In the article, “Why Internet crimes go unpunished,” security expert Roger Grimes breaks down some interesting numbers around cybercrime, and how hackers are (to put it mildly) beating the odds. According to the FBI’s 2011 Internet Crime Report, of the more than 300,000 complaints that netted criminals $1.1 billion in 2010, law enforcement agencies convicted an average of one crook for every 50,635 victims. In other words, as Grimes eloquently states:

Steal someone’s identity and your odds of being caught are almost infinitesimal.

With all the hacks and fraud headlines 2011 will be remembered for, that’s definitely not the way we want to ring in the New Year. But as Grimes also warns, if we aren’t careful we could see history repeat itself as criminals not only continue defrauding computer users, but launch recycled attacks against the explosion of worldwide mobile device users, who could fall victim to the same old PC tricks.

While law enforcement certainly has its challenges in tracking down and prosecuting cyber criminals, nobody will argue that we can always be doing something on our part to help reduce the risk of fraud where the criminal is utilizing a computer, as well as emerging mobile platforms like smartphones and tablets.

Whether you’re an individual, small to mid-size business, or even a large international corporation, in many ways you’re sort of on your own in cyberspace. This is why taking matters into your own hands and implementing defense-in-depth fraud preventative strategies is so critical to protecting yourself, your employees and business from both evolving and old-school scams targeting every form of Internet-connected device that we use.

This is the time of year when most businesses are setting their budgets and determining business goals for 2012. While improving customer service and increasing revenues are certainly at the top of any CEO’s to-do list, mitigating costly fraud risks that can take a hefty bite out of annual profits (not to mention cause significant reputation damage) requires organizations to deploy effective security tools like iovation’s ReputationManager 360 solution to reduce the risk of fraud or abuse over all devices and platforms connecting to their online business environment.

The Federal Financial Institutions Examination Council’s (FFIEC) updated security guidelines go into effect in less than a month. It is imperative that financial institutions recognize that the security precautions currently in place are ineffective in the face of new, more sophisticated attacks. Criminals have gotten around the minor hurdles posed by the tools being used to authenticate clients and prevent unauthorized transactions.

Basic multifactor authentication may be relatively effective for bank accounts that generally contain only enough to pay a month’s worth of bills. But high value accounts are more prone to attacks, and require additional levels of security. Ultimately, what is most important is that a security program includes multiple layers of protection rather than relying on a single mechanism of defense.

Using advanced device identification is also essential. The FFIEC suggests complex device identification, which is more advanced than previous techniques, and the leader in this space is iovation Inc.  They take complex device identification much further by delivering to financial institutions, a reputation of the device as it accesses their site to apply for credit, create an account, transfer money and more.

This proven strategy not only utilizes advanced methods to identify the devices being used to connect to a bank, it also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect financial institutions from cybercrime.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud.

It’s in the retailer’s best interest to put online fraud prevention measures in place to thwart credit card fraud use on their sites. This not only helps them keep their chargebacks and fees low, but it also protects their brand reputation with their loyal customers. But how can retailers detect when fraudsters are stealing from their websites in the first place?

Before verifying identity and credit information, first make sure that the computer, tablet or smartphone connecting to the site is not a known fraudulent device – one used to steal from your business in the past, or from other online businesses.

Would you like to know if the device is acting suspicious such as masking its IP address or constantly changing its characteristics between transactions? Is it opening an excessive number of new accounts, or are new countries suddenly accessing your customer’s existing accounts?

There are many indicators of risk and companies like Oregon-based iovation Inc. helps online businesses set up fraud and risk rules in advance so that as transactions come in, the rules run and all checks in a fraction of a second. This device identification service can stop the transaction right then and there.

Carders are just one piece of the cybercrime puzzle. Having a defense-in-depth approach to fraud prevention is essential. And sharing fraud intelligence with other businesses can only help you catch more fraud, and meanwhile, take more business with confidence.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

In the InternetRetailing article, “Online shopping fraud down in first half of 2011,” during the six months ending in June, online shopping fraud including mail order and phone fraud dropped to £109.2m compared to the £118.2m in fraud losses in the first six months of 2010.

Source: Financial Fraud Action UK, Cheque & Credit Clearing Company and The UK Cards Association

While findings like these are certainly encouraging, it doesn’t mean the bad guys have given up. Far from it. While an increase in fraud protection measures play a significant role in the declining numbers, once a security hole is filled fraudsters typically turn their energies elsewhere.

