The iovation Site

Archive for the ‘Financial Services’ Category

iovation to Share Fraud Prevention Intelligence with European Banks at FST Summit in Lisbon

Wednesday, September 28th, 2011

Understanding the evolving fraud threats that financial services organizations face today is crucial to preventing the damaging effects that credit application fraud, account takeovers and identity theft can have on their business, customers and bottom line.

To help European financial services leaders understand how to thwart these increasing risks, iovation is scheduling one-on-one meetings with Europe’s major financial institutions at the upcoming Financial Services Technology (FST) Summit, October 4-6, in Lisbon, Portugal. If you are interested in learning about the latest online fraud trends and best practices for fraud prevention in retail banking and commercial banking, please reserve some time for us to talk.

As the world’s leading provider of fraud preventative device reputation services, iovation helps businesses assess online transaction risks before they happen. Our active partnerships with leading credit issuers, foreign exchange service providers and banking clients around the globe are designed to stop account takeovers, ID theft, ACH or debit fraud, credit application fraud and more. (more…)


Study Shows Banks Blocking More Fraud

Monday, September 26th, 2011

Network World reports, “The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled 77 financial institutions and asked how many account takeovers occurred in 2009 and during the first six months of 2010. The FS-ISAC consists of a group of banks that shares threat information and interacts with the federal government on critical infrastructure issues. Its members include Citi, Prudential, Bank of America, JPMorgan Chase, Goldman Sachs and Wells Fargo, among others.”

Account takeover occurs when thieves infiltrate your existing bank or credit card account and siphon out your money. This typically occurs after your account has been hacked or your credit card or personal identity has been stolen.

21 of the institutions polled reported a total of 108 commercial account takeovers during the first six months of 2010, compared to 86 for the full year of 2009.

In 2010, 36% of fraud attempts were successfully thwarted, whereas in 2009, fraud was prevented only 20% of the time. (more…)


Is Your Bank Ready for the FFIEC Compliance Requirements? If not, iovation can help.

Sunday, September 18th, 2011

Three months. That’s how long financial institutions have before they are obligated to comply with the Federal Financial Institutions Examination Council’s compliance requirements, which kick in January 2012. At this point, the question on everyone’s mind is, “Is my bank ready?” If not, iovation is here to help. We’ve just released a new white paper to help financial institutions meet the FFIEC guidelines, and also protect themselves against future security threats.

Because cyber criminals have figured out ways to circumvent virtually every single authentication technique financial institutions use today, it has become imperative that banks not only meet the FFIEC’s upcoming security guidelines, but exceed them, if they expect to stave off increasing security attacks.

One of the keys to stopping innovative fraudsters from compromising banks’ cyber defenses is utilizing a system of layered security. This is something the FFIEC has reinforced with a supplement to the original Authentication in an Internet Banking Environment guidance, along with updated supervisory expectations for customer authentication, layered security, and other controls for authorizing transactions for financial institutions that offer Internet-based products and services. (more…)


Fraud Protection Needs to Be a High Priority in Today’s Unwary Business Environment

Saturday, August 20th, 2011

Part of maintaining a strong corporate image is ensuring your customers are protected from all types of security threats. This is true for any organization as the health of their brand is often closely linked to their business success. That said, a recent study by TD Bank found that even with fraud cases on the rise, only one percent of small business owners surveyed said falling victim to fraud was a top business concern.

This casual, unwary approach toward security continues to boggle my mind, particularly in today’s highly volatile business environment. But while three-quarters of the small businesses polled said they are incorporating steps to protect their computer systems from fraudsters, Fred Graziano, head of commercial and small business banking at TD Bank, said companies need to keep up with the latest available fraud preventative technologies and criminal tactics used by more sophisticated fraudsters. (more…)


PII Gives Fraudsters Data Needed to Break Into Online Accounts

Wednesday, August 17th, 2011

Every second, someone is sharing personal information about themselves over the Internet. For most online users, this data is meaningless except to the friends and well-intended recipients of the sender. But the truth is, others are watching; and they’re watching closely. For online fraudsters, personal information is carefully pieced together and used to answer security questions that allow them to break into other people’s online accounts to perpetrate identity theft and steal from their bank accounts.

According to the article “Fraudster used Facebook to hack bank accounts,” cyber criminal Iain Wood spent 18 hours a day online collecting information posted by his neighbors on social networking sites including Facebook to figure out passwords that would defeat online banking security checks. Prior to getting caught by police, he managed to steal more than £35,000 (approx. $55,000 USD) over a two-year period. (more…)


Are Online Businesses Prepared for Regional Fraud Threats?

Friday, August 5th, 2011

The attack vectors of online scams morph faster and faster, making it consistently more difficult for security professionals to develop effective preventative solutions. Merely keeping pace with fraudsters’ latest tricks is not enough to adequately protect a system or network. This is especially true for online retailers and other businesses that open their virtual doors to international business.

According to the article, “Credit card fraud is a cross-border crime,” statistics have shown in recent years that online fraud trends can differ dramatically between countries. For example, online payment fraud in the UK dropped 10% from 2009-2010, while the US experienced a 157% rise in attempted payment fraud during that same period. (more…)


Emerging Online Markets Face the Same Security Challenges as Everyone Else

Wednesday, August 3rd, 2011

When it comes to adopting new technologies, every industry and market has its growing pains. For example, businesses with an increasing dependency on the Internet for sales revenues face a number of security challenges ranging from credit card fraud to phishing emails and social engineering scams. If they aren’t careful, both the business and their customers can fall victim to more complex fraud schemes.

