According to the Banking Times article, “Criminals shifting to card-not-present fraud because of chip and PIN success,” they are on the move again. Data recently released by FICO, a leading provider of analytics and decision management technology, shows that across Europe card-not-present (CNP) fraud has dramatically increased, accounting for 72% of all fraud losses between March 2009 and March 2011. The big reason for this change? Chip and PIN technology, which has helped reduce counterfeit fraud by 60% over the same period.

In comparison, a similar study conducted three years ago found that ‘card present’ fraud accounted for 60% of Europe’s credit card fraud. But since European banks adopted the smartcard payment system, that number has dropped significantly over the past couple of years.

So, remaining consistent to their adaptive nature, it appears that cyber criminals have shifted their attention to CNP schemes like online fraud, targeting countries and business systems with weaker detection and prevention capabilities, said Martin Warwick, FICO’s Fraud Chief in Europe, the Middle East and Africa.

“Our analysis of the data shines a spotlight on the tremendous change that has occurred in Europe’s fraud landscape.”

While European credit issuers continue to leverage Chip and PIN technology as part of their defensive strategies to fight fraud, the Merchant Advisory Group (MAG) recently rolled out a recommended roadmap for a U.S. electronic payments strategy that includes Chip and PIN adoption.

Such strategies have proven to help reduce card present fraud, but as the report shows, their success has also pushed hackers into new directions. Instead of using the actual credit card to defraud businesses in person, criminals are collecting credit card and personal information and using it to commit a host of online crimes including CNP fraud, account takeover and identity fraud.

As criminals increasingly pursue online fraud opportunities around the globe, businesses that rely on online payments need effective fraud detection tools that protect the growing number of online transactions taking place within the U.K. and across international borders.

Leveraging our fraud database of more than 800 million desktop and mobile device reputations worldwide, iovation performs 6.5 million device reputation checks a day for our customers. A complementary fraud prevention solution like iovation’s ReputationManager 360 provides businesses with unique intelligence and a deeper understanding of each device accessing their website or requesting a transaction, allowing them to make quicker, better informed decisions on all online transactions even if fraudsters try to re-invent how they defraud businesses over the Internet.

The truth is, even diligent businesses running the latest security software remain vulnerable to the growing number of new and unknown forms of online fraud and abuse. Take it from Mark Patterson, co-owner of PATCO Construction Inc: when it comes to fighting ACH fraud the new FFIEC authentication guidance falls short. He says that until banks become legally liable and accountable for such online crimes, businesses will remain susceptible to online fraud.

In the BankInfoSecurity article, “Fraud: The Victim’s Perspective,” Patterson, whose small residential and commercial construction company lost over $550,000 to fraudulent ACH transactions, said that while he’s glad updates have been made to the security guidelines, they don’t go far enough. In order for small businesses to protect themselves from online crimes like ACH fraud and account takeover, they need to take it upon themselves to also incorporate their own internal policies and processes to detect fraud and abuse. Some of his recommendations include:

• Talk to your bank about the ACH fraud policy to understand if fraud losses are covered
• Monitor all online transactions for bad IP addresses, anomalies, and suspicious activity
• Run and analyze reports to recognize patterns and velocities
• Educate yourself about online threats and how bad they really are

Today, too many companies struggle to keep the security of their desktop computers and mobile devices up-to-date, which puts their customers, business and brand reputation at risk. The FFIEC Guidance was designed to outline a multi-layered approach of processes and technologies that banks need to mitigate fraud risks, but if those recommendations aren’t applied and internally enforced businesses could still have trouble identifying and stopping risky transactions.

To combat the millions of online fraud and social engineering schemes attempted on banks and businesses every day (we should know, we stop more than 150,000 fraudulent transactions every day for our clients), an effective defense-in-depth anti-fraud strategy requires the ability to recognize high-risk transactions before they are accepted. iovation’s device reputation technology goes beyond traditional blacklists and personally identifiable information (PII) to identify, re-recognize and root out fraudulent devices and accounts in real time so businesses can proactively stop bad transactions from occurring, as well as shut down hidden fraud rings that are committing repeat fraud within their IT environment.

iovation’s ReputationManager 360 is a fraud prevention solution that provides an added layer of protection for any defense-in-depth anti-fraud strategy. By leveraging the power of device identification, iovation takes complex device ID a step further and equips financial services firms and other businesses with a dynamic collection of device intelligence, association data, analytics and reporting tools that allow fraud managers to assess larger sets of attributes and apply pattern recognition algorithms and pattern-learning processes to identify fraudulent devices, anomalies, velocities and other suspicious behavior taking place on their website every day.

