Archive for the ‘online banking’ Category

The world is a big place with close to seven billion people. And, according to professional researcher Moya K. Mason, something like 50-million new firms are started each year. So when you think about ThreatMetrix making Red Herring’s top 100 leading private companies in all of North America, Europe, and Asia, it’s quite an honor – especially when put in the context of other companies that have made the Top 100 in past years: Google, Skype, Baidu, Salesforce.com, YouTube and eBay. (The full list of winners in 2011 can be found here: http://www.herring100.com/RHG/2011/top100.html)

Red Herring’s editorial staff evaluated the companies on both quantitative and qualitative criteria, such as financial performance, technology innovation, management quality, strategy, and market penetration. This assessment of potential was complemented by a review of the track record and standing of start-ups relative to their sector peers.

Alex Vieux, Chairman of Red Herring, observed, “Choosing the best [companies from] the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners.  It was an extremely difficult process [and the] competition for the Top 100 was fierce.  [The] Top 100 Global are truly the best of the best.”

“We’re extremely proud to be recognized by Red Herring as among the best technology companies globally,” said Reed Taussig, president and CEO, ThreatMetrix. “Winning the Red Herring Global award further validates ThreatMetrix’s value proposition in the marketplace as a leading provider of online fraud prevention and cybersecurity solutions.”

Many companies have already come to the conclusion that ThreatMetrix is the “right decision” when it comes to protecting their online assets. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.

Legitimate app or a real killer designed to upload malware and snag users’ personal information and money? Perhaps the only thing growing as fast as the mobile market is malware to steal from that market.

Gerry Smith in a Huffington Post post reported that “malware jumped 22 percent in the first half of this year compared with the same period last year. Google’s Android operating system was the most popular target for mobile malware developers during the second quarter….

“Hackers are setting their sights on Android…by disguising malware as legitimate apps. For example, a fake update of the popular game Angry Birds sends sensitive information about the user to the hacker who gains access to the user’s phone and downloads more malicious software….”

According to the Smith’s post, “after several malicious apps were published to the Android Market, Google said it was taking measures to help prevent additional malicious applications from being distributed and working to fix the underlying security issues. It said the malware did not affect Android versions 2.2.2 or higher.”

But, Smith said that a Symantec white paper claims “Google allows attackers to anonymously create and distribute malware in the Android market and relies on Android users to make important security decisions they are often not capable of making….”  Super news with more Americans opting for Google Android operating systems over Apple’s iOS.

A McAfee report found “an increase in fake anti-virus software for Mac operating systems, suggesting that such malware could start appearing on other Apple products, including iPhones and iPads.”

So if both Apple iOS and Google Android OS are becoming at risk of being compromised, where does an online business turn for protection? ThreatMetrix.

Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real-time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.

Either by turning away real customers or letting cybercrooks get their hands on goods without paying for them, online retailers could find themselves “on the hook” for a big chunk of money on Cyber Monday.

Officially nicknamed (as opposed to unofficially nicknamed) “Cyber Monday” in 2005, Cyber Monday is the Monday after Black Friday, which is the Friday after Thanksgiving, which is the last Thursday in November. Or, put another way, Cyber Monday is the first Monday after Thanksgiving.

Anyway, in 2010, comScore, which claims to be ” the global leader in measuring the digital world” reported that last year consumers spent $1.028 billion online on Cyber Monday, the highest spending day of 2010. And while other countries don’t celebrate America’s Thanksgiving, they do, indeed, celebrate Cyber Monday everywhere from Canada to New Zealand.

Security expert, Jorge Steinfeld, in a Forbes Magazine piece notes that hackers will be gearing up for Cyber Monday this year by taking advantage of social media. “[Hackers] are busy creating fake profiles on social networking and e-commerce sites. These profiles and Web sites are meant to mimic well-known corporate brands, and coax users into clicking on their content. As a result, malicious content can now lay hidden within Twitter posts and Facebook links…” Social media is one more way cybercriminals can “gather personal and professional information, creating specific profiles on individuals and tricking them into divulging sensitive or personal information [from] credit card numbers to information about their employer’s organization.”

