What’s Happening with Mobile Device Payments Is Criminal

Posted on February 23rd, 2015 by Dan Rampe


Mobile Device Fraud Makes Up a Disproportionate Share of the $6 Billion Fraud Costs Merchants and Card Issuers in the U.S. Each Year

Forrester Research says mobile payments accounted for $52 billion worth of U.S. transactions in 2014, up from $32 billion in 2013. And this year that number is expected to hit $67 billion.

A LexisNexis survey of 1,100 companies found that while mobile payments account for 14 percent of transactions among merchants, they make up 21 percent of fraud cases. In her story on bloomberg.com, Olga Kharif details how cyberthieves have continued to shift their focus to mobile devices. The following has been excerpted from her piece and edited to fit our format. You may find her complete article by clicking on this link.

More mobile fraud than on PCs

“We certainly see a surge in mobile payment attacks,” says Tomer Barel, chief risk officer at PayPal, who says his company deals with more cases of fraud on mobile devices than on PCs. “There are many more avenues for fraudsters to try.”

Every dollar of mobile fraud costs merchants $3.34

Each dollar worth of misbegotten mobile payments winds up costing a fooled merchant $3.34. That’s slightly more than the cost of a fraudulent credit card swipe or mail order, 27 percent more than a similar payment made from a PC.

Merchants aren’t equipped to handle mobile fraud

Along with the cost of lost merchandise, the total includes investigation of the fraud. That’s tougher on phones than on PCs, because many businesses aren’t equipped to track mobile devices’ unique identifiers such as IP addresses. Stores often don’t catch when a card issued in Los Angeles is used for a mobile order from Mexico, says Aaron Press, director of e-commerce and payments at LexisNexis Risk Solutions. “It’s kind of a wake-up call,” he says.

Lower-tech fraud

Some mobile fraud remains low-tech. Last year, the Better Business Bureau warned consumers about a scam in which people posted absurdly cheap offers for used cars online, then tricked interested buyers into wiring funds through a phony version of Google Wallet.

Higher-tech fraud

Other frauds are more technical, such as the hackers who found a bug in a Chilean public transportation app that let them top off their travel credits for free.

The weak link

Like the brief flurry of duplicate charges that accompanied Apple Pay’s debut in October, such glitches highlight the vulnerability inherent in a system that requires banks, card networks, and software makers to keep pace with thieves. “If you don’t make the proper investment, they’ll be attracted to the weakest link,” says PayPal’s Barel.

Biometrics may stop some cybercriminals

Smartphone operating systems, at least, are tougher to infiltrate than those of PCs. Phones with biometric sensors can also make a person’s identity tougher to steal. Mobile payment service LoopPay says it’s adding support for biometric features such as Apple’s fingerprint reader, despite hackers’ claims that they can fool the iPhone’s sensor. Rival CurrentC says it’s considering similar measures….

“There’s no perfect system,” says Will Graylin, chief executive officer of LoopPay. “It’s always a game of cat and mouse.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Named to OnCloud’s “Top 100” and CEO Tapped as Keynote for OnCloud 2015 Summit

Posted on February 17th, 2015 by Dan Rampe


A Panelist at the Annual AlwaysOn Summit, ThreatMetrix CEO Reed Taussig Will Deliver His Keynote Speech on Security in the Cloud

AlwaysOn’s OnCloud 2015 Summit will take place at the College of San Mateo (San Mateo, CA) on February 26, 2015. The Summit brings together “the best and the brightest” including top entrepreneurs, investors, and corporate players in the business-to-business application and cloud infrastructure space to discuss and debate the future of cloud technology.

Reed Taussig’s keynote

Titled “Global Shared Intelligence: The Best Solution to Combat Cybercrime,” Taussig’s keynote presentation will take place at 11:30 a.m. PST. Over the course of his speech, he’ll be providing an overview of the current cybercrime landscape.

Using examples from ThreatMetrix’s TrustDefender Cybercrime Protection Platform, Taussig will show how ThreatMetrix discovered and defeated organized crime rings by leveraging the power of the ThreatMetrix Global Trust Intelligence Network (The Network).

A distinguished panel

Taussig will also be participating in a panel alongside host Aditya Singh, partner at Foundation Capital and co-panelist Barmak Meftah, president and CEO at AlienVault. The subject of the discussion will be “The New Frontier in Cloud Infrastructure” and will take place at 11:45 a.m. PST.

