During this year’s record-breaking Black Friday and Cyber Monday, iovation documented a significant rise in fraudulent transactions, which included account takeover attempts.

Their comparison of the two hottest shopping days of this year vs. last year found:

• 400% increase in the rate of fraudulent transactions on Black Friday (up from 1% to 4%)
• 25% increase in the rate of fraudulent transactions on Cyber Monday (up from 3% to 4%)
• 15% greater transaction volume on Cyber Monday compared to Black Friday
• 4% mobile fraud rate on both Black Friday and Cyber Monday.  

These statistics are compounded by the dramatic and impressive consumer spending numbers for these dates. Consumers must understand that their credit card numbers are fueling the rise in cyber fraud. Throughout the holiday season and beyond, it is imperative that cardholders check their statements carefully, matching them up against receipts to confirm that each charge was authorized.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Holiday Shopping Security on Fox News  Disclosures

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to demonstrate the nature of the scam and specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website is in fact a virus.

“From: LinkedIn linkedXXX@em.linkedin.com  

Temporary FDIC insurance coverage news. To obtain more information about temporary FDIC insurance coverage of transaction accounts, please refer to http://www.xxxxxx. Yours faithfully, Federal Deposit Insurance Corporation.”

2. In this phish, the sender claims to be Canadian, but the email suffix “.cn” is Chinese, and the scammer grammar is clearly East African in nature.

“From: Mrs.Martha Chery tesXXX@k.cn

Dear Beloved,

I am Mrs.Martha Chery from Canada,I am 58 years old,i am suffering from a long time cancer of my brain,from all indication my conditions is really deteriorating and it is quite obvious that i may not live for the next two months.”

3. Wow, my “email address has won.” Lucky me?

“From: payofficeXXX@aim.com

WINNING NUMBER: OL/656/020/018

OUR DEAR WINNER, THIS IS TO NOTIFY YOU THAT YOUR EMAIL ADDRESS HAS WON ONLINE LOTTO AND GAMING CORPORATION SUM OF (ONE MILLION EURO).”

4. This scammer responded to a Craigslist ad I had posted. Apparently I “sounded gorgeous in the ad.” I probably did!

“From: Justina Serini justinaXXX@hotmail.com

Hi Robert, I found your posting and wanted to ask you something essential. I am in a relationship and caught my partner cheating on me so I decided to get even! My co-worker said Craigslist list would be the best place to find someone nearby who I can be with for one time only so thought the hell, I would email someone I thought sounded gorgeous in the ad and came across yours!”

5. In this phish, I’m being scammed in Hebrew!

“???????!!! info@free2XXX.co.il

???? ????? ????? ????? ?? ???? ???? ????? – ??????! ?? ?? ????? ?????? ?????? ?? ?????? ?????? ?????,”

6. Oh, wow, the United Nations is contacting me directly. How exciting!

“From: UNITED NATIONS bankimoonXXX@yahoo.com

Attn: Beneficiary, This is to inform you that the International Community has received series Complaints from Beneficiaries who are yet to receive their outstanding Contract/Inheritance Funds.”

7. Download this report, and you’re as doomed as a boiled lobster.

“From: Jerry Bush benoit.metzger@XXXueamachine.com

This report applies to the ACH transfer (ID: 963623905410) that was recently sent from your banking account. The current status of the referred transfer is: failed due to the technical error. Please find the detailed information in the report below.”

Hey, that reminds me, I have fish to fry!

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses phishing on Fox Business Disclosures

This holiday season, as you seek out hard-to-find gifts and look for the best prices, keep in mind that not everyone out there on the wild, wild web has good intentions.

Auction sites are ground zero for scammers. It’s very easy to set up a free auction page from anywhere in the world, collect people’s money, and run.

Here are four tips to keep you safe when shopping through auction websites.

1. Use strong passwords: Use complex passwords that are hard to crack but easy to remember. Passwords should include upper and lowercase letters as well as numbers, and, if possible, other characters.
2. Look out for phishing emails: Any email that appears to have been sent from an auction site should be considered suspect. Certainly there are legitimate communications being sent by eBay and similar sites, but none of them should require a direct email response. To confirm that a communication is legitimate, always go to the website directly via your favorites menu, log into your account normally, and check your “My Messages” folder, rather than clicking any links within the email.
3. Secure your device: Whether you shop using a tablet, smartphone, PC, or Mac, they all need some form of antivirus protection. At the very least, the operating system should be kept up to date with all the latest security patches. Any website can potentially pose a threat. Never respond to pop-ups that claim your computer or other device has been infected and instruct you to install antivirus software. This is actually “scareware.”
4. Buy from trusted sources: Some may not like my saying so, but buying from sellers with no track history is risky. If sellers have less than five transactions under their belt, they may be scammers. My rule of thumb is never but from anyone with fewer than ten transactions, and even then I take all their feedback into account before purchasing. If a seller has ten transactions but all those purchases are less than a dollar in value, that seller is still suspect.

