Posts Tagged ‘ponemon institute’

Would You Care for Some Wine and Identity Theft with Your Order?

Posted on October 19th, 2011 by Dan Rampe

For anybody who is unfamiliar with it, Queens is one of New York City’s five boroughs. It is the home of the New York Mets, JFK and LaGuardia airports, the U.S. Open tennis tournament and now, the biggest identity theft bust in U.S. history.

Restaurant workers, bank tellers and other service employees skimmed, swiped and scammed millions of dollars worth of personal credit information from thousands of American and European consumers. The cost to victims, financial institutions and retail business was more than $13 million over a 16-month period. Now 111 people are charged and 86 are in custody.

In New York, employees of banks, retail outlets and restaurants would skim credit card information while swiping customers’ credit cards. Others were tasked with stealing credit card information online.  The numbers were then handed off to teams who, using blank credit cards from overseas, forged Visas, MasterCards, Discover and American Express cards as well as fake IDs.

Sometimes the alleged crooks would employ an “impersonator,” an individual who contacted financial institutions or retail stores and impersonated the true cardholder to check on the actual cardholders’ credit.  After all, they probably didn’t want to get charged fees for going over their credit limits.

Anyway…

The bogus plastic was turned over to teams who went on spending sprees at higher-end stores including Apple, Bloomingdale’s and Macy’s in New York, Florida, Massachusetts and Los Angeles. During these shopping sprees, criminals used forged credit cards to stay at such five-star hotels as the Fontainebleau and The Royal Palm in Miami Beach and the high-end private villas of the El Conquistador in Puerto Rico. They are also alleged to have used forged credit cards to rent Lamborghinis and Porsches and, in one instance, a private jet to take them from New York to Florida.

The groups would then resell the merchandise that included iPads, iPhones, computers, watches and upscale handbags from Gucci and Louis Vuitton in China, Europe and the Middle East.

In addition to credit card fraud, twenty-four defendants were variously charged with burglaries and robberies throughout Queens County, including conspiring to commit a bank robbery. Five are charged with stealing more than $95,000 worth of cargo from Kennedy Airport and seven of stealing approximately $850,000 worth of computer equipment from the Citigroup Building in Long Island City.

“This is by far the largest – and certainly among the most sophisticated – identity theft/credit card fraud cases that law enforcement has come across,” said District Attorney Brown. “Credit card fraud and identity theft are two of the fastest growing crimes in the United States, afflicting millions of victims and costing billions of dollars in losses to consumers, businesses and financial institutions…. Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.”

The investigation involved physical surveillance, intelligence gathering and court-authorized electronic eavesdropping on dozens of different telephones in which thousands of conversations were intercepted. Many required translation from Russian, Mandarin and Arabic to English.

Indictments charge that Imran Khan, Ali Khweiss, Anthony Martin, Sanjay (a/k/a Rocky) Deowsarran and Amar Singh were “bosses” of the criminal enterprise.

In what could be considered an act of irony or chutzpa or both, one defendant, Nelson Feliciano, who owns a security firm, allegedly allowed others to make a counterfeit credit card using his business account information and to use that account to make $50,000 in purchases before claiming that the charges were fraudulent and that he was a victim of identity theft.

The indictment also alleges that Jonathan Ortiz, Wilfred Rodriguez, Travis Hassang, Angel Quinones and two other individuals, who have not been apprehended, were charged with stealing approximately $850,000 in computer equipment. In a stirring demonstration of motherly devotion, Jonathan Ortiz’s mother, Maria, has been charged with hindering prosecution by logging into her son’s Facebook account to create an alibi for him – allegedly. Now, don’t you just hate it when parents insist on checking what their kids do online?

Govinfosecurity.com’s Managing Editor, Tracy Kitten, gathered analysis from security experts:

Gartner’s Avivah Litan says, “I think this does point out that U.S. law enforcement has beefed up multilingual capabilities in Russian, Mandarin and Arabic, which is critical to its activities, and is a big improvement over the situation pre-9/11.”

Aite Group’s Julie McNelley observes, “While the operation spanned the five continents, the focus of this bust appears to be the hub of the operation in Queens.”

Security author and writer Neal O’Farrell notes, “We know there are scams like this being run in almost every city, usually in the $500,000 to $1 million range. That usually makes them too big for local law enforcement to investigate and too small for federal agencies to pick up. The big problem we’re seeing is that because the low- to mid-level crooks and gangs are going unchallenged, they simply have more time to get better, perfect their art, steal more, and hide their tracks. By the time law enforcement uncovers them, there’s little left to prosecute.”

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all ThreatMetrix customers. The information is always up-to-date and always available. The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, lets financial institutions and others verify new accounts, authorize payments and transactions and authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.

79% of Online Consumers Afraid of Getting Ripped Off. A Third Say They’ll Buy More Online Than In-Store. Okay… So What IS In Store for Online?

