A Civil War Between the States and Federal Government Over One Law for All Breach Notifications

Posted on February 19th, 2014 by Dan Rampe


Unlike other recent Congressional fights, the dispute over a single federal law on how customers should be notified about breaches looks to be less rancorous and more civil. That’s because privacy concerns cut across party and ideological lines, often uniting staunch conservative Republicans with civil libertarian Democrats.

The renewed interest in a federal breach notification law covering all fifty states comes on the heels of the Target, Neiman Marcus and Michaels breaches. And while the same vitriol that was apparent in other Congressional battles may not be present, there is a lot to be considered, including how a federal law would affect state regulations that are already in force.

In her Reuters piece, tech/cyber policy reporter Alina Selyukh writes:

Although federal laws already regulate how specific industries, such as banks and hospitals, handle compromised data security, certain other kinds of companies, including retailers, face no such uniform standard.

Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach.

With that, negotiations over fitting state standards under an umbrella federal law face a tug of war between companies, consumer advocates and state authorities.

Large companies working across state lines argue that state laws present a patchwork of regulations and compliance poses a challenge. Companies often issue one nationwide notice to consumers with state-specific supplements at the end. “Certainly, one standard is easier to follow than 47,” John Mulligan, Target’s chief financial officer, told lawmakers…. The No. 3 U.S. retailer has stores in every U.S. state except Vermont.

The National Retail Federation in a January letter to Congress also restated its decade-old position in favor of a nationwide standard that would pre-empt state rules. “A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live.”

Some state attorneys general worry above all that federal standards would dilute their power to pursue violators….

“There are 47 state standards, there’s no reason to add a 48th,” said [Representative Lee] Terry, the most prominent Republican leading a legislative effort at this point.

Consumer advocates say that the companies’ call for a single law masks the goal of having a weaker federal standard that would trump stricter laws on the books in states like California and Massachusetts.

“None of the federal proposals are as strong as the strongest state laws and that’s wrong,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group. “I don’t think we need (a federal law) that’s weaker than California’s.”

California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, it requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen.

Though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.

Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records.

Alabama, Kentucky, New Mexico and South Dakota do not have their own data breach notification laws.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

A New Model for Building Trust on the Internet

Posted on January 28th, 2014 by Dan Rampe


The beginning of a new year is often a time of reflection. At ThreatMetrix™, we have a lot to reflect on and look forward to. ThreatMetrix turns seven this year. In Internet- and dog-years alike, that’s a long time.

When we started ThreatMetrix, the online world was a simpler place. While we were developing our advanced device identification technologies in 2007, with proxy piercing and global device identification, Apple announced the iPhone. Amazon launched the Kindle in November of 2007. Those devices and others changed the way that we connect with the world.

We’ve worked hard to keep pace with those changes:

  • Since one size doesn’t fit all, we added customer-configurable rules to our risk analysis.
  • As cybercriminals got better at disguising their identities, we developed ThreatMetrix ExactID™ and ThreatMetrix SmartID™ technologies to look beyond the devices to the people using them.
  • Recognizing that legitimate user devices can be compromised by malware, we became the first advanced device identification technology to integrate malware detection.
  • Because it’s just as important for businesses to allow legitimate customers or employees access to applications as to keep out the false ones, we created ThreatMetrix™ Persona ID and ThreatMetrix™ Trust Tags technologies to help streamline access for trusted visitors.

The Trust Trifecta: Technologies, Processes and Data

Advanced device identification and malware detection were just the first phase in the evolution of the ThreatMetrix solution set. Although we started out as a first line of defense in the fight against fraud, in working with our customers we dove into the broader issues of online trust. In doing so, we have expanded our innovations to include processes for configuring and validating business policies and a global data set of shared intelligence.

For example, the Persona ID technology addresses the broader issue of tracking the behavior of a person online – whether or not you know exactly who that person is. The ThreatMetrix Persona ID approach is both passive and anonymous from the user’s perspective. This type of analysis is only possible by tracking and analyzing online behavior across sites – something we do through the ThreatMetrix™ Global Trust Intelligence Network.

So in addition to innovative technologies, we now have a core set of processes, a massive data set generated and refreshed daily by a global network, and comprehensive data analysis from that data. This combination of technologies, processes and data significantly broadens the scope of the ThreatMetrix solution in the online world. We can address broader issues of risk assessment and identity authentication.

