The truth is, even diligent businesses running the latest security software remain vulnerable to the growing number of new and unknown forms of online fraud and abuse. Take it from Mark Patterson, co-owner of PATCO Construction Inc: when it comes to fighting ACH fraud the new FFIEC authentication guidance falls short. He says that until banks become legally liable and accountable for such online crimes, businesses will remain susceptible to online fraud.

In the BankInfoSecurity article, “Fraud: The Victim’s Perspective,” Patterson, whose small residential and commercial construction company lost over $550,000 to fraudulent ACH transactions, said that while he’s glad updates have been made to the security guidelines, they don’t go far enough. In order for small businesses to protect themselves from online crimes like ACH fraud and account takeover, they need to take it upon themselves to also incorporate their own internal policies and processes to detect fraud and abuse. Some of his recommendations include:

• Talk to your bank about the ACH fraud policy to understand if fraud losses are covered
• Monitor all online transactions for bad IP addresses, anomalies, and suspicious activity
• Run and analyze reports to recognize patterns and velocities
• Educate yourself about online threats and how bad they really are

Today, too many companies struggle to keep the security of their desktop computers and mobile devices up-to-date, which puts their customers, business and brand reputation at risk. The FFIEC Guidance was designed to outline a multi-layered approach of processes and technologies that banks need to mitigate fraud risks, but if those recommendations aren’t applied and internally enforced businesses could still have trouble identifying and stopping risky transactions.

To combat the millions of online fraud and social engineering schemes attempted on banks and businesses every day (we should know, we stop more than 150,000 fraudulent transactions every day for our clients), an effective defense-in-depth anti-fraud strategy requires the ability to recognize high-risk transactions before they are accepted. iovation’s device reputation technology goes beyond traditional blacklists and personally identifiable information (PII) to identify, re-recognize and root out fraudulent devices and accounts in real time so businesses can proactively stop bad transactions from occurring, as well as shut down hidden fraud rings that are committing repeat fraud within their IT environment.

iovation’s ReputationManager 360 is a fraud prevention solution that provides an added layer of protection for any defense-in-depth anti-fraud strategy. By leveraging the power of device identification, iovation takes complex device ID a step further and equips financial services firms and other businesses with a dynamic collection of device intelligence, association data, analytics and reporting tools that allow fraud managers to assess larger sets of attributes and apply pattern recognition algorithms and pattern-learning processes to identify fraudulent devices, anomalies, velocities and other suspicious behavior taking place on their website every day.

In the article, “American Stranded in Ukraine in Online Dating Scam,” former write-in candidate for governor of Arizona, Cary Dolego, traveled to the city of Chernivti, Ukraine, eager to meet up with the woman he fell in love with online and one day hoped to marry. She never showed.

Turns out, Dolego was a victim of an online dating scam that stemmed from account takeover. Apparently, someone or some group hacked into a woman’s account on an international dating website and was communicating with Dolego on behalf of a woman named Yulia. While the woman later said the account on the dating site that Dolego had been corresponding with was hers, she claims she was not part of the scam.

While this and other similar stories continue to generate media attention about the potential dangers of online dating scams, many of the common tactics hackers use to commit fraud against good members of matchmaking sites could be avoided if the website’s fraud strategy didn’t rely so much on personally identifiable information (PII) to spot and stop fraud within their online social networks.

Unlike anti-fraud tools that collect and use PII to detect fraud online, iovation’s advanced device identification technology is not susceptible to the personal information that users are required to provide when creating new online dating profiles or accessing existing ones. By identifying the actual device used to open or access online accounts — not the user’s PII — iovation’s fraud prevention service provides dating and social networking sites real-time intelligence on more than 750 million known devices. This enables romance sites to instantly accept, deny or pull for further review suspicious transactions before they happen, as well as expose hidden associations between devices and accounts that PII-based fraud detection tools simply can’t do.

Because personal information gathered from social networking sites such as Facebook is what hackers use to open new online accounts or break into legitimate ones, dating sites need a fraud detection tool like iovation that goes beyond the user’s personal information. Without it, dating and social networking sites will remain vulnerable to profile misrepresentations, fake accounts, chargebacks, account takeovers and other online scams that fraudsters can think of using PII, which today is too easily accessible on the Internet.