DCI Paul Barnard, head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), is quick to point out that while online shopping fraud losses are down, the fraudulent use of lost or stolen cards is up 20%.

“There has been an increase in old fashioned scams – criminals using distraction techniques and social engineering methods to get hold of people’s cards or phone banking details. We are urging everyone to be on their guard.”

As organized cyber criminals shift tactics, the ability to expose thieves who are fraudulently using someone else’s personal or financial information to purchase items online is essential to preventing fraud or abusive activity that impacts consumers and an online business’s bottom line. This is something iovation does every day for merchants that sell goods and services over the Internet.

Checking millions of daily transactions coming into our B2B customers’ websites against our dynamic, device reputation database that’s now 715 million deep, iovation’s ReputationManager 360 provides real-time device intelligence IT fraud teams need to instantly recognize and reject bad orders on the spot to prevent an array of fraud techniques and social engineering schemes designed to defraud today’s online businesses.

According to the article, “Cyber crime hit 431 million adults in 24 countries,” a recent Norton cybercrime report found online crime jumped 3% compared to its 2010 study, costing fraud victims more than $388 billion worldwide over the past year.

Eating up 35% of the global cybercrime bill were U.S. fraud victims, who spent $139 billion on cybercrime last year. That amounts to 141 victims per minute, an alarming statistic even for Norton’s consumer cybercrime expert, Helen Malani.

“We were astounded by the costs in terms of cash lost. The number came to more than $US388 billion globally. That’s more than the illegal drugs market in heroin, cocaine and marijuana. Cybercrime is an illegal underground economy and it needs to be taken seriously.”

According to the study, one of the biggest gains in cybercrime last year came in crimes against mobile devices, which are up 10% globally. No surprise there, considering the explosion of smartphones and tablets being used to connect to the Internet. Malani said the chief concern with mobile fraud is users inability to stay on top of security updates. She said only 20% of people accessing their mobile devices have installed the most up-to-date mobile security. With up to 80% of mobile devices improperly protected, this provides fertile ground for cybercrime activity.

Similar to any other legitimate economy, growth in the illegal underground marketplace is driven by innovation, and tapping into the next opportunity. For cyber crooks, it’s all about exploiting the latest technology before the security gaps are identified and closed.

For online businesses that allow users to access their websites and corporate networks via mobile devices, this is especially disconcerting. Operating without the tools to effectively detect when fraudulent devices are logging onto their sites and requesting transactions, organizations and their customers are vulnerable to evolving schemes such as credit card fraud, card-not-present (CNP) fraud, account takeover, phishing and identity theft.

Today, building a multi-layered fraud preventative strategy that includes device reputation technology is critical to identifying when an Internet-based device, whether it’s a PC, smartphone and tablet, is already registered or attempting to log onto a website. The device intelligence that iovation’s ReputationManager 360 provides in real-time allows online businesses to recognize when a remote device that has been used to commit fraud or abuse in the past and stop any illegal or unwanted activity before it happens.

With nearly 150 users (just in the U.S.) exposed to some type of fraud every minute, it’s time businesses gain an extra layer of protection needed to stop more advanced forms of online fraud and abuse. Performing real-time risk analysis on transactions from every country in the world, iovation has already flagged nearly 40 million fraudulent transactions for its B2B customers just this year.

For banks around the globe, protecting customer accounts is becoming more challenging as cyber criminals work together to create more sophisticated attacks with the aim of defeating existing security measures. In fact, fraudsters have become so efficient at figuring out new ways to access critical data from a bank’s IT system that the article,“European banking industry lacks guidance to combat cybercrime,” suggests that the entire ecosystem — from government to banks — should take a cue from the criminals themselves.

Powered by the collaboration of over 2,300 IT, security and fraud professionals, spanning multiple industry’s worldwide, iovation’s globally shared fraud database allows subscribers to benefit from everybody’s hard work and experience fighting online fraud and abuse. For example, if a multinational bank flags a device for credit card fraud today, and that same device came to your website tomorrow, next week or next month, how valuable would that information be to you? That’s the power of device reputation.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based questions, and can be easy to figure out with the use social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines. You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

The study found that IP theft (£9.2bn) and industrial espionage (£7.6bn), combined, account for over two-thirds of the overall cost to UK businesses per annum. IP theft is largely committed against companies with high volumes of IP or IP that’s easy to hack, while industrial espionage includes stealing or exploiting non-IP data from organizations that depend on large amounts of financial transactions and monetary activities.