ThreatMetrix Today: Building Trust on the Internet

Which brings me to where the company is today, in early 2014. We’ve changed our tagline to reflect our broader purpose: Building Trust on the Internet. We’re building and growing our ThreatMetrix™ Global Trust Intelligence Network, which monitors and scores more than 500 million transactions per month. Our Persona ID and Trust Tag technologies, enhanced with our global network and data, enable a new kind of passive, context-based authentication for all kinds of online sites and applications. And we’re working not only with online banks and retailers, but also enterprises and government agencies to help streamline access for legitimate users and keep out those who don’t belong.

No one can see what twists and turns the Internet will take in the coming years – but building a foundation of trust with employees and customers is an important first step. And that’s where we’re putting all of our efforts from this point forward.

Balancing Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe

Online security and privacy have a love/hate relationship. We need security measures to protect our online privacy. However, complete online privacy (anonymity) can defeat security measures by giving cybercriminals an undetected place to operate. And we often sacrifice data privacy in the name of security – the NSA Prism project being one visible example.

The strange relationship between privacy and security is perfectly illustrated in the story of Tor, a software program for online anonymity. According to last week’s BusinessWeek article on Tor, much of its original funding came from the Department of Defense. Now the NSA is spending a huge amount of time and energy trying to defeat Tor in the name of security. Security and privacy would appear to be on opposite teams.

I don’t think that has to be true. It’s possible to respect the online privacy of your customers while protecting the security of their data and your applications. Striking the right balance is something that every business has to do for its specific customer needs and use cases.

In honor of Data Privacy Day, here are some thoughts on how businesses can and should balance privacy and security.

Stop Asking People to Give Up Privacy for Security

As I wrote in a previous blog, be wary of asking people for more personal information in the name of giving them better security. The more of their personal information you hold, the greater your obligation to guard that data – and the more attractive a target you become for identity thieves. Even credit bureaus and identity data aggregators have been breached and hacked, so even outsourcing data collection to third parties is problematic.

Consider Context When it Comes to Privacy

People have many ways of trying to operate anonymously online, from disguising IP addresses or true location to cookie wiping. Many people want to escape the scrutiny of marketers tracking their movements. Businesses need to look for indicators of people obscuring their real identity in those situations that represent risk of identity takeover.

Let’s say someone is disguising their IP address online – should that be a concern? It depends on the business and online context. When connecting to a social network, someone might legitimately want to disguise their IP address or use a VPN connection. For example, they might be traveling in a country that bans the network. The social network might detect the activity but not deny access unless there were other behavioral factors.

However, if someone tries to create a credit card account while disguising their IP or geolocation, that should be a red flag. The context of the transaction or online interaction is a critical factor.

Honor the Customer’s Trust

Ultimately, striking the right balance of security and privacy comes down to honoring the customer’s trust.

• Don’t collect personally identifiable information unless you need it. Use behavior-based analysis and data anonymization to avoid the need to share data about your customers’ personal lives with third parties.

• Whatever information you do gather for security reasons, you should only use for protecting the customer identity and data. Do not share it or sell it for marketing purposes. Partner with companies that are in the business of protecting trust, not monetizing identities.

• Protect customer identity in use – during the point of a transaction or at the moment of login. As I wrote in the blog Let’s Do Something Different for Data Privacy Day, online businesses need to be accountable for protecting the customer identity when it is used on their site – even if the identity was stolen elsewhere. By preventing account takeover you can maintain customer trust.

For more information, see the press release, “ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security.”

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe


Businesses Can Protect Customer Identities While Enabling Confidentiality on the Internet Through Anonymized Trusted Identity Networks

San Jose, Calif. – January 28, 2014 – ThreatMetrix™, the fastest-growing provider of context-based authentication and advanced Web fraud solutions, commemorates Data Privacy Day by announcing strategies for businesses to protect consumer identities without compromising privacy.

In the age of big data, enterprises are collecting and sharing unprecedented amounts of customer information, many times unintentionally. When a single employee can steal up to 40 percent of a country’s credit data on a USB stick, and identity thieves can illegally purchase credit data, better practices are urgently needed for protecting access to online information and identities. The flip side, however, is that in order to protect against data breaches and malware, big data approaches to cybersecurity are essential for total situational awareness.

