ThreatMetrix and the Ponemon Institute have announced the second set of findings from their recent survey around consumers’ reactions to online fraud today. This second round of data was gathered from survey questions around behavioral advertising specifically, on the heels of the recent McCain-Kerry privacy bill.
The study revealed the majority of consumers are comfortable with online behavioral tracking for fraud prevention purposes, but remain hesitant around advertising and promotional purposes. The results are outlined in a report, “Consumers’ Reaction to Online Fraud.”
Other highlights of the findings include:
Seventy-four percent of consumers expressed some level of concern about online advertisers collecting and using their information for future promotional activity. Half of the respondents, however, feel it acceptable to use information about their online behavior as long as it’s to detect potential fraudsters.
Twenty-four percent of consumers said they don’t think behavioral targeting in any form is appropriate, whereas 26% said it is okay for online businesses to use their information to either send them ads or monitor potential fraudsters.
Only 16% of consumers said that advance consent is necessary for each transaction, when asked about the extent of obtaining consent to use their online behavior information for fraud detection. One third said consent was not necessary at all, while the majority (36%) said consent only once in advance is sufficient.
The majority of consumers (70%) reported that if they were assured their personal information was not collected when used for fraud detection purposes, they were comfortable with an online business authenticating their identity through a digital fingerprint. Another 22% said they were unsure.
The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.
Fighting web fraud is a game of cat and mouse between fraud analysts and cybercriminals where the odds are stacked against fraud analysts. The bad guys have the upper hand, pitting tools, targets, time and tenacity against fraud analysts who are doing their best to identify fraudulent transactions and prevent web fraud while not stopping good customers from transacting at their web site. How does data help fraud analysts stop and prevent fraud? It depends on the nature and context of the transaction. I’ll use an example from the non-digital realm to [...]
We keep finding new and interesting ways to use our ThreatMetrix comic characters to spread the word about our SaaS web fraud solution. Now here’s a new one that’s good for more than just a laugh: educational “how-to’s” so you can get under the hood of The ThreatMetrix Fraud Network. Here’s our first installment, cooked up by ThreatMetrix Chief Products Officer Alisdair Faulkner. In the ThreatMetrix Web Fraud 101 “how to” series, learn about botnets and proxies, two powerful tools in the fraudster toolkit, and how ThreatMetrix turns these tools against them.
The tight confines of our blog make the panels a bit hard to read so head over to our website to get the full sized version of the entire series.
Yesterday the New York Times reported on a new wave of computer infections by a worm that has turned millions of consumer and business PCs into botnets – an army of devices capable of carrying out illegal transactions on behalf of their controller.
So what’s new?
Unlike worms that were previously designed to bring down computer networks or send spam, these infected computers are now able to be used to conduct online credit card transactions. They act like middle-men to trick fraud filters into thinking that the transaction originated domestically instead of from Nigeria, Estonia, Russia and other high risk countries.
This ready availability of infected PCs, combined with millions of breached credit card details sets up a perfect storm for online credit card fraud which is very bad news for merchants, gateways and credit card issuers.
Security companies like Symantec and McAfee try to protect consumers from having their computers infected in the first place. But when the inevitable does happen, who protects online merchants and websites from these PCs once they are infected?
2009 was the year the world’s most popular flu vaccine Tamiflu was rendered 99% ineffective due to a spontaneous mutation. Last year major flu strains were only 11% resistant.
The Washington Post reported that another large Payment Processor disclosed that they had been breached, potentially exposing hundreds of millions of credit card details to fraudsters.
Robert Baldwin, CFO of Heartland Payment Systems, conceded that credit card numbers, expiry dates and names were compromised but commented that:
The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address
I’m wondering if fraudsters and hackers with this level of sophistication also have access to a White Pages or Facebook search?
Even if information such as CVV code data is not compromised along with the card data, an online merchant still has the option not to make this extra verification information mandatory. Worse, I had a meeting with an Online Payment Gateway yesterday who described how fraudsters pose as legitimate merchant accounts but will then authorize a large volume of stolen credit card transactions which ultimately leave the payment gateway holding hundreds of thousands in losses.
The Heartland Breach is only one of many, which calls into question the entire notion of a merchant or gateway being able to confidently process a credit card transaction based on the user’s credentials alone. The sheer number of both compromised credit card accounts and compromised computers that fraudsters can conduct transactions through means that new solutions need to be sought out.