According to the article, “Credit card fraud is a cross-border crime,” statistics have shown in recent years that online fraud trends can differ dramatically between countries. For example, online payment fraud in the UK dropped 10% from 2009-2010, while the US experienced a 157% rise in attempted payment fraud during that same period.

Carl Clump, Group Chairman of Retail Decisions (ReD), a leading payment fraud prevention provider (and iovation partner), said this is particularly disconcerting for online merchants that do business overseas. As attack methods vary considerably in different parts of the world, e-retailers operating with a limited security scope could be leaving their networks and customers vulnerable to fraud trends for which their existing security tools are not adequately prepared.

“E-commerce businesses that only focus on fraud in their own sector will not immediately spot a new ploy that criminals have used in another industry. The narrower the retailer’s perspective of fraud, the harder it becomes to keep pace with rapidly changing fraud techniques.”

As online retailers expand their businesses abroad, the key to mitigating the risk of unknown attacks is having collective intelligence that spans beyond borders. iovation’s global Device Reputation Authority fraud database shares the firsthand experiences of 2,000 worldwide fraud analysts that have provided fraud evidence on more than 650 million Internet-connected devices across the globe that criminals use to perpetrate all types of fraud and other unwanted activities including credit card fraud, card-not-present (CNP) fraud, account takeovers, and shipping/re-shipping fraud.

Leveraging the power of device reputation goes beyond the stolen information that criminals use to commit fraud. Knowing if a device has a history of fraud or abuse, or is associated with other known fraudulent devices or online accounts helps online businesses identify and stop cyber crime in real time, no matter what country or region they are doing business in. Now businesses can adapt, protect themselves, and share information worldwide — even faster than the fraudsters.

When talking to people on the street about fraud and abuse in multiplayer online games, they are often surprised that such a thing even exists! But the reality is that once a game reaches a certain level of popularity, it becomes equally attractive to the dark side.

Nexon America is one gaming publisher that takes this threat very seriously! They not only fight fraud and abuse head-on; they take a proactive approach with the assumption that every possible flavor of abuse will be attempted and they’re armed and ready for it.

At a recent fraud prevention user group for iovation’s gaming clients during E3 in Los Angeles, Nexon led discussions on preventing account takeovers, chargebacks and gold farming with other fraud professionals who attended. Gold farming (stealing virtual goods or using stolen credit cards to obtain them) is a serious abuse that destroys in-game economies and contributes to poor player experience. Additional topics that were covered during the iovation user group included friendly fraud, code hacking, password education, blacklists and biometrics, just to name a few.

Sharing best practices, tools and strategies is essential in the fight against online fraud. iovation facilitates the sharing of information not only through in-person user groups, but directly through its ReputationManager 360 fraud prevention service. For example, if one gaming site is hit with gold farmers or a group of devices involved in a fraud ring, other iovation clients know this information upfront, before incurring chargebacks or other damage. Our customers benefit greatly from this immediate feedback on devices that are new to them, but not new to iovation.

Even when a device touches a gaming site for the first time, and iovation has no previous history for that particular device, we can still leverage what we know about the associated account and its history, the geolocation information of the transaction, and a host of other device-related properties that might indicate risk based on everything we know about similar devices.  Twelve percent (12%) of the transactions iovation flags as high risk are from new devices.  That’s 1.6 million just the first half of this year.

Online gaming companies like Nexon are motivated to ensure their gaming environments are first and foremost fun and safe for players. This not only helps protect their brand; it strengthens the trust between the company and their valued players.

————–

Nexon America, Inc. develops multiplayer online games in North America. It develops Mabinogi, a multiplayer online role-playing game; Combat Arms, a multiplayer online first-person shooter; and PopTag, an arcade-style multiplayer action game. The company was founded in 2005 and is based in Los Angeles, California. Nexon America, Inc. operates as a subsidiary of Nexon Corporation.

To reduce fraud rates, social networking sites are using their own social verification systems to determine whether the person at the other end of a Web transaction is actually who they say they are. According to the article, “How your social network can protect your credit card,” social networking sites like Facebook collect various pieces of information about a user’s personal network to identify a person and reduce fraudulent activities such as credit card fraud, account takeover and account hijacking within their network. But while the social networking giant and others prefer to keep their data to themselves, think about the possibilities this type of information could have in the fight against global fraud.

With so many credit card details and social security numbers now in the hands of organized cyber criminals, we need a broader mindset if we are going to truly stop the growing fraud problem that stretches across continents, technologies and industries.