“Often, bad things happen to good people and sometimes good people – even a company’s own employees – go bad and compromise online security and privacy,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Therefore, enterprises need to combine big data techniques with a new approach to protecting privacy and unlawful access to customer and employee accounts.”

At the heart of the problem is the way trust is evaluated online. In the offline world, trust is situational, continually evaluated over time based on observed behavior and informed by reputation. In the online world, however, the vast majority of data and commerce is protected by static checks such as passwords, payment information or supposedly private “out-of-wallet” information. The problem is exacerbated by the lack of privacy-protecting intelligence sharing, meaning companies either operate in a silo, or customers must trust their identity information will not be abused by marketing organizations or breached by hackers.

“There is a fine line between offering customers comprehensive security and invading their privacy,” said Faulkner. “Finding the balance is essential to effectively protecting sensitive data while maintaining trust and preventing customer identities from falling into the hands of cybercriminals. With the advent of controversies surrounding government spying programs, the tightrope between privacy and security has become even narrower.”

Added complexity lies in differentiating between cybercriminals, who are looking for anonymity to hide their fraudulent activity, and consumers who simply want privacy. For example, a person using an anonymized IP address to read political news is one thing; it’s a completely different matter if the user is accessing a Tor network while applying for a credit card. The expectations for privacy by a legitimate consumer and what is viewed by a business as acceptable behavior are very different based on the context of the action taken.

Key strategies ThreatMetrix recommends businesses implement to achieve the balance between privacy and security include:

CEO-Sponsored Trust Protection Taskforce – It’s essential that the CEO takes a leadership stand in framing the privacy and security tightrope as a competitive opportunity to build brand trust and remove obstacles to increasing revenue. The often-competing requirements of security, privacy and marketing need to come together under a coherent strategy that moves the internal conversation beyond compliance to protection.

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leverage trusted identity networks that use strict anonymization practices to share risk intelligence and improve security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies using big data techniques without falling afoul of privacy laws and consumer trust.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers and employees to be treated unfairly when their identities or accounts are abused. Analyze anonymized global patterns of identity usage including locations, devices, accounts, transactions and associations over time to provide ‘spoof-proof’ identity screening without false positives – incorrectly labeling legitimate users as fraudulent.

Context-Based Authentication – “Context is King” when it comes to differentiating between trusted users and cybercriminals. Businesses must dynamically establish the credibility of each and every access attempt and transaction, regardless of whether initiated by a customer or employee, based on business risk of the action and the full context of identity and device threats. These threats include Man-in-the-Middle and Man-in-the-Browser attacks, account compromise, bots, proxies, and location and transaction anomaly screening to determine the level of authentication and authorization required to process the request.

“At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft,” said Faulkner. “Otherwise, government agencies will be forced to step in. It’s crucial that privacy and security professionals move to frictionless solutions that can tell whether a user is who they say they are without needing to know their name. These standards can be used as a balancing pole for chief security officers and chief privacy officers walking the tightrope between privacy and security.”

ThreatMetrix uses an anonymized global data repository, the ThreatMetrix™ Global Trust Intelligence Network (The Network), to evaluate logins, payments, new account registrations and remote access attempts for validity in real time. The most comprehensive global repository of anonymized identity and trust data, The Network uses real-time analytics to protect hundreds of millions of accounts and identities each day from cybercrime.

Through sharing strategies to balance between privacy and security, ThreatMetrix continues its commitment to Data Privacy Day, an annual event sponsored by the National Cyber Security Alliance that encourages businesses and consumers to protect their online privacy and control their digital footprint. ThreatMetrix was named a Data Privacy Day Champion for its ongoing efforts to prevent cybercrime and preserve personal data on the Internet.


© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com


Three Reasons We Need Behavior-Based Identity Proofing Now

Posted on January 22nd, 2014 by Dan Rampe


My debit card was compromised a couple of years ago. My bank’s response? In addition to cancelling my card while I was on holiday, I got a call on my personal mobile phone with an offer to upsell me “free” identity services that converted to a paid subscription – monetizing the fact that my identity was compromised.

I share this story because it nicely illustrates three huge problems with the current state of online identity protection and privacy:

1. The consumer bears the burden of protecting privacy.

2. The brand relationship is damaged both through breaches and the currently accepted measures to secure identity.

3. The “fix” of linking online identity to physical identity doesn’t increase my privacy – and may put it at greater risk.