Online classified and auction websites can do more to protect legitimate buyers and sellers by identifying fraudsters faster with advanced device identification.  iovation Inc.’s fraud prevention service is called ReputationManager 360 and incorporates device identification, device reputation analysis, and geolocation, velocity, and anomaly checks in its real-time risk profiling. iovation is used by hundreds of online businesses to prevent fraud and abuse by analyzing the computers, smartphones, and tablets being used to connect to their online properties.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Black Friday/Cyber Monday Scams on Mike and Juliet Show  Disclosures

According to the NY Times article, “Cyber Monday Shopping Surpasses Expectations,” both ComScore and IBM Benchmark reported that the $1.3 billion spent by online shoppers represented up to a 33% increase in online sales over last year. This followed record-breaking Black Friday weekend sales of $52.4 billion, which CNN Money reported is a 16% jump over 2010. Either way you cut it, there’s little doubt that retail and online sales over the weekend could make for a very profitable holiday season for merchants.

At iovation, we help our clients know who to trust online, by quickly recognizing their good online customers and isolating the fraudsters through shared device intelligence. By identifying bad actors upfront and flagging suspicious transactions in real-time, we help merchants decline fraudulent orders faster, minimize chargebacks and take more good business with confidence — all especially important during the holiday’s peak traffic.

Looking at iovation’s device reputation network on Black Friday and Cyber Monday, we found some interesting trends and year-over-year comparisons during the two hottest shopping days of the year, including:

• 400% increase in the rate of fraudulent transactions (from 1% to 4%) on Black Friday
• 25% increase in the rate of fraudulent transactions (from 3% to 4%) on Cyber Monday
• 15% greater transaction volume on Cyber Monday compared to Black Friday
• 4% mobile fraud rate on both Black Friday and Cyber Monday

While it was no surprise that credit card fraud, shipping fraud and account takeovers topped the list of fraud types reported to iovation’s database on these days, a noticeable drop in the share of mobile shopping activity was very unexpected.

Despite several industry surveys forecasting significant increases in mobile purchases over the holidays, iovation saw mobile transactions decrease as a share of overall activity on Black Friday and Cyber Monday. While mobile transactions usually account for 5% of queries to iovation’s service, mobile’s share of overall retail transactions dropped to 3.2% on Black Friday and 2.7% on Cyber Monday. At this point any conclusions would be only speculative as to why mobile transactions were down during these peak periods. Are consumers not ready to make purchases over their smartphones? Is the user experience of a smartphone checkout too cumbersome compared to the convenience of a desktop?  As retailers look to the mobile market as an increasingly important channel, it will be critical that they solve these issues.

Keep safe and sane this holiday season:

1. Look for indications of online security. Depending on your browser, there may be an icon of a yellow lock at the top of the window, near the address bar, or at the bottom, near the taskbar. If the website is secure, the yellow lock should be closed. Some browsers use a color coding system, displaying red to indicate that a website is not secure and may potentially be infected, or green to indicate that it’s okay. 

2. Update your operating system. If your computer’s operating system is out of date, it may invite trouble when heading out to the wild, wild web. Go to your security center to download the latest critical security patches.

3. Update your browser. While your operating system may be up to date, which would mean that Internet Explorer is most likely up to date as well, if you are using Chrome or Firefox, you may need to update manually. Select “About” in your browser’s toolbar to check for updates.

4. Protect your computer with antivirus software. Antivirus protection that includes a firewall will, in most cases, shield you from “drive by downloads” and other malware. Even a major online retailer with a secure website can be vulnerable to criminal hackers.

5. Beware of phantom websites. Criminals love to pull the wool over unsuspecting eyes. One technique is to use “black-hat SEO” to place fake websites at the top of organic search results. Customers who attempt to make purchases via these fake websites are unknowingly transmitting credit card numbers directly to the hackers, and it’s safe to assume they’ll never receive the products they believe they’ve purchased.

6. Check credit card statements often. I still have to search the Internet for the names of unfamiliar retailers that appear on my credit card statements with unauthorized charges. Check your statements online weekly, and refute unauthorized charges within 60 days.

Most major online retailers are already using multiple sophisticated fraud prevention procedures to protect you. Oregon-based iovation Inc. is one hot technology company offering a device reputation service that alerts businesses to suspicious behavior such as someone attempting to hijack your account or use your stolen credentials (and  many others’) to steal from online businesses.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

1. Go big. Do your online business with major retailers, or those you already know, like, and trust. The chances of a major online retailer stiffing you, or of their database being compromised, are slimmer than those of an unknown.

2. Do your homework. If you search for a particular product and wind up at an unfamiliar website, do some research on the retailer before putting down your credit card number. Search for the company’s name and web address to see if there have been complaints.

3. Don’t give out more personal data than necessary. Many retailers require your name, address, phone number, and credit card information. This is normal. But if you are asked for anything beyond that, like bank account numbers or your Social Security number, run hard and fast.

4. Vary your passwords. Often, online retailers will ask you to register with their website when you make your first purchase. Never register using the same password you’ve already used for another website. Otherwise, if one website is hacked, your password could be used to infiltrate your other accounts.