ThreatMetrix’s CEO on global shared intelligence

“The global cybercrime landscape is constantly evolving to include new, more sophisticated threats and the only way to combat these threats is through collective intelligence,” said Taussig. “This isn’t a threat any business or consumer can fight alone. It requires a collective network that leverages data from across a global information base. I’m honored to share what ThreatMetrix has accomplished in the fight against cybercrime by leveraging global shared intelligence with this year’s OnCloud attendees. The OnCloud summit hosts key industry players who can help to make shared intelligence an industry standard.”

ThreatMetrix on OnCloud’s Top 100 private companies list

The annual list honors companies in the B2B applications, management tools, security and infrastructure sectors that are rising to the challenge of bringing the world’s businesses and enterprises into the cloud. This year’s OnCloud 100 companies were selected based on a set of five criteria: innovation, market potential, commercialization, stakeholder value and media buzz. A full list of the OnCloud Top 100 winners is available here.

Validation of our continued innovation

“The OnCloud Top 100 honors companies that take big data and create useful, actionable intelligence from it to make high-powered decisions,” said Taussig. “In the case of ThreatMetrix and The Network, such decisions have the power to stop cybercriminals in real time. ThreatMetrix leverages data from the largest shared intelligence network available to make an immediate and educated decision to differentiate between authentic and fraudulent transactions. Being named to OnCloud’s Top 100 private companies list serves as validation of our continued innovation in advanced fraud prevention and context-based authentication.”

For more information on the OnCloud 2015 summit, click here.

ThreatMetrix has garnered a host of awards. Following are some of the most recent:

  • The Channel Company’s CRN 100 Coolest Cloud Computing Vendors of 2015
  • Gold Stevie in New Product or Service of the Year – Security Solution category and a Silver in the Most Innovative Tech Company of the Year – Computer Software category.
  • Gold for “Innovative Company of the Year” and for “Integrated Security (Software) Innovation” at the 2014 Golden Bridge Business Awards
  • CIOReview100 for the “100 Most Promising Technology Companies in the U.S.”
  • Best in Biz Awards 2014 International Silver for “Enterprise Product of the Year – Software”
  • The AlwaysOn Global 250 Top Private Companies in the “B2B Cloud and Infrastructure” category
  • Lead411’s 2014 “Hottest Companies in Silicon Valley” list
  • Products Guide (NPG) Hot Companies and Best Product Award Winner for the “Best Products and Services – Information Security and Risk Management” category and also in the “Best Products and Services – Security Software” category.
  • Judges Choice for Best Overall Fraud/Security Solution at the 2014 CardNotPresent.com (CNP) Awards for the ThreatMetrix TrustDefender Cybercrime Protection Platform
  • A 2014 Global Excellence Award for Most Innovative Company of the Year (Security)
  • 2014 Cyber Defense Magazine Award Winner in 2 Categories: Most Innovative Anti-Malware Appliances Solution & Best Product Network Access Control Solution


If Imitation Is the Sincerest Form of Flattery, Facebook Sure Did Flatter Us.

Posted on February 13th, 2015 by Dan Rampe


Facebook Launches ThreatExchange for Security Pros to Exchange Info about Cyberthreats

Does the concept of exchanging information about cyberthreats to make everyone safer sound somehow vaguely familiar? You know, like you’ve heard it somewhere before?

Well, how about the name “ThreatExchange?” That remind you of another company name? Like ThreatMetrix® perhaps?

Okay, it’s possible to chalk up Facebook’s latest “idea” to coincidence. Something that looks like a duck, waddles like a duck and quacks like a duck could turn out to be an ugly swan with a sprained ankle and deviated septum. Then, of course, there’s another explanation. It could be Facebook is validating the extremely successful concept pioneered years ago by ThreatMetrix.

In a recent article that appeared in Infosecurity, ThreatMetrix Chief Products Officer Alisdair Faulkner issued this cautionary note: “Shared threat intelligence is essential for stopping the bad guys, you just need to be careful you don’t stop customers as well. Reputation around shared identifiers like IP addresses can be a double edged sword.”

