Online Identity and Trust

It's about time Hollywood produces a blockbuster about identity management.

No, I'm kidding. No producer would never even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.

The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.

Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.

In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.

Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.

As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.

Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior, they may have been taken over by a vicious nerd.

Posted by Yohai Einav at 5:28 AM | Permalink | Comments (0)

By Yohai Einav, Senior Fraud Analyst

A deserted street, night, a frightened old lady hops towards a policeman who just left the bar.
Old lady: "Please officer, this e-mail is trying to phish me!"
She shows a laptop to the Policeman.
Old lady: "My grandson gave it to me for my birthday, and he warned me of such things. Now it is trying to phish me!"
Policeman: "Let me see this".
The Policeman looks at the screen. He sees a phishing email.
Policeman: "Lady, do you have any idea what this is? This is identity theft! Wait a second; I must report this to my superiors right away!"

The policeman talks into his walkie-talkie:
Policeman: "Jim, I want to report an identity theft on 8th and Houston.... Yes, an old lady again.... Yes, her grandson... no, I didn't get the IP..."
The policeman leans toward the old lady.
Policeman: "You are lucky to still have your identity. Now go home and be sure to lock your firewalls."

The lady walks away. 2 minutes pass. Suddenly we see an old man running towards our policeman.

Old man: "It's a Trojan horse! He is coming for me!"

End of scene

(Taken from the new Harrison Ford movie, "Firewall 2: revenge of the firewall")

This scene (based on a true event), illustrates the pervasive confusion many of us suffer with all these security buzzwords flying around. This entry level post will try to answer such questions as "what do these buzzwords mean", and "how do they fit into a bigger picture".

Let's start with the bigger picture.

Bad people want your money
When bad people want your money they usually have such a plan in mind:
1. Steal your personal credentials
2. Penetrate your online financial accounts using these credentials
3. Move money from your accounts to other accounts
4. Take the money and run

That's the very big picture. Now let's get down to point [1] - steal your banking credentials. There are few common buzzwords that fall under this category: phishing, identity theft, Trojans.

"Identity theft" is certainly a very scary term: who wants his own personal identity to be stolen? How can you function as a human being without your identity? Well, you can't function, but luckily, the problem is not with you, but with the term. It is not inherently possible to steal an identity, only to use it. "Identity theft" is a misnomer, which actually has the meaning of our point [1] - bad people want to steal and use your credentials. So, when you are "a victim of identity theft", all it means is that bad guys stole some of your credentials - login, password, SSN, driving license number, birthday, etc.

Now, how can bad people steal your credentials? Two of the most popular means are also two of the most popular buzzwords -

Phishing and Trojans.
Phishing and Trojans are two ways of stealing your credentials. Phishing does it using mostly social engineering, while Trojans uses brutal force, and less social engineering. In a "phishing scam" (a.k.a "phishing attack") you receive a fake email, navigate from it to a fake banking site, and there, typically if you are a naïve person, you give away your credentials to the bad guys. And that's it.

In a Trojan scam, your computer gets infected with a Trojan horse - a type of malicious software which makes your computer perform undisclosed malicious functions; one of these malicious functions is to send personal credentials that were found on your computer to the bad guys. The exact techniques of how this is done are out of scope here, but the important thing is that you, the victim, give away your credentials without knowing you're doing so.

So we have two very different techniques that achieve the same goal - stealing credentials ("identity theft"). Yet the ways to protect yourself from these vicious means are completely different. In order not to be a victim of phishing you simply need to be less naïve and more aware of the threats of phishing. You could use software tools that filter and warn about phishing, but if you fall to social engineering, this wouldn't help you.

Trojan protection doesn't require a personality change. You can remain naïve, but you must install an anti-trojan/anti-virus software on your PC, and keep it updated at all times. In 99% of the cases, this ensures that no behind-the-scenes malicious function action is being performed on your computer.

So what should you do if an email tries to phish you in the middle of the night?

Exactly, call the cops.

Posted by Yohai Einav at 1:00 PM | Permalink | Comments (0)

By Yohai Einav, VeriSign Senior Fraud Researcher

The FTC announced last month that is pushing back the deadline for the implementation of the "red-flag" requirements for another six months. Under the "red flags" all financial institutions must develop and implement an "Identity Theft Prevention Program", which includes "reasonable policies and procedures for detecting, preventing and mitigating identity theft".