5. Use HTTPS sites. Websites that have a secure checkout process, with “https://” in the web address (as opposed to “http://”) are safer.

6. Print out and save online receipts. Keeping track of what you bought, where, and for how much can become confusing when making multiple purchases online. You need to pay close attention to your purchases in order to reconcile your credit card statements.

Smart retailers are already protecting consumers behind the scenes by implementing multiple layers of fraud protection. One very effective fraud detection technology is the use of device identification and device reputation to alert businesses to known fraudsters on their site. iovation Inc. provides this service, taking it another level to analyzing the device’s reputation by assessing risk on each transaction.

“The most reputable online sites all ramp up their security processes during the holidays,” says Molly O’Hearn, iovation’s VP of Operations & Co-founder. “This is a very good thing for online consumers because this is the time of year that your identity and credit card information is most at risk.”

Whether you are buying electronics as gifts this holiday season, or sports and entertainment tickets for friends and family, iovation is working hard in the background of these sites to keep the bad guys out so you can have a safe and fun experience.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

As we inch closer to the holiday season, a pair of recent articles highlight the increasing volume of online transactions that are just around the corner for online merchants. If there is a security takeaway from these trends, it’s that IT fraud teams better be prepared for significant increases in online transactions over the next few weeks.

The first article, “Retailers: Don’t Leave ‘Peak Week’ Money on the Table,” highlights the jump in online traffic over the four-day sales period it terms, “Peak Week.” That’s the time between Black Friday (the day after Thanksgiving) and Cyber Monday (the following Monday). According to analysts at Experian Marketing Services, each of these four days appear in the top 10 for high transaction rates. Other online traffic and retail email data results the marketing group released included:

• In 2010, online traffic to the top 500 retail sites increased 5% during Peak Week over 2009
• Email volume increased 26% in 2010 versus 2009 during Peak Week
• Black Friday online traffic increased 13% in 2010
• Black Friday is the second-biggest day for online email transactions

In the article, “Online Merchants Prepare for Cyber Weekend (Not Monday),” Ken Wisnefski, founder and CEO of the search engine marketing and E-commerce solutions firm, WebiMax, elaborated on the significance of how Peak Week, or what he calls, “Cyber Weekend,” has become much larger than a one-day retail event.

“Online retailers and merchants have largely invested in E-commerce, online ads and ramping up their website infrastructure in 2011. We’re seeing these merchants committed to making it a weekend-long buying experience versus confining the mad-dash to just one day.”

At iovation, our mission is to support our clients’ business growth by securing online transactions through highly effective fraud prevention solutions. iovation is focused on helping our subscribers manage the higher volume of risks that come with peak season online transactions, without negatively impacting the shoping experience for their customers.

As an anti-fraud security provider that helps stop more than 150,000 fraud incidents each day, we understand the importance of efficiently managing high-volume order flows. Making sure that your fraud team is prepared for the growing number of online orders over peak sales periods is critical if you’re going to get the most out of the holiday sales season.

1. When handing your card to a clerk or cashier, pay close attention. The card should be swiped through a point of sale terminal or keyboard card reader once, maybe twice. If your card is swiped through an additional reader, the card number may have been stolen.

2. Shop only at trusted sites. Phantom websites appear online all year round. They look legitimate, resembling well-known online retailers. But only do business those you recognize. Established online merchants are best.

3. Unsolicited emails that request sensitive data such as credit card numbers or lead you to a too-good-to-be-true offer are most likely phishing emails. Don’t disclose your information, and don’t click unknown links.

4. Check your credit card statements daily, if possible. Once a week is sufficient. Refute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, it’s 60 days, and for debit cards the limit can be 30 days or less.

Internet crime schemes steal millions of dollars annually from victims. If you are looking for more helpful tips, the Internet Crime Complaint Center is a great resource. Their site provides preventative measures that help you be more informed prior to making purchases on the Internet.

Holiday schemes will be in full force this year. Charge or purchase wisely.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Criminal hackers are getting smarter and savvier all the time, and they often have better technology than the banks and retailers tasked with protecting your data.

Time reported on a recent Javelin Strategy and Research survey in which Javelin analyzed 23 of the biggest credit card issuers’ online security practices. When companies were graded on a 100-point scale, the average result was just 59. Javelin head of security and risk analyst Phil Blank, who authored the study, explained, “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do. Prevention is the hardest to do but it’s got the biggest payback.”

The report also found that for a full year after your bank account information has been hacked, there is a strong chance that you will be a victim of credit card fraud. So even though you may be getting a little hardened to data breach warnings, you still need to watch your credit card statements closely. As long as you dispute unauthorized credit card charges within 60 days, federal laws limit liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

One of the FFIEC’s recommendations for financial institutions involves using complex device identification. iovation, an Oregon-based security firm, offers an advanced device identification service that incorporates real-time risk assessments, the history of fraud on linked devices (such as chargebacks, identity theft and credit application fraud) and exposes fraudsters working together to steal from online businesses.

