The Bigger They Come, the Harder They Fall — On the Little Guy

Posted on November 27th, 2014 by Dan Rampe

The Impact of Major and Local Breaches on Two Nevada Credit Unions

Former Speaker of the House, the late Tip O’Neill, famously said “All politics is local.” In a manner of speaking the same can be said of data breaches. JPMorgan Chase, Home Depot, Target, Neiman Marcus and other high-profile breaches affected tens or hundreds of millions. However, how a local credit union handles the fallout from a major or local breach is what’s really important to that institution’s customers.

Using research from the National Association of Federal Credit Unions’ “October Economic and CU Monitor” and interviews with executives at two Nevada credit unions, Chris Sieroty on reviewjournal.com offers an overview of how two local credit unions deal with breaches. The following has been excerpted from Sieroty’s piece and edited to fit our format. You may find the complete, unedited article by clicking on this link.

More than 20 percent of plastic exposed

[A] majority of credit unions say local data breaches have affected their operations, according to a survey by the National Association of Federal Credit Unions’ October Economic and CU Monitor. [And] large national retailer breaches, such as those that occurred at Target and Home Depot, have exposed 20.6 percent of member payment cards, on average. The NAFCU estimates the Target breach cost credit unions nearly $30 million.

Small breaches cause big pain

“Small, local breaches may not garner the same headlines, but they can be just as damaging for smaller financial institutions like credit unions,” the six-page report says. “A wide majority of respondents (84.4 percent) were impacted by a local data breach during the last two years.” [And]

…most credit unions expect to spend more on data breach costs in 2015 than they did this year.

A CU CEO speaks out

“The impact of the recent card breaches has been significant,” said Wayne Tew, president and CEO of Clark County Credit Union. “Since the two most recent breaches, we have been re-issuing cards with changed expiration dates and CVV codes.”

Tew said Clark County Credit Union continues to receive daily alerts with small numbers of cards that have been breached. Clark County Credit Union operates five branches in Southern Nevada with 33,000 members and about $500 million in assets.

“To avoid any legal implications, I will refer to the breaches as coming from Party A and Party B without stating which is which,” Tew said. “To date, we have re-issued 2,440 cards due to the breach at Party A and 3,670 due to the breach at Party B.”

Losses to fraud

Direct fraud losses for Clark County Credit Union from Party A breaches so far total $22,123.76 and $830 from Party B, with more coming in.

Business as usual?

“Unfortunately, the losses are becoming a regular part of doing business,” Tew said. “Safeguards we put in place are to re-issue the cards as soon as we receive notice of possible compromise of the card.”

Another CU CEO speaks out

Brad Beal, president and CEO of One Nevada Credit Union, said in both the Target and Home Depot breaches the credit union has had to reissue debit and credit cards.

“We try to time the re-issues in such a manner as to minimize inconvenience for our members,” Beal said. “Sadly, we (have) some members who have had their cards reissued for both breaches, which multiplies the inconvenience for them.”

75,500 members could be at risk

Based in Las Vegas, One Nevada Credit Union has $800 million in assets, 75,500 members and 15 branches in Clark, Washoe and Nye counties.

“From the credit union’s viewpoint, we first must assess the magnitude of the breach, our potential loss exposure, and the cost of potentially reissuing cards,” Beal said. “These assessments require the attention of a number of our management personnel, and must be performed rather quickly.”

Monitoring transaction activity

“As to the credit union, we monitor consumer transactions carefully, watching for transactions that are inconsistent with each cardholder’s usual activity,” Beal said. “The cardholder is then promptly contacted to verify the legitimacy of any transaction that seems out of the ordinary.”

Beal said by closely monitoring consumer transactions, One Nevada Credit Union can “usually detect breaches before the merchant announces them.”

When asked if data breaches were becoming a cost of doing business, Beal said, “Absolutely not.” He said the credit union is opposed to simply accepting breaches as part of their normal business.

