As UK Fraud Continues to Rise, a New Way to Stop the Bad Guys

Posted on April 1st, 2015 by Dan Rampe

Standard-Header-Tony

The latest official UK fraud figures for 2014 are out and once again it doesn’t make for particularly pleasant reading. The most obvious ongoing trend they point to is the unfettered growth of card not present and online banking fraud – the latter soaring a whopping 48% to reach losses in excess of £60 million. With the bad guys continuing to go after the lowest hanging fruit, businesses need to assume that traditional identity data has already largely been compromised.

The fight back must begin with new anti-fraud systems using passive multi-factor authentication built on shared global intelligence systems.

Another bad year?

The stats from Financial Fraud Action (FFA) UK paint the picture of an industry ill-equipped to cope with an agile, well-resourced and determined cyber foe. It’s an enemy keen to exploit under-powered fraud prevention systems and gaps in consumer knowledge about cyber threats, all the while operating under a cloak of anonymity.

Thanks to the success of Chip and PIN on the high street, the lowest hanging fruit in the UK most definitely remains card not present (CNP) fraud and online banking – where stolen credentials can be used to fraudulently purchase items, and increasingly to create and take over customer accounts. As a result, we see e-commerce fraud up 14% year-on-year to reach £217m, accounting for the majority of CNP fraud. The aforementioned large rise in online banking losses, meanwhile, equates to over 53,000 separate incidents last year – and that’s just the reported ones.

FFA UK advised consumers to protect themselves from phishing and information-stealing malware by regularly updating their security software; to be suspicious of unsolicited emails; and to only shop on secure websites. Businesses were urged to enrol in 3D Secure – which offers an extra layer of password-based authentication for customers, designed to reduce fraud. FFA UK also counselled firms to be wary of high value or unusual orders, and to sign up to the Address Verification Service – which matches billing address to delivery address.

A new way forward

This isn’t bad advice, but we’re living in an age where huge amounts of identity information are bought and sold on underground markets every day. Large scale data breaches and individual malware attacks on consumers have exposed huge amounts of data which the bad guys can use to launch follow-up fraud attempts. And with the internet to protect them they largely don’t have to worry about getting caught.

So how should firms respond?

Most don’t have the resources or expertise in-house to tackle fraud on a large scale, so it’s all about finding a specialist provider who can offer industry-leading capabilities. We believe in a form of multi-factor authentication – which combines something a user has, like the device they connect with, and something they are, like their location. Adding this context to online transactions adds extra layers of security on top of the traditional user name/password combo. This must all be done passively – in the background and in real-time – along with malware detection, so that there is no impact on the user experience.

The ThreatMetrix® platform does exactly this, using data generated by our Global Trust Intelligence Network which analyses over one billion transactions each month to allow firms to spot fraudulent transactions in real-time at a cost of less than a penny per transaction. As UK fraud levels continue to rise, there’s never been a more urgent need for protection that works every time – protecting profits and keeping your customers happy.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

Why Doing the Right Thing is So Important. How Ignoring Issues Will Cost you Dearly.

Posted on April 1st, 2015 by Dan Rampe

Standard-Header-Carmen

This year marks my ninth year in the fraud prevention space. Having been a consultant as well as running fraud departments for various e-commerce businesses, I always wondered why it seemed so difficult for corporations to do the right thing.

Many companies have been notoriously stingy when it came to giving me the technological and staffing resources I needed to do my job. The general response was that chargebacks were well below the obligatory 1%, making resources unnecessary. The fraud operation was seen as a revenue drain and hardly ever got the attention it deserved – until all hell would break loose.

Once the fraudsters found their way in, the losses were merciless, the chargebacks increased and the next thing the company knew, it was put on one, or many of the excessive chargeback programs enforced by both, Visa and MasterCard. Fraud prevention was always reactionary, always after the fact and sometimes when it was almost too late. Trying to recover and save the business or stop the losses often cost thousands, if not millions of dollars.