“Complex device identification” involves the creation of a digital fingerprint based on several characteristics of the device including hardware and software configuration, Internet protocol addresses, and geolocation. Unfortunately, complex device ID by itself only increases the strength of identification; it does little to increase the efficacy of an overall anti-fraud strategy.

“Device reputation” offers all of the security measures that complex device ID does, but it also strategically incorporates velocity, anomalies, proxy busting, webs of associations (linking devices and accounts), and fraud and abuse histories. Device reputation moves from a micro to a macro view of transactions which takes into account how particular devices behave or have behaved beyond its activities with a financial institution, its usage by a current user or other users, and/or its relationship to other devices.  This chart explains what is involved with each:

Leading financial institutions aren’t merely complying with the FFIEC’s security recommendations, but are going beyond it by incorporating device reputation and other authentication and anti-fraud tools into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

iovation has seen first-hand mobile transactions increase by more than 300% annually. With merchants expecting more fraud as a percentage of sales from their mobile channel, I look forward to participating alongside with other leading mobile security authorities in the panel, “Mobile Security: Improving Systems to Mitigate Fraud,” at the Mobile Contactless Payment Innovations Summit in Chicago.

I will be joining Marc Washawsky, SVP Mobile Channel Executive at Bank of America, Kevin Gillick, Executive Director at GlobalPlatform, Jack Jania, SVP GM Secure Transactions at Gemalto, and moderator, James Wester, Editor of Mobile Payments Today, as we share with executives from retailers, banks, card issuers and payment networks insights on assessing risk and detecting fraudulent behavior from mobile devices, including smart phones and tablets. Some of the topics we will cover include: 

• The importance of mobile security
• Common perceptions customers have towards mobile devices
• Mobile standards, practices and identity issues
• The security and fraud implications for consumer vs. business devices
• The future of mobile security

Each year, iovation assesses billions of online transactions for our customers, most notably in financial services, online retail and online communities like social networks and dating sites. Of the mobile transactions we’ve assessed for risk to date, 35% were from Android devices, 32% from iPhones, 24% from iPads, and 9% have been from Blackberry and other mobile devices.

The mobile fraud panel will take place on Tuesday, October 18th, beginning at 11:15 a.m. at the W Hotel City Center, Chicago, Illinois. If you are attending this conference, I hope you can join us for this very important presentation.

According to the article, “Cyber crime hit 431 million adults in 24 countries,” a recent Norton cybercrime report found online crime jumped 3% compared to its 2010 study, costing fraud victims more than $388 billion worldwide over the past year.

Eating up 35% of the global cybercrime bill were U.S. fraud victims, who spent $139 billion on cybercrime last year. That amounts to 141 victims per minute, an alarming statistic even for Norton’s consumer cybercrime expert, Helen Malani.

“We were astounded by the costs in terms of cash lost. The number came to more than $US388 billion globally. That’s more than the illegal drugs market in heroin, cocaine and marijuana. Cybercrime is an illegal underground economy and it needs to be taken seriously.”

According to the study, one of the biggest gains in cybercrime last year came in crimes against mobile devices, which are up 10% globally. No surprise there, considering the explosion of smartphones and tablets being used to connect to the Internet. Malani said the chief concern with mobile fraud is users inability to stay on top of security updates. She said only 20% of people accessing their mobile devices have installed the most up-to-date mobile security. With up to 80% of mobile devices improperly protected, this provides fertile ground for cybercrime activity.

Similar to any other legitimate economy, growth in the illegal underground marketplace is driven by innovation, and tapping into the next opportunity. For cyber crooks, it’s all about exploiting the latest technology before the security gaps are identified and closed.

For online businesses that allow users to access their websites and corporate networks via mobile devices, this is especially disconcerting. Operating without the tools to effectively detect when fraudulent devices are logging onto their sites and requesting transactions, organizations and their customers are vulnerable to evolving schemes such as credit card fraud, card-not-present (CNP) fraud, account takeover, phishing and identity theft.

Today, building a multi-layered fraud preventative strategy that includes device reputation technology is critical to identifying when an Internet-based device, whether it’s a PC, smartphone and tablet, is already registered or attempting to log onto a website. The device intelligence that iovation’s ReputationManager 360 provides in real-time allows online businesses to recognize when a remote device that has been used to commit fraud or abuse in the past and stop any illegal or unwanted activity before it happens.

With nearly 150 users (just in the U.S.) exposed to some type of fraud every minute, it’s time businesses gain an extra layer of protection needed to stop more advanced forms of online fraud and abuse. Performing real-time risk analysis on transactions from every country in the world, iovation has already flagged nearly 40 million fraudulent transactions for its B2B customers just this year.

Their main concern was that companies could set up shop, accept tons of credit card charges, and then vanish, leaving the banks short. Mail order fraud was also big. A stolen credit card could be used to place orders over the phone, and when the fraudulent charges were discovered, merchants would suffer from chargebacks.

