
October 22, 2008

What have Sarkozy, Clarkson and Palin got in common?

For clarification, I should mention that I mean Nicolas Sarkozy, Jeremy Clarkson and Sarah Palin, but the question remains: what have they got in common?

The answer is they have all had high profile identity theft issues in the past 6 months.

Now granted, Jeremy Clarkson (a British TV presenter and journalist) deserved it. He deliberately published his personal information in a UK national newspaper to prove that the whole identity theft problem was overhyped.

Having briefly met Clarkson, a man who in the two minutes I chatted to him used more swear words than I normally use in a year, I can only imagine that his wife had to put her hands over her children's ears when he found out that someone had used the information he published to transfer £500 from his bank account to a charity, proving how dumb he had been.

Sarah Palin had her Yahoo email account compromised. This was more a mischievous prank than malicious fraud, but it proved how easy it can be if you know some information about the account holder. The attacker got in by correctly guessing (or, more accurately, researching Sarah Palin on Wikipedia and Google) the answers to her password reset questions.

And finally Sarkozy. A man who, I can only presume given his position as President of one of the world's leading economies, is intelligent, fell for a phishing scam.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117548&source=rss_topic17

Each one of these could have been prevented with some form of stronger authentication:

1) Clarkson: With stronger authentication, a reader armed with his published details would not have been able to set up the transfer.

2) Palin: Password reset functionality would not result in a compromise if the account were also protected by some kind of token, because a researchable answer alone would no longer be enough.

3) Sarkozy: If his account had been protected by stronger authentication, then even if he had responded to a phishing email it would be unlikely (but not impossible) for the fraudster to have completed a real-time attack before the stolen credential expired.

There are some positives to take out of this:

1) The general consumer becomes more wary of publishing personal data and of phishing emails.

2) The more these things happen, the more likely we will adopt stronger authentication technologies to help protect online accounts. This is not just because a high profile person such as Sarkozy says so, more that the general population will demand better security the more they realise they are under threat.

3) Jeremy Clarkson got scammed for £500.

I know the last one sounds a bit malicious, but I really didn't like him when I met him...

October 20, 2008

How is security affected by the credit crunch - Post 3 (of many)

In the first post in this series I mentioned I would touch on some of the more obvious effects of the credit crunch. No surprises here: the fraudsters have changed their tactics to try and exploit the uncertainty. Even if you are not based in the UK, I am sure you will have seen that the main banks affected by this are RBS, Lloyds TSB and HBOS.

http://www.timesonline.co.uk/tol/money/consumer_affairs/article4965394.ece

Well, it seems that the malicious people who are determined to get your money have started sending out phishing emails in those banks' names, hoping to snare a few of their customers.


It amazes me that phishing must still be working after so much consumer education about the problem through news stories such as this, but I guess they wouldn't be doing it if there were no money to be made.

I remember being told 3 years ago that phishing had peaked. Since then the quantity and variety of attacks has continued to rise, and my guess is this trend will continue.

October 13, 2008

How is security affected by the credit crunch - Post 2 (of many)

The markets are up today, which can only be good news, but only a fool would say we have definitely turned the corner.

There seems to be a pattern that you can follow when we have major incidents like this:

1) Panic
2) Attempts at a solution which, individually or combined, eventually work
3) Assessment of how things have changed and what we should be doing now

I think we are edging towards number 3 now.

And if that is the case, what has changed? Well firstly consumer trust in banking has been badly knocked. These great institutions don't quite seem as solid as they did 6 months ago.

And it is wider than that. This article from Computer Weekly highlights how consumers and employees are not happy with the measures big business takes to protect their identities:

http://www.computerweekly.com/Articles/2008/10/10/232612/fraud-survey-highlights-business-security-failures.htm

As in banking generally, if you don't trust, you don't do business.

So what should banks be doing? Well, they need to regain the trust of their customers, and one way of doing that is demonstrating that they take their customers' security seriously, especially in the online space where confidence is already low.

I am not saying that this will cancel out all the mistrust that has been generated, but building trust takes time and little steps can make a big difference.

October 10, 2008

How is security affected by the credit crunch - (Post 1 of many)

I think most of us are quite surprised about how deep the financial crisis is becoming.

More and more of us are sitting here and wondering how it will affect us in our personal or business lives over the coming months, and I thought I would try and take a look at how it affects consumer authentication.

I will cover the more obvious ones in later posts, like potentially smaller security budgets and the cost savings of using the internet as a channel, but a little gem from the BBC website really caught my eye.

The upshot is that all of a sudden banks aren't lending as much money as they used to. OK, so how does that affect fraudsters? Well, less money available to lend manifests as tighter controls on the acceptance of applications for new credit agreements, which are falling rapidly. An overall decrease in credit applications naturally means an overall decrease in the number of fraudulent applications that get through the system. With the notable exception of whaling (targeting high-net-worth individuals for nefarious gains), if you are stealing an identity you are less likely to get a fraudulent application accepted, because the individual is less likely to be judged creditworthy.

So as a fraudster what do I do? I need to make my money, so I target those people who already have an established relationship with the organisation. In other words I target the people with an existing account. This is where consumer authentication really becomes important.

The more I follow fraudsters, the more I come back to the idea of "the rational man". This is one of those stating-the-obvious theories hidden behind psychobabble: if it makes financial sense, everyone will do it.

According to the BBC article, which I find convincing, fraudsters will switch their focus from application fraud to account-based relationships as they become unable to make money through the application channel.

