The Anthem Tipping Point

Posted on March 27th, 2015 by Dan Rampe

Standard-Header-Reed

The Anthem security breach is a tipping point for all businesses and individuals that use the Internet to conduct their day-to-day business. The ramifications of more than 80 million personal identities in the hands of cybercriminals will result in the loss of untold millions of dollars to anyone and everyone that becomes a victim of this crime for many years to come.

Rather than dwell on the negatives of this event, let’s turn our attention to what good may come out of it.

Anthem’s misfortunes just might get the attention of senior management and boards of directors to recognize that cybersecurity is just as important to the enterprise as the operations of their customer-facing Internet applications themselves. Rather than putting their fingers in the dyke to patch up security holes after the damage has been done, maybe companies will recognize that protecting sensitive and critical data is equally important to their customers, and therefore to the enterprise itself, as the purchase of the products and services the company hopes customers buy in support of the business.

Businesses believe they exist on islands of commerce and all that matters are the attacks that are being directly targeted toward them. This misconception drives the decision to exclude the wealth of information that is collected through the use of global shared intelligence across the internet.

During a recent speech at Stanford University, President Obama discussed his executive order urging companies to join information-sharing hubs to exchange data about online threats. In other words, these hubs will create an environment of global shared intelligence for the purpose of stopping cybercrime using the shared information collected by all enterprises, whether the enterprises are in the same industry or not. What President Obama is asking all of us to do is to create a global “Neighborhood Watch Group” where every enterprise online participates in the protection of every other enterprise on the Internet.

The real consequences of the Anthem breach lie in the millions of stolen identities that will be used to defraud individuals across every aspect of their lives online. While most enterprises continue to focus on securing their internal networks, what is really required is broad adoption and use of secure, anonymized global shared intelligence that will identify what for and where those 80 million stolen identities are being used.

So then comes the critical question. Will enterprises simply add to their already ineffective methods of protecting critical data on the advice of vendors who are selling products designed to recognize intrusions only after the attack has occurred; or will they embrace the fact that today’s threats need to be stopped before the damage is done, outside of the firewall and on the Internet itself?

ThreatMetrix® and our customers believe that in order to protect enterprises from data breaches, a new approach is needed to differentiate between trusted users and cyber threats. At ThreatMetrix, we know that in cyberspace, our identities and personas are inextricably tied to the devices on which they are used, their security posture, their location, behavior and their associations built over time across the myriad of online services they use each day. In order to be me, you need to not only assume my identity and device at a point in time but for all time in order to replicate my digital fingerprint. Better yet, using a privacy-by-design approach, ThreatMetrix doesn’t need to know your name to know you’re not who you say you are. We are the first digital identity network that doesn’t just encrypt data, but also anonymizes data with a one-way filter so that personally identifiable information remains secure against both intentional and unintentional breaches.

ThreatMetrix is the leader in anonymized global shared intelligence to protect digital identities from being exploited. In real time ThreatMetrix protects more than 15,000 websites servicing more than 250 million consumer accounts who in turn execute tens of billions of transactions per year on a global basis. ThreatMetrix stops cybercrime, not customers, by using real-time identity, fraud and security analytics powered by the world’s largest trusted identity network. By creating an anonymized digital identity of consumers based on device, persona and behavior from every interaction (account origination, login and access, and purchase) and comparing it in real time to previous activities, ThreatMetrix enables enterprises to accurately identify good customers from cybercriminals – regardless of channel.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

 

 

Apple Watch Could Be a Real Steal

Posted on March 25th, 2015 by Dan Rampe

Apple Watch

Time Will Tell Whether Apple Watch Increases Fraud by Making It Easier and Cheaper to Use Stolen Data for In-Store Purchases

Using Apple Pay on iPhone 6 and stolen credit card numbers, cybercriminals have been buying high-end goods at brick-and-mortar stores, especially Apple stores. Experts have a one word description for this fraud — “rampant.”

If things look bad now, Al Sacco in his piece on cio.com says just wait until Apple Watch is released in April. The following has been excerpted from Sacco article and edited to fit our format. You may find the full unedited story by clicking on this link.

