The iovation Site

Archive for the ‘Online Communities’ Category

Theft of Personal Data Extends to One-Time Passwords

Thursday, September 3rd, 2009

When it comes to protecting online accounts, multi-factor authentication—especially the use of tokens—has been considered the strongest protection against password theft and account takeover. A recent article from the NY Times, How Hackers Snatch Real-Time Security ID Numbers, explains the lengths that online criminals will go to in order to steal personal information and take over accounts.

In the article, they explain a scenario involving an infection called the Clampi trojan, but the success of an account theft or takeover isn’t dependent on any specific trojan. All it takes is some method of infecting a computer in order to provide real-time data from that computer back to the online criminal. The NY Times article details the way a trojan spreads and watches for ideal account targets.


Largest Credit Card Theft Ever – Over 130 Million Credit Card Numbers Stolen

Friday, August 21st, 2009

This week the Associated Press reported that a Miami man and two Russian co-conspirators stole over 130 million credit card numbers in the largest theft of credit information ever.

Anyone who doesn’t think that online crime has transitioned into big-time business should take note. Online criminals are coordinated and remarkably well organized. They are becoming increasingly adept and efficient at not only obtaining, but sharing, valuable data: namely credit and identity information.

The extent to which online commerce companies rely on their ability to trust in this very same data cannot be overstated. Today, most online transactions are checked for fraud based upon credit and identity checks. If trust in that data is undermined, then the business models of hundreds of thousands of online retailers will suffer.


Over Two Billion Device Reputation Checks

Thursday, July 23rd, 2009

We recently announced an amazing achievement and this is a proud moment for everyone at iovation. Since our inception, we have processed over 2.0 billion real-time device reputation inquiries for our subscribers.

Over two billion times, our subscribers have used one of our device printing technologies while interacting with end-users and then reached out to our service with device printing data plus their unique account or transaction identifier. In real-time (sub-second response times) our service then follows business rules that are unique to each subscriber and leverages terabytes of information in our global fraud database, the Device Reputation Authority (DRA). We can tell subscribers if they have ever seen a given device and if any related accounts and devices have a history of fraud or abuse at their site. We can also tell subscribers if any related devices are associated with fraud or abuse at other subscriber sites.
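The lookup described above (has this device been seen, do related accounts or devices carry fraud history at this site, and is there history at other subscriber sites) is a walk over a device-to-account graph. The following is an added illustration, not iovation's code or the DRA's actual data model: a toy in-memory store where subscriber names, device ids, account ids and the evidence labels are all constructed, and the two-hop walk and the "seen before" rule are assumptions chosen to make the idea concrete.

```python
"""Toy shared device-reputation lookup (added example; not iovation's code)."""
from collections import deque
from dataclasses import dataclass, field

# An account is identified by the subscriber site that owns it plus the id at that site.
Account = tuple[str, str]


@dataclass
class ReputationStore:
    # device id -> accounts the device has been seen with (across all subscribers)
    device_accounts: dict[str, set[Account]] = field(default_factory=dict)
    # account -> devices that have been seen with it
    account_devices: dict[Account, set[str]] = field(default_factory=dict)
    # account -> fraud/abuse labels reported by the owning subscriber
    evidence: dict[Account, set[str]] = field(default_factory=dict)

    def record(self, device: str, subscriber: str, account: str) -> None:
        """Record one sighting of a device together with a subscriber's account id."""
        acct = (subscriber, account)
        self.device_accounts.setdefault(device, set()).add(acct)
        self.account_devices.setdefault(acct, set()).add(device)

    def report(self, subscriber: str, account: str, label: str) -> None:
        """A subscriber reports fraud or abuse on one of its own accounts."""
        self.evidence.setdefault((subscriber, account), set()).add(label)

    def related(self, device: str, max_hops: int = 2) -> tuple[set[str], set[Account]]:
        """Breadth-first walk: device -> its accounts -> their other devices, up to max_hops."""
        devices, accounts = {device}, set()
        queue = deque([(device, 0)])
        while queue:
            d, hops = queue.popleft()
            if hops >= max_hops:
                continue
            for acct in self.device_accounts.get(d, ()):
                if acct in accounts:
                    continue
                accounts.add(acct)
                for d2 in self.account_devices.get(acct, ()):
                    if d2 not in devices:
                        devices.add(d2)
                        queue.append((d2, hops + 1))
        return devices, accounts

    def check(self, device: str, subscriber: str, account: str) -> dict:
        """Answer one inquiry; the inquiry itself is recorded as a new sighting."""
        seen_before = device in self.device_accounts
        self.record(device, subscriber, account)
        devices, accounts = self.related(device)
        local, shared = set(), set()  # evidence at this subscriber vs. at other subscribers
        for acct in accounts:
            labels = self.evidence.get(acct, set())
            (local if acct[0] == subscriber else shared).update(labels)
        return {
            "seen_before": seen_before,
            "related_devices": len(devices) - 1,   # excluding the queried device itself
            "related_accounts": len(accounts),
            "local_evidence": sorted(local),
            "shared_evidence": sorted(shared),
        }


def demo() -> dict:
    """Constructed scenario: one device links a clean account at bank1 to a bad one elsewhere."""
    store = ReputationStore()
    store.record("dev-A", "bank1", "u1")
    store.record("dev-A", "bank1", "u2")
    store.record("dev-B", "bank1", "u2")      # u2 also logs in from dev-B ...
    store.record("dev-B", "shop2", "v9")      # ... which another subscriber saw with v9
    store.report("bank1", "u2", "chargeback")
    store.report("shop2", "v9", "stolen-card")
    return store.check("dev-A", "bank1", "u1")


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the queried account u1 has no history of its own, but the device it arrives on links it to a charged-back account at the same site and, one hop further, to a stolen-card report at a different subscriber; that cross-subscriber link is the point of a shared reputation database. A per-subscriber business rule would then decide what to do with the two evidence lists.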


Texas Lawmakers Say No To Phony Accounts on Social Networks

Tuesday, June 9th, 2009

A very interesting article on MediaPost reports that Texas lawmakers have passed a bill making it illegal to create a phony profile on social networking sites. At iovation we deal with these issues for social networking sites all the time and it is especially problematic on iDating sites.

It will be interesting to see how this law plays out and whether it turns into simple grandstanding by lawmakers or if it will be able to have a real effect. The most likely impact of this law will be to address bullies or even families who use fake profiles to intimidate or harass others, as in the case that culminated in the suicide of a young girl. This law is unlikely, however, to have any impact on organized criminals who create multiple phony accounts to target and defraud users on social networks.


Device Fingerprinting Techniques – Several Choices

Thursday, June 4th, 2009

Device fingerprinting is a technology that has been growing in importance over the past few years. Online businesses are dealing with the problem of increased identity theft and manufactured identities being used to create new accounts, purchase goods, and in general transact with the online business in some way. Device fingerprinting complements existing identity based techniques to address this problem and to identify repeat offenders and fraud rings that target these businesses. In a recent online fraud survey put out by Cybersource, device fingerprinting was identified as the number one technology to be adopted, in terms of percentage of planned new adoption, over the course of the next year due to its high effectiveness.

At iovation, many of the questions we field revolve around how we do device fingerprinting. Rather than get into a detailed definition of device fingerprinting, I will address the basic choices available to companies and explain how iovation uses them. Essentially, device fingerprinting is used online to identify and then re-recognize a PC or other Internet device that visits an online site. There are really four different ways that this can be accomplished.


Vishing Attacks For Identity Theft? How to Protect Yourself.

Monday, June 1st, 2009

In a recent post I spoke about the recent phishing attack spoofing the Social Security Administration. Today I would like to discuss a variation of this identity theft scam: vishing. Where phishing uses social engineering through e-mail to trick people into visiting fake websites, vishing uses social engineering through the phone system to get you to call phony phone numbers that harvest your personal information. There is a good article on vishing attacks at CNET. Don’t be fooled by the fact that a voice mail is directing you to a toll-free number. Vishing attacks use temporary 800 numbers to appear more legitimate.

This attack is even more relevant to me personally as I witnessed this attack on a friend of mine this past weekend. My friend received a voice message telling him that his debit card account had indications of fraud and to call the 800 number immediately to get details. Once he connected to this number he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him so he hung up intending to call back later. When he did call back, he called the number of his financial institution on his card instead of the number left on voice mail. It was a good thing he did. There they indicated that there was no fraud activity on his account and that he had been a victim of a vishing attack.

In this incident it turned out OK because he never entered his personal information, but it could easily have turned out differently. The lesson from this incident is that, as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial or other account, you should dial the actual company number and have them direct you to the appropriate department. Do not trust phone numbers left for you in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.


New Visa Card Combats Online CNP Fraud

Thursday, May 14th, 2009

Visa is launching a new card aimed at combating card-not-present (CNP) fraud in the UK. The card essentially adds a two-factor authentication token to the back of the card that can be used to validate possession of the card online.

This is an interesting concept, but the execution of this with online businesses will make all the difference. The key here is the merchants and their adoption of this technology. If adoption is slow, then the card company may be forced to allow use of this card at sites without the PIN. If this is the case, the improved authentication is rendered useless because a scammer could still steal the card information and use it online. If, on the other hand, the card issuer continues to require the use of the PIN in order to complete an online transaction despite slow adoption by merchants, this could doom the use of the card by consumers as they won’t find enough places to use it.

Online merchants are the key to the success of this experiment and they have incentives to make this work. CNP fraud is a big problem and costs online companies billions of dollars per year. If they can band together to speed adoption of this technology, it will go a long way to changing how online fraud occurs.


When Fighting Online Fraud Not All Device Reputation is Equal

Thursday, May 14th, 2009

I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004 and we have a lot of experience with this issue. There is a big difference between the two types of reputations and their relevant value.


Social Networks and Malware a Potent Combination

Wednesday, May 13th, 2009

Yesterday, SC Magazine reported that malware distributed on social networks was 10 times more effective than the same malware distributed through e-mail. They report that it is a big threat to the future of social networks and hypothesize that its effectiveness is due to the trust relationships that exist on these sites.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned.


New Phishing Scam Spoofs Social Security Administration

Monday, May 11th, 2009

An SC Magazine article, out today, reports that a new phishing attack is now targeting individuals who will be receiving an economic payout later this month.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the user’s personal information is the target of choice, but this is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult; it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail or link from an e-mail to a page that collects that data.


Device Fingerprinting Protects Privacy in Fighting Online Fraud

Monday, May 4th, 2009

There has been some recent discussion in different articles regarding whether or not device identification (also referred to as device fingerprinting) constitutes a violation of privacy, in the context of fighting online fraud. The topic came up recently at a panel at RSA on the Benefits and Dangers of Device Fingerprinting. Device fingerprinting provides significant benefits for online businesses; it provides an additional factor for authentication, used by many online banks, and aids in the fight against fraud by identifying computers that have been used in the past for fraudulent activities and stopping future transactions from those systems.

The argument against this type of technology, however, is that the device information could be collected and sold, constituting a violation of privacy of the online user. What needs to be taken into consideration, however, is how device fingerprinting compares with existing identity-based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work to reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way.

The reality is that device fingerprinting systems provide online businesses with some of the only fraud management tools that don’t rely heavily on personally identifiable information. Instead of decrying privacy violations, privacy advocates should be looking to embrace systems that achieve the purpose of reducing online fraud while still protecting the privacy of good online users.


Extending iovation’s Anti-fraud Tools With Risk Module

Wednesday, April 29th, 2009

Today we announced our new device-based risk score that leverages the experience from profiling over a billion devices and the reputations of over 120 million devices in iovation’s Device Reputation Authority. Our risk score is unique because it is based entirely on device-based information and doesn’t rely on any personal information. Check out the announcement here: http://www.iovation.com/press-release-042909


RSA Wrap Up – ROI, Fraud as a Service, and Whitelisting

Friday, April 24th, 2009

It’s been a busy week at RSA for iovation and I have just about talked myself out of words, but as always it is a great show to connect with security professionals and measure security trends. The show attendance seemed to be down some, but as I have noticed at other shows the quality of attendees seemed to be up in general. There were a lot fewer people searching for tchotchkes and more who seemed to be there to get information and do business. Three quick observations from the show:

  1. ROI for security vendors is more important than ever. The time when businesses make investments on loose Fear, Uncertainty and Doubt (FUD) is coming to a close. Companies are looking to solve real, existing problems and more than ever are being held accountable for the impact of their investments on the bottom line of their company.
  2. Fraud as a Service resonates. I blogged a couple of weeks ago about a podcast from RSA where they referred to Fraud as a Service to describe the way online criminals are specializing and working together to commit online fraud. I am officially changing to this term in preference to the Fraud Value Chain. I spoke to reporters, analysts and security professionals about this concept and it really resonated. I had an interview with Bank Info Security that included this topic and here is the podcast.
  3. Application Whitelisting vs Blacklisting. I spent some time with the folks at CoreTrace and I think that Application Whitelisting may finally be hitting the market at the right time. Eric Ogren, from the Ogren Group, and I spoke about this and we both agreed that blacklisting systems, in other words anti-virus, provide little to no value in preventing attacks and more than ever are relegated to clean-up tools that identify infection after the fact and remove it. Whitelisting has a way to go before it completely replaces anti-virus, but it has a good future.

That’s it from RSA, now it’s time to head back and fight the bad guys.


IP Proxy Use In Online Crime Equals Stiffer Sentences

Friday, April 17th, 2009

Here is an interesting article that I came across that proposes stronger criminal sentences for online crimes where an anonymizing proxy is used. The intent here is that crimes committed while using an anonymizer indicate a higher level of sophistication. Critics of the measure state that this puts a stigma on what is many times seen as a good practice for protecting the online user’s privacy.

Independent of those issues, we at iovation have actually been studying the correlation of use of a proxy to online fraud and abuse. The early results are that, for online businesses, users who use an anonymizing proxy have a higher rate of fraud and abuse than those that don’t, but it isn’t a sufficient independent indicator of fraudulent activity. In other words, for analyzing the risk of a given online transaction, checking for the use of a proxy is one of many important checks in assessing the overall risk, but it is not sufficient on its own to determine whether an online user is bad. This also varies by industry. For example, the use of proxies is rarer at mainstream sites like online banks and retail sites than at online dating sites, where individuals may be more concerned about maintaining anonymity.

One thing remains certain, however, and that is the use of proxies by online criminals to mask their true IP address remains extremely high. We have found that if an online criminal, for example, is using stolen French credit cards to defraud businesses from the Ukraine, the criminals will often go to the trouble of ensuring that they use a proxy that identifies their machine as originating from France to bypass many of the fraud checks that online businesses use.
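To make the two points above concrete (a proxy is one signal among several, weighted differently by industry, and a proxy that makes the IP country match the card country defeats a geography check but not device history), here is an added scoring sketch. It is not iovation's risk score or its business rules: the signals, the per-industry weights, the thresholds and the four sample transactions are all constructed for illustration, and the upstream proxy and device-history checks are assumed to exist.

```python
"""Additive transaction risk score combining a proxy signal with other checks.
Added example; weights, thresholds and sample data are constructed, not iovation's."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    industry: str                 # "banking", "retail" or "dating"
    uses_proxy: bool              # result of an assumed upstream anonymizing-proxy check
    ip_country: str               # country the connecting IP geolocates to
    card_country: Optional[str]   # issuing country of the card, None if no card involved
    device_seen_before: bool      # device reputation: has this device been seen before?
    device_fraud_evidence: int    # number of fraud/abuse reports linked to the device


# Assumed per-industry weight for the proxy signal: proxies are common and far less
# suspicious at dating sites than at banks, so the same signal carries less weight there.
PROXY_WEIGHT = {"banking": 30, "retail": 25, "dating": 10}
REVIEW_THRESHOLD = 50
DENY_THRESHOLD = 80


def score(tx: Transaction) -> int:
    """Sum independent risk contributions; no single signal reaches REVIEW on its own."""
    s = 0
    if tx.uses_proxy:
        s += PROXY_WEIGHT.get(tx.industry, 20)
    # Geography mismatch between card and IP; only meaningful when a card is involved.
    if tx.card_country is not None and tx.ip_country != tx.card_country:
        s += 25
    if not tx.device_seen_before:
        s += 10
    # Device history dominates: each linked fraud report is worth a large step, capped.
    s += min(tx.device_fraud_evidence, 3) * 25
    return s


def decide(tx: Transaction) -> str:
    s = score(tx)
    if s >= DENY_THRESHOLD:
        return "deny"
    if s >= REVIEW_THRESHOLD:
        return "review"
    return "allow"


# Constructed sample transactions.
SAMPLES = {
    # Proxy alone at a retail site: a signal, but not sufficient by itself.
    "retail_proxy_only": Transaction("retail", True, "US", "US", True, 0),
    # Proxy on a new device at a dating site, where anonymity is common: still low.
    "dating_proxy_new_device": Transaction("dating", True, "US", None, False, 0),
    # French card, IP made to look French via proxy (geo check passes), but the
    # device carries two fraud reports: device history catches what geography misses.
    "geo_match_bad_device": Transaction("retail", True, "FR", "FR", False, 2),
    # Proxy plus a card/IP country mismatch at a bank: enough to send for review.
    "bank_proxy_geo_mismatch": Transaction("banking", True, "UA", "FR", True, 0),
}


if __name__ == "__main__":
    for name, tx in SAMPLES.items():
        print(f"{name:28s} score={score(tx):3d} -> {decide(tx)}")
```

The design choice worth noting is that the proxy weight never crosses the review threshold alone, matching the observation that proxy use correlates with abuse but is not an independent indicator, while linked device fraud history is the one signal allowed to carry a transaction to "deny" by itself.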

In my 17+ years in security I have often heard and repeated that security is a process, not an event, and in the high stakes games of online fraud, this is no different.


Conficker Starts Up Botnet to Enable Online Fraud

Friday, April 10th, 2009

Richi Jennings at ComputerWorld has a nice summary of blogs and articles on the activation of the Conficker botnet that is going to provide new avenues for online fraud. What began as a mass worm infection has now moved into the serious business of establishing a botnet that can be used for black market commerce.

This is a good example of the way that Fraud as a Service is enabled, which I talked about in my previous blog post. Now that Conficker has established a botnet, it can be used for a variety of ends. Here are a few to consider:

  • Spam distribution – many of this morning’s articles have focused on the first use of this botnet to distribute spam. Spam can be for illegal services or can also be links to phishing sites.
  • Identity theft – any botnet or trojan horse can simply be used to steal and transmit personal information. The way it generally works is that the user’s online web activity is monitored to capture user IDs and passwords from targeted sites like online banks, massively-multiplayer online games (MMOs), or commerce sites. That stolen data is then transmitted back to the scammer’s database.
  • Hosting phishing websites or download sites – Many times individuals’ PCs can be turned into hosting sites for phishing websites or illegal data download sites.

Botnets continue to be a big problem and are an important part of online criminal activity. Certainly individuals need to ensure their anti-virus software is up to date, and the industry needs to take steps to make account takeover more difficult through more common use of authentication tokens, and to make personal information less valuable online through the use of other fraud detection techniques like device fingerprinting and device reputation.