Other significant cyber crimes that impact UK businesses include extortion (£2.2bn), direct online theft (£1.3bn), and loss or stolen customer data (£1bn), according to the report.

Because organizations today are becoming increasingly dependent on cyber space for business commerce, communications, and daily operations and production, cyber threats pose a significant threat to individual nations, as well as the global economy. This is why reports like these are so important.

Understanding the economical impact cyber crime can have on businesses, industry, and the economy can play a critical role in setting effective security policies and implementing proactive fraud preventative strategies, such as iovation’s device reputation service, which combats new and evolving forms of cyber crime that have a negative impact on organizations across the globe.

And despite the constant stream of bad news, consumers continue divulging a tremendous amount of data to retailers, auction sites, dating sites, and gaming sites. While awareness of fraud and cybercrime is at an all time high, consumers seem to feel they don’t have much of a choice but to provide all their data.

People have grown to love the Internet and all the conveniences it offers, both commercially and socially. In my household, little people under five years old whack away at online iPhone games, never knowing what it’s like not to have the Internet.

Many seem to feel that their privacy is the price they must pay for all this connectedness and convenience, and are even willing to put their personal security at risk in exchange.

Scammers know and are capitalizing on this. There isn’t an online gamer, dater, social networker, or consumer today who isn’t at some level of risk.

While all necessary defenses must be employed to prevent hackers from compromising data, an additional layer of protection should be implemented to keep them off websites in the first place.

Every one of these platforms would do well to stem the tide of fraud by incorporating device reputation. One anti-fraud service offering fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. Hundreds of online businesses prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their websites, and with iovation’s service, they stop 150,000 online fraudulent activities each day.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

According to the Wall Street Journal article, “Cyber crime now an industry,” the average cyber criminal is not at all who we think he is. He’s not some socially awkward kid cooped up in a poorly lit basement causing havoc across the globe. That’s not to say there aren’t organized gangs causing worldwide headaches. There are. But, from a technical standpoint, the majority of those perpetrating online fraud and abuse are more like you and me.

Because readily available toolkits and easily accessible information have lowered the talent bar for cybercrime candidates, the skill sets required for today’s high-functioning and effective cyber criminals are as basic as they can get. With criminal factories producing attack kits, today’s criminals need little to no computer skills to get into the underworld business.

The recently released Verizon 2011 Data Breach Investigations Report found an interesting trend in the information cyber criminals are seeking to commit online fraud. Basically, usernames and password details have replaced credit card details, which have dropped in value in the black market from roughly $10 to ten cents, or less. Cyber criminals also use easily accessible personal information that they easily swipe from social networking websites like Facebook and LinkedIn to socially engineer their victims.

Either way you look at it, cybercrime has evolved from being perpetrated by computer-savvy, introverted whiz-kids to an industrial machine where the job requirements include as little as a computer and some cash.

With the computer the primary mechanism used to perpetrate online crimes, the more you know about the device requesting a transaction the better chance you have in defending your online business and customers from being victimized by such crimes. iovation’s fraud prevention service shares the reputations of 600 million devices including PCs, smartphones and tablets to assess risk on 8 million transactions each day to help organizations stop fraudulent transactions before they happen.

By taking data collected from 113 million servers globally that track cyber attacks like identity theft, phishing threats and fraud activity, the Cybercrime Index is a website that acts like a stock index, informing Internet users about the day’s biggest online threats.

Along with giving users up-to-date reports on malware activity, the Cybercrime Index is an educational tool that provides tips on how Internet users can avoid cybercrime, said Dan Nadir, senior director of consumer products at Norton.

“With the increasing sophistication of cyber threats and the staggering amount of money lost to cybercriminals, it’s important for people and businesses alike to think seriously about how they are protected online. We’re constantly trying to educate people around the dangers of online threats.”

