The Password Apocalypse has Happened and ThreatMetrix Predicted It

Posted on August 6th, 2014 by Dan Rampe


Russian Crime Ring Rips Off 1.2 Billion Username/Password Combos and More than Half-a-Billion Email Addresses

The crime is mind-boggling. It’s as if one in every seven people on the planet had been burglarized. The gang, which breached 420,000 websites ranging from the obscure to household names, was discovered by Hold Security.

Alex Holden, Hold Security’s founder and chief information security officer, said, “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”

ThreatMetrix predicted this would happen as early as 2013, when Alisdair Faulkner, ThreatMetrix chief products officer, wrote: “2013: The Year of the Password Apocalypse.”

Early this year Andreas Baumhof, ThreatMetrix chief technology officer, wrote on the same subject, “3 Steps Businesses Can Take to Guard Against ‘Password Apocalypse’ in Wake of Data Breaches.”

And finally, ThreatMetrix provided you with an infographic titled “Data Breach! What Happens Next.”

In their nytimes.com story, Nicole Perlroth and David Gelles explore the background and ramifications of this unprecedented and wide-ranging security breach. The following has been excerpted from their piece and edited to fit our format. You may find their full article by clicking on this link.

[The] size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner, the research firm. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets…. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to… a SQL injection [where] a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

The average total cost of a data breach jumped 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Winner: Best in Biz Awards 2014 International

Posted on August 5th, 2014 by Dan Rampe


ThreatMetrix Takes Silver in “Enterprise Product of the Year – Software”

Representing virtually every sector of the economy, the Best in Biz Awards 2014 International recognizes success in a number of categories as judged by industry analysts and members of the press. Journalists from financial, business and trade publications as well as industry experts objectively evaluate each of the entries to choose the world’s top companies, teams, executives and products.

“It’s quite a feat to not only be recognized among other major providers of cybersecurity solutions, but among companies of varying industries and scope around the world,” said Reed Taussig, CEO, ThreatMetrix. “Our TrustDefender Cybercrime Protection Platform enables us to differentiate ourselves from other providers of security and fraud prevention solutions as well as other global companies in the enterprise software industry. Through the platform, we can quickly identify threats and protect our enterprise customers and businesses across industries in real time.”

Leveraging the power of the ThreatMetrix™ Global Trust Intelligence Network (The Network), the TrustDefender Cybercrime Protection Platform creates trust across all types of online transactions. It guards against account takeover, card-not-present, and fictitious account registration fraud.

The Network – the largest trusted identity network of shared intelligence – processes transactions using shared intelligence that provides predictive analytics to protect online businesses and reduce customer friction.

Recently, ThreatMetrix expanded its enterprise solutions through its integration with Ping Identity’s PingFederate identity bridge. Integrating ThreatMetrix and PingFederate leverages context-based authentication and single sign-on. This enables enterprises to deliver users secure, frictionless access to their business productivity applications.

For a full list of winners, visit http://intl.bestinbizawards.com/intl-2014-winners/.

In addition to Best in Biz International Awards, ThreatMetrix has been recognized through several additional awards so far this year:

  • Named to the 2014 AlwaysOn Global 250 Top Private Companies List
  • Named to the 2014 Lead411 Hottest Companies in Silicon Valley list
  • Products Guide (NPG) 2014 Hot Companies and Best Product Award Winner for the “Best Products and Services – Information Security and Risk Management” category and also in the “Best Products and Services – Security Software” category.
  • Judges Choice for Best Overall Fraud/Security Solution at the 2014 CardNotPresent.com (CNP) Awards for the ThreatMetrix TrustDefender Cybercrime Protection Platform
  • A 2014 Info Security Products Guide Global Excellence Award for Most Innovative Company of the Year (Security)
  • 2014 Cyber Defense Magazine Award Winner in 2 Categories: Most Innovative Anti-Malware Appliances Solution & Best Product Network Access Control Solution


Austrian, Japanese, Swedish, Swiss Banks Hit

Posted on August 4th, 2014 by Dan Rampe


Sophisticated Cybercriminals Attack 34 Banks. Side-step Two-Factor ID and Make off with a Million or More.

A recent report “Finding Holes: Operation Emmental*” says cybercriminals used the Android platform’s openness to install apps from third-party sites to make off with at least seven figures from 34 banks.

