Posted on July 22nd, 2010 by Tom Grubb

Scammers threaten to make casual gaming not-so-casual. Virtual goods, the currency of trade for social games, are coveted by cybercriminals for their hard cash value. According to a new article in the Wall Street Journal titled Fraudsters Like Virtual Goods, “merchants that sell digital goods lost 1.9% of all revenue to fraud in 2009, compared with a 1.1% fraud rate for companies that sell physical goods online,” based on data from CyberSource Corp. (a ThreatMetrix partner). The WSJ points out “at first glance it’s hard to imagine fraudsters’ interest in items like computerized swords for a fantasy game. But these goods are often easier to obtain.”
Digital goods purchases are different than physical goods purchases. The WSJ reports that PayPal transacted more than $2 billion in digital goods transactions, with a PayPal spokesperson describing the category as having “a higher degree of nefarious activity.”
These transactions are unique in that they cater to the gamer’s desire for instant gratification and low tolerance for hassle getting online. That means fraud prevention measures must be transparent to the gamer and effective at detecting/preventing fraud. Because gamers are especially sensitive to any delay, and because digital fulfillment is typically instantaneous, fraud detection must occur instantly—and return not simply an accept or reject call, but supporting data that gives the fraud analysts the full context of the transaction (for example, the true IP address and geolocation if the gamer is using a hidden proxy).
Taking the pulse of attendees and exhibitors here at Casual Connect 2010 in Seattle this week, it’s clear that scammers have become a big concern for many, from payment facilitators to household-name gaming companies. Much more this year than last, they are very aware of the kinds of games the scammers play to rob them of revenue. This fast-growing segment of the industry appears ready to do more to blunt the scammers.
- Tom
Posted on March 15th, 2010 by Tom Grubb
The Internet Crime Complaint Center (IC3) just published their 2009 Annual Internet Crime Report. The IC3 was established in 2000 “as a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI) to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cybercrime.”
The number of complaints received in 2009 increased from 275K to 336K (up 22%) and the dollar losses nearly doubled from $264M to $560M. Next to the big scary web fraud numbers published elsewhere, the data reported by the IC3 don’t really move the needle on the fear factor scale, but the percentages show Internet fraud as an industry that experienced considerable growth in 2009.
The IC3 report describes the top Internet scams for 2009, each with its own descriptive name: Hitman Scam, Astrological Reading Scam, Economic Stimulus Scam, Job Site Scams, and Fake Pop-up Ads for Anti-Virus Software; each scam uses one or more tools-of-the-trade including email, online money transfer services, spam, viruses, Trojans, and key loggers. The report understates the importance that anonymity affords cybercriminals: “…it is also vital to gain insight into who the typical perpetrators are. This can prove to be difficult in the world of cybercrime, where a mask of anonymity can impede law enforcement efforts.”
The risk of fraud lives anywhere on the web where someone can create a new account, pay with a credit card, or log in, giving fraudsters enough targets to cherry-pick the ones they want to hit. ThreatMetrix’s own Alisdair Faulkner describes the problem this way in a new white paper:
Online fraud is an asymmetric problem because fraudsters can quickly adapt their methods to exploit weaknesses in online fraud protection systems. Cybercriminals take advantage of automation, tools, shared knowledge, and expertise to commit crimes while their targets—virtually any organization doing business online—are at a disadvantage due to IT scheduling, shortage of trained people, fixed processes, applications and verification services that do not leverage the investment of others.
In other words, cybercriminals hold the high ground in the war on fraud. Faulkner’s new white paper coincides with our announcement today of ThreatMetrix Fraud Network–our next-generation web fraud solution to help companies stop online fraud and accelerate e-commerce. Since ThreatMetrix’s U.S. launch in January last year, we presented our fraud prevention SaaS as a device identification solution. Device ID (aka device fingerprinting) drew a lot of interest and attention last year, helping to propel our customer base to over 100 customers–and growing fast. The ThreatMetrix Fraud Network delivers unparalleled control over fraud and abuse from the cloud without requiring PII, integrated “out of the box” with anti-fraud, authentication and identification applications that leverage our proven device identification capabilities:
- Fully integrated fraud solution for account origination, account takeover and card not present purchases
- Customer accessible rules that enable anyone to tailor ThreatMetrix to their business
- No Personally Identifiable Information required
- Cost effective, easy to install and easy to maintain
- Easy to deploy and integrate with existing applications and processes
- Real-time operation and information delivery
- Proxy piercing device identification that stops fraud at the point of origination
- Enterprise and global fraud intelligence
You can learn more on our new website where you can download Alisdair’s white paper and watch his video on the ThreatMetrix Fraud Network.
- Tom
P.S. We’ll be at the Annual Merchant Risk Council event in Las Vegas this week; if you’re attending, stop by our booth #604.
Posted on November 26th, 2009 by Tom Grubb