In his piece on mashable.com Rex Santus discusses Facebook’s launch. The following has been excerpted from his piece and edited to fit our format. You may find the full article by clicking on this link.

What a concept!

Doing what it does best, Facebook has created a platform — or a mini-social network, if you will — but this time for cybersecurity specialists. The concept is that researchers and professionals can learn from each other, and help keep everyone’s systems safer.

Been there. Done that.

“Our goal is that organizations anywhere will be able to use ThreatExchange to share threat information more easily, learn from each other’s discoveries, and make their own systems safer,” Mark Hammell, Facebook’s manager of threat infrastructure, wrote in a blog post announcing the project.

Déjà vu “all over again”

Security threats aren’t typically relegated to just one target, and the lack of communication between malware targets ends badly for everyone, according to ThreatExchange. So far, some pretty big-name Internet players have joined Facebook on ThreatExchange, including Bitly, Dropbox, Pinterest, Tumblr, Twitter and Yahoo. The platform expects to attract more partners as time goes on.

The new platform builds on Facebook’s ThreatData, a framework that stores cyberthreat information (such as bad URLs) for analysis by security pros.

A year ago you say?

The idea for ThreatExchange came about a year ago, when Facebook and others were facing a malware spam attack. The social network’s security specialists “quickly learned that sharing with one another was key to beating” the problem, Hammell wrote.

Share and share alike. Not exactly

To quell any fears that potential partners may have about sharing too much information publicly, Facebook said participants can tweak settings to pick and choose with whom they share their information. For example, a company may only want to share sensitive data with another partner that is experiencing the same attack.

An original thought that’s been heard before

“That’s the beauty of working together on security,” Hammell wrote. “When one company gets stronger, so do the rest of us.”


Happy Data Privacy Day. Keep It Under Your Hat.

Posted on January 26th, 2015 by Dan Rampe


In Conjunction with Data Privacy Day, ThreatMetrix Offers Strategies to Help Business Protect Privacy, Secure Data and Build Trust on the Internet.

Little more than a week after the President’s State of the Union call for vastly improved cybersecurity and privacy measures comes Data Privacy Day.

Coordinated and led by the National Cyber Security Alliance (NCSA), Data Privacy Day is held each year on January 28th to raise international awareness and empower individuals and businesses to better protect their privacy. This year’s theme is “Respecting Privacy, Safeguarding Data and Enabling Trust.”

ThreatMetrix Data Privacy Day Champion

For its third consecutive year, ThreatMetrix has signed on as a Data Privacy Day Champion, supporting the ideal that individuals, organizations, business and government all share the responsibility to be aware of data privacy challenges.

Cybersecurity on both Democratic and Republican agendas

The State of the Union address made it clear that cybersecurity is an urgent and growing concern for government, business, consumers, students — everyone. And, it is at least one thing that both parties agree on.

Privacy Bill of Rights

The proposed Privacy Bill of Rights would let consumers decide what personal data could be collected by companies and how the data would be used. Under the proposed legislation, consumers could prohibit companies that collect data for one purpose from using it for another. These changes have the potential to significantly impact the way businesses process customer data.

Alisdair Faulkner, ThreatMetrix’s chief products officer

“The only way we can build trust on the Internet is through better control of the consumer data processed online. Obama’s proposed Privacy Bill of Rights will raise the bar for privacy protections, keeping all companies no matter where they reside to the same standards. It may seem backwards, but to build trust, businesses and government entities need to increase data sharing while ensuring privacy. This means implementing security solutions that share data in real time, but preserve customer privacy through encryption and tokenization.”

Businesses may have the will, but no way to ensure privacy and security

Many businesses are well-intentioned, but they lack the resources or knowledge to protect their customers’ privacy and data. And, through their use of stolen identities, compromised devices, and masked IP addresses, cybercriminals are often virtually impossible to locate or stop without special skill and resources.

Alisdair Faulkner

“All businesses, regardless of industry, need efficient, automated processes for fraud detection and customer notification,” said Faulkner. “Any company that uses some form of online user authentication is now going to be held accountable for at least a minimal level of protecting customer privacy. The proposed Privacy Bill of Rights requires customers be notified by businesses about a data breach within 30 days, but cybercriminals can take data in the blink of an eye. Thirty days gives cybercriminals an eternity to monetize that information. Ideally, businesses need to be able to measure unauthorized access in real time, address the problem and notify customers immediately.”