Strengthen data security at point of card use

“Ultimately, consumers end up paying for breaches,” Beal said. “Strengthened data security at the point of card use would go a long way to reducing these breaches, strengthening the security and reliability of our nation’s automated payment systems, and eliminating consumer inconvenience and frustration.”

Need federal standards

Beal said federal standards for merchant data security should be adopted. Tew also called for strengthening data security.

Retailers should be held responsible for losses

“The greatest safeguard would be for the retailers to have some responsibility to cover the losses incurred by the financial institutions,” Tew said. “If they would put in place the same required security systems financial institutions do, the breaches would diminish.”

Tew said retailers are proud to boast that their customers will not suffer any loss, often implying that they, the retailers, are eating the cost.

“I consider that to be deceptive business practice,” Tew said, “What retailers do not reveal is that they don’t suffer any hard losses because the costs are borne by the card issuing credit unions and banks.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

What Would Holiday Shopping Be without Cybercrime? Retailers Are Trying to Find Out.

Posted on November 26th, 2014 by Dan Rampe

PwC Survey of 758 American Companies Says $4.1 Billion Being Spent This Year to Stop Hackers

To date this year, there have been 679 major data breaches, a 25 percent increase over the same time frame a year ago, which is more than enough reason for companies to increase their investments in cybersecurity. As a matter of fact, at the current rate, the PricewaterhouseCoopers survey says spending on security could increase by another $2 billion by 2017.

In her article on detroitnews.com, Lauren Abdel-Razzaq has interviewed a number of experts to examine where and how security dollars are being spent. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.

Newest trends for keeping a step ahead of cybercrime

Karl Volkman, chief technology officer at IT services company SRV Network Inc., points to “bringing on security consultants, expanding cybersecurity staffing, and researching the newest trends to stay ahead of cybercriminals.”

More spent on cybersecurity than employee benefits or marketing

“As hackers become more advanced, global institutions will have no choice but to keep up,” says Volkman. “Dollars spent on cybersecurity could eclipse dollars spent on marketing or employee benefits. Nothing is out of the realm of possibility at this point.”

Security and customer loyalty go hand-in-hand

[Craig Peasley, head of product marketing for eBay Enterprise notes,] “Retailers need to make security and privacy of utmost importance. And if they do, they can leverage this data to provide a better customer experience that ultimately increases loyalty.”

Results of eBay Enterprise survey

Of the companies eBay Enterprise surveyed, 65 percent of larger retailers said they had heightened concerns about data security, and 77 percent said they have not experienced a security breach.

Considering last year’s $148M breach, how is Target coping?

[Target CEO Brian Cornell] said the company has bolstered its IT and compliance staffs and invested in new technology to better protect data. However…Target will not begin accepting EMV cards…until early next year. The retailer also is beefing up security on Target debit cards; the rollout for that is also planned for early next year.

UK Millennials Ready to “Pay Their Dues” Via Mobile

Posted on November 25th, 2014 by Dan Rampe

New Report Says Prime-Demographic Millennials Are Much More Positive about Mobile Payments than Any Other Age Group

JWT Intelligence, which conducts research and analysis of emerging trends, found that millennials in the UK are most receptive to making payments using a mobile device.

In a story on the JWT Intelligence study that ran on thepaypers.com (link to article), the research organization discovered that UK internet users 18 to 34 had a much more positive attitude toward mobile payments than any other age group. Just about half (48 percent) said they would use their mobile phones for small transactions. That number is well above the 29 percent average across all age groups.

From time immemorial (okay maybe only since marketing people kept track of these things), 18 to 34 have been virtually iconic numbers. Except for people pushing cemetery plots at one end and Teenage Mutant Ninja Turtles at the other, success is generally measured in who best reaches that market segment. Therefore, finding out millennials are the most avid supporters of mobile payments is great news for the mobile payment industry and marketers who take advantage of the technology.

The study also found that 24 percent of millennials said they had used a mobile app, while 10 percent said they had used their mobile phone in a “tap to pay” scenario. The over thirty-fives “scored” just 5 percent in those same categories.