Social media and the continuing dramatic 50% growth in mobile transactions year-over-year since 2005 could make 2011 Cyber Monday a record-breaker. One aspect of Cyber Monday that a lot of people in the technology and retail sectors will be paying particular attention to is who will be the big winner of “Mobile Monday”?  Android or iOS?

Following is a breakdown of transactions by mobile device as compiled from the ThreatMetrix Global Network of more than 15-milllion daily transactions. From November 2010 to November 2011, ThreatMetrix found that mobile as a percentage of total transaction volume decreased for the iPhone by 35%, the BlackBerry by 51%, and the Palm by 96%. Conversely, Android mobile volume showed a massive uptick in 2011, with a 661% increase in overall transactions coming from a mobile device. Windows devices showed a more moderate increase, at 19% year-over-year.

“Based on our findings, the iPhone is still the dominant device where mobile transactions are taking place, but we’ve seen Android gain a lot of traction in 2011,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “It’s now become a two-horse race with mobile. The question does not center around whether or not consumers will make mobile purchases this season, but which device will come out ahead on what’s now deemed ‘Mobile Monday’.”

According to ThreatMetrix Fraud Facts, on average, 3% of transactions worldwide now come from a mobile device. That’s up from 2% in 2010.

“Mobile transactions have higher conversion rates because they are intention-driven,” added Faulkner. “This makes it even more critical for retailers to ensure they are not only delivering an excellent mobile experience, but have a solid mobile fraud prevention strategy in place.”

Faulkner noted that while many retailers will likely experience a record number of purchases coming from mobile this year, many still maintain insufficient or incorrect fraud tools in this channel. The consequence will be lost revenue based on both fraudulent transactions taking place, as well as valid customers being turned away because of incorrect fraud classifications. Faulkner predicts as many as one in four mobile transactions may be incorrectly classified this year.

Top Fraud Threats During Peak Season

With an increased volume of online transactions during the holidays, retailers have less time for manual screening and review of transactions – whether they are coming from a laptop, desktop computer, tablet or mobile device. It makes automated fraud screening vital during this high-volume period.

So what are the top five fraud threats during this time of year?

1. Mobile device spoofing – Merchants are put at increased risk with mobile transactions simply because it’s more user-friendly for fraudsters. Today, most fraud coming from the mobile channel actually originates elsewhere; the device acts like a mobile device.

2. Use of botnets and malware – This is a prominent concern on both traditional desktop and laptop computers, as well as mobile devices, as malware can steal passwords and payment account information. On top of that, many of today’s consumers fail to install appropriate fraud prevention software on their mobile devices, according to Faulkner. Analyzing anomalous behavior and checking third-party IP reputation can help detect malware.

3. Cookie-wiping – Merchants could previously track repeat visitors through cookies, yet many of today’s consumers and fraudsters remove cookies by using add-ons and private browsing modes. This makes it difficult to recognize suspicious repeat visitors and identify returning good customers; cookieless device identification is more important than ever.

4. IP address cloaking – It has also become easier for criminals to spoof or mask IP addresses. This makes it harder for merchants to know the “true” IP of the visitor and distinguish the good transactions from the bad. Identifying proxied visitors is crucial; this can be done by inspecting HTTP headers, maintaining a blacklist of known proxy sites, dynamically detecting proxied requests and piercing the proxy with a callback request.

5. Use of Virtual Private Networks (VPNs) – VPNs use separate software on the originating device to place it on a different network, showing traffic is originating from a different address than its true network. To identify fraudsters who are using VPNs, it’s important to monitor time zone and language settings, as well as global anomalies.

