“Do-Nothing” House Does Something

Posted on September 18th, 2014 by Dan Rampe

House of Reps

U.S. House of Representatives Passes Bill That Comes Down Hard on Tax Return ID Thieves

Who says Congress doesn’t do anything? Well just about every American of voting age (Headline from August 2014 on politico.com: Poll: Congress approval hits new low).

Could the House passing H.R. 744 be a portent of things to come? Maybe, but it would be kind of like Apple donating the gross sales for iPhone 6 to charity.

In any case, if the bill passes the Senate and is signed by the President, tax return identity thieves will be facing 20 years in jail.

In her piece on thehill.com, Cristina Marcos details some of the major provisions of the legislation. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

Victims to include organizations

The measure would further broaden the definition of tax return identity theft victims to include organizations, instead of only individuals.

Another provision of the bill would direct the Justice Department to submit a report to Congress within 180 days on trends in tax return identity theft and recommendations on how to prosecute the crime.

Similar bill failed in 2012

The House passed a similar version of the legislation in 2012 in the previous Congress, but it never received action in the Senate.

For more on tax fraud and identity theft, please see our previous blog posting and infographic, “ThreatMetrix Tax Tips to Avoid Losing Your Identity and Uncle Sam’s Taxes to the Cyberthieves Who Stole Close to $4 Billion Last Year.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

Is Buying an iPhone 6 Buying Trouble? Or Peace of Mind?

Posted on September 17th, 2014 by Dan Rampe

iPhone6

ThreatMetrix Explores the Pros and Cons of iPhone 6 as They Relate to Privacy and Cyberfrauds’ Shift to Online Channels

When it comes to security, do the “I”s have it? ThreatMetrix takes a hard look at iPhone 6 and iPhone 6 Plus, exploring whether some of their newest features will be making their owners more secure or bigger cybercrime targets. (For a quick overview, ThreatMetrix prepared the following infographic on iPhone 6 and iPhone 6 Plus cybersecurity pros and cons.)

“The most recent iPhone has received a ton of buzz, especially regarding some of its latest features such as Apple Pay, which has the potential to revolutionize the way consumers and retailers alike do business,” said Alisdair Faulkner, chief products officer at ThreatMetrix. “However, the fact remains that these features may also potentially make Apple the new prime target for cybercriminals all over the world, as the iPhone 6 increasingly becomes the remote control of its owners’ life.”

By the end of 2014, some 25 million iPhone users will have upgraded their devices. Following ThreatMetrix security experts critique the newest features and how they affect security.

  • Apple Pay a Safer Way– Passbook isn’t an entirely new feature of the iPhone, which previously enabled users to store purchased tickets and other virtual goods. These could then be presented on their iPhones in lieu of tickets, etc. Now, Passbook enables users to register credit cards at the click of a button and access them for secure, one-touch transactions using the iTouch fingerprint reader. The Passbook does not store credit-card details on the actual device or in iCloud. Instead it stores a token on a Secure Element. This means that any malware attempting to intercept a transaction will not be able to get access to the real credit card number. This is a net positive for transaction security.
  • Fraud Pushed from Banks to Online Merchants –Apple supports Near Field Communications (NFC) technology, which prevents store employees from taking copies of card data. In October 2015, EMV payment systems become mandatory in the U.S. and will cause criminal gangs to shift more of their attention to online channels. Modern card terminals typically support both EMV payment systems and NFC, and the new Apple Pay functionality will further drive adoption of these new readers in stores. Now, unlike in-store purchases that are covered by banks, online merchants have to cover the costs of inadvertently accepting fraudulent transactions. The other major impact will be a significant increase in online credit card origination theft. If it’s more difficult to breach data in-store and create counterfeit cards because of EMV payment systems and Apple Pay, criminals will focus more of their efforts online.
  • Increased Account Compromise Risk – iCloud is like a remote control for users’ lives. If hackers gain access to a username and password, which is often shared across sites, they can use the Find My Phone feature to not only disable Apple Pay purchasing from your device, but also get access to backup photos and remotely delete and reset your password as well.“Consumers have the opportunity to upgrade to two-factor authentication for better online protection as account compromise risks increase,” said Julie Conroy, research director at Aite Group. “However, very few consumers will do so due to inconvenience and added effort of such security measures.”
  • Privacy Concerns – Apple has stated that it does not track Apple Pay purchases, and that health data collected by HealthKit will remain encrypted on the phone and not stored on Apple’s servers. However there may be future business pressure to better monetize Apple’s iAd network. While HealthKit App Developers require an iPhone owner’s consent to access health data, consumers do not have good ways of ensuring their data remains protected once it is stored off their phones.
  • Selling and Gifting Older Models – Many consumers will want to get rid of their older iPhone models and this can lead to multiple security risks, such as previously jailbroken devices, devices that have pre-stored malware and unwiped devices that still have personal information stored on them. Before selling or gifting older models, consumers must make sure that they have deleted all content (Settings > General > Reset > Erase All Content and Settings) and remove the devices from their iCloud accounts.