Fraud and breaches do so much more than just cause chargebacks. Fraud will cost you revenue from legitimate customers, which you are turning away, because now you have have stringent rules in place that aren’t fine-tuned yet. In addition, fraud will cost the company dearly in reputation and will truly damage the brand in ways most will never truly be able to comprehend or predict – until it happens. Lastly, you can and, in some cases, will get sued and that will often drive the proverbial nail in the coffin, as some smaller companies may never recover from that or even go under.

Not doing the right thing and deliberately ignoring a potential issue or looking the other way can and will have consequences. And although it is difficulty to solve for something you haven’t seen (yet), it is necessary to anticipate fraud and understand that fraud is never a question of if, but always one of when. The examples I outline below focus on the payment processing/banking space this time, in order to not single out specific e-commerce businesses.

FTC vs. Wyndham – filed in 2012

Three security breaches in two years led to fraudulent charges on consumers’ accounts and more than $10.6 million in fraud losses.

Primary allegation: Wyndham violated Section 5 of the FTC Act, which prohibits unfair or deceptive practices, by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information.

Deceptive: Statements on web site privacy policies that Wyndham used commercially reasonable efforts to safeguard information using industry standard practices

Unfair: Wyndham failed to employ reasonable and appropriate measures to protect personal information against unauthorized access, which caused injury to consumers that they could not reasonably avoid themselves

Wachovia Bank – 2008

Background: Telemarketers obtained bank account info over the phone by offering questionable products and services (grant writing kits, identity theft certificates, medical discount plans, discount travel and groceries); many elderly victims; use of remotely created checks.

Bank Regulatory Action: OC directs Wachovia to make $125 million restitution to consumers harmed by the bank’s relationships with telemarketers and third party payment processors.

First Bank of Delaware – 2012

Background: Department of Justice (DOJ) allegations: bank knew, or turned a blind eye to, the fact that authorizations obtained by fraud; banking industry had been explicitly warned by federal banking regulators after the 2008 Wachovia case; while many banks heeded the guidance, First Bank of Delaware recognized RCCs as a source of new revenue. They knew the risks and determined the profits outweighed the risks.

Bank Regulatory Action: $15 million penalty by FDIC and FinCen, because bank failed to implement an effective AML compliance program with internal controls to report evidence of money laundering or other fraud. Settled DOJ charges that the bank violated the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) by originating withdrawals totaling more than $138 million from consumers’ accounts on behalf of the fraudulent merchants.  Lost its state charter to operate!

FTC vs. IRN Payment Systems – June 2014

Background: Allegations that IRN knew, or deliberately avoided knowing, that the merchant was selling debt relief services in violation of the FTC’s Telemarketing Sales Rule

FTC: IRN ignored facially deceptive telemarketing scripts, 20%-40% chargeback rates, poor Better Business Bureau report, past state investigations; advised merchant on defeating chargebacks through deceptive document; broke up sales transactions into pieces, assisted in challenging chargeback disputes

Settlement: $3.48 million judgment (suspended with $400K payment); ban on processing for debt relief services; screening requirements; immediate termination if certain merchants exceed 1% chargeback rate; investigate other merchants that exceed 1% chargeback rate

There are many more examples, but as we can clearly see here, ignoring chargebacks, opting for revenue over doing the right thing and thinking that it may all work out has its price. I would argue that having proper fraud and security controls in place would have been a mere fraction of the price than what the fines, penalties, chargebacks, lawsuits and loss of trust in your brand amounts to once fraud hits your system.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real-time customer-driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

Retailer “To Do” List

Posted on March 30th, 2015 by Dan Rampe

online retailers

New Survey of Retailers Has Security and Upgrading Point-of-Sale Payment Systems as Top Priorities

Boston Retail Partners, an independent consulting firm, recently surveyed more than 500 retailers. Even a quick glance at the survey’s results suggests that top-of-mind subjects for retailers are protecting customer data from breaches, the shift in liability for those breaches from banks and credit card companies to retailers and upgrading point-of-sale systems to take advantage of EMV and NFC technologies.