It’s been a busy year with a ton of new features and enhancements ranging from big to small. We thought we’d take a moment to share with you some of the highlights from 2011.

As with any technology, there are many, many things that go into a new feature including design, development, testing, documentation, integration and other operational requirements. We won’t go into that amount of detail here, but instead will focus on the primary achievements within each of the four principle areas of specialization at iovation, which include:

According to the Politico article, “Free pass for dating site liars,” people can take comfort in knowing that they don’t have to worry about being prosecuted or hauled off to jail for telling a little white lie over the Internet. While this certainly makes sense, at the same time we’re still walking on shaky ground when it comes to online lies, falsifications, profile misinterpretations, or whatever you want to label it. The fact is, when it comes to identity fraud, fake accounts or other crimes on romance sites, lying is typically the basis for the crime. It sets the stage for deeper criminal activity that can cost victims both emotional and financial hardships, not to mention damage to the dating site’s reputation. 

In the recent blog, “Online Trust Remains Risky Business,” I discussed how most of us have at one time or another told some kind of little white lie on the Internet. Would this be cause for criminal prosecution? Probably not. However, if the intent is to steal or commit some type of crime against another person or business, the lie could be a violation of corporate policy covered by the Computer Fraud and Abuse Act (CFAA), which criminalizes “exceeding authorized access” of a computer.

While DoJ spokeswoman, Alisa Finelli, says it’s not the DoJ’s position that lying violates the CFAA, its current position is one that could be open for change.

“We understand the concern that is motivating these criticisms of the statute, and we are willing to work with Congress on legislative proposals in this area.”

While Congress works on legislation that clarifies what would be grounds for prosecution when it comes to lying on the Internet, to protect their members and online environments dating sites need to take action by deploying anti-fraud detection tools that help them identify risky behavior. At the moment, there may not be an actual online “lie detector” that can distinguish when a member is telling the truth or not, but there are tools available, such as iovation’s device identification service, that helps detect online scammers, spammers and bad actors attempting to mine the identity details of legitimate members.

“Social fakes” are invented profiles on social media (often referred to as profile misrepresentation), which can be used to harass or mock victims anonymously. But the more lucrative fake profile is one that imitates a legitimate business, damaging that business’s online reputation.

The impostors’ ultimate goal? Spam leading to scams.

Social-web security provider Impermium published the results of their recent analysis of the cost of social spam. “Online ID signup fraud” is an emerging trend, with fraudulent accounts ranging from a low of 5% to 40% of users. “Scammers are registering accounts by the millions as they perpetrate fake “friend requests,” deceptive tweets, and the like, while the black market for bulk social networking accounts is growing exponentially.”

They also warned about social web abuse, describing current “sleeper cells” as “a ticking time bomb.” Last month, more than 30,000 fraudulent accounts coordinated an attack, in which attackers submitted more than 475,000 malicious wall posts in one hour. According to Impermium, “Even accounts you’ve had for years could be lying in wait for just the right moment.”

Multiple issues stem from fake accounts, such as brand damage for both the website and its users, scams being perpetrated on existing or potential customers, and for social networking websites, an inflated, incorrect summation of active subscribers—to name a few.

Social media sites can use iovation’s device reputation service to help identify fraudsters at account setup. When a device (or related group of devices) signs up for more than your allotted number of accounts, you can receive alerts on this behavior. When multiple countries are logging into the same accounts within a specified timeframe, you can set alerts on this activity. When users are constantly changing their device attributes between multiple online registrations (to look like new, legitimate consumers), you can know this immediately—and automatically deny the new accounts outright or send them to your fraud review queue. If 1,000 accounts were just set up from the same machine, one after another, wouldn’t you want to know that while it’s happening so you can do something before the scams start?

