Fall 2014 Release Incorporates New Data Sources to Enrich ThreatMetrix Context-Based Authentication

Posted on November 5th, 2014 by Dan Rampe

Fall Release

Customers Can Integrate Information from Any Source to Enhance the ThreatMetrix Global Trust Intelligence Network’s Real-Time Analysis

ThreatMetrix’s Fall 2014 Release offers a whole host of new and improved features. Now customers can privately store and analyze organizational-supplied data to determine trust and risk levels and other attributes specific to their businesses. And, through its partnership with Webroot, a leader in cloud-based, real-time Internet threat detection, ThreatMetrix provides new capabilities for analyzing and determining risk factors for applications running on Android-based devices.

Enhancing and advancing ThreatMetrix’s context-based security and fraud prevention solutions, the Fall 2014 Release has:

  • Persona DB – Enabling organizations to privately store user or customer-identifying attributes, characteristics, and behaviors. Any data relevant to authorizing visitor access may be stored. This includes information such as normal usage locations, mobile phone numbers for step-up authentication, compromised IP or email addresses, banned country lists for compliance and countless other data elements. Persona DB lets ThreatMetrix customers perform a customizable, comprehensive user, device, and behavior analysis for each access or transaction attempt in real time.

“The new Persona DB enables ThreatMetrix customers to provide their own data sources to improve their ability to distinguish between trusted users and fraudulent activity,” said Ken Jochims, director of product marketing at ThreatMetrix. “For example, banks and financial institutions can include banned country lists to ensure they are compliant with governmental trade restrictions. In addition to blocking suspicious activity, Persona DB data can also be used to enhance good customer access by identifying trusted high-value customers through frequent flier status data, streamlining access or by applying other specialized actions.”

  • Mobile Application Analysis – Security risks inherent in mobile devices are more prevalent than ever, as 42 percent of Android applications have been classified as malicious, unwanted or suspicious. The Fall 2014 Release provides an integrity check of the mobile application it’s protecting to ensure it has not been compromised or contains malware. To detect the presence of malicious or unwanted apps it also scans all installed mobile applications to verify their reputation through The Network via integration with the Webroot BrightCloud Mobile App Reputation Service. These new data collection and analysis features, together with existing mobile detection and analysis capabilities, such as root detection, deliver a complete security-risk profile of each user’s device.

“We’re excited to partner with ThreatMetrix to extend our market-leading mobile classification services to determine trust levels for Android applications,” said Scott Merkle, vice president of enterprise and OEM sales at Webroot. “Together, we can empower organizations to identify threats lurking in mobile applications while maintaining compliance by protecting access and transactions for a multitude of mobile devices.”

“As cybercriminals continue to advance their capabilities, ThreatMetrix will ensure it is providing customers with the most in-depth data available for analysis,” said Jochims. “Together, Persona DB and Mobile Application Analysis enrich and expand the data available to The Network. These capabilities enable businesses to identify cybercriminals in real time while creating enhanced experiences for trusted customers or users.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

ThreatMetrix Kicks off National Cyber Security Awareness Month by Announcing “The Network” Has Reached 850 Million Monthly Transactions

Posted on September 30th, 2014 by Dan Rampe

Data-Privacy-Day-Reed

To make significant progress against cybercrime, we’re all going to have to work together – individuals, businesses and government agencies alike. Security in this connected world requires collaboration, and collaboration requires trust.

Shared responsibility is the theme of this year’s National Cyber Security Awareness Month, a program sponsored every October by the Department of Homeland Security. To commemorate the start of National Cyber Security Awareness Month, we are thrilled to share that the ThreatMetrix® Global Trust Intelligence Network (The Network) has reached 850 million monthly transactions and now protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

While businesses must do their part to collaborate on cybercrime prevention by leveraging a collective repository of data such as The Network, the federal government is also doing its part to encourage global information sharing. President Obama’s Executive Order 13636 stresses federal accountability for sharing information with the private sector to protect critical infrastructure such as power plants, communication networks and transportation networks.

Why aren’t we doing more already?