Let’s look at each problem in isolation.

The Consumer Suffers

When there’s a data breach, the consumer has to take steps to repair the damage – reversing charges on their cards, changing passwords across accounts, or even signing up for identity protection services.

Some businesses are offering their customers two-factor authentication services, which can add an extra layer of security but also create an additional burden at the point of login. If I want better security, I’m also in a Catch 22 position of needing to hand over even more personal data.

Brands Suffer from Erosion of Trust

My bank’s upsell offer did serious damage to my relationship with that institution. They had already lost my trust, then I felt they tried to capitalize on it. Is credit monitoring helpful? Sure, but even good intentions can sour brand relationships if not executed correctly, and it still doesn’t protect my identity from being re-used outside of the credit application process.

The problem of trust is not just limited to those businesses that suffer breaches. It’s a challenge for every business that interacts with customers online. If a criminal registers an account or buys a product from your business using stolen credentials, the person who owns those credentials will forever associate you and your brand with that breach of trust – even if the data breach happened somewhere else. Why? It’s hard for a consumer to differentiate between a business with insufficient fraud detection capabilities and one they think has somehow tricked them or their family to purchase or subscribe to a service online.

Our Privacy Continues to Decline

Worse, the traditional measures that businesses offer to increase the security of my online identity don’t protect my privacy well.

Identity theft protection plans offered by banks tap into services like credit bureaus. These bureaus aggregate data about my online identity with my real-world identity and sell it as a service to legitimate businesses. The problem is that these identity aggregation points are themselves targets for hackers and insider threats. According to Brian Krebs’s blog, at least one credit bureau has unintentionally sold data to an identity theft service, while another ID theft service has hacked into multiple data brokers and aggregators. Recently nearly 40% of South Koreans were exposed due to insider theft.

Anonymized Behavior-based Identification Solves These Problems

Traditional ways for proofing online identity often rely on services that aggregate identity information and connect online identity with our real-world identities. We need a new approach – and I think behavioral-based identity proofing is the right way to go.

At ThreatMetrix™, we enable context-based security for frictionless multi-factor authentication – it entails determining someone’s online persona by linking anonymized credentials to related identities, devices, behaviors and associations based on a dynamic matrix of attributes. In the same way that “actions speak louder than words” your online identity (a Persona ID) is created and verified through global online behavior and not simply reliant on knowledge of your offline identity. Unlike identity bureaus that are in the business of monetizing your identity, ThreatMetrix is only in the business of protecting trust so our algorithms don’t need to know your actual name to know whether you are who you say you are.

Best of all, it takes the burden off the customer and helps businesses restore trust in online services without introducing friction.

For details on this new approach to securing online identity, see this week’s press release on frictionless identity protection.


Global Trust Intelligence – Changing Economics of Identity Theft

Posted on January 22nd, 2014 by Dan Rampe


ThreatMetrix Shares Strategies For Implementing Effective Security Measures Without Disrupting Authentic Users And Compromising Privacy

San Jose, Calif. – January 22, 2014 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime prevention solutions, continues its alignment with Data Privacy Day by announcing several strategies for businesses to change the economics of data breaches and identity theft through global trust intelligence.

The Identity Theft Resource Center recorded more than 600 data breaches in 2013, a 30 percent increase over the number of breaches in 2012. Target and Neiman Marcus are just two examples of companies that experienced significant breaches recently and more are expected to occur in 2014. Personally identifiable information exposed in past breaches includes credit card numbers, password hints, names, email addresses and other sensitive information.

To make matters worse, in the aftermath of data breaches, the solutions companies put in place to protect consumer identities are far from ideal. Businesses in the past have either implemented intrusive two-factor authentication solutions or offered customers credit monitoring.

“The current way in which companies prevent misuse of stolen identities is broken,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Many businesses that offer credit monitoring, two-factor authentication and other means of protecting personal information following a data breach end up causing additional damage to the customer relationship due to added charges, intrusive features or requesting more personal data. Instead we need solutions that make stolen identities worthless in the hands of cybercriminals.”

While two-factor authentication solutions such as SMS one-time passwords can provide an extra layer of protection, the reality is that they are expensive, can lead to abandonment and only protect the fraction of users that choose to adopt.