For cheap crooks

[Apple Watch], when it’s released in April, could take [the hike in fraud using Apple Pay] further, because it also supports Apple Pay and offers a cheaper option than buying a new iPhone, at least without a carrier subsidy.

How Apple Pay works Apple Watch

To add payment cards to Apple Watch, you simply open up the companion iOS app, which is now available in iOS 8.2, and use the Passbook & Apple Pay option to enter credit card data. After you save the information, and Apple runs a quick check for potential red flags, you’re good to go. (It’s unclear whether or not the Watch will automatically import payment information iPhone 6 users already store in Passbook.)

Next, you head on over to a local retailer with NFC-compatible POS terminals, pick up some goodies, head to the cashier, double-tap the bottom button on the side of the Watch and then hold it close to the payment terminal.

Security

For security purposes, you have to authenticate yourself via a passcode anytime you remove and replace the Watch and then try to access Apple Pay.

[While] Touch ID authenticates Apple Pay purchases when you use an iPhone 6, a passcode protects your card information when you pay via Apple Watch. After you type in your code once, you don’t have to retype it to make additional payments — as long as you don’t remove the device, causing it to break contact with your skin.

Apple Watch and Apple Pay fraud

[You] need an iPhone to do just about anything on the Apple Watch. It is, after all, a companion device, and without an iPhone buddy it does little more than track your steps and, you know, tell time.

Apple Watch and cheap iPhone cost less than iPhone 6

[Cybercriminals] who exploit Apple Pay to make fraudulent purchases don’t steal iPhones to use owners’ payment information. Rather, they buy or steal card data from another source and then add it to their own iPhones and use Apple Pay to turn that data into something physical that can be used in stores.

Today, you need an iPhone 6 or iPhone 6 Plus to perpetrate such a crime, because they’re the only Apple devices that support in-store Apple Pay. Both of these devices are relatively expensive….However, the Apple Watch works with earlier iPhones, including the 5 and 5s. Starting on April 10, bad guys will be able to purchase the cheapest version of Apple Watch for $349 and then jump on eBay (or some similar site) and snag a used iPhone 5 or 5s for as little as 99 cents.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

“Unsafe at Any Speed” — Even Standing Still

Posted on March 25th, 2015 by Dan Rampe

car on internet

Senator Proposes New Rules of the Road for Connected Cars That Leave Drivers Open to Invasions of Privacy and Cyberattack

When Ralph Nader’s Unsafe at Any Speed was published half a century ago accusing car manufacturers of resistance to spending money on safety, it caused a sea change in the auto industry. No. Not amphibious cars. But, it did lead to mandatory seat belt laws and the introduction of a host of other safety features.

Recently Sen. Ed Markey of Massachusetts released a report on the risks of cyberattack and loss of privacy posed by cars connected to the Internet. In a statement, he warned that “automakers haven’t done their part to protect us from cyber-attacks or privacy invasions [adding that even] as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

In her piece on washingtonpost.com, Andrea Peterson explores the many questions raised by the new Internet of Things smart cars and a few answers. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

Who’s foot is on the brake pedal?

Cybersecurity experts have long warned that cars’ electronic systems might be vulnerable to hackers, especially as auto-makers started building wireless connections to the outside world into vehicles. Researchers Charlie Miller and Chris Valasek demonstrated how to take over the steering and brakes of a Ford Escape and a Toyota Prius using a laptop connected to the vehicles with a cable in 2013.

Many attack surfaces

Last year, the pair released a report detailing the wireless “attack surfaces” of a wide variety of vehicles on the market — things like Wi-Fi, keyless entry systems, and Bluetooth that might be targeted by a malicious hacker.

Inconsistent and haphazard

Nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions,” according to Markey’s report…. Security measures to prevent remote access to a car’s electronic systems are “inconsistent and haphazard across all automobiles” and many manufacturers “did not seem to understand” the questions the legislator was asking. However, most manufacturers were either unaware or unable to report on previous hacking incidents.