*Like Swiss cheese, i.e., full of holes.

The attackers were able to marry traditional phishing attacks to get a person’s username and password with malicious mobile apps to get the session tokens sent to their mobile devices.

Authored by security experts David Sancho, Feike Hacquebord and Rainer Link, the report says that Operation Emmental is a complex operation that involves several components. “The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised command-and-control server,” [the report] says, adding that the attack vector is one that has likely evolved over time.

“The fact that the most salient part of the attack — the PC malware — is not persistent [i.e., not lost when “turned off” or not in use] likely helped the attackers keep a low profile. We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means…”

In his piece on scmagazineuk.com (link to article), Steve Gold cites Sarb Sembhi, a director with STORM Guidance, observing a need for banks to put their heads together to develop common and more secure methodologies for the mobile phone and software industries.

Sembhi notes that the attack model is so highly sophisticated that cybercriminals established five or six fallback positions in the event one or more of their methods of attack are compromised. “Banks need to understand what attack model the cybercriminals are looking at, and then get together to discuss the issue, most notably how the security of the Android platform can be enhanced to stop things like this going wrong.”

In case you were wondering, the attackers are likely from Russia and Romania. How do researchers know? They found “obnilim rid” (That’s transliterated from Cyrillic) in the app’s code. That’s Russian slang for “set to zero.” The researchers said they also found a Romanian connection.


Millions Spend a Billion-a-Day in UK

Posted on July 14th, 2014 by Dan Rampe


BBA Report Has Brits Spending Close to £1 Billion (1.5 billion USD) per Day Using Mobile and Online Devices

The accounting firm, EY, and British Bankers Association (BBA) report, “The Way We Bank Now: It’s in Your Hands,” (link to report) notes that millions of UK customers use contactless cards (pocket-sized cards with embedded chips for processing and storing data), payment by mobile and SMS balance alerts. And, this year, in the UK, more than 15,000 people each day will be downloading banking apps.

Highlights from the report:

  • Internet and mobile banking is now used for transactions worth £6.4 billion (11 billion USD approximately) a week – up from £5.8 billion (9.9 billion USD approximately) last year.
  • Banking apps for mobiles and tablets have now been downloaded more than 14.7 million times – a 2.3 million rise since January at a rate of around 15,000 per day in 2014.
  • Internet banking services typically receive 7 million log-ins a day
  • Spending on contactless cards is expected to rise to £6.1 million (10 million USD approx.) a week this year – up from £3.2 million (55 million USD approximately) in 2013.

CEO of BBA

“This report shows just how enthusiastically the British public is embracing mobile banking, contactless cards and a range of other consumer-friendly banking technologies,” said Anthony Browne, chief executive of the BBA.

“This study shows that banks have, are and will continue to compete against one another to offer customers innovative technology. It’s a revolution putting more power in your hands.”

Mobile on the move

In his article on cbronline.com (link to article), Michael Moore cites Juniper Research’s prediction that more than 1.75 billion mobile phone users will be using their devices for banking by the end of 2019 compared to 800 million this year, and that countries like India and China will be driving this growth over the next several years.

Juniper Research’s Nitin Bhas, who wrote the report, says, “The level of maturity in number and innovation of services being offered in the market across several geographical areas demonstrates that banks now regard the mobile channel as an indispensable revenue-stream.”


Eating at P.F. Chang’s Could Give You Heartburn — And Not Because of the Food.

Posted on June 16th, 2014 by Dan Rampe


Wendy’s once ran an iconic ad campaign “where’s the beef?” P.F. Chang’s may have its own version, “where’s the breach?” And, if you’re a P.F. Chang’s patron, who used a credit or debit card, you have to be wondering.

Brian Krebs in his blog, krebsonsecurity.com, reported that the restaurant chain is “investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.”

He writes that earlier this month thousands of stolen credit and debit cards were being sold on an underground store that also sold “tens of millions of cards stolen in the Target breach.” And he adds, “A new ad that debuted on June 9 for a fresh batch of cards apparently stolen from P.F. Chang’s China Bistro locations.

