Posts Tagged ‘virtual goods fraud’

IAM Overwhelmed!

Posted on November 16th, 2011 by Dan Rampe

Ericka Chickowski, a contributing editor at Darkreading.com, did a piece titled “Tales of De-Crypt 2011.” Considering it was scheduled to run sometime around Halloween, the title was “scary clever” while the subject matter was just plain scary. Chickowski observes that 2011 has been “a banner year for authentication and Identity and Access Management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month…. [There have been] targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.”

Compiled by Ms. Chickowski is a list of the top ten worst “hacks, vulnerabilities and screw-ups to hit the headlines in 2011.” The upside is that the top-ten list only has seven entries. It also has some lessons to be learned.

1. The RSA Tokens That Took a Lot of People for a Ride. “After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. RSA confirmed that some ‘information related to the RSA SecurID product had been extracted.’” Extracted is another way of saying ripped off.

So what was learned? Don’t put all your eggs in one basket and leave the basket where anybody can trip over it. Or as Darkreading.com put it, “Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company’s most critical assets.”

2. The Death of DigiNotar. A hacker with the moniker ComodoHacker created fraudulent Comodo SSL certificates in March, then later hacked the CA DigiNotar to issue 500 more certificates. The actions of ComodoHacker, who claimed to have hacked other certificate authorities, ultimately led to the demise of the company.

So what was learned? A stitch in time saves nine? A penny saved is a penny earned? A wet bird never flies at night? No, what was learned was, “DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.”

3. HBGary Federal’s “federal case” Over Anonymous Backfires. After the company’s CEO said he was about to release information about Anonymous, the group infiltrated HBGary’s network through SQL injection, stole stored passwords and took control of the company’s email, internal accounts and its executives’ social media accounts.

So what was learned? As they used to say in the U.S. Infantry (and probably still do) in not such genteel terms, “Don’t let your alligator mouth overload your hummingbird ass.” Darkreading.com put it this way, “Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use Rainbow tables to crack the passwords’ encryption because the firm used weak MD5 hashes to protect them.”

4. Beware the LulzSec. After breaking into networks, LulzSec members distributed unencrypted passwords and other sensitive information, such as emails that impacted everyone from Sony to the U.S. Senate and compromised millions of accounts.

So what was learned? The bigger they come, the harder they fall. That could be one of the things learned.  But, Darkreading.com pulled out some other lessons like, “a lack of input validation or database monitoring [allow LulzSec] to commit SQL injection attacks at will. And …organizations [have a tendency] to store login information unencrypted and unprotected within network systems.”

5. Don’t Count on Citi Account Numbers. Darkreading.com says, “Hackers were able to game Citigroup’s online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers’ accounts. The trick gave them access to customer names, account numbers, and transaction information.”

So what was learned? Money is the root of all evil? Or rather, lack of money is the root of all evil? No. Actually it’s that, “web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi’s online banking authentication engine.”

6. Bank of America Rogue Employee Was a Rogue. A Bank of America employee leaked information to an identity-theft ring. Fake accounts were created under victims’ names and $10 million was stolen before the thieves were nailed.

So what was learned? One rotten apple can spoil the whole barrel. He/she can also steal $10-million. The other thing that was learned is frequent reviews of access controls might have prevented this type of theft.

7. Duqu Worms Its Way Into the World. “A refinement on the code foundation laid down originally by Stuxnet… this password- and data-stealing Trojan features a rogue certificate [now revoked. However,] it’s able to fly under the detection radar by injecting itself into running processes.”

So what was learned? “[This was] another instance of hackers manipulating the certificate authority ecosystem…”

Perhaps the most important lesson to be taken from the seven disasters described above is many could have been averted by using ThreatMetrix solutions. The first perimeter and the most effective element in a multi-layered defense against cyber criminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.


Gamers Save Games. Super Rewards Saves Game Publishers and Online Merchants From Cyberthievery.

Posted on October 20th, 2011 by Dan Rampe

How far will a gamer go to get virtual currency? Well, let’s just say it’s probably safer to get between a lion and raw meat. Which is why Super Rewards has a fraud protection system for detecting fraud better and faster than any monetization platform on the market today.

Not familiar with Super Rewards? It’s the platform for online games and social networks on the Adknowledge ad network. Super Rewards delivers targeted advertising offers to millions of global website and social network users and lets gamers earn in-game points by filling out surveys, watching videos or subscribing to online services.

Adam Caplan, vice president virtual currency, Adknowledge comments, “Some users are so passionate about the games they play that they will go to extraordinary lengths to acquire excess virtual currency, including abusing advertising offers that we make available on our platform. In other cases, fraudsters will use stolen credit cards or other abusive payment mechanisms to accumulate virtual currency to sell to others in the game for profit. It’s critical for us to separate the abusers from the vast majority of users who are interested in the brands and the products they sign up for, or validly pay for the virtual currency they use.”

How Super Rewards’ Three-Pronged Approach Works to Prevent Fraud and Abuse:

Automated Internal Security Systems: Super Rewards’ internal automated systems prevent fraud through the use of pattern recognition, velocity management, identification of bots and spam, and monitoring of other high-risk activities.

24/7 Manual Reviews in Real Time: Super Rewards’ fraud management team monitors complaints and uses data gathered by internal systems to make decisions based on user activity and patterns. This process makes it possible to identify suspicious activity and manually block users who are trying to abuse the system.

Fraud Filter Powered by ThreatMetrix: ThreatMetrix enables Super Rewards to instantly review and analyze transactions based on ThreatMetrix’s tracking of global fraud networks.

Using a variety of device- and transaction-related data, ThreatMetrix builds a “contextual score” that delivers all the information Super Rewards needs to make a thoughtful “go, no-go” decision about a customer. The data that’s collected is deep intelligence about the user’s device, key transaction details and past behavior, both on-site and globally. With ThreatMetrix, Super Rewards is able to customize the rules within its system, allowing the company to specify in real-time what is considered potential abuse or risk. And, through this partnership, Super Rewards can quickly identify and block fraud and system abuse.


More Than 175 Registrants Headed for the Fraud Fighters’ Summit October 9-10. It Would Be a Crime Not to Attend.

Posted on October 6th, 2011 by Dan Rampe

Like the knights of yore who converged on King Arthur’s Round Table (not to be confused with the pizza restaurant) to discourse on fighting dragons and saving distressed damsels, industry leaders are coming together at the Monterey Plaza Hotel and Spa in Monterey, California (October 9-10) to address the threat of online fraud and to promote e-commerce.

Based around the theme, “Defeating Online Fraud and Promoting E-Commerce Together,” the ThreatMetrix 2011 Fraud Fighters Summit brings together the top fraud-fighting professionals in the industry, people who have maximized the effectiveness of their ThreatMetrix solutions.

Attendees will have an opportunity to network with peers and share fraud-fighting strategies. They’ll learn new ways to benefit from the ThreatMetrix Cloud-Based Fraud Prevention Platform from experts and come away better informed, motivated and prepared to wage the daily battle against fraudsters.

Presentations from well-known brands will be a highlight of the packed, two-day summit agenda. Featured presenters include:

  • Reed Taussig, ThreatMetrix CEO and president, who will formally open the summit and provide an industry overview.
  • David Burns, manager of operational risk, Optimal Payments, who will speak on: “Incorporating ThreatMetrix into Real-Time Rule Decisions.”
  • Julie Conroy McNelley, senior analyst with the Aite Group’s Retail Banking practice, who covers fraud, data security, anti-money laundering, and compliance issues, will present on “Online and Mobile:  Navigating the Risk Environment.”
  • Rhonda MacLean, founder of MacLean Risk Partners LLC, a consulting firm that provides strategic advisory services, will lead a financial service fraud prevention roundtable.
  • Steven Boutelle, Lieutenant General, U.S. Army (Retired) and former chief information officer of the U.S. Army responsible for the U.S. Army’s use of information technology, will present on “Cybersecurity: A Government Perspective.”
  • Alisdair Faulkner, ThreatMetrix chief products officer, will present a product development roadmap.

Other topics will cover everything from “Building an Effective Fraud Prevention System,” to “Addressing Organized Stealth with ThreatMetrix SmartID,” to “The Identity Challenge,” as well as best practices surrounding the use of ThreatMetrix professional services.

As an added bonus, the conference concludes with a private dinner at the world-famous Monterey Bay Aquarium.


Online Transactions: $24 Trillion in Table Stakes

Posted on June 28th, 2011 by Dan Rampe

According to Cameron Kerry, the U.S. Department of Commerce’s general counsel, the market for online transactions is predicted to reach $24 trillion ONLY IF users can be convinced the cloud is secure.

Twenty-four trillion is a hard number to wrap your head around. With $24 trillion, you could pay off the national debt and, at a minimum, have enough left over to buy steaks for every dog on the planet. You didn’t really think dogs played cards for stakes, did you?

Anyway…Kerry’s keynote at the Computers, Freedom and Privacy Conference in Washington D.C., outlined two priorities for his Department: cyber security and privacy. Kerry pointed out that the principal roadblock to developing new services and achieving the $24 trillion in online transactions was a lack of confidence in security, noting that Citibank, RSA/Lockheed Martin, Sony, Nasdaq, the International Monetary Fund (IMF), PBS, and the United States Senate have all come under cyber attack.

Kerry explained that when credit cards were introduced, they faced similar security concerns.  What assuaged those concerns was the introduction of encryption. Advising his audience not to wait for legislation or additional regulations to improve security, he stressed the need to go beyond the standard name/password approach, while at the same time maintaining a “privacy bill of rights,” introduced in the Senate by Senator John Kerry, Cameron Kerry’s brother.

One company has a solution that fits both criteria – and it’s available today. That company is, of course, ThreatMetrix. ThreatMetrix solutions don’t rely on passwords, user names and cookies that could compromise a user’s privacy rights. Yet its ThreatMetrix Cloud-Based Fraud Prevention Platform, which uses anonymous data from the computer, its connection to the Internet and contextual data from the transaction, can spot a fraudster literally half a world away.

Following are cyber security principles the Obama administration has endorsed and Department of Commerce seeks to have in place:

  • Instead of the current patchwork of laws that vary by state, breach notification requirements should be standardized and procedures for notifying customers simplified
  • Companies should be encouraged to have better data security, especially for power grids, water systems, and other core critical infrastructure
  • Increased criminal penalties for hackers
  • Encouraging the sharing of information with law enforcement to improve the nation’s ability to detect and prevent cyber attacks

Two more principles that weren’t explicitly addressed by the Department of Commerce or the Obama administration, but should have been:

  • As a matter of course, every company doing business on the Web should be required to check out ThreatMetrix
  • “Dogs Playing Poker” exhibited as art should be prohibited by law


Bitcoins Virtual Currency Fraud Translates Into $467,500 Real Loss

Posted on June 27th, 2011 by Dan Rampe

Just about everybody who’s put finger to keyboard has had it happen. It’s that sinking feeling – the one that hits the pit of the stomach when BAM, in the proverbial blink of an eye, all the effort, all the work is gone, vanished like a bulldog at bath time.

Of course, there are sinking feelings, like when a recipe for liver and onions vanishes from your drive. And then again there are SINKING FEELINGS, like when $467,500 vanishes. That’s what happened to a gentleman with the unfortunately apt online moniker, Allinvain.

Recently, when Allinvain booted up his computer, he discovered the 25,000 Bitcoins he was saving to start a Bitcoin business had vanished. Though the exchange rate for Bitcoins fluctuates sharply, his 25,000 Bitcoins were worth a little under half a million dollars.

Now, if you’re not familiar with it, Bitcoin (BTC) is a digital currency. Created in 2009 by open-source developer Satoshi Nakamoto as an alternative to modern currency, BTC also refers to its open-source software and peer-to-peer Bitcoin network. Members exchange Bitcoins over the Internet with anyone who has a Bitcoin address to pay for online services, Web-based work for hire, tangible goods, and charitable donations. Digital signatures and proof-of-work are meant to provide basic security functions, such as ensuring that Bitcoins can be spent only once per owner and only by the person who owns them. But these security measures are likely to be cold comfort to Allinvain, whose half a million dollars’ worth of Bitcoins are no longer in his possession.

To store Bitcoins, Netizens like Allinvain keep them in a “wallet file” or with a third-party “wallet service,” a kind of digital bank. But if a thief breaks in, either through hacking or by transferring the wallet file to a portable flash drive, “Who ya gonna call?” Well, it might as well be Ghostbusters, because no official government entity keeps an eye out for suspicious activity for an entirely user-driven virtual currency. When virtual currency is gone, it’s GONE.

So what’s the answer? Obviously, it’s to keep the bad guys from getting to the virtual currency in the first place. And that’s where ThreatMetrix comes in. ThreatMetrix’s flexible and powerful rules-based engine and scoring stops fraud the first time, in real time, providing added visibility into a user’s account information and online behavior – without relying on personally identifiable information (PII). That’s why companies like Offerpal Media, which offers virtual currency monetization for online games, virtual worlds and social networks, have chosen ThreatMetrix.

It’s a real solution for a virtual world.


E-Commerce Shifts into Overdrive—The Race is On at IRCE 2011

Posted on June 14th, 2011 by Dan Rampe

ThreatMetrix is exhibiting in Booth 1216 at the world’s largest e-commerce event this week, IRCE 2011. In its seventh year running, IRCE will round up more than 7,000 e-tailers at the San Diego Convention Center for four days of e-commerce-centric workshops, sessions and networking.

According to Internet Retailer, online retailers experienced losses of $2.7 billion, or 0.9 percent of total revenues, in 2010. The real losses are obviously higher, as most online retailers are reluctant to divulge their overall exposure to and losses from fraud.

The challenge for e-tailers is to screen more online orders while keeping order rejection and fraud rates as low as possible to maximize sales and profits.

Automation is a critical addition that helps e-merchants scale their efforts more efficiently and cost effectively than growing their fraud staff. International card-not-present (CNP) transactions pose an additional challenge to e-tailers who adopt higher rejection rates to reduce their risk — at the expense of more sales. Digital downloads like music and images also present a unique challenge for fraud detection with a fulfillment window of seconds rather than hours. While they must minimize fraud, e-tailers must also use every tool at their disposal to make their customer’s online purchase as hassle-free and simple as possible, or risk losing to a competitor just a click away.

ThreatMetrix device profiling brings a new and powerful approach to fighting fraud and enabling e-commerce that helps merchants manage CNP payments risk in real-time without relying on personally identifiable information (PII). ThreatMetrix device profiling goes beyond browser fingerprinting to identify the device, bypass proxies and detect the use of botnets to offer e-merchants an additional layer of protection that reduces lost sales from false negatives, reduces fraud chargebacks and chargeback fees and files, and minimizes fraud management expense by reducing the number of transactions sent for manual review.

Bert Rankin, vice president of marketing, and other ThreatMetrix employees will be exhibiting at Booth 1216, offering attendees insight into the latest in online fraud prevention around mobile transactions, ticketing, social media and Web 2.0, as well as emerging fraud technologies like the ThreatMetrix Cloud-Based Fraud Prevention Platform.

This year’s IRCE is built on a forward-looking theme: “E-Commerce Shifts into Overdrive—The Race is On.” The event is specifically designed to give e-tailers practical information they need to compete in today’s growing e-commerce market, and ThreatMetrix is looking forward to being part of that conversation.


ThreatMetrix Research Study, Part II: Three in Four Consumers Say Using Their Information for Fraud Detection is ‘Okay’

Posted on May 4th, 2011 by Dan Rampe

ThreatMetrix and the Ponemon Institute today announced the second set of findings from their recent survey on consumers’ reactions to online fraud. This second round of data was gathered from survey questions specifically about behavioral advertising, on the heels of the recent McCain-Kerry privacy bill.

The study revealed the majority of consumers are comfortable with online behavioral tracking for fraud prevention purposes, but remain hesitant around advertising and promotional purposes. The results are outlined in a report, “Consumers’ Reaction to Online Fraud.”

Other highlights of the findings include:

  • Seventy-four percent of consumers expressed some level of concern about online advertisers collecting and using their information for future promotional activity. Half of the respondents, however, feel it acceptable to use information about their online behavior as long as it’s to detect potential fraudsters.
  • Twenty-four percent of consumers said they don’t think behavioral targeting in any form is appropriate, whereas 26% said it is okay for online businesses to use their information to either send them ads or monitor potential fraudsters.
  • Only 16% of consumers said that advance consent is necessary for each transaction when asked about the extent of consent required to use their online behavior information for fraud detection. One third said consent was not necessary at all, while the largest group (36%) said consenting only once in advance is sufficient.
  • The majority of consumers (70%) reported that if they were assured their personal information was not collected when used for fraud detection purposes, they were comfortable with an online business authenticating their identity through a digital fingerprint. Another 22% said they were unsure.

The research also looked at consumer sentiment about fraud prevention across the banking, social media and Web 2.0 industries and mobile channel. For more information about the findings, download a copy of the report at http://info.threatmetrix.com/ConsumerSurveyOnlineFraud2011.html.

Casual Disconnect: Fraudsters Take Fun & Profit Out Of Social Games

Posted on July 22nd, 2010 by Tom Grubb

Scammers threaten to make casual gaming not-so-casual. Virtual goods—the currency of trade for social games—are coveted by cybercriminals for their hard cash value. According to a new article in the Wall Street Journal titled “Fraudsters Like Virtual Goods,” “merchants that sell digital goods lost 1.9% of all revenue to fraud in 2009, compared with a 1.1% fraud rate for companies that sell physical goods online,” based on data from CyberSource Corp. (a ThreatMetrix partner). The WSJ points out “at first glance it’s hard to imagine fraudsters’ interest in items like computerized swords for a fantasy game. But these goods are often easier to obtain.”

Digital goods purchases are different than physical goods purchases. The WSJ reports that PayPal transacted more than $2 billion in digital goods transactions, with a PayPal spokesperson describing the category as having “a higher degree of nefarious activity.”

These transactions are unique in that they cater to the gamer’s desire for instant gratification and low tolerance for hassle getting online. That means fraud prevention measures must be transparent to the gamer and effective at detecting and preventing fraud. Because gamers are especially sensitive to any delay, and because digital fulfillment is typically instantaneous, fraud detection must occur instantly—and not simply as an accept or reject call, but with supporting data that gives the fraud analysts the full context of the transaction (for example, the true IP address and geolocation if the gamer is using a hidden proxy).

Taking the pulse of attendees and exhibitors here at Casual Connect 2010 in Seattle this week, it’s clear that scammers have become a big concern for many from payment facilitators to household name gaming companies. Much more this year than last, they are very aware of the kinds of games the scammers play to rob them of revenue. This fast growing segment of the industry appears ready to do more to blunt the scammers.

- Tom

Putting web fraud in the crosshairs for social gaming

Posted on April 8th, 2010 by Tom Grubb

To a web fraudster, attacking a social game like Farmville or Mobsters 2 isn’t just fun—it’s profitable. There’s serious money in scamming the virtual goods world as evidenced by industry research cited in this new article posted today on GameBeat, co-written by web fraud experts Jeff Sawitke, Verifi vice president product strategy and Alisdair Faulkner,  ThreatMetrix chief products officer.

Cybercriminals know to match their tactics to the target—and social gaming is no exception. Here are some typical scenarios where the right fraud defenses can trip up fraudsters trying to game an online game.

  • Whereas a typical good customer uses one account from one computer, a fraudster would try to create and manage a half dozen accounts from a single computer—tipping his hand so that his computer can be flagged as suspicious and/or barred from playing.
  • Besides the obvious losses from a fraudster/gamer using stolen credit cards, there is the downstream risk to the game publisher for chargebacks. In this example, a gamer might be a gold farmer—this is a standard term for a player who tries to acquire items of value in a game to sell or trade for real currency. They typically accomplish this by repeatedly (and rapidly) performing in-game actions that accumulate gains. Automation with bots comes in handy here to get the most bang for the buck in as little time as possible.
  • Here the scammer creates accounts using stolen (or legitimate) credit cards, then after a few weeks calls the credit card company and charges the purchases back. The rules credit card companies apply to chargebacks aren’t a good fit for digital goods, so the game publishers suffer fines from the card companies for exceeding chargeback rates.

The meteoric rise of popular social games like Farmville that cater to a growing population of mainstream players makes social gaming an increasingly popular entry point for cybercriminals to lie, cheat—and of course steal.    Fraud and risk management should be a top priority for every gaming publisher regardless of size to protect their business, their customers and the overall reputation of the industry.  Online game publishers that employ a winning anti-fraud defense can turn social gaming into a losing game for cybercriminals.
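The three scenarios above (many accounts from one device, bot-driven gold farming, delayed chargebacks) written as detection rules over a per-device event stream, with the rule hits merged into the per-device context an analyst would review. This is an added example, not ThreatMetrix or Verifi code; the device fingerprint is assumed to come from an upstream profiling layer, and all device ids, account names, thresholds and timestamps are constructed.

```python
# Added example (not ThreatMetrix or Verifi code): one rule per scenario in the post,
# over a constructed per-device event stream. Ids, thresholds and timestamps are made up.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass(frozen=True)
class Event:
    ts: datetime
    device_id: str   # stable device fingerprint, assumed supplied by a profiling layer
    account: str
    kind: str        # "signup" | "action" | "purchase" | "chargeback"

def _by_device(events):
    groups = defaultdict(list)
    for e in events:
        groups[e.device_id].append(e)
    return groups

def multi_account(events, window=timedelta(days=7), max_accounts=2):
    """Devices opening more than max_accounts distinct accounts inside any window."""
    hits = {}
    for dev, evs in _by_device(events).items():
        signups = sorted((e.ts, e.account) for e in evs if e.kind == "signup")
        lo = 0
        for hi in range(len(signups)):  # sliding window over sorted signups
            while signups[hi][0] - signups[lo][0] > window:
                lo += 1
            n = len({acct for _, acct in signups[lo:hi + 1]})
            if n > max_accounts:
                hits[dev] = max(hits.get(dev, 0), n)
    return hits

def bot_cadence(events, min_gap_s=2.0, min_actions=10):
    """Accounts whose median gap between in-game actions is faster than a human."""
    stamps = defaultdict(list)
    for e in events:
        if e.kind == "action":
            stamps[e.account].append(e.ts)
    hits = {}
    for acct, ts in stamps.items():
        if len(ts) < min_actions:  # too little history to judge
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if median(gaps) < min_gap_s:
            hits[acct] = median(gaps)
    return hits

def chargeback_rate(events, max_rate=0.01, min_purchases=3):
    """Devices whose chargebacks / purchases exceed the card networks' tolerance."""
    hits = {}
    for dev, evs in _by_device(events).items():
        purchases = sum(e.kind == "purchase" for e in evs)
        cbs = sum(e.kind == "chargeback" for e in evs)
        if purchases >= min_purchases and cbs / purchases > max_rate:
            hits[dev] = cbs / purchases
    return hits

def review_queue(events):
    """Merge rule hits into per-device reasons an analyst can act on."""
    reasons = defaultdict(list)
    acct_to_dev = {e.account: e.device_id for e in events}
    for dev, n in multi_account(events).items():
        reasons[dev].append(f"{n} accounts from one device")
    for acct, gap in bot_cadence(events).items():
        reasons[acct_to_dev[acct]].append(f"{acct}: median action gap {gap:.2f}s")
    for dev, rate in chargeback_rate(events).items():
        reasons[dev].append(f"chargeback rate {rate:.0%}")
    return dict(reasons)

def build_sample_events():
    """Constructed stream: one honest player and one farming device."""
    t0 = datetime(2010, 4, 1, 9, 0, 0)
    evs = [Event(t0, "dev-good", "alice", "signup")]
    evs += [Event(t0 + timedelta(minutes=i), "dev-good", "alice", "action") for i in range(1, 13)]
    evs += [Event(t0 + timedelta(days=d), "dev-good", "alice", "purchase") for d in (1, 2, 3)]
    for i in range(6):  # six accounts from one device within five hours
        evs.append(Event(t0 + timedelta(hours=i), "dev-farm", f"farm{i}", "signup"))
    evs += [Event(t0 + timedelta(seconds=0.5 * i), "dev-farm", "farm0", "action") for i in range(40)]
    evs += [Event(t0 + timedelta(days=1, minutes=i), "dev-farm", "farm0", "purchase") for i in range(5)]
    evs += [Event(t0 + timedelta(days=20, minutes=i), "dev-farm", "farm0", "chargeback") for i in range(2)]
    return evs
```

Running `review_queue(build_sample_events())` flags only `dev-farm`, with all three reasons attached; the honest player's device produces no hits.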

- Tom

P.S. For more proof that cybercriminals know to match their tactics to the target, check out this new article posted at Internet Retailer that describes how iReel.com sets the rules when it comes to stopping online fraud.

Are Virtual Goods worth stealing? It's a virtual certainty

Posted on September 28th, 2009 by Tom Grubb

Fraud is no stranger to Virtual Goods

If someone told me a few years ago that people would pay real money for goods that aren’t real—virtual goods that only exist in digital form—I would have joked that I had a virtual Brooklyn Bridge to sell them. Well the laugh’s on me if the buzz at the Virtual Goods Conference in San Jose this week is any measure of where the VG industry is today and where it’s heading. There’s real money changing hands for virtual goods in social gaming and lots of people are working hard to figure how to make it pay even more.

If you’re new to the world of virtual goods, here’s a great overview written by Lora Abe, director of marketing for Gambit, a leading payments engine for online games. Gambit’s booth was right next to ours at the conference (thankfully they let us play their pinball machine during the low-booth-traffic intervals).