ThreatMetrix strategies businesses can implement for combating cybercrime while building trust online:

  • Digital Identity Proofing – Traditional identity verification technologies, e.g. challenge questions, rely on personal information that has already been breached and is in the hands of the criminals they are trying to vet. Businesses need a different approach. By analyzing global patterns of identity usage, including locations, devices, accounts, transactions and associations over time, it’s possible to factor in all aspects of a user’s behavior without putting artificial speed-bumps in his/her path.
  • Secure Anonymized Shared Intelligence – You have to have a network to fight a network. Additionally, you need “privacy by design” built into the ecosystem. Intelligence networks must anonymize and secure data not just from outside attacks, but also from internal theft and social engineering attacks. Legal restrictions, such as those proposed by the President, will fail to protect consumer data if not backed by solid technology and processes.
  • Endpoint Threat Intelligence – To differentiate between trusted users and cybercriminals, businesses must consider the context of every access attempt and transaction from each user. Whether initiated by a customer or an employee, businesses have to establish the credibility of the transaction in real time based on the full context of the user’s identity, behavior over time and device threats. These threats include Man-in-the-Middle and Man-in-the-Browser attacks, account compromises, bots, proxies, and location and transaction anomaly screening to determine the level of authentication and authorization required to process the request.


ThreatMetrix Shares Strategies for Businesses to Protect Privacy, Safeguard Data and Build Trust on the Internet in Alignment with Data Privacy Day

Posted on January 26th, 2015 by Dan Rampe


Following President Obama’s State of the Union Address, Businesses Must Increase Data Sharing to Protect Consumer Privacy While Combatting Fraud

San Jose, CA – January 26, 2015 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced its alignment with Data Privacy Day by outlining strategies for businesses to build trust on the Internet through better cybersecurity measures without compromising consumer privacy.

Coordinated and led by the National Cyber Security Alliance (NCSA), Data Privacy Day is held each year on January 28 to raise international awareness and empower individuals and businesses to better protect their privacy, centered on the theme of “Respecting Privacy, Safeguarding Data and Enabling Trust.” For its third consecutive year, ThreatMetrix has signed on as a Data Privacy Day Champion, supporting the ideal that individuals, organizations, business and government all share the responsibility to be aware of data privacy challenges.

During President Obama’s State of the Union address last week, it was clear that cybersecurity is an urgent and growing concern among the U.S. government and its citizens. The proposed Privacy Bill of Rights would allow consumers to decide what pieces of their personal data are collected by companies and decide how that data is used. The legislation would also enable consumers to prohibit companies that collect their data for one purpose from using it for another. These changes have the potential to significantly impact the way businesses process customer data.

“The only way we can build trust on the Internet is through better control of the consumer data processed online,” said Alisdair Faulkner, chief products officer at ThreatMetrix. “Obama’s proposed Privacy Bill of Rights will raise the bar for privacy protection, keeping all companies no matter where they reside to the same standards. It may seem backwards, but to build trust, businesses and government entities need to increase data sharing while ensuring privacy. This means implementing security solutions that share data in real time, but preserve customer privacy through encryption and tokenization.”

Many businesses lack the resources or knowledge to fulfill their responsibility of protecting customers’ privacy and data. Cybercriminals are often virtually impossible to locate due to the use of stolen identities, compromised devices, and masked IP addresses, and many businesses simply don’t know how to stop those networks of fraudsters.

“All businesses, regardless of industry, need efficient, automated processes for fraud detection and customer notification,” said Faulkner. “Any company that uses some form of online user authentication is now going to be held accountable for at least a minimal level of protecting customer privacy. The proposed Privacy Bill of Rights requires customers be notified by businesses about a data breach within 30 days, but cybercriminals can take data in the blink of an eye. Thirty days gives cybercriminals an eternity to monetize that information. Ideally, businesses need to be able to measure unauthorized access in real time, address the problem and notify customers immediately.”