Each of us needs to take accountability for what we do online – that’s the theme of the Stop.Think.Connect.™ campaign. But as individuals, we are greatly outmatched by size, volume and sophisticated of the cybercrime forces arrayed against us. We also trust that the websites we use are doing the right things to protect our privacy.

In a networked world, businesses need up-to-date, global information about online threats and identities to keep customer data secure. For that to happen, legitimate businesses must share data across business boundaries. But collaborating with your competitors, even for the public good, is a difficult idea in many industries.

In the financial services industry, information sharing for security purposes is an accepted practice. But in the retail environment, businesses are wary about sharing customer information with competitors and others. And of course they need to protect customer privacy.

Effective collaboration requires a degree of trust – and that’s the sticking point.

It all comes down to trust

Doing business online requires a level of trust.

  • Customers trust that businesses will protect their information and use it responsibly.
  • Businesses must trust that customers are legitimate.

Cybercrime eats away at this trust. And, sadly, lack of trust has been the Achilles’ heel of industry collaboration.

Building trust through anonymization and collaboration

Without a broad global context for the people, devices and personas creating accounts, making transactions, or logging into sensitive systems in your network, you cannot trust they are who they claim to be. To get that context, businesses have to share information with many other sites around the world.

Trust requires information sharing, yet information sharing requires trust.

At ThreatMetrix, we’re working to solve this essential dilemma. Through The Network, businesses can securely share information about devices and personas connecting to their sites, without sharing any personally-identifiable information about customers or visitors. ThreatMetrix anonymizes and encrypts information in the network, so personal identities are never revealed to other organizations.

This approach offers a pattern for other cybersecurity collaboration efforts. We need to find ways to increase information sharing around online security and global identities, and the best way to do this is to remove the risk of exposing information we need to keep private.

The more we share information about global threats, the better we can protect legitimate business and build online communities that are truly worthy of trust.

In addition to the overall theme of “cybersecurity is a shared responsibility,” the U.S. Department of Homeland Security has outlined weekly themes to commemorate National Cyber Security Awareness Month throughout October. These themes include:

  • Week One – Promoting Online Safety with the Stop. Think. Connect.™ Campaign
  • Week Two – Secure Development of IT Products
  • Week Three – Critical Infrastructure and the Internet of Things
  • Week Four – Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs
  • Week Five – Cyber Crime and Law Enforcement

ThreatMetrix plans to support each week’s theme throughout the month. And, to commemorate National Cyber Security Awareness Month, ThreatMetrix has also signed on as a “Champion” with the National Cyber Security Alliance.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

The Password Apocalypse has Happened and ThreatMetrix Predicted It

Posted on August 6th, 2014 by Dan Rampe

Apocalypse

Russian Crime Ring Rips Off 1.2 Billion Username/Password Combos and More than Half-a-Billion Email Addresses

The crime is mind boggling. It’s as if one in every seven people on the planet had been burglarized. The gang who breached 420,000 websites from obscure to household names, was discovered by Hold Security.

Alex Holden, Hold Security’s founder and chief information security officer, said, “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”

ThreatMetrix predicted this would happen as early as 2013 when  Alisdair Faulkner, ThreatMetrix chief products officer, ThreatMetrix, wrote: “2013: The Year of the Password Apocalypse.”

Early this year Andreas Baumhof, ThreatMetrix chief technology officer, wrote on the same subject, “3 Steps Businesses Can Take to Guard Against ‘Password Apocalypse’ in Wake of Data Breaches.”

And finally, ThreatMetrix provided you with an infographic titled “Data Breach! What Happens Next.”

In their nytimes.com story, Nicole Perlroth and David Gelle explore the background and ramifications of this unprecedented and wide-ranging security breach. The following has been excerpted from their piece and edited to fit our format. You may find their full article by clicking on this link.

[The] size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner, the research firm. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets…. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to… a SQL injection [where] a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

The average total cost of a data breach jumped 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

ThreatMetrix Winner: Best in Biz Awards 2014 International

Posted on August 5th, 2014 by Dan Rampe

BestinBizAwards_final_2013_international_green

ThreatMetrix Takes Silver in “Enterprise Product of the Year – Software”

Representing virtually every sector of the economy, the Best in Biz Awards 2014 International recognizes success in a number of categories as judged by industry analysts and members of the press. Journalists from financial, business and trade publications as well as industry experts objectively evaluate each of the entries to choose the world’s top companies, teams, executives and products.

