Archive for the ‘New Account Registration’ Category
Posted on June 13th, 2011 by Dan Rampe

A recent “U.S. Cost of a Data Breach” report from the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, concluded that it costs about $214 per compromised record. And, don’t bother looking for a decimal point between the “2” and the “14.” Two-hundred-fourteen dollars is the right number. That’s because there are direct costs associated with the breach, such as customer notification and legal defense fees, and additional indirect costs, including loss of customers and negative PR.
Following on the heels of Sony, which suffered an attack to its PlayStation Network that took PSN down for about a month, Citibank disclosed that hackers broke into its computers stealing the names, account numbers and contact information for approximately one percent of Citibank’s 21-million customer base or 210,000 customers.
Do the math and it turns out this recent breach put the company at risk to the tune of almost $45-million. Now, in terms of the national debt, it’s a drop in the proverbial bucket. But, $45-million is enough to pay the salaries of several small-market Major League Baseball teams for a year.
With so much at risk in terms of money and reputation when there’s a security breach, it kind of makes you wonder why companies continue to depend on PII (Personally Identifiable Information). As Alisdair Faulkner, ThreatMetrix chief products officer, points out, especially in light of the recent break-ins, “You can’t use PII to authenticate an identity online for any kind of transaction.”
That’s why ThreatMetrix offers superior solutions that can’t be compromised by break-ins. ThreatMetrix solutions protect against bad scripts and fraudulent account logins, payments and transactions. With customized rules for each, they’re designed to interdict attacks of fraud in real-time, while passively and transparently profiling users — without collecting extraneous personal identity information. ThreatMetrix offers universal, reliable fraud detection and prevention that puts an end to overreliance on PII.
Posted on June 3rd, 2011 by Dan Rampe

Users say “Yes.” Sony says, “No.”
Eerily reminiscent of the aftermath of Japan’s tsunami nuclear reactor disaster are the widely conflicting reports about the extent of the fallout from the attacks on Sony’s PlayStation Network (PSN).
PSN-users have reported frauds on their credit cards. Additionally, there are published reports that hackers have attempted to sell stolen PSN credit card details. According to various published reports, it’s happened not just once, but repeatedly, including most recently by the hacker group LulzSec. Sony responds that the data was encrypted, therefore useless to fraudsters. So, what’s going on here?
Nobody knows for sure. And there are a whole lot more questions than answers: Were hackers in control of the PlayStation Network long enough to decrypt credit card details? Did they have access to the CVV (Card Verification Value) and CVS (Concurrent Versioning System) codes? Now Congress and even possibly Homeland Security have gotten into the act looking for answers.
If you’re one of the 77-million who turned over PII (Personally Identifiable Information) to Sony that might’ve been compromised…or if you’re responsible for a bank, social networking company, online merchant or any other institution that could be in danger of being defrauded as a result of the PSN break-ins, you’ve got to be asking another question, “Why didn’t they use ThreatMetrix?”
Without requiring PII that can be compromised, ThreatMetrix solutions nab fraudsters in real time before they can do real damage. That’s because ThreatMetrix combines a computer’s packet signature data with transaction details and anonymized credentials (credentials that are obtained anonymously and unlinkably by the user) to differentiate between a fraudster and a customer. In other words, ThreatMetrix would’ve turned points of contention between Sony and PSN users into moot points.
Posted on May 25th, 2011 by Dan Rampe

It might’ve been a friend. Or perhaps even you were caught daydreaming in a history class. What was it the teacher said? “Get your head out of the clouds. You’re not going to find the answers up there.”
With respect to all those teachers who offered that advice, the people at ThreatMetrix would strongly disagree. That’s because when it comes to fraud prevention the cloud is the answer.
“Behind the firewall” solutions are designed for specific markets. They only look for one type of fraudster, for example, fraudsters using stolen credit cards to buy electronic goods from e-tailers. By contrast, ThreatMetrix’s Cloud-Based Fraud Prevention Platform operates on a global scale. ThreatMetrix is able to find fraudsters faster and stop them before they can hit other members of whichever community they’re attacking.
ThreatMetrix’s Cloud-Based Fraud Prevention Platform looks at transactional anomalies, such as compromised email addresses, across the whole network, which means across the length and breadth of the planet. Results are not limited to a single customer base, as is the case with “behind the firewall” solutions.
ThreatMetrix device profiling surpasses standard browser fingerprinting to identify the device, bypass proxies and detect the use of botnets and scripts, regardless of device used. ThreatMetrix verifies new accounts, authorized payments and transactions and authenticates user logins in real-time. The bottom line is that ThreatMetrix is able to identify fraudsters faster and do it for less.
Posted on May 9th, 2011 by Dan Rampe