“Cavalry” involved

Other groups have raised concerns about the security practices of auto-makers. I am the Cavalry, a group focused on where computer security intersects with physical safety, has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety.

Your car is listening

The report also found that modern cars collect a significant amount of information on driving history and that drivers often cannot opt out of data collection without disabling features such as navigation. “A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data,” it said.

Markey calls for new regulatory standards

[Markey] calls for the National Highway Traffic Safety Administration to set new regulatory standards with input from the Federal Trade Commission. The standards should ensure that car’s wireless and data-collection features protect against hacking and security breaches, require that carmakers test their systems with penetration testing, require drivers be explicitly told about how data is collected and used, and give drivers a way to opt out of such features, the report argues.

Rules of the road enforced

“We need to work with the industry and cyber-security experts to establish clear rules of the road – not voluntary agreements – to ensure the safety and privacy of 21st-century American drivers,” Markey said.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

16 Million Mobile Devices Hit. Malware Infections Up 25 Percent.

Posted on March 24th, 2015 by Dan Rampe

Malware

Latest Study by French Telecom Equipment Company Alcatel-Lucent Shows 2014 Was a Banner Year for Bad Guys.

The Motive Security Labs division of Alcatel-Lucent recently published a report that found mobile device malware infections increased 25 percent compared with a 20 percent increase in 2013. Extrapolated out that comes to 16 million infected devices.

In his piece on zdnet.com, Leon Spencer highlights major findings from the report, officially titled, Motive Security Labs malware report – H2 2014. The following has been excerpted from Spencer’s zdnet.com story and edited to fit our format. You may find the full article by clicking on this link.

Mobile spyware big threat

[Six] of the mobile malware top 20 spyware…apps that are used to spy on the phone’s owner, and can track a phone’s location, monitor incoming and outgoing calls and text messages, monitor emails, and track a phone user’s web browsing.

Android devices now as popular with cybercriminals as Windows’ devices

[Android] devices have caught up with Windows laptops in terms of malware attack numbers, with infection rates between Android and Windows devices split 50/50.

iPhone and Blackberry not cybercriminals favorite target…yet

Less than 1 percent of infections came from iPhone and BlackBerry smartphones. However, new vulnerabilities, such as the “Find My iPhone” exploit discovered last year, have emerged in the past 12 months, showing that Apple is not immune from malware threats.

Owners not responsible

[The] growth in malware infections has been aided by mobile device owners not taking “proper” device security precautions. A recent Motive Security Labs survey found that 65 percent of the security platform subscribers expected their service provider to protect both their mobile and home devices.

Who’d ‘ve “thunk” it?

The report also found that, somewhat counter-intuitively, consumers who avoid shopping online out of fear that their credit or debit card information may be stolen may, in fact, be exposing themselves to greater risk. A spate of retail payment systems security breaches in 2014 showed that malware infections are more likely to be found on cash registers or point-of-sale terminals, rather than on online store payment portals.

Increase in DDoS

[Researchers] found that there was an increase in distributed denial-of-service (DDoS) attacks using network infrastructure components such as home routers, DSL modems, cable modems, mobile Wi-Fi hotspots, DNS servers, and NTP servers.

Additionally, the first DDOS attacks launched from mobile phones took place, suggesting how so-called “hacktivism” movements against the mobile infrastructure might be launched in the future….

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

Browser Beware

Posted on March 23rd, 2015 by Dan Rampe

Browsers

Ponemon Survey of 645 Information Tech Companies Says Half of All Malware Was the Result of Web Browsers That Weren’t Secure

Less than a third of respondents thought major browsers had “effective security tools for blocking web-borne malware.” And, close to 70 percent of IT professionals thought browser-borne malware was getting worse and was “a more significant threat today than [just] 12 months ago.” These were among the observations brought to light in the Ponemon study as reported by Cory Bennett on thehill.com. The following has been excerpted from Bennett’s article and edited to fit our format. You may find his full article by clicking on this link.