“The newest iPhone has the potential to be one of the most groundbreaking models to date,” said Faulkner. “However, consumers making the switch should be aware of the pros and cons of doing so, especially if they are in the first round of buyers. Consumers need to be mindful that the data they sync to iCloud is now likely only protected by a weak username and password combination.”

The widespread adoption of the iPhone 6 means there will be new threats to consumers’ sensitive information and privacy. Businesses such as Apple need a way to protect their customers beyond simple username and password combinations. They need a collective, global network. The ThreatMetrix® Global Trust Intelligence Network analyzes more than 850 million monthly transactions and combines device identification, threat assessments, identity and behavioral intelligence to accurately identify cybercriminals without creating friction for good users.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

ThreatMetrix Outlines Cybersecurity Pros and Cons for Consumers Purchasing the New iPhone 6

Posted on September 17th, 2014 by Dan Rampe

As Millions of Consumers Make the Shift to the Newest iPhone, They Must be Aware of Privacy Concerns and Fraud Shifting to Online Channels

San Jose, CA – September 17, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced the security pros and cons associated with some of the newest features of the iPhone 6 and the iPhone 6 Plus, both hitting shelves today.

“The most recent iPhone has received a ton of buzz, especially regarding some of its latest features such as Apple Pay, which has the potential to revolutionize the way consumers and retailers alike do business,” said Alisdair Faulkner, chief products officer at ThreatMetrix. “However, the fact remains that these features may also potentially make Apple the new prime target for cybercriminals all over the world, as the iPhone 6 increasingly becomes the remote control of its owners life.”

With 25 million iPhone users planning to upgrade their devices by the end of 2014, there are a multitude of security pros and cons associated with the features of the latest iPhones that those making the switch should be aware of prior to purchasing. These include:

