The iovation Site

Scott Olson

Is iPhone the Catalyst for Ubiquitous Multi-factor Authentication?

Tuesday, March 31st, 2009

This week alone, I have seen two separate iPhone apps enabling multi-factor authentication for the likes of your accounts at AOL, eBay, PayPal and Blizzard, the provider of the popular online game World of Warcraft. The first application is provided by Verisign and provides multi-factor authentication for AOL, eBay, and PayPal to combat identity theft and account takeover. This could easily be expanded to include other sites and is a significant improvement over the options that were previously available. The second application is provided by Blizzard to authenticate users to their popular online games, like World of Warcraft, and is intended to address their account takeover problems.

Before these mobile applications, sites could either issue a separate hardware token for multi-factor authentication, which was expensive and difficult to manage, or deliver a one-time code by text message, which could be costly for both the consumer and the company. These applications solve the token problem by attaching themselves to something most users always have in their possession (their mobile phone), and solve the cost problem by bypassing text messages and embedding the one-time password generation logic in the mobile app itself. There is a beta version of the Verisign app for some BlackBerry models, with versions for another 40 phones in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow. The ease of adoption on the iPhone could make the difference in this instance, and it would be a positive step toward combating online fraud and, more specifically, account takeovers.


Online Fraud Coming to Social Networks

Tuesday, March 31st, 2009

There is an interesting article today in the online Fortune Magazine focusing on the potential use of social networks to facilitate collaboration between online criminals intent on committing online fraud. The interesting hook for the article is that fraudsters may begin using social networks like Facebook and Twitter to communicate, share data and pass illegal information. The reality is that online criminals have been working together for some time and have established a sophisticated online fraud value chain where fraudsters specialize in a particular fraud deliverable.

Generally you won’t find the online criminal who commits all aspects of an online fraud independently from stealing the identity, obtaining fraudulent credit, to finally defrauding an online business. Instead, online criminals may specialize in different areas of the fraud process. One criminal may specialize in establishing and utilizing botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or other elements of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals will begin to collaborate and communicate on Facebook and Twitter. The reality of today’s environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud. That is exactly part of the unique value we bring to our customers at iovation: the chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.


Fraudsters Botch Identity Fraud

Monday, March 30th, 2009

Incompetent fraudsters appear to be even more dangerous than competent ones. Credit card details of over 19,000 individuals were posted to the Internet by online criminals in a botched identity theft scheme. It appears that they intended to sell the credit card details and accompanying identities, but posted them publicly instead. Because they were in the public domain, all of this information was available through a simple Google search. Details of the credit card fraud scheme were reported by the Telegraph.


Increasing Online Fraud Highlighted in SC Magazine Article

Monday, March 30th, 2009

SC Magazine has posted an article about the 2008 numbers for online fraud as reported originally in a study by APACS, the UK payments association.

The net result? Online banking fraud rose by 132%. The article highlights that most of this fraud occurred online and speaks particularly to the need for global adoption of multi-factor authentication. Whether or not the world can agree on a standard for multi-factor authentication remains to be seen, but I certainly agree that many of the methods employed to stop online fraud are woefully inadequate, especially those that require the input of identity information.


TippingPoint’s Pwn2Own Highlights Ease of Compromise

Thursday, March 19th, 2009

TippingPoint’s DVLabs ran their annual contest yesterday at CanSecWest. The results were scary, but not unexpected. The rules are that contestants must hack one of the provided systems using a zero-day attack, that is, an exploit of a vulnerability that has not been disclosed to the public. It took mere minutes for exploits of Apple’s Safari, Microsoft’s IE8, and Firefox to result in full compromise of the target MacBook and Sony Vaio, with the exploiters going home with $5,000 for each new exploit, and the MacBook and Vaio themselves going to the first to exploit those systems.

This was a good example of how cyber attacks have shifted to target the end user rather than the enterprise perimeter. None of the winners even tried to attack the OS X or Windows Vista operating systems directly, as by this time those systems are locked down pretty well. Instead they focused on the browser environment, and this highlights why phishing, which I talked about in my last blog post, is the first step of the fraud value chain in obtaining personal information.

How many people can honestly say they have never clicked through to a site whose content they weren’t 100% certain of? Have you ever followed a link through a social media site, a chat group, a support forum, or a friend’s e-mail? It is no mystery why botnets are such a problem. This has become big business, and harvesting identities is the first step in much of today’s online fraud.

What can you do personally? That’s a good question. First, stay current on all the latest patches for your operating system and browser. In general, security professionals find Firefox to be better than IE as a browser technology. I use Safari, but as you can tell from the above, they were all compromised. Second, I think it is wise for anyone to regularly monitor their credit card statements to protect against unauthorized charges, as well as to subscribe to a credit monitoring service; LifeLock is an example of a well-known service. Finally, as I have mentioned many times before, we need to move away from using identity-based information in legitimate systems. The one time I have been a potential victim of credit card theft was when my university, which used my SSN as an ID, had these records stolen out of its database. The less we rely on this personal information online, the less valuable it will be and the less it will be stolen.


Identity-Based Fraud Tools Make Phishing Harder to Combat

Tuesday, March 17th, 2009

I came across a good article this morning on detecting and avoiding phoney fraud alerts. The problem is that I found myself thinking yet again that as online sites employ ever more identity-based fraud management solutions to combat online fraud, the likelihood of these phishing attacks succeeding goes up. More and more often we are being asked for increasing amounts of personal information to validate our identity.

There are two problems with this. First, we are training online users that providing personal information in addition to credit credentials, e.g. the color of your first car, your pet’s name, etc., is required to complete a transaction. As this has become the norm, it is harder to spot phishing attacks. Second, we are feeding the online databases built by botnets with increasingly personal information that the scammers can use to bypass these same checks.