In his story on digitaltransactions.net, Kevin Woodward details results of the Boston Retail Partner’s report. The following has been excerpted from Woodward’s piece and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Security is number one

In the survey…63% cited payment security as their top priority in 2015.

Equipment for processing EMV

[Retailers] need new equipment to accept [EMV] cards. [The] survey found a 650% increase in the number of retailers supporting EMV transactions within the next year.

Encryption, tokenization, NFC

Forty-five percent…said they expect to add encryption services by October to help protect card data as it moves within their payment networks, with 40% planning to add tokenization by channel to mask the card data. Thirty-five percent plan to add near-field communications (NFC) support, and 23% plan a single tokenization scheme across all of their sales channels.

Emphasis on protecting customer data

The combination of EMV, tokenization, and encryption signals a retail strategy to protect customer data on a variety of fronts. [Ryan Grogman, a vice president at Boston Retail Partners] says. “Retailers realize there are significant costs associated with a breach event and are taking significant steps to protect their customers’ data on a variety of fronts,” he says. “Retailers [who] employ a multitiered approach, combining EMV compliance with [end-to-end encryption] and tokenization, will have the strongest payment security platform.”

Apple Pay outdistancing rivals

As for why 35% of retailers plan to add NFC support, part of the explanation is that Apple Inc.’s Apple Pay has excited consumers. The survey found that 30% of retailers plan to add Apple Pay support within the next 12 months. That is the highest rating among the alternative-payments types. Only 18% plan to add PayPal support, with 13% anticipating in-app acceptance; 15% Google Wallet; 13% Softcard; and 8% each for CurrentC and Bitcoin.

One Apple Pay alternative could be a contender. Or not

With the future of Softcard uncertain, CurrentC, the mobile-payments app proffered by Merchant Customer Exchange, could be a top contender. “While CurrentC may [catch the attention of] many retailers [who] are excited by the opportunity to eliminate credit card fees, the key issue is how cumbersome the process is for consumers and sales associates,” Grogman says. “Consumers have to open the CurrentC app on their phone, open the scanner, scan the code from the cashier, and wait for the transaction to be confirmed. That may present more friction from consumers than simply paying with a credit card, and it’s certainly more clunky than the sexy interface on Apple Pay.”

Retailers looking to Apple Pay as the answer?

Apple’s branding expertise may be a factor. “However, when you combine Apple’s iconic brand, their significant investment and marketing efforts behind this service with the iPhone 6 line, and their savvy and loyal customer base, it is widely expected that adoption of Apple Pay as a payment source will continue to increase dramatically,” says John Eagles, a vice president at the consulting firm. “This will also allow retailers to start to recoup some of their investment dollars from their payment-terminal upgrades, which should create a win-win situation for both merchants and customers.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

The Anthem Tipping Point

Posted on March 27th, 2015 by Dan Rampe

Standard-Header-Reed

The Anthem security breach is a tipping point for all businesses and individuals that use the Internet to conduct their day-to-day business. The ramifications of more than 80 million personal identities in the hands of cybercriminals will result in the loss of untold millions of dollars to anyone and everyone that becomes a victim of this crime for many years to come.

Rather than dwell on the negatives of this event, let’s turn our attention to what good may come out of it.

Anthem’s misfortunes just might get the attention of senior management and boards of directors to recognize that cybersecurity is just as important to the enterprise as the operations of their customer-facing Internet applications themselves. Rather than putting their fingers in the dyke to patch up security holes after the damage has been done, maybe companies will recognize that protecting sensitive and critical data is equally important to their customers, and therefore to the enterprise itself, as the purchase of the products and services the company hopes customers buy in support of the business.

Businesses believe they exist on islands of commerce and all that matters are the attacks that are being directly targeted toward them. This misconception drives the decision to exclude the wealth of information that is collected through the use of global shared intelligence across the internet.