An unsettling thought

Over three quarters [of IT professionals] thought it was certain or very likely their organization had an undetected infiltration from browser-based malware.

Google hunting for bugs

[Google is taking …steps to root out more bugs in its Chrome browser, which recently became the second-most popular browser behind Microsoft’s Internet Explorer.

The [company] said it [would] start giving no-strings-attached grants to independent researchers to suss out flaws in its products, including Chrome. The company will post vulnerabilities they are looking to eradicate and will dole out up to $3,133.70 to researchers willing to take a shot at it.

The hunt gets harder

Since 2010, Google has rewarded researchers if they discovered flaws in Google products and services. The company said it’s adding the new grant program because these vulnerabilities are increasingly difficult to find, after years of independent researchers and Google’s in-house team working on the issue.

“Of course, that’s good news, but it can also be discouraging when researchers invest their time and struggle to find issues,” said Google security engineer Eduardo Vela Nava.

Chrome chief beneficiary

Chrome has benefited from these rewards as much, if not more, than any other product, Nava said. In 2014, more than half of the Chrome bugs discovered by outside researchers were found in beta versions of the browser.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

Yah Who?

Posted on March 19th, 2015 by Dan Rampe

Yahoo

Yahoo Offers Optional On-Demand Password-Free Email Login. Now Unnecessary for Users to Remember Passwords to Login.

Last year, Yahoo suffered a massive hack that compromised Yahoo Mail usernames and passwords. In response to that attack, writes Samantha Murphy Kelly on mashable.com (link to article), “[Yahoo wanted] to provide a safe, encrypted way to keep accounts secure.”

How Yahoo’s password-free login works

Murphy writes that the “new on-demand login feature…sends…a specialized code to [users’] mobile devices to gain access. The code is generated only for that account [and] changes each time [users] log in.” The same password is never used twice.

For years, ThreatMetrix warned that passwords offer minimal security

In a 2013 blog titled “ThreatMetrix Strategies for Helping Your Business Avoid Its Own Password Apocalypse,” the company pointed to the 130 million people who had their identities stolen or bank accounts drained when Adobe and LivingSocial were breached (Since that time, of course, tens of millions more people have had their personal information compromised in breaches from Target to Anthem.) and noted that password systems were not up to the task of protecting those people.

Alisdair Faulkner, ThreatMetrix’s chief products officer, observed in the same blog:

“Retailers are caught between a rock and a hard place. They loathe introducing speed bumps, such as resetting passwords or requiring two-factor authentication, as these steps pose an inconvenience to their customers. It’s crucial to adapt effective technologies that can quickly identify potential threats without negatively impacting the user experience for customers.”

Other companies offering similar password protection to Yahoo’s

Murphy notes that “Many companies like Twitter, Facebook and Google have offered a similar option — two-factor authentication — for some time. This method is like double-locking your door at night (you need both a standard password and the messaged code to enter). Yahoo differs because you don’t need a permanent password, just the one that the company sends you on demand.”

Even though Yahoo’s method differs slightly, no doubt there are going to be users who are turned off by having to jump through hoops just to check their email.

What happens if Yahoo email user loses his device or has it stolen?

Writing on techcrunch.com (link to article), Jon Russell notes that “if you lose your phone, the person in possession of it has a ticket into your email. In some cases, if you get SMS notifications on your lock-screen, the on-demand password will show up even if your phone is locked. So, if you lose it, the person who picks it up doesn’t even need to know your passcode to get into your Yahoo account once they know your ID.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

New ThreatMetrix TrustDefender Mobile App Enhancement Helps Businesses Meet PCI DSS

Posted on March 18th, 2015 by Dan Rampe

MRC

Extended Mobile App Reputation and Device Analysis Enables Businesses to Meet Latest Payment Card Industry Data Security Standards

ThreatMetrix’s latest TrustDefender Mobile release, the mobile software development kit (SDK), helps ThreatMetrix customers identify fraudulent behavior and reduce friction for transactions originating from mobile apps.