To help combat cybercrime while maintaining customer privacy to build trust online, ThreatMetrix has outlined several strategies for businesses to implement:

  • Digital Identity Proofing – Traditional identity verification technologies such as challenge questions rely on personal information that has already been breached and is in the hands of the cybercriminals. Businesses need to take a different approach and analyze global patterns of identity usage, including locations, devices, accounts, transactions and associations over time to consider all aspects of a user’s behavior without putting artificial speed bumps in the way of the customer.
  • Secure Anonymized Shared Intelligence – Businesses need a network to fight a network, but they also need “privacy by design.” Intelligence networks need to anonymize and secure data not only against outside attacks but also internal theft and social engineering attacks. Legal restrictions such as those proposed by Obama will fail to protect consumer data if not backed by advanced technology and processes.
  • Endpoint Threat Intelligence – To differentiate between trusted users and cybercriminals, businesses need to consider the context of every access attempt and transaction from each user. Whether initiated by a customer or an employee, businesses need to establish the credibility of the transaction in real time based on the full context of the user’s identity, behavior over time and device threats. These threats include man-in-the-middle and man-in-the-browser attacks, account compromise, bots, proxies, and location and transaction anomaly screening to determine the level of authentication and authorization required to process the request.

The most effective way for businesses to protect against cybercrime is through information sharing, leveraging an anonymized global data repository, such as the ThreatMetrix® Global Trust Intelligence Network (The Network), which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites and mobile applications.


© 2015 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312-241-1178
Email: beth.kempton@walkersands.com

A Civil War Between the States and Federal Government Over One Law for All Breach Notifications

Posted on February 19th, 2014 by Dan Rampe


Unlike other recent Congressional fights, the dispute over a single federal law on how customers should be notified about breaches looks to be less rancorous and more civil. That’s because privacy concerns cut across party and ideological lines, often uniting staunch conservative Republicans with civil libertarian Democrats.

The renewed interest in a federal breach notification law covering all fifty states comes on the heels of the Target, Neiman Marcus and Michaels breaches. And while the same vitriol that was apparent in other Congressional battles may not be present, there is a lot to be considered, including how a federal law would affect state regulations that are already in force.

In her Reuters piece, tech/cyber policy reporter Alina Selyukh writes:

Although federal laws already regulate how specific industries, such as banks and hospitals, handle compromised data security, certain other kinds of companies, including retailers, face no such uniform standard.

Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach.

With that, negotiations over fitting state standards under an umbrella federal law face a tug of war between companies, consumer advocates and state authorities.

Large companies working across state lines argue that state laws present a patchwork of regulations and compliance poses a challenge. Companies often issue one nationwide notice to consumers with state-specific supplements at the end. “Certainly, one standard is easier to follow than 47,” John Mulligan, Target’s chief financial officer, told lawmakers…. The No. 3 U.S. retailer has stores in every U.S. state except Vermont.

The National Retail Federation in a January letter to Congress also restated its decade-old position in favor of a nationwide standard that would pre-empt state rules. “A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live.”

Some state attorneys general worry above all that federal standards would dilute their power to pursue violators….

“There are 47 state standards, there’s no reason to add a 48th,” said [Representative Lee] Terry, the most prominent Republican leading a legislative effort at this point.

Consumer advocates say that the companies’ call for a single law masks the goal of having a weaker federal standard that would trump stricter laws on the books in states like California and Massachusetts.

“None of the federal proposals are as strong as the strongest state laws and that’s wrong,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group. “I don’t think we need (a federal law) that’s weaker than California’s.”

California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, it requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen.

Though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.

Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records.

Alabama, Kentucky, New Mexico and South Dakota do not have their own data breach notification laws.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

A New Model for Building Trust on the Internet

Posted on January 28th, 2014 by Dan Rampe

The beginning of a new year is often a time of reflection. At ThreatMetrix™, we have a lot to reflect on and look forward to. ThreatMetrix turns seven this year. In Internet- and dog-years alike, that’s a long time.

When we started ThreatMetrix, the online world was a simpler place. While we were developing our advanced device identification technologies in 2007, with proxy piercing and global device identification, Apple announced the iPhone. Amazon launched the Kindle in November of 2007. Those devices and others changed the way that we connect with the world.