During a recent speech at Stanford University, President Obama discussed his executive order urging companies to join information-sharing hubs to exchange data about online threats. In other words, these hubs will create an environment of global shared intelligence for the purpose of stopping cybercrime using the shared information collected by all enterprises, whether the enterprises are in the same industry or not. What President Obama is asking all of us to do is to create a global “Neighborhood Watch Group” where every enterprise online participates in the protection of every other enterprise on the Internet.

The real consequences of the Anthem breach lie in the millions of stolen identities that will be used to defraud individuals across every aspect of their lives online. While most enterprises continue to focus on securing their internal networks, what is really required is broad adoption and use of secure, anonymized global shared intelligence that will identify what for and where those 80 million stolen identities are being used.

So then comes the critical question. Will enterprises simply add to their already ineffective methods of protecting critical data on the advice of vendors who are selling products designed to recognize intrusions only after the attack has occurred; or will they embrace the fact that today’s threats need to be stopped before the damage is done, outside of the firewall and on the Internet itself?

ThreatMetrix® and our customers believe that in order to protect enterprises from data breaches, a new approach is needed to differentiate between trusted users and cyber threats. At ThreatMetrix, we know that in cyberspace, our identities and personas are inextricably tied to the devices on which they are used, their security posture, their location, behavior and their associations built over time across the myriad of online services they use each day. In order to be me, you need to not only assume my identity and device at a point in time but for all time in order to replicate my digital fingerprint. Better yet, using a privacy-by-design approach, ThreatMetrix doesn’t need to know your name to know you’re not who you say you are. We are the first digital identity network that doesn’t just encrypt data, but also anonymizes data with a one-way filter so that personally identifiable information remains secure against both intentional and unintentional breaches.

ThreatMetrix is the leader in anonymized global shared intelligence to protect digital identities from being exploited. In real time ThreatMetrix protects more than 15,000 websites servicing more than 250 million consumer accounts who in turn execute tens of billions of transactions per year on a global basis. ThreatMetrix stops cybercrime, not customers, by using real-time identity, fraud and security analytics powered by the world’s largest trusted identity network. By creating an anonymized digital identity of consumers based on device, persona and behavior from every interaction (account origination, login and access, and purchase) and comparing it in real time to previous activities, ThreatMetrix enables enterprises to accurately identify good customers from cybercriminals – regardless of channel.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

 

 

Apple Watch Could Be a Real Steal

Posted on March 25th, 2015 by Dan Rampe

Apple Watch

Time Will Tell Whether Apple Watch Increases Fraud by Making It Easier and Cheaper to Use Stolen Data for In-Store Purchases

Using Apple Pay on iPhone 6 and stolen credit card numbers, cybercriminals have been buying high-end goods at brick-and-mortar stores, especially Apple stores. Experts have a one word description for this fraud — “rampant.”

If things look bad now, Al Sacco in his piece on cio.com says just wait until Apple Watch is released in April. The following has been excerpted from Sacco article and edited to fit our format. You may find the full unedited story by clicking on this link.

For cheap crooks

[Apple Watch], when it’s released in April, could take [the hike in fraud using Apple Pay] further, because it also supports Apple Pay and offers a cheaper option than buying a new iPhone, at least without a carrier subsidy.

How Apple Pay works Apple Watch

To add payment cards to Apple Watch, you simply open up the companion iOS app, which is now available in iOS 8.2, and use the Passbook & Apple Pay option to enter credit card data. After you save the information, and Apple runs a quick check for potential red flags, you’re good to go. (It’s unclear whether or not the Watch will automatically import payment information iPhone 6 users already store in Passbook.)

Next, you head on over to a local retailer with NFC-compatible POS terminals, pick up some goodies, head to the cashier, double-tap the bottom button on the side of the Watch and then hold it close to the payment terminal.

Security

For security purposes, you have to authenticate yourself via a passcode anytime you remove and replace the Watch and then try to access Apple Pay.

[While] Touch ID authenticates Apple Pay purchases when you use an iPhone 6, a passcode protects your card information when you pay via Apple Watch. After you type in your code once, you don’t have to retype it to make additional payments — as long as you don’t remove the device, causing it to break contact with your skin.