  • Apple Pay a Safer Way– Passbook isn’t an entirely new feature of the iPhone, which previously enabled users to store purchased tickets and other virtual goods that they could then present on their iPhones in place of its physical counterpart. Now, Passbook enables users to register credit cards at the click of a button and access them for secure, one-touch transactions using the iTouch fingerprint reader. The Passbook does not store credit card details on the actual device or in iCloud. Instead it stores a token on a Secure Element. This means that any malware attempting to intercept a transaction will not be able to get access to the real credit card number. This is a net positive for transaction security.
  • Fraud Pushed from Banks to Online Merchants – With Apple supporting Near Field Communications (NFC) technology, this prevents store employees from taking copies of card data. In addition, when EMV payment systems become mandatory in the U.S. in October 2015, criminal gangs will shift more attention to online channels. Modern card terminals typically support both EMV payment systems and NFC, and the new Apple Pay functionality will further drive adoption of these new readers in stores. Unlike in-store purchases that are covered by banks, online merchants have to cover the costs of inadvertently accepting fraudulent transactions. The other major impact will be a significant increase in online credit card origination theft. If it’s more difficult to breach data in store and create counterfeit cards due to EMV payment systems and Apple Pay, then criminals will focus more efforts online.
  • Increased Account Compromise Risk – iCloud is like a remote control for users’ lives. If a hacker gains access to a username and password, which is often shared across sites, they can use the Find My Phone feature to not only disable Apple Pay purchasing from your device, but also get access to backup photos and remotely delete and reset your password as well. “Consumers have the opportunity to upgrade to two-factor authentication for better online protection as account compromise risks increase,” said Julie Conroy, research director at Aite Group. “However, very few consumers will do so due to inconvenience and added effort of such security measures.”
  • Privacy Concerns – Apple has stated that it does not track Apple Pay purchases, and that health data collected by HealthKit will remain encrypted on the phone and not stored on Apple’s servers, however there may be future business pressure to better monetize Apples iAd network. HealthKit App Developers need consent to access health data, but consumers do not have good ways of ensuring their data remains protected once data is stored off their phone.
  • Selling and Gifting Older Models – Many consumers will want to get rid of their older iPhone models and this can lead to multiple security risks, such as previously jailbroken devices, devices that have pre-stored malware and unwiped devices that still have personal information stored on them. Before selling or gifting older models, consumers must make sure that you have deleted all content (Settings > General > Reset > Erase All Content and Settings) and remove the devices from their iCloud accounts.

“The newest iPhone has the potential to be one of the most groundbreaking models to date,” said Faulkner. “However, consumers making the switch should be aware of the pros and cons of doing so, especially if they are in the first round of buyers. Consumers need to be mindful that the data they sync to iCloud is now likely only protected by a weak username and password combination.”

In the wake of the new potential threats to consumers’ sensitive information and privacy with the widespread adoption of the iPhone 6, businesses such as Apple need a way to protect their customers beyond simple username and password combinations with a collective, global network. The ThreatMetrix® Global Trust Intelligence Network analyzes more than 500 million monthly transactions and combines device identification, threat assessments, identity and behavioral intelligence to accurately identify cybercriminals without creating friction for good users.

ThreatMetrix Resources

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

 

 

 

Reminder: October Approval Expected for New EU Breach Notification Law

Posted on September 16th, 2014 by Dan Rampe

European Union

Law Applies to All Companies Doing Business in Europe

The European Union’s updated data protection law requires any business that suffers a data breach involving personal information to alert regulators and directly notify affected individuals “without undue delay.” What makes a delay an “undue delay”? Could there be some legal wiggle room?

In his article on bankinfosecurity.eu (link to article), Mathew J. Schwartz cites security expert Jacky Wagner, managing director at the consultancy PricewaterhouseCoopers, observing that current EU laws “don’t have any explicit requirement around notifying either regulators or individuals if there’s been some sort of breach of their personal information.”

Wagner adds, “”We’ve seen – over the last several years – most of the states in the U.S. pass notification laws that require explicit notification if an individual’s data has been breached.” The revised EU law includes a similar provision.

Schwartz writes that in addition to tough breach notification requirements, the measure also would require businesses of a certain size to hire data protection officers.

Included in the new law may be the” right to be forgotten” where EU Internet users could demand Google and other search engines remove certain sensitive information about them from searches.

While the new law may burden some businesses, it might help others who, instead of having to comply with a patch-work of regulations country-by-country, now only have to comply with one law.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

Who Says Mac OS X Doesn’t Need Malware Protection?

Posted on September 15th, 2014 by Dan Rampe

mac os x

…Not the 18 Companies Creating Anti-Malware for It

Okay, compared to attacks on Windows and Android operating systems, there are a lot fewer Mac attacks. Not exactly news. And the reason why is also not news. With fewer devices running OS X rather than Windows or Android, it just makes sense hackers would look for targets with better returns. Every day, independent test lab AV-TEST.org captures more than 400,000 new malware samples for Windows and 5,000 new samples for Android compared to less than 100 per month for Mac.