As an alternative to two-factor authentication, some businesses offer free trials of credit monitoring services, which expire and can require payment through automatic renewal. Instead of putting consumers at ease, these services can potentially cause backlash if customers perceive companies are profiting from their misfortune. In any case, credit monitoring doesn’t stop your identity being abused to hack accounts or commit payment fraud.

High profile breaches are a prime example of why businesses across industries – including retailers, financial institutions and others – should not rely on traditional identity verification services to screen users.

“Legacy identity verification solutions are largely a solution for a bygone era because they can prove that an identity exists, but not ownership of that identity,” said Faulkner. “The cat is out of the bag – cybercriminals and consumers are well aware that traditional verification and authentication solutions are no longer effective – and businesses need better strategies in place for customer identity protection.”

Instead of applying bandage-like solutions, ThreatMetrix recommends changing the economics of data breaches and identity theft by transparently rendering stolen data worthless with global trust intelligence comprising:

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leveraging trusted identity networks that use strict anonymization practices to share intelligence improves security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies to reduce challenge rates.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers to be treated unfairly when their identities or accounts are abused. Analyzing patterns of usage including locations, identities, devices and associations over time provides ‘spoof-proof’ identity screening without false positives – incorrectly labeling legitimate customers as fraudulent.

Passive Two-factor Authentication – Use cookieless device identification technologies in combination with rich contextual information such as account usage, location profiles and business risk to reduce unwanted and intrusive step-up authentications.

“ThreatMetrix uses anonymized device, identity and transaction data to determine whether or not customers are who they claim to be without needing to know their name,” said Faulkner.

To effectively protect customers, businesses should leverage a global data repository that can process transactions in real time and verify their authenticity against anonymized user profiles and past behavior. The ThreatMetrix™ Global Trust Intelligence Network (The Network) is the most comprehensive global repository of identity and fraud data and protects hundreds of millions of users and revenues each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts to differentiate between good and bad actors.

Data Privacy Day takes place on January 28 and is sponsored by the National Cyber Security Alliance. ThreatMetrix, a Data Privacy Day Champion, will continue its commitment to Data Privacy Day by publishing additional news on protecting consumer identities throughout the month of January.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

Let’s Do Something Different for Data Privacy Day

Posted on January 13th, 2014 by Dan Rampe

This coming January 28th marks the sixth annual Data Privacy Day (sponsored by the National Cyber Security Alliance). And looking at the course of business history since the first Data Privacy Day in 2009, we’re not getting any better at managing privacy.

2013 still leaves lingering bad memories, with news cycles about NSA spying and massive data breaches at Target, Adobe, Snapchat and others. It was so bad that Dictionary.com chose privacy as the word of the year for 2013.

If the definition of insanity is doing the same things over and over and expecting different results, then we’re officially insane. We need to break the cycle that’s eroding trust in the Internet and our financial identities.

The Same Old Practices Aren’t Working Anymore

When it comes to data privacy, most businesses are concerned with data loss prevention. They focus on protecting data at rest (stored within their systems and applications) and in motion (in transit on networks). They use an array of information security techniques to prevent data breaches. But attackers and criminals frequently find ways around these safeguards, sometimes through human engineering.

Once those protections fail, businesses have nothing left to do but to notify customers of the breach and do damage control. (Some businesses aren’t even very good at those steps.) Those efforts are like closing the stable door after the horse has bolted. The customer’s data is out there.

I think we need to make significant changes to how we think about and manage data privacy. And the very first change I propose is this:

Let’s focus as much on protecting identities in use as data at rest and in motion.

Protecting Customer Identities in Use

A data breach does its real damage when the stolen data is used for illicit purposes. If businesses commit to protecting their customer identities ‘in use’ as well as data at rest and in motion, they can go a long way towards making cybercrime less successful and restoring trust.

What does it mean to protect identities in use? It means that businesses take accountability for protecting customer data – even if a breach happened elsewhere. When someone logs in or makes a transaction using the customer’s identity, the business will make every effort to ensure that the customer’s identity is legitimate, not stolen.

This change requires new ways of authorizing logins and transactions. It springs from a broader sense of accountability for data privacy. And it will depend on global collaboration across businesses to share information about online identities and devices.