“It’s quite a feat to not only be recognized among other major providers of cybersecurity solutions, but among companies of varying industries and scope around the world,” said Reed Taussig, CEO, ThreatMetrix. “Our TrustDefender Cybercrime Protection Platformenables us to differentiate ourselves from other providers of security and fraud prevention solutions as well as other global companies in the enterprise software industry. Through the platform, we can quickly identify threats and protect our enterprise customers and businesses across industries in real time.”

Leveraging the power of the ThreatMetrix™ Global Trust Intelligence Network (The Network), the TrustDefender Cybercrime Protection Platform creates trust across all types of online transactions. It guards against account takeover, card-not-present, and fictitious account registration fraud.

The Network – the largest trusted identity network of shared intelligence – processes transactions using shared intelligence that provides predictive analytics to protect online businesses and reduce customer friction.

Recently, ThreatMetrix expanded its enterprise solutions through its integration with Ping Identity’s PingFederate identity bridge. Integrating ThreatMetrix and PingFederate leverages context-based authentication and single sign-on. This enables enterprises to deliver users secure, frictionless access to their business productivity applications.

For a full list of winners, visit http://intl.bestinbizawards.com/intl-2014-winners/.

In addition to Best in Biz International Awards, ThreatMetrix has been recognized through several additional awards so far this year:

  • Named to the 2014 AlwaysOn Global 250 Top Private Companies List
  • Named to the 2014 Lead411 Hottest Companies in Silicon Valley list
  • Products Guide (NPG) 2014 Hot Companies and Best Product Award Winner for the “Best Products and Services – Information Security and Risk Management” category and also in the “Best Products and Services – Security Software” category.
  • Judges Choice for Best Overall Fraud/Security Solution at the 2014 CardNotPresent.com (CNP) Awards for the ThreatMetrix TrustDefender Cybercrime Protection Platform
  • A 2014 Info Security Products Guide Global Excellence Award for Most Innovative Company of the Year (Security)
  • 2014 Cyber Defense Magazine Award Winner in 2 Categories: Most Innovative Anti-Malware Appliances Solution & Best Product Network Access Control Solution

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

 

 

Austrian, Japanese, Swedish, Swiss Banks Hit

Posted on August 4th, 2014 by Dan Rampe

Android

Sophisticated Cybercriminals Attack 34 Banks. Side-step Two-Factor ID and Make off with a Million or More.

A recent report “Finding Holes: Operation Emmental*” says cybercriminals used the Android platform’s openness to install apps from third-party sites to make off with at least seven figures from 34 banks.

*Like Swiss cheese, i.e., full of holes.

The attackers were able to marry traditional phishing attacks to get a person’s username and password with malicious mobile apps to get the session tokens sent to their mobile devices.

Authored by security experts David Sancho, Feike Hacquebord and Rainer Link, the report says that Operation Emmental is a complex operation that involves several components. “The infrastructure required to pull the attack off is not inconsequential—the attackers need a Windows malware binary, a malicious Android app sporting various banks’ logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a compromised command-and-control server,” [the report] says, adding that the attack vector is one that has likely evolved over time.

“The fact that the most salient part of the attack — the PC malware — is not persistent [i.e., not lost when “turned off” or not in use] likely helped the attackers keep a low profile. We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means…”

In his piece on scmagazineuk.com (link to article), Steve Gold cites Sarb Sembhi, a director with STORM Guidance, observing a need for banks to put their heads together to develop common and more secure methodologies for the mobile phone and software industries.

Sembhi notes that the attack model is so highly sophisticated that cybercriminals established five or six fallback positions in the event one or more of their methods of attack are compromised. “Banks need to understand what attack model the cybercriminals are looking at, and then get together to discuss the issue, most notably how the security of the Android platform can be enhanced to stop things like this going wrong.”