Android and iOS devices

In addition to Android, the release extends ThreatMetrix’s industry-leading Mobile App Reputation and Integrity capability to iOS devices.

Dean Weinert, ThreatMetrix director of mobile products, on stopping malware apps from different vendors

“One of the challenges our customers face in the mobile channel comes with the explosion of apps from a multitude of different vendors – many of which are used as vehicles to deliver malware. It’s important for businesses to distinguish between real, trusted apps and apps that have been altered, but that requires a significant amount of data, especially for mobile devices. ThreatMetrix provides a solution that is lightweight on users’ devices, putting those device attributes and threat risks into our digital identity network. The network is constantly learning about the growing mobile attack surface so our customers don’t have to.”

One billion transactions analyzed each month

This month, ThreatMetrix announced that the ThreatMetrix Global Trust Intelligence Network (The Network), the largest digital identity network in the world, has reached one billion transactions analyzed monthly, more than 250 million of which originate from mobile devices from more than 200 countries. The ThreatMetrix mobile solution further enhances the value of The Network by creating an anonymized digital identity of consumers based on device, persona and behavior from every transaction and comparing it in real time to previous activity. This growing network enables ThreatMetrix customers to understand users and associated devices, gain effective fraud intelligence without in-house expertise and ensure application integrity to stop fraud, not customers.

Vanita Pandey, ThreatMetrix senior director, strategy and product marketing, on the expansion of mobile in banking and ecommerce

“Mobile and other connected devices are fast becoming the leading way for users to access commerce and banking services. Mobile is the biggest emerging opportunity and risk for businesses and financial institutions trying to deliver frictionless experiences to their customers. Continued growth of mobile payments and banking will lead to stricter rules and regulations to secure these transactions.”

New mobile 2015 Payment Card Industry Data Security Standards

The recently instituted 2015 Payment Card Industry Data Security Standards (PCI DSS) for mobile devices are now stricter, including requirements for detecting rooted or jailbroken devices, detecting malware, and more.

The latest release of TrustDefender Mobile delivers enhanced capabilities to meet these new standards including:

  • Mobile App Reputation extended to iOS devices in addition to Android – This provides protection against malware and malicious applications across these platforms. Leveraging the intelligence from The Network with real-time reputation data from more than 14 million applications, ThreatMetrix can identify and classify millions of mobile applications, compared to the hundreds identified by competitors.
  • New mobile-specific attributes analyzed – The newest attributes analyzed by ThreatMetrix include additional details of device networks and security, as well as details of application “deep linking” to further identify unique devices and more importantly, to highlight devices compromised by malicious actors and malware.
  • Continues to leverage The Network – As with all ThreatMetrix products, the newest release is fully integrated with the ThreatMetrix digital identity network and analysis engine to help stop cybercriminals across mobile and other connected devices, using a common set of intelligence and policies.

iOS gains in the marketplace could make it a more tempting target

“iOS drives a significant percentage of mobile commerce,” said Pandey, “During Cyber Week 2014, The Network found that 39 percent of transactions originated from mobile devices, with nearly 80 percent of those transactions originating from iOS. While Android is at higher risk for malware, iOS is more prevalent. Extending the Mobile App Reputation and Integrity capabilities of TrustDefender Mobile to iOS offers our customers a more consistent solution.”

Visit ThreatMetrix at MRC Vegas 2015

ThreatMetrix is sponsoring and exhibiting its latest TrustDefender Mobile capabilities in booth 119 at MRC Vegas 2015, the industry-leading conference for merchants to discuss the latest trends in risk and payments, March 23-26 in Las Vegas. ThreatMetrix will participate in several speaking sessions and panels at the event, including:

Merchant Focus Group – Tuesday, March 24

  • 12:15-1:30 p.m. PST, Bristlecone 3 Room
  • Speaker: Carmen Honacker, director of customer advocacy at ThreatMetrix
  • Topic: Building a Fraud Prevention Community (Invite Only)

Ignite Session – Tuesday, March 24

  • 4:00-5:00 p.m. PST, Pinyon 2 Room
  • Speaker: Bert Rankin, chief marketing officer at ThreatMetrix