18 anti-malware products tested

In his piece on zdnet.com, Larry Seltzer discusses the 18 anti-malware products now available for OS X and how they made out in AV-TEST.org tests. The following has been excerpted from his article and edited to fit our format. You may find the full article by clicking on this link.

  • avast! Free Antivirus 9.0 (41877)
  • AVG AntiVirus 14.0 (4715)
  • Avira Free Antivirus 2.0.5.100
  • Bitdefender Antivirus for Mac 2.21.4959
  • Comodo Antivirus 1.1.214829.106
  • ESET Cyber Security Pro 6.0.9.1
  • F-Secure Anti-Virus for Mac 1.0.282 (13406)
  • G Data Antivirus for Mac 2.30.5095
  • Intego VirusBarrier 10.8.1
  • Kaspersky Internet Security 14.0.1.46c
  • McAfee Internet Security 3.1.0.0 (1702)
  • Microworld eScan for Mac 5.5-8
  • Norman Antivirus for Mac 3.0.7664
  • Panda Antivirus 10.7.8 (772)
  • Sophos Anti-Virus 8.0.23
  • Symantec Norton Internet Security 5.6 (25)
  • Trend Micro Titanium 3.0.1251
  • Webroot SecureAnywhere 8.0.6.105: 181

You can find complete results [on the a-v test.org site.] Five of the products (avast!, Sophos, AVG, Comodo and Avira) are free.

About testing methods

AV-TEST used “…the products which are offered at the AV vendor’s websites as downloads. The versions available at the Mac App Store might be limited in functionality, as they cannot access all APIs.”

AV-TEST provides test results for malware detection, both on-access and on-demand; false positives; impact on system performance; and ancillary features, specifically anti-spam, anti-phishing, personal firewall, safe browsing, parental control, backup and encryption.

How some products fared

The products from avast!, Bitdefender, G Data, Norman, ESET, Intego, Panda, Microworld, F-Secure, Sophos and Kaspersky detected a very high percentage of the malware on-access. AV-TEST also gives results for on-demand scanning, but their importance pales (in our opinion) in comparison to those of on-access. Kaspersky detected 95.2% on-access, several others detected 97.6% and 98.8% and four products detected 100% of malware on-access. All of these numbers are excellent, but obviously it doesn’t get better than 100%.

Disappointing products

Several products, all with well-known brands, had disappointing results. Trend Micro (33.3%), Webroot (22.6%) and McAfee (21.4%) all stand out in a bad way.

None of the products had a single false positive. This may be possible because of the relatively low number of samples.

Compared to PC products, the Mac products offer very few additional features. Eight of them add no extra features (as counted by AV-TEST). Only five offer more than one. The only real stand-out is ESET Cyber Security Pro, which offers anti-spam, personal firewall, safe browsing and parental control.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

They Could Call It “Click-Before-You-Think” Insurance

Posted on September 12th, 2014 by Dan Rampe

Chubb

Company Offers Insurance Against Losses from Socially Engineered Scams

In the U.S. Army, they used to call it the 10 percent — the 10 percent who didn’t get it no matter how often something was explained. Don’t click on a link in an email because the email appears to have come from the company’s bank. Don’t provide passwords and other private information to disembodied voices on a phone just because they say they’re IRS agents. Don’t click on a website’s URL unless you’re certain it’s genuine and not one that’s been set up to spoof a legitimate site with a URL spelling that’s a letter off.

According to the insurancejournal.com (link to article) (note this is a legitimate link), the Chubb Group’s Social Engineering Fraud Endorsement Insurance “provides coverage for an organization’s losses when an employee is tricked into making a payment through email, telephone, letter or other means to someone who purports to be a vendor or client.”