I truly believe that the long-term viability of solutions that require the input of substantial personal information is in question. To fight fraud, account takeover and identity theft, we should move toward systems that do not require this information, such as multi-factor authentication tokens, device fingerprinting, and smart cards.


2009 Online Fraud Report Has Valuable Information

Friday, March 13th, 2009

One thing that came out this week that I found particularly interesting was CyberSource’s 2009 Online Fraud Report.  They have some great information about fraud trends for online merchants.

One of the more interesting sections for us here at iovation can be found on page 8 of the report, where they cover implemented, planned and most effective online fraud solutions. For both large and small merchants, device fingerprinting had the largest number of respondents indicating that they planned to implement the technology in the next 12 months. Additionally, it was ranked as one of the top three most effective technologies available to merchants today.

Device-based fraud management solutions are rapidly moving into merchant best practices for fighting online fraud. For more information on key findings from the fraud survey, read the Merchant Risk Council press release.


MRC Platinum Events Co-Sponsored by iovation

Monday, March 9th, 2009

This is a big week for fraud prevention discussions with online retailers. The Merchant Risk Council’s (MRC) 7th Annual eCommerce Payments and Risk Conference takes place at the Wynn Las Vegas. The Merchant Risk Council is a merchant-led trade association focused on electronic commerce risk and payments globally. Approximately 500 online merchants and vendors meet to discuss new strategies and collaboration techniques to reduce fraud losses stemming from credit card fraud, shipping fraud, identity theft and more.

Week at a Glance:

  • March 9 – Opening Party at Blush Boutique, Wynn, co-sponsored by iovation
  • March 10 – Platinum Member Meeting co-sponsored by iovation
  • March 11 – General Conference & Exhibits (iovation booth #304)
  • March 12 – General Conference & Exhibits (iovation booth #304)

On Wednesday, March 11th, iovation veteran Cory Swick will demonstrate how fraudsters are extending their scams and what online businesses can do to stop them. Emerging strategies of cybercrime will be discussed—from individuals targeting specific markets and organized rings of collusion to maturing fraud economies.

Presentation Details:

  • Title:  Criminal Diversification: A Look at the Emerging Strategies of Cybercrime
  • When:  Wednesday, March 11, 2009, 2:15 p.m. – 3:00 p.m. PT
  • Where:  Wynn Las Vegas, Room – Lafite 6
  • Speaker:  Cory Swick, Senior Enterprise Sales Executive

To meet with iovation at the event, please schedule a meeting through our website.


Online Dating – Blocking The Bad Guys

Monday, February 16th, 2009

One day before Valentine’s Day, Computerworld put out a terrific article focused on the technology used in the online dating industry, an industry growing 10% annually according to Forrester Research. This is timely news, as the highest demand for Internet dating sites comes just before Valentine’s Day, when most sites double their traffic, if not quadruple it. In the article, titled “Online Dating: The Technology Behind the Attraction,” editor Robert Mitchell outlines four basic and necessary steps for the online dating business model:

  1. Provide visitors with instant feedback (or matches)
  2. Convert visitors from “Just Looking” to “Paid Customers”
  3. Deliver high quality connections or matches
  4. Keep the quality of the prospect pool high, by weeding out scammers, spammers and fraudsters. (more…)


80 Million Device Reputations Now Under Management

Friday, November 14th, 2008

iovation recently surpassed the 80 million mark for device reputations under management. Wow! That’s an increase of 208% from the 26 million worldwide device reputations we were managing on January 1, 2008. This notable accomplishment is a testament to the hard work and dedication of our staff and our wide range of customers, who are all working together to combat online fraud and abuse across multiple industries. (more…)


Unlocking the Potential of Device ID

Wednesday, October 15th, 2008

Client Device Identification (CDI) can go by many different names, including device fingerprinting, device ID, or device tagging. Whatever you may call it, there is a growing recognition that in order for online businesses to effectively combat online fraud and abuse, they must move beyond relying almost solely on the identity and credit information supplied by the fraudsters and augment it with information about the device being used to defraud them. (more…)


Fraudsters Are No Longer Showing Site Loyalty

Thursday, September 4th, 2008

I’ve been analyzing the online behavior patterns of criminals for about 4 years now. When I first started, the criminals were clearly “specialists” targeting a particular vertical market with their organized crime operations, e.g., online gaming, Internet dating, eCommerce, or financial institutions. They would craft their schemes to specifically exploit a victim Web site until they got caught. Then, they would simply shift their focus over to the next Web site with similar vulnerabilities in that same vertical market. (more…)


Identity-based Fraud Management Systems: Part of the Solution or Part of the Problem?

Wednesday, August 20th, 2008

Someone recently asked me the following question that I thought was particularly interesting and insightful; “To what extent do identity-based fraud management systems actually contribute to identity theft?” (more…)


Background Checks for Online Dating Sites

Friday, July 25th, 2008

I recently spoke with ConsumerAffairs.com reporter, Joe S. Enoch, about a Nigerian scam targeting online dating sites where the victim lost well over $10,000. One of his questions was why online dating sites don’t simply do background checks on their users?

This is a fair question, but highlights the fact that people really don’t understand the shortcomings of identity based fraud and abuse management systems in the online world. (more…)


Javelin Says Online Credit Card Fraud Will Increase Through 2010

Friday, July 25th, 2008

While online retailers continue to beef up their fraud detection capabilities, according to Javelin’s “2008 Identity Fraud Forecast” Internet credit card fraud is expected to keep rising until at least 2010. With higher fraud levels on the horizon, eMerchants will continue to face losses that go beyond the value of the fraudulent online purchases and impact their business growth. (more…)