Thankfully our comic strip illustrator Andy Warner returned from an extended break with a new episode in our ongoing cartoon series starring two online fraudsters Gromyko and Natasha. Every comic tells a different story of web fraud through the schemes of these two determined cyber criminals.
The latest installment is based on the very real challenge of online dating fraud that exposes millions of consumers around the world to scammers trolling dating sites using love to mask their true intent. Here it is:



If you want to learn more about online dating scams, check out this earlier blog entry, “Fraudster seeks SWF with loaded bank account willing to be duped,” then read how Chellaul uses ThreatMetrix to keep the scammers out of their dating network.
You can read all the ThreatMetrix comic installments here.
- Tom
Posted on November 16th, 2009 by Tom Grubb

You don’t need a crime scene chalk outline to figure out why a customer left, never to return to your web site to shop, if the customer was victimized by fraud in a prior transaction. According to the new 2009 LexisNexis® True Cost of Fraud Benchmark Study, more than four in ten victims will avoid certain merchants after being victimized, out of fear resulting from an unauthorized purchase made at a particular merchant.
The LexisNexis study, backed by research from Javelin Strategy and Research, delves further into this subject, suggesting that merchants should do more than just educate their customers on how to protect themselves from online fraud. The study says that merchants must show customers that they’re taking a proactive role in protecting them from online fraud in ways that are “visibly robust” to consumers, as a critical factor in promoting customer retention and loyalty. Further, three in ten fraud victims cut back on overall online purchases. This chilling effect that online fraud has on its victims is one of the cost elements of fraud assigned to merchants, banks and consumers to quantify the “true” cost of fraud.
You could say the buck stops with consumers—literally—when they fall victim to fraud and associate negative feelings with the merchant. I believe that the impact consumers’ perceptions have on merchants and banks when it comes to anti-fraud efforts will have a much greater impact on their business and how aggressively they invest in visibly making their customers’ experiences safe from fraud. Consumers will vote with their wallets by selectively engaging with online businesses that promote and prove that they are doing everything possible to make their customers safe and their online experience convenient.
This consumer chilling effect from online fraud extends beyond merchants. Twenty-two percent of the respondents said they no longer bank online as a result of being a victim of online fraud. You can bet it doesn’t end there: online dating, gaming, and social networks are subject to the big chill effect too—Web 2.0 say hello to online fraud.
If you’re a merchant or financial institution, this LexisNexis study is a must-read. In fact, any online business can benefit from its findings and recommendations. The cost figures in the study are staggering, with merchants suffering $100 billion in fraud losses from unauthorized transactions and fees/interest associated with chargebacks.
A key finding in the report notes the low satisfaction and effectiveness ratings merchants have for fraud technology solutions, pointing out that this presents an opportunity for merchants to “assess the cost-effectiveness of the latest fraud-fighting technologies and apply improvements.” Device identification (AKA device fingerprinting) is a strong contender here, offering a new source of anti-fraud data and decision-making power that can further reduce fraud rates, lower costs and improve online customer experience.
Caveat emptor/caveat venditor. Buyers and sellers beware when online fraud shapes consumer perceptions that put a chill on ecommerce.
- Tom
Posted on June 22nd, 2009 by Tom Grubb