I'm pretty confident that somewhere in the world security chiefs are dancing in relief, and, on the other hand, so are many fraudsters (in their filthy underground caves).

FFIEC guidance and beyond
So why are fraudsters relieved? Because a well planned and implemented red flag program could actually slow the fraud business.

While the 2005 FFIEC regulations (or, "guidance") talked about using better locks to the gates of the castle (which is important, but castles tend to have windows and hidden entrances), the new requirements deal with fighting the enemy within the walls of the castle - inside the compromised accounts.

To put it in a less metaphorical way: today, most banks already implement some extra protectional measures at their login page, but only a few measures inside their online banking system itself. And as it seems, better protection of the login - a stronger authentication - does not completely stop fraud, but forces fraudsters to look for the "hidden entrances".

(Don't get me wrong - the FFIEC guidance was the cornerstone for all anti online-fraud legislation and the tipping point which propelled anti-online-fraud into the spotlight)

Taking care of hidden entrances
As it applies to many areas of life, the Pareto principle applies also to the fraud market: 80% of the fraud losses come from 20% of the scam patterns, and a well-thought red flags program will target exactly these 20% of the patterns. Here are a few required red-flags:

• "Flag an account with a material change in purchasing or spending". This is a strong indicator for financial fraud - someone who suddenly changes his spending behavior - yet today only a handful of financial institutions have applied the mechanisms to detect it;


• "An account that has been inactive for a reasonably long period of time resumes usage". This is really a common sense red flag, yet only a handful of banks today have the system to detect it.


• "A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as recent and significant increase in the volume of inquiries, or an unusual number of recently established credit relationships". If you learn the behavioral patterns of an account, you could easily be able to find the out-of-pattern activities, and prevent fraud.

Simple? Yes.
Effective? Yes, thank you.
Would the red-flags policy create a fraud-free environment? No, but it should significantly reduce fraud. Remember the Pareto.
And what would be of the fraudsters? It would drive them away from the castle - and back to their filthy underground caves.

Posted by VeriSign Identity Protection Blogger at 8:52 AM | Permalink | Comments (0)

By Yohai Einav, VeriSign Senior Fraud Analyst

What happened to good ol' fraud?

There's a new trend in online fraud today - it is getting more brutal.

A few years ago, when a fraudster wanted to get your online banking credentials, he would send you a phishing email, asking you kindly to send him your bank's login and password; today, he would simply infect your PC with malware, then take your details by force.

Fraudsters not believing in the goodness of mankind and taking things by force?! Yes - we live in crazy times.

The brutal trend doesn't end with phishing. The same evolution happens today in the online brokerage world with the "Pump and Dump" scam.

Pump and Dump 1.0
The classic Pump and Dump scam is one of the oldest tricks in the book. Its guiding principle is simple: if you can buy a worthless stock for a very low price (typically micro-cap companies), then sell it quickly for a much higher price, you can become rich (you probably haven't heard this principle before).

So, how do you turn something worthless into something valuable in a short period of time?

The answer, until recently, was - "persuade enough dupes to buy the stock, and make the market price to go up". How do you persuade enough people? Well, 200 years ago (when the Internet was still a secret known to few) you would spread false rumors about "a swell stock" in tea parties, or in a horse cart on the way to work. Today you would simply send a professional-looking spam email to millions, giving an expert recommendation on the stock.

Pump and Dump 2.0
But that classic, mainstream scam has changed. The "Brutal Pump and Dump" of the day is not about persuading people; it is about taking command over their trading accounts.

How does a brutal Pump and Dump work?
First, the fraudster buys shares of a penny stock through his personal account. At this point the share price is very low. The fraudster then logs into multiple compromised trading accounts in one or more brokerage firms. Once there, he liquidates the stock portfolio in these accounts and uses the free money to purchase shares of "his" penny stock. The rest of the process is quite obvious: the share price of the penny stock goes up (usually by 10's or 100's of percent), and it's time for the fraudster to capitalize on his investment.