“The ad for the Ronald Reagan batch of cards also includes guidance for potential customers who wish to fund their accounts via Western Union or MoneyGram wire transfers, advice that strongly suggests those involved in this apparent heist are once again from Russia and Eastern Europe:”

You can find Krebs’ full article by clicking on this link.


A Sign of the Times — Hacking Signs. Electronic Road-Sign Hackers Reveal a Downside to “the Internet of Things.”

Posted on June 6th, 2014 by Dan Rampe


Remember the good old days when defacing road signs meant two barrels of double-ought buckshot in a deer-crossing sign on a rural dirt road? (Note: If it needs saying, we are indeed joking. Oh, you knew it all along.)

Anyway, the modern equivalent of the shotgun, but capable of being just as dangerous, is hacking into the software controlling an electronic road sign and changing the message — for instance from “DANGER BRIDGE OUT” to “HAPPY MOTORING. DON’T FORGET TO BUCKLE UP.”

The Internet of Things provides the ability to virtually control anything that connects to the Internet and offers up all kinds of possibilities for improving life from checking the security of the home while you’re on vacation to ensuring the dog isn’t eating the sofa while you’re at work. It also has downsides.

In his blog, KrebsOnSecurity, security expert Brian Krebs writes that authorities in several states have reported that hackers have broken into and defaced electronic highway road signs. He quotes the Multi-State Information Sharing and Analysis Center (MS-ISAC) as observing “changes to road signs create a public safety issue because instead of directing drivers through road hazards, they often result in drivers slowing or stopping to view the signs or take pictures.

“That same MS-ISAC notice…points out that these incidents appear to be encouraged by sloppy security on the part of those responsible for maintaining these signs.” You may read Krebs’ entire article by clicking on this link.

Andreas Baumhof, ThreatMetrix’s chief technology officer, maintains, “the Internet of Things is coming on faster than we can cope with it. Soon enough, we will be living in smart houses and all of our critical infrastructure will be managed online. This extensive interconnectivity poses a severe risk with cybercriminals having more and better opportunities to disrupt critical utilities such as our nation’s water supply and other vital infrastructure.”

As well as warning of the dangers presented by the Internet of Things, Baumhof talks about a positive solution. “Given today’s sophisticated cybercriminals [and hackers, organizations] must collaborate through a global network for a collective response to cybercrime.”

To protect themselves against this newest threat to security, organizations including state governments, financial services, e-commerce, payments, enterprises, social networks and others can turn to global data repositories such as ThreatMetrix’s Global Trust Intelligence Network, nicknamed The Network.


MasterCard and Visa Push Hard for EMV Chip Adoption. But There’s Strong Pushback by Others.

Posted on May 27th, 2014 by Dan Rampe


What do Canada, Mexico and most of Western Europe have that the U.S. doesn’t? EMV chips. That was too easy. The headline practically gave away the answer.

Now, here’s a question that’s a lot harder to answer. Why hasn’t the United States rushed to replace magnetic stripes on the backs of credit and debit cards with EMV microchips? Especially since they would eliminate a substantial amount of plastic fraud and make shopping safer for consumers? Not to mention for banks which generally have to pony up for credit card losses?

In her AP piece, Bree Fowler focuses on the players involved and explains who’s pushing for EMV, who’s pushing against adopting the technology…and most importantly why. The following has been edited to fit our format. You can find the complete article by clicking on this link.

Chips aren’t perfect, says Carolyn Balfany, MasterCard’s group head for U.S. product delivery, but the extra barrier they present is one of the reasons criminals often choose to target U.S.-issued cards, whose magnetic strips are easy to replicate.

“Typically, fraudsters are going to go to the path of least resistance,” Balfany says.

The chip technology hasn’t been adopted in the U.S. because of costs and disputes over how the network would operate. Retailers have long balked at paying for new cash registers and back office systems to handle the new cards. There have been clashes between retailers, card issuers and processors over which processing networks will get access to the new system and whether to stick with a signature-based system or move to one that requires a personal identification number instead. These technical decisions impact how much retailers and customers have to pay — and how much credit card issuers make — each time a card is used.

The disputes have now largely been resolved. And the epic breach of Target’s computer systems in December, which involved the theft of 40 million debit and credit card numbers, along with smaller breaches at companies such as Neiman Marcus and Michaels, helped garner support for chip-based cards among retailers who were previously put off by the costs.