For more information about these Cyber Monday threats, and tactics for defeating cybercriminals during this peak transaction period, check out ThreatMetrix videos, “The Mobile Fraud Threat,” “Malware and Mobile: How Big of a Threat Is It?” and “Top Three Tactics to Consider for Mobile Fraud Detection.”

Ericka Chickowski, a contributing editor at Darkreading.com, did a piece titled “Tales of De-Crypt 2011.” Considering it was scheduled to run sometime around Halloween, the title was “scary clever” while the subject matter was just plain scary. Chickowski observes that 2011 has been “a banner year for authentication and Identity and Access Management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month…. [There have been] targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.”

Compiled by Ms. Chickowski is a list of the top ten worst “hacks, vulnerabilities and screw-ups to hit the headlines in 2011.” The upside is that the top-ten list only has seven entries.  It also has some lessons to be learned.

1. The RSA Tokens That Took a Lot of People for a Ride. “After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. RSA confirmed that some ‘information related to the RSA SecurID product had been extracted.’” Extracted is another way of saying ripped off.

So what was learned? Don’t put all your eggs in one basket and leave the basket where anybody can trip over it. Or as Darkreading.com put it, “Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company’s most critical assets.”

2. The Death of DigiNotar.  A hacker with the moniker, ComodoHacker created fraudulent Comodo SSL certificates in March, then, later, hacked CA DigiNotar to issue 500 more certificates. The actions of ComodoHacker, who claimed to have hacked other certificate authorities, ultimately led to the demise of the company.

So what was learned? A stitch in time saves nine?  A penny saved is a penny earned? A wet bird never flies at night?  No, what was learned was, “DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.”

3. HBGary Federal’s “federal case” Over Anonymous Backfires.  After the company’s CEO said he was about to release information about Anonymous, the group infiltrated HGGary’s network through SQL injection, stole stored passwords and got control of the company’s email, internal accounts and its executives’ social media accounts.

So what was learned? As they used to say in the U.S. Infantry (and probably still do) in not such genteel terms, “Don’t let your alligator mouth overload your hummingbird ass.” Darkreading.com put it this way, “Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use Rainbow tables to crack the passwords’ encryption because the firm used weak MD5 hashes to protect them.”

4. Beware the LulzSec. After breaking into networks, LulzSec members distributed unencrypted passwords and other sensitive information, such as emails that impacted everyone from Sony to the U.S. Senate and compromised millions of accounts.

So what was learned? The bigger they come, the harder they fall. That could be one of the things learned.  But, Darkreading.com pulled out some other lessons like, “a lack of input validation or database monitoring [allow LulzSec] to commit SQL injection attacks at will. And …organizations [have a tendency] to store login information unencrypted and unprotected within network systems.”

5. Don’t Count on Citi Account Numbers. Darkreading.com says, “Hackers were able to game Citgroup’s online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers’ accounts. The trick gave them access to customer names, account numbers, and transaction information.”

So what was learned? Money is the root of all evil?  Or rather lack of money is the root of all evil?  No.  Actually it’s that, “web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi’s online banking authentication engine.”

6. Bank of America Rogue Employee Was a Rogue. A Bank of America employee leaked information to an identity-theft ring.  Fake accounts were created under victims’ names and $10-million was stolen before the thieves were nailed.

So what was learned? One rotten apple can spoil the whole barrel. He/she can also steal $10-million. The other thing that was learned is frequent reviews of access controls might have prevented this type of theft.

7.Duqu Worms Its Way Into the World. “A refinement on the code foundation laid down originally by Stuxnet… this password- and data-stealing Trojan features a rogue certificate [now revoked. However,] it’s able to fly under the detection radar by injecting itself into running processes.”

So what was learned? “[This was] another instance of hackers manipulating the certificate authority ecosystem…”

Perhaps the most important lesson to be taken from the seven disasters described above is many could have been averted by using ThreatMetrix solutions. The first perimeter and the most effective element in a multi-layered defense against cyber criminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.