Explorer 9 and Firefox 4 upgrades permit users to prevent sites from using cookies to track their movements. But, to delete Adobe Flash local shared objects (LSOs) or cookies, users had to go to the Adobe Flash Website.
Now Google Chrome, which is bundled with Flash, makes clearing Flash cookies as easy as…well…pie. All it takes is a few clicks from within the browser and no LSOs. That may be great for user privacy, but it’s hell and dollars to pay for online merchants, banks and social networks, all of whom depend on cookies to stop fraudsters. In fact, today, banking on cookies detecting fraudsters has about as much chance of success as Osama Bin Laden’s relying on messengers.
So what do “smart cookies” do when cookies don’t work? They turn to ThreatMetrix SmartID™ which detects fraudsters even if they’ve wiped their cookies. Without cookies or cookie equivalents, ThreatMetrix SmartID enables companies to stop online fraud, and, at the same time, protect customer privacy.
Posted on May 4th, 2011 by Dan Rampe

ThreatMetrix and the Ponemon Institute have announced the second set of findings from their recent survey around consumers’ reactions to online fraud today. This second round of data was gathered from survey questions around behavioral advertising specifically, on the heels of the recent McCain-Kerry privacy bill.
The study revealed the majority of consumers are comfortable with online behavioral tracking for fraud prevention purposes, but remain hesitant around advertising and promotional purposes. The results are outlined in a report, “Consumers’ Reaction to Online Fraud.”
Other highlights of the findings include:
- Seventy-four percent of consumers expressed some level of concern about online advertisers collecting and using their information for future promotional activity. Half of the respondents, however, feel it acceptable to use information about their online behavior as long as it’s to detect potential fraudsters.
- Twenty-four percent of consumers said they don’t think behavioral targeting in any form is appropriate, whereas 26% said it is okay for online businesses to use their information to either send them ads or monitor potential fraudsters.
- Only 16% of consumers said that advance consent is necessary for each transaction, when asked about the extent of obtaining consent to use their online behavior information for fraud detection. One third said consent was not necessary at all, while the majority (36%) said consent only once in advance is sufficient.
- The majority of consumers (70%) reported that if they were assured their personal information was not collected when used for fraud detection purposes, they were comfortable with an online business authenticating their identity through a digital fingerprint. Another 22% said they were unsure.
The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.
Posted on April 26th, 2011 by Dan Rampe
ThreatMetrix and the Ponemon Institute reveal the first set of findings from their 2011 consumer survey, focused on consumer awareness and confidence in online fraud prevention: “Consumers’ Reaction to Online Fraud.” Most notably, the study found that 85% of survey respondents reported being worried and dissatisfied with the level of online protection businesses are providing to stop fraudsters today. Forty-two percent of respondents indicated that they have been the victim of online fraud, and of those, 80% said they did not report the crime and only 19% said they reported it only to the online business directly.
Other highlights of the findings include:
- Survey respondents who expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.
- Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.
- Consumers have an overall positive perception about companies that use authentication and fraud detection tools to prevent online fraud. Fifty-six percent even indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.
The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.
Posted on March 24th, 2011 by Dan Rampe
Today, while cybercriminals, Trojans, and botnets have radically evolved, many online bank accounts are still protected by little more than a cookie and a simple hash of browser and IP attributes. With growing online security challenges, however, the Federal Financial Institutions Examination Council (FFIEC) has pulled together guidelines for more rigorous forms of customer and transaction authentication.
The draft suggests banks should include use of “one-time” cookies to create a more complex digital fingerprint of the PC by looking at characteristics such as PC configuration, Internet protocol address and geo-location.
At this point, it’s indisputable that banks need to consider smart device identification. This can also include:
- Cookieless device identification
- Man-in-the-middle detection technologies
- Compromised device and script detection
- Global device recognition and behavior tracking
- Context-aware, risk-based assessment across customer and transaction authentication processes
To read more about the issue, see “ThreatMetrix on FFIEC New Authentication Guidance: Banks Must Move Quickly to Adopt Smart Device Identification Technologies.”
Posted on March 20th, 2011 by Dan Rampe