Return on investment of 100%-200% for one hour of work? Not a bad deal.

One person's gain
We all know the old saying - "one person's gain is another person's loss"; but what can we do when it's "many persons' loss to one person's gain"? Can we stop this loss from happening? Is there a magical defense against these dark arts?

Well, defense exists, although it is not fully magical. It mainly consists of special rules, configurations, comparators and behavioral engines. And it can block most of the brutal Pump and Dump. Get further details about VeriSign's solution. If you still feel you need a magical addition to your Pump and Dump defense, kindly contact JK Rowling.

Posted by VeriSign Identity Protection Blogger at 5:35 AM | Permalink | Comments (0)

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service

I'm Perry Tancredi, and I manage the VeriSign VIP Fraud Detection Service product. A lot of times when I explain what I do to my friends and family, especially when I talk about some of the latest attacks we see, the conversation turns to whether or not it's too risky to do anything online at all. People want to know if I think banking and shopping online is safe, what virus program I use at home and what they should be doing to protect themselves.

I had already been writing this post when the news about the largest case of identity theft in America (BBC, Washington Post), it seems more relevant now. There's been a lot of coverage last night and this morning, but I happened to be available when the story BBC story was being written,and got the chance to talk to and be quoted by the BBC. I'm a long time NPR and BBC listener, so I do have to say that it was quite a kick to hear Maggie Shiels say my name on the radio last night.

I told the BBC what I typically tell anyone else who asks, that while for the most part, the Internet is secure, but the most important thing anyone can do is just assume that their accounts are going to be compromised. Credit card and personal data are stolen every day using all kinds of methods, and it's not all Internet related. Most people are most concerned about the security at the point of sale, but don't think about what happens with the information later. When you assume that your accounts will be compromised one way or another, you have to start doing what you should have been doing anyway: reading your credit card statements and monitoring your credit reports. It's not fun, but it's easy to spot suspicious transactions when you look at statements every month. If you see something suspicious, call your bank or credit card company. Likewise, if you see something strange on your credit report, follow up on it.

The VeriSIgn Fraud Detection Service (FDS) works on the same pricipal. Protect the front door, but stay on the alert after you've let someone in. Out of the box, the FDS allows our customers to look for suspicious logins, but it was built to be modular and allow the analysis of any kind of transaction, and really reaches its full potential when it looks at post-logon transactions. We already have customers who have written their own modules using it to protect wire transfers online. Soon we'll release our first module to look at a specific kind of post-logon fraud, and that will be just the first module of many.

With more and more organizations looking beyond login, consumers will be safer, and the combination of users and organizations being more vigilant will move the bar that much higher for the fraudsters.

Posted by VeriSign Identity Protection Blogger at 4:18 PM | Permalink | Comments (0)

By Yohai Einav, VeriSign Senior Fraud Analyst

I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".

So the sanguine driver told me how his bank called him, warning him he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged with $6,000. He called Visa, and they told him - "Sir, didn't you make two £1,500 transactions in London two weeks ago?"

No, he was never in London. No, he rarely uses the British Pound in Israel.

"Time out", I said. "Credit card issuers know that this could happen, and no way could these two transactions have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you??" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraud transactions on that same holy day".

I loved that story for one reason - it shows how the bad-guys constantly think outside the box. They knew that such a large scale scam would be detected on any other regular day, so they found a day when it wouldn't. They know what's inside the box, and then plan ahead.

Here's another story - a few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad-guy to type in any credit card number and learn the type of card, name of the issuing bank, the bank's phone number or the country where the card was issued. Yet it also had included another feature - "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest for the fraudsters?

Again - it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad-guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the credit company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the ringing tone is always be busy, the credit company will have to make a decision - are we going to pass on this transaction or not?

In most cases, you can already guess, such transactions will be approved.

This is not a new tactic, but a regular fraudster's strategy. Bad guys must use think-outside-the-box ideas since security companies already cover what ever is inside-the-box. The lesson for us in the security industry should be emphasized: never rest on our laurels; always try to cover what's outside of the box; occasionally think like a bad-guy; and never ever tell jokes about miraculous goats.

Posted by VeriSign Identity Protection Blogger at 11:00 AM | Permalink | Comments (0)