We’ve worked hard to keep pace with those changes:

  • Since one size doesn’t fit all, we added customer-configurable rules to our risk analysis.
  • As cybercriminals got better at disguising their identities, we developed ThreatMetrix ExactID™ and ThreatMetrix SmartID™ technologies to look beyond the devices to the people using them.
  • Recognizing that legitimate user devices can be compromised by malware, we became the first advanced device identification technology to integrate malware detection.
  • Because it’s just as important for businesses to allow legitimate customers or employees access to applications as to keep out the false ones, we created ThreatMetrix™ Persona ID and ThreatMetrix™ Trust Tags technologies to help streamline access for trusted visitors.

The Trust Trifecta: Technologies, Processes and Data

Advanced device identification and malware detection were just the first phase in the evolution of the ThreatMetrix solution set. Although we started out as a first line of defense in the fight against fraud, in working with our customers we dove into the broader issues of online trust. In doing so, we have expanded our innovations to include processes for configuring and validating business policies and a global data set of shared intelligence.

For example, the Persona ID technology addresses the broader issue of tracking the behavior of a person online – whether or not you know exactly who that person is. The ThreatMetrix Persona ID approach is both passive and anonymous from the user’s perspective. This type of analysis is only possible by tracking and analyzing online behavior across sites – something we do through the ThreatMetrix™ Global Trust Intelligence Network.

So in addition to innovative technologies, we now have a core set of processes, a massive data set generated and refreshed daily by a global network, and comprehensive data analysis from that data. This combination of technologies, processes and data significantly broadens the scope of the ThreatMetrix solution in the online world. We can address broader issues of risk assessment and identity authentication.

ThreatMetrix Today: Building Trust on the Internet

Which brings me to where the company is today, in early 2014. We’ve changed our tagline to reflect our broader purpose: Building Trust on the Internet. We’re building and growing our ThreatMetrix™ Global Trust Intelligence Network, which monitors and scores more than 500 million transactions per month. Our Persona ID and Trust Tag technologies, enhanced with our global network and data, enable a new kind of passive, context-based authentication for all kinds of online sites and applications. And we’re working not only with online banks and retailers, but also enterprises and government agencies to help streamline access for legitimate users and keep out those who don’t belong.

No one can see what twists and turns the Internet will take in the coming years – but building a foundation of trust with employees and customers is an important first step. And that’s where we’re putting all of our efforts from this point forward.

Balancing Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe

Online security and privacy have a love/hate relationship. We need security measures to protect our online privacy. However, complete online privacy (anonymity) can defeat security measures by giving cybercriminals an undetected place to operate. And we often sacrifice data privacy in the name of security – the NSA Prism project being one visible example.

The strange relationship between privacy and security is perfectly illustrated in the story of Tor, a software program for online anonymity. According to last week’s BusinessWeek article on Tor, much of its original funding came from the Department of Defense. Now the NSA is spending a huge amount of time and energy trying to defeat Tor in the name of security. Security and privacy would appear to be on opposite teams.

I don’t think that has to be true. It’s possible to respect the online privacy of your customers while protecting the security of their data and your applications. Striking the right balance is something that every business has to do for its specific customer needs and use cases.

In honor of Data Privacy Day, here are some thoughts on how businesses can and should balance privacy and security.

Stop Asking People to Give Up Privacy for Security

As I wrote in a previous blog, be wary of asking people for more personal information in the name of giving them better security. The more of their personal information you hold, the greater your obligation to guard that data – and the more attractive a target you become for identity thieves. Even credit bureaus and identity data aggregators have been breached and hacked, so even outsourcing data collection to third parties is problematic.

Consider Context When it Comes to Privacy

People have many ways of trying to operate anonymously online, from disguising IP addresses or true location to cookie wiping. Many people want to escape the scrutiny of marketers tracking their movements. Businesses need to look for indicators of people obscuring their real identity in those situations that represent a risk of identity takeover.

Let’s say someone is disguising their IP address online – should that be a concern? It depends on the business and online context. When connecting to a social network, someone might legitimately want to disguise their IP address or use a VPN connection. For example, they might be traveling in a country that bans the network. The social network might detect the activity but not deny access unless there were other behavioral factors.

However, if someone tries to create a credit card account while disguising their IP or geolocation, that should be a red flag. The context of the transaction or online interaction is a critical factor.

Honor the Customer’s Trust

Ultimately, striking the right balance of security and privacy comes down to honoring the customer’s trust.

