Posts Tagged ‘Botnets’

January 28, 2012 Is Data Privacy Day: Keep “It” to Yourself

Posted on January 26th, 2012 by Dan Rampe

“It” refers to data. Data Privacy Day, scheduled for January 28, is about keeping data to yourself and out of the hands of cybercriminals. This annual international celebration is designed to promote awareness about privacy and education about privacy best practices. Official sponsors for Data Privacy Day are eBay and Intel, who are joined by a host of partners including Microsoft, Intuit, Comcast, MasterCard, AT&T, Facebook, Google, the International Association of Privacy Professionals, the State of West Virginia and….

Did we leave anybody out? Probably. But it’s a long list because Data Privacy Day is an excellent cause. Without it, literally the financial, social and political structure of society is at risk. HOLD ON. Just remembered somebody we left out —ThreatMetrix™.  ThreatMetrix strongly supports Data Privacy Day.

“We have entered a world of unprecedented identity theft and surveillance for monetary gain,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Every site we visit, everything we search for, to everything we now do, buy and share online is tracked by a growing number of powerful players. Unfortunately the evidence suggests that no data is unreachable or un-exploitable by adversaries or advertisers. Whether it be due to data breaches, phishing attacks or over-sharing, the implication is that identity can no longer be relied on to authenticate a customer online. The distribution of our identities across the net not only threatens our privacy but also makes us all preposterously easy to impersonate.”

We should all be concerned about data security being at risk in today’s cybercrime-infested environment. And the list of companies and institutions that have had data compromised continues to grow at an alarming rate. From the criminals’ perspective, it just makes good sense. Why try knocking over a bank with a gun and a good chance of getting caught or killed when you can sit back on a beach six time zones away and, with your trusty laptop, steal more money in one day than bank robbers Willie Sutton, John Dillinger, Baby Face Nelson and Bonnie and Clyde did in their whole lives?
Just a cursory glance at the number and types of recent breaches that compromised personal data from finance to health records and employment histories underscores the importance of calling attention to this Pandora’s Box.

  • Facebook (Social Networks): A computer worm stole 45,000 login credentials from Facebook accounts in the UK and France.
  • Yale University (Academic Institutions): 43,000 Yale University faculty, staff, student and alumni names and Social Security numbers were made public via Google because the File Transfer Protocol (FTP) server where the data was stored had become searchable.
  • Cyworld (Online Gaming): 35 million records including phone numbers, email addresses, names and encrypted information about the site’s members were taken from Cyworld, South Korea’s largest social networking site.
  • PBS (Communities): Thousands of user names and passwords were compromised when a PBS Website was hacked.
  • Patco Construction (Online Banking): $300,000 was stolen from Patco Construction Company’s online bank account when hackers gained access to the company’s account credentials by sending employees email carrying Zeus, a password-stealing trojan that infected the company’s computers.
  • Citibank (Financial Services): 360,000 Citibank customers (originally Citibank said it was 210,000 customers) had their account numbers and contact information stolen by hackers.
  • Pittsford, N.Y. (Government): $139,000 was stolen from the hamlet of Pittsford, a town of 25,000 near Rochester, N.Y., when cyberthieves logged onto the town’s online commercial bank account. Initiating a small batch of automated clearing house (ACH) transfers, the thieves covered their tracks by sending the transfers to “money mules” around the country.
  • Comerica Bank (Banking): $560,000 of Experi-Metal Inc.’s (EMI) hard-earned cash slipped away when Comerica Bank let fraudsters waltz away with it.
  • Sony PlayStation (Online Gaming): 70 million Sony customers were put at risk when hackers broke into Sony’s PlayStation Network (PSN) and stole credit card details. The security breach caused Sony to take down the network for “maintenance.” Subsequently, 93,000 Sony customer accounts were hacked in a separate incident. Sony believed those customers used the same Sony login credentials to log on to other sites and that the other sites were hacked, providing access to the customers’ PII (personally identifiable information).
  • Sega (Online Gaming): 1.3 million users had personal information put at risk by a Sega online network breach causing the company to temporarily shut down its online network.
  • Washington Post (Media): Either 1.27 million, 1.3 million or 1.6 million user IDs and email addresses were ripped off from the Washington Post’s job section.
  • Zappos (E-Commerce): 24 million customers’ personal information was put at risk when Zappos, the online shoe outlet owned by Amazon, was hacked.
  • Toshiba (Computer Manufacturing): 7,520 Toshiba customers’ email addresses, telephone numbers and passwords were stolen by cybercriminals.
  • NATO (Government/Military): A gigabyte of NATO data was stolen by Anonymous, which had accessed NATO servers.
  • FTC (Government): More than 18,000 cases of child identity theft were reported to the Federal Trade Commission. Children’s identities provide the kind of clean backgrounds that make it possible for thieves to create entire fictional credit histories. Often the theft is not found until the person turns 18 and starts college or looks for a job.
  • RSA (Security): After a junior employee at security firm RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. The attack compromised RSA tokens, which require users to enter a unique number generated by the token each time they connect to their networks. Facebook, Amazon, Abbott Laboratories, Charles Schwab, Microsoft — in all, 20% of the Fortune 100 had been compromised.
  • Online Advertising: An East European cybergang hijacked at least four million computers in over 100 countries. Included in the half-million hijacked computers in the United States were some at NASA. Using these computers, the gang stole $14 million in four years with a pay-per-click (PPC) ad scheme based on redirecting traffic and replacing genuine ads with their own.
  • Steam (Online Video Game Distribution): In a major hack, 35 million user accounts at Steam, one of the world’s largest distribution networks for online video games, may have been compromised exposing credit card details and billing addresses.
  • Stratfor Global Intelligence Service (Security): Stratfor Global Intelligence Service, a company which helps clients with security and is famous for its secrecy and its top-secret client list, was hacked, resulting in names, emails, credit card details, passwords and home addresses for some 4,000 people being compromised. Additionally, this information was used to have clients involuntarily donate to charity to the tune of a million bucks. The hackers also said they had details for more than 90,000 credit card accounts.
  • San Francisco City College (Education): For more than a decade, infected San Francisco City College servers have been stealing personal banking information and other data from thousands, or even tens of thousands, of students, faculty and administrators in what the San Francisco Chronicle refers to as “an infestation” of computer viruses with origins in criminal networks in Russia, China et al.
  • South Africa’s Postbank (Government): $6.7 million was stolen from South Africa’s Postbank when cyberthieves accessed a computer from a remote location and hacked into Postbank’s server system using stolen login details for a Postbank teller and a call-center agent.
  • Epsilon (Email Marketing Services): Epsilon, a large email marketing services company, reported a data breach that could affect the email addresses of thousands of customers of major banks, retail and hotel chains. This impacted financial services institutions such as Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware. However, the only Barclays Bank of Delaware customers affected were the ones who have an LL Bean VISA card. In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.
  • WordPress.com (Blogs): WordPress.com, which hosts more than 19 million blogs, had its servers compromised and sensitive data taken.
  • The State of Texas (Government): 3.5 million Texans had their names and Social Security numbers (and in some cases their dates of birth and driver’s license numbers) publicly posted in a data breach at the Texas state comptroller’s office.
  • International Monetary Fund (Banking/Government): The damage has still not been assessed or admitted to by the International Monetary Fund, which fell victim to a large and sophisticated cyberattack that led the IMF to cut the link that allowed it and the World Bank to share confidential information.

Keep it to yourself. Protect your data with ThreatMetrix solutions. Without relying on passwords, user names and cookies to protect its clients, the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.

Online or on the Hook? Another Cyber Monday Pits Online Retailers Against Cyber Criminals.

Posted on November 23rd, 2011 by Dan Rampe

Either by turning away real customers or letting cybercrooks get their hands on goods without paying for them, online retailers could find themselves “on the hook” for a big chunk of money on Cyber Monday.

Officially nicknamed (as opposed to unofficially nicknamed) “Cyber Monday” in 2005, Cyber Monday is the Monday after Black Friday, which is the Friday after Thanksgiving, which is the last Thursday in November. Or, put another way, Cyber Monday is the first Monday after Thanksgiving.

Anyway, in 2010, comScore, which claims to be “the global leader in measuring the digital world,” reported that consumers spent $1.028 billion online on Cyber Monday, the highest spending day of 2010. And while other countries don’t celebrate America’s Thanksgiving, they do, indeed, celebrate Cyber Monday everywhere from Canada to New Zealand.

Security expert Jorge Steinfeld, in a Forbes Magazine piece, notes that hackers will be gearing up for Cyber Monday this year by taking advantage of social media. “[Hackers] are busy creating fake profiles on social networking and e-commerce sites. These profiles and Web sites are meant to mimic well-known corporate brands, and coax users into clicking on their content. As a result, malicious content can now lay hidden within Twitter posts and Facebook links…” Social media is one more way cybercriminals can “gather personal and professional information, creating specific profiles on individuals and tricking them into divulging sensitive or personal information [from] credit card numbers to information about their employer’s organization.”

Social media and the continuing dramatic 50% year-over-year growth in mobile transactions since 2005 could make 2011 Cyber Monday a record-breaker. One aspect of Cyber Monday that a lot of people in the technology and retail sectors will be paying particular attention to is who will be the big winner of “Mobile Monday”? Android or iOS?

Following is a breakdown of transactions by mobile device as compiled from the ThreatMetrix Global Network of more than 15 million daily transactions. From November 2010 to November 2011, ThreatMetrix found that mobile as a percentage of total transaction volume decreased for the iPhone by 35%, the BlackBerry by 51%, and the Palm by 96%. Conversely, Android mobile volume showed a massive uptick in 2011, with a 661% increase in overall transactions coming from a mobile device. Windows devices showed a more moderate increase, at 19% year-over-year.


“Based on our findings, the iPhone is still the dominant device where mobile transactions are taking place, but we’ve seen Android gain a lot of traction in 2011,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “It’s now become a two-horse race with mobile. The question does not center around whether or not consumers will make mobile purchases this season, but which device will come out ahead on what’s now deemed ‘Mobile Monday’.”

According to ThreatMetrix Fraud Facts, on average, 3% of transactions worldwide now come from a mobile device. That’s up from 2% in 2010.

“Mobile transactions have higher conversion rates because they are intention-driven,” added Faulkner. “This makes it even more critical for retailers to ensure they are not only delivering an excellent mobile experience, but have a solid mobile fraud prevention strategy in place.”

Faulkner noted that while many retailers will likely experience a record number of purchases coming from mobile this year, many still maintain insufficient or incorrect fraud tools in this channel. The consequence will be lost revenue based on both fraudulent transactions taking place, as well as valid customers being turned away because of incorrect fraud classifications. Faulkner predicts as many as one in four mobile transactions may be incorrectly classified this year.

Top Fraud Threats During Peak Season

With an increased volume of online transactions during the holidays, retailers have less time for manual screening and review of transactions – whether they are coming from a laptop, desktop computer, tablet or mobile device. It makes automated fraud screening vital during this high-volume period.

So what are the top five fraud threats during this time of year?

1. Mobile device spoofing – Merchants are put at increased risk with mobile transactions simply because the channel is more user-friendly for fraudsters. Today, most fraud coming from the mobile channel actually originates elsewhere: the originating device is merely made to present itself as a mobile device.

2. Use of botnets and malware – This is a prominent concern on both traditional desktop and laptop computers, as well as mobile devices, as malware can steal passwords and payment account information. On top of that, many of today’s consumers fail to install appropriate fraud prevention software on their mobile devices, according to Faulkner. Analyzing anomalous behavior and checking third-party IP reputation can help detect malware.

3. Cookie-wiping – Merchants could previously track repeat visitors through cookies, yet many of today’s consumers and fraudsters remove cookies by using add-ons and private browsing modes. This makes it difficult to recognize suspicious repeat visitors and identify returning good customers; cookieless device identification is more important than ever.

4. IP address cloaking – It has also become easier for criminals to spoof or mask IP addresses. This makes it harder for merchants to know the “true” IP of the visitor and distinguish the good transactions from the bad. Identifying proxied visitors is crucial; this can be done by inspecting HTTP headers, maintaining a blacklist of known proxy sites, dynamically detecting proxied requests and piercing the proxy with a callback request.

5. Use of Virtual Private Networks (VPNs) – VPNs use separate software on the originating device to place it on a different network, showing traffic is originating from a different address than its true network. To identify fraudsters who are using VPNs, it’s important to monitor time zone and language settings, as well as global anomalies.
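Items 2, 4 and 5 above name concrete server-side signals: forwarding headers leaked by proxies, third-party IP reputation, and time-zone or language settings that do not fit the connecting address. The following Python is an added example written for this page, not ThreatMetrix code; the proxy list, the GeoIP table and the two requests are constructed (RFC 5737 documentation addresses), and a real deployment would swap in a maintained reputation feed and a GeoIP database. The "callback request" technique mentioned in item 4 is not implemented here.

```python
import ipaddress

# Constructed sample data (not a real feed): a tiny known-proxy list and a toy
# GeoIP table keyed by network. Values: (country, plausible UTC offsets in
# minutes east of UTC, languages usually seen from that country).
KNOWN_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): ("US", {-300, -360, -420, -480}, {"en", "es"}),
    ipaddress.ip_network("192.0.2.0/24"): ("DE", {60, 120}, {"de"}),
    ipaddress.ip_network("203.0.113.0/24"): ("NL", {60, 120}, {"nl"}),
}
# Headers that transparent or misconfigured proxies commonly add or leak.
FORWARDING_HEADERS = ("x-forwarded-for", "forwarded", "via", "x-real-ip", "proxy-connection")


def geo_lookup(ip):
    """Return the toy GeoIP record for ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, record in GEOIP.items():
        if addr in net:
            return record
    return None


def primary_language(accept_language):
    """'en-US,en;q=0.9,ru;q=0.8' -> 'en' (the client's first preference)."""
    if not accept_language:
        return None
    return accept_language.split(",")[0].split(";")[0].split("-")[0].strip().lower()


def assess(ip, headers, tz_offset_min, accept_language):
    """Score one request. tz_offset_min is the browser-reported UTC offset in
    minutes, east of UTC positive. Returns (score, reasons): each reason is one
    independent signal, so the score is simply how many signals fired."""
    reasons = []
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. Header inspection: forwarding headers mean at least one hop is a proxy.
    present = [h for h in FORWARDING_HEADERS if h in lower]
    if present:
        reasons.append("proxy headers present: " + ", ".join(present))

    # 2. Reputation list: the connecting address is a known proxy/VPN exit.
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in KNOWN_PROXY_NETS):
        reasons.append("ip on known proxy list")

    record = geo_lookup(ip)
    if record is not None:
        country, offsets, langs = record
        # 3. Time-zone anomaly: the device claims a clock the IP's country does not have.
        if tz_offset_min not in offsets:
            reasons.append(f"timezone offset {tz_offset_min} unusual for {country}")
        # 4. Language anomaly: the same idea, using the Accept-Language header.
        lang = primary_language(accept_language)
        if lang is not None and lang not in langs:
            reasons.append(f"language {lang!r} unusual for {country}")

    return len(reasons), reasons


if __name__ == "__main__":
    # Constructed requests: a plain US visitor, then a proxied visitor whose
    # browser settings disagree with the exit address.
    print(assess("198.51.100.7", {"User-Agent": "x"}, -300, "en-US,en;q=0.9"))
    print(assess("203.0.113.9", {"X-Forwarded-For": "10.0.0.5", "Via": "1.1 proxy"},
                 -300, "ru-RU,ru;q=0.9"))
```

The score is deliberately a plain count of independent signals; a merchant would weight them and combine the result with the device and velocity checks the post mentions rather than block on any single one, since a legitimate traveller or a corporate egress proxy will trip one signal on its own.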

For more information about these Cyber Monday threats, and tactics for defeating cybercriminals during this peak transaction period, check out ThreatMetrix videos, “The Mobile Fraud Threat,” “Malware and Mobile: How Big of a Threat Is It?” and “Top Three Tactics to Consider for Mobile Fraud Detection.”



IAM Overwhelmed!

Posted on November 16th, 2011 by Dan Rampe

Ericka Chickowski, a contributing editor at Darkreading.com, did a piece titled “Tales of De-Crypt 2011.” Considering it was scheduled to run sometime around Halloween, the title was “scary clever” while the subject matter was just plain scary. Chickowski observes that 2011 has been “a banner year for authentication and Identity and Access Management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month…. [There have been] targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.”

Compiled by Ms. Chickowski is a list of the top ten worst “hacks, vulnerabilities and screw-ups to hit the headlines in 2011.” The upside is that the top-ten list only has seven entries. It also has some lessons to be learned.

1. The RSA Tokens That Took a Lot of People for a Ride. “After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. RSA confirmed that some ‘information related to the RSA SecurID product had been extracted.’” Extracted is another way of saying ripped off.

So what was learned? Don’t put all your eggs in one basket and leave the basket where anybody can trip over it. Or as Darkreading.com put it, “Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company’s most critical assets.”

2. The Death of DigiNotar. A hacker with the moniker ComodoHacker created fraudulent Comodo SSL certificates in March, then, later, hacked CA DigiNotar to issue 500 more certificates. The actions of ComodoHacker, who claimed to have hacked other certificate authorities, ultimately led to the demise of the company.

So what was learned? A stitch in time saves nine?  A penny saved is a penny earned? A wet bird never flies at night?  No, what was learned was, “DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.”

3. HBGary Federal’s “federal case” Over Anonymous Backfires. After the company’s CEO said he was about to release information about Anonymous, the group infiltrated HBGary’s network through SQL injection, stole stored passwords and got control of the company’s email, internal accounts and its executives’ social media accounts.

So what was learned? As they used to say in the U.S. Infantry (and probably still do) in not such genteel terms, “Don’t let your alligator mouth overload your hummingbird ass.” Darkreading.com put it this way, “Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use rainbow tables to crack the passwords’ encryption because the firm used weak MD5 hashes to protect them.”

4. Beware the LulzSec. After breaking into networks, LulzSec members distributed unencrypted passwords and other sensitive information, such as emails that impacted everyone from Sony to the U.S. Senate and compromised millions of accounts.

So what was learned? The bigger they come, the harder they fall. That could be one of the things learned.  But, Darkreading.com pulled out some other lessons like, “a lack of input validation or database monitoring [allow LulzSec] to commit SQL injection attacks at will. And …organizations [have a tendency] to store login information unencrypted and unprotected within network systems.”

5. Don’t Count on Citi Account Numbers. Darkreading.com says, “Hackers were able to game Citigroup’s online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers’ accounts. The trick gave them access to customer names, account numbers, and transaction information.”

So what was learned? Money is the root of all evil? Or rather lack of money is the root of all evil? No. Actually it’s that, “web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi’s online banking authentication engine.”
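The Citi flaw is the classic shape of a business-logic bug: the session proves who is logged in, but the handler never asks whether the account named in the URL belongs to that person. The Python below is an added illustration for this page, not Citigroup code: a vulnerable lookup beside a hardened one that enforces ownership, plus a small monitor that counts refused lookups per session so that a run of rejected account numbers shows up in review. Account numbers, owners and balances are constructed.

```python
from collections import defaultdict

# Constructed sample data: account number -> owner and balance.
ACCOUNTS = {
    "100200300": {"owner": "alice", "balance": 1250.00},
    "100200301": {"owner": "bob", "balance": 80.25},
    "100200302": {"owner": "carol", "balance": 9.99},
}


class AccessDenied(Exception):
    pass


def get_account_vulnerable(session_user, account_id):
    """The flaw pattern: authentication without authorization. The session
    says who the caller is, but nothing ties account_id (taken straight from
    the URL) to that caller, so any logged-in user can read any account."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise AccessDenied("no such account")
    return account


class ProbeMonitor:
    """Count refused lookups per session. A legitimate customer almost never
    asks for an account that is not theirs, so a burst of denials is the
    server-side symptom of number guessing and is worth flagging."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.denials = defaultdict(int)

    def record_denial(self, session_user):
        self.denials[session_user] += 1
        return self.is_flagged(session_user)

    def is_flagged(self, session_user):
        return self.denials[session_user] >= self.threshold


MONITOR = ProbeMonitor()


def get_account_hardened(session_user, account_id, monitor=MONITOR):
    """Authorization check: the account must exist AND be owned by the session
    user. Both failures produce the same error, so the response does not tell
    the caller which account numbers exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        monitor.record_denial(session_user)
        raise AccessDenied("account not available")
    return account


def my_accounts(session_user):
    """Preferred design: derive the selectable accounts from the session
    rather than accepting an arbitrary number from the client at all."""
    return sorted(aid for aid, acct in ACCOUNTS.items() if acct["owner"] == session_user)


if __name__ == "__main__":
    print(get_account_vulnerable("bob", "100200300"))   # bob reads alice's data
    try:
        get_account_hardened("bob", "100200300")
    except AccessDenied as exc:
        print("hardened:", exc)
    print(my_accounts("alice"))
```

The ownership check is the fix; the monitor is the detection the quoted lesson asks for, since a logic flaw of this kind produces no crash or malformed input for a scanner to notice, only a pattern of requests that a per-session counter makes visible.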

6. Bank of America Rogue Employee Was a Rogue. A Bank of America employee leaked information to an identity-theft ring.  Fake accounts were created under victims’ names and $10-million was stolen before the thieves were nailed.

So what was learned? One rotten apple can spoil the whole barrel. He/she can also steal $10-million. The other thing that was learned is that frequent reviews of access controls might have prevented this type of theft.

7. Duqu Worms Its Way Into the World. “A refinement on the code foundation laid down originally by Stuxnet… this password- and data-stealing Trojan features a rogue certificate [now revoked. However,] it’s able to fly under the detection radar by injecting itself into running processes.”

So what was learned? “[This was] another instance of hackers manipulating the certificate authority ecosystem…”

Perhaps the most important lesson to be taken from the seven disasters described above is many could have been averted by using ThreatMetrix solutions. The first perimeter and the most effective element in a multi-layered defense against cyber criminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.



“We’d Like to Thank the Academy…”

Posted on June 22nd, 2011 by Dan Rampe

What? Not an Oscar?

Oh, ThreatMetrix won Red Herring’s much coveted “Top 100 North America Award.” In all honesty, it seemed like there was something fishy about ThreatMetrix winning an Academy Award.

Now, a Red Herring “Top 100 North America Award” on the other hand — nothing fishy about that. After all, without relying on passwords and cookies, ThreatMetrix solutions preserve user privacy while its ThreatMetrix Cloud-Based Fraud Prevention Platform, which uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction, is the ultimate weapon against fraudsters. In short, ThreatMetrix offers the best of both worlds: protection for the e-company, privacy for the user.

The Top 100 North America Award is based on financial performance, technology innovation, quality of management, execution of strategy, and integration into the industry. Given by Red Herring editors, the award has become a mark of distinction for identifying promising new companies and entrepreneurs, such as Facebook, Twitter, Google, Yahoo, Skype, Salesforce.com, YouTube, and eBay.

And, now ThreatMetrix.



You CAN Handle the Truth

Posted on June 15th, 2011 by Dan Rampe

Actually, ThreatMetrix believes you CAN handle the truth.

Just reach out. It’s a fingertip, mouse-click away, anytime day or night, anywhere.

Need to know what’s really going on in the world of fraudsters, cheats, thieves and scammers? Here’s the truth, the whole truth and nothing but….

It’s ThreatMetrix’s up-to-this-instant, exciting, brand-new initiative for tracking fraud-activity trends: ThreatMetrix™ Fraud Facts. Based on evaluations of over 15 million transactions taking place every day, you get a unique peek into the fraudster mindset. Here you discover his/her latest tactics, tricks and dodges, so you can formulate plans and adopt strategies for stopping them. With this information, it’s far easier to cull the criminals hidden among the vast majority of honest customers.

The analysis will cover a range of online fraud, looking at:

• Percentage of Transactions from Compromised Devices

• Percentage of Transactions from Devices that have had Cookies Wiped

• Percentage of Transactions from Devices that are Associated with Multiple Email Addresses

• Percentage of Transactions Flagged as Higher Risk

• Percentage of High-Risk Transactions by Country

• Percentage of Countries with Highest Ratio of High-Risk Transactions

• Mobile Transaction Volumes

• Relative Mobile Transaction Volume by Country

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform is the only global online fraud prevention platform that stops web fraud in its tracks to speed up e-commerce for new account origination, web payments and account logins.

The truth that was only “out there” is now here.

Bookmark it — ThreatMetrix Fraud Facts — and stay way ahead of the bad guys.


E-Commerce Shifts into Overdrive—The Race is On at IRCE 2011

Posted on June 14th, 2011 by Dan Rampe

ThreatMetrix is exhibiting in Booth 1216 at the world’s largest e-commerce event this week, IRCE 2011. In its seventh year running, IRCE will round up more than 7,000 e-tailers at the San Diego Convention Center for four days of e-commerce-centric workshops, sessions and networking.

According to Internet Retailer, online retailers experienced losses of $2.7 billion, or .9 percent of total revenues, in 2010. The real losses are obviously higher, as most online retailers are reluctant to divulge their overall exposure to and losses from fraud.

The challenge for e-tailers is to screen more online orders while keeping order rejection and fraud rates as low as possible to maximize sales and profits.

Automation is a critical addition that helps e-merchants scale their efforts more efficiently and cost-effectively than growing their fraud staff. International card-not-present (CNP) transactions pose an additional challenge to e-tailers who adopt higher rejection rates to reduce their risk — at the expense of more sales. Digital downloads like music and images also present a unique challenge for fraud detection, with a fulfillment window of seconds rather than hours. While they must minimize fraud, e-tailers must also use every tool at their disposal to make their customers’ online purchases as hassle-free and simple as possible, or risk losing to a competitor just a click away.

ThreatMetrix device profiling brings a new and powerful approach to fighting fraud and enabling e-commerce that helps merchants manage CNP payments risk in real-time without relying on personally identifiable information (PII). ThreatMetrix device profiling goes beyond browser fingerprinting to identify the device, bypass proxies and detect the use of botnets to offer e-merchants an additional layer of protection that reduces lost sales from false negatives, reduces fraud chargebacks and chargeback fees and files, and minimizes fraud management expense by reducing the number of transactions sent for manual review.

Bert Rankin, vice president of marketing, and other ThreatMetrix employees will be exhibiting at Booth 1216, offering attendees insight into the latest in online fraud prevention around mobile transactions, ticketing, social media and Web 2.0, as well as emerging fraud technologies like the ThreatMetrix Cloud-Based Fraud Prevention Platform.

This year’s IRCE is built on a forward-looking theme: “E-Commerce Shifts into Overdrive—The Race is On.” The event is specifically designed to give e-tailers practical information they need to compete in today’s growing e-commerce market, and ThreatMetrix is looking forward to being part of that conversation.


ThreatMetrix Research Study, Part II: Three in Four Consumers Say Using Their Information for Fraud Detection is ‘Okay’

Posted on May 4th, 2011 by Dan Rampe

ThreatMetrix and the Ponemon Institute have announced the second set of findings from their recent survey around consumers’ reactions to online fraud today. This second round of data was gathered from survey questions around behavioral advertising specifically, on the heels of the recent McCain-Kerry privacy bill.

The study revealed the majority of consumers are comfortable with online behavioral tracking for fraud prevention purposes, but remain hesitant around advertising and promotional purposes. The results are outlined in a report, “Consumers’ Reaction to Online Fraud.”

Other highlights of the findings include:

  • Seventy-four percent of consumers expressed some level of concern about online advertisers collecting and using their information for future promotional activity. Half of the respondents, however, feel it acceptable to use information about their online behavior as long as it’s to detect potential fraudsters.
  • Twenty-four percent of consumers said they don’t think behavioral targeting in any form is appropriate, whereas 26% said it is okay for online businesses to use their information to either send them ads or monitor potential fraudsters.
  • Only 16% of consumers said that advance consent is necessary for each transaction, when asked about the extent of obtaining consent to use their online behavior information for fraud detection. One-third said consent was not necessary at all, while the majority (36%) said consent only once in advance is sufficient.
  • The majority of consumers (70%) reported that if they were assured their personal information was not collected when used for fraud detection purposes, they were comfortable with an online business authenticating their identity through a digital fingerprint. Another 22% said they were unsure.

The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.

Will fraudsters outsmart smartphones?

Posted on June 9th, 2009 by Tom Grubb

Would you feel safe purchasing goods with your credit card from your cell phone? If you answered “yes” then you’re in agreement with about half the respondents in a recent Harris Interactive survey reported by Internet Retailer who consider it “at least somewhat safe” to make a purchase through their cell phone.

Of course that presumes you are willing to overlook the inconvenience factor that goes with entering your credit card number and personal information on your cell phone—which depending on your cell phone can be a minor inconvenience or royal pain. According to the survey, “46% of cell phone owners said that, assuming they could purchase securely through cell phones, they’d be willing to make purchases this way.”

As smartphones like Apple’s iPhone get easier and consumer adoption increases it’s a fair bet that so will online purchases made from smartphones…and online banking…and social networking…and just about any web activity you would typically undertake on your computer today. Etailers and businesses that rely on customers to connect via their computer will undoubtedly invest more in technology to instill trust and confidence in smartphone users so they feel very safe interacting with them via their smartphones. While 46% may seem like a healthy number, I’m sure the survey results made more than a few etailers cringe.

As smartphones take on more everyday computing tasks, they are also likely to become a desirable platform for fraudsters. Georgia Tech in its Emerging Cyber Threats Report for 2009 predicts as much. According to Patrick Traynor, an assistant professor at the university, “malware will be injected onto cell phones to turn them into bots.” He goes on to say, “at this point, mobile device capability is far ahead of security… we’ll start to see the botnet problem infiltrate the mobile world in 2009.”

For now it pays to be extra careful when banking or buying from your smartphone. I’ll have more to say about mobile computing and fraud prevention in the coming weeks.

- Tom