Black Friday, Sofa Sunday and Cyber Monday Will Be Red-Letter Days for Cybercrime

Posted on November 24th, 2014 by Dan Rampe

ThreatMetrix Predicts Mobile Transactions and Account Takeovers Will Turn Holiday Shopping into “the Nightmare before Christmas,” Chanukah and Kwanzaa

This year is expected to be one of the hottest shopping seasons on record. In fact, the National Retail Federation expects a 4.1 percent increase in sales. Translated into hard cash, that’s roughly $616.9 billion, more than enough incentive for cybercriminals to go all out looking for soft spots to attack on e-commerce sites.

Cybercrime migrating from POS to online

And, with the adoption of in-store technologies like EMV and Apple Pay making it harder for criminals to make a living doing point-of-sale fraud, e-commerce businesses can expect many of those criminals to shift their expertise into online crime.

To help e-commerce businesses protect themselves and their customers before the holiday shopping season goes into full swing, ThreatMetrix offers these predictions, observations and suggestions:

Transactions at the table: Increase in mobile shopping starts before the turkey’s done

Last week, the “ThreatMetrix Cybercrime Report: Q4 2014” found that mobile represents nearly one-third of all activity on The ThreatMetrix® Global Trust Intelligence Network (The Network). Combine that with the fact that Adobe has predicted the season’s lowest prices will pop up on Thanksgiving Day and consumers can expect to see a lot of mobile shopping taking place during their Thanksgiving feasts, spilling over into “Sofa Sunday.”

This poses a huge opportunity for fraudsters because mobile users are more likely to store credit card data with retailers, a prime target for account takeover attacks. Another challenge is that retailers are more likely to reduce risk thresholds for mobile devices to avoid false positives.

Alisdair Faulkner observes

“Cybercriminals follow the flow of money, and this Thanksgiving, a very high number of transactions will take place through mobile channels,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Unfortunately, it can be difficult for retailers to use IP geo-location data to ensure mobile transactions are authentic. Instead, retailers should try to leverage trust intelligence networks to recognize customers with good mobile purchasing history, and complement with finer grained authentication intelligence available within a native mobile application. Retailers should also ensure that their mobile applications have not been injected by malware.”

The lump of coal in the stocking: Account takeover in the wake of high profile data breaches

Over the past year, there’ve been countless numbers of data breaches with hundreds of millions of user accounts compromised: 40 million in the Target breach, 60 million in the Home Depot breach, a whopping 1.2 billion passwords stolen by a Russian cybercrime ring. Stolen identities as a result of these and other breaches will play a major role in helping cybercriminal account takeovers this holiday season.

Retailers have to ensure that in real time they have a system in place to differentiate between trusted customers and cybercriminals. The system should be able to identify suspicious login patterns, risky or compromised devices and devices disguising their geo-location. Additionally, these systems shouldn’t add friction to the user experience or trap trusted customers in a fraud net.

Faulkner notes

“Unfortunately, many consumers use the same login credentials across multiple websites, which means that when those credentials fall into the hands of cybercriminals through data breaches or malware, all of their accounts and likely all of their credit cards will be compromised,” said Faulkner. “This sadly means that cybercriminals this year could end up having the merriest holiday season of all.”

In 2013, ThreatMetrix screened one-quarter of all Black Friday transactions in the U.S.

Last year using The Network, its global data repository, ThreatMetrix screened one in four of all U.S. e-commerce transactions on Black Friday to help retailers protect their customers from cyberfraud. The Network analyzes more than 850 million monthly transactions, and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites. It is the most comprehensive data repository of its kind, using its real-time analytics to evaluate logins, payments, new account registrations, remote access attempts and other transactions for validity.

ThreatMetrix Predicts Mobile Transactions and Account Takeover Attacks Will be Easy Pickings for Cybercriminals This Holiday Season

Posted on November 24th, 2014 by Dan Rampe

ThreatMetrix Outlines Cybercrime Predictions for the Upcoming Black Friday and Cyber Monday Holiday Shopping Days

San Jose, CA – November 24, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced cybercrime predictions for the upcoming surge in consumer spending surrounding Black Friday and Cyber Monday and the rest of the holiday shopping season.