In case you were wondering, the attackers are likely from Russia and Romania. How do researchers know? They found “obnilim rid” (That’s transliterated from Cyrillic) in the app’s code. That’s Russian slang for “set to zero.” The researchers said they also found a Romanian connection.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

Millions Spend a Billion-a-Day in UK

Posted on July 14th, 2014 by Dan Rampe

BBA

BBA Report Has Brits Spending Close to £1 Billion (1.5 billion USD) per Day Using Mobile and Online Devices

The accounting firm, EY, and British Bankers Association (BBA) report, “The Way We Bank Now: It’s in Your Hands,” (link to report) notes that millions of UK customers use contactless cards (pocket-sized cards with embedded chips for processing and storing data), payment by mobile and SMS balance alerts. And, this year, in the UK, more than 15,000 people each day will be downloading banking apps.

Highlights from the report:

  • Internet and mobile banking is now used for transactions worth £6.4 billion (11 billion USD approximately) a week – up from £5.8 billion (9.9 billion USD approximately) last year.
  • Banking apps for mobiles and tablets have now been downloaded more than 14.7 million times – a 2.3 million rise since January at a rate of around 15,000 per day in 2014.
  • Internet banking services typically receive 7 million log-ins a day
  • Spending on contactless cards is expected to rise to £6.1 million (10 million USD approx.) a week this year – up from £3.2 million (55 million USD approximately) in 2013.

CEO of BBA

“This report shows just how enthusiastically the British public is embracing mobile banking, contactless cards and a range of other consumer-friendly banking technologies,” said Anthony Browne, chief executive of the BBA.

“This study shows that banks have, are and will continue to compete against one another to offer customers innovative technology. It’s a revolution putting more power in your hands.”

Mobile on the move

In his article on cbronline.com (link to article), Michael Moore cites Juniper Research’s prediction that more than 1.75 billion mobile phone users will be using their devices for banking by the end of 2019 compared to 800 million this year, and that countries like India and China will be driving this growth over the next several years.

Juniper Research’s Nitin Bhas, who wrote the report says, “The level of maturity in number and innovation of services being offered in the market across several geographical areas demonstrates that banks now regard the mobile channel as an indispensable revenue-stream.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

Eating at P.F. Chang’s Could Give You Heartburn — And Not Because of the Food.

Posted on June 16th, 2014 by Dan Rampe

PFChang

Wendy’s once ran an iconic ad campaign “where’s the beef?” P.F. Chang’s may have its own version, “where’s the breach?” And, if you’re a P.F. Chang’s patron, who used a credit or debit card, you have to be wondering.

Brian Krebs in his blog, krebsonsecurity.com, reported that the restaurant chain is “investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.”

He writes that earlier this month thousands of stolen credit and debit cards were being sold on an underground store that also sold “tens of millions of cards stolen in the Target breach.” And he adds, “A new ad that debuted on June 9 for a fresh batch of cards apparently stolen from P.F. Chang’s China Bistro locations.

“The ad for the Ronald Reagan batch of cards also includes guidance for potential customers who wish to fund their accounts via Western Union or MoneyGram wire transfers, advice that strongly suggests those involved in this apparent heist are once again from Russia and Eastern Europe:”

You can find Krebs’ full article by clicking on this link.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

A Sign of the Times — Hacking Signs. Electronic Road-Sign Hackers Reveal a Downside to “the Internet of Things.”

Posted on June 6th, 2014 by Dan Rampe

Internet of Things

Remember the good old days when defacing road signs meant two barrels of double-ought buckshot in a deer-crossing sign on a rural dirt road? (Note: If it needs saying, we are indeed joking. Oh, you knew it all along.)

Anyway, the modern equivalent of the shotgun, but capable of being just as dangerous, is hacking into the software controlling an electronic road sign and changing the message — for instance from “DANGER BRIDGE OUT” to “HAPPY MOTORING. DON’T FORGET TO BUCKLE UP.”

The Internet of Things provides the ability to virtually control anything that connects to the Internet and offers up all kinds of possibilities for improving life from checking the security of the home while you’re on vacation to ensuring the dog isn’t eating the sofa while you’re at work. It also has downsides.