Chip cards are safer, argue supporters, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer’s register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards, say experts, are also nearly impossible to copy.

For its part, Target is accelerating its $100 million plan to roll out chip-based credit card technology in its nearly 1,800 stores. New payment terminals will appear in stores by September, six months ahead of schedule. Last month, the retailer announced that it will team up with MasterCard to issue branded Target payment cards equipped with chip technology early in 2015. The move will make Target the first major U.S. retailer with its own branded chip-based cards.

Even so, the protections chips provide only go so far, according to opponents who note that chips don’t prevent fraud in online transactions, where consumers often enter credit card numbers into online forms. Some opponents also point to other technologies, such as point-to-point encryption, as better long-term solutions.

Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches, says that while chips would be a big security improvement, they wouldn’t have stopped the hackers from breaching Target’s computer systems where they also stole the personal information, including names and addresses, of as many as 70 million people, putting them at risk of identity theft.

“Chip and pin is just another security component,” Stasiak says. “What matters is how companies like Target use consumer information, how they protect it.”

Banks generally pick up the tab for credit card-related losses, but companies such as Visa and MasterCard stand to lose too, if data breaches continue to occur with increasing frequency. After all, if consumers don’t feel safe using cards, they may choose other ways to pay for purchases.

“It’s not just about fraud and losses, it’s about the trust involved in electronic payments that’s destroyed,” says Ellen Richey, Visa’s chief enterprise risk officer.

In March, Visa and MasterCard announced plans to bring together banks, credit unions, retailers, makers of card processing equipment and industry trade groups in a group that aims to strengthen the U.S. payment system for credit and debit cards. The initial focus of the new group will be on banks’ adoption of chip cards.

That comes ahead of a liability shift set to occur in October 2015, when the costs resulting from the theft of debit and credit card numbers will largely fall to the party involved with the least advanced —and most vulnerable— technology. For example, if a bank has updated to chip technology, but the retailer involved hasn’t, the retailer will be liable for the costs.

Stasiak says many of the retailers he works with already have the technology in place. Once the banks start issuing chip cards, the retailers will activate their new systems, he says.

Banks say that despite the jump in high-profile data breaches, fraud still accounts for a small fraction of total transactions processed, while the cost related to issuing chip cards to all of their customers and switching out all of their ATMs is substantial. Banks have urged lawmakers to make retailers more accountable for their own security in hopes of recouping more of the losses from cybercrime.

Richard Hunt, CEO of Consumer Bankers Association, says that in cases of major fraud, banks have generally been able to collect only pennies on the dollar from the retailers involved.

Hunt says even if banks put chips in cards, it won’t do any good if retailers don’t upgrade their systems.

“We have to improve fraud prevention across the board,” he says. “There are people who get up every day across the world with one mission and that’s to break credit card technology. But there’s no magic pill out there. The solution involves everyone.”


ThreatMetrix CFO Frank Teruel Explores How Companies Can Authenticate Customers — Without an Involved Process that Loses Their Business.

Posted on May 8th, 2014 by Dan Rampe


In a thoughtful and well-reasoned piece, “Trust: The Only Online Currency That Matters,” on wired.com, security expert and ThreatMetrix® CFO Frank Teruel tackles a dilemma facing every company selling products or services online. That is separating the wheat from the chaff. Or, put another way, authenticating real customers from cybercriminals without complicated processes that degrade user experience and cause customers to go elsewhere.

Teruel writes:

Is your company turning away good customers in an effort to stop bad actors? Regretfully, all too often, Internet fraud mitigation efforts are so constricting they turn away real customers.

The reason businesses often turn away good customers is because every site visit or event immediately manifests the natural query inherent in any online transaction – can this transaction be trusted? Determining whether or not a transaction can be trusted is an immensely complicated issue in a world of big data, compromised credentials, and highly trained, well-funded bad actors whose sole mission in life is to make you believe they are trusted users so they can gain access to your site.

Once cybercriminals gain access to a website, the consequences can be extremely detrimental, not only because of stealing data, or scraping bank accounts, or using stored credit cards and applying for loans or credit, or any other host of resulting bad behaviors, but also from the ire of your legitimate customers who suffer from the impact of a breach of trust. Any executive at a business that operates online, irrespective of industry, who is not focused on the impact of cybercrime and Internet fraud, is risking the most important attribute of any customer relationship – trust – and once lost, it is not easily restored.