According to the National Retail Federation, this holiday shopping season is expected to see a 4.1 percent increase in sales, climbing to $616.9 billion. Unfortunately, cybercriminals will be on high alert for holes in e-commerce sites’ cybersecurity, cashing in on the significant shopping surge. With new in-store technologies like Europay-Mastercard-Visa (EMV) and Apple Pay continuing to build momentum and cutting down point-of-sale fraud in store, e-commerce businesses need to be prepared for such technologies to push more fraud online and put preventative measures in place to protect against those risks.

To help retailers protect themselves and their customers leading up to the busiest days of the 2014 holiday shopping season, ThreatMetrix has outlined several predictions for the busiest shopping days of the year:

Transactions at the Table: Increase in Mobile Shopping Starting Early

Last week, the “ThreatMetrix Cybercrime Report: Q4 2014” found that mobile represents nearly one-third of all activity on The ThreatMetrix® Global Trust Intelligence Network (The Network). Combine that with the fact that Adobe has predicted the season’s lowest prices will pop up on Thanksgiving Day and consumers can expect to see a lot of mobile shopping taking place during their Thanksgiving feasts, spilling over into “Sofa Sunday.” This poses a huge opportunity for fraudsters because mobile users are more likely to store credit card data with retailers, a prime target for account takeover attacks. Another challenge is that retailers are more likely to reduce risk thresholds for mobile devices to avoid false positives.

“Cybercriminals follow the flow of money, and this Thanksgiving, a very high number of transactions will take place through mobile channels,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Unfortunately, it can be difficult for retailers to use IP geo-location data to ensure mobile transactions are authentic. Instead, retailers should try to leverage trust intelligence networks to recognize customers with good mobile purchasing history, and complement this with finer grained authentication intelligence available within a native mobile application. Retailers should also ensure that their mobile applications have not been injected by malware.”

Lump of Coal: Account Takeover in the Wake of High Profile Data Breaches

In the wake of the countless number of data breaches over the past year, hundreds of millions of user accounts have been compromised, from 40 million in the Target breach, to 60 million in the Home Depot breach to a whopping 1.2 billion stolen by a Russian cybercrime ring. These stolen identities will play a major role in the efforts of cybercriminals looking to cash in this holiday season through account takeover attempts.

Retailers must ensure they have a system in place to differentiate between trusted customers and fraudsters in real time by identifying suspicious login patterns, risky or compromised devices or devices disguising their geo-location. Additionally, putting high authentication requirements in place that don’t add friction to the user experience can successfully block cybercriminals without trapping trusted customers in the fraud net.

“Unfortunately, many consumers use the same login credentials across multiple websites, which means that when those credentials fall into the hands of cybercriminals through data breaches or malware, all of their accounts and likely all of their credit cards will be compromised,” said Faulkner. “This sadly means that cybercriminals this year could end up having the merriest holiday season of all.”

Last year, ThreatMetrix screened one in four of all U.S. e-commerce transactions the day after Thanksgiving to help retailers protect their customers from fraudsters through its global data repository, The Network, which analyzes more than 850 million monthly transactions, and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites. The Network is the most comprehensive data repository of its kind, using its real-time analytics to evaluate logins, payments, new account registrations, remote access attempts and other transactions for validity.

© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

Unconventional Wisdom on EMV

Posted on November 24th, 2014 by Dan Rampe

Two Javelin Analysts Argue EMV Will Not Shift Cybercriminals’ M.O.s From P.O.S. to Online

Everybody knows that when EMV becomes the American standard next October, beaten cybercriminals will drop Point of Sale theft like a hot rock and take to the hills or try their collective hands at online fraud and thievery. P.O.S. crime goes down, online crime goes up. Everybody knows that, right? Wrong.