Misha Glenny’s book, DarkMarket, relates the brief history (2005 – 2008) of DarkMarket.ws, an Internet cybercrime forum (in English) that was kind of a cross between a chat room and Amazon.com.

If you haven’t heard about the site, it probably says something about your honesty. You see DarkMarket.ws was “by-invitation-only.”  If you weren’t a cybercrook who knew a cybercrook, you were not about to get access to the URL.  Very exclusive.

You know the expression “honor among thieves?”  Well, you could call getting an invitation to join, “a high honor among thieves.” The Website provided criminal entrepreneurs — stolen identity and credit-card data buyers and sellers — a venue to meet and exchange information and ideas with their peers and learn from experts about the latest technologies and scams in a professional, friendly atmosphere. Created in London by Renukanth Subramaniam, who went by the user name JiLsi, the site had 2,500 users at its peak and was a place where an online thief could buy “skimming machines” (devices installed in ATMs to record users’ credit-card details), find reviews of hardware advertised on the site, and generally catch up on the latest and greatest in crime.

You’ve probably heard this other old saying one time or another.  “You can’t bulls_ _t a bulls_ _ _ ter.”  While you may have heard it, the FBI evidently didn’t because they ended up scamming the scammers.

FBI agent J. Keith Mularski infiltrated the DarkMarket site using the name of an infamous Polish spammer, Master Splyntr. In fact, he not only infiltrated it, he became the site’s administrator!

Misha Glenny’s DarkMarket is the story of how DarkMarket.ws was taken down. Says Evgeny Morozov in his review in the Wall Street Journal, “Mr. Glenny, a gifted investigative reporter, has sought out investigators and cyber criminals alike (he visited many convicted offenders in prison and got them to talk about their trade). He dissects DarkMarket’s transient but maddeningly convoluted history in a highly meticulous, almost forensic manner….Before the story is over, Turkish military intelligence agents, the Tamil Tigers, members of the Saudi royal family and the brother of Supreme Court Justice Stephen Breyer all make appearances.”

Pointing out that it’s impossible to end cybercrime without understanding the psychology of cybercriminals, Morozov says Glenny’s book offers valuable insight. “Even though many cyber criminals have day jobs, they spend inordinate amounts of time online, mostly in a futile attempt to impress their peers and join the ranks of the digital übermenschen. Many choose cybercrime for the same reasons that disaffected youngsters choose more pedestrian forms of crime; tales of desperation, rejection and poverty loom large in this book. Faced with an unpalatable choice between a life of violent crime or seemingly victimless cybercrime, 13-year-olds in Ukraine choose the latter.”

However, no matter how they found their way into cybercrime, once in it, these criminals often act like mainstream business. “Obsessed with profit-maximization, they vie to annihilate competition, establish absolute monopoly and ratchet up the prices.”

While European and American police agencies seemed to work well together, the same couldn’t be said of American internal police agencies.  Offers Morozov, “Mr. Glenny recounts a grotesque story of how the FBI and the Secret Service had been investigating each other’s undercover agents, in both cases believing them to be actual criminals. Only the intervention of their British colleagues, who were privy to the secrets of both groups, prevented a major crisis.”

So, lacking guns, explosions and car chases, what kind of read is DarkMarket? Wall Street Journal reviewer calls it, “an eminently readable, witty narrative that sustains suspense until the very last pages.”

As a result of the FBI sting, there were more than sixty arrests worldwide with the man who started it getting sentenced to nearly five years in prison. So, what’s the best way to fight cybercrime if you’re not an FBI agent with unlimited time and funds?

ThreatMetrix™.

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all of ThreatMetrix’s customers. The information is always up-to-date and always available. Incorporating ThreatMetrix SmartID™ cookieless device identification, the Platform lets companies authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.

Integrated into the latest release of the ThreatMetrix™ Cloud-Based Fraud Prevention Platform is a new multi-layered data encryption architecture feature that takes data encryption to a whole new level.  Addressing strict security requirements, the new feature provides multi-layered encryption of customer-siloed data and global customer data with minimum impact on customer response times.

