
January 29, 2010

VeriSign has "got your back" on fraudulent ATM activity

Han Dong, Senior Product Marketing Manager, User Authentication

One great thing about blogging for a company like VeriSign, which happens to have so many cool tools in its bag, is that it's so easy to find several blogs on the net that mention you. And in this case I'm referring to a Wall Street Journal blog: "Under Surveillance: Big Brother Stocks", by James Altucher. In this blog, Altucher talks about all of the various measures (and money spent - to the tune of $200 billion in the U.S.) taken to automate the monitoring and protection of your banking transactions, checking in at the airport, and even your simple ATM cash withdrawal.

Here Altucher mentions VeriSign and our VIP Fraud Detection Service for risk-based authentication and detection of unscrupulous user activity. Fraud detection is the key to enabling risk-based authentication, where an enterprise can deploy authentication commensurate with the risk of a given transaction. The VIP Fraud Detection Service provides an "invisible means" of delivering proactive protection to consumers. Using advanced anomaly detection technology, the service detects fraudulent logins and transactions in real time without affecting legitimate users' web experience. The solution also takes a self-learning approach to fraud detection, adapting to the usage habits unique to each individual customer. Using policies and pattern recognition technology, the service can flag potentially fraudulent activities based on known types of fraud and on behaviors not associated with the user. Because the service is self-learning, it can adapt to changing criminal behavior without manual intervention. This non-intrusive approach does not require any change to a Web site and remains invisible to the consumer until a fraud is detected.

And this whole scenario is completely customizable by VIP Fraud Detection Service customers. By using the provided rules or rules you set up, and by comparing current user transaction behavior to historical and live data, the system rates fraudulent transactions and alerts you to possible risks. Once alerted, you can investigate these fraudulent transactions as cases within the Fraud Detection Service Investigation Console. As the system logs a number of transactions for each user, it can learn user behaviors to better assess subsequent transactions for fraud, and it can use feedback from rules to build lists of fraudulent and legitimate transaction information.

Going back to Altucher's article, to clarify, there is one specific optional module known as the ATM Module. This is the additional component to the VIP Fraud Detection Service that evaluates and analyzes thousands of transactions per second to detect compromised cards and ATM locations used for fraudulent activity. When the risk score generated at the time of the transaction exceeds your threshold, an instant alert notifies your fraud team. Then fraud investigation and management tools provide sophisticated analysis to efficiently resolve scams. And banks can even choose to block an activity in real time.


Rest assured, VeriSign is watching your assets...


January 12, 2010

Cloud computing security standards - Vinton Cerf, father of the internet, has got your back

Han Dong, Senior Product Marketing Manager, User Authentication

It's a good thing that people much smarter than me are thinking about the future of the internet, cloud computing, and ensuring I'm properly indoctrinated on the right social networking sites du jour. More importantly, these same smart people are constantly thinking about really critical things, like 'standards', 'interoperability', and 'security'. Guys like Tim Berners-Lee, the inventor of the Web and HTML, Paul Mockapetris, the inventor of DNS, and Vinton Cerf, the father of the internet and co-designer of TCP/IP, are constantly analyzing what's happening today and thinking about what's coming in the future. These people are among the founding fathers of the web, the internet, and the way all the intricate pieces work together seamlessly - just so you can download your tunes, update your tweet/blog, and get the latest NFL scores.

Whew, I'm glad these guys are on top of things.

Of course, anytime a paradigm shift occurs in the world of computing, there's bound to be an outgrowth of new issues and problems. And some of these new issues, related to cloud computing, are exactly what Vinton Cerf has been thinking about. Mamoon Yunus' article "Vint Cerf and Multi-Cloud Mayhem of cloud Computing" and Paul Krill's InfoWorld article "Cerf urges standards for cloud computing" both cover a number of issues Cerf sees being created by the "cloud", and how the situation is very similar to the way things were in the wild west days of early computer networks.

One issue in particular is in the area of cloud security and authentication. "Strong authentication will be a critical element in the securing of clouds," said Cerf. Multi-tenant cloud environments, and the need to ensure that only the properly authorized user is permitted to access the right services, create a critical requirement for strong authentication in the cloud. Now I bring this issue to your attention because this is precisely an area that VeriSign has given a great deal of thought and attention to in delivering our goal of providing trust on the internet and in the cloud.

From Extended Validation SSL, to VeriSign Identity Protection for Two-factor authentication and Fraud Detection Services, to PKI Digital Certificates for authentication, every weapon in VeriSign's arsenal is designed to deliver a secure, trusted experience in the cloud and on the net. And just as I discussed in my last post, VeriSign knows just how to deliver a multi-layered security strategy for anyone who's moving to the cloud.

Whew, I'm glad Vinton Cerf (and VeriSign) has got your back.

December 15, 2009

Layered Security Strategy, the Key to Trust

Han Dong, Senior Product Marketing Manager, User Authentication

Some thoughts on a couple of recent articles: one from Gartner Research, Where Strong Authentication Fails and What You Can Do About It, by Avivah Litan, and a similar article by Jaikumar Vijayan in Computerworld, which also references Ms. Litan's article.

The basic idea presented in these two articles is that "one-time passwords...are no longer enough to protect online banking transactions against fraud." These one-time password (OTP) token-based two-factor authentication methods may be compromised by man-in-the-browser malware that overwrites the user transactions to steal their assets. So the general recommendation from Avivah Litan is "A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats."

We agree that OTP is not the end-all, be-all of security for the internet. In fact, VeriSign was recently recognized as a "best in class authentication technology solution" by Javelin Strategy & Research, primarily because VeriSign espouses a layered security approach to our customers for protecting online transactions. This approach includes Extended Validation SSL to authenticate the website to a user, with an easily identifiable green address bar; the VeriSign Identity Protection Fraud Detection Service, which delivers risk-based authentication to monitor particular user behavior and trigger authentication when abnormal patterns or behavior are noted; and the VeriSign Identity Protection Service's one-time password (OTP) authentication, which mitigates account takeover by requiring an additional factor, beyond username and password, for access to critical accounts. OTP in and of itself is not a panacea, but it is part of a multi-layered security approach that anyone conducting business online should consider to protect its customers and business.

Fraud may be on the rise, so whom do you turn to for trust in the online world?
Easy, look for the check.

September 15, 2009

The next Hollywood blockbuster?


It's about time Hollywood produces a blockbuster about identity management.


No, I'm kidding. No producer would ever even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.


The movie is called "Surrogates", and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.


Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.


In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.


Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.


As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.


Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior; they may have been taken over by a vicious nerd.

December 10, 2008

Putting order into things (Part I)

By Yohai Einav, Senior Fraud Analyst

A deserted street, night, a frightened old lady hops towards a policeman who just left the bar.
Old lady: "Please officer, this e-mail is trying to phish me!"
She shows a laptop to the Policeman.
Old lady: "My grandson gave it to me for my birthday, and he warned me of such things. Now it is trying to phish me!"
Policeman: "Let me see this".
The Policeman looks at the screen. He sees a phishing email.
Policeman: "Lady, do you have any idea what this is? This is identity theft! Wait a second; I must report this to my superiors right away!"

The policeman talks into his walkie-talkie:
Policeman: "Jim, I want to report an identity theft on 8th and Houston.... Yes, an old lady again.... Yes, her grandson... no, I didn't get the IP..."
The policeman leans toward the old lady.
Policeman: "You are lucky to still have your identity. Now go home and be sure to lock your firewalls."

The lady walks away. Two minutes pass. Suddenly we see an old man running towards our policeman.

Old man: "It's a Trojan horse! He is coming for me!"

End of scene


(Taken from the new Harrison Ford movie, "Firewall 2: revenge of the firewall")


This scene (based on a true event) illustrates the pervasive confusion many of us suffer with all these security buzzwords flying around. This entry-level post will try to answer such questions as "what do these buzzwords mean" and "how do they fit into a bigger picture".

Let's start with the bigger picture.


Bad people want your money
When bad people want your money they usually have such a plan in mind:
1. Steal your personal credentials
2. Penetrate your online financial accounts using these credentials
3. Move money from your accounts to other accounts
4. Take the money and run


That's the very big picture. Now let's get down to point [1] - steal your banking credentials. There are a few common buzzwords that fall under this category: phishing, identity theft, Trojans.


"Identity theft" is certainly a very scary term: who wants his own personal identity to be stolen? How can you function as a human being without your identity? Well, you can't function, but luckily, the problem is not with you, but with the term. It is not inherently possible to steal an identity, only to use it. "Identity theft" is a misnomer, which actually has the meaning of our point [1] - bad people want to steal and use your credentials. So, when you are "a victim of identity theft", all it means is that bad guys stole some of your credentials - login, password, SSN, driving license number, birthday, etc.


Now, how can bad people steal your credentials? Two of the most popular means are also two of the most popular buzzwords -

Phishing and Trojans.
Phishing and Trojans are two ways of stealing your credentials. Phishing does it using mostly social engineering, while Trojans use brutal force, and less social engineering. In a "phishing scam" (a.k.a. "phishing attack") you receive a fake email, navigate from it to a fake banking site, and there, typically if you are a naïve person, you give away your credentials to the bad guys. And that's it.


In a Trojan scam, your computer gets infected with a Trojan horse - a type of malicious software which makes your computer perform undisclosed malicious functions; one of these malicious functions is to send personal credentials that were found on your computer to the bad guys. The exact techniques of how this is done are out of scope here, but the important thing is that you, the victim, give away your credentials without knowing you're doing so.


So we have two very different techniques that achieve the same goal - stealing credentials ("identity theft"). Yet the ways to protect yourself from these vicious means are completely different. In order not to be a victim of phishing you simply need to be less naïve and more aware of the threats of phishing. You could use software tools that filter and warn about phishing, but if you fall for social engineering, this wouldn't help you.


Trojan protection doesn't require a personality change. You can remain naïve, but you must install anti-Trojan/anti-virus software on your PC, and keep it updated at all times. In 99% of the cases, this ensures that no behind-the-scenes malicious activity is being performed on your computer.


So what should you do if an email tries to phish you in the middle of the night?

Exactly, call the cops.

November 12, 2008

Why "Red Flags" would work

By Yohai Einav, VeriSign Senior Fraud Researcher


The FTC announced last month that it is pushing back the deadline for the implementation of the "red-flag" requirements for another six months. Under the "red flags" all financial institutions must develop and implement an "Identity Theft Prevention Program", which includes "reasonable policies and procedures for detecting, preventing and mitigating identity theft".


I'm pretty confident that somewhere in the world security chiefs are dancing in relief, and, on the other hand, so are many fraudsters (in their filthy underground caves).


FFIEC guidance and beyond
So why are fraudsters relieved? Because a well planned and implemented red flag program could actually slow the fraud business.


While the 2005 FFIEC regulations (or, "guidance") talked about using better locks to the gates of the castle (which is important, but castles tend to have windows and hidden entrances), the new requirements deal with fighting the enemy within the walls of the castle - inside the compromised accounts.


To put it in a less metaphorical way: today, most banks already implement some extra protective measures at their login page, but only a few measures inside their online banking system itself. And, as it seems, better protection of the login - stronger authentication - does not completely stop fraud, but forces fraudsters to look for the "hidden entrances".


(Don't get me wrong - the FFIEC guidance was the cornerstone for all anti online-fraud legislation and the tipping point which propelled anti-online-fraud into the spotlight)


Taking care of hidden entrances
As in many areas of life, the Pareto principle applies to the fraud market as well: 80% of the fraud losses come from 20% of the scam patterns, and a well-thought-out red flags program will target exactly these 20% of the patterns. Here are a few required red flags:


  • "Flag an account with a material change in purchasing or spending". This is a strong indicator for financial fraud - someone who suddenly changes his spending behavior - yet today only a handful of financial institutions have applied the mechanisms to detect it;

  • "An account that has been inactive for a reasonably long period of time resumes usage". This is really a common sense red flag, yet only a handful of banks today have the system to detect it.

  • "A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as recent and significant increase in the volume of inquiries, or an unusual number of recently established credit relationships". If you learn the behavioral patterns of an account, you could easily be able to find the out-of-pattern activities, and prevent fraud.

Simple? Yes.
Effective? Yes, thank you.
Would the red-flags policy create a fraud-free environment? No, but it should significantly reduce fraud. Remember the Pareto.
And what would be of the fraudsters? It would drive them away from the castle - and back to their filthy underground caves.
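The three red flags quoted above are behavioral rules a bank can evaluate over its own transaction history. As an added illustration for this page (example code, not VeriSign's product logic and not from the original post), here is a small Python implementation of the three rules run over constructed account histories. The thresholds are assumptions chosen for the demonstration, not values the post prescribes: a 3x jump in 30-day spend against a one-year baseline, 180 days of dormancy, and a 3x burst of credit inquiries.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class Txn:
    when: date
    amount: float  # purchase amount in the account's currency


def monthly_spend(txns: List[Txn], start: date, end: date) -> float:
    """Total spend in [start, end), normalised to a 30-day month."""
    days = (end - start).days
    if days <= 0:
        return 0.0
    total = sum(t.amount for t in txns if start <= t.when < end)
    return total * 30 / days


def flag_spending_change(txns, as_of, baseline_days=365, recent_days=30,
                         ratio=3.0, floor=500.0):
    """Red flag: a material change in spending.
    Compare the last `recent_days` (30-day normalised) with the preceding
    `baseline_days`; flag when spend is at least `ratio` times the baseline
    and above `floor`, so a tiny account doubling from $20 is ignored."""
    recent_start = as_of - timedelta(days=recent_days)
    base_start = recent_start - timedelta(days=baseline_days)
    recent = monthly_spend(txns, recent_start, as_of)
    base = monthly_spend(txns, base_start, recent_start)
    if recent < floor:
        return False
    return base == 0 or recent / base >= ratio


def flag_dormant_reactivation(txns, dormant_days=180):
    """Red flag: an inactive account resumes usage.
    Returns the transactions that follow a gap of `dormant_days` or more."""
    ordered = sorted(txns, key=lambda t: t.when)
    return [cur for prev, cur in zip(ordered, ordered[1:])
            if (cur.when - prev.when).days >= dormant_days]


def flag_inquiry_burst(inquiries, as_of, history_days=365, recent_days=30,
                       ratio=3.0, minimum=3):
    """Red flag: a recent, significant increase in credit inquiries.
    `inquiries` is a list of inquiry dates; flag when the recent window holds
    at least `minimum` inquiries and `ratio` times the usual 30-day rate."""
    recent_start = as_of - timedelta(days=recent_days)
    hist_start = recent_start - timedelta(days=history_days)
    recent = sum(1 for d in inquiries if recent_start <= d < as_of)
    hist = sum(1 for d in inquiries if hist_start <= d < recent_start)
    usual = hist * 30 / history_days
    if recent < minimum:
        return False
    return usual == 0 or recent / usual >= ratio


def evaluate(txns, inquiries, as_of):
    """Run all three red flags; return the names of those raised."""
    raised = []
    if flag_spending_change(txns, as_of):
        raised.append("spending_change")
    if flag_dormant_reactivation(txns):
        raised.append("dormant_reactivation")
    if flag_inquiry_burst(inquiries, as_of):
        raised.append("inquiry_burst")
    return raised


def _steady(months, amount=200.0):
    """Constructed history: two purchases a month, on the 5th and the 20th."""
    return [Txn(date(y, m, d), amount) for (y, m) in months for d in (5, 20)]


AS_OF = date(2009, 1, 15)
# Constructed account: modest spending Apr-Jun 2008, six months of silence,
# then two large purchases and a burst of credit inquiries.
SAMPLE_TXNS = _steady([(2008, 4), (2008, 5), (2008, 6)]) + [
    Txn(date(2008, 12, 20), 1500.0),
    Txn(date(2009, 1, 5), 2500.0),
]
SAMPLE_INQUIRIES = [date(2008, 2, 1), date(2008, 6, 1), date(2008, 10, 1),
                    date(2008, 12, 28), date(2009, 1, 3), date(2009, 1, 9)]
# Constructed account with an unremarkable, steady pattern.
QUIET_TXNS = _steady([(2008, m) for m in range(2, 13)] + [(2009, 1)])
QUIET_INQUIRIES = [date(2008, 2, 1), date(2008, 6, 1), date(2008, 10, 1)]

if __name__ == "__main__":
    print("sample:", evaluate(SAMPLE_TXNS, SAMPLE_INQUIRIES, AS_OF))
    print("quiet: ", evaluate(QUIET_TXNS, QUIET_INQUIRIES, AS_OF))
```

The sample account raises all three flags while the quiet account raises none; in practice each rule would feed a risk score rather than a hard alert, and the thresholds would be tuned per portfolio against the false-positive rate the fraud team can absorb.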


October 20, 2008

Who's minding the Identity store?

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service
Greg Pierson of iovation recently wrote an interesting blog post about the idea that the more places your identity information resides, the greater the chance of your identity actually getting stolen. It reminded me of an incident that happened to me recently. I live in a condo and our neighbor's sprinkler system had gone off. There was so much water that it seeped through the walls and ceiling and flooded one of our rooms, which happened to be carpeted. Our landlord, along with the condo association, arranged to have the carpet replaced. When the workers arrived, they insisted on taking my wife's credit card number even though they weren't going to charge us. They took an impression of the card, and then insisted on writing down the CVV2 number (the three digit number on the back of the card, often called a "security code"), not to charge anything, but because it was policy or they couldn't start the work. Of course, recording both numbers is totally unnecessary. It's actually pretty dumb, and most likely against the rules that merchants have to sign up to in order to be able to take credit cards as payment.

Credit card transactions can be "card present" transactions, when the card is physically present, like at a gas station or when you are physically at the store, or "card not present" (CNP), when the card is not present, like when you make a transaction online or over the phone. The presence of the card is usually established by reading the magnetic stripe or by taking an impression of the card. Clearly, the risk of fraud is greater for CNP transactions because all a fraudster may need is the card number (something you know). Card companies started to combat this by using CVV2 to validate CNP transactions, so you, in theory, need to physically have the card or else you wouldn't be able to turn it over to read those three extra digits. Of course, those three digits are just something else you know, and can easily be compromised along with your card number, especially when written down by unscrupulous or clueless merchants. In practice, it does provide a little more security because those extra digits aren't supposed to be stored with your card number. Of course, when the carpet guys are holding your new carpet hostage and they insist on writing both pieces of information on the same piece of paper, that extra security goes out the window. To make matters worse for me, these particular carpet guys spoke with Russian accents. I don't want to launch a discussion about the merits of profiling cyber-criminals, but it didn't do much to ease my suspicion.

After my wife told me what happened, I considered canceling our credit cards, but then we would be faced with the hassle of updating every subscription and service that has our card stored somewhere for auto-renewal. On the one hand, that's not such a bad idea. Who knows what auto-renewals we'd forgotten about and didn't need anymore. On the other hand, who wants to deal with all that, especially when your liability for any fraudulent charges is capped at $50? The real fear wasn't the charges themselves but of someone establishing a new credit line in one of our names using the credit card. Ultimately, we decided just to keep an even more vigilant eye on our statements and rely on our Equifax Credit Watch to alert us of any suspicious behavior.


August 11, 2008

The Magical Defense against the "Pump and Pump" Scam

By Yohai Einav, VeriSign Senior Fraud Analyst


What happened to good ol' fraud?

There's a new trend in online fraud today - it is getting more brutal.


A few years ago, when a fraudster wanted to get your online banking credentials, he would send you a phishing email, asking you kindly to send him your bank's login and password; today, he would simply infect your PC with malware, then take your details by force.


Fraudsters not believing in the goodness of mankind and taking things by force?! Yes - we live in crazy times.


The brutal trend doesn't end with phishing. The same evolution happens today in the online brokerage world with the "Pump and Dump" scam.


Pump and Dump 1.0

The classic Pump and Dump scam is one of the oldest tricks in the book. Its guiding principle is simple: if you can buy a worthless stock for a very low price (typically micro-cap companies), then sell it quickly for a much higher price, you can become rich (you probably haven't heard this principle before).


So, how do you turn something worthless into something valuable in a short period of time?


The answer, until recently, was - "persuade enough dupes to buy the stock, and make the market price go up". How do you persuade enough people? Well, 200 years ago (when the Internet was still a secret known to few) you would spread false rumors about "a swell stock" at tea parties, or in a horse cart on the way to work. Today you would simply send a professional-looking spam email to millions, giving an expert recommendation on the stock.


Pump and Dump 2.0

But that classic, mainstream scam has changed. The "Brutal Pump and Dump" of the day is not about persuading people; it is about taking command over their trading accounts.


How does a brutal Pump and Dump work?

First, the fraudster buys shares of a penny stock through his personal account. At this point the share price is very low. The fraudster then logs into multiple compromised trading accounts in one or more brokerage firms. Once there, he liquidates the stock portfolio in these accounts and uses the freed-up cash to purchase shares of "his" penny stock. The rest of the process is quite obvious: the share price of the penny stock goes up (usually by tens or hundreds of percent), and it's time for the fraudster to capitalize on his investment.


Return on investment of 100%-200% for one hour of work? Not a bad deal.


One person's gain
We all know the old saying - "one person's gain is another person's loss"; but what can we do when it's "many persons' loss to one person's gain"? Can we stop this loss from happening? Is there a magical defense against these dark arts?


Well, defense exists, although it is not fully magical. It mainly consists of special rules, configurations, comparators and behavioral engines. And it can block most of the brutal Pump and Dump. Get further details about VeriSign's solution. If you still feel you need a magical addition to your Pump and Dump defense, kindly contact JK Rowling.
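The post does not spell out what its "rules, configurations, comparators and behavioral engines" look like. As an added example for this page (written here, not VeriSign's own logic), the Python below is a cross-account comparator in the spirit of that description: it scans a brokerage's order flow for a low-priced symbol bought by several distinct accounts within a short window, each shortly after liquidating its other holdings, which is exactly the footprint the brutal Pump and Dump leaves on the brokerage side. The account names, symbols, prices and thresholds (three accounts, a one-hour window, a two-hour liquidation lookback, a $5 price cap) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Order:
    ts: datetime
    account: str
    side: str      # "BUY" or "SELL"
    symbol: str
    qty: int
    price: float


def liquidated_before(orders: List[Order], account: str, before: datetime,
                      lookback: timedelta) -> bool:
    """True if `account` sold at least two distinct holdings in the `lookback`
    window ending at `before`, i.e. the portfolio was dumped to free up cash."""
    sold = {o.symbol for o in orders
            if o.account == account and o.side == "SELL"
            and before - lookback <= o.ts <= before}
    return len(sold) >= 2


def find_coordinated_pumps(orders, window=timedelta(hours=1),
                           lookback=timedelta(hours=2),
                           min_accounts=3, max_price=5.0) -> Dict[str, List[str]]:
    """Cross-account comparator. Flag a low-priced symbol (<= `max_price`)
    that at least `min_accounts` distinct accounts buy inside `window`, where
    each of those accounts had just liquidated its other holdings.
    Returns {symbol: sorted list of suspicious accounts}."""
    buys = defaultdict(list)
    for o in orders:
        if o.side == "BUY" and o.price <= max_price:
            buys[o.symbol].append(o)
    alerts = {}
    for symbol, sym_buys in buys.items():
        sym_buys.sort(key=lambda o: o.ts)
        for i, first in enumerate(sym_buys):
            cluster = [o for o in sym_buys[i:] if o.ts - first.ts <= window]
            suspicious = {o.account for o in cluster
                          if liquidated_before(orders, o.account, o.ts, lookback)}
            if len(suspicious) >= min_accounts:
                alerts[symbol] = sorted(suspicious)
                break
    return alerts


def build_sample_orders() -> List[Order]:
    """Constructed order flow for one trading morning (accounts and symbols
    are made up). A1-A3 each sell two holdings and buy the same penny stock;
    A4-A6 are ordinary activity that must not be flagged."""
    t0 = datetime(2008, 8, 11, 9, 30)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    orders = []
    for i, acct in enumerate(("A1", "A2", "A3")):
        orders += [
            Order(at(5 + i), acct, "SELL", "BLUE1", 100, 40.0),
            Order(at(6 + i), acct, "SELL", "BLUE2", 50, 80.0),
            Order(at(20 + 10 * i), acct, "BUY", "PENY", 20000, 0.40),
        ]
    orders += [
        Order(at(30), "A4", "BUY", "PENY", 500, 0.41),   # buyer with no sell-off
        Order(at(15), "A5", "BUY", "BIGCO", 10, 120.0),  # large-cap, not a penny stock
        Order(at(10), "A6", "SELL", "BLUE1", 20, 40.0),  # sold one holding only
        Order(at(25), "A6", "BUY", "OTHR", 1000, 2.0),   # a single account
    ]
    return orders


SAMPLE_ORDERS = build_sample_orders()

if __name__ == "__main__":
    for symbol, accounts in find_coordinated_pumps(SAMPLE_ORDERS).items():
        print(f"ALERT {symbol}: coordinated buys after liquidation by {accounts}")
```

Only PENY is flagged, with A1, A2 and A3 as the suspicious accounts; the ordinary buyer A4 sits in the same cluster but is not reported because it liquidated nothing. A real engine would add the per-account behavioral baseline the post alludes to (does this account ever trade micro-caps?) and would hold or step-up-authenticate the flagged orders rather than merely alert.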

August 6, 2008

Just assume your identity has already been stolen

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service


I'm Perry Tancredi, and I manage the VeriSign VIP Fraud Detection Service product. A lot of times when I explain what I do to my friends and family, especially when I talk about some of the latest attacks we see, the conversation turns to whether or not it's too risky to do anything online at all. People want to know if I think banking and shopping online is safe, what virus program I use at home and what they should be doing to protect themselves.


I had already been writing this post when the news broke about the largest case of identity theft in America (BBC, Washington Post); it seems more relevant now. There's been a lot of coverage last night and this morning, but I happened to be available when the BBC story was being written, and got the chance to talk to and be quoted by the BBC. I'm a long time NPR and BBC listener, so I do have to say that it was quite a kick to hear Maggie Shiels say my name on the radio last night.


I told the BBC what I typically tell anyone else who asks: that while, for the most part, the Internet is secure, the most important thing anyone can do is just assume that their accounts are going to be compromised. Credit card and personal data are stolen every day using all kinds of methods, and it's not all Internet related. Most people are most concerned about the security at the point of sale, but don't think about what happens with the information later. When you assume that your accounts will be compromised one way or another, you have to start doing what you should have been doing anyway: reading your credit card statements and monitoring your credit reports. It's not fun, but it's easy to spot suspicious transactions when you look at statements every month. If you see something suspicious, call your bank or credit card company. Likewise, if you see something strange on your credit report, follow up on it.


The VeriSign Fraud Detection Service (FDS) works on the same principle. Protect the front door, but stay on the alert after you've let someone in. Out of the box, the FDS allows our customers to look for suspicious logins, but it was built to be modular and allow the analysis of any kind of transaction, and really reaches its full potential when it looks at post-logon transactions. We already have customers who have written their own modules using it to protect wire transfers online. Soon we'll release our first module to look at a specific kind of post-logon fraud, and that will be just the first module of many.


With more and more organizations looking beyond login, consumers will be safer, and the combination of users and organizations being more vigilant will move the bar that much higher for the fraudsters.

June 23, 2008

Online fraud: Thinking "outside of the box"

By Yohai Einav, VeriSign Senior Fraud Analyst


I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".


So the sanguine driver told me how his bank called him, warning him he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged with $6,000. He called Visa, and they told him - "Sir, didn't you make two £1,500 transactions in London two weeks ago?"


No, he was never in London. No, he rarely uses the British Pound in Israel.


"Time out", I said. "Credit card issuers know that this could happen, and no way could these two transactions have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you?" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraud transactions on that same holy day".


I loved that story for one reason - it shows how the bad-guys constantly think outside the box. They knew that such a large scale scam would be detected on any other regular day, so they found a day when it wouldn't. They know what's inside the box, and then plan ahead.


Here's another story - a few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad-guy to type in any credit card number and learn the type of card, the name of the issuing bank, the bank's phone number and the country where the card was issued. Yet it also included another feature - "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest for the fraudsters?


Again - it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad-guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the credit company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the line is always busy, the credit company will have to make a decision - are we going to pass on this transaction or not?


In most cases, you can already guess, such transactions will be approved.


This is not a new tactic, but a regular fraudster's strategy. Bad guys must use think-outside-the-box ideas since security companies already cover whatever is inside the box. The lesson for us in the security industry should be emphasized: never rest on our laurels; always try to cover what's outside of the box; occasionally think like a bad-guy; and never ever tell jokes about miraculous goats.

May 5, 2008

Online Fraud: Start with the "Why"

By Yohai Einav, Senior Fraud Analyst


I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling


Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.

But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."


Have you noticed the phenomenon? Every discussion about identity theft, security and online fraud starts with the How and What questions:


"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"


All good questions. But, the first thing we should ask is "why?"


"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"


When you think of it, all banks are good sources for money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?


A good example of the "Why" is phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant, and you usually see a trend of bursts of phishing attacks against a specific target.


Why?


March 21, 2008

The true cost of online fraud

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service

The never-ending parade of consumer data leakage and the inevitable fraud that follows added another participant this week with the Hannaford incident. This time, the damage amounts to 4.2 million credit and debit cards being compromised. It is too early to tell all the ramifications of this incident, but the unraveling has already started with the first salvo of class-action lawsuits against Hannaford.

When I see something like this happen, I'm always left to wonder: what is the true cost of a fraud incident?

Looking back at some of the high-water mark incidents of the past, we can get some hints of what the direct cost involved may look like. Take TJ Maxx for example: back in January 2007 TJ reported a 45 million (or 94 million) card compromise, which was followed by an estimated $68 million to $83 million in fraud losses on Visa cards alone. All this damage led to legal action and a settlement last September, with TJ reserving more than $120 million to cover it. Fast forward to the beginning of this week, and TJ is still in the news with a massive notification campaign that has been kicked off with mailings, magazine and newspaper ads to try to reach customers who may have had their cards compromised.

Based on all of this, it shouldn't be unreasonable to think that the direct costs associated with this fraud incident are north of $100 million, especially when you include legal costs, advertising and G&A overhead to manage all the mess. All the urgent security assessments, patching and fixing shouldn't have come cheap either.

The indirect costs are harder to assess but, in my view, even more dramatic: one can only imagine the amount of brand damage when you have to engage tens of millions of your customers repeatedly over more than one year, reminding them you didn't manage to keep their sensitive data safe. The cost rises further, and is shared by all of us, through the broader backlash against e-commerce and online businesses in general, where consumer confidence is melting away faster than I can say Global Warming. We are already seeing that in the polls: according to a recent YouGov survey in the UK, almost half of the women in Great Britain would be ready to stop shopping and banking online in order to reduce their risk of ID fraud.

It has got to the point where even corrective and preventive measures are becoming vectors for data leakage, such as this bank's attempt to notify one customer about a fraud issue in his account, which ended up compromising information on other people's accounts.

Sooner or later we will have to implement proactive, stronger security measures for the broader online infrastructure; the only question is how much organizations and consumers will have to pay until that day arrives.

March 12, 2008

What's your online persona worth?

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service


If you live in the UK, the answer would be a little over twenty thousand dollars (at current exchange rates) for the average adult internet user, a nice bounty for phishers, bot herders, malware coders and other cyber-criminals to go after.

This is based on highlights of a recent YouGov survey that estimates European Internet users are risking up to 1.6 trillion dollars by sharing personal and financial data with sites that are not adequately protected, with UK Internet users accounting for a 731 billion share of the total amount.

What the research also suggests is that the ubiquity of social networking and other data sharing sites has dramatically increased the quantity and sensitivity of the information available on the web, with users volunteering more and more details in order to complete their profiles, make more friends or establish new connections. Many consumers are giving away their date of birth (75%), their home address (70%) and even their mother's maiden name (68%). People sharing such data may not realize that it is not too hard to aggregate all this information and use it to compromise internet banking accounts and other sensitive online applications.

That is why consumer education plays a key role in making sure users understand what is appropriate to share and where to share it. And, believe it or not, some of it is working, as the YouGov research shows that consumers are becoming more aware of security symbols such as the padlock (69 percent) or a security mark like the VeriSign® Secured Seal (41 percent).

Moving forward, tools such as Microsoft IE7 and EV certificates will ease the learning curve, but at the end of the day good old common sense continues to be key when deciding whether to share sensitive data online.

March 6, 2008

The Global Business of Fraud

Hi there! My name is Vicente Silveira and I'm responsible for the VIP Fraud Detection Service (or, as we call it, VIP FDS) product at VeriSign.


Our team develops products that help businesses and individuals transact securely on the internet. Needless to say we have a lot of work to do.


I just spent some time in Europe talking to financial institutions and comparing notes on fraud trends here and there. One of the quick conclusions is that online criminals are sharing tools and methods on a global basis and on a scale that we haven't seen before.


One example is a modern variation of an old stock touting technique known as "Pump and Dump", where fraudsters use e-mail spam to falsely promote a thinly traded instrument (such as a penny stock), hoping that enough people will buy it and drive the price up. The way they make money is by buying the penny stock before sending the spam and selling when the stock goes up (and before it crashes down).


Now if one feels like following investment tips from an e-mail with an anonymous robotic voice that is one thing. A different thing altogether is when criminals take "Pump & Dump" to the next level and steal your username and password, hijack your online brokerage account, sell all your blue chip stocks and use the proceeds to buy the penny stock, leaving you with some worthless equity in a tiny and obscure company. Play the video below for a CNBC report on Pump & Dump aired last year.


Over the last two years, the SEC has filed charges against several individuals in the US and abroad who used this enhanced technique to defraud online brokerage users. Since 2007 the same technique has started to show up in Europe and China, as fraudsters realize they can repeat the scam throughout the globe.


While the authorities are arresting some of the suspects, the sustainable solution is for brokerages to continue monitoring suspicious trading behavior and investing in better authentication credentials.


Vicente Silveira


Hacker Pump and Dump Stock Scam www.IDTheftSecurity.com
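One way a brokerage could monitor for the account-hijack variant described in this post, as an added example that is not VeriSign's or VIP FDS code: a rule over a constructed trade log that flags an account which sells all of its prior positions and then buys a large block of a thinly traded symbol shortly afterwards. The thresholds, the sample trades and the holdings are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real brokerage): trades and opening holdings.
# Each trade: (account, ISO timestamp, side, symbol, quantity, symbol's average daily volume)
TRADES = [
    ("acct-1001", "2008-03-03T09:31:00", "SELL", "BLUE", 500, 2_000_000),
    ("acct-1001", "2008-03-03T09:33:00", "SELL", "CHIP", 300, 1_500_000),
    ("acct-1001", "2008-03-03T09:40:00", "BUY",  "PNNY", 20_000, 15_000),
    ("acct-2002", "2008-03-03T10:05:00", "SELL", "BLUE", 100, 2_000_000),
    ("acct-2002", "2008-03-04T14:00:00", "BUY",  "CHIP", 50, 1_500_000),
]
HOLDINGS = {"acct-1001": {"BLUE": 500, "CHIP": 300},
            "acct-2002": {"BLUE": 400, "CHIP": 0}}

THIN_ADV = 50_000            # assumed: fewer shares/day than this counts as thinly traded
WINDOW = timedelta(hours=2)  # assumed: liquidation must precede the buy within this window
VOLUME_SHARE = 0.25          # assumed: a buy above this fraction of daily volume is a big block


def liquidation_then_thin_buy(trades, holdings):
    """Return (account, symbol, time) alerts for accounts that sell every prior
    position and then put the proceeds into one thinly traded symbol."""
    by_account = defaultdict(list)
    for acct, ts, side, sym, qty, adv in trades:
        by_account[acct].append((datetime.fromisoformat(ts), side, sym, qty, adv))
    alerts = []
    for acct, rows in by_account.items():
        rows.sort()
        held = {s: q for s, q in holdings.get(acct, {}).items() if q > 0}
        for when, side, sym, qty, adv in rows:
            # Only large buys of a thin symbol are candidates for the pattern
            if side != "BUY" or adv >= THIN_ADV or qty < VOLUME_SHARE * adv:
                continue
            # Sum everything sold in the look-back window before this buy
            sold = defaultdict(int)
            for w2, s2, sym2, q2, _ in rows:
                if s2 == "SELL" and when - WINDOW <= w2 < when:
                    sold[sym2] += q2
            fully_liquidated = bool(held) and all(sold[s] >= q for s, q in held.items())
            if fully_liquidated:
                alerts.append((acct, sym, when.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in liquidation_then_thin_buy(TRADES, HOLDINGS):
        print("ALERT liquidation-then-thin-buy:", alert)
```

In a real deployment the alert would feed a case for investigation and a step-up authentication challenge rather than block the trade outright, since a legitimate customer can also rebalance into a small company.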