Apple Watch and Apple Pay fraud

[You] need an iPhone to do just about anything on the Apple Watch. It is, after all, a companion device, and without an iPhone buddy it does little more than track your steps and, you know, tell time.

Apple Watch and cheap iPhone cost less than iPhone 6

[Cybercriminals] who exploit Apple Pay to make fraudulent purchases don’t steal iPhones to use owners’ payment information. Rather, they buy or steal card data from another source and then add it to their own iPhones and use Apple Pay to turn that data into something physical that can be used in stores.

Today, you need an iPhone 6 or iPhone 6 Plus to perpetrate such a crime, because they’re the only Apple devices that support in-store Apple Pay. Both of these devices are relatively expensive….However, the Apple Watch works with earlier iPhones, including the 5 and 5s. Starting on April 10, bad guys will be able to purchase the cheapest version of Apple Watch for $349 and then jump on eBay (or some similar site) and snag a used iPhone 5 or 5s for as little as 99 cents.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

“Unsafe at Any Speed” — Even Standing Still

Posted on March 25th, 2015 by Dan Rampe

car on internet

Senator Proposes New Rules of the Road for Connected Cars That Leave Drivers Open to Invasions of Privacy and Cyberattack

When Ralph Nader’s Unsafe at Any Speed was published half a century ago accusing car manufacturers of resistance to spending money on safety, it caused a sea change in the auto industry. No. Not amphibious cars. But, it did lead to mandatory seat belt laws and the introduction of a host of other safety features.

Recently Sen. Ed Markey of Massachusetts released a report on the risks of cyberattack and loss of privacy posed by cars connected to the Internet. In a statement, he warned that “automakers haven’t done their part to protect us from cyber-attacks or privacy invasions [adding that even] as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

In her piece on washingtonpost.com, Andrea Peterson explores the many questions raised by the new Internet of Things smart cars and a few answers. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

Who’s foot is on the brake pedal?

Cybersecurity experts have long warned that cars’ electronic systems might be vulnerable to hackers, especially as auto-makers started building wireless connections to the outside world into vehicles. Researchers Charlie Miller and Chris Valasek demonstrated how to take over the steering and brakes of a Ford Escape and a Toyota Prius using a laptop connected to the vehicles with a cable in 2013.

Many attack surfaces

Last year, the pair released a report detailing the wireless “attack surfaces” of a wide variety of vehicles on the market — things like Wi-Fi, keyless entry systems, and Bluetooth that might be targeted by a malicious hacker.

Inconsistent and haphazard

Nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions,” according to Markey’s report…. Security measures to prevent remote access to a car’s electronic systems are “inconsistent and haphazard across all automobiles” and many manufacturers “did not seem to understand” the questions the legislator was asking. However, most manufacturers were either unaware or unable to report on previous hacking incidents.

“Cavalry” involved

Other groups have raised concerns about the security practices of auto-makers. I am the Cavalry, a group focused on where computer security intersects with physical safety, has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety.

Your car is listening

The report also found that modern cars collect a significant amount of information on driving history and that drivers often cannot opt out of data collection without disabling features such as navigation. “A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data,” it said.

Markey calls for new regulatory standards

[Markey] calls for the National Highway Traffic Safety Administration to set new regulatory standards with input from the Federal Trade Commission. The standards should ensure that car’s wireless and data-collection features protect against hacking and security breaches, require that carmakers test their systems with penetration testing, require drivers be explicitly told about how data is collected and used, and give drivers a way to opt out of such features, the report argues.

Rules of the road enforced

“We need to work with the industry and cyber-security experts to establish clear rules of the road – not voluntary agreements – to ensure the safety and privacy of 21st-century American drivers,” Markey said.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

16 Million Mobile Devices Hit. Malware Infections Up 25 Percent.

Posted on March 24th, 2015 by Dan Rampe

Malware

Latest Study by French Telecom Equipment Company Alcatel-Lucent Shows 2014 Was a Banner Year for Bad Guys.

