Archive for the ‘New Account Registration’ Category

IAM Overwhelmed!

Posted on November 16th, 2011 by Dan Rampe

Ericka Chickowski, a contributing editor at Darkreading.com, did a piece titled “Tales of De-Crypt 2011.” Considering it was scheduled to run sometime around Halloween, the title was “scary clever” while the subject matter was just plain scary. Chickowski observes that 2011 has been “a banner year for authentication and Identity and Access Management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month…. [There have been] targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.”

Ms. Chickowski compiled a list of the top ten worst “hacks, vulnerabilities and screw-ups to hit the headlines in 2011.” The upside is that the top-ten list only has seven entries. It also has some lessons to be learned.

1. The RSA Tokens That Took a Lot of People for a Ride. “After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. RSA confirmed that some ‘information related to the RSA SecurID product had been extracted.’” Extracted is another way of saying ripped off.

So what was learned? Don’t put all your eggs in one basket and leave the basket where anybody can trip over it. Or as Darkreading.com put it, “Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company’s most critical assets.”

2. The Death of DigiNotar. A hacker with the moniker ComodoHacker created fraudulent Comodo SSL certificates in March, then, later, hacked the CA DigiNotar to issue 500 more certificates. The actions of ComodoHacker, who claimed to have hacked other certificate authorities, ultimately led to the demise of the company.

So what was learned? A stitch in time saves nine?  A penny saved is a penny earned? A wet bird never flies at night?  No, what was learned was, “DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.”

3. HBGary Federal’s “federal case” Over Anonymous Backfires. After the company’s CEO said he was about to release information about Anonymous, the group infiltrated HBGary’s network through SQL injection, stole stored passwords and got control of the company’s email, internal accounts and its executives’ social media accounts.

So what was learned? As they used to say in the U.S. Infantry (and probably still do) in not such genteel terms, “Don’t let your alligator mouth overload your hummingbird ass.” Darkreading.com put it this way, “Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use Rainbow tables to crack the passwords’ encryption because the firm used weak MD5 hashes to protect them.”
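The HBGary lesson above is about how the passwords were stored, not only how the server was reached. The following is an added illustration, not code from the article or from any of the companies it names: it shows why an unsalted MD5 table can be recovered with a precomputed lookup (the idea behind rainbow tables), and what a salted, iterated store using PBKDF2 from Python’s standard library looks like instead. The usernames, passwords and the candidate word list are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a small password table as it might look in a breach dump.
# Note that alice and bob chose the same password.
SAMPLE_PASSWORDS = {"alice": "Summer2011", "bob": "Summer2011", "carol": "correct horse battery"}


def unsalted_md5(password: str) -> str:
    """The weak scheme: a single MD5 of the bare password, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputation: digest -> password for a list of likely passwords. Because the
    weak scheme has no salt, this table is built once and applies to every user and
    every site that used the same scheme. That reuse is what makes rainbow tables pay."""
    return {unsalted_md5(c): c for c in candidates}


def recover_with_table(table, stored_digests):
    """Look each stored digest up in the table; None means the table did not contain it."""
    return {user: table.get(digest) for user, digest in stored_digests.items()}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Hardened scheme: a random 16-byte salt per user and a slow, iterated KDF.
    The salt defeats precomputation (every user needs a fresh table); the iteration
    count makes each guess cost real CPU time. Format is a constructed '$'-separated
    string, not any particular library's encoding."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    weak_table = {u: unsalted_md5(p) for u, p in SAMPLE_PASSWORDS.items()}
    table = build_lookup_table(["password", "Summer2011", "letmein"])
    print("recovered from unsalted MD5:", recover_with_table(table, weak_table))
    strong = {u: pbkdf2_store(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("alice and bob share a password but their stored values differ:",
          strong["alice"] != strong["bob"])
```

PBKDF2 is used here because it ships with Python; bcrypt, scrypt or Argon2 serve the same purpose and are preferable where a library is available. The point the article makes holds for all of them: the hash function alone is not the fix, the per-user salt and the work factor are.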

4. Beware the LulzSec. After breaking into networks, LulzSec members distributed unencrypted passwords and other sensitive information, such as emails that impacted everyone from Sony to the U.S. Senate and compromised millions of accounts.

So what was learned? The bigger they come, the harder they fall. That could be one of the things learned.  But, Darkreading.com pulled out some other lessons like, “a lack of input validation or database monitoring [allow LulzSec] to commit SQL injection attacks at will. And …organizations [have a tendency] to store login information unencrypted and unprotected within network systems.”

5. Don’t Count on Citi Account Numbers. Darkreading.com says, “Hackers were able to game Citigroup’s online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers’ accounts. The trick gave them access to customer names, account numbers, and transaction information.”

So what was learned? Money is the root of all evil?  Or rather lack of money is the root of all evil?  No.  Actually it’s that, “web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi’s online banking authentication engine.”
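The Citi flaw is the classic case of a record identifier in the URL being trusted without checking who is asking. As an added example (not Citi’s code and not from the article), here is the vulnerable lookup beside a hardened one that enforces object-level authorization and returns the same answer for “does not exist” and “not yours”, plus a small monitor that flags a session which is denied across several distinct account numbers, which is the guessing pattern the text describes. Account numbers, owners and balances are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str
    balance: float


# Constructed sample data; numbers and owners are made up.
ACCOUNTS = {
    "1001": Account("1001", "alice", 500.0),
    "1002": Account("1002", "bob", 1200.0),
    "1003": Account("1003", "carol", 75.0),
}


def view_account_vulnerable(session_user: str, account_number: str) -> dict:
    """The business-logic flaw: the account number taken from the URL is used as-is.
    Any logged-in user who edits the number in the address bar reads someone else's account.
    session_user is accepted but never consulted."""
    acct = ACCOUNTS.get(account_number)
    if acct is None:
        return {"status": 404}
    return {"status": 200, "number": acct.number, "balance": acct.balance}


class EnumerationMonitor:
    """Detection side: count the distinct account numbers each session has been denied.
    One denial is a typo; a spread of denials across different numbers is enumeration."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self._denied = defaultdict(set)

    def record_denial(self, session_user: str, account_number: str) -> None:
        self._denied[session_user].add(account_number)

    def is_flagged(self, session_user: str) -> bool:
        return len(self._denied[session_user]) >= self.threshold


def view_account_hardened(session_user: str, account_number: str,
                          monitor: EnumerationMonitor) -> dict:
    """Object-level authorization: the record must exist AND belong to the session user.
    Both failure cases return an identical 404 so the response does not reveal which
    account numbers are valid; the denial is recorded for detection either way."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session_user:
        monitor.record_denial(session_user, account_number)
        return {"status": 404}
    return {"status": 200, "number": acct.number, "balance": acct.balance}


if __name__ == "__main__":
    mon = EnumerationMonitor(threshold=3)
    print("vulnerable, bob reads alice:", view_account_vulnerable("bob", "1001"))
    for number in ("1002", "1001", "9999", "1003"):
        print("hardened, bob requests", number, "->", view_account_hardened("bob", number, mon))
    print("bob flagged for enumeration:", mon.is_flagged("bob"))
```

The authorization check is what the article’s quote calls testing for business-logic flaws; a scanner looking for injection would never find it, because every request here is well-formed and authenticated. The monitor is the database-side companion: it gives the fraud team a signal even before the check is in place.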

6. Bank of America Rogue Employee Was a Rogue. A Bank of America employee leaked information to an identity-theft ring.  Fake accounts were created under victims’ names and $10-million was stolen before the thieves were nailed.

So what was learned? One rotten apple can spoil the whole barrel. He/she can also steal $10-million. The other thing that was learned is frequent reviews of access controls might have prevented this type of theft.

7. Duqu Worms Its Way Into the World. “A refinement on the code foundation laid down originally by Stuxnet… this password- and data-stealing Trojan features a rogue certificate [now revoked. However,] it’s able to fly under the detection radar by injecting itself into running processes.”

So what was learned? “[This was] another instance of hackers manipulating the certificate authority ecosystem…”

Perhaps the most important lesson to be taken from the seven disasters described above is that many could have been averted by using ThreatMetrix solutions. The first perimeter and the most effective element in a multi-layered defense against cyber criminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used, from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.


Reshipping: Where a Mule Makes an Ass of Himself…or Herself

Posted on October 27th, 2011 by Dan Rampe

A long time ago, online retailers caught onto cybercriminals using stolen credit card accounts to buy expensive consumer products online, then turning around and reselling them in Eastern Europe, North Africa or Russia. The retailers’ answer was to stop shipping goods to these places.

But, reports security expert Brian Krebs in his blog, KrebsonSecurity, “these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.”

Krebs points out, “There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as ‘Drops for stuff’ on cybercrime forums.”

The people “hired” to do the reshipping are variously known as reshippers, mules or drops. “The ‘drops,’” says Krebs, “are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

“A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the U.S. Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.”

Dropforrent.com is a kind of cyberspace fence operation that offers “clients” (cybercrooks) and “managers” (people who do recruitment scams) a percentage of what they steal. Krebs explains that Dropforrent pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products. Incidentally, if you do a search for Dropforrent online, you’ll get a score of websites warning you to stay away, that the jobs the site offers are a  scam.

In addition to electronics, Krebs says, “Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.”

Reproduced here without editing, the page KrebsonSecurity.com posted at http://krebsonsecurity.com/wp-content/uploads/2011/10/applestore-directinstructions.html gives an example of a standard operating procedure, the rules for mules:

Use your applestore-direct.com Account to:

- Check a shedule about package deliveries
- Send messages to your manager
- Edit Your Default address and shipping address
- Upload your resume and documents for an approvement
- To check total scores and money you earn

IMPORTANT INFORMATION ABOUT SCORE AND PAYMENT SYSTEM:
YOU WILL RECEIVE APPROXIMATE 40 PACKAGES FOR MONTH
YOUR SALARY BASED ON THE 2000$ MONTHLY PAYMENT, STARTING FROM THE SHIPPING FIRST PACKAGE
AND THERE IS A BONUS SCORE SYSTEM
FOR EVERY SHIPPED PACKAGE YOU GET A SCORE
10-SCORES IF YOU SHIPPED A PACKAGE ON THE SAME DAY BEFORE THE NEXT DAY NOON
5-SCORES IF YOU SHIPPED A PACKAGE ON THE NEXT DAY
0-SCORES IF YOU DELAYED PACKAGEs SHIPPING FOR 3 DAYS AND MORE

ON YOUR PAYDAY THE SCORES WILL BE CHANGED TO MONEY AND ADDED TO YOUR TOTAL INCOME IN RATE OF
10 SCORES-50$
5 SCORES-25$
3 PENALTIES- MINUS 100$

PENALTIES CAN BE USED BECAUSE OF ANY SHIPPING DELAYS, NOT CONTACTING YOUR REGIONAL MANGER IN TIME, NOT COMPLETED ORDERS,
MISSED PACKAGES TO YOUR ADDRESS WITHOUT ANY REASONS

Krebs observes, “Well-run reshipping schemes can launder huge volumes of stolen goods in a relatively short time. The minimum order dropforrent.net accepts is $300. Records at dropforrent.net show that since the beginning of this year, drops hired through one front site have shipped more than 800 orders — at least a quarter million dollars worth of stolen goods.”

And, the best part about the scam from the cybercriminals’ point of view?  If anything happens, the drop or reshipper or mule is the person the long arm of the law will snag.

For online businesses to avoid being victims of reshipping, the answer is ThreatMetrix. Device identification is the first and most effective layer in a multi-layered defense against cyber criminals. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used, from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.

 

Is There an FTC Probe in Facebook’s Future?

Posted on October 25th, 2011 by Dan Rampe

Five class action lawsuits have been filed against Facebook alleging that it violated wiretap laws by having user-ID tracking cookies track those users’ browsers on sites integrated with Facebook — after the users had logged off.

Gavin Dunaway on Adotas.com reports, “One of the suits seeks statutory damages of $100 per day for every member of the class (the lawsuit is trying to certify all 150 million U.S. Facebook members as a class — so $15 billion a day….) or $10,000 per violation, plus punitive damages, attorney fees and court costs.”

But, rather than the lawsuit route, Dunaway thinks the Federal Trade Commission (FTC) would be a better arbiter of whether Facebook is guilty of stepping on users’ privacy rights.

What is Facebook accused of?

Well, according to Dunaway, after an Australian developer discovered Facebook leaving cookies (including the one with the user’s unique account number) on the user’s browser after the user logged out, Facebook revised its logout rules so the user ID cookie was deleted on log out along with the cookie that’s used to stop “cross-site forgery.” However, Facebook kept the rest of the cookies that it had put on the user’s browser for security purposes to ensure users were who they said they were on login.
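What the developer and, later, Jonathan Mayer did was essentially an audit: log out, then look at which cookies the browser still sends. The following is an added example, not Facebook’s code and not from the article, using Python’s standard `http.cookies` module. It builds the `Set-Cookie` headers a logout handler should emit to expire the cookies that identify the user, simulates how a browser updates its jar from those headers, and then checks whether any identifying cookie survived. The cookie names, values and domain are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed cookie names that, in this example, tie requests to a specific account.
# The device/security cookies the text says were kept are simply not in this set.
IDENTIFYING = {"user_id", "session", "csrf_token"}
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def logout_set_cookie_headers(request_cookie_header: str, identifying=IDENTIFYING,
                              path: str = "/", domain: str = ".example.invalid"):
    """Return one Set-Cookie header per identifying cookie present in the request,
    each with Max-Age=0 and an Expires in the past. Path and Domain must match the
    attributes the cookie was originally set with, or the browser keeps the old one."""
    jar = SimpleCookie()
    jar.load(request_cookie_header)
    headers = []
    for name in jar:
        if name in identifying:
            c = SimpleCookie()
            c[name] = ""
            c[name]["max-age"] = 0
            c[name]["expires"] = EPOCH
            c[name]["path"] = path
            c[name]["domain"] = domain
            headers.append(c[name].OutputString())
    return headers


def apply_to_jar(request_cookie_header: str, set_cookie_headers) -> dict:
    """Simulate the browser: start from the cookies it sent, then apply each Set-Cookie.
    Max-Age=0 removes the cookie; anything else (re)sets it. This simplified jar does not
    model path/domain scoping, which is why the helper above pins both attributes."""
    jar = SimpleCookie()
    jar.load(request_cookie_header)
    remaining = {name: morsel.value for name, morsel in jar.items()}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if str(morsel["max-age"]) == "0":
                remaining.pop(name, None)
            else:
                remaining[name] = morsel.value
    return remaining


def identifying_cookies_remaining(jar_after: dict, identifying=IDENTIFYING):
    """The audit check: which identifying cookies does the browser still hold after logout?"""
    return sorted(set(jar_after) & set(identifying))


if __name__ == "__main__":
    before = "user_id=1234; session=abc123; csrf_token=t0k3n; locale=en; device=seen-before"
    complete = logout_set_cookie_headers(before)
    print("after complete logout:", identifying_cookies_remaining(apply_to_jar(before, complete)))
    partial = logout_set_cookie_headers(before, identifying={"session"})
    print("after partial logout:", identifying_cookies_remaining(apply_to_jar(before, partial)))
```

The second run in the usage block is the situation the article describes: the session is gone but `user_id` is still sent to every page that embeds the site. Running the audit against a real browser means reading the cookie jar after logout rather than trusting the handler’s intent.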

Stanford Security Lab’s Jonathan Mayer discovered that the cookie that sends data back to Facebook from Facebook-integrated sites whether users are logged in or not, was back. This after the cookie had been removed by Facebook just before publication of a Wall Street Journal article decrying the fact the cookie was there.

So, what’s Facebook doing with the data obtained by this cookie from third-party sites? (Facebook says it keeps the data for up to 90 days, then deletes it.)

Though there’s no evidence Facebook is profiling users for targeted advertising (All Facebook’s targeted advertising is based on user-submitted/shared information.), Dunaway speculates the data could well be used for that purpose. But, he adds, even if Facebook is not using the data for advertising, “It’s associating browsing data with specific users.”

While the Wall Street Journal was questioning Facebook’s motives for its use of tracking cookies, Derrick Harris in a GigaOm.com story pointed to the Wall Street Journal’s own privacy policy update, which included the use of new registrants’ personally identifiable information (PII) in building online profiles. The Journal claimed it was for content purposes only.

But, Dunaway admits, “Just like a lot of the ambivalent people (consumers and OBA [Online Behavioral Advertising] industry folk) out there that Harris is worried about, I got a bad case of online privacy fatigue. There’s so much back and forth and so many accusations shouted into the media megaphone, but nothing really ever happens. Nothing ever changes.”  Dunaway used the example of Facebook’s removing, then reinstating the tracking cookie after the Wall Street Journal’s story had run.

Because he doesn’t feel the lawsuits will be able to prove individuals have been harmed by Facebook’s gathering personal information and because many in media have grown tired of tackling the privacy issue, Dunaway believes, “…an FTC investigation is the ideal solution for both examining Facebook’s data collection practices and stirring the online privacy fatigue.”

Dunaway explains, “… it’s time for the FTC to talk less and act more. For at least two years, the FTC has been fanning consumer fires over privacy controls while promising OBA companies it won’t ‘strangle the golden goose.’ But what’s it actually done?

Dunaway continues, “Granted, I’ve gotten used to the speed of digital innovation and forgotten the lurching pace at which Washington moves. But agency members constant tsk-tsking about the industry pulling its act together has only highlighted the lack of progress in an OBA framework.

“Well, here’s your chance for action, FTC — to actually show you’re protecting online consumers while insuring a fledgling (relatively) industry can continue to flourish. Investigate Facebook’s use of tracking cookies, give us a detailed report. And please don’t take two years to do it….”

The Wall Street Journal, Facebook et al. say they’re only interested in protecting users’ privacy rights and protecting their sites and contents from cybercriminals. If that’s the case, the solution is as close as www.threatmetrix.com. ThreatMetrix offers device identification solutions that recognize returning visitors without cookies and also recognizes them even when their device fingerprints change. ThreatMetrix has solutions that protect against bad scripts and fraudulent account logins, payments and transactions.  With customized rules for each, it’s designed to interdict attacks of fraud in real time, while passively and transparently profiling users — without collecting extraneous personal identity information. ThreatMetrix offers universal, reliable fraud detection that puts an end to overreliance on identity authentication.


More Than 175 Registrants Headed for the Fraud Fighters’ Summit October 9-10. It Would Be a Crime Not to Attend.

Posted on October 6th, 2011 by Dan Rampe

Like the knights of yore who converged on King Arthur’s Round Table (not to be confused with the pizza restaurant) to discourse on fighting dragons and saving distressed damsels, industry leaders are coming together at the Monterey Plaza Hotel and Spa in Monterey, California (October 9-10) to address the threat of online fraud and to promote e-commerce.

Based around the theme, “Defeating Online Fraud and Promoting E-Commerce Together,” the ThreatMetrix 2011 Fraud Fighters Summit brings together the top fraud-fighting professionals in the industry, people who have maximized the effectiveness of their ThreatMetrix solutions.

Attendees will have an opportunity to network with peers and share fraud-fighting strategies. They’ll learn new ways to benefit from the ThreatMetrix Cloud-Based Fraud Prevention Platform from experts and come away better informed, motivated and prepared to wage the daily battle against fraudsters.

Presentations from well-known brands will be a highlight of the packed, two-day summit agenda. Featured presenters include:

  • Reed Taussig, ThreatMetrix CEO and president, who will formally open the summit and provide an industry overview.
  • David Burns, manager of operational risk, Optimal Payments, who will speak on: “Incorporating ThreatMetrix into Real-Time Rule Decisions.”
  • Julie Conroy McNelley, senior analyst with the Aite Group’s Retail Banking practice, who covers fraud, data security, anti-money laundering, and compliance issues, will present on “Online and Mobile:  Navigating the Risk Environment.”
  • Rhonda MacLean, founder of MacLean Risk Partners LLC, a consulting firm that provides strategic advisory services, will lead a financial service fraud prevention roundtable.
  • Steven Boutelle, Lieutenant General, U.S. Army (Retired) and former chief information officer of the U.S. Army responsible for the U.S. Army’s use of information technology, will present on “Cybersecurity: A Government Perspective.”
  • Alisdair Faulkner, ThreatMetrix chief products officer, will present a product development roadmap.

Other topics will cover everything from “Building an Effective Fraud Prevention System,” to “Addressing Organized Stealth with ThreatMetrix SmartID,” to “The Identity Challenge,” as well as best practices surrounding the use of ThreatMetrix professional services.

As an added bonus, the conference concludes with a private dinner at the world-famous Monterey Bay Aquarium.


The President Proclaims “National Cybersecurity Awareness Month” and Americans Cheer

Posted on October 5th, 2011 by Dan Rampe

Of course Americans would be cheering. Cybersecurity is one of the few things the President and Congress can agree on. Even the most ardent and partisan Republican Tea Partier would have to concede that when it comes to matters of the Internet and cybersecurity, the president has been all ears from the time he took office. As the President pointed out in the proclamation, “Early in my administration we began updating our nation’s cybersecurity programs and policies. We developed a comprehensive plan that ensures a coordinated national response to major disruptive cyber events.”

Noting that the Internet is a “strategic national asset,” the President maintained that protecting it was a “shared responsibility” and called for partnering with other nations and the public and private sectors to “ensure coordinated and planned responses to cyber incidents,” the same way resources are brought to bear to fight a natural disaster.

In the proclamation, the President called for expanded broadband access and smarter electric grids. He also referenced the “National Strategy for Trusted Identities in Cyberspace” with its “Stop. Think. Connect” campaign telling consumers to…well…stop and think before connecting.  Will this slogan take its place with “Stop, look and listen” and “Only you can prevent forest fires?” in the pantheon of memorable bon mots?  Or will it become like the Reagan administration’s “Just say no to drugs” or the Ford administration’s “WIN” (Whip Inflation Now), a monologue starter for Leno, Letterman et al.  Only time will tell.

Likening the creation of the Internet to putting a man on the moon as a great American achievement, President Obama declared:

“Now, therefore, I, Barack Obama, president of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim October 2011 as National Cybersecurity Awareness Month. I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.”

If your company needs more than “Stop. Think. Connect” to keep your customers from becoming victims of cybercrime, ThreatMetrix has the solution. The ThreatMetrix Cloud-Based Fraud Prevention Platform, which incorporates the ThreatMetrix™ SmartID cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, the cyber criminals never have access to personal information such as birth dates, maiden names and Social Security numbers.


Kerry-McCain Says Fish or Fowl

Posted on June 23rd, 2011 by Dan Rampe

Online companies can be fish. Or they can be fowl.

Acting as both “fish” and “fowl” will have them “running afoul” of the bipartisan Kerry-McCain Commercial Privacy Bill of Rights Act of 2011.

Because many fraud-prevention companies offer solutions that work by gathering personal information, they are also excellent ways for advertisers to identify and accumulate audiences for targeted advertising. The Privacy Bill of Rights, as it’s come to be known, requires online businesses which collect information for authentication and fraud prevention as well as for advertising purposes to give consumers the opportunity to opt out.

However, businesses which collect information exclusively for authentication and fraud prevention are exempt. And, ThreatMetrix is exempt on two counts.

Number one: ThreatMetrix does not use or sell to third parties any information for advertising purposes.

Number two: ThreatMetrix solutions do not require cookies or personally identifiable information (PII) to catch fraudsters. Instead, ThreatMetrix combines a computer’s packet signature data with transaction details and anonymized credentials (credentials that are obtained anonymously and unlinkably by the user) to differentiate between a fraudster and an honest customer.

In the latest conflict between society’s right to protect itself and the individual’s right to privacy, ThreatMetrix has the solution that successfully addresses both.


“We’d Like to Thank the Academy…”

Posted on June 22nd, 2011 by Dan Rampe

What? Not an Oscar?

Oh, ThreatMetrix won Red Herring’s much coveted “Top 100 North America Award.” In all honesty, it seemed like there was something fishy about ThreatMetrix winning an Academy Award.

Now, a Red Herring “Top 100 North America Award” on the other hand — nothing fishy about that. After all, without relying on passwords and cookies, ThreatMetrix solutions preserve user privacy while its ThreatMetrix Cloud-Based Fraud Prevention Platform, which uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction, is the ultimate weapon against fraudsters. In short, ThreatMetrix offers the best of both worlds: protection for the e-company, privacy for the user.

The Top 100 North America Award is based on financial performance, technology innovation, quality of management, execution of strategy, and integration into the industry. Given by Red Herring editors, the award has become a mark of distinction for identifying promising new companies and entrepreneurs, such as Facebook, Twitter, Google, Yahoo, Skype, Salesforce.com, YouTube, and eBay.

And, now ThreatMetrix.


Russians Attack American Hamlet!

Posted on June 16th, 2011 by Dan Rampe

Is this shades of the 1984 movie, Red Dawn, where American teenagers band together to defend their town from invading Cuban and Nicaraguan soldiers acting on behalf of their Soviet Russian masters?

No.

Incidentally, have you heard they’ve remade Red Dawn?  It’s called Red Dawn 2011 and has an entirely new plotline. In the new movie, American teenagers band together to defend their town from invading North Koreans.

Anyway…

Russians really did attack the Hamlet of Pittsford, a town of 25,000 near Rochester, N.Y. And, they left it $139,000 poorer.

On or about June 1, 2011, fraudsters logged onto the town’s online commercial bank account. The thieves initiated a small batch of automated clearing house (ACH) transfers, covering their tracks by sending the transfers to “money mules,” cyberspace’s version of drug mules.

The money mules, who were wittingly or unwittingly taking part in a felony, took money from their own bank accounts and wired it to individuals in St. Petersburg and Kiev using Western Union and MoneyGram.

Over the course of four business days, fraudsters carried out multiple fraudulent batch payments. Some transfers went to money mules who owned businesses, including a Mission Viejo, California-based software company. That company was sent $14,750. But, most mules were sent payments of less than $5,000.

While details of the attack remain sketchy and the town reportedly had good firewall and antivirus protection, there was reason to suspect the breach occurred as a result of the town opening an account with a new bank.

Security expert, Brian Krebs, reported in his blog that Pittsford had maintained its account at a bank where all transactions had to be approved by at least two town officials. However, when it opened a new account with the Canandaigua National Bank & Trust, there were no such controls. The only security procedures in place were user name, password and a set of security questions. Customers did have the option of registering their computers, which involved downloading a CNBT certificate or cookie.  But, this only meant that when the customer was logged in from a registered computer, he or she would not be required to answer a security question. The FBI, which is conducting the investigation, theorized that it was when the account was opened in the new bank that the thieves most likely stole the town’s online banking password using a banking trojan.
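The control Pittsford lost when it changed banks, approval by at least two officials before money moves, is a dual-control (separation of duties) rule. As an added example, not CNBT’s or the town’s actual system and not from the article, the following models an ACH batch that cannot be released on one set of credentials: the initiator cannot approve their own batch, and two distinct authorised officials must approve before release. Official names and amounts are constructed.

```python
from dataclasses import dataclass, field


class ControlError(Exception):
    """Raised when a release would violate the dual-control policy."""


@dataclass
class AchBatch:
    batch_id: str
    initiator: str
    total: float
    approvals: set = field(default_factory=set)
    released: bool = False


class DualControlPolicy:
    """Two distinct officials must approve a batch, and neither may be the initiator.
    With this in place, one stolen password (the banking-trojan scenario) can create a
    batch but cannot move money. Constructed policy for illustration."""

    def __init__(self, officials, required_approvers: int = 2):
        self.officials = set(officials)
        self.required = required_approvers

    def approve(self, batch: AchBatch, official: str) -> int:
        if official not in self.officials:
            raise ControlError(f"{official!r} is not an authorised approver")
        if official == batch.initiator:
            raise ControlError("initiator may not approve their own batch")
        if batch.released:
            raise ControlError("batch already released")
        batch.approvals.add(official)  # a set, so the same official approving twice counts once
        return len(batch.approvals)

    def release(self, batch: AchBatch) -> AchBatch:
        if len(batch.approvals) < self.required:
            raise ControlError(
                f"batch {batch.batch_id} needs {self.required} approvals, has {len(batch.approvals)}")
        batch.released = True
        return batch


def try_release(policy: DualControlPolicy, batch: AchBatch) -> bool:
    """Convenience wrapper: True if the batch released, False if the policy blocked it."""
    try:
        policy.release(batch)
        return True
    except ControlError:
        return False


if __name__ == "__main__":
    policy = DualControlPolicy(officials=["supervisor", "comptroller", "clerk"])
    # An attacker holding only the clerk's password creates a batch to constructed mule accounts.
    batch = AchBatch("batch-001", initiator="clerk", total=14_750.0)
    try:
        policy.approve(batch, "clerk")
    except ControlError as err:
        print("blocked:", err)
    print("released with no approvals:", try_release(policy, batch))
    policy.approve(batch, "supervisor")
    print("released with one approval:", try_release(policy, batch))
    policy.approve(batch, "comptroller")
    print("released with two approvals:", try_release(policy, batch))
```

The rule is worth stating in the contract with the bank as well as in software: as the Patco case below shows, courts have treated username and password checks as sufficient diligence, so the second approver is the customer’s own safeguard, not one it can assume the bank will supply.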

Recently Patco Construction, which suffered a $300,000 loss at the hands of fraudsters who raided its account using a trojan, sued its bank. The Maine court in whose jurisdiction the case was heard, held that the bank had done sufficient due diligence simply by verifying that the company’s ID and password were authentic. Patco was forced to accept the loss.

So far, the courts have held that a bank is not liable for a company’s losses.  But, who’s to say the courts will find otherwise when a municipality, charity or religious institution is bilked out of millions of dollars? Or who’s to say that the lower courts’ decisions will not be reversed?

Pointing fingers as to who’s responsible is a waste of time and money when the answer is avoiding the problem entirely. And, that’s where ThreatMetrix comes in.  ThreatMetrix doesn’t rely on passwords, user names and cookies to protect its clients.  Instead the ThreatMetrix Cloud-Based Fraud-Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out crooks whether they’re in Kansas or the Crimea.

With ThreatMetrix protection in place, you don’t have to rely on passwords, user names, cookies or teenagers.


You CAN Handle the Truth

Posted on June 15th, 2011 by Dan Rampe

Actually, ThreatMetrix believes you CAN handle the truth.

Just reach out. It’s a fingertip, mouse-click away, anytime day or night, anywhere.

Need to know what’s really going on in the world of fraudsters, cheats, thieves and scammers? Here’s the truth, the whole truth and nothing but….

It’s ThreatMetrix’s up-to-this-instant, exciting, brand-new initiative for tracking fraud-activity trends: ThreatMetrix™ Fraud Facts. Based on evaluations of over 15-million transactions taking place every day, you get a unique peek into the fraudster mindset. Here you discover his/her latest tactics, tricks and dodges, so you can formulate plans and adopt strategies for stopping them.  With this information, it’s far easier to cull the criminals hidden among the vast majority of honest customers.

The analysis will cover a range of online fraud, looking at:

• Percentage of Transactions from Compromised Devices

• Percentage of Transactions from Devices that have had Cookies Wiped

• Percentage of Transactions from Devices that are Associated with Multiple Email Addresses

• Percentage of Transactions Flagged as Higher Risk

• Percentage of High-Risk Transactions by Country

• Percentage of Countries with Highest Ratio of High-Risk Transactions

• Mobile Transaction Volumes

• Relative Mobile Transaction Volume by Country

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform is the only global online fraud prevention platform that stops web fraud in its tracks to speed up e-commerce for new account origination, web payments and account logins.

The truth that was only “out there” is now here.

Bookmark it — ThreatMetrix Fraud Facts — and stay way ahead of the bad guys.


$44,940,000 Here. $44,940,000 There. After a While It Might Add Up to Some Decent Money.

Posted on June 13th, 2011 by Dan Rampe

A recent “U.S. Cost of a Data Breach” report from the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, concluded that it costs about $214 per compromised record. And, don’t bother looking for a decimal point between the “2” and the “14.” Two-hundred-fourteen dollars is the right number. That’s because there are direct costs associated with the breach, such as customer notification and legal defense fees, and additional indirect costs, including loss of customers and negative PR.

Following on the heels of Sony, which suffered an attack to its PlayStation Network that took PSN down for about a month, Citibank disclosed that hackers broke into its computers stealing the names, account numbers and contact information for approximately one percent of Citibank’s 21-million customer base or 210,000 customers.

Do the math and it turns out this recent breach put the company at risk to the tune of almost $45-million. Now, in terms of the national debt, it’s a drop in the proverbial bucket. But, $45-million is enough to pay the salaries of several small-market Major League Baseball teams for a year.

With so much at risk in terms of money and reputation when there’s a security breach, it kind of makes you wonder why companies continue to depend on PII (Personally Identifiable Information). As Alisdair Faulkner, ThreatMetrix chief products officer, points out, especially in light of the recent break-ins, “You can’t use PII to authenticate an identity online for any kind of transaction.”

That’s why ThreatMetrix offers superior solutions that can’t be compromised by break-ins. ThreatMetrix solutions protect against bad scripts and fraudulent account logins, payments and transactions. With customized rules for each, it’s designed to interdict attacks of fraud in real-time, while passively and transparently profiling users — without collecting extraneous personal identity information. ThreatMetrix offers universal, reliable fraud detection and prevention that puts an end to overreliance on PII.