRECISE. Like it. But we’re not doing Research. That makes PRECISE imprecise.”
Staffers: “Okay, we can take the ‘R’ from ‘Promoting’ to make it ‘PRECISE.’ And to differentiate it from the rest of the acronym, we can make the ‘R’ an ‘r’.”
Committee: “But what do we do about the ‘a’s in the ‘ands’ in ‘Promoting Research and Enhancing Cybersecurity and Information Sharing Effectiveness’?”
Staffers: “Lower case ands are always silent.”
Committee: “Precisely.”
However the PrECISE Act got its name, The Hill’s “Hillicon Valley Technology Blog” reports that it’s designed to encourage “private firms to share information on cyber threats [stopping] short of mandating new security standards for sectors deemed critical to national security” following other cybersecurity bills offered by House Republicans.
The bill lays out the Department of Homeland Security’s cybersecurity functions, which would require DHS to evaluate cybersecurity risks for critical infrastructure firms and determine the best way to mitigate the risks.
“Cybersecurity is truly a team sport, and this bill gives DHS needed authorities to play its part in the federal government’s cybersecurity mission and enables the private sector to play its part by giving them the information and access to technical support they need to protect critical infrastructure,” said House Cybersecurity subcommittee Chairman Dan Lungren (R-Calif.).
Hillicon Valley Technology Blog observes, “By authorizing DHS to oversee civilian cybersecurity, the legislation aligns with proposals from both the Senate and the White House, but it is unclear how much authority DHS would have to enforce its security standards. Democrats have argued DHS needs some enforcement authority to ensure firms beef up their network protections.”
While there hasn’t been a whole lot of bi-partisan support for any measure recently, this bill appears to come close. Bennie Thompson (D-Miss.) said, “Introduction of this legislation represents a solid and significant step forward in the effort to secure our nation’s cyber infrastructure. While I am not prepared to give my full support to the bill at this time, there’s a lot to like in this bill. I am pleased that it gives DHS the authority and resources it needs to fulfill its cybersecurity mission instead of creating a whole new bureaucracy or complicated regulatory framework.”
Offers Cybersecurity sub-panel ranking member Yvette Clarke (D-N.Y.), “While we continue to review this legislation, I look forward to working with my colleagues in a more collaborative way to strengthen this bill.”
You may have to wait for Congress to work out the precise language of PrECISE before it’s enacted. But, you don’t have to wait to achieve the most effective protection for your online assets. That protection is available today from ThreatMetrix™.
The first perimeter and the most effective element in a multi-layered defense against cybercriminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used, from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.
Posted on December 29th, 2011 by Dan Rampe

1917: The Foreign Secretary of the German Empire, Arthur Zimmermann, sent a diplomatic proposal from the German Empire to Mexico to make war against the United States. Intercepted by British intelligence and forwarded on to the United States, the Zimmermann Note angered Americans, adding another reason for the U.S. declaration of war against Germany in World War I.
2011: U.S. officials investigate reports that Iranian and Venezuelan diplomats in Mexico are involved in planned cyberattacks against U.S. targets, including nuclear power plants.
According to the Washington Times, a documentary that aired on the Spanish-language TV network, Univision, included secretly recorded footage of Iranian and Venezuelan diplomats being briefed on planned attacks and promising to pass information to their respective governments.
A former computer instructor at the National Autonomous University of Mexico told Univision that he was recruited by a professor there in 2006 to organize a group of student hackers to carry out cyberattacks against the United States, initially at the behest of the Cuban Embassy.
In an undercover sting, an instructor and several students infiltrated the hackers, secretly videotaping Iranian and Venezuelan diplomats.
State Department spokesperson William Ostick called the reports “disturbing,” but added that U.S. officials “don’t have any information at this point to corroborate them.” However, earlier this year, U.S. prosecutors charged an Iranian official based in Tehran with trying to recruit a Mexican drug cartel to kill the Saudi ambassador to the United States by bombing a Washington restaurant. Ostick noted, “We constantly monitor for possible connections between terrorists and transnational criminals.”
An aide to New Jersey Senator Robert Menendez, chairman of the Senate Foreign Relations subcommittee on the Western Hemisphere, told the Washington Times that the Univision report, which also said that Iranian extremists were recruiting young Latin American Muslims, is “one of a variety of concerns we have about Iran’s efforts to engage with countries and other actors in the region.”
Stating the obvious: technology has changed dramatically since 1917. People haven’t. To ensure your company is protected against attack from people who are out to cause harm or perpetrate fraud, the best solutions come from ThreatMetrix. Without requiring personally identifiable information, such as Social Security Numbers, that can be compromised, ThreatMetrix solutions nab criminals in real-time before they can do real damage. The ThreatMetrix™ Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to stop criminals whether in Toledo or Tehran.
Posted on December 28th, 2011 by Dan Rampe

Just released in a second edition, Inside Cyber Warfare: Mapping the Cyber Underworld, by Jeffrey Carr, is a wide-ranging overview of virtually every type of online illicit activity from cyber spying and cyber stealing to malware attacks and identity theft.
Carr, a cyber intelligence expert, is a columnist for Symantec’s Security Focus. A writer who specializes in investigating cyber attacks against governments and infrastructures, he’s been quoted in The New York Times, Washington Post, The Guardian, Business Week, Parameters, and Wired. Carr was also principal investigator for Project Grey Goose, an Open Source intelligence investigation into the Russian cyber attacks on Georgia in August, 2008.
With a foreword by former Secretary of Homeland Security Michael Chertoff and guest essays, including an essay by former senior advisor to the Director of National Intelligence and Cyber Coordination Executive Melissa Hathaway, Inside Cyber Warfare is encyclopedic in scope as it takes up:
· The Conficker Worm: The Cyber Equivalent of an Extinction Event?
· Africa: The Future Home of the World’s Largest Botnet?
· The StopGeorgia.ru Project Forum
· The Russian Information War
· The Gaza Cyber War between Israeli and Arabic Hackers during Operation Cast Lead
· Control the Voice of the Opposition by Controlling the Content in Cyberspace: Nigeria
· Are Non-state Hackers a Protected Asset?
· The Legal Status of Cyber Warfare
· The Antarctic Treaty System and Space Law
· The Law of Armed Conflict
· Is This an Act of Cyber Warfare?
· Responding to International Cyber Attacks as Acts of War
· Analyzing Cyber Attacks under Jus ad Bellum – whether entering into a war would be a just war
· The Korean DDoS Attacks (July 2009)
· One Year After the RU-GE War (the War between Russia and Georgia) Social Networking Sites Fall to DDoS Attack
· Ingushetia Conflict, August 2009
· Pakistani Hackers and Facebook
· TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences
· False Identities
· Components of a Bulletproof Network
· The Bulletproof Network of StopGeorgia.ru
· SORM-2
· The Kremlin and the Russian Internet
· A Three-Tier Model of Command and Control
· Organized Crime in Cyberspace
· Russian Organized Crime and the Kremlin
· Using Open Source Internet Data
· Team Cymru and Its Darknet Report
· Using WHOIS
· Weaponizing Malware
· The Role of Cyber in Military Doctrine
· China Military Doctrine
· A Cyber Early Warning Model
· Advice for Policymakers from the Field
· When It Comes to Cyber Warfare: Shoot the Hostage
· The United States Should Use Active Defenses to Defend Its Critical Information Systems
· Scenarios and Options to Responding to Cyber Attacks
· Whole-of-Nation Cyber Security
· Conducting Operations in the Cyber-Space-Time Continuum
· Anarchist Clusters: Anonymous, LulzSec, and the Anti-Sec Movement
· Social Networks: The Geopolitical Strategy of Russian Investment in Social Media
· Globalization: How Huawei Bypassed US Monitoring by Partnering with Symantec
· The Russian Federation: Information Warfare Framework
· Russia: The Information Security State
· Russian Ministry of Defense
· Internal Security Services: Federal Security Service (FSB), Ministry of Interior (MVD), and Federal Security Organization (FSO)
· Russian Federation Ministry of Communications and Mass Communications (Minsvyaz)
· Cyber Warfare Capabilities for: Australia – Brazil – Canada – Czech Republic – Democratic People’s Republic of Korea – Estonia – European Union – France – Germany – India – Iran – Israel – Italy – Kenya – Myanmar – NATO – Netherlands – Nigeria – Pakistan – People’s Republic of China – Poland – Republic of Korea – Russian Federation – Singapore – South Africa – Sweden – Taiwan (Republic of China) – Turkey – United Kingdom
· US Department of Defense Cyber Command and Organizational Structure
· Active Defense for Cyber: A Legal Framework for Covert Countermeasures
· Covert Action
· Cyber Active Defenses as Covert Action Under International Law
The book covers much more in 316 pages that are topical while, at the same time, providing in-depth analyses of the often dark underbelly of cyberspace.
For maximum protection from cyberspace’s dark underbelly, there’s one company that stands out — ThreatMetrix. ThreatMetrix offers superior solutions that can’t be compromised by break-ins. ThreatMetrix solutions protect against bad scripts and fraudulent account logins, payments and transactions. With customized rules for each, ThreatMetrix solutions are designed to interdict attacks of fraud and other criminal behavior in real-time, while passively and transparently profiling users — without collecting extraneous personal identity information such as Social Security Numbers, birth dates and mother’s maiden names.
Posted on December 27th, 2011 by Dan Rampe

Superstition has it that if a horseshoe is hung upside down, the luck runs out. Running out of luck and into a scam is exactly what happened to a number of unlucky Lucky Supermarket customers in Northern California.
U.S. Secret Service agents told Stephen Ackerman, CFO of Save Mart (Lucky’s parent company), that the device thieves concealed in Lucky card readers was “the most sophisticated device [they’d] ever seen in the United States.” Without being detected, thieves planted circuit board sniffer devices inside debit and credit card readers at self-checkout lanes in several San Francisco Bay Area stores. To make detection more difficult, only one card reader at each store was targeted.
Lucky informed customers that they might have to cancel their credit cards or change their bank accounts. “At this time, we strongly recommend that anyone who used our self-check terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one,” said Ackerman.
Television station KTVU said that thus far eighty people have reported money taken or suspicious activity on their accounts with losses in the thousands of dollars.
Lucky only discovered that the card readers had been tampered with after routine maintenance. You might say Lucky found them by “sheer luck.” Once detected, the affected card readers were immediately removed.
While management told KTVU that a recurrence of the tampering “could not happen again,” federal investigators were not quite so optimistic. However, the feds did have a clue how thieves were able to plant the sniffers. It seems someone had stolen credit card readers from a Lucky store in Fresno, California several months prior. If and when they catch the responsible individuals, the feds could be on their way to finding the thieves.
Authorities maintained that thefts of this nature are most likely to occur over the weekend when most financial institutions are closed or have limited hours. To protect against credit card and other financial fraud 24/7/365, more and more online financial institutions are turning to ThreatMetrix.
ThreatMetrix solutions combine a computer’s packet signature data with transaction details and anonymized credentials (credentials that are obtained anonymously and unlinkably by the user) to differentiate between honest transactions and fraudulent ones. Financial institutions are protected against bad scripts and fraudulent account logins, payments and transactions.
Posted on December 12th, 2011 by Dan Rampe

As Hall of Famer and philosopher Yogi Berra once advised, “When you come to a fork in the road, take it.”
“Bloomberg View” columnist Susan Crawford, a law professor at Cardozo School of Law in New York and former special assistant for science, technology and innovation policy to President Barack Obama, would disagree. She has strong feelings about the road that should be taken – and it’s not necessarily the one her former boss has been pointing toward.
Driven by the National Security Agency and the Department of Homeland Security, the administration has been lobbying for the Senate to pass an omnibus cybersecurity bill. The measure would give Homeland Security centralized authority to designate “Covered Critical Infrastructure.”
Crawford takes exception to “Covered Critical Infrastructure” explaining that “[the term] has been so broadly defined that it could include Internet access sold to ordinary Americans. Under the proposed bill, Homeland Security would have the authority to mandate, among many other things, that access providers extend a National Security Agency snooping program called Einstein 3 to Americans’ Internet activities.
“Under the White House plan, communications companies would submit their cybersecurity plans to auditors [and] Homeland Security would intervene if plans fall short of the agency’s desires.”
Crawford noted that the Congressional Budget Office said a similar bill proposed by Senators Lieberman and Collins would cost $1.5 billion. In addition, she maintains it would create a “giant bureaucratic operating system [that’s the] opposite of the kind of agile, innovative response needed to counter online threats.”
Instead of addressing every internet issue, Crawford says the emphasis should be on thwarting the most dangerous threats. “Rather than worrying about YouTube, we should focus on protecting dams and nuclear-power plants from catastrophic sabotage.”
Another major problem she sees in the administration’s approach is “the supply-chain mandates that will make it even harder for federal workers to use up-to-date technology.” As proof she offers Deputy Defense Secretary William Lynn’s observation that “the iPhone took only 24 months to develop, but Pentagon procurement processes already take seven or eight years.”
Crawford thinks it would be better if the government could take advantage of innovative bargains developed by a competitive marketplace.
In place of a centralized approach, Crawford feels that, “We need to allow companies to defend themselves rather than having the government do it for them. We could solve 90 percent of cybersecurity problems by doing better at locking up bad guys, improving information sharing, and enhancing research, education and awareness.”
So rather than the direction the administration is taking, Crawford prefers a bill that the House Intelligence Committee is working on that would “let the government and Internet service providers voluntarily share digital patterns characterizing potential vulnerabilities, in the interests of speeding responses to cyber problems.” However, she warns sharing this information could raise “real privacy and civil-liberties implications” that must be addressed.
“When cybersecurity problems arise,” she says, “the best response is to adopt a patch as soon as it’s available [without waiting] for an entirely new operating system [which has not been debugged] to be created.”
In matters of cybersecurity and privacy, ThreatMetrix is far ahead of the curve and any government legislation. Its ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence, drawn from tens of millions of transactions across all of ThreatMetrix’s customers. The information is always up-to-date and always available. The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, lets financial institutions and others verify new accounts, authorize payments and transactions and authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.
Posted on December 1st, 2011 by Dan Rampe

Legitimate app or a real killer designed to upload malware and snag users’ personal information and money? Perhaps the only thing growing as fast as the mobile market is malware to steal from that market.
Gerry Smith in a Huffington Post post reported that “malware jumped 22 percent in the first half of this year compared with the same period last year. Google’s Android operating system was the most popular target for mobile malware developers during the second quarter….
“Hackers are setting their sights on Android…by disguising malware as legitimate apps. For example, a fake update of the popular game Angry Birds sends sensitive information about the user to the hacker who gains access to the user’s phone and downloads more malicious software….”
According to Smith’s post, “after several malicious apps were published to the Android Market, Google said it was taking measures to help prevent additional malicious applications from being distributed and working to fix the underlying security issues. It said the malware did not affect Android versions 2.2.2 or higher.”
But, Smith said that a Symantec white paper claims “Google allows attackers to anonymously create and distribute malware in the Android market and relies on Android users to make important security decisions they are often not capable of making….” Super news with more Americans opting for Google Android operating systems over Apple’s iOS.
A McAfee report found “an increase in fake anti-virus software for Mac operating systems, suggesting that such malware could start appearing on other Apple products, including iPhones and iPads.”
So if both Apple iOS and Google Android OS are increasingly at risk of being compromised, where does an online business turn for protection? ThreatMetrix.
Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real-time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.
Posted on November 30th, 2011 by Dan Rampe

Does Richard Clarke’s assessment that U.S. Defense Networks are “as porous as a colander” hold water? For you kitchen-challenged individuals, please be advised a colander is the thing you put spaghetti into, then pour water into over the spaghetti to drain off excess starch. Also works for rigatoni, vermicelli, fusilli, ziti, et al.
Anyway…Clarke comes with some pretty heavy credentials. He worked for every president from Reagan to Bush Two (George W.). George H.W. Bush appointed him to chair the Counter-Terrorism Security Group and to a seat on the National Security Council. Clinton kept Clarke on, promoting him to chief counter-terrorism adviser on the National Security Council. And under G.W., he was appointed Special Advisor to the President on Cybersecurity.
As reported in the Boston Globe and New York Daily News, Richard Clarke joined a number of U.S. civilian and military experts cautioning that America’s critical networks are poorly protected against cyberattacks and warning against attacking other countries. Specifically mentioned were China, North Korea, Iran and Russia, which could destroy power grids, banking networks and transportation systems.
According to MSNBC.com, Clarke maintained that a good national security adviser would tell the president that the U.S. might be able to blow up a nuclear plant somewhere, or a terrorist training center somewhere, but a number of countries could strike back with a cyber attack and “the entire U.S. economic system could be crashed in retaliation … because we can’t defend it today.”
“I really don’t know to what extent the weapons systems that have been developed over the last 10 years have been penetrated, to what extent the chips are compromised, to what extent the code is compromised,” said Clarke. “I can’t assure you that as you go to war with a cybersecurity-conscious, cybersecurity-capable enemy that any of our stuff is going to work.”
National security officials disclosed that in 2009 Russian and Chinese agents had penetrated the U.S. electric grid and left behind software to help map the systems.
Clarke, who claimed his warnings to the Bush administration about Al Qaeda prior to 9/11 fell on deaf ears, issued these new warnings as tensions escalate between the U.S., Israel and their shared adversary Iran.
So what can someone, who’s charged with safeguarding his/her company’s website and online business, take away from these dire predictions? It’s time to “haul out” the heavy protection. In other words, it’s time for ThreatMetrix.
The ThreatMetrix™ Cloud-Based Fraud Prevention Platform does not rely on passwords, user names and other data to identify returning visitors, so spies are immediately denied one benefit of an attack – gathering personal information about the users themselves. By drawing upon hundreds of anonymous characteristics from every transaction and analyzing them in real-time, ThreatMetrix solutions provide security from hidden proxies, scripted attacks and browser manipulation.
Posted on November 23rd, 2011 by Dan Rampe

Either by turning away real customers or letting cybercrooks get their hands on goods without paying for them, online retailers could find themselves “on the hook” for a big chunk of money on Cyber Monday.
Officially nicknamed (as opposed to unofficially nicknamed) “Cyber Monday” in 2005, Cyber Monday is the Monday after Black Friday, which is the Friday after Thanksgiving, which is the last Thursday in November. Or, put another way, Cyber Monday is the first Monday after Thanksgiving.
Anyway, in 2010, comScore, which claims to be “the global leader in measuring the digital world”, reported that last year consumers spent $1.028 billion online on Cyber Monday, the highest spending day of 2010. And while other countries don’t celebrate America’s Thanksgiving, they do, indeed, celebrate Cyber Monday everywhere from Canada to New Zealand.
Security expert, Jorge Steinfeld, in a Forbes Magazine piece notes that hackers will be gearing up for Cyber Monday this year by taking advantage of social media. “[Hackers] are busy creating fake profiles on social networking and e-commerce sites. These profiles and Web sites are meant to mimic well-known corporate brands, and coax users into clicking on their content. As a result, malicious content can now lay hidden within Twitter posts and Facebook links…” Social media is one more way cybercriminals can “gather personal and professional information, creating specific profiles on individuals and tricking them into divulging sensitive or personal information [from] credit card numbers to information about their employer’s organization.”
Social media and the continuing dramatic 50% growth in mobile transactions year-over-year since 2005 could make 2011 Cyber Monday a record-breaker. One aspect of Cyber Monday that a lot of people in the technology and retail sectors will be paying particular attention to is who will be the big winner of “Mobile Monday”? Android or iOS?
Following is a breakdown of transactions by mobile device as compiled from the ThreatMetrix Global Network of more than 15 million daily transactions. From November 2010 to November 2011, ThreatMetrix found that mobile as a percentage of total transaction volume decreased for the iPhone by 35%, the BlackBerry by 51%, and the Palm by 96%. Conversely, Android mobile volume showed a massive uptick in 2011, with a 661% increase in overall transactions coming from a mobile device. Windows devices showed a more moderate increase, at 19% year-over-year.

“Based on our findings, the iPhone is still the dominant device where mobile transactions are taking place, but we’ve seen Android gain a lot of traction in 2011,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “It’s now become a two-horse race with mobile. The question does not center around whether or not consumers will make mobile purchases this season, but which device will come out ahead on what’s now deemed ‘Mobile Monday’.”
According to ThreatMetrix Fraud Facts, on average, 3% of transactions worldwide now come from a mobile device. That’s up from 2% in 2010.
“Mobile transactions have higher conversion rates because they are intention-driven,” added Faulkner. “This makes it even more critical for retailers to ensure they are not only delivering an excellent mobile experience, but have a solid mobile fraud prevention strategy in place.”
Faulkner noted that while many retailers will likely experience a record number of purchases coming from mobile this year, many still maintain insufficient or incorrect fraud tools in this channel. The consequence will be lost revenue based on both fraudulent transactions taking place, as well as valid customers being turned away because of incorrect fraud classifications. Faulkner predicts as many as one in four mobile transactions may be incorrectly classified this year.
Top Fraud Threats During Peak Season
With an increased volume of online transactions during the holidays, retailers have less time for manual screening and review of transactions – whether they are coming from a laptop, desktop computer, tablet or mobile device. It makes automated fraud screening vital during this high-volume period.
So what are the top five fraud threats during this time of year?
1. Mobile device spoofing – Merchants are put at increased risk with mobile transactions simply because it’s more user-friendly for fraudsters. Today, most fraud coming from the mobile channel actually originates elsewhere; the originating device only presents itself as a mobile device.
2. Use of botnets and malware – This is a prominent concern on both traditional desktop and laptop computers, as well as mobile devices, as malware can steal passwords and payment account information. On top of that, many of today’s consumers fail to install appropriate fraud prevention software on their mobile devices, according to Faulkner. Analyzing anomalous behavior and checking third-party IP reputation can help detect malware.
3. Cookie-wiping – Merchants could previously track repeat visitors through cookies, yet many of today’s consumers and fraudsters remove cookies by using add-ons and private browsing modes. This makes it difficult to recognize suspicious repeat visitors and identify returning good customers; cookieless device identification is more important than ever.
4. IP address cloaking – It has also become easier for criminals to spoof or mask IP addresses. This makes it harder for merchants to know the “true” IP of the visitor and distinguish the good transactions from the bad. Identifying proxied visitors is crucial; this can be done by inspecting HTTP headers, maintaining a blacklist of known proxy sites, dynamically detecting proxied requests and piercing the proxy with a callback request.
5. Use of Virtual Private Networks (VPNs) – VPNs use separate software on the originating device to place it on a different network, showing traffic is originating from a different address than its true network. To identify fraudsters who are using VPNs, it’s important to monitor time zone and language settings, as well as global anomalies.
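As an added illustration of items 4 and 5 (this is not ThreatMetrix code and not part of the original post), the sketch below combines HTTP header inspection with time zone and language checks. The request and geolocation field names, the sign convention for the time zone offset and the sample values are assumptions made for the example; each signal is a reason for review, not proof of fraud.

```python
import ipaddress

# Headers that forwarding proxies commonly add to a request.
PROXY_HEADERS = ("via", "forwarded", "x-forwarded-for", "x-real-ip", "proxy-connection")


def accept_languages(value):
    """Return the primary language subtags of an Accept-Language header, in order."""
    tags = []
    for part in value.split(","):
        tag = part.split(";")[0].strip().lower()
        if tag and tag != "*":
            tags.append(tag.split("-")[0])
    return tags


def forwarded_client(headers):
    """Return the left-most valid address in X-Forwarded-For, or None."""
    for item in headers.get("x-forwarded-for", "").split(","):
        try:
            return ipaddress.ip_address(item.strip())
        except ValueError:
            continue
    return None


def proxy_vpn_signals(request, geo):
    """List reasons a request looks proxied or tunnelled (hypothetical field names)."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    reasons = [f"proxy header: {h}" for h in PROXY_HEADERS if h in headers]
    client = forwarded_client(headers)
    if client is not None and client != ipaddress.ip_address(request["peer_ip"]):
        reasons.append(f"forwarded client {client} differs from peer")
    # tz_offset_min: minutes east of UTC, as reported by a script in the page.
    if request["tz_offset_min"] not in geo["utc_offsets_min"]:
        reasons.append("browser time zone does not match IP location")
    langs = accept_languages(headers.get("accept-language", ""))
    if langs and not set(langs) & set(geo["languages"]):
        reasons.append("browser languages do not match IP location")
    return reasons


# Constructed sample data: what a GeoIP lookup might return for the peer address,
# one direct visitor and one visitor behind a forwarding proxy.
GEO_DE = {"utc_offsets_min": {60, 120}, "languages": {"de", "en"}}
DIRECT = {"peer_ip": "203.0.113.10", "tz_offset_min": 60,
          "headers": {"Accept-Language": "de-DE,de;q=0.9,en;q=0.8"}}
PROXIED = {"peer_ip": "203.0.113.10", "tz_offset_min": -480,
           "headers": {"Via": "1.1 proxy.example", "Accept-Language": "pt-BR,pt;q=0.9",
                       "X-Forwarded-For": "198.51.100.7, 203.0.113.10"}}
```

Forwarding headers are supplied by the client or by intermediaries and can be forged or stripped, so their absence does not show that a visitor is direct.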
For more information about these Cyber Monday threats, and tactics for defeating cybercriminals during this peak transaction period, check out ThreatMetrix videos, “The Mobile Fraud Threat,” “Malware and Mobile: How Big of a Threat Is It?” and “Top Three Tactics to Consider for Mobile Fraud Detection.”