The Motive Security Labs division of Alcatel-Lucent recently published a report that found mobile device malware infections increased 25 percent compared with a 20 percent increase in 2013. Extrapolated out that comes to 16 million infected devices.

In his piece on zdnet.com, Leon Spencer highlights major findings from the report, officially titled, Motive Security Labs malware report – H2 2014. The following has been excerpted from Spencer’s zdnet.com story and edited to fit our format. You may find the full article by clicking on this link.

Mobile spyware big threat

[Six] of the mobile malware top 20 spyware…apps that are used to spy on the phone’s owner, and can track a phone’s location, monitor incoming and outgoing calls and text messages, monitor emails, and track a phone user’s web browsing.

Android devices now as popular with cybercriminals as Windows’ devices

[Android] devices have caught up with Windows laptops in terms of malware attack numbers, with infection rates between Android and Windows devices split 50/50.

iPhone and Blackberry not cybercriminals favorite target…yet

Less than 1 percent of infections came from iPhone and BlackBerry smartphones. However, new vulnerabilities, such as the “Find My iPhone” exploit discovered last year, have emerged in the past 12 months, showing that Apple is not immune from malware threats.

Owners not responsible

[The] growth in malware infections has been aided by mobile device owners not taking “proper” device security precautions. A recent Motive Security Labs survey found that 65 percent of the security platform subscribers expected their service provider to protect both their mobile and home devices.

Who’d ‘ve “thunk” it?

The report also found that, somewhat counter-intuitively, consumers who avoid shopping online out of fear that their credit or debit card information may be stolen may, in fact, be exposing themselves to greater risk. A spate of retail payment systems security breaches in 2014 showed that malware infections are more likely to be found on cash registers or point-of-sale terminals, rather than on online store payment portals.

Increase in DDoS

[Researchers] found that there was an increase in distributed denial-of-service (DDoS) attacks using network infrastructure components such as home routers, DSL modems, cable modems, mobile Wi-Fi hotspots, DNS servers, and NTP servers.

Additionally, the first DDOS attacks launched from mobile phones took place, suggesting how so-called “hacktivism” movements against the mobile infrastructure might be launched in the future….

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

Browser Beware

Posted on March 23rd, 2015 by Dan Rampe

Browsers

Ponemon Survey of 645 Information Tech Companies Says Half of All Malware Was the Result of Web Browsers That Weren’t Secure

Less than a third of respondents thought major browsers had “effective security tools for blocking web-borne malware.” And, close to 70 percent of IT professionals thought browser-borne malware was getting worse and was “a more significant threat today than [just] 12 months ago.” These were among the observations brought to light in the Ponemon study as reported by Cory Bennett on thehill.com. The following has been excerpted from Bennett’s article and edited to fit our format. You may find his full article by clicking on this link.

An unsettling thought

Over three quarters [of IT professionals] thought it was certain or very likely their organization had an undetected infiltration from browser-based malware.

Google hunting for bugs

[Google is taking …steps to root out more bugs in its Chrome browser, which recently became the second-most popular browser behind Microsoft’s Internet Explorer.

The [company] said it [would] start giving no-strings-attached grants to independent researchers to suss out flaws in its products, including Chrome. The company will post vulnerabilities they are looking to eradicate and will dole out up to $3,133.70 to researchers willing to take a shot at it.

The hunt gets harder

Since 2010, Google has rewarded researchers if they discovered flaws in Google products and services. The company said it’s adding the new grant program because these vulnerabilities are increasingly difficult to find, after years of independent researchers and Google’s in-house team working on the issue.

“Of course, that’s good news, but it can also be discouraging when researchers invest their time and struggle to find issues,” said Google security engineer Eduardo Vela Nava.

Chrome chief beneficiary

Chrome has benefited from these rewards as much, if not more, than any other product, Nava said. In 2014, more than half of the Chrome bugs discovered by outside researchers were found in beta versions of the browser.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

Yah Who?

Posted on March 19th, 2015 by Dan Rampe

Yahoo

Yahoo Offers Optional On-Demand Password-Free Email Login. Now Unnecessary for Users to Remember Passwords to Login.