Speaking Session – Thursday, March 26

  • 9:55-10:35 a.m. PST, Bristlecone 3 Room
  • Speakers: Carmen Honacker and Peter Zeigler, senior products manager at TripAdvisor
  • Topic: Beyond Device ID: Using Digital Identification to Reduce E-Commerce Fraud

Joint ThreatMetrix and TripAdvisor session at MRC Vegas

Attendees at the joint ThreatMetrix and TripAdvisor speaking session on the final day of MRC Vegas will learn why and how e-commerce businesses need to move beyond simple device identification through the use of cookies to include other criteria. Cookies are easily compromised by hackers and privacy-conscious users alike. To complicate matters, IP address information is dangerously easy to spoof by using proxies, virtual private networks (VPNs) and botnets. This session will discuss how e-commerce merchants can take into account the context of an online event, resulting in historical evidence of persona behavior across all data.

For more information on MRC Vegas, visit www.merchantriskcouncil.org/Pages/home.aspx.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

ThreatMetrix Advances Cybercrime Prevention with Extended Mobile App Reputation and Device Analysis

Posted on March 18th, 2015 by Dan Rampe

MRC

Latest Enhancements to ThreatMetrix TrustDefender™ Mobile Enables Businesses to Meet New Heightened Payment Card Industry Data Security Standards (PCI DSS)

San Jose, CA – March 18, 2015 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced the latest release of ThreatMetrix TrustDefender™ Mobile, the mobile software development kit (SDK) that helps ThreatMetrix customers identify fraudulent behavior and reduce friction for transactions originating from mobile applications. The newest release extends the industry-leading ThreatMetrix Mobile App Reputation and Integrity capabilities to iOS devices in addition to Android, and widens the breadth of attributes analyzed from mobile devices.

“One of the challenges our customers face in the mobile channel comes with the explosion of apps from a multitude of different vendors – many of which are used as vehicles to deliver malware,” said Dean Weinert, director of mobile products at ThreatMetrix. “It’s important for businesses to distinguish between real, trusted apps and apps that have been altered, but that requires a significant amount of data, especially for mobile devices. ThreatMetrix provides a solution that is lightweight on users’ devices, putting those device attributes and threat risks into our digital identity network. The network is constantly learning about the growing mobile attack surface so our customers don’t have to.”

This month, ThreatMetrix announced that the ThreatMetrix® Global Trust Intelligence Network (The Network), the largest digital identity network in the world, has reached one billion transactions analyzed monthly, more than 250 million of which originate from mobile devices from more than 200 countries. The ThreatMetrix mobile solution further enhances the value of The Network by creating an anonymized digital identity of consumers based on device, persona and behavior from every transaction and comparing it in real time to previous activity. This growing network enables ThreatMetrix customers to understand users and associated devices, gain effective fraud intelligence without in-house expertise and ensure application integrity to stop fraud, not customers.

“Mobile and other connected devices are fast becoming the leading way for users to access commerce and banking services,” said Vanita Pandey, senior director, strategy and product marketing at ThreatMetrix. “Mobile is the biggest emerging opportunity and risk for businesses and financial institutions trying to deliver frictionless experiences to their customers. Continued growth of mobile payments and banking will lead to stricter rules and regulations to secure these transactions.”

The recently instituted 2015 Payment Card Industry Data Security Standards (PCI DSS) for mobile devices are now stricter, including requirements for detecting rooted or jailbroken devices, detecting malware, and more.  ThreatMetrix’s mobile solution addresses these requirements. The latest release of TrustDefender Mobile delivers enhanced capabilities including:

  • Mobile App Reputation extended to iOS devices in addition to Android – This provides protection against malware and malicious applications across these platforms. Leveraging the intelligence from The Network with real-time reputation data from more than 14 million applications, ThreatMetrix can identify and classify millions of mobile applications, compared to the hundreds identified by competitors.
  • New mobile-specific attributes analyzed – The newest attributes analyzed by ThreatMetrix include additional details of device networks and security, as well as details of application “deep linking” to further identify unique devices and more importantly, to highlight devices compromised by malicious actors and malware.
  • Continues to leverage The Network – As with all ThreatMetrix products, the newest release is fully integrated with the ThreatMetrix digital identity network and analysis engine to help stop cybercriminals across mobile and other connected devices, using a common set of intelligence and policies.