Tighten the Screws

How do companies that value their customers wind up in this quandary of lost trust? Frankly, the answer is rooted in a very natural reaction to increased Internet fraud rates. Unless your organization’s cybercrime prevention efforts are based on an intelligent system that provides real-time contextual data, your authentic customers will get caught in a dragnet that may reject them outright or, at a minimum, challenge their attempted interaction. Worse still, if the transaction involves digital goods where a review is impossible, your organization will lose that sale to a legitimate paying customer.

Rejecting and challenging good customers are both ineffective and abrasive approaches to cybercrime prevention. One strategy treats customers with disdain and the other imposes challenge questions or secondary authentication that often leads to transaction abandonment, angry customers and lost revenue. In fact, the CyberSource Online Fraud Report estimates that 75 percent of all manually reviewed transactions are real customers facing system friction.

In addition, business costs of manually reviewing transactions are also significant in terms of personnel costs. Reviewers can take up to 1.5 hours to review a single transaction that on average is accepted 75 percent of the time.

Overall, what are the biggest drawbacks of overly stringent online fraud strategies?

  • One: angry customers willing to take their business elsewhere
  • Two: lost revenue on abandoned transactions, and
  • Three: massive review costs

All significant and all juxtaposed against the other alternative – loose fraud controls that lead to real dollar losses, breaches of customer accounts and data, and large potential charges, fines, and lawsuits. However, there is an approach that enables businesses to solve this trust problem and eliminate the unacceptable alternatives of too much friction or too much fraud.

Crystal Ball

It turns out that the best way to mitigate some of this tension is to know your customer irrespective of the devices they are using to interact with your site, the credential used to attempt that interaction, and their behavior during the visit. Businesses don’t need to know a customer’s name to know their customers. Instead, they can use real-time global intelligence that correlates a virtual persona with the device or related devices used. That first touch information then can be correlated to that persona’s transaction history and other salient attributes like location and good and bad behavior in real time across a global network.

By using such an approach, businesses can predict with great certainty whether that persona is in fact a legitimate customer or an enterprising bad guy, aka – criminal, masquerading as a customer. As a result, this approach can reduce review challenges and the associated dollars while still reducing Internet fraud rates. Think of this approach as a trusted customer crystal ball.

Global Contextual Trust Intelligence

The key is access to rich transactional intelligence that contextualizes the pending interaction between you and the customer, the method of interaction/device and its attributes and anomalies, and how that customer has behaved or been treated throughout other site interactions in the network. A combination of that critical contextual data, or truth data, is the only way to solve the trust calculus. The challenge is that no one will provide certain truth data for fear of violating personally identifiable information (PII). So what can businesses do to overcome this challenge?

First, find a partner with a global network vast and diverse enough to provide transaction intelligence that is applicable to specific businesses. For example, if you are a bank deliberating on the “trust conundrum,” knowing that the customer in question was just successfully vetted and completed a transaction with another financial institution has much greater utility or trustworthiness than knowing whether the customer successfully logged into their Facebook account.

Second, do not rely on device identification alone. The device may be clean, in the hands of a bad guy with a stolen credential, which can lead to a trust decision businesses will regret. Make sure that the device information is just one component of the vetting process.

Third, ensure that your business has the ability to rate specific risks and set their own policies best suited to the Internet fraud risks and trends facing their business. Relying on canned scores will not align with the unique risks faced by an individual business and may contribute to customer friction.

Fourth, use a solution that encrypts all collected data and only allows you access to it. In a world of incessant breaches, a partner that does not protect PII and associated attribute and transactional data is a breach enabler that may wind up facing congressional committees, hostile media, unimpressed boards and expensive settlement costs.

Fifth, use a partner that has a network vast enough to identify industry specific fraud trends and provide predictive analytics and suggested remediation policies and data well in advance of that risk affecting your business.

Finally, use a partner with a global SaaS solution that scales and provides real-time data across different transaction use cases, whether account takeover protection, securing payments or protecting new account creation. Doing so will eliminate the expense of maintaining enterprise software in your environment, provide an on-boarding experience that is seamless and immediately applicable and deployable, and ensure that the network and service is always evolving in a way where you benefit from the enhanced features and functionality as well as the dynamic growing global dataset.