At the time, it wasn’t even necessary to provide a correct expiration date, as long as the card wasn’t already expired. Then credit card companies began verifying billing addresses to authenticate mail orders. Eventually, an additional verification code was added to cards, referred to as a CVC or CVV. We still use these codes today, but they can be fraudulently obtained in a number of ways.

When merchants moved from catalogs to websites, IP addresses were used to track transactions. But bad guys figured out how to spoof them.

Now we have a number of new technologies designed to fight credit card fraud. The most effective and widely implemented is device reputation, an effective online fraud prevention method that helps protect retailers from fraudulent CNP transactions by examining the computer or other device for a history of unwanted behavior, plus any suspicious activity at the time of transaction.

If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, flagged 35 million online transactions as high-risk in the last year for its clients and will flag 50 million or more by the end of 2011.

Protect yourself from credit card fraud by checking your statements regularly. Set up your own email alerts so that at a minimum, you are notified of any transactions over your specified amount occur on your account. Businesses set up triggers and alerts to protect themselves, shouldn’t you?

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

In 2010, we screened nearly 2 billion transactions and stopped over 35 million fraud attempts. The collaboration we support and the meaningful impact we have in stopping all types of online fraud and abuse are part of what makes us proud of what we do here at iovation.

This was our most successful year ever and we have even higher expectations for next year. Thanks for working with us to make the Internet a safer place. Here’s to seeing what we can accomplish together in 2011.

Happy holidays and best wishes for the New Year.

Sincerely,
Greg

Raising consumers’ awareness of new holiday scams is also in the best interest of online businesses. Doing so can help prevent criminals from stealing consumers’ financial information and identities that they use to perpetrate identity fraud against businesses and financial institutions.

The following are some of Siciliano’s top scams that hackers are using this holiday season to trick consumers into divulging their personal and financial information:

With online sales expected to increase this holiday season, consumers and businesses need to be aware of what hackers are up to. Of course, online shoppers should always take extra precautions and use common sense when opening unsolicited emails. To mitigate online threats that use stolen information to create new fraudulent accounts or take over legitimate ones, organizations need to deploy security tools that go beyond the personal and financial data provided by the user. By identifying known fraudulent computers or mobile devices that are trying to access a website, iovation’s ReputationManager 360 helps companies prevent online criminal activity and improve the security of both online and mobile transactions.

With cybercrime more prevalent during the holiday rush, this got me thinking about what gifts would be at the top of fraud manager’s wish lists, and how iovation can help fulfill those holiday wishes. Here is my list of the top gifts fraud managers would like to see this holiday season:

1. Secure online and mobile transactions: Online and mobile payments are the lifeblood of many companies today. Having the right tools to secure both online and mobile transactions is critical to mitigating fraud risks. In addition to identifying computers accessing their online stores, iovation helps companies assess risk on all transactions from iPads, tablets, and mobile devices including iPhones, Android, Blackberries, and many other brands.

2. Multi-layered security defense (“defense-in-depth”): Any anti-fraud strategy that doesn’t work together with other defenses can leave weaknesses in the system that cybercriminals take advantage of to perpetrate fraud and abuse. Inclusion of iovation’s ReputationManager 360 solution helps provide a multi-layered security strategy that allows organizations to prevent attacks by coordinating multiple defense techniques that complement each other, filling in the gaps of existing anti-fraud tools.

3. Early recognition of bad guys through their devices: As fraudsters continuously provide false or stolen information to create multiple online profiles to apply for credit online and access websites, companies cannot expect to effectively catch criminals with tools that rely solely on the data provided by the user. iovation’s 4 billion device reputation checks enable businesses to identify devices with a history of online fraud or abuse to help businesses stop criminal activity such as credit card fraud, account takeovers and identity theft, no matter what information the user has provided.

4. Eliminating heavy burden of manual reviews: As the volume of online orders increases during the holidays, organizations need a way to reduce the number of orders they review. By accurately identifying devices with fraud history, as well as devices and accounts associated with fraudulent or abusive behavior, in real-time, iovation significantly reduces the number of suspicious online orders that need to be reviewed, easing the heavy burden of manual reviews.

5. Expediting legitimate, good orders: Of course, accepting more good orders from satisfied customers is the key to growing profits. Leveraging iovation’s device intelligence through the Device Reputation Authority database enables companies to gain the confidence they need to block bad orders and accept good orders faster through more precise risk management. As a result, organizations can better protect their good customers while increasing their operational efficiencies and overall business revenues.

Sure, we’d all like to sleep as quiet as a mouse come Christmas Eve. This holiday, iovation is providing online businesses with the protection they need to safeguard their IT environments so they can get a crime-free, good night’s sleep.

According to the article, “Watch out for credit card hackers this Christmas,” Rob McAdam of Pure Hacking, an organization dedicated to helping businesses protect their information assets, said it’s just not large corporations that hackers are targeting during the holiday season, but mid-sized retailers are becoming more and more affected by security breaches involving credit cards.