Posted on September 16th, 2011 by Dan Rampe

Right up there — or down there — with recent approval ratings for Congress (15%) and the President (41%) are consumer approval ratings for not getting taken in online (21%).

A joint study — “Mobile Payments & Online Shopping Survey of U.S. Consumers” —  by ThreatMetrix and The Ponemon Institute, which is dedicated to advancing responsible information and privacy management practices in business and government, determined that three in four consumers have either some concerns (53%) or serious concerns (26%) about online fraud. Forty-three percent reported already having been victimized, up a full percentage point from a study done earlier this year.

Despite the fact that most consumers have doubts about Web security, one-third say they intend to buy more online than in brick-and-mortar stores this holiday shopping season. “While consumers continue to show a preference for the convenience of shopping and browsing online, their concerns about becoming a victim of online fraud is also growing,” said Bert Rankin, vice president of marketing, ThreatMetrix. “With mobile thrown into the shopping mix, which is even more apparent this year, consumers and retailers alike need to be well equipped against fraudsters in every possible channel.”

Rankin pointed out that nearly one in three consumers believed the fraud risk was lower on a smartphone or tablet than desktop or laptop. When a group of consumers considered extremely active Internet users were included, that number increased to 39%.

Huh?

Anyway…

According to Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, “Consumers who have a high propensity to use the Internet for shopping, banking, gaming, social media interactions, and other activities, appear to have a stronger sense of security online — which is not exclusive only to desktops and laptops.  While these users may be savvier when it comes to the digital channel, their safety net may not always be there. Online transactions are a two-way street. While they may think they’re taking the necessary precautions to avoid online fraud, the sites they’re visiting must also be implementing online fraud prevention tactics.”

Adds Julie Conroy McNelley, senior fraud and risk analyst at the Aite Group, “Mobile, in particular, is difficult to protect from fraud. With around 4,000 different device types to secure, it’s often a daunting task. On top of that, few consumers are using anti-virus or anti-spyware software on their mobile devices. Mobile, just like more traditional e-commerce transactions from a desktop, has the potential to become a hotbed for fraud.”

So what devices will shoppers use for Cyber Monday and the upcoming holidays? Forty-nine percent indicated they’d use their desktop or laptop. Thirty-seven percent opted for a smartphone, and 12% a tablet. In fact, one in four respondents already used their smartphone or tablet to make a mobile payment of some kind, with the majority using either PayPal or credit cards for the transaction.

Extremely active Internet users tended toward smartphones (49%) and tablets (17%) with only 34% saying they’d use their desktop or laptop. Of this group 40% said their online purchases would likely exceed ones done in-store.

The most popular purchases using a mobile payments option on a smartphone or tablet are music downloads (77%), online service subscriptions or memberships (75%) and apps for smartphone or tablets (73%). Consumer electronics ranked slightly above clothing, at 48% and 43%, respectively.

For a free Executive Research Summary of the “Mobile Payments & Online Shopping Survey of U.S. Consumers,” download it here.

On one point in the study, there was overwhelming agreement. A whopping 84% of survey respondents said they thought it was important that a retailer express a commitment to protecting them from fraud.  And protecting online companies from cybercriminals is what ThreatMetrix does better than anybody.

The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time — without relying on personally identifiable information (PII) such as birth dates, maiden names and Social Security numbers. And this protection is assured no matter which devices consumers may use.

Whoever Said, “Crime Doesn’t Pay” Never Had to Pay for It – HP Commissioned Report Has Cybercrime Costs Up 56%!

Posted on August 25th, 2011 by Dan Rampe

When HP releases a report on cybercrime statistics, you’d better believe it.  After all, who knows more about cybercrime than a company that charges exorbitant prices online for its ink jet printer cartridges. Okay, even if HP’s price for replacement ink jet cartridges is a crime, it’s hardly criminal. Besides we were just kidding HP. No harm. No foul. Right? (Anybody know what happened to Carly Fiorina?)

Anyway, when it comes to the drain of cybercrime on the economy, it’s no joke. The Second Annual Cost of Crime Study, a report commissioned by HP and conducted by the Ponemon Institute, an independent organization that does research on privacy, data protection and information security policy, shows the median annual cost of cybercrime incurred by the organizations they polled was $5.9 million per year. That’s an increase of 56 percent over last year – the greatest expense coming from detection and recovery from attacks. The study reflects interviews with a representative sample of data protection and IT security professionals from 50 benchmark corporations across various industry sectors.

Of course, $5.9 million is an average. EMC CFO David Goulden revealed that its recent breach of the system that stores secret codes for EMC’s RSA SecurID multifactor authentication tokens cost EMC $66.3 million in a single quarter.

With malicious code, denial of service, stolen devices and web-based attacks making up more than 90 percent of the cost, over an average four-week period, organizations experienced 72 successful attacks per week. That’s an increase of close to 45 percent over last year.