Greg Bangs, vice president and worldwide crime insurance manager for Chubb, notes, “As organizations continue to seek to improve their computer security, social engineering scams are taking aim elsewhere – at human beings. It’s easy for a thief to pose as a vendor and request by email that a payment be directed to a new bank account. The company may not realize it was defrauded until weeks or months later when the vendor sends out an overdue payment notice.”

Coverage is available up to $250,000 per occurrence, although higher limits may be available to qualified customers. Considering the millions or tens of millions one occurrence could cost, will $250,000 help organizations that have been compromised? Looks like it’s up to those organizations.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

If You’re One of the 25 Million iPhone Users Planning an Upgrade, There Are Things You Ought to Know

Posted on September 11th, 2014 by Dan Rampe

iPhone6-InfographicThreatMetrix’s Latest Infographic Analyzes the Security Pros and Cons of iPhone 6 and iPhone 6 Plus, Apple Pay, Passbook and Much More

By the time people get around to singing auld lang syne (or trying to), some 25 million iPhone users will have upgraded to iPhone 6 and iPhone 6 Plus (according to comScore) with all kinds of new features and capabilities. You might like to check the review on techradar.com.

When it comes to security, like most new technologies, Apple’s latest products and services come with pluses and minuses. ThreatMetrix’s new infographic takes up the security pros and cons of Passbook, which enables users to upload and store credit cards including iTunes credit cards; NFC technology, enabling users to make one-touch contactless payments; Find My Phone which lets users stop Passbook payments when a device is lost; Apple Pay which works with American Express, MasterCard and Visa to make contactless payments possible; and selling and gifting older models.

With the vast numbers of people expected to be using Apple Pay and Passbook, ThreatMetrix believes security should not fall only on the shoulders of consumers, but rather there should be an emphasis on customer account protection to ensure security across the board.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

ThreatMetrix Execs to Speak on Real World Apps of Big Data Analytics at ISMG Fraud Summits

Posted on September 11th, 2014 by Dan Rampe

ISMG

Andreas Baumhof, Chief Technology Officer and Alisdair Faulkner, Chief Products Officer to Present at Information Security Media Group (ISMG) Annual Fraud Summits in Toronto, London and NYC

ISMG’s fraud summits will take place in Toronto on September 17th, London on September 23rd and in New York on October 21st.

At the Toronto summit, Andreas Baumhof will speak on the “Real World Applications of Big Data Analytics – Social Network Analysis and Post Breach Fraud Detection” panel focusing on how big data is being used to detect and prevent fraud. Specifically, the panel will focus on two use cases that are currently providing significant real-world value: social network analysis and post breach fraud detection.

Subsequently, Alisdair Faulkner will be presenting at both the London and New York summits.

“At ThreatMetrix, we know a collective approach to cybersecurity through the use of big data is far more effective than leaving every entity to fend for themselves,” said Bert Rankin, chief marketing officer at ThreatMetrix. “We’re thrilled to lend our expertise to ISMG for another round of their groundbreaking fraud summits.”

ISMG, which publishes BankInfoSecurity, CUInfoSecurity and InfoRiskToday, hosts the one-day events to showcase the top fraud trends of 2014. Supported by ThreatMetrix and other industry leading companies and associations such as (ISC)2, ISSA, ACT Canada, Interac, the summits offer a forum for experts to share practical insights to help combat the many forms of fraud impacting financial institutions, retail, card issuers, and law enforcement.

Summit attendees have an opportunity to get information from top experts in the industry, including attorneys, analysts, researchers and banking/security practitioners on topics ranging from account takeover to retail breaches, the mobile banking threatscape and bank Trojans.

In addition to ThreatMetrix’s Alisdair Faulkner and Andreas Baumhof, other confirmed speakers for upcoming summits include Julie Conroy of Aite, Tim Webb of RBS Citizens Bank, Dan McKenzie of RBC Bank and Mark Sullivan of Interac Association.