But what is most interesting here is that the UK banking industry looked like it was winning the account takeover war. Fraud in this area had reduced from £33m to £22m between 2006 and 2007. This was mainly due to better risk-based authentication being conducted in the back office as consumers (and yes, fraudsters) tried to access accounts.

And then, for the first half of 2008, APACS released fraud figures showing that account takeover fraud is increasing again.

Some questions, with my opinion as answers:

1) Is the rise in account takeover fraud a direct result of the credit crunch and the associated switch from application fraud to account takeover? I doubt it; the credit crunch hadn't really bitten by the time these figures were released.

2) Didn't the security implementations of EMV CAP (i.e. PINsentry et al) mean that account takeover fraud was decreasing? Well, I am sure that these initiatives had a positive impact on fraud, but my guess at what has happened is that those banks which have implemented stronger authentication are experiencing less fraud, while those that haven't are seeing exponential growth in fraud in this area. And this fraud is only going to get worse as fraudsters follow the rational man hypothesis and go for the easiest money: account takeover at those banks that have not implemented more secure authentication.

3) So should all banks follow the EMV CAP model? I don't think so. I love the security benefits of PINsentry et al but hate the usability issues, which are well documented (just Google PINsentry and you will see what I mean). There are other, more consumer-friendly devices that can achieve similar results to EMV CAP, especially when combined with risk-based authentication, and I believe they will become more prevalent.


4) Will fraudsters following the rational man model keep targeting the account based relationships in the banking sector? Yes, increasingly so. Do nothing and your fraud will rise. Tell me I am wrong.

5) If application fraud decreases and account takeover fraud increases, will that only be in the financial sector? Absolutely not. Any account-based relationship is a potential money spinner for a fraudster; see the earlier post about Mexican bail bonds.

So, here are a few questions which I will leave for you to answer:

1) As a bank, do you believe you should be doing more to stop account takeover fraud, given that overall fraud is rising but competitor organisations have already implemented technology to reduce it, making you the easier target?

2) As a non-financial-sector organisation, do you really believe that fraudsters are not looking at you as a potential target as online banking gets more secure?

3) As fraud rises and confidence among your consumers falls, threatening the cost-effective internet channels you want to grow, does your business not need to consider stronger authentication?

In my opinion, account takeover fraud will continue to rise, with or without the credit crunch, but perhaps this crisis and the associated fraud losses incurred will be a catalyst for organisations to act.

October 9, 2008

Mexican bail bonds


This is priceless. No really, this is a new fraud I had never heard about (OK, the principles are nothing new, but the implementation is).

According to the Guadalajara Reporter, which I presume is a respected voice in the land of tequila, fraudsters have come up with an innovative way to defraud Joe Public, and it goes something like this.

Step 1 - Fraudster gains control of an individual's personal email account
I guess you are not surprised by this so far; it could have been phishing, a Trojan delivering a keylogger, or guessing the password reset questions.

Step 2 - Fraudster emails all personal contacts stored in the address book of the taken-over account
OK, still nothing new... what happened next?

Step 3 - Email contains an appeal for funds because the owner of the stolen account is in jail and needs money for bail
So I guess you have got this by now, but to explain fully just in case, perhaps the email looks like this:

"Hi friends, I need your help. Unfortunately I am in jail (again), of course I didn't do it but try persuading the Guadalajara police that. I need your help to post bail, please send whatever you can (at least 1000 pesos) to the following bank account as soon as possible XXXX XXXX XXXX XXXX. Thanks. Jose."

You might think that you would never have friends who would ask you for a contribution to help them out of jail, and would dismiss it as a scam, so how can this be relevant to me?

Well, let's substitute the "bail" request for something closer to home. Remember, this is an email you receive from someone you know and probably receive emails from regularly:

"Hi friends, I need your help. I am running the London Marathon this year and I promised to raise £1000, so far I am only at £300. If I don't get the full £1000 there are going to be a lot more homeless children, so please donate (at least £10) to the following bank account as soon as possible XXXX XXXX XXXX XXXX. Thanks. John."


Sounds more feasible?

How many times do you ignore spam from people you have never interacted with before? Probably always, you don't trust the sender, you don't trust the content.

How many times do you ignore an email from a trusted friend? You may be wary of opening a file supposedly sent from a friend, but would the above call for help be equally ignored?

There is a level of trust you have established with your contacts which can be so easily abused by fraudsters. Why? Because a username and password are so easily stolen. We need stronger authentication in the consumer space, but unfortunately it will take scams like this before some businesses and consumers realise that.

I'm Back!

Sorry for not posting, but I'm back now.

It's been a really busy summer for me; here is the reason.....

I am very happy to say that I am now a father of a beautiful baby girl, and things have settled down well enough now for me to start blogging again, regularly.

She also blogs herself, and I am afraid I won't be sharing a link to her blog or her name, as you would probably be able to find the blog if you knew my surname and her first name. Why don't I want you to find her blog? Well, when my wife set up the blog she asked what she should or shouldn't publish, from a security perspective.

We defined a policy for the new person's blog as follows:
- Only first names
- No surnames
- No details of where we live
- No plans for holidays

Maybe I am being paranoid, but I know it is part of my duty as a father to prepare her for life, online or offline.

If I made public her full name, the day she was born, the town we live in and other personal details like her mother's and father's names, I would already be setting her up for an online fall. The amount of information being published by people on Facebook and other similar sites is manna from heaven for fraudsters. If you analyse what you need to take over a consumer's identity, the above information is a significant part of it.

And what if we published when we were going on holiday? It would only take a bad guy a little time to find out where we live and to know the best time to pay me a visit to relieve me of my treasured possessions.

Just put it down to new parent paranoia...