Last year, Yahoo suffered a massive hack that compromised Yahoo Mail usernames and passwords. In response to that attack, writes Samantha Murphy Kelly on mashable.com (link to article), “[Yahoo wanted] to provide a safe, encrypted way to keep accounts secure.”

How Yahoo’s password-free login works

Murphy writes that the “new on-demand login feature…sends…a specialized code to [users’] mobile devices to gain access. The code is generated only for that account [and] changes each time [users] log in.” The same password is never used twice.

For years, ThreatMetrix warned that passwords offer minimal security

In a 2013 blog titled “ThreatMetrix Strategies for Helping Your Business Avoid Its Own Password Apocalypse,” the company pointed to the 130 million people who had their identities stolen or bank accounts drained when Adobe and LivingSocial were breached (Since that time, of course, tens of millions more people have had their personal information compromised in breaches from Target to Anthem.) and noted that password systems were not up to the task of protecting those people.

Alisdair Faulkner, ThreatMetrix’s chief products officer, observed in the same blog:

“Retailers are caught between a rock and a hard place. They loathe introducing speed bumps, such as resetting passwords or requiring two-factor authentication, as these steps pose an inconvenience to their customers. It’s crucial to adapt effective technologies that can quickly identify potential threats without negatively impacting the user experience for customers.”

Other companies offering similar password protection to Yahoo’s

Murphy notes that “Many companies like Twitter, Facebook and Google have offered a similar option — two-factor authentication — for some time. This method is like double-locking your door at night (you need both a standard password and the messaged code to enter). Yahoo differs because you don’t need a permanent password, just the one that the company sends you on demand.”

Even though Yahoo’s method differs slightly, no doubt there are going to be users who are turned off by having to jump through hoops just to check their email.

What happens if Yahoo email user loses his device or has it stolen?

Writing on techcrunch.com (link to article), Jon Russell notes that “if you lose your phone, the person in possession of it has a ticket into your email. In some cases, if you get SMS notifications on your lock-screen, the on-demand password will show up even if your phone is locked. So, if you lose it, the person who picks it up doesn’t even need to know your passcode to get into your Yahoo account once they know your ID.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

Are You Treating Your Customers Like Criminals?

Posted on March 18th, 2015 by Dan Rampe

Standard-Header-Tony

Picture this: you head to your favourite restaurant for dinner – a place you visit often and are well known. After a delicious meal you try to pay the bill, only to be marched out to the cashpoint in the rain, as your credit cards have been rejected.

Sound humiliating?

Loyal online shoppers are currently being subjected to this exact type of treatment. Every day, retailers turn away valuable business because their web fraud systems lack the intelligence to identify that they are genuine customers.

And even if they are accepted, many ecommerce regulars are turned off by burdensome second level authentication such as 3DSecure, and abandon their basket.

Current fraud management systems make it difficult to separate authentic customers from cybercriminals – and sometimes misidentify fraudsters as genuine shoppers.

To add to this challenge, many shoppers log on from multiple devices, and businesses fail to recognise high value ecommerce consumers when they log on from their mobile device. It’s costing the retail sector millions.

How can retailers simplify customer authentication without letting in criminals?

A new approach is needed to create a frictionless online customer experiences. Instead of pouring budget into manual checks to stop legitimate customers falling into fraud filters, retailers need to adopt a single platform that provides comprehensive context-based authentication and personal recognition.

By treating people like people, businesses can provide real-time defence to minimise credit card fraud and account takeover risks, while keeping the customer experience hassle-free and protecting their account login.

And this method has proven benefits – context aware authentication solutions halve fraud losses and reduce cart abandonment rates by 50%, as well as cutting ‘false positive’ results (where genuine customers are identified as cybercriminals) by 70%.

To reduce your fraud management burden and improve ecommerce customer service, download our guide: “Are You Treating Your Customers Like Criminals?” and learn how etailers can increase sales conversions and create frictionless customer experiences.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.