For more information, schedules and to register for the individual events, please visit http://www.ismgcorp.com/fraudsummit?rf=thrtmtrx.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

ThreatMetrix to Present Real World Applications of Big Data Analytics at ISMG’s Fraud Summits

Posted on September 11th, 2014 by Dan Rampe

ThreatMetrix Executives to Participate in Three of the Top Security Publisher’s Unique One-Day Fraud Summits

San Jose, CA – September 11, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced it will present at the Information Security Media Group (ISMG) annual Fraud Summits in Toronto, London and New York on September 17, Sept. 23 and Oct. 21, respectively.

Andreas Baumhof, chief technology officer at ThreatMetrix, will speak on a panel at the Toronto summit entitled “Real World Applications of Big Data Analytics – Social Network Analysis and Post Breach Fraud Detection.” The panel will focus on how big data is being used to detect and prevent fraud, specifically focusing on two use cases that are currently providing significant real-world value: social network analysis and post breach fraud detection. Additionally, Alisdair Faulkner, chief products officer at ThreatMetrix, will present at the London and New York summits.

“At ThreatMetrix, we know a collective approach to cybersecurity through the use of big data is far more effective than leaving every entity to fend for themselves,” said Bert Rankin, chief marketing officer at ThreatMetrix. “We’re thrilled to lend our expertise to ISMG for another round of their groundbreaking fraud summits.”

ISMG, publisher of BankInfoSecurity, CUInfoSecurity and InfoRiskToday hosts the one-day events to showcase the top fraud trends of 2014. The ISMG summits, supported by industry-leading companies and associations such as (ISC)2, ISSA, ACT Canada, Interac, and most recently ThreatMetrix, are the forum for experts to share practical insights to help combat the many forms of fraud impacting financial institutions, retail, card issuers, and law enforcement. Attendees will hear from top experts in the industry, including attorneys, analysts, researchers and banking/security practitioners on topics ranging from account takeover to retail breaches, the mobile banking threatscape to banking Trojans. Other confirmed speakers for upcoming Fraud Summits include Julie Conroy of Aite, Tim Webb of RBS Citizens Bank, Dan McKenzie of RBC Bank and Mark Sullivan of Interac Association.

“The Fraud Summits focus exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges,” said Tom Field, vice president of editorial at ISMG. “Attendees enter these day-long sessions with questions, and they leave with new answers.”

The Fraud Summit 2014 series will be held at conference centers all over the world that provide easy access to public transportation and major highways. For more information, schedules and to register for the individual events, please visit http://www.ismgcorp.com/fraudsummit?rf=thrtmtrx.

ThreatMetrix Resources

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

 

 

Who Gets Stuck with the Bill?

Posted on September 9th, 2014 by Dan Rampe

TriSummit Bank

Utility Sues Bank When Cybercriminals Raid Utility’s Bank Account

If something sounds oddly familiar about this story, it’s because you’ve likely heard it before. However, the last chapter comes out differently with each telling. The epilogue? That may end up being written by the U.S. Supreme Court. But, we’re getting ahead of ourselves.

In July, TEC Industrial Maintenance & Construction, a utility, sued TriSummit Bank, alleging the bank was to blame for a series of fraudulent payroll drafts sent from TEC’s account in 2012. TEC said the bank failed to have its ACH transactions approved by the utility before they were transmitted. The result was the utility lost $327,804 to cybercriminals, of which $135,148 was recovered by the bank. Now the utility wants the bank to pay the $192,656 the cybercrooks got away with.

In her piece on bankinfosecurity.com Tracy Kitten recounts this latest battle in “who’s on the hook” when cybercriminals raid a company’s account. The following has been edited to fit our format. You may find Kitten’s full article by clicking on this link.

This is but the latest in a series of high-profile account takeover cases, and experts say it is going to put the onus on the bank to prove it took every possible measure to protect its customer from fraud.