Should any one customer account be compromised, data loss is limited to that one customer.  Even if the data center hosting ThreatMetrix services were compromised, the encrypted data would remain confidential. Customer data shared with ThreatMetrix™ for fraud protection purposes remains secure. And, there’s no worry about a degradation in performance.

“It’s our goal to raise the bar for the level of security and privacy of online transactions,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “The question is not if a consumer’s identity will be compromised, but it’s a matter of when it will be compromised. Credit card companies can update their credit cards if they’ve been compromised, but consumers can’t simply recycle their identity. ThreatMetrix is staying one step ahead so fraudulent activity is minimized and our clients can do a better job of protecting their customers.”

Faulkner added, “ThreatMetrix, in broadening its strategy as a leader in digital cyber identification, views the new data encryption feature as a critical next-step toward protecting privacy and enhancing the security of confidential consumer information during online transactions. Activities associated with hacker group LulzSec and many recent high-profile data breaches like Epsilon and PlayStation — which resulted in millions of compromised accounts — underlines the need for new encryption technology that better protects both online brands as well as consumers.”

The new release offers a host of new benefits including new fraud detection rules, device identification improvements, administrative enhancements, queue management improvements, and changes to the ThreatMetrix Portal around access and data privacy.

Faulkner observes, “PII is no longer an effective authentication tool by itself, as it can’t authenticate the person behind the transaction.  Context is key, which means looking past the device and also considering other factors associated with the device, like phone number and email. We’re looking for anomalies in customer data, in conjunction with the underlining device reputation behavior. It’s whether or not all transactions and customer and device information make sense in the context of that transaction. We then apply this intelligence across a comprehensive global network to stop fraud in real-time and better protect consumers.”

Today, ThreatMetrix serves social networks, financial services, e-commerce companies et al. by authenticating payments, new accounts, and customers in real-time —without hassling those customers for personal information like Social Security Numbers, mothers’ maiden names, etc. It’s estimated that ThreatMetrix helps screen up to one-billion online transactions each month and is successfully eliminating the threat of an estimated 300,000 fraudulent attempts every day!  That’s why ThreatMetrix has become the fastest growing provider of cloud-based fraud prevention solutions that don’t require personally identifiable information.

Anonymous took more than 600 MB of data from the International Association of Chiefs of Police and took down the IACP’s Website for good measure. Then Anonymous released data which included internal documents, membership rosters, home addresses, passwords, Social Security numbers, etc.

Now, if you agree with Occupy Wall Street, you may feel the hacker group Anonymous has its heart in the right place. But, wherever Anonymous’s heart is, the rest of its geography seems a bit skewed.

As everybody who’s ever lost money in the market knows, Wall Street’s in New York. But Anonymous revealed 1000 names and passwords from the Boston Police Patrolmen’s Association; 1000 names, ranks, social security numbers, addresses and phone numbers from Alabama law enforcement systems; and the full contact database from Arlington Virginia’s Matrix Group, a web development agency serving government Websites.

Attacking police in Boston and Alabama to support a protest in New York? Some observers might be tempted to draw a parallel between these Anonymous attacks and the invasion of Iraq as retribution for 911 which was carried out by Bin Laden from Afghanistan.

Anyway…

According to Meghan Kelly in VentureBeat.com, the Anonymous rationale for the attacks wasn’t supposed to be along geographic lines. “Anonymous said it wanted to attack the police directly because they act as a protector of ‘the one percent,’ or what OWS protesters describe as the fortunate few who hold the majority of the wealth that would otherwise benefit the remaining ‘99 percent.’”

Anonymous has attacked police in the past in an effort to “expose corruption and brutality.” In Anonymous’s own words, ““We have no problem targeting police and releasing their information even if it puts them at risk because we want them to experience just a taste of the brutality and misery they serve us on an everyday basis.”  Spoken like somebody who was caught in a speed trap. Or had his/her vehicle ticketed and towed when the meter was busted. Or got cited for jay walking at 3 in the morning on a deserted side street in a hurricane. Sort of sounds like that.

