Archive for the ‘Online Credit Card Transactions’ Category
Posted on January 26th, 2012 by Dan Rampe

“It” refers to data. Data Privacy Day, scheduled for January 28, is about keeping data to yourself and out of the hands of cybercriminals. This annual international celebration is designed to promote awareness about privacy and education about privacy best practices. Official sponsors for Data Privacy Day are eBay and Intel, who are joined by a host of partners including Microsoft, Intuit, Comcast, MasterCard, AT&T, Facebook, Google, the International Association of Privacy Professionals, the State of West Virginia and….
Did we leave anybody out? Probably. But it’s a long list because Data Privacy Day is an excellent cause. Without it, literally the financial, social and political structure of society is at risk. HOLD ON. Just remembered somebody we left out —ThreatMetrix™. ThreatMetrix strongly supports Data Privacy Day.
“We have entered a world of unprecedented identity theft and surveillance for monetary gain,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Every site we visit, everything we search for, to everything we now do, buy and share online is tracked by a growing number of powerful players. Unfortunately the evidence suggests that no data is unreachable or un-exploitable by adversaries or advertisers. Whether it be due to data breaches, phishing attacks or over-sharing, the implication is that identity can no longer be relied-on to authenticate a customer online. The distribution of our identities across the net not only threatens our privacy but also makes us all preposterously easy to impersonate.”
We should all be concerned about data security being at risk in today’s cybercrime-infested environment. And the list of companies and institutions that have had data compromised continues to grow at an alarming rate. From the criminals’ perspective, it just makes good sense. Why try knocking over a bank with a gun and a good chance of getting caught or killed when you can sit back on a beach six time zones away and, with your trusty laptop, steal more money in one day than bank robbers Willie Sutton, John Dillinger, Baby Face Nelson and Bonnie and Clyde did in their whole lives?
Just a cursory glance at the number and types of recent breaches that compromised personal data from finance to health records and employment histories underscores the importance of calling attention to this Pandora’s Box.
- Facebook (Social Networks): A computer worm stole 45,000 login credentials from Facebook accounts in the UK and France.
- Yale University (Academic Institutions): 43,000 Yale University faculty, staff, students and alumni names and Social Security numbers were made public via Google because a File Transfer Protocol (FTP) where data was stored became searchable.
- Cyworld (Online Gaming): 35-million records including phone numbers, email addresses, names and encrypted information about the sites’ members were taken from South Korea’s largest social networking site, Cyworld.
- PBS (Communities): Thousands of user names and passwords were compromised when a PBS Website was hacked.
- Patco Construction (Online Banking): $300,000 was stolen from Patco Construction Company’s online bank account when hackers gained access to the company’s account credentials by sending employees email with Zeus, a password stealing trojan, that infected the company’s computers.
- Citibank (Financial Services): 360,000 Citibank customers (originally Citibank said it was 210,000 customers) had their account numbers and contact information stolen by hackers.
- Pittsford, N.Y. (Government): $139,000 was stolen from the hamlet of Pittsford, a town of 25,000 near Rochester, N.Y. when cyberthieves logged onto the town’s online commercial bank account. Initiating a small batch of automated clearing house (ACH) transfers, the thieves covered their tracks by sending the transfers to “money mules” around the country.
- Comerica Bank (Banking): $560,000 of Experi-Metal Inc. (EMI) hard-earned cash slipped away when Comerica Bank let fraudsters waltz away with it.
- Sony PlayStation (Online Gaming): 70-million Sony customers were put at risk when hackers broke into Sony’s PlayStation Network (PSN) and stole credit card details. The security breach caused Sony to take down the network for “maintenance.” Subsequently, 93,000 Sony customer accounts were hacked in a separate incident. Sony believed those customers used the same Sony login credentials to log on to other sites and that the other sites were hacked, providing access to the customers’ PII (personally identifiable information).
- Sega (Online Gaming): 1.3 million users had personal information put at risk by a Sega online network breach causing the company to temporarily shut down its online network.
- Washington Post (Media): Either 1.27 million, 1.3 million or 1.6 million user IDs and email addresses were ripped off from the Washington Post’s job section.
- Zappos (E-Commerce): 24 million customers’ personal information was put at risk when Zappos, the online shoe outlet owned by Amazon, was hacked.
- Toshiba (Computer Manufacturing): 7,520 Toshiba customers’ email addresses, telephone numbers and passwords were stolen by cybercriminals.
- NATO (Government/Military): A gigabyte of NATO data was stolen by Anonymous, which had accessed NATO servers.
- FTC (Government): More than 18,000 cases of child identity theft were reported to the Federal Trade Commission. Children’s identities provide the kind of clean backgrounds that make it possible for thieves to create entire fictional credit histories. Often the theft is not found until the person turns 18 and starts college or looks for a job.
- RSA (Security): After a junior employee at security firm RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. The attack compromised RSA tokens requiring users to enter a unique number generated by the token each time they connected to their networks. Facebook, Amazon, Abbott Laboratories, Charles Schwab, Microsoft — in all, 20% of the Fortune 100 had been compromised.
- Online Advertising: An East European cybergang hijacked at least four million computers in over 100 countries. Included in the half-million hijacked computers in the United States were some at NASA. Using these computers, the gang stole $14 million in four years with a PPC and ad scheme based on redirecting traffic and replacing genuine ads with their own.
- Steam (Online Video Game Distribution): In a major hack, 35 million user accounts at Steam, one of the world’s largest distribution networks for online video games, may have been compromised exposing credit card details and billing addresses.
- Stratfor Global Intelligence Service (Security): Stratfor Global Intelligence Service, a company which helps clients with security and is famous for its secrecy and its top-secret client list was hacked resulting in names, emails, credit card details, passwords and home addresses for some 4,000 people being compromised. Additionally, this information was used to have clients involuntarily donate to charity to the tune of a million bucks. The hackers also said they had details for more than 90,000 credit card accounts.
- San Francisco City College (Education): For more than a decade San Francisco City College servers have been stealing personal banking information and other data from thousands, or even tens of thousands, of students, faculty and administrators in what the San Francisco Chronicle refers to as “an infestation” of computer viruses with origins in criminal networks in Russia, China et al.
- South Africa’s Postbank (Government): $6.7 million was stolen from South Africa’s Postbank when cyberthieves accessed a computer from a remote location and hacked into Postbank’s server system using stolen login details for a Postbank teller and a call-center agent.
- Epsilon (Email Marketing Services): Epsilon, a large email marketing services company, reported a data breach that could affect the email addresses of thousands of customers of major banks, retail and hotel chains. This impacted financial services institutions such as Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware. However, the only Barclays Bank of Delaware customers affected were the ones who have an LL Bean VISA card. In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.
- WordPress.com (Blogs): WordPress.com, which hosts more than 19 million blogs, had its servers compromised and sensitive data taken.
- The State of Texas (Government): 3.5 million Texans had their names and Social Security numbers (and in some cases their dates of birth and driver’s license numbers) publicly posted in a data breach at the Texas state comptroller’s office.
- International Monetary Fund (Banking/Government): Damage still not assessed or admitted to by the International Monetary Fund which fell victim to a large and sophisticated cyberattack that led the IMF to cut the link that allowed it and the World Bank to share confidential information.
Keep it to yourself. Protect your data with ThreatMetrix solutions. Without relying on passwords, user names and cookies to protect its clients, the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.
Posted on January 18th, 2012 by Dan Rampe

Zappos, the online shoe outlet owned by Amazon, was hacked putting some 24-million customers’ personal information at risk. PCWorld.com reported that Zappos CEO, Tony Hsieh, told customers that, “names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords may have been exposed.” He added that the good news was that the database storing actual credit card and payment data had not been breached.
Nevertheless, the New York Daily News reported that the company had put out a statement informing customers of the incident and asking them to change their passwords. Customers who attempted to phone Zappos for information were met with the sounds of silence. Zappos’ CEO said in a memo, “We have made the hard decision to turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.).”
In an email to employees, which was posted to the Zappos blog, the company said the cyberattack came from a criminal who had gained access to parts of the company’s internal network and systems through a server in Kentucky.
Andrew Storms, director of security operations at nCircle, told PCWorld.com that Zappos’ response to the incident seemed to be appropriate insofar as it had notified customers and reset all passwords to force customers to create new ones to replace those that may be exposed or cracked as a result of the breach.
Security expert, Neil Roiter, research director for Corero Network Security, observed, “Companies such as Zappos should have technology in place that monitors activity on their networks and reports in real time on suspicious activity or activity that does not conform to security policy. The sooner an organization detects a breach, the more quickly it can contain it.”
ThreatMetrix, the fastest-growing provider of integrated cybercrime prevention solutions, offers superior solutions that can’t be compromised by break-ins. The ThreatMetrix™ Cybercrime Defender Platform helps companies protect customer data and secure transactions against fraud, malware, data breaches, as well as man-in-the-browser (MitB) and Trojan attacks. The Platform consists of advanced cybersecurity technologies, including TrustDefender™ ID, which is cloud-based, real-time device identification, as well as malware protection with TrustDefender™ Cloud and TrustDefender™ Client. The company serves a rapidly growing global customer base across a variety of industries, including financial services, e-commerce, payments, social networks, government, and healthcare.
Posted on January 10th, 2012 by Dan Rampe

To meet the ever mounting threat posed by malware, ThreatMetrix™, the fastest-growing provider of integrated cybercrime prevention solutions, announced today that it has acquired the Australian-based company TrustDefender™, a recognized leader of secure browsing technology to stop man-in-the-browser (MitB) attacks and provide malware protection.
The ThreatMetrix™ Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform.
This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.
The combined companies will operate under the ThreatMetrix name with global operations in the United States, Australia and Europe. The corporate headquarters will be located in San Jose, California.
“The natural synergies between device identification and secure browsing are very obvious,” said Reed Taussig, president and CEO, ThreatMetrix. “Successful transaction profiling requires sophisticated malware detection and intelligent device identification to determine if the device is compromised or if the transaction is at risk of being fraudulent. While our customers have recognized this for a long time, the only available solution – until now – was to implement multiple products across different vendors. By integrating advanced device identification and secure browsing into a single, competitively priced, easy-to-install and easy-to-use product, ThreatMetrix is delivering the most complete online fraud management solution available in the market today.”
The Growing Global Malware Threat
According to an Aite Group report (“Know Your Enemy: Successful Online Fraud Mitigation Strategies”), 25 million new, unique strains of malware were released in 2011. That number is projected to grow to 87 million strains by the end of 2015.
A Gartner Group report (“The Five Layers of Fraud Prevention and Using Them to Beat Malware”) containing a survey of 76 U.S. banks found malware was the number one cyberthreat. Gartner’s recommendation: banks and financial institutions should implement a layered approach to fraud prevention to prevent and contain cybercriminal attacks.
According to Andreas Baumhof, co-founder and CEO of TrustDefender, who now joins ThreatMetrix as CTO, the acquisition addresses the growing global malware threat.
“In 2011 we saw a huge increase in sophisticated MitB Trojan activities supporting fraudulent transactions with stolen identities,” said Baumhof. “Malware protection and fraud prevention are closely related, yet no truly integrated solutions were available in the market. The merger allows ThreatMetrix to address fraud prevention and malware protection as a single problem and deliver real benefits to customers at a lower cost.”
ThreatMetrix Cybercrime Defender Platform
With the acquisition, the ThreatMetrix™ Cybercrime Defender Platform now consists of the following product solutions and associated benefits:
- TrustDefender™ ID — TrustDefender ID is a cloud-based, real-time device identification solution that protects companies against cybercriminals and helps validate valuable returning customers. TrustDefender ID provides businesses with a crucial first perimeter of defense to protect online transactions, including account creation, login authentication and payment authorization.
- TrustDefender™ Cloud – TrustDefender Cloud is a cloud-based, real-time solution that helps companies protect customer data and defend against fraud, malware, MitB and Trojan attacks, and data breaches. It mitigates the risk of hidden malware compromising authenticated sessions to steal data, identities or money.
- TrustDefender™ Client — TrustDefender Client is a client-based, real-time solution that mitigates the risk of hidden malware compromising authenticated sessions to steal data, identities or money. A small client component installed on end-user computers identifies and isolates malware, verifies legitimate websites, protects the online session with the business, and communicates with the business to identify potential fraud.
“Combining endpoint centric fraud prevention products is cost effective,” said Avivah Litan, vice president and distinguished analyst, Gartner. “Device identification and malware detection in particular, are two of the most prevalent and required endpoint protection products in the market today. Device identification provides a strong foundation against fraud while malware protection closes a loophole in fraud prevention caused by man-in-the-browser attacks. Combining these solutions will streamline the fraud prevention, management and administrative processes for organizations combating today’s cyberthreats.”
Posted on December 27th, 2011 by Dan Rampe

Superstition has it that if a horseshoe is hung upside down, the luck runs out. Running out of luck and into a scam is exactly what happened to a number of unlucky Lucky Supermarket customers in Northern California.
U.S. Secret Service agents told Save Mart CFO Stephen Ackerman (Save Mart is Lucky’s parent company) that the device thieves concealed in Lucky card readers was “the most sophisticated device [they’d] ever seen in the United States.” Without being detected, thieves planted circuit board sniffer devices inside debit and credit card readers at self-checkout lanes in several San Francisco Bay Area stores. To make detection more difficult, only one card reader at each store was targeted.
Lucky informed customers that they might have to cancel their credit cards or change their bank accounts. “At this time, we strongly recommend that anyone who used our self-check terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one,” said Ackerman.
Television station KTVU said that thus far eighty people have reported money taken or suspicious activity on their accounts with losses in the thousands of dollars.
Lucky only discovered that the card readers had been tampered with after routine maintenance. You might say Lucky found them by “sheer luck.” Once detected, the affected card readers were immediately removed.
While management told KTVU that the tampering “could not happen again,” federal investigators were not quite so optimistic. However, the feds did have a clue how thieves were able to plant the sniffers. It seems someone had stolen credit card readers from a Lucky store in Fresno, California several months prior. If and when they catch the responsible individuals, the feds could be on their way to finding the thieves.
Authorities maintained that thefts of this nature are most likely to occur over the weekend when most financial institutions are closed or have limited hours. To protect against credit card and other financial fraud 24/7/365, more and more online financial institutions are turning to ThreatMetrix.
ThreatMetrix solutions combine a computer’s packet signature data with transaction details and anonymized credentials (credentials that are obtained anonymously and unlinkably by the user) to differentiate between honest transactions and fraudulent ones. Financial institutions are protected against bad scripts and fraudulent account logins, payments and transactions.
Posted on December 13th, 2011 by Dan Rampe

The world is a big place with close to seven billion people. And, according to professional researcher Moya K. Mason, something like 50-million new firms are started each year. So when you think about ThreatMetrix making Red Herring’s top 100 leading private companies in all of North America, Europe, and Asia, it’s quite an honor – especially when put in the context of other companies that have made the Top 100 in past years: Google, Skype, Baidu, Salesforce.com, YouTube and eBay. (The full list of winners in 2011 can be found here: http://www.herring100.com/RHG/2011/top100.html)
Red Herring’s editorial staff evaluated the companies on both quantitative and qualitative criteria, such as financial performance, technology innovation, management quality, strategy, and market penetration. This assessment of potential was complemented by a review of the track record and standing of start-ups relative to their sector peers.
Alex Vieux, Chairman of Red Herring, observed, “Choosing the best [companies from] the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners. It was an extremely difficult process [and the] competition for the Top 100 was fierce. [The] Top 100 Global are truly the best of the best.”
“We’re extremely proud to be recognized by Red Herring as among the best technology companies globally,” said Reed Taussig, president and CEO, ThreatMetrix. “Winning the Red Herring Global award further validates ThreatMetrix’s value proposition in the marketplace as a leading provider of online fraud prevention and cybersecurity solutions.”
Many companies have already come to the conclusion that ThreatMetrix is the “right decision” when it comes to protecting their online assets. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.
Posted on November 16th, 2011 by Dan Rampe

Ericka Chickowski, a contributing editor at Darkreading.com, did a piece titled “Tales of De-Crypt 2011.” Considering it was scheduled to run sometime around Halloween, the title was “scary clever” while the subject matter was just plain scary. Chickowski observes that 2011 has been “a banner year for authentication and Identity and Access Management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month…. [There have been] targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.”
Compiled by Ms. Chickowski is a list of the top ten worst “hacks, vulnerabilities and screw-ups to hit the headlines in 2011.” The upside is that the top-ten list only has seven entries. It also has some lessons to be learned.
1. The RSA Tokens That Took a Lot of People for a Ride. “After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. RSA confirmed that some ‘information related to the RSA SecurID product had been extracted.’” Extracted is another way of saying ripped off.
So what was learned? Don’t put all your eggs in one basket and leave the basket where anybody can trip over it. Or as Darkreading.com put it, “Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company’s most critical assets.”
2. The Death of DigiNotar. A hacker with the moniker ComodoHacker created fraudulent Comodo SSL certificates in March, then, later, hacked CA DigiNotar to issue 500 more certificates. The actions of ComodoHacker, who claimed to have hacked other certificate authorities, ultimately led to DigiNotar’s demise.
So what was learned? A stitch in time saves nine? A penny saved is a penny earned? A wet bird never flies at night? No, what was learned was, “DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.”
3. HBGary Federal’s “federal case” Over Anonymous Backfires. After the company’s CEO said he was about to release information about Anonymous, the group infiltrated HBGary’s network through SQL injection, stole stored passwords and got control of the company’s email, internal accounts and its executives’ social media accounts.
So what was learned? As they used to say in the U.S. Infantry (and probably still do) in not such genteel terms, “Don’t let your alligator mouth overload your hummingbird ass.” Darkreading.com put it this way, “Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use Rainbow tables to crack the passwords’ encryption because the firm used weak MD5 hashes to protect them.”
4. Beware the LulzSec. After breaking into networks, LulzSec members distributed unencrypted passwords and other sensitive information, such as emails that impacted everyone from Sony to the U.S. Senate and compromised millions of accounts.
So what was learned? The bigger they come, the harder they fall. That could be one of the things learned. But, Darkreading.com pulled out some other lessons like, “a lack of input validation or database monitoring [allow LulzSec] to commit SQL injection attacks at will. And …organizations [have a tendency] to store login information unencrypted and unprotected within network systems.”
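The password-storage point in lessons 3 and 4, as an added example (not code from the original post or from Darkreading): it audits what a leaked credential table gives away when passwords are stored as unsalted MD5 versus salted PBKDF2. The account names, passwords, the small precomputed table and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which share a password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "N7#vq-tangerine-42"}
# Constructed stand-in for a precomputed table: MD5 digest -> common password.
COMMON = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def store_weak(password: str) -> str:
    """The 'before': unsalted MD5, the scheme the lesson warns about."""
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'after': per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit(records: dict) -> dict:
    """Report what a leaked table reveals without any per-user work."""
    values = list(records.values())
    return {
        # Accounts whose stored digest appears in the precomputed table.
        "lookup_hits": sorted(
            u for u, h in records.items() if h.rsplit("$", 1)[-1] in PRECOMPUTED
        ),
        # Identical stored values reveal that two users share a password.
        "shared_hashes": len(values) - len(set(values)),
    }


if __name__ == "__main__":
    weak = {u: store_weak(p) for u, p in USERS.items()}
    strong = {u: store_strong(p) for u, p in USERS.items()}
    print("unsalted MD5 :", audit(weak))
    print("salted PBKDF2:", audit(strong))
    print("login check  :", verify_strong("letmein", strong["alice"]))
```
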
5. Don’t Count on Citi Account Numbers. Darkreading.com says, “Hackers were able to game Citigroup’s online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers’ accounts. The trick gave them access to customer names, account numbers, and transaction information.”
So what was learned? Money is the root of all evil? Or rather lack of money is the root of all evil? No. Actually it’s that, “web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi’s online banking authentication engine.”
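The business-logic flaw in lesson 5, as an added example (not code from the original post, Darkreading or Citigroup): a handler that trusts the account number in the URL beside one that binds it to the logged-in user and records refused requests for review. The URL shape, session store, account data and alert threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data; the URL shape and every name here are assumptions.
ACCOUNTS = {
    "4000001": {"owner": "alice", "balance": 1200},
    "4000002": {"owner": "bob", "balance": 310},
    "4000003": {"owner": "carol", "balance": 98},
}
SESSIONS = {"sess-a": "alice"}  # session token -> authenticated user
REVIEW_THRESHOLD = 2            # distinct refused accounts before flagging

refused = defaultdict(set)      # session -> account numbers it was refused


def account_from_url(url: str) -> str:
    """Pull the account number out of the query string."""
    return parse_qs(urlparse(url).query).get("account", [""])[0]


def handle_vulnerable(session: str, url: str):
    """'Before': confirms the caller is logged in, then trusts the URL."""
    if session not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(account_from_url(url))
    return (200, record) if record else (404, None)


def handle_hardened(session: str, url: str):
    """'After': the requested account must belong to the session's user."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    number = account_from_url(url)
    record = ACCOUNTS.get(number)
    if record is None or record["owner"] != user:
        refused[session].add(number)
        return 404, None  # same answer for 'missing' and 'not yours'
    return 200, record


def sessions_to_review():
    """Sessions refused on several different account numbers."""
    return sorted(s for s, n in refused.items() if len(n) >= REVIEW_THRESHOLD)


if __name__ == "__main__":
    base = "https://bank.example/summary?account="
    for number in ("4000001", "4000002", "4000003"):
        print(number, handle_vulnerable("sess-a", base + number)[0],
              handle_hardened("sess-a", base + number)[0])
    print("review:", sessions_to_review())
```
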
6. Bank of America Rogue Employee Was a Rogue. A Bank of America employee leaked information to an identity-theft ring. Fake accounts were created under victims’ names and $10-million was stolen before the thieves were nailed.
So what was learned? One rotten apple can spoil the whole barrel. He/she can also steal $10-million. The other thing that was learned is frequent reviews of access controls might have prevented this type of theft.
7. Duqu Worms Its Way Into the World. “A refinement on the code foundation laid down originally by Stuxnet… this password- and data-stealing Trojan features a rogue certificate [now revoked. However,] it’s able to fly under the detection radar by injecting itself into running processes.”
So what was learned? “[This was] another instance of hackers manipulating the certificate authority ecosystem…”
Perhaps the most important lesson to be taken from the seven disasters described above is many could have been averted by using ThreatMetrix solutions. The first perimeter and the most effective element in a multi-layered defense against cyber criminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.
Posted on November 9th, 2011 by Dan Rampe

Misha Glenny’s book, DarkMarket, relates the brief history (2005 – 2008) of DarkMarket.ws, an Internet cybercrime forum (in English) that was kind of a cross between a chat room and Amazon.com.
If you haven’t heard about the site, it probably says something about your honesty. You see DarkMarket.ws was “by-invitation-only.” If you weren’t a cybercrook who knew a cybercrook, you were not about to get access to the URL. Very exclusive.
You know the expression “honor among thieves?” Well, you could call getting an invitation to join, “a high honor among thieves.” The Website provided criminal entrepreneurs — stolen identity and credit-card data buyers and sellers — a venue to meet and exchange information and ideas with their peers and learn from experts about the latest technologies and scams in a professional, friendly atmosphere. Created in London by Renukanth Subramaniam, who went by the user name JiLsi, the site had 2,500 users at its peak and was a place where an online thief could buy “skimming machines” (devices installed in ATMs to record users’ credit-card details), find reviews of hardware advertised on the site, and generally catch up on the latest and greatest in crime.
You’ve probably heard this other old saying one time or another. “You can’t bulls_ _t a bulls_ _ _ ter.” While you may have heard it, the FBI evidently didn’t because they ended up scamming the scammers.
FBI agent J. Keith Mularski infiltrated the DarkMarket site using the name of an infamous Polish spammer, Master Splyntr. In fact, he not only infiltrated it, he became the site’s administrator!
Misha Glenny’s DarkMarket is the story of how DarkMarket.ws was taken down. Says Evgeny Morozov in his review in the Wall Street Journal, “Mr. Glenny, a gifted investigative reporter, has sought out investigators and cyber criminals alike (he visited many convicted offenders in prison and got them to talk about their trade). He dissects DarkMarket’s transient but maddeningly convoluted history in a highly meticulous, almost forensic manner….Before the story is over, Turkish military intelligence agents, the Tamil Tigers, members of the Saudi royal family and the brother of Supreme Court Justice Stephen Breyer all make appearances.”
Pointing out that it’s impossible to end cybercrime without understanding the psychology of cybercriminals, Morozov says Glenny’s book offers valuable insight. “Even though many cyber criminals have day jobs, they spend inordinate amounts of time online, mostly in a futile attempt to impress their peers and join the ranks of the digital übermenschen. Many choose cybercrime for the same reasons that disaffected youngsters choose more pedestrian forms of crime; tales of desperation, rejection and poverty loom large in this book. Faced with an unpalatable choice between a life of violent crime or seemingly victimless cybercrime, 13-year-olds in Ukraine choose the latter.”
However, no matter how they found their way into cybercrime, once in it, these criminals often act like mainstream business. “Obsessed with profit-maximization, they vie to annihilate competition, establish absolute monopoly and ratchet up the prices.”
While European and American police agencies seemed to work well together, the same couldn’t be said of American internal police agencies. Offers Morozov, “Mr. Glenny recounts a grotesque story of how the FBI and the Secret Service had been investigating each other’s undercover agents, in both cases believing them to be actual criminals. Only the intervention of their British colleagues, who were privy to the secrets of both groups, prevented a major crisis.”
So, lacking guns, explosions and car chases, what kind of read is DarkMarket? The Wall Street Journal reviewer calls it “an eminently readable, witty narrative that sustains suspense until the very last pages.”
As a result of the FBI sting, there were more than sixty arrests worldwide with the man who started it getting sentenced to nearly five years in prison. So, what’s the best way to fight cybercrime if you’re not an FBI agent with unlimited time and funds?
ThreatMetrix™.
The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all of ThreatMetrix’s customers. The information is always up-to-date and always available. Incorporating ThreatMetrix SmartID™ cookieless device identification, the Platform lets companies authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.
Posted on November 7th, 2011 by Dan Rampe

Integrated into the latest release of the ThreatMetrix™ Cloud-Based Fraud Prevention Platform is a new multi-layered data encryption architecture feature that takes data encryption to a whole new level. Addressing strict security requirements, the new feature provides multi-layered encryption of customer-siloed data and global customer data with minimum impact on customer response times.
Should any one customer account be compromised, data loss is limited to that one customer. Even if the data center hosting ThreatMetrix services were compromised, the encrypted data would remain confidential. Customer data shared with ThreatMetrix™ for fraud protection purposes remains secure. And, there’s no worry about a degradation in performance.
“It’s our goal to raise the bar for the level of security and privacy of online transactions,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “The question is not if a consumer’s identity will be compromised, but it’s a matter of when it will be compromised. Credit card companies can update their credit cards if they’ve been compromised, but consumers can’t simply recycle their identity. ThreatMetrix is staying one step ahead so fraudulent activity is minimized and our clients can do a better job of protecting their customers.”
Faulkner added, “ThreatMetrix, in broadening its strategy as a leader in digital cyber identification, views the new data encryption feature as a critical next-step toward protecting privacy and enhancing the security of confidential consumer information during online transactions. Activities associated with hacker group LulzSec and many recent high-profile data breaches like Epsilon and PlayStation — which resulted in millions of compromised accounts — underlines the need for new encryption technology that better protects both online brands as well as consumers.”
The new release offers a host of new benefits including new fraud detection rules, device identification improvements, administrative enhancements, queue management improvements, and changes to the ThreatMetrix Portal around access and data privacy.
Faulkner observes, “PII is no longer an effective authentication tool by itself, as it can’t authenticate the person behind the transaction. Context is key, which means looking past the device and also considering other factors associated with the device, like phone number and email. We’re looking for anomalies in customer data, in conjunction with the underlining device reputation behavior. It’s whether or not all transactions and customer and device information make sense in the context of that transaction. We then apply this intelligence across a comprehensive global network to stop fraud in real-time and better protect consumers.”
Today, ThreatMetrix serves social networks, financial services, e-commerce companies et al. by authenticating payments, new accounts, and customers in real-time — without hassling those customers for personal information like Social Security Numbers, mothers’ maiden names, etc. It’s estimated that ThreatMetrix helps screen up to one-billion online transactions each month and is successfully eliminating the threat of an estimated 300,000 fraudulent attempts every day! That’s why ThreatMetrix has become the fastest growing provider of cloud-based fraud prevention solutions that don’t require personally identifiable information.
Posted on November 3rd, 2011 by Dan Rampe

Anonymous took more than 600 MB of data from the International Association of Chiefs of Police and took down the IACP’s Website for good measure. Then Anonymous released data which included internal documents, membership rosters, home addresses, passwords, Social Security numbers, etc.
Now, if you agree with Occupy Wall Street, you may feel the hacker group Anonymous has its heart in the right place. But, wherever Anonymous’s heart is, the rest of its geography seems a bit skewed.
As everybody who’s ever lost money in the market knows, Wall Street’s in New York. But Anonymous revealed 1000 names and passwords from the Boston Police Patrolmen’s Association; 1000 names, ranks, social security numbers, addresses and phone numbers from Alabama law enforcement systems; and the full contact database from Arlington Virginia’s Matrix Group, a web development agency serving government Websites.
Attacking police in Boston and Alabama to support a protest in New York? Some observers might be tempted to draw a parallel between these Anonymous attacks and the invasion of Iraq as retribution for 9/11, which was carried out by Bin Laden from Afghanistan.
Anyway…
According to Meghan Kelly in VentureBeat.com, the Anonymous rationale for the attacks wasn’t supposed to be along geographic lines. “Anonymous said it wanted to attack the police directly because they act as a protector of ‘the one percent,’ or what OWS protesters describe as the fortunate few who hold the majority of the wealth that would otherwise benefit the remaining ‘99 percent.’”
Anonymous has attacked police in the past in an effort to “expose corruption and brutality.” In Anonymous’s own words, “We have no problem targeting police and releasing their information even if it puts them at risk because we want them to experience just a taste of the brutality and misery they serve us on an everyday basis.” Spoken like somebody who was caught in a speed trap. Or had his/her vehicle ticketed and towed when the meter was busted. Or got cited for jaywalking at 3 in the morning on a deserted side street in a hurricane. Sort of sounds like that.
In an odd twist, Kelly points out that a call to the Baldwin County, Alabama Sheriff’s office via Skype came from a man with a British accent, who claimed he hacked the Sheriff’s website because he was bored. Kelly’s conclusion – the man was calling from the U.K. and this was an example of how Anonymous is “disjointed.”
No matter how anybody feels about Anonymous’s goals, its tactics, which disclose personal identifying information, are either regrettable or reprehensible. No matter which, there’s one solution designed to thwart an Anonymous attack. And that solution comes from ThreatMetrix™. ThreatMetrix doesn’t rely on passwords, user names or any other personal identifying information to protect its clients. Instead the ThreatMetrix™ Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to stop the bad guys and let the good guys go.
Posted on November 1st, 2011 by Dan Rampe

Following a rash of security breaches at Sony, Google, Lockheed Martin, Citigroup, the International Monetary Fund and more, the Securities and Exchange Commission told public companies to disclose cyberattacks that could potentially lead to unexpected losses.
Senator John Rockefeller asked the SEC to issue rules governing what companies are required to disclose. The guidelines come as a result of the concern that companies might be failing to mention data breaches in their public filings.
According to a report in Venturebeat.com, the SEC said that if a cyber attack leads to losses, companies have to disclose the losses, or at least “reasonably possible” estimates of those losses.
In a statement to Reuters, Rockefeller noted, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything.”
Because it could help cybercriminals, companies would not be required to describe how they would go about protecting themselves. However, companies are responsible for disclosing:
- The costs of fixing compromised networks
- Increased cyber protection costs that might involve changes to personnel
- Lost revenue from unauthorized access to information
- Losses related to the failure to retain customers after an attack
- Litigation costs, and reputation damage after an attack
There’s one way not to have to report bad news. That’s not to have bad news to report. With ThreatMetrix™ solutions, the news is invariably good. Without requiring personal identifying information that can be compromised, ThreatMetrix solutions catch cybercriminals in real time before they can do real damage.
ThreatMetrix combines a computer’s packet signature data with transaction details and credentials that are obtained anonymously and “unlinkably” by the user to differentiate between cybercriminals and genuine customers.