Onus is on the institution

In the wake of the 2011 FFIEC authentication guidance update, Doug Johnson, senior vice president of risk management policy for the American Bankers Association, says banking regulators have made it clear that it is [the] banking institutions’ responsibility to ensure they are providing layers of security to protect their customers’ accounts.

And George Tubin, a banking fraud expert …says even if a commercial customer’s account is taken over because of a phishing attack and subsequent malware infection that resulted because of the customer’s negligence, the onus is on the banking institution to detect and stop suspicious transactions.

“A lot of banks think out-of-band, one-time passwords protect them from malware-based fraud – they don’t,” Tubin says. In fact, unless a commercial customer explicitly declines to accept a certain security procedure offered by its bank, as was the case in the Choice Escrow and Land Title LLC account takeover incident, banks have struggled to prove their security measures were reasonable if fraud results….

“Based on the information presented, this case does not have a situation where the customer failed to use…or refused a security procedure….The fact that the customer was infected by malware, which enabled this fraud, will not be viewed as something the customer did wrong. Anybody can get infected with malware, unless they’re utilizing commercial-grade anti-malware software, which is usually only provided via the financial institution.”

Julie Conroy, a financial fraud and security analyst…says TEC has a compelling case, but she sees nothing here that will help banking institutions better understand what constitutes “reasonable security” in the eyes of the courts.

“The confusion and mixed messages that we’ve received from the courts is around what levels of security qualify as ‘commercially reasonable.’ I don’t see anything in this case that would help set a clear precedent in that regard.”

TEC’s claims

According to the complaint, on May 10, 2012, 55 separate payroll orders totaling $327,804 were sent by TriSummit Bank to different accounts located throughout the U.S. The bank, however, failed to verify those orders with TEC….

Not only did the funds go to accounts that had not previously been paid by TEC, but the amounts, which ranged from $550 to $11,000, were not customary for the utility, the suit alleges.

TEC says its agreement with the bank also required that the bank call the utility before any payroll transactions were authorized. All of those calls, per the agreement between TEC and TriSummit, should have been recorded.

TEC argues that the 55 separate transactions approved in May 2012 were not authorized via a telephone call.

TEC also alleges it alerted the bank of suspicious activity just days before the fraudulent transactions were approved. On May 8, TEC’s controller had trouble accessing the bank’s online-banking site. After contacting the bank, the controller was advised to visit the branch and load the payroll files there. The following day, the controller received a phone call from someone feigning to be from the bank, asking that the employee try once more to access the online banking site to see if it was now working properly.

TEC claims its controller mentioned this suspicious phone call to numerous bank employees the next day, May 9, during a separate authorization call. The bank told TEC it would look into the matter, TEC says. Allegedly, just hours before that call is when the bank approved the fraudulent transactions.

Going to trial?

If the calls between the bank and utility were recorded, then the bank should have a record of the authorization history, [says Tubin]. He [adds] that if the claims made by [the utility] are true, the bank would be wise to settle.

[How the courts viewed other cases]

In the Experi-Metal Inc. and PATCO Construction Inc. cases, the courts ultimately favored the commercial customers. But an appellate court in June supported a lower court’s ruling in the Choice Escrow case that favored the bank

The court found that Choice Escrow’s refusal to use a dual-person authorization service for wire-transfer approval offered by the bank shielded the bank from liability. Choice Escrow is considering an appeal of its case before the U.S. Supreme Court.

[Tubin says] in TEC’s case, the bank now must prove its security measures were ‘commercially reasonable.’

“Based on the information in the complaint, the bank should have detected this fraud….A ‘commercially reasonable’ security approach would have either detected and/or prevented the malware from stealing the user’s credentials, and an anomaly detection system would have picked up the double ACH transactions for double the typical weekly amount.”

Further, if the bank did not follow through on its voice confirmation of the fraudulent ACH transaction, as alleged, Tubin says, “The bank would clearly be at fault for not adhering to the security practice used every week to confirm the ACH transaction.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.