Monetize Trust

Shifting your focus to contextual trust intelligence as a force multiplier in the trusted customer versus fraudster construct will result in less fraud, less friction, less manual intervention, and less costs. At the same time, a new focus will ensure more revenue and most importantly, more customer trust; and that is the gift that keeps on giving.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.


Tired of Hearing about Heartbleed? Do Something About It. ThreatMetrix Strategies for “Staunching” Heartbleed and Any Similar Threats in the Future.

Posted on April 16th, 2014 by Dan Rampe


After it went unnoticed for two years, researchers discovered Heartbleed, the flaw that could let a hacker defeat OpenSSL, the most common encryption technology on the Internet. Another way of saying it is that Heartbleed put 66 percent of servers worldwide at the mercy of cybercriminals. And another way of saying that is that email, instant messaging, e-commerce transactions and more were being jeopardized in every corner of the planet, exposing passwords, credit card numbers and other personal data.

The Heartbleed security flaw was a danger to websites and the mobile applications and networking equipment that connect homes and businesses to the Internet, including such things as routers and printers. In short, the flaw presented a danger to the entire Internet of Things, i.e., any device from air conditioners to refrigerators that could be connected online.

After putting in a patch to fix the flaw, many, if not most, online businesses had only one strategy to offer users: change your passwords.

“Today it’s Heartbleed and tomorrow it will be another data breach or vulnerability,” said Alisdair Faulkner, chief products officer, ThreatMetrix.

“Passwords are a static means of security and are frankly obsolete as a stand-alone authentication solution in today’s cybersecurity landscape. Once account login information is obtained, cybercriminals have access to personal data used for committing bank fraud or falsifying credit card transactions – the possibilities are endless. Security should not just rely on point-in-time authentication solutions. Instead, continuous evaluation of trust is required based on what the user is attempting to do.”

ThreatMetrix’s preventative cybersecurity strategies offer protection that goes well beyond passwords and other forms of static authentication:

Real-time trust analytics – Move beyond just big-data collection and improve effectiveness of controls with real-time analysis of device, location, identity and behavioral context for every authentication attempt. Real-time trust analytics offer unprecedented identity authentication policies for businesses and enterprises by comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more.

Enhanced mobile identification – Detects jailbroken devices and offers location-based authentication, protecting mobile transactions by indicating when the mobile operating system has been breached and the security of applications has been compromised.

“To protect against future attacks like Heartbleed, businesses need to move beyond legacy verification and authentication solutions and recognize the benefits of leveraging a collective approach to cybersecurity,” said Faulkner. “The ThreatMetrix® Global Trust Intelligence Network (The Network) delivers real-time intelligence, providing customers with consistent risk assessments of data and creating a digital persona of users by mapping their online behaviors and devices.”

Consumers can protect their online identities and personal information from threats like Heartbleed by ensuring location information on social networks is encrypted and by using different passwords across sites and never storing them on devices.


How Dumb Can You Be? Here Are 10 of the Dumbest Ways of Making Your ID “Easy Pickin’s” for Cybercriminals.

Posted on April 4th, 2014 by Dan Rampe


Because reading our blogs is a clear indication of your high intelligence, this piece is not for you. However, you might want to pass it along to somebody you know who may not quite “measure up,” but who could definitely use this information. In any case, please don’t tell them why you decided to send it.

Personal finance editor and writer Kathryn Tuggle checked with a number of experts to discover ways people put themselves at risk of having their identities stolen. In her story on thestreet.com, she identifies the top ten dumbest ways. (The following has been edited to fit our format.)

1. Using the same password for everything

If you’re using the same password for everything, you’re setting yourself up for disaster, says Bill Carey, vice president of marketing for Siber Systems, creators of password management tool RoboForm. “You have to use a unique password for every website you log into. If you think about all the stuff that has gone on lately with hacking attacks at major companies, it seems inevitable that one of the companies you do business with is eventually going to get hacked,” he explains. Unfortunately, if you use the same password for every site, once hackers get one of your passwords, they’ve got them all.