“iOS drives a significant percentage of mobile commerce,” said Pandey, “During Cyber Week 2014, The Network found that 39 percent of transactions originated from mobile devices, with nearly 80 percent of those transactions originating from iOS. While Android is at higher risk for malware, iOS is more prevalent. Extending the Mobile App Reputation and Integrity capabilities of TrustDefender Mobile to iOS offers our customers a more consistent solution.”

ThreatMetrix is sponsoring and exhibiting its latest TrustDefender Mobile capabilities in booth 119 at MRC Vegas 2015, the industry-leading conference for merchants to discuss the latest trends in risk and payments, March 23-26 in Las Vegas. ThreatMetrix will participate in several speaking sessions and panels at the event, including:

Merchant Focus Group – Tuesday, March 24

  • 12:15-1:30 p.m. PST, Bristlecone 3 Room
  • Speaker: Carmen Honacker, director of customer advocacy at ThreatMetrix
  • Topic: Building a Fraud Prevention Community (Invite Only)

Ignite Session – Tuesday, March 24

  • 4:00-5:00 p.m. PST, Pinyon 2 Room
  • Speaker: Bert Rankin, chief marketing officer at ThreatMetrix

Speaking Session – Thursday, March 26

  • 9:55-10:35 a.m. PST, Bristlecone 3 Room
  • Speakers: Carmen Honacker and Peter Zeigler, senior products manager at TripAdvisor
  • Topic: Beyond Device ID: Using Digital Identification to Reduce E-Commerce Fraud

Attendees at the joint ThreatMetrix and TripAdvisor speaking session on the final day of MRC Vegas will learn why and how e-commerce businesses need to move beyond simple device identification through the use of cookies to include other criteria. Cookies are easily compromised by hackers and privacy-conscious users alike. To complicate matters, IP address information is dangerously easy to spoof by using proxies, virtual private networks (VPN) and botnets. This session will discuss how e-commerce merchants can take into account the context of an online event, resulting in historical evidence of persona behavior across all data.

For more information on MRC Vegas, visit www.merchantriskcouncil.org/Pages/home.aspx.

ThreatMetrix Resources

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

© 2015 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

 

Visa Kicks Off 20-CityTour to Overcome Small Biz Resistance to EMV

Posted on March 17th, 2015 by Dan Rampe

EMV

Tour Explains How EMV Technology’s Benefits Outweigh Costs of Implementation

Following on the heels of American Express’s “Small Merchant EMV Assistance Program,” a $10 million campaign to speed up adoption of EMV payment terminals, Visa is launching its own “Small Business Chip Education Tour.” The idea behind both tours is to get small merchants on-board with EMV, which has faced resistance from some merchants because they can’t see the cost versus benefits of adopting the new technology.

One huge cost could be in NOT implementing EMV. That’s because as of October, if merchants haven’t upgraded their point-of-sale systems to accept EMV cards, and a card they’ve accepted is used for fraud, liability for that fraud will fall to either the bank or merchant who hasn’t done an upgrade.

To answer both negative and positive questions by small businesses about EMV and to explain the technology, Visa is kicking off a twenty-city tour beginning in Austin, Texas. An article on pymnts.com discusses the tour and what it aims to accomplish. The following has been excerpted from the pymnts.com article and edited to fit our format. You may find complete piece by clicking on this link.

Merchants can speak with those who’ve already adopted EMV

[The tour launches at] the Greater Austin Hispanic Chamber of Commerce Small Business and Entrepreneurial Showcase, where guests will be able to speak with payments experts about payment and chip technology to better understand how it works. They will also be able to speak with merchants who’ve already migrated to the new tech to learn from firsthand experiences.