Programs like Verified by Visa mitigate this risk somewhat by requiring an additional password to authenticate the transaction; however, this introduces friction into the purchasing experience and is not widely supported.
ThreatMetrix provides its Merchant and Payment Gateway customers with an alternative identity verification method that has zero impact to the customer and her purchasing experience by transparently profiling, identifying and recognizing the actual device used in the transaction.
This provides a number of unique benefits.
Detect credit card list washing: If the credit card details are stolen, ThreatMetrix will detect multiple credit card details linked to the same computer even if fraudsters attempt to spoof their location and IP Address with Proxies, even if transactions are conducted across multiple sites.
Stop first time fraud attempts: Even if a device in the transaction is not recognized, ThreatMetrix provides real-time anomaly detection such as if the transaction is being conducted through a botnet proxy or compromised PC that is infected and under the control of a fraud ring.
Accept more orders and registrations: ThreatMetrix enables merchants and websites to verify whether the combination of the user’s credit card and the device in the transaction has previously transacted successfully, allowing the confident acceptance of orders and registrations that might otherwise be rejected.
According to The New York Times the leading flu drug is now ineffective against 99% of infections. Last year resistance was found in only 11% of cases, with the dramatic change blamed on a spontaneous mutation of the virus and not just through overuse.
What does this have to do with online fraud detection?
Flu drugs like Tamiflu and Relenza are equivalent to first generation online fraud detection filters that rely on IP Intelligence, such as IP Velocity Checks and IP Geolocation. Based on our experience, ThreatMetrix believes the effectiveness of these technologies is equivalent to Tamiflu circa 2008. They are still resistant to fraudulent attempts performed by opportunistic or unsophisticated fraudsters, but are about to move through a phase of widespread obsolescence.
This spontaneous mutation can be blamed on the nexus of three key factors:
The first is the rapid transfer of knowledge from sophisticated and professional fraudsters to the unwashed underbelly of opportunistic fraudsters.
The third is the ready availability of botnets, infected PCs connected to always on broadband connections, which are used to spoof IP Addresses to bypass IP-based filters like IP Velocity checks and IP Geolocation checks.
So what are the implications?
The majority of fraud teams at leading ecommerce and online retail companies have been successful in keeping fraud costs to under 1% of total revenue by using a combination of manual review, identity verification and IP Intelligence.
ThreatMetrix has seen this new strain of botnet fraud cause a rapid spike in fraud rates from 2008 into 2009, causing many online businesses not only to lose significant amounts of money but also to fall afoul of credit card company chargeback thresholds and be turned off at the tap.
Last week I was discussing this very issue with a home entertainment electronics company that had lost access to the Discover Network due to a rapid spike in stolen credit card authorization attempts. Once fraudsters exploit a hole in your defenses they tend to be fast and effective in bleeding you dry.
This is a big concern that many fraud managers across online merchants of all sizes and across all industries secretly share – that even if they have a handle on fraud today, they feel that there is a real and present threat of being wiped out by the next big fraud outbreak.
At ThreatMetrix we are fortunate enough to work with the smartest and the brightest in online fraud detection for the largest and most successful online companies.
In recent conversations with three separate businesses across online retail, credit card processing and social networking it emerged as a definite trend that the Nigerians have been learning from the Russians.
Paraphrasing one of the conversations:
It used to be that Nigerians would just connect directly from their computer in Nigeria. They were pretty easy to pick off just based on the Geolocation of their IP Address alone. The Russians on the other hand will attempt to use some form of cloaking such as a proxy or compromised computer. Now, we are seeing a definite trend for Nigerian fraudsters getting smarter about covering their tracks. By doing some back-end analysis we can tell that the same patterns consistent with the Nigerians are there, but our front end systems are not as effective in screening them out anymore.
This is the trickle down effect in action. In the security realm this effect was the birth of ‘script kiddies’, or just ‘skiddies’ for those in the know, who would reuse previously developed hacker programs for fun and fame. In fraud, this same trend sees the online world at an interesting juncture where even third world countries and teenagers have access to technology capable of circumventing the protections of first class fraud detection teams.
As a data point, take a look at this YouTube instructional video, over a year old now, of a young teenage hacker walking you through how to do an SQL injection in response to being teased as a ‘skiddie’.