ThreatMetrix is helping businesses protect identities in use today through the concept of Persona IDs. We’re adding context-based authentication to online identities, and enabling location authorization to confirm the location of a device making a transaction. And we’ve built a massive global data repository in the ThreatMetrix™ Global Trust Intelligence Network.

I will share more thoughts on data privacy in upcoming posts. To read more about what ThreatMetrix is doing for Data Privacy Day, see our press release.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Shares Strategies for Businesses to Protect Identities in Use in Support of Data Privacy Day

Posted on January 13th, 2014 by Dan Rampe

Businesses Must Move Beyond Focusing Merely on Data at Rest and Protect Customer Identities Against Fraudulent Activity Following Data Breaches

San Jose, Calif. – January 13, 2014 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime solutions, kicks off its commitment to Data Privacy Day by announcing several strategies for businesses to protect identities in use following a data breach.

Every time an identity is used online, especially when a new account is opened, there’s a chance that identity has been stolen or compromised. However, many organizations simply focus on guarding data at rest – inactive data stored on an internal server – rather than understanding the implications of identities in use and taking action to protect them.

Following a data breach, a significant implication is that customer and corporate identities are used without an individual or company’s knowledge. A key requirement for data protection is for businesses to assure personally identifiable information is screened against unauthorized use prior to being processed. Every year, ThreatMetrix protects more than four billion transactions and identities in use and has several strategies for businesses across industries to prevent spoofed or stolen identities.

Key strategies that businesses can implement to protect identities in use include:

Device Identification – Using a visitor’s browser and machine attributes as a passive form of two-factor authentication reduces the effectiveness of cybercriminals reusing stolen credentials from a new or known fraudulent device. In addition, advanced proxy piercing and virtual private network (VPN) detection capabilities eliminate IP spoofing, the most common attack vector for identity thieves.

Malware Detection – Frictionless malware detection can analyze risk on a customer’s behalf, giving businesses the option to prevent access to sensitive data if there is a known Trojan on the customer’s device.

Behavior-Based Identity Proofing – Analyzing patterns of usage including locations, identities, devices and associations over time provides ‘spoof-proof’ identity screening.

Anonymized Trust Federation – Passively leveraging prior authentication and verification information across departments and organizations reduces customer friction and authentication costs.

“Cybersecurity strategies often prioritize minimizing a company’s monetary losses following a data breach over protecting customer identities and data obtained by cybercriminals,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Personal identities, both consumer and workforce, account for a large amount of identities in use, and organizations and service providers must protect individual identities by investing in frictionless customer protection and fraud prevention technologies. Examples of fraudulent activity may include using a spoofed IP address to hide online location, using work-at-home scams for stolen goods deliveries or using bots for brute force attacks against customer account passwords.”

Customer data contains sensitive information – including banking credentials, email passwords, medical information and social security numbers. Once this data is exposed, it is at risk for fraudulent activity by cybercriminals or can be sold via online crime rings. To prevent such risks, businesses need to understand how stolen identities are used against consumers and companies – including fraudulent credit card transactions, social media logins and banking logins.

“Data breaches are a key focus for cybersecurity providers, but many companies don’t consider how stolen identities are eventually used against their customers for cybercrime,” said Faulkner. “ThreatMetrix is uniquely positioned to help businesses measure and understand how identities are used online, especially regarding the risks and implications of exposed customer identities following a data breach or cyber attack.”

One of the most effective ways businesses can protect online data is through an anonymized global data repository, such as the ThreatMetrix™ Global Trust Intelligence Network (The Network), to differentiate between authentic and suspicious transactions and online activity. The Network is the most comprehensive global repository of identity and fraud data, protecting hundreds of millions of users and data points each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts for validity.

By collaborating on a global level through a shared network, businesses can effectively build trust on the Internet by mitigating cybercrime risks. Given the severity of today’s high profile data breaches, no business can afford to stand alone in the fight against cybercrime and protecting customer identities.

Data Privacy Day, sponsored by the National Cyber Security Alliance, takes place annually on January 28, and encourages businesses and consumers to make protecting privacy and data a greater priority. Due to its alignment with online data protection and cybercrime prevention, ThreatMetrix was named a Data Privacy Day Champion by the National Cyber Security Alliance, which educates and empowers a digital society to use the Internet safely at home, work and school. ThreatMetrix will publish additional news surrounding data privacy throughout the month of January.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.