Two Javelin Strategy & Research analysts, Nick Holland, retail payments practice lead, and Al Pascual, fraud and security practice lead, just don’t buy into the conventional wisdom. In his piece on digitaltransactions.net, John Stewart explains the analysts’ reasons for bucking convention. The following has been excerpted from his piece and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Sticking a pin in the balloon

“The balloon-squeezing mythology [squeeze a balloon at one end and it expands at the other] needed to be revisited with a fresh set of eyes. Does this idea that EMV forces fraud to other areas still hold water? We had our doubts.”

They’re heeere (Think the classic line from Poltergeist)

The “missing” factor, argue[d] Holland and Pascual…is the explosive growth of e-commerce. In other words, rapidly rising volume in this channel has already attracted plenty of fraudsters in recent years, a trend that will only continue with or without EMV in physical stores. “They’re already there,” [said] Holland. “They already leapt online years ago.”

Half of all transaction fraud online

To buttress their point, Holland and Pascual point to current e-commerce fraud statistics. In the United States, online traffic accounts for just 8.5% of all electronic-transaction volume, yet nearly half of all transaction fraud occurs online.

Multitasking

Fraudsters, in their nefarious way, tend to be multitaskers, attacking all forms of payments in all channels opportunistically. EMV has proven itself effective in other countries against counterfeit-card fraud at the point of sale. But to Holland and Pascual, the idea that criminals confine themselves to just that form of fraud, and then move on to card-not-present crime only when frustrated by EMV, is naïve.

e-Commerce fraud soaring

[e-Commerce] fraud in the United States is due to soar, even if the move to EMV will have little to do with it. If volume drives fraud, and if, as predicted by Javelin, online volume grows to more than 10% of all e-payments within three years, then card-not-present fraud can only grow much worse. “Card-not-present fraud is already very big and will get bigger,” warns Holland.

Same-day delivery delivers fraud

Exacerbating this problem, he says, is the nascent trend toward same-day or even faster delivery. While this trend promises greater convenience for consumers, it opens new opportunities for fraudsters with stolen payment credentials, Holland warns.

“Increasingly, you’ve got this situation where you’re shopping locally but accessing inventory globally,” he notes. “[There’re] clearly avenues of fraud there, particularly when you’re getting the goods within hours. Certainly, the time between instigating payment and the delivery of the goods is short and rapidly truncating. The fraud-mitigation response needs to be tailored to that.”

MasterCard and Visa to Drop Pop-up Window Passwords

Posted on November 21st, 2014 by Dan Rampe

Taking a Page from the ThreatMetrix Playbook, the Credit Card Giants Are Moving to Non-Intrusive, Effective Authentication Systems

More than a year ago, ThreatMetrix was warning that the day of the password had passed (see the ThreatMetrix news release titled “2013: The Year of the Password Apocalypse”) and advised:

  • Integrating Login and Payment Screening for a single view of the customer whether he/she does a guest checkout on a friend’s iPad or uses a registered credit card on a mobile device.
  • Leveraging Shared Intelligence Networks to passively recognize both valuable customers and cyberthreats based on anonymized shared intelligence of device and persona reputation and behavior.
  • Implementing Trust Tags to associate user accounts and devices with additional context by tagging to see, for example, if a registered user’s email and password was compromised on another site.

Now MasterCard and Visa are transitioning out of their present systems, MasterCard SecureCode and Verified by Visa, which are based on the 3D protocol. Under the 3D protocol, a user had to enter a password in a pop-up window so the card issuer could confirm the user’s identity before the transaction was completed.

In her piece on independent.ie, Sophie Curtis points out that systems using the 3D protocol are “unpopular with online shoppers, because [shoppers are required] to use complex passwords that are easy to forget, and can be difficult to tell whether the pop-ups are legitimate or fraudulent [in other words whether somebody is attempting to capture the shopper’s password].”

Curtis goes on to discuss the new systems Visa and MasterCard are introducing. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

Invisible authentication

A new invisible authentication [reduces] the reliance on passwords as a means of verifying identity.

