We all know cold remedies are made to treat the symptoms, not kill the virus. In a way, reactive anti-fraud solutions work the same way. They’re good at cleaning up the mess or correcting the problem once fraud has occurred, but have difficulty preventing cyber crimes from happening in the first place, or worse, stopping them from reoccurring over and over again.

The truth is, even diligent businesses running the latest security software remain vulnerable to the growing number of new and unknown forms of online fraud and abuse. Take it from Mark Patterson, co-owner of PATCO Construction Inc: when it comes to fighting ACH fraud the new FFIEC authentication guidance falls short. He says that until banks become legally liable and accountable for such online crimes, businesses will remain susceptible to online fraud.

In the BankInfoSecurity article, “Fraud: The Victim’s Perspective,” Patterson, whose small residential and commercial construction company lost over $550,000 to fraudulent ACH transactions, said that while he’s glad updates have been made to the security guidelines, they don’t go far enough. In order for small businesses to protect themselves from online crimes like ACH fraud and account takeover, they need to take it upon themselves to also incorporate their own internal policies and processes to detect fraud and abuse. Some of his recommendations include:

• Talk to your bank about the ACH fraud policy to understand if fraud losses are covered
• Monitor all online transactions for bad IP addresses, anomalies, and suspicious activity
• Run and analyze reports to recognize patterns and velocities
• Educate yourself about online threats and how bad they really are

(more…)

When it comes to victims of online dating fraud, we’ve heard the stories of how unsuspecting lonely hearts have lost tens of thousands of dollars. The emotional hardships and financial setbacks that victims of online romance scams go through can be devastating. This week, we saw another story that left one victim with no money, homeless, hungry, and eventually hospitalized with pneumonia in a foreign land thousands of miles from home.

In the article, “American Stranded in Ukraine in Online Dating Scam,” former write-in candidate for governor of Arizona, Cary Dolego, traveled to the city of Chernivti, Ukraine, eager to meet up with the woman he fell in love with online and one day hoped to marry. She never showed.

Turns out, Dolego was a victim of an online dating scam that stemmed from account takeover. Apparently, someone or some group hacked into a woman’s account on an international dating website and was communicating with Dolego on behalf of a woman named Yulia. While the woman later said the account on the dating site that Dolego had been corresponding with was hers, she claims she was not part of the scam. (more…)

The attack vectors of online scams morph faster and faster, making it consistently more difficult for security professionals to develop effective preventative solutions. Merely keeping pace with fraudsters’ latest tricks is not enough to adequately protect a system or network. This is especially true for online retailers and other businesses that open their virtual doors to international business.

According to the article, “Credit card fraud is a cross-border crime,” statistics have shown in recent years that online fraud trends can differ dramatically between countries. For example, online payment fraud in the UK dropped 10% from 2009-2010, while the US experienced a 157% rise in attempted payment fraud during that same period. (more…)

When talking to people on the street about fraud and abuse in multiplayer online games, they are often surprised that such a thing even exists! But the reality is that once a game reaches a certain level of popularity, it becomes equally attractive to the dark side.

Nexon America is one gaming publisher that takes this threat very seriously! They not only fight fraud and abuse head-on; they take a proactive approach with the assumption that every possible flavor of abuse will be attempted and they’re armed and ready for it.

At a recent fraud prevention user group for iovation’s gaming clients during E3 in Los Angeles, Nexon led discussions on preventing account takeovers, chargebacks and gold farming with other fraud professionals who attended. Gold farming (stealing virtual goods or using stolen credit cards to obtain them) is a serious abuse that destroys in-game economies and contributes to poor player experience. Additional topics that were covered during the iovation user group included friendly fraud, code hacking, password education, blacklists and biometrics, just to name a few. (more…)

For years now, it’s become customary for companies to write off a certain percentage of online transactions on the P&L to account for the fraud they assume will get passed their anti-fraud defenses. But is accepting a certain amount of fraud loss any way to combat a problem that’s increasingly impacting sales revenues and taking a bite out of your bottom line?