In an odd twist, Kelly points out that a call to the Baldwin County, Alabama Sheriff’s office via Skype came from a man with a British accent, who claimed he hacked the Sheriff’s website because he was bored.  Kelly’s conclusion – the man was calling from the U.K. and this was an example of how Anonymous is “disjointed.”

No matter how anybody feels about Anonymous’s goals, its tactics, which disclose personal identifying information, are either regrettable or reprehensible. No matter which, there’s one solution designed to thwart an Anonymous attack. And that solution comes from ThreatMetrix™. ThreatMetrix doesn’t rely on passwords, user names or any other personal identifying information to protect its clients. Instead the ThreatMetrix™ Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to stop the bad guys and let the good guys go.

Following a rash of security breaches at Sony, Google, Lockheed Martin, Citigroup, the International Monetary Fund and more, the Securities and Exchange Commission told public companies to disclose cyberattacks that could potentially lead to unexpected losses.

Senator John Rockefeller asked the SEC to issue rules governing what companies are required to disclose. The guidelines come as a result of the concern that companies might be failing to mention data breaches in their public filings.

According to a report in Venturebeat.com, the SEC said that if a cyber attack leads to losses, companies have to disclose the losses, or at least “reasonably possible” estimates of those losses.

In a statement to Reuters, Rockefeller noted, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything.”

Because it could help cybercriminals, companies would not be required to describe how they would go about protecting themselves. However, companies are responsible for disclosing:

• The costs of fixing compromised networks

• Increased cyber protection costs that might involve changes to personnel

• Lost revenue from unauthorized access to information

• Losses related to the failure to retain customers after an attack

• Litigation costs, and reputation damage after an attack

There’s one way not to have to report bad news.  That’s not to have bad news to report. With ThreatMetrix™ solutions, the news is invariably good.  Without requiring personal identifying information that can be compromised, ThreatMetrix solutions catch cybercriminals in real time before they can do real damage.

ThreatMetrix combines a computer’s packet signature data with transaction details and credentials that are obtained anonymously and “unlinkably” by the user to differentiate between cybercriminals and genuine customers.

Everybody seems to be looking at privacy. Talk about an oxymoron. But, because of a raft of security breaches that disclosed personal identification information that could be used for everything from blackmail to identity theft, the U.S. and other governments, privacy-advocacy groups and the security industry itself has become “major-league” privacy conscious.

One of the leading organizations taking up online privacy is the International Association of Privacy Professionals or IAPP.  Founded in 2000, the IAPP is the world’s largest association of privacy professionals. Its more than 9,000 members in 70 countries help define, support and improve the privacy profession through networking, education and certification.

The IAPP deals with tough questions that face all security professionals.

• Could your organization’s reputation survive a breach?

• Is there a possibility that your corporation could be the target of an FTC enforcement action?

• How do you ensure that your organization’s products are trustworthy?

The IAPP’s programs, symposia, dinners, Web conferences and events include a Privacy Academy. The last one, held in Dallas, Texas in September, offered 60 sessions featuring operational programming and tools covering issues like mobile applications, consumer-data protection, employee privacy and building bridges between security and privacy. In addition, there were keynotes from consumer privacy leaders that included FTC Commissioner Julie Brill.

Another organization at the forefront of the online privacy movement is the National Cyber Security Alliance (NCSA). Board members include: ADP, AT&T, Bank of America, Cisco Systems, EMC Corporation, ESET, Facebook, General Dynamics Advanced Information Systems, Google, Intel, Lockheed Martin Information Systems & Global Services, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Verizon and VISA.

A non-profit public-private partnership focused on cybersecurity awareness and education, NCSA is organizing and leading the effort to make January 28, 2012 Data Privacy Day. Scheduled to be an annual event, this international awareness initiative promotes data privacy and protection across the United States, Canada, and a host of other countries across the world.