In the event that authentication is needed, cardholders will be able to identify themselves with the likes of one-time passwords or fingerprint biometrics, rather than committing static passwords to memory.

Facial and voice recognition apps

MasterCard is also piloting commercial tests for facial and voice recognition apps to authenticate cardholders, and conducting trials of a wristband which authenticates a cardholder through their unique cardiac rhythm.

“All of us want a payment experience that is safe as well as simple, not one or the other,” said Ajay Bhalla, president of enterprise security solutions at MasterCard.

“We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”

Adoption expected in 2015

The new protocol could be adopted in 2015 and will gradually replace the current 3D Secure protocol.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

 

 

ThreatMetrix Announces its “ThreatMetrix Cybercrime Report: Q4 2014” and Outlines Trends Leading up to the Holiday Shopping Season

Posted on November 20th, 2014 by Dan Rampe

The Report Examines Cybercrime Attacks Detected by the ThreatMetrix® Global Trust Intelligence Network and Identifies Top Concerns as Account Takeover and Customer Friction

San Jose, CA – November 20, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced the availability of its “ThreatMetrix® Cybercrime Report: Q4 2014,” which examines cybercrime attacks detected by the ThreatMetrix® Global Trust Intelligence Network (The Network) during Q3 2014.

The Network analyzes more than 850 million monthly transactions, and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites. Leveraging real-time, anonymized data from The Network, the “ThreatMetrix Cybercrime Report: Q4 2014” samples nearly one billion transactions and provides a representative summary of activity including account creation, payment and login fraud across industries.

Threats Facing the E-Commerce Industry This Holiday Shopping Season

The report places a particular emphasis on the e-commerce industry based on current attack trends. The identified card-not-present, account takeover and fraudulent account registration attacks are in no small way associated with the countless high profile data breaches in the past year and will no doubt accelerate during the upcoming $600 billion holiday shopping season. While many reports discuss cyber threat trends such as malware, massive data breaches or the total economic impact of cybercrime, the “ThreatMetrix Cybercrime Report: Q4 2014” is the first of its kind to analyze how frequently stolen and compromised identities are turned into cybercrime.

“In addition to payment fraud this holiday shopping season, our biggest concern is the spike in the number of account takeovers we are seeing on retail websites. ThreatMetrix data shows an upswing in account takeover activity in the wake of recent massive data breaches – and most retailers will be caught unprepared,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Previously, guest checkouts represented the highest risk, but due to the prevalence of data breaches and the convenience of storing credit cards to make mobile purchases easier, fraudsters have found it just as easy to use a stolen username and password as it is to use compromised credit card information that has a shorter life span before being shut down. Even strong PCI compliance and encryption means little when cybercriminals utilize stolen password and email combinations to compromise customer accounts. Retailers need to leverage a shared global network of trust intelligence to differentiate between trusted and suspicious transactions.”

In comparison to other industries, e-commerce falls in the middle when it comes to high-risk transactions, with four percent of all transactions being labeled as high-risk. Overall, high-risk transactions and logins are typically rejected outright by ThreatMetrix customers. E-commerce transactions broken down consist of the following percentages and risks:

  • Seven percent of transactions were account creation, with 5.2 percent high risk
  • 14 percent of transactions were account logins, with 5.5 percent high risk
  • 79 percent of transactions were payments, with 3.4 percent high risk

Cybercrime Leads to Customer Friction in the Financial Services Industry

In addition to e-commerce, the “ThreatMetrix Cybercrime Report: Q4 2014” examines financial services transactions and authentication attempts. While only one percent of transactions and logins are labeled as high-risk, financial services tolerate a higher threshold of risk at point of login and instead intercept attempted money transfers or rely on intrusive step-up authentication solutions to provide extra assurances. Financial services transactions broken down consist of the following percentages and risks:

  • Two percent of transactions were account creation, with 1.7 percent high risk
  • 83 percent of transactions were account logins, with 0.7 percent high risk
  • 15 percent of transactions were payments, with 0.5 percent high risk

“Attacks aimed at financial services are more targeted and result in much higher losses and possible brand damage than e-commerce ‘spray-and-pay’ attacks – meaning randomly targeting as many victims as possible,” said Faulkner. “Financial services businesses are dominated by higher authentication requirements, making it more difficult for fraudsters to attack. As a result, attacks leveraging malware are much more common and the challenge for most financial institutions has shifted from the detection of anomalous account access to stopping valid customers from being caught in the fraud net.”