While there’s certainly no substitute for education when it comes to keeping up with the latest trends in cybercrime, businesses in particular require fraud prevention tools and techniques that work together to effectively defend their virtual environments and customers from all types of online fraud and abuse attempts. Education and training, combined with highly effective and comprehensive security solutions like iovation’s ReputationManager 360, provide a stronger, multi-layered defense that today’s organizations need to protect their businesses from all forms of online crime, including the top threats of the day.

Studies like these continue to remind us of how vulnerable consumers are to the growing threats that exist online. Unfortunately, the second victim to these crimes are the online merchants that are targeted by cyber criminals using stolen data to commit fraudulent transactions.

From a business perspective, iovation closely tracks countries that have high online fraud rates through the 5 million device reputation checks it processes daily. Based on the percentage of transactions denied out of the total number of transactions from that country in the last 90 days, the top 5 countries experiencing the highest levels of online fraud include Ghana, Romania, Nigeria, Korea and Israel.

While most of the online transactions we look at are from the U.S., the percentage of those that are denied is only 0.98%. As a result, the U.S. ranks 24th on our list of countries with the highest percent of total transactions denied.

Either way you look at it, online fraud and abuse continues to have a psychological and financial impact on both consumers and businesses around the globe. For the e-commerce industry, educating consumers about emerging security threats and implementing tools that stop more sophisticated attacks is critical to reducing fraud rates that continue to impact the financial well-being of online merchants and their customers.

Given the impact that cyber crime has on our economy, online businesses especially have a lot riding on the success of these government initiatives. A recent report from LexisNexis estimates that U.S. businesses lose $191 billion annually from computer related crimes. This is why Mr. Schmidt’s combined experience in both government and the private sector will hopefully be an important asset, allowing him to simultaneously understand the issues currently facing businesses and be able to cut through the red tape on Capitol Hill to make real change happen.

Of his appointment, Mr. Schmidt remarked:

Because ultimately no one—not government, not the private sector, not individual citizens—can keep us safe and strong alone. When it comes to cyber security, our vulnerability is shared. I’m committed to bringing all these stakeholders together around a new, comprehensive cyber strategy that keeps America secure and prosperous.

The President and Mr. Schmidt clearly see eye-to-eye regarding the importance of cyberspace on our economy, homeland security, and the U.S.’s ability to remain competitive in a global economy. More importantly, by appointing Schmidt, President Obama is following through on his remarks about securing our nation’s cyber infrastructure: “America’s economic prosperity in the 21st century will depend on cyber security. For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”

For government and online businesses alike, protecting sensitive information is a shared obligation and needs to continually be addressed. I’m glad President Obama and Mr. Schmidt understand this. I hope that they are successful in leading a coordinated effort to combat this threat. With our personal experience in stopping literally millions and millions of online fraudulent transactions, iovation understands the seriousness of cyber crime.

With a website devoted to the new campaign, it’s easy to take a quick look at some statistics about fraud in the UK, and some of them are quite frightening. While the information on the site is based on UK numbers, the concerns that those statistics raise are likely applicable in many countries, as identify theft is a world-wide problem.

A few stand-out numbers:

• £1.2 billion : The annual amount that identify fraud costs the UK economy
• 60,000: The approximate number of UK residents who have been a victim of identity theft in the current year. (Up 36% from the same time last year.)
• 36: The percentage of businesses that have no clear policy on how to dispose of documents including sensitive information (such as customers’ names, addresses, credit information, photocopies of passports, etc.)

As a whole, the site paints a clear picture: identity theft is a real problem with real consequences, which most people are aware of—and yet neither businesses nor individuals are, in great enough numbers, taking the steps required to prevent it from happening.

Here at iovation, we’re working on the other end of things: helping companies defend against online criminals using stolen identities to commit fraud. While businesses and individuals need to do more to prevent identity information from being stolen, it is also important for online companies to do everything they can to prevent criminals who are using those stolen identities. Unfortunately, most online businesses depend entirely upon information provided by the user, leaving them no way to know if, for example, 50 accounts, all set up with different names and addresses, are actually all coming from the same computer.

To do their part, businesses need to look at the different technologies, people, and processes that can complement core identity-based systems and expand the net to catch online fraud. For my part, I will be at the E-Commerce Expo next week in London to talk to online retailers about combating online fraud. Certainly this is a problem that businesses need to address together. Building national awareness of the problem and encouraging businesses to work together and share best practices is an important step to curbing this epidemic.