Millions Spend a Billion-a-Day in UK

Posted on July 14th, 2014 by Dan Rampe

BBA Report Has Brits Spending Close to £1 Billion (1.5 billion USD) per Day Using Mobile and Online Devices

A report from the accounting firm EY and the British Bankers Association (BBA), “The Way We Bank Now: It’s in Your Hands” (link to report), notes that millions of UK customers use contactless cards (pocket-sized cards with embedded chips for processing and storing data), payment by mobile and SMS balance alerts. And this year, in the UK, more than 15,000 people each day will be downloading banking apps.

Highlights from the report:

  • Internet and mobile banking is now used for transactions worth £6.4 billion (11 billion USD approximately) a week – up from £5.8 billion (9.9 billion USD approximately) last year.
  • Banking apps for mobiles and tablets have now been downloaded more than 14.7 million times – a 2.3 million rise since January at a rate of around 15,000 per day in 2014.
  • Internet banking services typically receive 7 million log-ins a day.
  • Spending on contactless cards is expected to rise to £6.1 million (10 million USD approx.) a week this year – up from £3.2 million (55 million USD approximately) in 2013.

CEO of BBA

“This report shows just how enthusiastically the British public is embracing mobile banking, contactless cards and a range of other consumer-friendly banking technologies,” said Anthony Browne, chief executive of the BBA.

“This study shows that banks have, are and will continue to compete against one another to offer customers innovative technology. It’s a revolution putting more power in your hands.”

Mobile on the move

In his article on cbronline.com (link to article), Michael Moore cites Juniper Research’s prediction that more than 1.75 billion mobile phone users will be using their devices for banking by the end of 2019 compared to 800 million this year, and that countries like India and China will be driving this growth over the next several years.

Juniper Research’s Nitin Bhas, who wrote the report says, “The level of maturity in number and innovation of services being offered in the market across several geographical areas demonstrates that banks now regard the mobile channel as an indispensable revenue-stream.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Eating at P.F. Chang’s Could Give You Heartburn — And Not Because of the Food.

Posted on June 16th, 2014 by Dan Rampe

Wendy’s once ran an iconic ad campaign “where’s the beef?” P.F. Chang’s may have its own version, “where’s the breach?” And, if you’re a P.F. Chang’s patron, who used a credit or debit card, you have to be wondering.

Brian Krebs in his blog, krebsonsecurity.com, reported that the restaurant chain is “investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.”

He writes that earlier this month thousands of stolen credit and debit cards were being sold on an underground store that also sold “tens of millions of cards stolen in the Target breach.” And he adds, “A new ad that debuted on June 9 for a fresh batch of cards apparently stolen from P.F. Chang’s China Bistro locations.

“The ad for the Ronald Reagan batch of cards also includes guidance for potential customers who wish to fund their accounts via Western Union or MoneyGram wire transfers, advice that strongly suggests those involved in this apparent heist are once again from Russia and Eastern Europe:”

You can find Krebs’ full article by clicking on this link.


A Sign of the Times — Hacking Signs. Electronic Road-Sign Hackers Reveal a Downside to “the Internet of Things.”

Posted on June 6th, 2014 by Dan Rampe

Remember the good old days when defacing road signs meant two barrels of double-ought buckshot in a deer-crossing sign on a rural dirt road? (Note: If it needs saying, we are indeed joking. Oh, you knew it all along.)

Anyway, the modern equivalent of the shotgun, but capable of being just as dangerous, is hacking into the software controlling an electronic road sign and changing the message — for instance from “DANGER BRIDGE OUT” to “HAPPY MOTORING. DON’T FORGET TO BUCKLE UP.”

The Internet of Things provides the ability to virtually control anything that connects to the Internet and offers up all kinds of possibilities for improving life from checking the security of the home while you’re on vacation to ensuring the dog isn’t eating the sofa while you’re at work. It also has downsides.

In his blog, KrebsOnSecurity, security expert Brian Krebs writes that authorities in several states have reported that hackers have broken into and defaced electronic highway road signs. He quotes the Multi-State Information Sharing and Analysis Center (MS-ISAC) as observing “changes to road signs create a public safety issue because instead of directing drivers through road hazards, they often result in drivers slowing or stopping to view the signs or take pictures.

“That same MS-ISAC notice…points out that these incidents appear to be encouraged by sloppy security on the part of those responsible for maintaining these signs.” You may read Krebs’ entire article by clicking on this link.

Andreas Baumhof, ThreatMetrix’s chief technology officer, maintains, “the Internet of Things is coming on faster than we can cope with it. Soon enough, we will be living in smart houses and all of our critical infrastructure will be managed online. This extensive interconnectivity poses a severe risk with cybercriminals having more and better opportunities to disrupt critical utilities such as our nation’s water supply and other vital infrastructure.”

As well as warning of the dangers presented by the Internet of Things, Baumhof talks about a positive solution. “Given today’s sophisticated cybercriminals [and hackers, organizations] must collaborate through a global network for a collective response to cybercrime.”

To protect themselves against this newest threat to security, organizations including state governments, financial services, e-commerce, payments, enterprises, social networks and others can turn to global data repositories such as ThreatMetrix’s Global Trust Intelligence Network, nicknamed The Network.


MasterCard and Visa Push Hard for EMV Chip Adoption. But There’s Strong Pushback by Others.

Posted on May 27th, 2014 by Dan Rampe

What do Canada, Mexico and most of Western Europe have that the U.S. doesn’t? EMV chips. That was too easy. The headline practically gave away the answer.

Now, here’s a question that’s a lot harder to answer. Why hasn’t the United States rushed to replace magnetic stripes on the backs of credit and debit cards with EMV microchips? Especially since they would eliminate a substantial amount of plastic fraud and make shopping safer for consumers? Not to mention for banks which generally have to pony up for credit card losses?

In her AP piece, Bree Fowler focuses on the players involved and explains who’s pushing for EMV, who’s pushing against adopting the technology…and most importantly why. The following has been edited to fit our format. You can find the complete article by clicking on this link.

Chips aren’t perfect, says Carolyn Balfany, MasterCard’s group head for U.S. product delivery, but the extra barrier they present is one of the reasons criminals often choose to target U.S.-issued cards, whose magnetic strips are easy to replicate.

“Typically, fraudsters are going to go to the path of least resistance,” Balfany says.

The chip technology hasn’t been adopted in the U.S. because of costs and disputes over how the network would operate. Retailers have long balked at paying for new cash registers and back office systems to handle the new cards. There have been clashes between retailers, card issuers and processors over which processing networks will get access to the new system and whether to stick with a signature-based system or move to one that requires a personal identification number instead. These technical decisions impact how much retailers and customers have to pay — and how much credit card issuers make — each time a card is used.

The disputes have now largely been resolved. And the epic breach of Target’s computer systems in December, which involved the theft of 40 million debit and credit card numbers, along with smaller breaches at companies such as Neiman Marcus and Michaels, helped garner support for chip-based cards among retailers who were previously put off by the costs.

Chip cards are safer, argue supporters, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer’s register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards, say experts, are also nearly impossible to copy.
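The replay-resistance argument above, as an added sketch that is not from the AP article or any card scheme's specification: a toy issuer accepts a copied magnetic-stripe record every time, but rejects a replayed or altered chip transaction. HMAC-SHA256, the per-card key, the counter handling and every name and value here are assumptions standing in for the card's real cryptogram scheme.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, pan: str, atc: int, amount_cents: int, nonce: bytes) -> str:
    """One-time code over the transaction details (HMAC is a stand-in)."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Holds a secret key that never leaves the chip, plus a transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self._atc = 0  # incremented for every transaction the chip signs

    def sign(self, amount_cents: int, nonce: bytes) -> dict:
        self._atc += 1
        return {
            "pan": self.pan,
            "atc": self._atc,
            "amount_cents": amount_cents,
            "nonce": nonce,  # fresh value supplied by the terminal
            "cryptogram": _mac(self._key, self.pan, self._atc, amount_cents, nonce),
        }


class Issuer:
    """Hypothetical issuer that can authorize stripe or chip transactions."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}
        self._stripe_codes = {}

    def issue(self, pan: str, static_code: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        self._stripe_codes[pan] = static_code
        return ChipCard(pan, key)

    def approve_stripe(self, pan: str, static_code: str) -> bool:
        # The stripe carries the same data on every swipe, so a copy
        # is indistinguishable from the genuine card.
        expected = self._stripe_codes.get(pan)
        return expected is not None and hmac.compare_digest(expected, static_code)

    def approve_chip(self, txn: dict) -> bool:
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount_cents"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # details were altered or the code was forged
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # counter already seen: this is a replay
        self._last_atc[txn["pan"]] = txn["atc"]
        return True


def demo() -> dict:
    issuer = Issuer()
    pan = "4000000000000002"  # constructed sample number, not a real card
    card = issuer.issue(pan, static_code="123")
    results = {}

    # Magnetic stripe: data captured at one terminal works again and again.
    captured_stripe = (pan, "123")
    results["stripe_first"] = issuer.approve_stripe(*captured_stripe)
    results["stripe_replay"] = issuer.approve_stripe(*captured_stripe)

    # Chip: the captured transaction is only good once.
    txn = card.sign(2599, secrets.token_bytes(4))
    results["chip_first"] = issuer.approve_chip(txn)
    results["chip_replay"] = issuer.approve_chip(dict(txn))

    # Bumping the counter and amount without the key breaks the cryptogram.
    altered = dict(txn, atc=txn["atc"] + 1, amount_cents=99999)
    results["chip_altered"] = issuer.approve_chip(altered)

    # The genuine card keeps working for its next purchase.
    results["chip_next"] = issuer.approve_chip(card.sign(500, secrets.token_bytes(4)))
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name}: {'approved' if approved else 'declined'}")
```
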

For its part, Target is accelerating its $100 million plan to roll out chip-based credit card technology in its nearly 1,800 stores. New payment terminals will appear in stores by September, six months ahead of schedule. Last month, the retailer announced that it will team up with MasterCard to issue branded Target payment cards equipped with chip technology early in 2015. The move will make Target the first major U.S. retailer with its own branded chip-based cards.

Even so, the protections chips provide only go so far, according to opponents who note that chips don’t prevent fraud in online transactions, where consumers often enter credit card numbers into online forms. Some opponents also point to other technologies, such as point-to-point encryption, as better long-term solutions.

Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches, says that while chips would be a big security improvement, they wouldn’t have stopped the hackers from breaching Target’s computer systems where they also stole the personal information, including names and addresses, of as many as 70 million people, putting them at risk of identity theft.

“Chip and pin is just another security component,” Stasiak says. “What matters is how companies like Target use consumer information, how they protect it.”

Banks generally pick up the tab for credit card-related losses, but companies such as Visa and MasterCard stand to lose too, if data breaches continue to occur with increasing frequency. After all, if consumers don’t feel safe using cards, they may choose other ways to pay for purchases.

“It’s not just about fraud and losses, it’s about the trust involved in electronic payments that’s destroyed,” says Ellen Ritchey, Visa’s chief enterprise risk officer.

In March, Visa and MasterCard announced plans to bring together banks, credit unions, retailers, makers of card processing equipment and industry trade groups in a group that aims to strengthen the U.S. payment system for credit and debit cards. The initial focus of the new group will be on banks’ adoption of chip cards.

That comes ahead of a liability shift set to occur in October 2015, when the costs resulting from the theft of debit and credit card numbers will largely fall to the party involved with the least advanced —and most vulnerable— technology. For example, if a bank has updated to chip technology, but the retailer involved hasn’t, the retailer will be liable for the costs.

Stasiak says many of the retailers he works with already have the technology in place. Once the banks start issuing chip cards, the retailers will activate their new systems, he says.

Banks say that despite the jump in high-profile data breaches, fraud still accounts for a small fraction of total transactions processed, while the cost related to issuing chip cards to all of their customers and switching out all of their ATMs is substantial. Banks have urged lawmakers to make retailers more accountable for their own security in hopes of recouping more of the losses from cybercrime.

Richard Hunt, CEO of Consumer Bankers Association, says that in cases of major fraud, banks have generally been able to collect only pennies on the dollar from the retailers involved.

Hunt says even if banks put chips in cards, it won’t do any good if retailers don’t upgrade their systems.

“We have to improve fraud prevention across the board,” he says. “There are people who get up every day across the world with one mission and that’s to break credit card technology. But there’s no magic pill out there. The solution involves everyone.”


ThreatMetrix CFO Frank Teruel Explores How Companies Can Authenticate Customers — Without an Involved Process that Loses Their Business.

Posted on May 8th, 2014 by Dan Rampe

In a thoughtful and well-reasoned piece, “Trust: The Only Online Currency That Matters,” on wired.com, security expert and ThreatMetrix® CFO Frank Teruel tackles a dilemma facing every company selling products or services online. That is separating the wheat from the chaff. Or, put another way, authenticating real customers from cybercriminals without complicated processes that degrade user experience and cause customers to go elsewhere.

Teruel writes:

Is your company turning away good customers in an effort to stop bad actors? Regretfully, all too often, Internet fraud mitigation efforts are so constricting they turn away real customers.

The reason businesses often turn away good customers is because every site visit or event immediately manifests the natural query inherent in any online transaction – can this transaction be trusted? Determining whether or not a transaction can be trusted is an immensely complicated issue in a world of big data, compromised credentials, and highly trained, well-funded bad actors whose sole mission in life is to make you believe they are trusted users so they can gain access to your site.

Once cybercriminals gain access to a website, the consequences can be extremely detrimental, not only because of stealing data, or scraping bank accounts, or using stored credit cards and applying for loans or credit, or any other host of resulting bad behaviors, but also from the ire of your legitimate customers who suffer from the impact of a breach of trust. Any executive at a business that operates online, irrespective of industry, who is not focused on the impact of cybercrime and Internet fraud, is risking the most important attribute of any customer relationship – trust – and once lost, it is not easily restored.

Tighten the Screws

How do companies that value their customers wind up in this quandary of lost trust? Frankly, the answer is rooted in a very natural reaction to increased Internet fraud rates. Unless your organization’s cybercrime prevention efforts are based on an intelligent system that provides real-time contextual data, your authentic customers will get caught in a dragnet that may reject them outright or, at a minimum, challenge their attempted interaction. Worse still, if the transaction involves digital goods where a review is impossible, your organization will lose that sale to a legitimate paying customer.

Rejecting and challenging good customers are both ineffective and abrasive approaches to cybercrime prevention. One strategy treats customers with disdain and the other imposes challenge questions or secondary authentication that often leads to transaction abandonment, angry customers and lost revenue. In fact, the CyberSource Online Fraud Report estimates that 75 percent of all manually reviewed transactions are real customers facing system friction.

In addition, business costs of manually reviewing transactions are also significant in terms of personnel costs. Reviewers can take up to 1.5 hours to review a single transaction that on average is accepted 75 percent of the time.

Overall, what are the biggest drawbacks of overly stringent online fraud strategies?

  • One: angry customers willing to take their business elsewhere
  • Two: lost revenue on abandoned transactions, and
  • Three: massive review costs

All significant and all juxtaposed against the other alternative – loose fraud controls that lead to real dollar losses, breaches of customer accounts and data, and large potential charges, fines, and lawsuits. However, there is an approach that enables businesses to solve this trust problem and eliminate the unacceptable alternatives of too much friction or too much fraud.

Crystal Ball

It turns out that the best way to mitigate some of this tension is to know your customer irrespective of the devices they are using to interact with your site, the credential used to attempt that interaction, and their behavior during the visit. Businesses don’t need to know a customer’s name to know their customers. Instead, they can use real-time global intelligence that correlates a virtual persona with the device or related devices used. That first touch information then can be correlated to that persona’s transaction history and other salient attributes like location and good and bad behavior in real time across a global network.

By using such an approach, businesses can predict with great certainty whether that persona is in fact a legitimate customer or an enterprising bad guy, aka – criminal, masquerading as a customer. As a result, this approach can reduce review challenges and the associated dollars while still reducing Internet fraud rates. Think of this approach as a trusted customer crystal ball.

Global Contextual Trust Intelligence

The key is access to rich transactional intelligence that contextualizes the pending interaction between you and the customer, the method of interaction/device and its attributes and anomalies, and how that customer has behaved or been treated throughout other site interactions in the network. A combination of that critical contextual data, or truth data, is the only way to solve the trust calculus. The challenge is that no one will provide certain truth data for fear of violating personally identifiable information (PII). So what can businesses do to overcome this challenge?

First, find a partner with a global network vast and diverse enough to provide transaction intelligence that is applicable to specific businesses. For example, if you are a bank deliberating on the “trust conundrum,” knowing that the customer in question was just successfully vetted and completed a transaction with another financial institution has much greater utility or trustworthiness than knowing whether the customer successfully logged into their Facebook account.

Second, do not rely on device identification alone. The device may be clean, in the hands of a bad guy with a stolen credential, which can lead to a trust decision businesses will regret. Make sure that the device information is just one component of the vetting process.

Third, ensure that your business has the ability to rate specific risks and set their own policies best suited to the Internet fraud risks and trends facing their business. Relying on canned scores will not align with the unique risks faced by an individual business and may contribute to customer friction.

Fourth, use a solution that encrypts all collected data and only allows you access to it. In a world of incessant breaches, a partner that does not protect PII and associated attribute and transactional data is a breach enabler that may wind up facing congressional committees, hostile media, unimpressed boards and expensive settlement costs.

Fifth, use a partner that has a network vast enough to identify industry specific fraud trends and provide predictive analytics and suggested remediation policies and data well in advance of that risk affecting your business.

Finally, use a partner with a global SaaS solution that scales and provides real-time data across different transaction use cases, whether account takeover protection, securing payments or protecting new account creation. Doing so will eliminate the expense of maintaining enterprise software in your environment, provide an on-boarding experience that is seamless and immediately applicable and deployable, and ensure that the network and service is always evolving in a way where you benefit from the enhanced features and functionality as well as the dynamic growing global dataset.

Monetize Trust

Shifting your focus to contextual trust intelligence as a force multiplier in the trusted customer versus fraudster construct will result in less fraud, less friction, less manual intervention, and less costs. At the same time, a new focus will ensure more revenue and most importantly, more customer trust; and that is the gift that keeps on giving.


Tired of Hearing about Heartbleed? Do Something About It. ThreatMetrix Strategies for “Staunching” Heartbleed and Any Similar Threats in the Future.

Posted on April 16th, 2014 by Dan Rampe

Heartbleed, the flaw that could let a hacker defeat OpenSSL, the most common encryption technology on the Internet, went unnoticed for two years before researchers discovered it. Another way of saying it is Heartbleed put 66 percent of servers worldwide at the mercy of cybercriminals. And another way of saying that is email, instant messaging, e-commerce transactions and more were being jeopardized in every corner of the planet, exposing passwords, credit card numbers and other personal data.

The Heartbleed security flaw was a danger to websites and the mobile applications and networking equipment that connect homes and businesses to the Internet, including such things as routers and printers. In short, the flaw presented a danger to the entire Internet of Things, i.e., any device from air conditioners to refrigerators that could be connected online.

After putting in a patch to fix the flaw, many, if not most online businesses, only had one strategy to offer users: change your passwords.

“Today it’s Heartbleed and tomorrow it will be another data breach or vulnerability,” said Alisdair Faulkner, chief products officer, ThreatMetrix.

“Passwords are a static means of security and are frankly obsolete as a stand-alone authentication solution in today’s cybersecurity landscape. Once account login information is obtained, cybercriminals have access to personal data used for committing bank fraud or falsifying credit card transactions – the possibilities are endless. Security should not just rely on point-in-time authentication solutions. Instead, continuous evaluation of trust is required based on what the user is attempting to do.”

ThreatMetrix’s preventative cybersecurity strategies offer protection that goes well beyond passwords and other forms of static authentication:

Real-time trust analytics – Move beyond just big-data collection and improve effectiveness of controls with real-time analysis of device, location, identity and behavioral context for every authentication attempt. Real-time trust analytics offer unprecedented identity authentication policies for businesses and enterprises by comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more.

Enhanced mobile identification – Detects jailbroken devices and offers location-based authentication, protecting mobile transactions by indicating when the mobile operating system has been breached and the security of applications has been compromised.

“To protect against future attacks like Heartbleed, businesses need to move beyond legacy verification and authentication solutions and recognize the benefits of leveraging a collective approach to cybersecurity,” said Faulkner. “The ThreatMetrix® Global Trust Intelligence Network (The Network) delivers real-time intelligence, providing customers with consistent risk assessments of data and creating a digital persona of users by mapping their online behaviors and devices.”

Consumers can protect their online identities and personal information from threats like Heartbleed by ensuring location information on social networks is encrypted and by using different passwords across sites and never storing them on devices.


How Dumb Can You Be? Here Are 10 of the Dumbest Ways of Making Your ID “Easy Pickin’s” for Cybercriminals.

Posted on April 4th, 2014 by Dan Rampe

Because reading our blogs is a clear indication of your high intelligence, this piece is not for you. However, you might want to pass it along to somebody you know who may not quite “measure up,” but who could definitely use this information. In any case, please don’t tell them why you decided to send it.

Personal finance editor and writer Kathryn Tuggle checked with a number of experts to discover ways people put themselves at risk of having their identities stolen. In her story on thestreet.com, she identifies the top ten dumbest ways. (The following has been edited to fit our format.)

1. Using the same password for everything

If you’re using the same password for everything, you’re setting yourself up for disaster, says Bill Carey, vice president of marketing for Siber Systems, creators of password management tool RoboForm. “You have to use a unique password for every website you log into. If you think about all the stuff that has gone on lately with hacking attacks at major companies, it seems inevitable that one of the companies you do business with is eventually going to get hacked,” he explains. Unfortunately, if you use the same password for every site, once hackers get one of your passwords, they’ve got them all.

2. Giving out personal information over the phone

“A lot of people have this thing where when someone calls them on the phone and represents to them that they are an official with the government or a credit card company or a broker’s firm, they believe it’s real,” says Adam Levin, chairman and co-founder of Credit.com. The truth is, the IRS, your bank or any other official organization is never going to call you and ask for your Social Security number, Levin says. Your bank might call to alert you to suspicious activity on your credit card, but they will never ask you to confirm such sensitive personal information.

“If you get a call like this, hang up the phone and find the official number of the organization. Then you make the call to them,” Levin says.

3. Not using a password on your smartphone

“Your smartphone isn’t just a phone anymore. It’s a personal computer, and if it’s not password protected people can gain access to your email, your bank account, everything,” Carey says.

If you lose your device and you’re still logged in to apps such as PayPal or eBay, you could be in for a world of trouble.

“The more people know about you, the more likely they can hack in and steal your identity on other sites,” he says.

4. Logging into financial accounts from an Internet cafe or unsecured connection

Internet cafes are great for browsing the Web and may be fine for doing less sensitive things such as printing tickets or boarding passes, but they’re not secure enough for managing your stock portfolio or savings account, Carey says.

“You can check email, Facebook or sports scores, but you don’t want to leave yourself open to someone picking off your banking passwords,” Carey says. “Internet cafes are super convenient, but you don’t want to be doing any sensitive financial transacting.”

5. Not having a private profile on social media

“It still surprises me the number of people who don’t keep their profiles private,” says Stacey Vogler, managing director of ProtectYourBubble.com, a company that insures smartphones, laptops and other communication devices. When you have your birth date, your phone number or your address on your profile, it’s an invitation for hackers to come in and use it in a malicious way, she says.

“It’s an entry into your life and who you are,” she says. “It would be easy to figure things out after following a few posts from you on a non-private profile.”

6. Following a phishing email — even if you’re “just curious”

If you get an email letting you know you’ve won $1 million for a contest you never entered, you shouldn’t follow the link or provide any information. Many people know emails like this are a scam, but they still follow along for a bit. This is a huge mistake. “Some people are curious, so they start a correspondence with the person to see if there’s something there or to see what kind of a scam it is,” Vogler says. “Unfortunately, any entry into who you are or where you live opens the door. It suddenly becomes really easy for them to hack into your life.”

7. Failing to monitor your bank statements and credit card statements

It’s surprising how many people don’t monitor their credit card statements or banking statements to check for fraudulent activity, Vogler says. If you keep an eye on your statements, you can catch fraud early on.

“Check all your transactions to make sure they’re ones you have made. The dates and times, the merchants should all be ones you’re familiar with,” she says. “Look for anything that doesn’t seem typical to your normal behavior and notify your bank or credit card company immediately if something doesn’t check out.”

8. Carrying your Social Security card or Medicare card in your purse or wallet

“You don’t need to do it. It’s unnecessary,” Levin says. “You’re totally exposed.”

The elderly are already prime targets for identity thieves, and since your Medicare ID is your Social Security number, you’re leaving yourself at risk by carrying either.

“You never want to have something in your purse or wallet that has your Social Security number on it,” he says. “If you need to present it to a doctor or other agency one day, then carry it to the appointment and go straight home. Don’t leave it in your wallet for weeks or months on end.”

9. Putting too much information on social media

“Don’t take a selfie with your address in the background,” Levin says.

It may sound ridiculous, but some people will take a picture of their first driver’s license that displays their full name and address. Others might take a photo of their final credit card statement announcing that they’ve just paid off their bills — unintentionally displaying their account number and other personal details.

“You don’t take a picture saying, ‘Look at my incredibly valuable new car in my front yard,’ and show everyone your address,” Levin says. “Your Facebook friends are not all looking out for you. Identity theft and property theft occurs even with family and friends. Why open yourself up to pain?”

10. Storing confidential info on your smartphone

Don’t keep passwords, PINs or your Social Security number stored on your smartphone — even in your email account. In other words, don’t save an email called “Passwords” or “Social.” This applies to your personal information as well as the personal information of your children or family members. “There are people out there with all good intentions who are helping their children or parents deal with a financial issue, so they store all this personal information on their phone so they’ll have it handy,” Levin says. “Your phone is a communication device — not a storage device.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.


New Study Journeys to the Heart of Darknets to Find Out Why a Stolen Twitter Account Is Worth More Than a Stolen Credit Card…Plus Much More.

Posted on April 1st, 2014 by Dan Rampe

Brad Chacos on pcworld.com defined Darknets as “small niches of the ‘Deep Web,’ which is itself a catch-all term for the assorted net-connected stuff that isn’t discoverable by the major search engines.” It’s a “hidden underbelly, home to both rogues and political activists… accessed only with the help of specially designed anonymizing software. It’s a secretive place [and] a dangerous place, where a lot of illicit, underground nastiness occurs.”

A new study, “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar” by the RAND Corporation, a research organization that develops solutions to public policy challenges, illuminates the murky world of Darknets and black market deals for both tools such as exploit kits and the booty that’s been plundered by cyberthieves, such as personal information from credit cards.

Interviews were conducted with more than two dozen cybersecurity experts including academics, researchers, reporters, security vendors and law enforcement officials.

Michael Callahan of Juniper Networks, which funded the study, was surprised to learn that “information that traditionally fetched a high price on the black market is decreasing in value, making way for new, high-priced items.

“Traditionally, credit card information was the currency of the black market. It demanded a high price, ranging from $20-$40 on average. However, high-profile breaches have created a recent influx of available credit card data online. As a result the scarcity and value of the stolen information is decreasing. During a large credit card breach, the market becomes flooded with data causing prices to drop from $20 per record to $0.75 per record in a short amount of time.

“Social media and other online accounts are now becoming more valuable. Although prices range widely, RAND found hacked accounts can be worth anywhere from $16 to $325+ depending on the account type.”

Experts agreed that the future held more activity in Darknets including more use of crypto-currencies, malware with improved anonymity, and more attention to encryption for protecting communications and transactions. They also agreed that cyberattacks would probably outpace the ability to defend against them and that there would be more hacking for hire as-a-service.

The same experts disagreed on who would most be affected by the growth of the black market. Would it be small businesses, large businesses or individuals? And they disagreed on what commodities would be the most sought after — data records and credit card information or intellectual property. There was also disagreement on which types of attacks would be most prevalent: persistent, targeted attacks or opportunistic, mass “smash-and-grabs.”

Key Findings of the study:

• The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states.

• The cyber black market does not differ much from a traditional market or other typical criminal enterprises; participants communicate through various channels, place their orders, and get products.

• Its evolution mirrors the normal evolution of markets with both innovation and growth.

• For many, the cyber black market can be more profitable than the illegal drug trade.

The cyber black market responds to external forces as does the traditional marketplace:

• As suspicion and “paranoia” spike because of an increase in recent takedowns by law enforcement, more transactions move to Darknets; stronger vetting takes place; and greater encryption, obfuscation, and anonymization techniques are employed, restricting access to the most sophisticated parts of the black market.

• The proliferation of as-a-service and point-and-click interfaces lowers the cost to enter the black market.

• Law enforcement efforts are improving as more of them become technologically savvy. Suspects are going after bigger targets, and thus are attracting more attention. More crimes involve a digital component, giving law enforcement more opportunity to encounter crime in cyberspace.

• Still, the cyber black market remains resilient and is growing at an accelerated pace, continually getting more creative and innovative as defenses get stronger, law enforcement gets more sophisticated, and new exploitable technologies and connections appear in the world.

• Products can be highly customized, and players tend to be extremely specialized.

Study recommendations include exploring:

• How computer security and defense companies could shift their approaches to thwarting attackers and attacks.

• How bug bounty programs or better pay and incentives from legitimate companies might shift transactions and talent off the illicit markets into legitimate business operations.

• The costs and benefits of establishing fake credit card shops, fake forums, and sites to increase the number and quality of arrests, and otherwise tarnish the reputation of black markets.

• The ramifications of hacking back, or including an offensive component within law enforcement that denies, degrades, or disrupts black-market business operations.

• The options for banks or merchants to buy back their customers’ stolen data.

• Whether implementing mandates for encryption on point-of-sale terminals, safer and stronger storage of passwords and user credentials, worldwide implementation of chips and PINs, and regular checks of websites to prevent common vulnerabilities would put a dent in the black market, or force significant changes to how the market operates.

• How to apply lessons learned from the black market for drugs or arms merchants to the black market for cybercrime.

It also recommends:

• Determining whether it is more effective for law enforcement to go after the small number of top-tier operators or the lower- or open-tier participants.

• Examining whether governments and law enforcement worldwide could work together to prosecute and extradite cybercriminals including coordinating physical arrests and indictments.

“Hacking used to be an activity that was mainly carried out by individuals working alone, but over the last 15 years the world of hacking has become more organized and reliable,” said Lillian Ablon, lead author of the study and an information systems analyst at RAND. “In certain respects, cybercrime can be more lucrative and easier to carry out than the illegal drug trade.”


ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe

Businesses Can Protect Customer Identities While Enabling Confidentiality on the Internet Through Anonymized Trusted Identity Networks

San Jose, Calif. – January 28, 2014 – ThreatMetrix™, the fastest-growing provider of context-based authentication and advanced Web fraud solutions, commemorates Data Privacy Day by announcing strategies for businesses to protect consumer identities without compromising privacy.

In the age of big data, enterprises are collecting and sharing unprecedented amounts of customer information, many times unintentionally. When a single employee can steal up to 40 percent of a country’s credit data on a USB stick, and identity thieves can illegally purchase credit data, better practices are urgently needed for protecting access to online information and identities. The flip side, however, is that in order to protect against data breaches and malware, big data approaches to cybersecurity are essential for total situational awareness.

“Often, bad things happen to good people and sometimes good people – even a company’s own employees – go bad and compromise online security and privacy,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Therefore, enterprises need to combine big data techniques with a new approach to protecting privacy and unlawful access to customer and employee accounts.”

At the heart of the problem is the way trust is evaluated online. In the offline world, trust is situational, continually evaluated over time based on observed behavior and informed by reputation. In the online world, however, the vast majority of data and commerce is protected by static checks such as passwords, payment information or supposedly private “out-of-wallet” information. The problem is exacerbated by the lack of privacy-protecting intelligence sharing, meaning companies either operate in a silo, or customers must trust their identity information will not be abused by marketing organizations or breached by hackers.

“There is a fine line between offering customers comprehensive security and invading their privacy,” said Faulkner. “Finding the balance is essential to effectively protecting sensitive data while maintaining trust and preventing customer identities from falling into the hands of cybercriminals. With the advent of controversies surrounding government spying programs, the tightrope between privacy and security has become even narrower.”

Added complexity lies in differentiating between cybercriminals, who are looking for anonymity to hide their fraudulent activity, and consumers who simply want privacy. For example, a person using an anonymized IP address to read political news is one thing; it’s a completely different matter if the user is accessing a Tor network while applying for a credit card. The expectations for privacy by a legitimate consumer and what is viewed by a business as acceptable behavior are very different based on the context of the action taken.

Key strategies ThreatMetrix recommends businesses implement to achieve the balance between privacy and security include:

CEO-Sponsored Trust Protection Taskforce – It’s essential that the CEO takes a leadership stand in framing the privacy and security tightrope as a competitive opportunity to build brand trust and remove obstacles to increasing revenue. The often-competing requirements of security, privacy and marketing need to come together under a coherent strategy that moves the internal conversation beyond compliance to protection.

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leverage trusted identity networks that use strict anonymization practices to share risk intelligence and improve security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies using big data techniques without falling afoul of privacy laws or undermining consumer trust.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers and employees to be treated unfairly when their identities or accounts are abused. Analyze anonymized global patterns of identity usage, including locations, devices, accounts, transactions and associations over time, to provide ‘spoof-proof’ identity screening without false positives (incorrectly labeling legitimate users as fraudulent).

Context-Based Authentication – “Context is King” when it comes to differentiating between trusted users and cybercriminals. Businesses must dynamically establish the credibility of each and every access attempt and transaction, regardless of whether initiated by a customer or employee, based on business risk of the action and the full context of identity and device threats. Screening for these threats, which include Man-in-the-Middle and Man-in-the-Browser attacks, account compromise, bots and proxies, together with location and transaction anomaly screening, determines the level of authentication and authorization required to process the request.

“At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft,” said Faulkner. “Otherwise, government agencies will be forced to step in. It’s crucial that privacy and security professionals move to frictionless solutions that can tell whether a user is who they say they are without needing to know their name. These standards can be used as a balancing pole for chief security officers and chief privacy officers walking the tightrope between privacy and security.”

ThreatMetrix uses an anonymized global data repository, the ThreatMetrix™ Global Trust Intelligence Network (The Network), to evaluate logins, payments, new account registrations and remote access attempts for validity in real time. The most comprehensive global repository of anonymized identity and trust data, The Network uses real-time analytics to protect hundreds of millions of accounts and identities each day from cybercrime.

Through sharing strategies to balance between privacy and security, ThreatMetrix continues its commitment to Data Privacy Day, an annual event sponsored by the National Cyber Security Alliance that encourages businesses and consumers to protect their online privacy and control their digital footprint. ThreatMetrix was named a Data Privacy Day Champion for its ongoing efforts to prevent cybercrime and preserve personal data on the Internet.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

Holiday Gift Card Spending Will Reach All-Time High of $29.8 Billion, Leading to Increased Cybercrime Risks

Posted on November 20th, 2013 by Dan Rampe

ThreatMetrix Warns of Several Fraud Scenarios Associated with Gift Cards During the Holiday Shopping Season

San Jose, Calif. – November 20, 2013 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime solutions, today announces several fraud scenarios associated with holiday gift cards, as cybercriminals seek to make a profit from the lucrative market this time of year. The National Retail Federation (NRF) predicts gift card sales will reach an all-time high this holiday season – $29.8 billion in total spending – making the industry an attractive target for cybercriminals.

“Cybercriminals have developed several highly sophisticated ways to compromise gift cards and take advantage of consumers during the upcoming holiday shopping season, when merchants are often too busy with a high volume of transactions to spot all suspicious activity,” said Carmen Honacker, director of customer advocacy at ThreatMetrix. “If merchants fail to put preventative measures in place to protect against gift card fraud, it can be one of the greatest sources of revenue loss for merchants.”

Holiday Gift Card Fraud Scenarios

There are several advanced scenarios associated with holiday gift card fraud, all of which can lead to severe losses for the merchants and compromised customer account data. These scenarios include:

Stolen Gift Card Web IDs – Cybercriminals fraudulently gain access to virtual gift cards, also known as eCerts, and purchase goods and services that are then resold for profit outside the country or on auction sites.

Virtual Goods – Fraudsters take advantage of the thriving gaming industry to compromise online currency and steal virtual goods – such as extra lives, levels and customized features in video games – for personal profit. This will be especially prevalent this holiday season with the release of two big-name video game systems – PS4 and Xbox One.

Purchasing Gift Cards with a Stolen Credit Card – Using a stolen credit card number, cybercriminals can purchase gift cards either online or in-store. Physical goods such as clothing and electronics are then purchased with the stolen cards and sold online or shipped abroad and sold at a higher price for profit.

“Gift card purchases using stolen credit cards have become so prevalent that some retailers have resorted to ceasing online gift cards altogether and only accepting cash in-store for gift cards,” said Honacker. “However, retailers don’t need to miss out on these revenue opportunities due to the risk of cybercrime. With effective strategies and technologies in place to differentiate between authentic and fraudulent transactions, retailers can continue selling gift cards via credit card transactions and drastically decrease fraud attempts.”

Leveraging a collective data repository such as the ThreatMetrix™ Global Trust Intelligence Network (The Network) helps merchants differentiate between authentic and suspicious gift card transactions. If any given account, device or persona has been flagged in the past for masking its true location, stealing gift card PINs, selling stolen goods or other fraudulent activity, The Network can flag these transactions as high risk and recommend the merchant add additional screening before accepting the transaction.

More specifically, a comprehensive data repository such as The Network doesn’t automatically accept authentic orders or reject suspicious orders. Rather, The Network provides a recommendation and merchants can customize the parameters for classifying a transaction as low, medium or high risk depending on their specific business needs.

“Each merchant has different requirements for categorizing risk, which is why ThreatMetrix doesn’t merely offer a ‘one-size-fits-all’ cybercrime protection platform,” said Honacker. “While The Network may generally set certain locations as high risk, a given retailer may receive significant business from that location and can adjust the risk levels.”

The holiday shopping season is the busiest time of year for gift card purchases and retailers need advanced strategies in place to assure cybercriminals are stopped in their tracks and authentic customers are not disrupted by arduous authentication processes. ThreatMetrix is committed to continuously developing new technologies to assure retailers and other businesses across industries have all the tools they need to protect against cybercrime.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Tory Patrick
WalkerSands Communications
Tel: 312-533-9823
Email: tory.patrick@walkersands.com