• Don’t collect personally identifiable information unless you need it. Use behavior-based approaches and data anonymization to avoid the need to share data about your customers’ personal lives with third parties.

• Whatever information you do gather for security reasons, you should only use for protecting the customer identity and data. Do not share it or sell it for marketing purposes. Partner with companies that are in the business of protecting trust, not monetizing identities.

• Protect customer identity in use – during the point of a transaction or at the moment of login. As I wrote in the blog Let’s Do Something Different for Data Privacy Day, online businesses need to be accountable for protecting the customer identity when it is used on their site – even if the identity was stolen elsewhere. By preventing account takeover you can maintain customer trust.

For more information, see the press release, “ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security.”

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe

Businesses Can Protect Customer Identities While Enabling Confidentiality on the Internet Through Anonymized Trusted Identity Networks

San Jose, Calif. – January 28, 2014 – ThreatMetrix™, the fastest-growing provider of context-based authentication and advanced Web fraud solutions, commemorates Data Privacy Day by announcing strategies for businesses to protect consumer identities without compromising privacy.

In the age of big data, enterprises are collecting and sharing unprecedented amounts of customer information, many times unintentionally. When a single employee can steal up to 40 percent of a country’s credit data on a USB stick, and identity thieves can illegally purchase credit data, better practices are urgently needed for protecting access to online information and identities. The flip side, however, is that in order to protect against data breaches and malware, big data approaches to cybersecurity are essential for total situational awareness.

“Often, bad things happen to good people and sometimes good people – even a company’s own employees – go bad and compromise online security and privacy,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Therefore, enterprises need to combine big data techniques with a new approach to protecting privacy and unlawful access to customer and employee accounts.”

At the heart of the problem is the way trust is evaluated online. In the offline world, trust is situational, continually evaluated over time based on observed behavior and informed by reputation. In the online world, however, the vast majority of data and commerce is protected by static checks such as passwords, payment information or supposedly private “out-of-wallet” information. The problem is exacerbated by the lack of privacy-protecting intelligence sharing, meaning companies either operate in a silo, or customers must trust their identity information will not be abused by marketing organizations or breached by hackers.

“There is a fine line between offering customers comprehensive security and invading their privacy,” said Faulkner. “Finding the balance is essential to effectively protecting sensitive data while maintaining trust and preventing customer identities from falling into the hands of cybercriminals. With the advent of controversies surrounding government spying programs, the tightrope between privacy and security has become even narrower.”

Added complexity lies in differentiating between cybercriminals, who are looking for anonymity to hide their fraudulent activity, and consumers who simply want privacy. For example, a person using an anonymized IP address to read political news is one thing; it’s a completely different matter if the user is accessing a Tor network while applying for a credit card. The expectations for privacy by a legitimate consumer and what is viewed by a business as acceptable behavior are very different based on the context of the action taken.

Key strategies ThreatMetrix recommends businesses implement to achieve the balance between privacy and security include:

CEO-Sponsored Trust Protection Taskforce – It’s essential that the CEO takes a leadership stand in framing the privacy and security tightrope as a competitive opportunity to build brand trust and remove obstacles to increasing revenue. The often-competing requirements of security, privacy and marketing need to come together under a coherent strategy that moves the internal conversation beyond compliance to protection.

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leverage trusted identity networks that use strict anonymization practices to share risk intelligence and improve security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies using big data techniques without falling afoul of privacy laws and consumer trust.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers and employees to be treated unfairly when their identities or accounts are abused. Analyze anonymized global patterns of identity usage including locations, devices, accounts, transactions and associations over time to provide ‘spoof-proof’ identity screening without false positives – incorrectly labeling legitimate users as fraudulent.

Context-Based Authentication – “Context is King” when it comes to differentiating between trusted users and cybercriminals. Businesses must dynamically establish the credibility of each and every access attempt and transaction, regardless of whether initiated by a customer or employee, based on business risk of the action and the full context of identity and device threats. These threats include Man-in-the-Middle and Man-in-the-Browser attacks, account compromise, bots, proxies, and location and transaction anomaly screening to determine the level of authentication and authorization required to process the request.

“At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft,” said Faulkner. “Otherwise, government agencies will be forced to step in. It’s crucial that privacy and security professionals move to frictionless solutions that can tell whether a user is who they say they are without needing to know their name. These standards can be used as a balancing pole for chief security officers and chief privacy officers walking the tightrope between privacy and security.”