Topics addressed

The tour will cover topics such as how EMV technology is used to prevent data breaches that involve sensitive account data being attacked. Demonstrations will also be given on how the technology works.

Partnering with the U.S. Hispanic Chamber of Commerce

“For small businesses, running smoothly and protecting their customers is of top importance, particularly in the digital age,” said Javier Palomarez, the president and CEO of the U.S. Hispanic Chamber of Commerce.

Webinars available

To further its mission, Visa has used this event to partner with financial institutions, business groups, media organizations and consumer advocacy groups to create educational events across the U.S. This includes a stop in Orlando, Florida, on April 3. Webinars will also be available on the Visa’s chip website.

Small merchants, biggest segment

“As the largest segment of merchants in the U.S., it’s critical that small businesses understand how chip technology works and what it means to the protection of their business and the data of their customers,” Kim Lawrence, senior vice president of Corporate Initiatives at Visa.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

 

 

How Apple Pay Problems Can Point a Way to Better Fraud Prevention

Posted on March 16th, 2015 by Dan Rampe

Standard-Header-Tony

At ThreatMetrix® we’ve been banging on about the importance of context-based, friction-free fraud prevention for years. We also predicted some months ago that mobile fraud would reach around half of all recorded cases by the end of the year, and have been alerting organizations to the fact that account creation fraud is becoming increasingly popular amongst the criminal fraternity. It’s fascinating, therefore, to see all of these trends intersecting with the recent problems the Apple Pay ecosystem seems to be having with scammers in the U.S.

One issuer has reportedly seen its fraud rate go as high as 6 percent. So what went wrong and what lessons can we learn?

What went wrong?

The reports have come in anecdotally thick and fast over recent weeks that fraudsters have found an Achilles heel to the mobile payment system: card provisioning. Virtually the first step a user must take to sign their card up to Apple Pay is have their identity validated by the issuing bank. To do this they can either take a photo of their card or input details manually. These are then sent securely to the issuing bank to check, along with some device usage and iTunes data.

The problem comes for those identity checks which need secondary authentication, because it’s down to the banks to decide what form this takes. Many are requesting static “card-not-present” personal information such as social security numbers. But these are easily obtainable, along with the stolen card data itself, on the kind of underground internet forums frequented by fraudsters. The problem is compounded by the fact that many issuers are forcing users to ring their call centres to validate.

Scammers are more than capable of socially engineering call centre staff into believing they’re talking to the real card holder.

So, hey presto, the fraudster has successfully authenticated some stolen card details onto their iPhone. All that remains now is to go on a high value retail binge – which many are reportedly doing at, you guessed it, Apple Stores themselves.

Least resistance

Don’t get me wrong, Apple Pay is a pretty robust platform, as mobile payments go. It has built in tokenisation, on-device encryption, NFC, Touch ID and more to keep the bad guys at bay. But we must always remember that if there’s even the slightest chink in the armour, they’ll find it. As with any type of online transaction, the key is for the bank, retailer, social network etc is to stop authenticating via the kind of data which can be easily sourced on underground forums.

Gartner distinguished analyst Avivah Litan said it best in her recent blog post:

“The key is reducing reliance on static data – much of which is [personally identifiable information] PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behaviour and relationships between non-PII data elements.”

But more than this, using call centres to authenticate users is not just less secure, it’s completely unscalable and creates way too much friction for the individual user. As payments expert Cherian Abraham said in his commentary on the subject:

“In short, provisioning must become secure, invisible and scalable.”

We couldn’t agree more. It’s what ThreatMetrix has been saying for years. We offer a fraud prevention service based on our Global Trust Intelligence Network, which crunches behavioural, device and identity data rather than PII to calculate in real time whether an individual is who they say they are. It’s smart, contextual, scalable and completely invisible to the end user.

Whoever’s to blame for the problems Apple Pay now finds itself in – and the issuers have certainly hit back of late by claiming they haven’t received enough support from Apple – we need to get smarter about fraud prevention.

The clock’s ticking…

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.