“We are typically finding larger retailers that rely on reputable payment gateways and who have made data security a priority are no longer the main targets for fraud.”

As Cyber Monday is just days away, experts forecast online sales to break the $887 million spent last year. For many global merchants where holiday sales are already in full swing, iovation is actively involved helping them prevent fraud and keep chargebacks and related fees to a low.

Merchants are effectively leveraging iovation’s device reputation network (with over 450 million unique devices) to know whether those devices connecting to their websites have been involved in credit card fraud, shipping fraud, account takeovers, phishing and identity theft, and if the transactions coming from those devices are suspicious or considered to be high risk.

Join us for a live webinar, “Detecting High-Risk Transactions,” on Tuesday, July 20th. Learn how you can proactively assess risky transactions to better protect your business from more sophisticated schemes and elaborate fraud rings. Along with discussing the various techniques today’s cyber criminals use to hide their identities, you’ll learn more about the top 5 methods of detecting transaction risk, including:

Transaction Anomaly — Check mismatches, proxies and disabled components.
Velocity Rules — Know when activity counts have been met or exceeded.
Profile Risk — Check against aggregate profiles of risky accounts or devices.
Factual Evidence — Identify when known bad devices touch your website.
Account Associations — Identify and shut down fraud rings for good.

Register today at iovation.com/risk-mitigation.

We look forward to a very insightful, interactive discussion.

I recently sat down with Failsafe’s chief operating officer, Patrick Sallnert, to discuss some of the top online payment challenges facing today’s merchants, its integrated e-commerce platform, Certo Payment Gateway, and how our partnership will help provide safe and secure online payment services for merchant customers.

Max Anhoury: We are very excited to be partnered with Failsafe Payments and your Certo Payment Gateway. Would you please tell our readers about Failsafe Payments and how it got started?

Patrick Sallnert: Failsafe Payments was created in 2007 as a regular billing company by a very experienced team within e-payments. Our goal early on was to make it easy for merchants to find suitable billing solutions along with an easy API or payment page integration along with excellent customer support. In 2008, we established Failsafe Payments North America with an office in Cleveland, Ohio, and it was around this time I started to think about the product that would later become Certo Payment Gateway.

MA: What do you see as the major payment challenges facing online merchants today?

PS: I am glad you asked that question as this was exactly the reason for creating the Certo Payment Gateway. There are so many alternative payment brands, services and solutions out there that it’s difficult for merchants to keep track of them. Enabling these solutions requires a lot technical expertise for all the integrations. We have done all that for them, and make it affordable by not including any ridiculous set-up or monthly fees. We charge a per transaction fee. That’s it. Merchants can pick and choose the solution right for them, and we help them with the paperwork towards each partner and service they want to enable. The more payment methods a merchant can offer, local or international, smaller brands and bigger brands, the more sales and conversions they will experience. We will also integrate MSPs, banks and shopping carts.

MA: The Certo Payment Gateway is quite complex. Would you explain how it works, who uses it, and how you intend to offer iovation towards your customers?

PS: Certo Payment Gateway is extremely complex, but not for the intended customers. The customers we are targeting are merchants that want to sell their goods or services locally and internationally. We also offer a white labeled solution for MSPs. That, too, without the set-up fees others are charging. We were even quoted a $50,000 USD set-up fee from one of our competitors. I was flabbergasted to say the least.

iovation’s solution will be offered to our merchants that use our payment page integration. We simply enable it when the merchant wants us to. We have customized iovation ReputationManager so the merchant does not have to think about any other aspects than their core business, which is selling their goods or services and maximizing profits.

MA: Mitigating risk in online transactions is something both of our companies are very familiar with. Can you tell us why you chose the fraud protection partners that you did, and the benefits that will be passed on to your merchants?

PS: We have our own MPI software for 3-D Secure transactions that we can enable for any merchant that wants to process with 3-D Secure, as long as the acquiring bank supports it. Basically, we chose the top providers of different kind of fraud screening to pass on the possibility to choose the best ones for that particular merchant and their types of goods or services. Of course, merchants can enable several for comprehensive, multi-layered approach. iovation’s device reputation service is a perfect fit in our portfolio of integrated partners. Our merchants can enable fraud screening solutions immediately, without doing all the technical integrations and tweaking. In that sense, we’ve done the work for them.

MA: Thanks Patrick.  We are very excited about teaming up with Failsafe Payments, and look forward to helping provide your online merchants with solutions that improve their business and mitigate risk of online payment fraud.

For more information on Failsafe Payments, visit failsafepayments.com.

Additionally, as perpetrators of online crime get smarter and savvier, it’s becoming increasingly difficult to distinguish between legitimate email and spam. Especially during the holidays—a busy time for fraudsters, as we’ve already discussed—there are plenty of opportunities to take advantage of the upswing in online shopping for Christmas. For example, take a look at the top 10 subject lines for seasonal spam, as reported in the December issue of Symantec’s monthly report, State of Spam:

1. Sales Receipt from Amazon
2. Sales Order from walmart.com
3. Incredible sale for luxury goods
4. Re: what she wants for Christmas
5. Give her luxury this holiday season
6. Bling yourself up this Christmas
7. Get the perfect gift for Christmas
8. Impress your friends this holiday season
9. Xmas on-line cookies
10. Time limited Christmas promotion

It’s worth noting that the top two subject lines both incorporate the names of well-known online retailers, in a devious attempt to make the spam seem legitimate. Unfortunately, these emails could very well end up being malware designed to steal credit and identity information.