Another organization stands at the forefront of privacy. That organization is ThreatMetrix™. Because the ThreatMetrix™Cloud-Based Fraud Prevention Platform does not rely on passwords, user names and other personal data to identify returning visitors, it offers unmatched security and unrivalled privacy. ThreatMetrix’s Cloud-Based Fraud Prevention Platform provides a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all ThreatMetrix customers. Information is always up-to-date and always available. With ThreatMetrix, companies can have it all —privacy and security.

A long time ago, online retailers caught onto cybercriminals using stolen credit card accounts to buy expensive consumer products online, then turning around and reselling them in Eastern Europe, North Africa or Russia. The retailers’ answer was to stop shipping goods to these places.

But, reports security expert Brian Krebs in his blog, KrebsonSecurity, “these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.”

Krebs points out, “There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as ‘Drops for stuff’ on cybercrime forums.”

The people “hired” to do the reshipping are variously known as reshippers, mules or drops. “The ‘drops,’” says Krebs, “are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

“A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the U.S. Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.”

Dropforrent.com is a kind of cyberspace fence operation that offers “clients” (cybercrooks) and “managers” (people who do recruitment scams) a percentage of what they steal. Krebs explains that Dropforrent pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products. Incidentally, if you do a search for Dropforrent online, you’ll get a score of websites warning you to stay away, that the jobs the site offers are a  scam.

In addition to electronics, Krebs says, “Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.

Reproduced here without editing KrebsonSecurity.com at http://krebsonsecurity.com/wp-content/uploads/2011/10/applestore-directinstructions.html gives an example of a standard operating procedure of rules for mules:

Use your applestore-direct.com Account to:

- Check a shedule about package deliveries
- Send messages to your manager
- Edit Your Default address and shipping address
- Upload your resume and documents for an approvement
- To check total scores and money you earn

IMPORTANT INFORMATION ABOUT SCORE AND PAYMENT SYSTEM:
YOU WILL RECEIVE APPROXIMATE 40 PACKAGES FOR MONTH
YOUR SALARY BASED ON THE 2000$ MONTHLY PAYMENT, STARTING FROM THE SHIPPING FIRST PACKAGE
AND THERE IS A BONUS SCORE SYSTEM
FOR EVERY SHIPPED PACKAGE YOU GET A SCORE
10-SCORES IF YOU SHIPPED A PACKAGE ON THE SAME DAY BEFORE THE NEXT DAY NOON
5-SCORES IF YOU SHIPPED A PACKAGE ON THE NEXT DAY
0-SCORES IF YOU DELAYED PACKAGEs SHIPPING FOR 3 DAYS AND MORE

ON YOUR PAYDAY THE SCORES WILL BE CHANGED TO MONEY AND ADDED TO YOUR TOTAL INCOME IN RATE OF
10 SCORES-50$
5 SCORES-25$
3 PENALTIES- MINUS 100$

PENALTIES CAN BE USED BECAUSE OF ANY SHIPPING DELAYS, NOT CONTACTING YOUR REGIONAL MANGER IN TIME, NOT COMPLETED

ORDERS,
MISSED PACKAGES TO YOUR ADDRESS WITHOUT ANY REASONS

Krebs observes, “Well-run reshipping schemes can launder huge volumes of stolen goods in a relatively short time. The minimum order dropforrent.net accepts is $300. Records at dropforrent.net show that since the beginning of this year, drops hired through one front site have shipped more than 800 orders — at least a quarter million dollars worth of stolen goods.”

And, the best part about the scam from the cybercriminals’ point of view?  If anything happens, the drop or reshipper or mule is the person the long arm of the law will snag.

For online businesses to avoid being victims of reshipping, the answer is ThreatMetrix.  Device identification is the first and most effective layer in a multi-layered defense against cyber criminals. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.