One trend both the e-commerce and financial services industries must keep in mind is new in-store technologies such as Europay-MasterCard-Visa (EMV) and Apple Pay. While such technologies will cut down on point-of-sale fraud caused by recent data breaches, more secure in-store payments will increasingly push fraud online and e-commerce and financial services executives must be prepared to protect against such risks.

Media Industry Faces the Highest Percentage of High-Risk Transactions

According to the “ThreatMetrix Cybercrime Report: Q4 2014,” nine percent of transactions in the media industry, which consists of social media, content streaming and online dating websites, are high-risk, the highest percentage of all industries examined. Broken down, media transactions consist of the following percentages and risks:

  • Six percent of transactions were account creation, with 4.6 percent high risk
  • 66 percent of transactions were account logins, with 6.2 percent high risk
  • 28 percent of transactions were payments, with 3.7 percent high risk

“The media industry has the highest incidence rate of high-risk transactions due to the low authentication threshold – often only consisting of a username and password combination,” said Faulkner. “Such identities can easily be compromised due to using the same login credentials across websites and a significant number of data breaches exposing these login combinations.”

Mobile Represents A Quarter of All Activity in The Network

For the report, total mobile activity was also examined for the prevalence and breakdown of cyber threats. According to ThreatMetrix data, mobile represents nearly one-third of all activity on The Network. However, while cybercriminals target mobile, this channel still has much lower risk rates than desktop.

“As iPhone, Android and tablet usage continues to increase among consumers, mobile will represent an equal opportunity channel for cybercrime activity,” said Faulkner. “Cybercriminals always go where the money is and as more transactions turn to mobile, they will create new, sophisticated strategies to target this channel.”

The report found that while Android represents a much higher percentage in terms of market and browser share, iOS (a combination of iPhone and iPad) generates nearly twice the number of payments, logins and authentications of all mobile operating systems combined. Specifically, 64 percent of mobile transactions are either iPhone or iPod transactions. Additionally, 48 percent of mobile attacks target iOS devices.

“ThreatMetrix Cybercrime Report: Q4 2014” Identifies Top Attacks by Transaction Type

Leveraging activity across industries, mobile and desktop, the report also identified the top attacks by transaction type and found spoofing, such as IP address, geolocation, identity and device spoofing to be the most common attack types across payments, account login and account creation attempts.

As a whole, cybercrime is a multi-billion dollar industry, which consists of organized cybercrime, nation states and cybercrimes. Given the widespread prevalence of cybercrime and no signs of slowing down, businesses need to place an emphasis on understanding the types of attacks that occur once identities are compromised. In addition, no business – no matter the industry or size – can afford to stand alone in the fight against cybercrime. Rather, businesses must leverage a global network of trust intelligence to assure they have the best resources available to differentiate between authentic and fraudulent transactions without disrupting the customer experience with added friction.

To learn more, download the “ThreatMetrix Cybercrime Report: Q4 2014” eBook: http://goo.gl/6wUWrV


© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

 

 

This Is Private. Can We Keep This Just Between Us…

Posted on November 19th, 2014 by Dan Rampe

Privacy

…Evidently Not. New Survey Suggests Most Americans Feel the Security of Their Personal Information and Ability to Maintain Confidentiality Are in Danger

A Pew Research Center study titled “Public Perceptions of Privacy and Security in the Post-Snowden Era” by Mary Madden found that an amazing 91 percent of Americans believe they’ve lost control over how companies collect and use their personal information. Likely the other 9 percent who feel they have control — excluding those not within the margin of error — feel Congress is doing an outstanding job.