In his blog, KrebsonSeurity, Security Expert Brian Krebs, writes that authorities in several states have reported that hackers have broken into and defaced electronic highway road signs in several states. He quotes the Multi-State Information Sharing and Analysis Center (MS-ISAC) as observing “changes to road signs create a public safety issue because instead of directing drivers through road hazards, they often result in drivers slowing or stopping to view the signs or take pictures.

“That same MS-ISAC notice…points out that these incidents appear to be encouraged by sloppy security on the part of those responsible for maintaining these signs.” You may read Krebs’ entire article by clicking on this link.

Andreas Baumhof, ThreatMetrix’s chief technology officer, maintains, “the Internet of Things is coming on faster than we can cope with it. Soon enough, we will be living in smart houses and all of our critical infrastructure will be managed online. This extensive interconnectivity poses a severe risk with cybercriminals having more and better opportunities to disrupt critical utilities such as our nation’s water supply and other vital infrastructure.”

As well as warning of the dangers presented by the Internet of Things, Baumhof talks about a positive solution. “Given today’s sophisticated cybercriminals [and hackers, organizations] must collaborate through a global network for a collective response to cybercrime.”

To protect themselves against this newest threat to security, organizations including state governments, financial services, e-commerce, payments, enterprises, social networks and others can turn to global data repositories such as ThreatMetrix’s Global Trust Intelligence Network, nicknamed The Network.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

MasterCard and Visa Push Hard for EMV Chip Adoption. But There’s Strong Pushback by Others.

Posted on May 27th, 2014 by Dan Rampe

EMV

What do Canada, Mexico and most of Western Europe have that the U.S. doesn’t? EMV chips. That was too easy. The headline practically gave away the answer.

Now, here’s a question that’s a lot harder to answer. Why hasn’t the United States rushed to replace magnetic stripes on the backs of credit and debit cards with EMV microchips? Especially since they would eliminate a substantial amount of plastic fraud and make shopping safer for consumers? Not to mention for banks which generally have to pony up for credit card losses?

In her AP piece, Bree Fowler focuses on the players involved and explains who’s pushing for EMV, who’s pushing against adopting the technology…and most importantly why. The following has been edited to fit our format. You can find the complete article by clicking on this link.

Chips aren’t perfect, says Carolyn Balfany, MasterCard’s group head for U.S. product delivery, but the extra barrier they present is one of the reasons criminals often choose to target U.S.-issued cards, whose magnetic strips are easy to replicate.

“Typically, fraudsters are going to go to the path of least resistance,” Balfany says.

The chip technology hasn’t been adopted in the U.S. because of costs and disputes over how the network would operate. Retailers have long balked at paying for new cash registers and back office systems to handle the new cards. There have been clashes between retailers, card issuers and processors over which processing networks will get access to the new system and whether to stick with a signature-based system or move to one that requires a personal identification number instead. These technical decisions impact how much retailers and customers have to pay — and how much credit card issuers make — each time a card is used.

The disputes have now largely been resolved. And the epic breach of Target’s computer systems in December, which involved the theft of 40 million debit and credit card numbers, along with smaller breaches at companies such as Neiman Marcus and Michaels, helped garner support for chip-based cards among retailers who were previously put off by the costs.

Chip cards are safer, argue supporters, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer’s register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards, say experts, are also nearly impossible to copy.

For its part, Target is accelerating its $100 million plan to roll out chip-based credit card technology in its nearly 1,800 stores. New payment terminals will appear in stores by September, six months ahead of schedule. Last month, the retailer announced that it will team up with MasterCard to issue branded Target payment cards equipped with chip technology early in 2015. The move will make Target the first major U.S. retailer with its own branded chip-based cards.

Even so, the protections chips provide only go so far, according to opponents who note that chips don’t prevent fraud in online transactions, where consumers often enter credit card numbers into online forms. Some opponents also point to other technologies, such as point-to-point encryption, as better long-term solutions.

Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches, says that while chips would be a big security improvement, they wouldn’t have stopped the hackers from breaching Target’s computer systems where they also stole the personal information, including names and addresses, of as many as 70 million people, putting them at risk of identity theft.

“Chip and pin is just another security component,” Stasiak says. “What matters is how companies like Target use consumer information, how they protect it.”

Banks generally pick up the tab for credit card-related losses, but companies such as Visa and MasterCard stand to lose too, if data breaches continue to occur with increasing frequency. After all, if consumers don’t feel safe using cards, they may choose other ways to pay for purchases.

“It’s not just about fraud and losses, it’s about the trust involved in electronic payments that’s destroyed,” says Ellen Ritchey, Visa’s chief enterprise risk officer.

In March, Visa and MasterCard announced plans to bring together banks, credit unions, retailers, makers of card processing equipment and industry trade groups in a group that aims to strengthen the U.S. payment system for credit and debit cards. The initial focus of the new group will be on banks’ adoption of chip cards.

That comes ahead of a liability shift set to occur in October 2015, when the costs resulting from the theft of debit and credit card numbers will largely fall to the party involved with the least advanced —and most vulnerable— technology. For example, if a bank has updated to chip technology, but the retailer involved hasn’t, the retailer will be liable for the costs.

Stasiak says many of the retailers he works with already have the technology in place. Once the banks start issuing chip cards, the retailers will activate their new systems, he says.

Banks say that despite the jump in high-profile data breaches, fraud still accounts for a small fraction of total transactions processed, while the cost related to issuing chip cards to all of their customers and switching out all of their ATMs is substantial. Banks have urged lawmakers to make retailers more accountable for their own security in hopes of recouping more of the losses from cybercrime.

Richard Hunt, CEO of Consumer Bankers Association, says that in cases of major fraud, banks have generally been able to collect only pennies on the dollar from the retailers involved.

Hunt says even if banks put chips in cards, it won’t do any good if retailers don’t upgrade their systems.

“We have to improve fraud prevention across the board,” he says. “There are people who get up every day across the world with one mission and that’s to break credit card technology. But there’s no magic pill out there. The solution involves everyone.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

ThreatMetrix CFO Frank Teruel Explores How Companies Can Authenticate Customers — Without an Involved Process that Loses Their Business.

Posted on May 8th, 2014 by Dan Rampe

Wired-PR

In a thoughtful and well-reasoned piece, “Trust: The Only Online Currency That Matters,” on wired.com, security expert and ThreatMetrix® CFO Frank Teruel tackles a dilemma facing every company selling products or services online. That is separating the wheat from the chaff. Or, put another way, authenticating real customers from cybercriminals without complicated processes that degrade user experience and cause customers to go elsewhere.

Teruel writes:

Is your company turning away good customers in an effort to stop bad actors? Regretfully, all too often, Internet fraud mitigation efforts are so constricting they turn away real customers.

The reason businesses often turn away good customers is because every site visit or event immediately manifests the natural query inherent in any online transaction – can this transaction be trusted? Determining whether or not a transaction can be trusted is an immensely complicated issue in a world of big data, compromised credentials, and highly trained, well-funded bad actors whose sole mission in life is to make you believe they are trusted users so they can gain access to your site.

Once cybercriminals gain access to a website, the consequences can be extremely detrimental, not only because of stealing data, or scraping bank accounts, or using stored credit cards and applying for loans or credit, or any other host of resulting bad behaviors, but also from the ire of your legitimate customers who suffer from the impact of a breach of trust. Any executive at a business that operates online, irrespective of industry, who is not focused on the impact of cybercrime and Internet fraud, is risking the most important attribute of any customer relationship – trust – and once lost, it is not easily restored.

Tighten the Screws

How do companies that value their customers wind up in this quandary of lost trust? Frankly, the answer is rooted in a very natural reaction to increased Internet fraud rates. Unless your organization’s cybercrime prevention efforts are based on an intelligent system that provides real-time contextual data, your authentic customers will get caught in a dragnet that may reject them out right or, at a minimum, challenge their attempted interaction. Worse still, if the transaction involves digital goods where a review is impossible, your organization will lose that sale to a legitimate paying customer.