At the 2011 Merchant Risk Council Annual e-Commerce Payments & Risk Conference, ThreatMetrix will be announcing the availability of the ThreatMetrix™ Cloud-Based Fraud Prevention Platform, incorporating cookieless device identification and enhanced mobile authentication. This platform will make it easy for banks, merchants, online businesses, payment gateways and payment providers to detect and screen for fraud.
The ThreatMetrix Cloud-Based Fraud Prevention Platform represents the third generation of device identification technology. ThreatMetrix device intelligence has evolved from IP address, to browser attributes, to packet fingerprinting intelligence to stay one step ahead of increasingly sophisticated fraud attacks and competitive vendors. ThreatMetrix goes beyond first-generation device identification technologies that are limited to IP address and browser attributes with ThreatMetrix SmartID™, a key component of the ThreatMetrix Cloud-Based Fraud Prevention Platform.
ThreatMetrix SmartID, which incorporates unique TCP/IP packet fingerprint detection, cross correlates and scores device fingerprint attributes and behavior with session and browser cookies to more accurately establish and authenticate a device identity. Attributes collected from the IP address and browser are easy to manipulate. For example, common browser plugins allow fraudsters to change the apparent browser and version that the Web server sees with a click of a button.
ThreatMetrix SmartID device identification overcomes these limitations by adding packet fingerprinting intelligence for greater accuracy and spoof protection. Because the information is collected as part of the standard networking and browser security model, there is no possibility of leakage of personal information, no interruption to the customer’s online experience, and no additional software or browser plugins to download or accept.
Some of the new features include:
- Enterprise Risk Engine
- Global Network Intelligence
- Queue Management
- Customizable Alerting
- Online Portal and Dashboard for Transaction Monitoring and Link Analysis
- Bulletproof Security and Privacy Protection
“The ThreatMetrix Cloud-Based Fraud Prevention Platform provides companies with the ability to authenticate payments, new accounts and returning customers online regardless of the device involved – be it a smartphone, personal or tablet computer – without requiring a forklift install of hardware or software,” said Reed Taussig, president and CEO, ThreatMetrix. “A smarter approach to device identification combined with aggregated fraud intelligence in the cloud allows customers to benefit from proactive protection without needing to share personally identifiable information.”
For more details on the new features, check out our press release.
Posted on February 24th, 2011 by Dan Rampe
Findings from the recent APWG report reveal that fraud remains a serious issue in the credit card/payments information category. This is often downplayed to account for rises in cases of smaller categories such as Classified Advertising and Banking. These categories, however, account for less than 10% of all phishing cases. Statistics show that more than one-third of phishing attempts to steal credentials are directed at collecting credit card/payments information, making this the largest category affected by fraudsters.
One reason this issue may not seem as relevant might be the decrease in brand attacks since 2009. It is important to keep in mind, however, that while the number of brands hijacked by phishing attacks is down 22% from October 2009, fraudsters are finding unique ways to target specific brands through personalized phishing attempts that make these efforts more difficult to track.
According to ThreatMetrix Chief Product Officer Alisdair Faulkner in a recent Security Week article, the attacks on the credit card/payment information category may be decreasing, but continue to affect the largest number of people: “Unfortunately the pain is not just felt by the brands targeted by phishing attacks, it is every other online business that is then attacked with the stolen identity and credit card information,” he said.
Within a period of 24 hours (from Feb. 1 – Feb. 2) ThreatMetrix detected 135,000 fraudulent transactions attempted against 350 of the top online companies, data we pulled for Security Week.
Stolen consumer information continues to be a serious issue. It is essential that innovative efforts continue to block fraudsters before they have the opportunity to cause significant damage. Statistics like those gathered from the APWG report illustrate the rapid pace at which the fraud protection industry needs to move in order to maintain a solid approach to fraud prevention.
Posted on August 6th, 2010 by Tom Grubb

A new article in BankInfoSecurity by Managing Editor Linda McGlasson asks whether fraud cases are a black eye for banking. More and more bank customers suffering online fraud losses in the hundreds of thousands of dollars are going to court in an attempt to recover their losses. Banks large (Comerica) and small (Ocean Bank of Portsmouth VA) are on trial in court and in the court of public opinion to defend against customer claims that they (the banks) are responsible for fraudulent losses.
The article calls into question what constitutes “reasonable security” from banking institutions to protect themselves and their customers from fraud. Good question. Two factor authentication that uses the customer’s computer (device) and internet connection as a factor to mitigate risk in a banking transaction seems an obvious choice that not nearly enough banks have fully embraced (yet).
According to Rebecca Herold, an independent consultant, ACH fraud is the underlying cause of the recent incidents. She continues: “One primary reason that ACH fraud continues is because as the security ‘fixes’ are made for the technology with the problems, new procedures are built specifically to address them. Then as the technology evolves and is implemented by the banks, new problems allow for ACH fraud to continue.”
What’s really at stake here are the reputations of the banks and whether customers will trust that they are doing all that they can to protect them from web fraud. I don’t think public court battles between banks and customers have enough candle power to really move the needle with the online banking masses. But they do nudge the needle and in time most banks will extend their security perimeter beyond traditional IT security solutions to include solutions that do more to protect against the new and growing threat of consumer facing bank fraud. A black eye from bank fraud is the new new thing for brand damage that results from media coverage on the risks of doing business online—much like the big data breach headlines of yesterday (still going today…think Heartland Payment Systems.)
Commenting on consumer trust erosion that can result from publicized bank fraud “outings,” Tom Wills, a security, fraud and compliance senior analyst at Javelin Research quotes Benjamin Franklin: “It takes many good deeds to build a reputation, and only one bad one to lose it.”
- Tom