Anyway…

Based on the Pew research survey which recorded responses from more than 600 people and her interview with security expert Bruce Schneier, Jane Wakefield’s piece on bbc.com takes up the issue of how Americans have come to view privacy and confidentiality. The following has been excerpted from Wakefield’s article and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Worried about government

[While 91% of Americans thought companies “abused” (our word) their personal information] 80% also felt that Americans should be concerned about government surveillance…

Pew author sees privacy concerns at all-time high

The high level of media attention given both to the Snowden allegations and to large-scale data breaches among well-known US brands means concerns about privacy are at an all-time high, according to report author Mary Madden.

“[There’s] an overwhelming sense that consumers have lost control over the way their personal information is collected and used by companies.”

[Microsoft], Yahoo, Apple and Google have promised higher levels of encryption for personal data to make it harder for governments to snoop.

Social networking sites

Some 80% of respondents who use social networking sites said that they were concerned about third parties such as advertisers or businesses accessing their online data.

Fewer, although still a significant number – 70% – were concerned about the government accessing the information they shared on these sites.

May be worried about government… but want it to address privacy

Large numbers – 64% – said that it was up to government to regulate the way advertisers accessed data.

Consumers aware of tradeoffs

More than half (55%) agreed that they needed to share information about themselves in order to have free use of online services. But the majority (61%) were not buying the idea that online services were made more efficient because of the increased access they had to personal data.

Back to the future

When asked what communication medium respondents felt was the most secure, the winner was the landline phone – although only 16% said they felt “very secure” using it to share private information with another trusted person or organization.

Least secure sites

Social media sites were regarded as the least secure, with only 2% saying they felt “very secure” using such services.

People want more protection

There is already evidence that people are considering changing the way they secure their personal information, with 61% claiming they would want higher levels of protection for their data.

Security expert Schneier’s take

“We know that people are concerned about privacy but we also know that they don’t think about it when they are sharing data on Facebook because we have to socialize.

“People give Google their data and share on Facebook. Surveillance is the business model of the internet. Google knows more about what you think about than any other company on Earth.”

“People want legislative change rather than technology tools. People tend to do what is easy.”


 

 

What Do You Do When “Elvis Has Left the Building?”

Posted on November 18th, 2014 by Dan Rampe

ID Theft

Report Surveys What Victims Face after Their Identities Are Stolen.

Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.

The bard was dead on about most things, but identity theft? Well he was half right. And for somebody separated by over half a millennium from smartphones, iPads, credit reporting agencies, and even credit, that’s not too shabby.

While he had a good idea how terrible it was for a person’s good name to be stolen (Many scholars are still trying to credit Sir Francis Bacon with writing Shakespeare’s stuff.), he was off the mark when it came to the part about a stolen name not enriching the thief.

Back in the day, the Bard’s day that is, a victim could get satisfaction by demanding satisfaction, i.e., challenging the thief to a duel. It takes a lot more than a sword and skill to set things right today. In her story on foxbusiness.com, Christine DiGangi reports on the Identity Theft Resource Center’s “Aftermath 2013” study based on responses from 201 victims in 39 states. The following has been edited to fit our format. You can find the complete article by clicking on this link.

Getting loans and new credit cards most difficult

Of the 179 victims who shared how identity theft has affected their lives, 32.4% said they experienced difficulty getting loans or credit cards. That was the most common obstacle.

Followed by

The next most common answers (after “other” and “none of these apply”) were problems opening new financial accounts (22.9%) and receiving calls from debt collectors for debts incurred by the thief (22.3%).

Long time to put things right

The road to recovery was long and stressful for many people, as several victims expressed difficulty clearing their credit reports, either because they weren’t sure how to do it or the fraud kept getting reported to the credit bureaus, even after it had been removed.

Long time to find out the identity’s been stolen

For that reason (and many others), it’s incredibly helpful to stop identity theft as soon as possible. While most people find out someone stole their identity within six months of the crime starting, a large portion of victims are unaware of what’s going on for years, making the damage more difficult to reverse.