While this is certainly something important for individuals to be vigilant about, it should also be a serious concern for online merchants. Why? Two reasons, #1. These kind of schemes are going to make online users increasingly suspicious and therefore less responsive to legitimate advertising, and less likely to participate in online shopping. #2 (We just can’t say it enough) At the end of the day what online criminals are after is money, so as they become increasingly successful at running online spam and phishing schemes, they will turn increasingly to online businesses to “cash out.”

One way for online businesses to keep up with changing fraud trends and protect themselves from malware and scams is to work together to provide information on what kinds of fraud and trends other online businesses are facing. In the real world, when law enforcement simply isn’t enough we turn to our neighbors to help watch for crime and protect each other. The same is possible online. iovation provides a platform that allows businesses to join forces to expose Internet devices that have defrauded other businesses so they can better protect their businesses from fraudulent transactions and other scams that are on the rise.

Besides providing statistics on what online purchases people were spending their hard-earned money on during Black Friday, ReD also noted that online criminals were out in force, busy spending other people’s money. “Whilst online retailers witnessed a huge upturn in sales this Black Friday, fraudsters are also ‘spending’ more, with an average value of $248 per transaction online, 23% more than the average genuine customer,” said ReD’s CEO, Carl Clump.

And in most cases, it seems that fraudsters were clamoring for the same hot commodities as everyone else. Based on ReD’s list, the three most popular items bought with stolen credit cards were gift cards, Nintendo Wiis and Xbox 360s. Of course, this doesn’t mean that fraudsters will soon be kicking back and playing their stolen video games. It’s important to remember that for criminals, online theft is a business, and the principles of supply and demand are still in effect. Fraudsters choose to steal items that are in high demand because it will be easy to turn those goods around for a quick profit.

The problem is, if online criminals are profiting—it means online merchants aren’t. And while a new camera or video game might be at the top of many of our wish lists this season, for online criminals, it always comes down to one thing: money.

Much like online businesses, cyber criminals are working around the clock this time of year. But instead of sending out legitimate emails promoting online sales, fraudsters are sending out emails containing bogus links that closely resemble real retail websites. While their intent is to steal credit card information from unsuspecting online shoppers, the real victims in this crime will end up being online merchants.

The reason for this is what’s known as a chargeback—a truly dirty word for anyone in online retail. It works like this: once an individual whose credit information has been stolen discovers a fraudulent purchase on his or her account, she contacts the bank to report the fraudulent charge. The charge is then refunded to the individual, and charged back to the online merchant.

Unfortunately, by the time a chargeback is processed, the merchant has usually already accepted the order and shipped the goods to the address provided by the online criminal. And once the goods are out the door, they’re most likely never coming back. This means that goods have essentially been stolen—but not at the expense of the person whose credit information was stolen, instead it is at the expense of the online merchant.

Not only that, but the loss of the stolen merchandise isn’t the only way online merchants suffer from chargebacks. Other setbacks include:

• Increased fees: As credit card chargeback rates get higher, so do online merchants’ rates with card companies. If the fraud rate gets too high, online merchants may lose the ability to accept cards entirely, resulting in seriously negative impacts to revenue.

• Increased operational costs & overhead: The more questionable charges an online merchant encounters, the more resources—both time and money—will be spent trying to distinguish between good and bad orders. This can lead to a serious imbalance of resources.

• Member attrition & tarnished reputation: Once an online merchant’s website has been associated with fraud, retaining good customers and generating new ones becomes extremely difficult, resulting in more customer attrition and loss of potential business revenues.

Ultimately, when it comes to online holiday scams it’s the online merchants, not the shoppers, who are left with the bill. And while increased business this holiday season is good for online merchants, having the tools to effectively identify bad transactions may be the biggest gift of all.

The retail sites for Amazon.com, Apple, Best Buy, Target and Wal-Mart each saw more than 4 million unique visits Friday, comScore said, with Amazon receiving the most traffic (up 28% from 2008). Apple, Best Buy and Wal-Mart sites also experienced double-digit traffic gains. According to Experian Hitwise, another Web monitoring firm, other e-commerce standouts included Sears, Staples and Dell.

These results are welcome news for retailers who have been concerned that fear of identity theft could have a noticeably negative impact on sales. Just last week SC Magazine predicted overall online spending to be down this year because of such fears. Luckily, so far, this does not appear to be the case.

With online commerce looking healthy, online retailers can now turn their focus from enticing online shoppers to ensuring that the orders that are coming in are valid. With the increase in shopping will inevitably come an increase in fraud. Unfortunately, as the volume of orders increases, it often involves increased time spent on manual reviews to distinguish the fraudulent orders from the legitimate ones.