By sharing intelligence on more than 600 million Internet-connected devices including PCs, smartphones and tablets, iovation’s ReputationManager 360 fraud prevention solution allows businesses across all industries to see if a device requesting an online transaction has a history of fraud, or is associated with known fraudulent accounts or devices, before the transaction takes place. With a nearly 30% device crossover rate between industries, we understand how important working together and sharing critical information is to fighting online fraud and abuse. This is how we are able to help our cross-industry customers stop 35 million online fraudulent transactions and activities a year.

Much like any legitimate user, fraudsters come in from computers or devices they’ve used before. Having the goods on bad guys’ devices enables businesses to decide whether to deny, accept, or pull for review any pending transactions to prevent credit card fraud and other unwanted behavior. As a result, businesses don’t have to write off future online transactions that are ultimately impacting their sales revenues and bottom line.

CNET broke down Twitter’s recent blog post, which celebrates their significant numbers: “It took three years, two months, and one day for Twitter to hit 1 billion tweets; now, a billion tweets are posted in the course of a week. An average of 460,000 new accounts were created per day over the past month, and an average of 140 million tweets were posted per day. Twitter now has 400 employees, 50 of whom have been hired since January.”

Spammers, scammers, and thieves are paying attention.

Techland reports, “At least 10,000 Twitter users fell for a scam that spread like wildfire across the social networking site early today. Quick action by link shortening service bit.ly – as well as thousands of people retweeting warnings – brought the scam attack under control in a few hours.”

Common Twitter scams include:

Hijacked Accounts: Numerous Twitter accounts have been hacked, including those of President Obama and, recently, Ashton Kutcher. Kutcher’s account was most likely “Firesheeped,” which can occur when a wireless device is used to access an unsecured site.

Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.

Worms: Twitter has been plagued by worms, which spread messages encouraging users to click malicious links. When one user clicks, his account is infected and used to further spread the message. Soon his followers and then their followers are all infected.

Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.

Social media sites could go a long way in protecting their users by incorporating device reputation management. Rather than accepting information provided by an anonymous user, device reputation allows social sites to leverage knowledge about a device’s history—which could include spam, phishing attempts, predatory behavior, profile misrepresentation and even credit card fraud. Device reputation alerts businesses to suspicious behavior exhibited while bad actors are on their websites, uncovers the device’s true location, and exposes hidden relationships to other high-risk accounts and devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media hacking on Fox Boston. (Disclosures)

Last year more than 60 of iovation’s online betting, poker, sportsbook and casino customers reported and shared 350,000 fraud and abuse attempts through the ReputationManager 360 device reputation service, including the likes of William Hill, Entraction and WagerWorks. These experiences are shared along with our knowledge base of more than 500 million unique devices (computers, tablets and mobile phones) which online gaming sites leverage to gain insight into suspicious activity to prevent fraud before it happens.

Many fraudulent transactions can look like a single transaction to an online gaming site, but often times they’re not. By providing customers with a unique view of devices used by criminals to perpetrate online fraud and abuse, iovation gives gaming sites the ability to see if a normal-looking transaction is actually a coordinated attack across multiple sites. We detect these attacks through velocity triggers and shared experiences across our customer base to alert affected businesses and prevent potential attacks.

During the online gaming panel which takes place Thursday, March 3rd at the Sans Souci Ports Conventions Center, I will be sharing experiences I’ve had working closely with many of the world’s largest online gaming sites. I hope to see you there, and please stop by the iovation Booth #26, at get your Virtual Crime Fighter t-shirt!

According to Errol Weiss, who runs the Financial Services Information Sharing and Analysis Center (FS-ISAC) corporate account takeover task force, the effort by his group and other federal law enforcement agencies is to make businesses and consumers more aware of this type of cybercrime and provide recommendations on how they can protect themselves against such attacks.

“Educating all stakeholders (financial institutions, businesses and consumers) on how to identify and protect themselves against this activity is the first step to combating cybercriminal activity…The information contained in these advisories is intended to provide basic guidance and resources for businesses to learn about the evolving threats and to establish security processes specific to their needs.”

Since 2004, iovation has been providing business intelligence to clients about account takeovers and hijack attempts. The devices used to maliciously compromise other people’s accounts are closely tracked in the Device Reputation Authority database and this evidence of fraudulent activity is shared with all iovation subscribers, so that they can have prior knowledge and use that intelligence when deciding whether or not to allow a particular device access to their online business.