One of the emerging markets experiencing an upswing in Internet transactions is India. According to the article, “How secure are Indian businesses?” the Internet is one of the fastest growing mediums for generating business leads for Indian small and medium-sized businesses, with 57% of SMBs now using their websites as a sales channel. (more…)


Financial Institutions Can Protect Their Clients Using “Defense in Depth”

Wednesday, August 3rd, 2011

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase of cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by challenging each layer of security, by exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based and can be easy to figure out with the use of social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines. You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. (Disclosures)


FFIEC Mandates “System Of Layered Security” to Combat Fraud

Sunday, July 31st, 2011

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly stated that, come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocol. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further, offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts, which exposes fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)


Why Complex Device Identification Isn’t Enough

Friday, July 29th, 2011

“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Federal Financial Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.”

You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures


UK Businesses Bear the Brunt of Cyber Crime Costs

Thursday, July 28th, 2011

A recent report on the cost of cyber crime, published by the Office of Cyber Security & Information Assurance in the Cabinet Office and Detica, revealed that online crime costs the UK economy £27 billion per year. According to the article “UK Cabinet Office Report: The Cost of Cyber Crime,” UK businesses shell out more than three-quarters of the total annual cybercrime costs at £21 billion, while private citizens (£3.1bn) and the government (£2.2bn) round out the overall economic impact.

The study found that IP theft (£9.2bn) and industrial espionage (£7.6bn), combined, account for over two-thirds of the overall cost to UK businesses per annum. IP theft is largely committed against companies with high volumes of IP or IP that’s easy to hack, while industrial espionage includes stealing or exploiting non-IP data from organizations that depend on large amounts of financial transactions and monetary activities.

Other significant cyber crimes that impact UK businesses include extortion (£2.2bn), direct online theft (£1.3bn), and lost or stolen customer data (£1bn), according to the report.

Because organizations today are becoming increasingly dependent on cyber space for business commerce, communications, and daily operations and production, cyber threats pose a significant risk to individual nations, as well as the global economy. This is why reports like these are so important.

Understanding the economic impact cyber crime can have on businesses, industry, and the economy can play a critical role in setting effective security policies and implementing proactive fraud preventative strategies, such as iovation’s device reputation service, which combats new and evolving forms of cyber crime that have a negative impact on organizations across the globe.


Think Your Business Is Too Small to Hack? Think again.

Wednesday, July 27th, 2011

You’ve heard the phrase, “Too big to fail,” right? It’s a term that basically says certain banks or financial institutions are so large and interconnected that their failure would be disastrous to everyone else. A similar attitude has been floating around cyberspace for some time. Much like the first term, which the financial crisis proved wrong, the business mentality of being “too small to hack” is also failing.

According to the Wall Street Journal article, “Hackers Shift Attacks to Small Firms,” as small businesses make the leap to computerized systems, they are becoming prime targets for cyber thieves.

Business owner Joe Agelastri, who runs a pair of magazine shops in the Chicago area, found out the hard way. After cyber criminals planted a software program on his cash registers, which sent customer credit-card numbers to Russia, the breach cost him around $22,000, slicing his annual profits in half. Though somewhat puzzled, Agelastri is just one of a growing number of small business owners who have experienced firsthand how prolific a problem cyber fraud has become in the SMB community. (more…)


iovation and Experian Help Banks Meet New FFIEC Guidelines

Friday, July 22nd, 2011

The Federal Financial Institutions Examination Council (FFIEC) recently issued guidelines to help financial entities improve their cyber security efforts and gain a better understanding of the new, more dangerous threats they face today.

To show how layering iovation’s device reputation services with authentication technology offers a comprehensive defense-in-depth solution for exceeding the FFIEC’s new guidelines, we are hosting the upcoming webinar, “Ensuring Optimal Efficacy and Balance with Device Identification and Out-of-Wallet Questions.”

Along with Keir Breitenfeld, Senior Director at Experian Decision Analytics, I will be presenting what financial institutions need to know about mitigating fraud risks while improving the overall customer experience, including:

    1. How to achieve risk-based authentication with device reputation, authentication, scores and analytics — all while minimizing friction for the customer.
    2. How to apply proportional treatment to your risk-based authentication efforts and dynamically manage credit and non-credit data questions, to fight fraud.
    3. How to find optimal process points and question session configuration to strike the right balance between fraud prevention, customer experience, and cost.

(more…)


Disclosing Data, Despite Breaches

Thursday, July 21st, 2011

The ticker tape of data breaches in the last few months has been astounding. Many have called 2011 “The Year of The Hacker” and that prognostication has rung true, without question. Halfway through the year, data breaches are an incessant news story.

And despite the constant stream of bad news, consumers continue divulging a tremendous amount of data to retailers, auction sites, dating sites, and gaming sites. While awareness of fraud and cybercrime is at an all time high, consumers seem to feel they don’t have much of a choice but to provide all their data.

People have grown to love the Internet and all the conveniences it offers, both commercially and socially. In my household, little people under five years old whack away at online iPhone games, never knowing what it’s like not to have the Internet.

Many seem to feel that their privacy is the price they must pay for all this connectedness and convenience, and are even willing to put their personal security at risk in exchange. (more…)


What The FFIEC Is Doing to Protect You and Your Bank

Wednesday, July 13th, 2011

FFIEC is the Federal Financial Institutions Examination Council, which is a government body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions by and for numerous other government, public, private and financial entities.

If there is a “good” place for your tax dollars to head, it’s to the FFIEC. And very recently the FFIEC has issued updated guidelines for financial institutions regarding their cyber security and new threats your bank needs to counter.

Over the past decade, as we have all (mostly) banked and bought stuff online, criminals have formed organized web mobs to sniff out transactions and take over existing accounts and in some cases open up new accounts.

The FFIEC has certainly pointed this out, and at the same time has made additional security recommendations, its first since 2005, based on new kinds of criminal hacking and new technologies to combat it.
(more…)