To reduce fraud rates, social networking sites are using their own social verification systems to determine whether the person at the other end of a Web transaction is actually who they say they are. According to the article, “How your social network can protect your credit card,” social networking sites like Facebook collect various pieces of information about a user’s personal network to identify a person and reduce fraudulent activities such as credit card fraud, account takeover and account hijacking within their network. (more…)

Twitter’s numbers are astounding. In the physical world, when communities become larger and more densely populated, crime rises. The same applies to online communities.

CNET broke down Twitter’s recent blog post, which celebrates their significant numbers: “It took three years, two months, and one day for Twitter to hit 1 billion tweets; now, a billion tweets are posted in the course of a week. An average of 460,000 new accounts were created per day over the past month, and an average of 140 million tweets were posted per day. Twitter now has 400 employees, 50 of whom have been hired since January.”

Spammers, scammers, and thieves are paying attention.
(more…)

I’m really looking forward to the upcoming Dominican Republic Caribbean Gaming Show and Conference in Santo Domingo. As one of the presenters on the online gaming panel, I will examine strategies for identifying high-risk transactions that help sportsbooks and online casinos prevent fraudulent activities like financial fraud, money laundering, fraudulent deposits, player collusion, bonus abuse and account takeover.

Last year more than 60 of iovation’s online betting, poker, sportsbook and casino customers reported and shared 350,000 fraud and abuse attempts through the ReputationManager 360 device reputation service, including the likes of William Hill, Entraction and WagerWorks. These experiences are shared along with our knowledge base of more than 500 million unique devices (computers, tablets and mobile phones) which online gaming sites leverage to gain insight into suspicious activity to prevent fraud before it happens. (more…)

A pair of cyberfraud advisories were issued to warn businesses and consumers about corporate account takeover fraud.

According to Errol Weiss, who runs the Financial Services Information Sharing and Analysis Center (FS-ISAC) corporate account takeover task force, the effort by his group and other federal law enforcement agencies is to make businesses and consumers more aware of this type of cybercrime and provide recommendations on how they can protect themselves against such attacks. (more…)

Along with the enormous success of mobile phone sales, wireless carriers and resellers have to contend with a variety of issues around theft and fraud. Working closely with several carriers and resellers, we’ve seen four primary fraud threats that financially impact carrier business. They include:

1. Account creation / application fraud – In this case, a fraudster uses a stolen identity to apply for an account online to order phones and services.  After initiating a shipping scheme to obtain the goods, the fraudster runs up the phone bill until the carrier or identity theft victim uncovers the charges.Much like credit issuers, carriers perform comprehensive identity and financial background checks on applicants, however, the checks are on the identity theft victim.  By adding a device check at the front of the process (which looks at the computer or Internet-enabled device being used), carriers can quickly identify suspicious activity such as when the same computer initiates multiple applications under various identities, or if the computer being used has been involved in previous fraudulent activity. (more…)

This week alone, I have seen two separate iPhone apps enabling multi-factor authentication for the likes of your accounts at AOL, eBay, PayPal and Blizzard, the provider of the popular online game World of Warcraft. The first application is provided by Verisign and provides multi-factor authentication for AOL, eBay, and PayPal to combat identity theft and account takeover. This could easily be expanded to include other sites and is a significant improvement over the options that were previously available. The second application is provided by Blizzard to authenticate users to their popular online games, like World of Warcraft, and is intended to address their account takeover problems.

Before these mobile applications, sites could either provide a separate hardware token for multi-factor authentication which was expensive and difficult to manage, or it could provide this capability through a text message on the phone which could be costly for both the consumer and the company. This application solves the token problem by attaching itself to something that most users always have in their possession (their mobile phone) and solves the cost problem by bypassing costly text messages and embedding the password generation intelligence in the mobile app. There is a beta version of the Verisign app for some BlackBerry models and for another 40 phones in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow.  The ease of adoption for the iPhone could be the difference make in this instance and it could be a positive step in the direction at combatting online fraud and more specifically account takeovers.