The iovation Site

Archive for the ‘Financial Services’ Category

Fear of Online Fraud Drives Shift in Consumer Behavior – Fraud Prevention Tools Need to Adapt

Tuesday, July 7th, 2009

There is a good article on the Internet Retailer site today titled “Fear of debt and fraud change the way online shoppers pay.” Essentially, online shoppers are looking for the sites they trust the most and are moving to alternative payment vehicles that do not require them to enter their credit card information. According to the article, thirty-seven percent of online shoppers are using their credit cards less, while only ten percent indicate they are using credit cards more. Meanwhile, alternative payment vehicles like PayByCash, Bill Me Later, and PayPal are undergoing rapid growth.

In addition to being good news for the companies who offer alternative payment types, this information also signifies an important development in the realm of fraud prevention. With fewer shoppers using credit cards online, traditional fraud-management tools that rely upon that personal and credit information are going to become less effective. The Internet Retailer article quotes extensively from CyberSource’s most recent fraud report: a report that indicates that device fingerprinting solutions, like iovation ReputationManager™, are at the top of the list for planned implementation in 2009. The trend of online consumers away from payment options that require personal and credit information will only make augmenting fraud prevention with device fingerprinting solutions more important.


Device Fingerprinting Techniques – Several Choices

Thursday, June 4th, 2009

Device fingerprinting is a technology that has been growing in importance over the past few years. Online businesses are dealing with the problem of increased identity theft and manufactured identities being used to create new accounts, purchase goods, and in general transact with the online business in some way. Device fingerprinting complements existing identity-based techniques to address this problem and to identify repeat offenders and fraud rings that target these businesses. In a recent online fraud survey put out by CyberSource, device fingerprinting was identified as the number one technology to be adopted, in terms of percentage of planned new adoption, over the course of the next year due to its high effectiveness.

At iovation, many of the questions we field revolve around how we do device fingerprinting. Rather than get into a detailed definition of device fingerprinting, I will address the basic choices available to companies and explain how iovation uses them. Essentially, device fingerprinting is used online to identify and then re-recognize a PC or other Internet device that visits an online site. There are really 4 different ways that this can be accomplished: (more…)


Vishing Attacks For Identity Theft? How to Protect Yourself.

Monday, June 1st, 2009

In a recent post I spoke about the recent phishing attack spoofing the Social Security Administration. Today I would like to discuss a variation of this identity theft scam, vishing. Where phishing uses social engineering through e-mail to trick people into visiting fake websites, vishing uses social engineering through the phone system to get you to call phony phone numbers that harvest your personal information. There is a good article on vishing attacks at CNET. Don’t be fooled by the fact that a voice mail is directing you to a toll-free number. Vishing attacks use temporary 800 numbers to enhance legitimacy.

This attack is even more relevant to me personally as I witnessed this attack on a friend of mine this past weekend. My friend received a voice message telling him that his debit card account had indications of fraud and to call the 800 number immediately to get details. Once he connected to this number he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him so he hung up intending to call back later. When he did call back, he called the number of his financial institution on his card instead of the number left on voice mail. It was a good thing he did. There they indicated that there was no fraud activity on his account and that he had been a victim of a vishing attack.

In this incident it turned out OK because he never entered his personal information, but it could easily have turned out differently. The lesson from this incident is that, as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial or other account, you should dial the actual company number and have them direct you to the appropriate department. Do not trust phone numbers left in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.


New Visa Card Combats Online CNP Fraud

Thursday, May 14th, 2009

Visa is launching a new card aimed at combating card-not-present (CNP) fraud in the UK. The card essentially adds a two-factor authentication token to the back of the card that can be used to validate possession of the card online.

This is an interesting concept, but the execution of this with online businesses will make all the difference. The key here is the merchants and their adoption of this technology. If adoption is slow, then the card company may be forced to allow use of this card at sites without the PIN. If this is the case, the improved authentication is rendered useless because a scammer could still steal the card information and use it online. If, on the other hand, the card issuer continues to require the use of the PIN in order to complete an online transaction despite slow adoption by merchants, this could doom the use of the card by consumers as they won’t find enough places to use it.

Online merchants are the key to the success of this experiment and they have incentives to make this work. CNP fraud is a big problem and costs online companies billions of dollars per year. If they can band together to speed adoption of this technology, it will go a long way to changing how online fraud occurs.


When Fighting Online Fraud Not All Device Reputation is Equal

Thursday, May 14th, 2009

I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004 and we have a lot of experience with this issue. There is a big difference between the two types of reputations and their relevant value. (more…)


Social Networks and Malware a Potent Combination

Wednesday, May 13th, 2009

Yesterday, SC Magazine reported that malware distributed on social networks was 10 times more effective than the same malware distributed through e-mail. They report that it is a big threat to the future of social networks and hypothesize that its effectiveness is due to the trust relationships that exist on these sites.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned: (more…)


New Phishing Scam Spoofs Social Security Administration

Monday, May 11th, 2009

An SC Magazine article, out today, reports that a new phishing attack is now targeting individuals who will be receiving an economic payout later this month.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the user’s personal information is the target of choice, but this is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult; it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail or link from an e-mail to a page that collects that data.


Device Fingerprinting Protects Privacy in Fighting Online Fraud

Monday, May 4th, 2009

There has been some recent discussion in different articles regarding whether or not device identification (also referred to as device fingerprinting) constitutes a violation of privacy, in the context of fighting online fraud. The topic came up recently at a panel at RSA on the Benefits and Dangers of Device Fingerprinting. Device fingerprinting provides significant benefits for online businesses; it provides an additional factor for authentication, used by many online banks, and aids in the fight against fraud by identifying computers that have been used in the past for fraudulent activities and stopping future transactions from those systems.

The argument against this type of technology, however, is that the device information could be collected and sold, constituting a violation of privacy of the online user. What needs to be taken into consideration, however, is how device fingerprinting compares with existing identity-based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work to reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way.

The reality is that device fingerprinting systems provide online businesses with some of the only fraud management tools that don’t rely heavily on personally identifiable information. Instead of decrying privacy violations, privacy advocates should be looking to embrace systems that achieve the purpose of reducing online fraud while still protecting the privacy of good online users.
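The fingerprinting post above says devices are identified and then re-recognized, the device reputation post says evidence of actual fraud is shared across businesses, and this post says the service collects no personal information. The following is an added example written for this page, not iovation’s ReputationManager or any of its code; the attribute names, the keyed-hash construction, the server key and the allow/review/deny rule are all this example’s own assumptions. It shows one way those three properties fit together: only device-level attributes enter the fingerprint, the store holds only an HMAC of them, and a personal field such as an e-mail address changes nothing.

```python
# Added example: a device fingerprint that uses no personal data, feeding a
# shared reputation store. Illustrative code for this page, not iovation's
# ReputationManager; attribute names, the keyed hash and the decision rule
# are constructed assumptions.
import hashlib
import hmac
from collections import defaultdict

# Constructed key: only an HMAC of the device attributes is ever stored, so the
# reputation store cannot be reversed into raw attributes, let alone a person.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

# Only device-level attributes take part; fields such as name, e-mail or card
# number are deliberately excluded so the identifier never binds to a person.
FINGERPRINT_FIELDS = ("os", "browser", "screen", "timezone",
                      "fonts_hash", "plugins_hash")


def fingerprint(attrs: dict) -> str:
    """Derive a stable device identifier from the allow-listed attributes only."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class ReputationStore:
    """Shared evidence database: fingerprint -> (reporting site, evidence type)."""

    def __init__(self) -> None:
        self._evidence = defaultdict(list)

    def report(self, fp: str, site: str, kind: str) -> None:
        """A participating site records fraud or abuse seen from this device."""
        self._evidence[fp].append((site, kind))

    def assess(self, attrs: dict) -> dict:
        """Re-recognise the device and decide based on evidence from any site."""
        fp = fingerprint(attrs)
        evidence = self._evidence.get(fp, [])
        sites = {site for site, _ in evidence}
        if not evidence:
            decision = "allow"
        elif len(sites) == 1:
            decision = "review"      # one site's report: flag for a human
        else:
            decision = "deny"        # corroborated across sites
        return {"fingerprint": fp, "evidence": len(evidence),
                "sites": len(sites), "decision": decision}


# Constructed sample device; the e-mail field is present only to show it is ignored.
SAMPLE_DEVICE = {"os": "Windows XP SP3", "browser": "IE 7.0", "screen": "1024x768",
                 "timezone": "-08:00", "fonts_hash": "f1a2", "plugins_hash": "p9c4",
                 "email": "alice@example.com"}

if __name__ == "__main__":
    store = ReputationStore()
    print(store.assess(SAMPLE_DEVICE)["decision"])                       # allow
    store.report(fingerprint(SAMPLE_DEVICE), "retailer-a", "chargeback")
    print(store.assess(SAMPLE_DEVICE)["decision"])                       # review
    store.report(fingerprint(SAMPLE_DEVICE), "bank-b", "account-takeover")
    # Same device, different e-mail: still recognised, now denied.
    print(store.assess({**SAMPLE_DEVICE, "email": "bob@example.com"})["decision"])  # deny
```

The keyed hash is the privacy control: whoever obtains the store gets opaque identifiers and evidence counts, not browser or OS details, and the key never leaves the fingerprinting service. Requiring corroboration from a second site before denying outright is one way to keep a single mistaken report from locking a device out everywhere.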


RSA Wrap Up – ROI, Fraud as a Service, and Whitelisting

Friday, April 24th, 2009

It’s been a busy week at RSA for iovation and I have just about talked myself out of words, but as always it is a great show to connect with security professionals and measure security trends. The show attendance seemed to be down some, but as I have noticed at other shows, the quality of attendees seemed to be up in general. There were far fewer people searching for tchotchkes and more who seemed to be there to get information and do business. Three quick observations from the show:

  1. ROI for security vendors is more important than ever. The time when businesses make investments on loose Fear, Uncertainty and Doubt (FUD) is coming to a close. Companies are looking to solve real, existing problems and more than ever are being held accountable to the impact of their investments on the bottom line of their company.
  2. Fraud as a Service resonates. I blogged a couple of weeks ago about a podcast from RSA where they referred to Fraud as a Service to describe the way online criminals are specializing and working together to commit online fraud. I am officially changing to this term in preference to the Fraud Value Chain. I spoke to reporters, analysts and security professionals about this concept and it really resonated. I had an interview with Bank Info Security that included this topic and here is the podcast.
  3. Application Whitelisting vs. Blacklisting. I spent some time with the folks at CoreTrace and I think that Application Whitelisting may finally be hitting the market at the right time. Eric Ogren, from the Ogren Group, and I spoke about this and we both agreed that blacklisting systems, in other words anti-virus, provide little to no value in preventing attacks and more than ever are relegated to clean-up tools that identify infection after the fact and remove it. Whitelisting has a way to go before it completely replaces anti-virus, but it has a good future.

That’s it from RSA, now it’s time to head back and fight the bad guys.


IP Proxy Use In Online Crime Equals Stiffer Sentences

Friday, April 17th, 2009

Here is an interesting article that I came across that is proposing stronger criminal sentences for online crimes where an anonymizing proxy is used. The intent here is that crimes committed while using an anonymizer indicate a higher level of sophistication. Critics of the measure state that this puts a stigma on what is many times seen as a good practice for protecting the online user’s privacy.

Independent of those issues, we at iovation have actually been studying the correlation of use of a proxy to online fraud and abuse. The early results are that for online businesses, users who utilize an anonymizing proxy have a higher rate of fraud and abuse than those that don’t, but it isn’t a sufficient independent indicator of fraudulent activity. In other words, for analyzing the risk of a given online transaction, checking for the use of a proxy is one of many important checks in assessing the overall risk, but it is not sufficient independently to determine whether an online user is bad. This also varies by industry. For example, the use of proxies is rarer at mainstream sites like online banks and retail sites as opposed to online dating sites where individuals may be more concerned about maintaining anonymity.

One thing remains certain, however: the use of proxies by online criminals to mask their true IP address remains extremely high. We have found that if an online criminal, for example, is using stolen French credit cards to defraud businesses from Ukraine, the criminal will often go to the extent of ensuring that they use a proxy that identifies their machine as originating from France, to bypass many of the fraud checks that online businesses use.
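The two paragraphs above make a concrete detection point: proxy use correlates with fraud but is not sufficient on its own, its weight depends on the industry, and a proxy chosen to match the card’s country defeats a plain country-mismatch check. The following is an added example for this page, not iovation’s scoring model; the weights, thresholds, the per-industry proxy weights and the IP lookup tables (built from RFC 5737 documentation ranges) are constructed assumptions. It scores a transaction from several independent signals so that the reader can see a proxy alone stay below the review threshold, a proxy plus prior device evidence cross the deny threshold, and a French-exit proxy pass the country check exactly as the post describes.

```python
# Added example: proxy use as one weighted signal in a transaction risk score.
# Illustrative code for this page only; the weights, thresholds, IP tables and
# the industry adjustment are constructed assumptions, not iovation's scoring.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lookup tables using RFC 5737 documentation ranges.
KNOWN_PROXY_RANGES = [ip_network("203.0.113.0/24")]
IP_COUNTRY = [(ip_network("203.0.113.0/24"), "FR"),   # a French proxy exit
              (ip_network("192.0.2.0/24"), "FR"),
              (ip_network("198.51.100.0/24"), "UA")]

# Proxy weight per industry: the post notes proxies are rarer at banks and
# retailers than at dating sites, so the same signal carries less weight there.
PROXY_WEIGHT = {"banking": 25, "retail": 20, "dating": 5}
COUNTRY_MISMATCH_WEIGHT = 30
DEVICE_EVIDENCE_WEIGHT = 25      # per prior fraud report, capped below
DEVICE_EVIDENCE_CAP = 50
NEW_ACCOUNT_WEIGHT = 10
REVIEW_THRESHOLD, DENY_THRESHOLD = 40, 70


@dataclass
class Transaction:
    ip: str
    card_country: str        # country the card was issued in
    device_reports: int      # prior fraud/abuse reports against the device
    account_age_days: int


def is_proxy(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_PROXY_RANGES)


def ip_country(ip: str):
    """Geolocate the address from the constructed table; None if unknown."""
    addr = ip_address(ip)
    for net, cc in IP_COUNTRY:
        if addr in net:
            return cc
    return None


def score(tx: Transaction, industry: str) -> dict:
    """Combine independent signals; no single signal decides on its own."""
    signals = {}
    if is_proxy(tx.ip):
        signals["proxy"] = PROXY_WEIGHT.get(industry, 20)
    if ip_country(tx.ip) != tx.card_country:
        signals["country_mismatch"] = COUNTRY_MISMATCH_WEIGHT
    if tx.device_reports:
        signals["device_reputation"] = min(tx.device_reports * DEVICE_EVIDENCE_WEIGHT,
                                           DEVICE_EVIDENCE_CAP)
    if tx.account_age_days < 7:
        signals["new_account"] = NEW_ACCOUNT_WEIGHT
    total = sum(signals.values())
    decision = ("deny" if total >= DENY_THRESHOLD
                else "review" if total >= REVIEW_THRESHOLD else "allow")
    return {"score": total, "signals": signals, "decision": decision}


if __name__ == "__main__":
    # Constructed cases mirroring the post: a French card through a French proxy
    # passes the country check, so only the proxy signal fires.
    print(score(Transaction("203.0.113.5", "FR", 0, 365), "retail"))   # allow, 20
    print(score(Transaction("203.0.113.5", "FR", 2, 365), "retail"))   # deny, 70
    print(score(Transaction("198.51.100.7", "FR", 0, 1), "retail"))    # review, 40
```

The French-proxy case is the one the post describes: the country check passes, and it is the device’s prior history, not the proxy flag, that pushes the score over the deny line. Industry-specific proxy weights keep a dating site from sending every privacy-conscious user to review while a bank, where proxies are rare, treats the same signal more seriously.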

In my 17+ years in security I have often heard and repeated that security is a process, not an event, and in the high-stakes game of online fraud this is no different.


Conficker Starts Up Botnet to Enable Online Fraud

Friday, April 10th, 2009

Richi Jennings at ComputerWorld has a nice summary of blogs and articles on the activation of the Conficker botnet that is going to provide new avenues for online fraud. What began as a mass worm infection has now moved into the serious business of establishing a botnet that can be used for black market commerce.

This is a good example of the way that Fraud as a Service is enabled, which I talked about in my previous blog post. Now that Conficker has established a botnet, it can be used for a variety of ends. Here are a few to consider:

  • Spam distribution – many of this morning’s articles have focused on the first use of this botnet to distribute spam. Spam can be for illegal services or can also be links to phishing sites.
  • Identity theft – any botnet or trojan horse can simply be used to steal and transmit personal information. The way it generally works is that the user’s online web activity is monitored to capture user IDs and passwords from targeted sites like online banks, massively-multiplayer online games (MMOs), or commerce sites. That stolen data is then transmitted back to the scammer’s database.
  • Hosting phishing websites or download sites – Many times individual’s PCs can be turned into hosting sites for phishing websites or illegal data download sites.

Botnets continue to be a big problem and are an important part of online criminal activity. Certainly individuals need to ensure their anti-virus software is up to date, and the industry needs to take steps to make account takeover more difficult through more common use of authentication tokens, and to make personal information less valuable online through the use of other fraud detection techniques like device fingerprinting and device reputation.


2009 Online Fraud Trend Podcast from RSA

Wednesday, April 8th, 2009

I came across a good podcast from RSA today that highlights the online fraud trends for 2009. It is only 10 minutes, but highlights several trends that I have spoken about in previous blogs. Specifically they highlighted three main trends in 2009 for online fraud:

  1. There is an emerging trend toward “Fraud as a Service” (FaaS). This is a takeoff on Software as a Service (SaaS), but the speaker primarily highlighted the growing trend toward collaboration among the scammers. There are trojan horse kits with promised patch releases once they are detected by anti-virus. There are launch kits that allow online criminals to target organizations. I also highlighted this movement toward an underground fraud value chain in previous blogs.
  2. New account fraud is on the rise.  Whether it is enabled by identity theft or by synthetic identities, fraudsters are creating more new accounts than ever online.  This is actually one of the top frauds that we prevent for our customers.  Whether this is targeting credit issuers for online credit accounts, MMOs for new account creation for gold farming and spam, or scammers that target online dating sites and create repeat accounts, new account fraud is a real problem made worse by the fact that identity information is so easy to obtain.
  3. Cross channel fraud.  This was highlighted as the trend to play off different channels such as web, phone and mobile environments against each other to enable fraud.

All in all, I found this to be a great podcast and worth a listen.


Is PCI Effective at Stopping Online Fraud? Congress Says No.

Thursday, April 2nd, 2009

It looks like Congress feels that credit card companies haven’t done enough to stop online fraud and identity theft. The general feeling from lawmakers was that while the PCI standard does provide guidelines on how to protect customer card data and personal information, it isn’t effective at addressing ever-changing threats. Lawmakers used the example of a company that had recently passed PCI compliance and was compromised while the actual certification was being granted.

Predictably, representatives from the PCI council and the card industry defended the standard and said that any company that had been shown to be breached was in violation of one of the standards at the time.

The reality of all this is that evidence of a breach doesn’t invalidate a standard. No regulation is going to stop online fraud, but it can dramatically reduce the risk compared with the absence of a standard. The real question should be how many breaches would have occurred without the standard, and how the standard must evolve to be more effective and meet the world’s changing threats.


Is iPhone the Catalyst for Ubiquitous Multi-factor Authentication?

Tuesday, March 31st, 2009

This week alone, I have seen two separate iPhone apps enabling multi-factor authentication for the likes of your accounts at AOL, eBay, PayPal and Blizzard, the provider of the popular online game World of Warcraft. The first application is provided by Verisign and provides multi-factor authentication for AOL, eBay, and PayPal to combat identity theft and account takeover. This could easily be expanded to include other sites and is a significant improvement over the options that were previously available. The second application is provided by Blizzard to authenticate users to their popular online games, like World of Warcraft, and is intended to address their account takeover problems.

Before these mobile applications, sites could either provide a separate hardware token for multi-factor authentication, which was expensive and difficult to manage, or provide this capability through a text message to the phone, which could be costly for both the consumer and the company. These applications solve the token problem by attaching themselves to something that most users always have in their possession (their mobile phone) and solve the cost problem by bypassing costly text messages and embedding the password generation intelligence in the mobile app. There is a beta version of the Verisign app for some BlackBerry models, with versions for another 40 phones in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow. The ease of adoption on the iPhone could be the difference maker in this instance, and it could be a positive step toward combating online fraud and, more specifically, account takeovers.
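Both this post and the earlier one on Visa’s card describe the same mechanism: a possession factor (a generator on the back of a card, or code embedded in a phone app) produces a short one-time code that the issuer checks, and the Visa post warns that letting merchants accept transactions without the code makes the factor worthless. The following is an added example for this page, not code from Visa, Verisign, Blizzard or iovation; the posts do not say which algorithm any of those products use, so the counter-based HOTP scheme of RFC 4226 is a stand-in, and the seed (the RFC’s published test value), the look-ahead window and the `require_code` flag are constructed assumptions. It shows the generator and the issuer-side check, including replay rejection and the fallback weakness.

```python
# Added example: a counter-based one-time code (HOTP, RFC 4226) generated on
# the user's side and checked by the issuer. The page does not say which
# algorithm Visa's card token or the Verisign/Blizzard apps use; HOTP is a
# stand-in here, and the seed, window and fallback flag are constructed.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The possession factor: card-back generator or phone app holding the seed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class IssuerVerifier:
    """Issuer side: validates a code and refuses replays. require_code=False
    models the merchant fallback the Visa post warns about: a transaction is
    accepted with no code at all, so the second factor adds nothing."""

    def __init__(self, secret: bytes, window: int = 5, require_code: bool = True) -> None:
        self.secret = secret
        self.counter = 0          # next counter value not yet accepted
        self.window = window      # tolerate codes the user generated but never sent
        self.require_code = require_code

    def verify(self, code) -> bool:
        if code is None:
            return not self.require_code   # fallback: no code, still "authenticated"
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1       # move past it so a replay fails
                return True
        return False


# RFC 4226 test seed (published in the RFC, not a real secret).
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token, issuer = Token(RFC4226_SECRET), IssuerVerifier(RFC4226_SECRET)
    code = token.next_code()
    print(code, issuer.verify(code), issuer.verify(code))   # 755224 True False
    print(IssuerVerifier(RFC4226_SECRET, require_code=False).verify(None))  # True
```

The look-ahead window is what makes a card-back or phone generator usable in practice: a user who presses the button twice, or whose transaction is abandoned, does not desynchronise the seed. The `require_code=False` path is deliberately the simplest line in the block, because that is how the weakness the Visa post describes would actually look in an issuer’s code: one configuration flag that quietly turns two factors back into one.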


Online Fraud Coming to Social Networks

Tuesday, March 31st, 2009

There is an interesting article today in the online Fortune Magazine focusing on the potential use of social networks to facilitate collaboration between online criminals intent on committing online fraud. The interesting hook for the article is that fraudsters may begin using social networks like Facebook and Twitter to communicate, share data and pass illegal information. The reality is that online criminals have been working together for some time and have established a sophisticated online fraud value chain where fraudsters specialize in a particular fraud deliverable.

Generally you won’t find the online criminal who commits all aspects of an online fraud independently from stealing the identity, obtaining fraudulent credit, to finally defrauding an online business. Instead, online criminals may specialize in different areas of the fraud process. One criminal may specialize in establishing and utilizing botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or other elements of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals may begin to collaborate and communicate on Facebook and Twitter. The reality of today’s environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud. That is exactly part of the unique value we bring to our customers at iovation: the chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.