That’s just one of the interesting findings in our Internet Retailer Conference 2009 informal survey from last week’s event in Boston. The final results are tabulated and ready for your consideration. Some of the comments hand-written on the survey forms were insightful. Here’s one that I found especially telling on the question of who’s winning the war on fraud: “nobody wins—the best we can hope for is a draw.” The notion of a “draw” resonates because fraudsters are driven (and highly motivated) to constantly innovate. There’s always room for improvement when it comes to new ways and means to commit cyber fraud.
That’s why the good guys tasked with preventing fraud say “I’m always looking for new ways to fight online fraud.” I heard that a lot at IRCE last week—more evidence that device fingerprinting is the “new new thing” to fight fraud.
Click here to see the full report from our IRCE 2009 survey.
- Tom
Posted on June 9th, 2009 by Tom Grubb

Would you feel safe purchasing goods with your credit card from your cell phone? If you answered “yes” then you’re in agreement with about half the respondents in a recent Harris Interactive survey reported by Internet Retailer who consider it “at least somewhat safe” to make a purchase through their cell phone.
Of course that presumes you are willing to overlook the inconvenience factor that goes with entering your credit card number and personal information on your cell phone—which depending on your cell phone can be a minor inconvenience or royal pain. According to the survey, “46% of cell phone owners said that, assuming they could purchase securely through cell phones, they’d be willing to make purchases this way.”
As smartphones like Apple’s iPhone get easier to use and consumer adoption increases, it’s a fair bet that online purchases made from smartphones will increase too…and online banking…and social networking…and just about any web activity you would typically undertake on your computer today. Etailers and businesses that rely on customers to connect via their computer will undoubtedly invest more in technology to instill trust and confidence in smartphone users so they feel very safe interacting with them via their smartphones. While 46% may seem like a healthy number, I’m sure the survey results made more than a few etailers cringe.
As smartphones take on more everyday computing tasks they are also likely to become a desirable platform for fraudsters. Georgia Tech in its Emerging Cyber Threats Report for 2009 predicts as much. According to Patrick Traynor, an assistant professor at the university, “malware will be injected onto cell phones to turn them into bots.” He goes on to say “at this point, mobile device capability is far ahead of security….we’ll start to see the botnet problem infiltrate the mobile world in 2009.”
For now it pays to be extra careful when banking or buying from your smartphone. I’ll have more to say about mobile computing and fraud prevention in the coming weeks.
- Tom
Posted on June 8th, 2009 by Tom Grubb

IT PRO has some interesting musings on a Global Fraud Report from RSA that brings new chilling predictions for online fraud. This report brings more than just the usual bad news we typically hear about. Findings in the report cast online fraud in a new light that underscores the monumental challenge fraud poses to the World Wide Web. ‘Fast-flux botnets’ capable of hiding the content servers that serve up the malware and phishing content that fuels online fraud are expected to increase in the next year. Fast-flux botnets can change addresses much more quickly, making them much harder to catch. The technology aspect is chilling, but the rapid commercialization of online fraud it ushers in is what makes this story noteworthy.
The means and expertise to commit online fraud have reached a tipping point where they are easy to learn and operate, more powerful, affordable (even free) and broadly available to just about anyone who wants to get into the business. IT PRO spoke with RSA’s Andrew Moloney who stated the problem in clear terms:
Moloney said: “Fundamentally what we’re seeing is a commercialization of the fraud industry at a level really greater than what we’ve ever seen before.
“The barrier for entry, if you’re a non-technical kind of person, has been significantly lowered.”
This was seen with ‘fraud-as-a-service’, which meant that people didn’t need technical expertise to infect a machine with a trojan or other type of attack, as they could simply buy what they needed.
Fraud-as-a-service has the potential to be a game-changer in favor of online fraudsters and against those conducting legitimate business on the worldwide web. The worldwide volume of account logins, new accounts, and online credit card purchases (CNP) increases year after year—and thanks to fraud-as-a-service the number of people willing and able to commit online fraud is likely to grow at a faster rate.
Increasingly coordinated fraud attacks and better tools available to anyone with the desire to steal will require even more vigilance on the part of etailers, banks, online social networks, web payment facilitators and governments in order to stay ahead of fraudsters. The rise of fraud-as-a-service makes an even more compelling case for device fingerprinting—the only fraud prevention method that can detect fraud before it occurs by profiling the computer instead of the person.
Does Geoffrey Moore’s famous chasm theory apply to fraud-as-a-service? Will it push online fraud across the chasm from early adopters to an early majority?
- Tom
Posted on May 21st, 2009 by Tom Grubb