ThreatMetrix uses an anonymized global data repository, the ThreatMetrix™ Global Trust Intelligence Network (The Network), to evaluate logins, payments, new account registrations and remote access attempts for validity in real time. The most comprehensive global repository of anonymized identity and trust data, The Network uses real-time analytics to protect hundreds of millions of accounts and identities each day from cybercrime.

Through sharing strategies to balance between privacy and security, ThreatMetrix continues its commitment to Data Privacy Day, an annual event sponsored by the National Cyber Security Alliance that encourages businesses and consumers to protect their online privacy and control their digital footprint. ThreatMetrix was named a Data Privacy Day Champion for its ongoing efforts to prevent cybercrime and preserve personal data on the Internet.


© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

 

Three Reasons We Need Behavior-Based Identity Proofing Now

Posted on January 22nd, 2014 by Dan Rampe

My debit card was compromised a couple of years ago. My bank’s response? In addition to cancelling my card while I was on holiday, I got a call on my personal mobile phone with an offer to upsell me “free” identity services that converted to a paid subscription – monetizing the fact that my identity was compromised.

I share this story because it nicely illustrates three huge problems with the current state of online identity protection and privacy:

1. The consumer bears the burden of protecting privacy.

2. The brand relationship is damaged both through breaches and the currently accepted measures to secure identity.

3. The “fix” of linking online identity to physical identity doesn’t increase my privacy – and may put it at greater risk.

Let’s look at each problem in isolation.

The Consumer Suffers

When there’s a data breach, the consumer has to take steps to repair the damage – reversing charges on their cards, changing passwords across accounts, or even signing up for identity protection services.

Some businesses are offering their customers two-factor authentication services, which can add an extra layer of security but also create an additional burden at the point of login. If I want better security, I’m also in a Catch-22 position of needing to hand over even more personal data.

Brands Suffer from Erosion of Trust

My bank’s upsell offer did serious damage to my relationship with that institution. They had already lost my trust, then I felt they tried to capitalize on it. Is credit monitoring helpful? Sure, but even good intentions can sour brand relationships if not executed correctly, and it still doesn’t protect my identity from being re-used outside of the credit application process.

The problem of trust is not just limited to those businesses that suffer breaches. It’s a challenge for every business that interacts with customers online. If a criminal registers an account or buys a product from your business using stolen credentials, the person who owns those credentials will forever associate you and your brand with that breach of trust – even if the data breach happened somewhere else. Why? It’s hard for a consumer to differentiate between a business with insufficient fraud detection capabilities and one they think has somehow tricked them or their family to purchase or subscribe to a service online.

Our Privacy Continues to Decline

Worse, the traditional measures that businesses offer to increase the security of my online identity don’t protect my privacy well.

Identity theft protection plans offered by banks tap into services like credit bureaus. These bureaus aggregate data about my online identity with my real-world identity and sell it as a service to legitimate businesses. The problem is that these identity aggregation points are themselves targets for hackers and insider threats. According to Brian Krebs’s blog, at least one credit bureau has unintentionally sold data to an identity theft service, while another ID theft service has hacked into multiple data brokers and aggregators. Recently, nearly 40% of South Koreans were exposed due to insider theft.

Anonymized Behavior-based Identification Solves These Problems

Traditional ways for proofing online identity often rely on services that aggregate identity information and connect online identity with our real-world identities. We need a new approach – and I think behavioral-based identity proofing is the right way to go.

At ThreatMetrix™, we enable context-based security for frictionless multi-factor authentication – it entails determining someone’s online persona by linking anonymized credentials to related identities, devices, behaviors and associations based on a dynamic matrix of attributes. In the same way that “actions speak louder than words” your online identity (a Persona ID) is created and verified through global online behavior and not simply reliant on knowledge of your offline identity. Unlike identity bureaus that are in the business of monetizing your identity, ThreatMetrix is only in the business of protecting trust so our algorithms don’t need to know your actual name to know whether you are who you say you are.

Best of all, it takes the burden off the customer and helps businesses restore trust in online services without introducing friction.

For details on this new approach to securing online identity, see this week’s press release on frictionless identity protection.