Periods of high volume online shopping, such as now, underline the need for effective tools that can identify fraud more quickly with less manual intervention. Running checks on the device history, in addition to credit, identity, and shipping information, are all important steps in finding (and stopping) online criminals and repeat offenders.

We at iovation wish all online retailers a profitable and fraud-free online shopping season!

“As we head into Q4 and the busiest season for online shopping and Internet use by those considered inexperienced users, click fraud will likely run rampant as scammers seek to tap into the increased attention, experts warned.”

Click fraud (which is when affiliate sites dishonestly increase online ad traffic in order to gain unearned revenue) is one of many types of fraud becoming more common with the use of botnets. In addition to click fraud, many other types of fraud—including spam, phishing attacks, and identity theft—are gaining in prevalence with the use of botnets. The result is that consumer PCs are under siege and individuals and businesses alike bear the cost.

“The significant rise in botnet-generated click fraud lines up with recent findings of several well-known malware and online fraud tracking experts,” said Paul Pellman, CEO of Click Forensics. “Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication.”
Another post from the Kansas City Star confirms this problem as well as provides some tips for individuals to protect themselves:

Slightly more than 4.3 percent of American adults were the victims of identity theft last year, according to the 2009 Identity Fraud Survey Report, and the percentage is expected to go higher when wallets are lost and stolen in the holiday shopping season. The average fraud amount per victim was $4,849 and took about 30 hours to resolve, The Javelin Strategy & Research Center reported.

It is worth noting that the $4,849, cited above, does not take into account the significant costs that businesses suffer as a result of fraud. And with all indications pointing to an increase in online fraud as the shopping season ramps up, online businesses are currently trying to prepare. A good fraud prevention process ought to be able to recognize the following items:

• Is the credit card valid? There are a number of security checks available that can point to credit card fraud. This includes authorization checks, AVS checks, card verification (i.e. checking CVV2 number), and other card validation checks.
• Has the individual committed fraud in the past? There are a number of commercial systems and internal databases that help businesses check whether the supplied Personally Identifiable Information (PII) has been associated with fraud in the past. This kind of system essentially checks whether the information submitted by the customer matches information that has been associated with fraud in the past.
• Does this transaction have high risk characteristics? Businesses should be tracking and flagging transactions that have high risk characteristics. Contributing factors can include: the country of origin of the purchase, the kind of goods being purchased, the use of IP proxies, the time of the purchase, and many others factors. For fraud systems that work with these risk factors, often a large number of factors are taken into consideration in order to determine a risk score for each transaction. Based on that score, businesses can make a decision whether to allow, deny, or flag that transaction for review.
• Has this computer been used for fraud before? Device reputation systems are now considered a best practice for fighting online fraud. An online business should be able to understand, independent of personal information, whether or not a computer that is being used to conduct online business already has a history of fraud. The critical components of this system are: the ability to identify and re-recognize a computer and the ability to take into consideration historical fraudulent activity associated with that computer.

With these techniques in place, businesses will go a long way to stopping holiday fraud.

But while that kind of fraud certainly does exist, there is another type of fraud that can be equally troublesome and, to some extent, even harder to combat: fraud committed by individuals using their own legitimate information. A very common example of this kind of crime is shipping fraud and it takes several different forms. Here are a few examples and tips on how companies can address this problem.

• Denying receipt of goods – In this case, an individual will legitimately place an order and actually receive the goods, but then turn around and deny that they were received. Strangely enough, people will even do this more than once for the same good after another item has been shipped. Online businesses that ship high-value goods often combat this by requiring signatures for receipt of goods. For many businesses, however, this is isn’t a practical solution. Ideally, organizations would like to be able to identify individuals who have a habit of doing this on any site.
• Denying the purchase – In this era of rampant identity theft, many individuals are using it to their advantage, claiming that their credit card was stolen and they were not the ones who made the purchase, therefore they should not have to pay for it. This is a hard type of fraud to detect and defeat, and the only real solution is to require a signature, or have an internal tracking system to identify repeat fraud.
• Returning the wrong good – I have talked with merchants before who have had individuals return old or damaged goods in place of the new ones they ordered and then demand a refund. These cases can be easier to address by simply refusing to refund the purchase, but they are still a problem that businesses would like to be able to address before shipping.

All in all, shipping fraud can be difficult to detect and defeat, but it is worth considering that typically individuals who do this once don’t quit while they’re ahead. Instead they become repeat offenders, targeting multiple online merchants. Tracking the activity of online criminals and sharing that information among a network of online businesses can significantly reduce this type of fraud. Imagine the benefit if businesses could identify the computer before a purchase was completed, and determine if that computer already has a history of shipping fraud.

There’s an old adage that applies here: “Fool me once, shame on you. Fool me twice, shame on me.”  When it comes to online fraud, businesses would do well to track fraudulent activity, learn from past experiences, and work together to minimize fraud this shopping season.