Does real time data analysis really matter? Apparently I.B.M. thinks so. I.B.M. announced System S today, their new software application that analyzes huge amounts of data in real time to identify correlations. Six years in the making, I.B.M. expects this new application to prove useful in instantly analyzing financial, health, and scientific data as it “streams.”
In today’s New York Times article about the announcement, there are some great comments that speak to the rationale and benefit of real-time data analysis. ThreatMetrix also understands the value of real-time correlation of streaming data. More on that in a minute, first the excerpts from the NYT:
Bo Thidé, a scientist at the Swedish Institute of Space Physics who has been testing an early version of the software, studies the ways in which things like gas clouds and particles cast off by the sun can disrupt communications networks on Earth. The new software, which I.B.M. calls stream processing, makes it possible for Mr. Thidé and his team of researchers to gather and analyze vast amounts of information at a record pace. “For us, there is no chance in the world that you can think about storing data and analyzing it tomorrow,” Mr. Thidé said. “There is no tomorrow. We need a smart system that can give you hints about what is happening out there right now.”
* * *
I.B.M.’s senior vice president for software Steven A. Mills, referring to financial companies says “The challenge in that industry has not been ‘Could you collect all the data?’ but ‘Could you collect it all together and analyze it in real time?’ ”
When it comes to online fraud prevention, ThreatMetrix couldn’t agree more: real-time is the ideal time to prevent online fraud. When ThreatMetrix says real-time we mean you get all the computer/session attribution with the device risk score and reason codes in about a second. Other device profiling technologies claim to operate in real time — but their interpretation falls well short of what’s required to make the right call at the point in time when someone’s knocking on your website door — before you let them in.
I don’t think anyone will be using System S to prevent fraud in real-time any time soon — at least not according to the NYT article that cites a cost of “hundreds of thousands of dollars.” Starting around $1K, ThreatMetrix real-time fraud prevention makes a lot more sense.
- Tom
Posted on May 5th, 2009 by Tom Grubb
Check out Elinor Mills’ new article over on cnet news, “FAQ: Demystifying ID Fraud.” Lots of good insights into the problem of online fraud, including this fraudster tactic:
“Often, the data is sold with a money-back guarantee in the event that the cards are found to have been reported as stolen or if the data is incorrect. Brokers have a number of ways of verifying cards. They can break into an e-commerce Web site and process small transactions on the card with a payment processor to see if the transactions go through. Or they can use the card data to make a $1 donation to a charity.”
The online fraud statistics in the article are sobering. When I was in the data encryption business, we looked to data breaches in the headlines as a measure of the market opportunity. The bigger the breach, the better! Fraud is the downstream effect that results from data breaches. Fraud is where the ill-gotten goods get put to work in an attempt to convert stolen credentials and credit cards to cash. As the cnet article points out, the stolen data is cheap and readily available — thus the downstream effect of fraud is more prevalent. The underlying theme of Ms. Mills’ article? The data, tools and knowledge required to commit fraud are cheap, easy and plentiful.