Of the total number of account takeover attempts reported by iovation’s cross-industry customers, over the past 90 days, 50% came from businesses representing online communities such as Internet dating sites and social networks. Online retail customers accounted for 36%, while 11% of account takeover attempts during this time were reported by iovation’s massively multiplayer online (MMOs) and social gaming customers.

Clients use iovation ReputationManager 360 to assess risk on all incoming transactions. This comprehensive service combines shared evidence of fraud and abuse from the world’s leading brands, configurable advanced real-time business rules, account relationships, device profiles and anomaly checks.

1. Account creation / application fraud – In this case, a fraudster uses a stolen identity to apply for an account online to order phones and services.  After initiating a shipping scheme to obtain the goods, the fraudster runs up the phone bill until the carrier or identity theft victim uncovers the charges.Much like credit issuers, carriers perform comprehensive identity and financial background checks on applicants, however, the checks are on the identity theft victim.  By adding a device check at the front of the process (which looks at the computer or Internet-enabled device being used), carriers can quickly identify suspicious activity such as when the same computer initiates multiple applications under various identities, or if the computer being used has been involved in previous fraudulent activity.
2. Account takeover – This crime targets people with existing business or personal accounts. If the cyber criminal is unable to hack directly into an existing account, a phishing attempt occurs to obtain the credentials needed to access the account. Once in, sub-accounts are created that the legitimate user may not immediately notice. The fraudster places orders for phones and service through sub-accounts against the victim’s credit lines. Criminal activity against business accounts is particularly costly to the carrier.For businesses not yet using device identification or fingerprinting techniques, they do not see the relationships that exist between fraudulent accounts.  With iovation ReputationManager, hidden relationships are exposed between fraudulent devices and their associated accounts. When the device (or set of devices) logs into multiple wireless accounts that otherwise appear unrelated, fraud rings are exposed and multiple compromised accounts can be shut down at once.
3. Hacking reseller accounts to purchase equipment – This is a costly expense for resellers because they discount the price of the phones below what they actually paid for them. For example, a $100 Blackberry on the market may have cost the carrier $300. When a fraudster purchases a phone with a stolen identity, receives it and adds a new SIM chip, they now have a perfectly good new phone. After paying for service, they will sell it on an Internet auction site. If they get as much as half the retail value, they’ve made out.
4. Prepaid phone fraud – There’s two issues around prepaid. First, there’s the use of stolen credit cards to top-up the service. Because of the anonymity of buying a prepaid phone, there’s no credit check performed if a fraudster purchases through a local retailer or orders online. So when the fraudster goes online to order additional minutes, the carrier is unaware that they’re using a stolen credentials because they don’t know who is behind the phone. Knowing that the top-up request came from a known fraudulent device is an extremely effective way of stopping all of the bad transactions coming from the device.The second issue wireless carriers deal with is answering subpoenas about prepaid phones. Because many organized criminals use multiple phones for fraud activity, when their minutes run dry they toss the phone. With iovation, if the carrier is subpoenaed about a specific phone, forensic intelligence can be provided to law enforcement about additional phone numbers associated with the device that used the stolen credit card to purchase the phones

The biggest driver behind many of these mobile phone crimes is that criminals can obtain phones without walking into a retail store – they can now run their operation from the web. As a result, the carriers are facing rising criminal threat. By layering strong anti-fraud solutions which include the device, carriers can address both the credit application side of the business as well as the retail side.

With four main areas of exposure, mobile phone carriers must be armed with a solution that covers new account origination, existing account management, and prepaid. iovation covers all three sectors. Many times these sectors are distinct and separate with a company, and have different risk and fraud departments to handle them. With iovation, we bridge the gap between all lines of business to prevent the growing fraud challenges of mobile phone theft and fraud.

Before these mobile applications, sites could either provide a separate hardware token for multi-factor authentication which was expensive and difficult to manage, or it could provide this capability through a text message on the phone which could be costly for both the consumer and the company. This application solves the token problem by attaching itself to something that most users always have in their possession (their mobile phone) and solves the cost problem by bypassing costly text messages and embedding the password generation intelligence in the mobile app. There is a beta version of the Verisign app for some BlackBerry models and for another 40 phones in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow.  The ease of adoption for the iPhone could be the difference make in this instance and it could be a positive step in the direction at combatting online fraud and more specifically account takeovers.