Posted on August 6th, 2010 by Tom Grubb

A new article in BankInfoSecurity by Managing Editor Linda McGlasson asks whether fraud cases are a black eye for banking. More and more bank customers suffering online fraud losses in the hundreds of thousands of dollars are going to court in an attempt to recover their losses. Banks large (Comerica) and small (Ocean Bank of Portsmouth VA) are on trial in court and in the court of public opinion to defend against customer claims that they (the banks) are responsible for fraudulent losses.
The article calls into question what constitutes “reasonable security” from banking institutions to protect themselves and their customers from fraud. Good question. Two factor authentication that uses the customer’s computer (device) and internet connection as a factor to mitigate risk in a banking transaction seems an obvious choice that not nearly enough banks have fully embraced (yet).
According to Rebecca Herold, an independent consultant, ACH fraud is the underlying cause of the recent incidents. She continues: “One primary reason that ACH fraud continues is because as the security ‘fixes’ are made for the technology with the problems, new procedures are built specifically to address them. Then as the technology evolves and is implemented by the banks, new problems allow for ACH fraud to continue.”
What’s really at stake here are the reputations of the banks and whether customers will trust that they are doing all that they can to protect them from web fraud. I don’t think public court battles between banks and customers have enough candle power to really move the needle with the online banking masses. But they do nudge the needle and in time most banks will extend their security perimeter beyond traditional IT security solutions to include solutions that do more to protect against the new and growing threat of consumer facing bank fraud. A black eye from bank fraud is the new new thing for brand damage that results from media coverage on the risks of doing business online—much like the big data breach headlines of yesterday (still going today…think Heartland Payment Systems.)
Commenting on consumer trust erosion that can result from publicized bank fraud “outings,” Tom Wills, a security, fraud and compliance senior analyst at Javelin Research quotes Benjamin Franklin: “It takes many good deeds to build a reputation, and only one bad one to lose it.”
- Tom
Tags: ACH Fraud
Posted on February 3rd, 2010 by Tom Grubb

I remember when I was a kid in the late 60s when my parents hauled me down to the local savings and loan at the market to open my very own savings account. I still remember the feel of the green cloth cover on the 5 x 7 booklet that the smiling banker slid across the desk to me. My passbook told me everything I needed to know; I didn’t have to log in and it always told me my meager balance–without batteries, keyboard or glowing display.
It all seems rather quaint compared with the modern online banking system. Now you can accomplish the same task and much more without ever leaving your home thanks to online banking. You can transfer money, pay bills and even register a new account from the comfort of your browser. All of this exposes banks and customers to a whole new breed of fraud that worries banks and consumers.
ThreatMetrix just announced the results of a new research report on online banking based on a survey conducted in Q4 2009 and performed by Gatepoint Research. Over 2K senior level executives, with 66% of the respondents employed by companies having annual revenues of $5 billion or more, were invited to participate.
Key findings in the report include:
- Respondents overwhelmingly cited new credit card applications (56%) as the top risk of financial loss from fraud.
- Over half of the respondents stated that CNP (card not present) purchases carry the most risk of loss.
- 65% of respondents predict an increase in online fraud attempts using stolen or synthetic customer credentials over the next 18 months.
Tom
Posted on July 17th, 2009 by Tom Grubb

Attention social gamers: online fraud has officially arrived. All the players at the table-Nickelodeon, PopCap, Epic Games, Big Fish-really everyone is exposed to cybercrime. As evidence look no further than Offerpal Media’s announcement yesterday of OfferpalSECURE, a new security and fraud prevention product just released with several new features.
Fraud you ask? In casual gaming? Bet on it. Offerpal’s press announcement yesterday says “security experts estimate that when left unchecked, as much as 50% of a gaming publisher’s transactions for intangible goods like virtual currency can be fraudulent-especially if player-to-player transfers are allowed.” TrustWho Founder and CEO Marcus Eikenberry, whose company offers anti-fraud technologies and services to the video game industry goes on to say “and the problem will get worse if it isn’t tackled immediately, because scammers and hackers only become emboldened by their early successes.”
Check out Offerpal’s blog entry for more insights into fraud and casual gaming. It’s worth noting that “machine fingerprinting” (device identification) is called out as a means to prevent fraud such as when scammers attempt to use multiple accounts “in order to game the system.”
ThreatMetrix will be at the Casual Connect conference in Seattle next week as a conference co-sponsor. Stop by and visit us and Offerpal if you’re there.
- Tom
Tags: Casual Connect, casual gaming, Device Detection, Device Identification, Device Reputation, fraud prevention, Machine Fingerprint, machine fingerprinting, offerpal, Online Fraud, social gaming
Posted on July 9th, 2009 by Tom Grubb

According to a new study by researchers at Carnegie Mellon University, it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers: personal private data that until now was considered reasonably safe from intelligent guessing by networks of compromised computers.
Here’s an excerpt from the Carnegie study that spells out the problem:
‘Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], ‘‘botnets” of compromised computers allow attackers to test-cheaply and covertly-vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.’
Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” are consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on the ability for us to identify that we are who we claim to be without our physical presence-this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.
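The per-IP blacklisting described in the excerpt, next to grouping the same failures by a device identifier, as an added example that is not from the original post or from ThreatMetrix. The `device_id` field, the event layout and the sample events are constructed assumptions; the data models one machine rotating through proxy addresses, and attempts from distinct compromised machines would carry distinct device IDs.

```python
from collections import defaultdict

THRESHOLD = 3  # "3 or more failed logins", the figure quoted in the excerpt

# Constructed events: (source_ip, device_id, target_account, success).
# device_id is a hypothetical value from a fingerprinting step, not a real API.
EVENTS = [
    # one machine behind four proxy addresses, one failure per address
    ("198.51.100.10", "dev-A", "acct-1", False),
    ("198.51.100.11", "dev-A", "acct-2", False),
    ("203.0.113.5", "dev-A", "acct-3", False),
    ("203.0.113.6", "dev-A", "acct-4", False),
    # ordinary customer: one typo, then a successful login
    ("192.0.2.20", "dev-B", "acct-9", False),
    ("192.0.2.20", "dev-B", "acct-9", True),
    # repeated failures from a single address
    ("192.0.2.30", "dev-C", "acct-7", False),
    ("192.0.2.30", "dev-C", "acct-7", False),
    ("192.0.2.30", "dev-C", "acct-7", False),
]

IP, DEVICE = 0, 1  # tuple positions usable as grouping keys


def flag_by(events, key_index, threshold=THRESHOLD):
    """Group failed attempts by one field; return keys at or over threshold."""
    stats = defaultdict(lambda: {"failed": 0, "ips": set(), "accounts": set()})
    for event in events:
        ip, _device, account, success = event
        if success:
            continue
        entry = stats[event[key_index]]
        entry["failed"] += 1
        entry["ips"].add(ip)
        entry["accounts"].add(account)
    return {k: v for k, v in stats.items() if v["failed"] >= threshold}


if __name__ == "__main__":
    print("flagged by IP:    ", sorted(flag_by(EVENTS, IP)))
    for device, s in sorted(flag_by(EVENTS, DEVICE).items()):
        print(f"flagged by device: {device} failed={s['failed']} "
              f"ips={len(s['ips'])} accounts={len(s['accounts'])}")
```

Keyed by IP, only the single-address source crosses the threshold; keyed by device, the proxy-rotating machine is flagged as well, with its spread across addresses and accounts visible for triage.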
Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:
- Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
- Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from web site visitor
- Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts
Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?
Tags: Device Detection, device fingerprinting, Device Identification, fraud prevention, Online Fraud, Privacy, social security numbers
Posted on June 29th, 2009 by Tom Grubb

What’s the difference between a fraudster scamming an airline and one scamming a social gaming site…or an etailer or a dating site? Fraud is always a game of deception for some purpose whether it’s stealing money or online gaming for free. But the strategy and tactics employed by a fraudster can be quite different depending on the target and objectives.
In the past two weeks ThreatMetrix attended or sponsored several industry focused events: Internet Retailer Conference and Exhibition, The Airline Reporting Corporation (ARC) Fraud Prevention Conference, The Social Gaming Summit and iDate 2009. Each industry gathering had its own spin on fraud concerns but they all had this in common: everyone is more concerned than ever about the rapid spread of online fraud.
At the ARC conference I heard about the latest and greatest schemes to defraud airlines. They illustrate the complexities unique to online ticketing. The number of entities in the chain between consumer and merchant combined with the complexities of booking travel on a global scale in real-time pose serious challenges to fighting fraud. Credit card fraud was top of mind at ARC, but there are three possible points of entry online that present fraudsters with opportunity to pursue their objectives: new account sign-ups, account logins and online purchases.
Which of the three poses the highest fraud risk to your business depends on your business. For example, online dating and social gaming services are exposed to all three types of fraud, whereas etailers focus most of their fraud detection effort on preventing credit card fraud. This difference points to an important advantage in real time device identification: it’s very effective at detecting fraud across all industries, applications (new accounts, logins and card not present), fraud schemes, geographies and devices. Organizations typically employ multiple fraud fighting tools-device ID stands out for its unique ability to detect fraud (and identify customers) before you know anything about the person visiting your web site.
- Tom
Tags: airline fraud, CNP fraud, Device ID, etailer fraud, online dating fraud, Online Fraud, stolen credentials
Posted on June 8th, 2009 by Tom Grubb

IT PRO has some interesting musings on a Global Fraud Report from RSA that brings new chilling predictions for online fraud. This report brings more than just the usual bad news we typically hear about. Findings in the report cast online fraud in a new light that underscores the monumental challenge fraud poses to the worldwide web. ‘Fast-flux botnets’ capable of hiding the content servers that serve up the malware and phishing content that fuels online fraud are expected to increase in the next year. Fast-flux botnets can change addresses much more quickly making them much harder to catch. The technology aspect is chilling, but the rapid commercialization of online fraud it ushers in is what makes this story noteworthy.
The means and expertise to commit online fraud have reached a tipping point where they are easy to learn and operate, more powerful, affordable (even free) and broadly available to just about anyone who wants to get into the business. IT PRO spoke with RSA’s Andrew Moloney who stated the problem in clear terms:
Moloney said: “Fundamentally what we’re seeing is a commercialization of the fraud industry at a level really greater than what we’ve ever seen before.
“The barrier for entry, if you’re a non-technical kind of person, has been significantly lowered.”
This was seen with ‘fraud-as-a-service’, which meant that people didn’t need technical expertise to infect a machine with a trojan or other type of attack, as they could simply buy what they needed.
Fraud-as-a-service has the potential to be a game-changer in favor of online fraudsters and against those conducting legitimate business on the worldwide web. The worldwide volume of account logins, new accounts, and online credit card purchases (CNP) increases year after year—and thanks to fraud-as-a-service the number of people willing and able to commit online fraud is likely to grow at a faster rate.
Increasingly coordinated fraud attacks and better tools available to anyone with the desire to steal will require even more vigilance on the part of etailers, banks, online social networks, web payment facilitators and governments in order to stay ahead of fraudsters. The rise of fraud-as-a-service makes an even more compelling case for device fingerprinting—the only fraud prevention method that can detect fraud before it occurs by profiling the computer instead of the person.
Does Geoffrey Moore’s famous chasm theory apply to fraud-as-a-service? Will it push online fraud across the chasm from early adopters to an early majority?
- Tom
Tags: commercialization, commodity, fast flux botnets, fraud as a service, Online Fraud, risk
Posted on February 9th, 2009 by Alisdair Faulkner
In a recent Silicon Valley Business Journal article profiling ThreatMetrix, “ThreatMetrix fights cyberfraud at the ‘front door’”, Gartner Vice President Avivah Litan, an analyst covering authentication, identity theft, fraud detection and prevention applications, said:
“There’s a lot of value in these types of applications in financial services, e-commerce, online dating sites, gaming sites, health care and government portals, anyone that does business on the internet.”
The article does a good job of describing ThreatMetrix’s ability to profile a device in real time to help stop fraud at the front gate by simply using ThreatMetrix HTML tags on check-out, user registration and login pages.
Every business that has a presence on the web and has users logging into their web site could benefit from their offering.