Rejecting and challenging good customers are both ineffective and abrasive approaches to cybercrime prevention. One strategy treats customers with disdain and the other imposes challenge questions or secondary authentication that often leads to transaction abandonment, angry customers and lost revenue. In fact, the CyberSource Online Fraud Report estimates that 75 percent of all manually reviewed transactions are real customers facing system friction.

In addition, business costs of manually reviewing transactions are also significant in terms of personnel costs. Reviewers can take up to 1.5 hours to review a single transaction that on average is accepted 75 percent of the time.

Overall, what are the biggest drawbacks of overly stringent online fraud strategies?

  • One: angry customers willing to take their business elsewhere
  • Two: lost revenue on abandoned transactions, and
  • Three: massive review costs

All significant and all juxtaposed against the other alternative – loose fraud controls that lead to real dollar losses, breaches of customer accounts and data, and large potential charges, fines, and lawsuits. However, there is an approach that enables businesses to solve this trust problem and eliminate the unacceptable alternatives of too much friction or too much fraud.

Crystal Ball

It turns out that the best way to mitigate some of this tension is to know your customer irrespective of the devices they are using to interact with your site, the credential used to attempt that interaction, and their behavior during the visit. Businesses don’t need to know a customer’s name to know their customers. Instead, they can use real-time global intelligence that correlates a virtual persona with the device or related devices used. That first touch information then can be correlated to that persona’s transaction history and other salient attributes like location and good and bad behavior in real time across a global network.

By using such an approach, businesses can predict with great certainty whether that persona is in fact a legitimate customer or an enterprising bad guy, aka – criminal, masquerading as a customer. As a result, this approach can reduce review challenges and the associated dollars while still reducing Internet fraud rates. Think of this approach as a trusted customer crystal ball.

Global Contextual Trust Intelligence

The key is access to rich transactional intelligence that contextualizes the pending interaction between you and the customer, the method of interaction/device and its attributes and anomalies, and how that customer has behaved or been treated throughout other site interactions in the network. A combination of that critical contextual data, or truth data, is the only way to solve the trust calculus. The challenge is that no one will provide certain truth data for fear of violating personally identifiable information (PII). So what can businesses do to overcome this challenge?

First, find a partner with a global network vast and diverse enough to provide transaction intelligence that is applicable to specific businesses. For example, if you are a bank deliberating on the “trust conundrum,” knowing that the customer in question was just successfully vetted and completed a transaction with another financial institution has much greater utility or trustworthiness than knowing whether the customer successfully logged into their Facebook account.

Second, do not rely on device identification alone. The device may be clean, in the hands of a bad guy with a stolen credential, which can lead to a trust decision businesses will regret. Make sure that the device information is just one component of the vetting process.

Third, ensure that your business has the ability to rate specific risks and set their own policies best suited to the Internet fraud risks and trends facing their business. Relying on canned scores will not align with the unique risks faced by an individual business and may contribute to customer friction.

Fourth, use a solution that encrypts all collected data and only allows you access to it. In a world of incessant breaches, a partner that does not protect PII and associated attribute and transactional data is a breach enabler that may wind up facing congressional committees, hostile media, unimpressed boards and expensive settlement costs.

Fifth, use a partner that has a network vast enough to identify industry specific fraud trends and provide predictive analytics and suggested remediation policies and data well in advance of that risk affecting your business.

Finally, use a partner with a global SaaS solution that scales and provides real-time data across different transaction use cases, whether account takeover protection, securing payments or protecting new account creation. Doing so will eliminate the expense of maintaining enterprise software in your environment, provide an on-boarding experience that is seamless and immediately applicable and deployable, and ensure that the network and service is always evolving in a way where you benefit from the enhanced features and functionality as well as the dynamic growing global dataset.

Monetize Trust

Shifting your focus to contextual trust intelligence as a force multiplier in the trusted customer verse fraudster construct will result in less fraud, less friction, less manual intervention, and less costs. At the same time, a new focus will ensure more revenue and most importantly, more customer trust; and that is the gift that keeps on giving.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.