So what are the best ways to mitigate costs?

  • Resolve cyberattacks fast. The average time to resolve an attack is 18 days, with a cost of nearly $416,000, a 70 percent increase over last year. The faster the resolution, the lower the cost.
  • Deploy advanced security intelligence and risk-management solutions. Organizations deploying security information and event management solutions saved approximately 25 percent over organizations that didn’t.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, noted, “As the sophistication and frequency of cyberattacks increases, so too will the economic consequences.”

If this information weren’t enough to get companies to bolster their security to save money, a reminder specifically for financial institutions is that the FFIEC’s (Federal Financial Institutions Examination Council) conformance deadline is rapidly approaching (January 2012).  And the FFIEC is calling for stronger authentication and layered security.

Providing device identification, the first and most effective layer in a multi-layered defense against cyber criminals, ThreatMetrix solutions are both effective and cost-effective. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real-time. And it doesn’t matter what device is being used, from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies protection that can’t be beat — or beaten by cybercriminals.

Something Sure Doesn’t Add Up at Citigroup

Posted on June 21st, 2011 by Dan Rampe

Okay, Citigroup, what happened? First it took from May 3rd, when the breach happened, till June 3rd for Citigroup to warn customers that 210,000 Citibank account-holder names, account numbers and email addresses fell into the hands of hackers.

Now, Citigroup says, instead of 210,000 customers whose information was stolen, it was actually 360,000 customers. Off by a mere 150,000!  That’s like the entire population of Pasadena, California vanished.  No more Rose Bowl. No more Rose Parade.

The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, says it costs a company, on average, about $214 per compromised record. So, instead of $45-million that was originally at risk, Citigroup is looking at over $77-million in losses from the breach. Numbers like these have spurred an inquiry by the Connecticut Attorney General’s office, one of several state and federal authorities looking into the break-in.

From published reports, it appears the hackers gained access to Citibank data by changing URL numbers on the Citibank Website. ThreatMetrix solutions, which offer protection from bad scripts and fraudulent account logons, payments and transactions, can’t be compromised by the type of break-in suffered by Citigroup. That’s because ThreatMetrix solutions don’t rely on personally identifiable information (PII).  Instead ThreatMetrix solutions are designed to interdict attacks in real-time, while passively and transparently profiling users — without collecting extraneous personal identity information.

One question hangs over the entire incident. How does a corporation whose primary business is numbers lose 150,000 customers?

ThreatMetrix Research Study, Part II: Three in Four Consumers Say Using Their Information for Fraud Detection is ‘Okay’

Posted on May 4th, 2011 by Dan Rampe

ThreatMetrix and the Ponemon Institute have announced the second set of findings from their recent survey around consumers’ reactions to online fraud today. This second round of data was gathered from survey questions around behavioral advertising specifically, on the heels of the recent McCain-Kerry privacy bill.

The study revealed the majority of consumers are comfortable with online behavioral tracking for fraud prevention purposes, but remain hesitant around advertising and promotional purposes. The results are outlined in a report, “Consumers’ Reaction to Online Fraud.”

Other highlights of the findings include:

  • Seventy-four percent of consumers expressed some level of concern about online advertisers collecting and using their information for future promotional activity. Half of the respondents, however, feel it acceptable to use information about their online behavior as long as it’s to detect potential fraudsters.
  • Twenty-four percent of consumers said they don’t think behavioral targeting in any form is appropriate, whereas 26% said it is okay for online businesses to use their information to either send them ads or monitor potential fraudsters.
  • Only 16% of consumers said that advance consent is necessary for each transaction, when asked about the extent of obtaining consent to use their online behavior information for fraud detection. One third said consent was not necessary at all, while the majority (36%) said consent only once in advance is sufficient.
  • The majority of consumers (70%) reported that if they were assured their personal information was not collected when used for fraud detection purposes, they were comfortable with an online business authenticating their identity through a digital fingerprint. Another 22% said they were unsure.

The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.

Privacy vs. Security: Can Device Identification Give You Both?

Posted on September 15th, 2009 by Tom Grubb

I wish all of the websites I do business with would fingerprint my computer to validate my identity. I’d sleep better at night knowing that computers used by criminals attempting to steal from me would be barred from entry because their computer’s unique fingerprint could never match that of my computer. I know more than the typical consumer about the high risk that goes with entering your PII (personally identifiable information) like your mother’s maiden name and social security number into a web form. I also know that it’s getting very hard not to surrender PII to accomplish anything of substance online.

Dr. Larry Ponemon knows a lot about what consumers are thinking about when it comes to their online privacy. He founded Ponemon Institute, dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Several months ago we asked Dr. Ponemon to look into what consumers think about having their computers fingerprinted as a means to help protect them from online fraud.