2. Giving out personal information over the phone

“A lot of people have this thing where when someone calls them on the phone and represents to them that they are an official with the government or a credit card company or a broker’s firm, they believe it’s real,” says Adam Levin, chairman and co-founder of Credit.com. The truth is, the IRS, your bank or any other official organization is never going to call you and ask for your Social Security number, Levin says. Your bank might call to alert you to suspicious activity on your credit card, but they will never ask you to confirm such sensitive personal information.

“If you get a call like this, hang up the phone and find the official number of the organization. Then you make the call to them,” Levin says.

3. Not using a password on your smartphone

“Your smartphone isn’t just a phone anymore. It’s a personal computer, and if it’s not password protected people can gain access to your email, your bank account, everything,” Carey says.

If you lose your device and you’re still logged in to apps such as PayPal or eBay, you could be in for a world of trouble.

“The more people know about you, the more likely they can hack in and steal your identity on other sites,” he says.

4. Logging into financial accounts from an Internet cafe or unsecured connection

Internet cafes are great for browsing the Web and may be fine for doing less sensitive things such as printing tickets or boarding passes, but they’re not secure enough for managing your stock portfolio or savings account, Carey says.

“You can check email, Facebook or sports scores, but you don’t want to leave yourself open to someone picking off your banking passwords,” Carey says. “Internet cafes are super convenient, but you don’t want to be doing any sensitive financial transacting.”

5. Not having a private profile on social media

“It still surprises me the number of people who don’t keep their profiles private,” says Stacey Vogler, managing director of ProtectYourBubble.com, a company that insures smartphones, laptops and other communication devices. When you have your birth date, your phone number or your address on your profile, it’s an invitation for hackers to come in and use it in a malicious way, she says.

“It’s an entry into your life and who you are,” she says. “It would be easy to figure things out after following a few posts from you on a non-private profile.”

6. Following a phishing email — even if you’re “just curious”

If you get an email letting you know you’ve won $1 million for a contest you never entered, you shouldn’t follow the link or provide any information. Many people know emails like this are a scam, but they still follow along for a bit. This is a huge mistake. “Some people are curious, so they start a correspondence with the person to see if there’s something there or to see what kind of a scam it is,” Vogler says. “Unfortunately, any entry into who you are or where you live opens the door. It suddenly becomes really easy for them to hack into your life.”

7. Failing to monitor your bank statements and credit card statements

It’s surprising the number of people who don’t monitor their credit card statements or banking statements to check for fraudulent activity, Vogler says. If you keep an eye on your statements, you can catch fraud early on.

“Check all your transactions to make sure they’re ones you have made. The dates and times, the merchants should all be ones you’re familiar with,” she says. “Look for anything that doesn’t seem typical to your normal behavior and notify your bank or credit card company immediately if something doesn’t check out.”

8. Carrying your Social Security card or Medicare card in your purse or wallet

“You don’t need to do it. It’s unnecessary,” Levin says. “You’re totally exposed.”

The elderly are already prime targets for identity thieves, and since your Medicare ID is your Social Security number, you’re leaving yourself at risk by carrying either.

“You never want to have something in your purse or wallet that has your Social Security number on it,” he says. “If you need to present it to a doctor or other agency one day, then carry it to the appointment and go straight home. Don’t leave it in your wallet for weeks or months on end.”

9. Putting too much information on social media

“Don’t take a selfie with your address in the background,” Levin says.

It may sound ridiculous, but some people will take a picture of their first driver’s license that displays their full name and address. Others might take a photo of their final credit card statement announcing that they’ve just paid off their bills — unintentionally displaying their account number and other personal details.

“You don’t take a picture saying, ‘Look at my incredibly valuable new car in my front yard,’ and show everyone your address,” Levin says. “Your Facebook friends are not all looking out for you. Identity theft and property theft occurs even with family and friends. Why open yourself up to pain?”

10. Storing confidential info on your smartphone

Don’t keep passwords, PINs or your Social Security number stored on your smartphone — even in your email account. In other words, don’t save an email called “Passwords” or “Social.” This applies to your personal information as well as the personal information of your children or family members. “There are people out there with all good intentions who are helping their children or parents deal with a financial issue, so they store all this personal information on their phone so they’ll have it handy,” Levin says. “Your phone is a communication device — not a storage device.”