Rather than relying on information provided by the user, which may not be honest or accurate, device reputation technology goes deeper, identifying the computer being used to register an account. This exposes negative behaviors right away, allowing a website operator to deny access to threatening accounts before your business reputation is damaged and your users are abused.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses hackers hacking social media on Fox Boston. Disclosures

Online auction and classifieds websites are unwittingly participating in car sale scams. Ads gain credibility by appearing on eBay, Craigslist, and other online automobile sales websites, but some are either completely phony or have been copied and pasted from other websites.

The FBI’s Internet Crime Complaint Center received nearly 14,000 complaints from 2008 through 2010, from consumers who have been victimized, or at least targeted, by these auto sale scams. Of the victims who lost money, the total dollar amount is staggering: nearly $44.5 million.

The FBI explains how the scam works:

“Consumers find a vehicle they like—often at a below-market price—on a legitimate website. The buyer contacts the seller, usually through an e-mail address in the ad, to indicate their interest. The seller responds via e-mail, often with a hard-luck story about why they want to sell the vehicle and at such a good price.

In the e-mail, the seller asks the buyer to move the transaction to the website of another online company….for security reasons….and then offers a buyer protection plan in the name of a major Internet company (e.g., eBay). Through the new website, the buyer receives an invoice and is instructed to wire the funds for the vehicle to an account somewhere. In a new twist, sometimes the criminals pose as company representatives in a live chat to answer questions from buyers.

Once the funds are wired, the buyer may be asked by the seller to fax a receipt to show that the transaction has taken place. And then the seller and buyer agree upon a time for the delivery of the vehicle.”

Consumers should watch out for the following red flags:

• Cars are advertised at too-good-to-be true prices
• Sellers want to move transactions from the original website to another site
• Sellers claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s website
• Sellers refuse to meet in person or allow potential buyers to inspect the car ahead of time
• Sellers who say they want to sell the car because they’re in the U.S. military about to be deployed, are moving, the car belonged to someone who recently died, or a similar story
• Sellers who ask for funds to be wired ahead of time

Online classified and auction websites could work together, and share information on the devices running these scams, through the device reputation service provided by iovation Inc. Their fraud detection service, called ReputationManager 360, is a B2B SaaS solution incorporating complex device identification, device reputation and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and behavioral abuse in real time by analyzing the computer, smartphone, or tablet connecting to their online properties.

iovation’s “living shared database” is used by fraud analysts daily and shares the reputations of devices from literally every country in the world. This reputation is a combination of fact-based evidence (such actual chargebacks, identity theft, online scams and account takeovers), plus what risk can be inferred at transaction time. Fraud analysts take this fight seriously and submit 10,000 events of fraud or abuse into the shared database each day.

Performing a device reputation check on a scammer attempting to create a new account at a sale or auction website would stop him before he has a chance to post advertisements for scams, preventing damage to the business and its customers. And when one of your good customers has been scammed, you can submit that evidence back into the iovation database to make sure it does not happen again, whether from the same device, or a related device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.

With iovation ReputationManager 360, Japanese businesses are able to leverage the reputation of devices inside and outside of their network to:

• Expose relationships between accounts and transactions that are otherwise being hiddenKnow when a device or group of devices on their website previously defrauded or caused other problems for another business, even when all other fraud checks returned no risk
• Expose relationships between accounts and transactions that are otherwise being hidden
• Know when a device or group of devices on their website previously defrauded or caused other problems for another business, even when all other fraud checks returned no risk
• Combat both direct financial fraud and abuse-related incidents such as chat abuse, spam, promotion abuse, policy violations, profile misrepresentation, code hacking and phishing attempts
• Identify high-risk devices based on device characteristics and behavior analytics

For Japanese businesses looking to integrate fraud prevention services to reduce fraud losses, increase operational efficiencies and protect online customers, here is the contact for Info Innovation Japan.

Info Innovation Japan Inc.
1-3-6 Kitaaoyama Minato-Ku
Tokyo 107-0061 JAPAN
Phone: +81-3-3470-2239
Email: info@iovj.co.jp

In a nutshell, merchants must take a proactive approach by adopting tailored fraud and risk management solutions to protect their businesses. As fraudsters become more sophisticated, Badran said protecting an online business environment from fraudulent orders and safeguarding cardholder data is critical to overall business revenues and brand reputation.

“Merchants risk incurring damage to their reputation and brand, and the consequences associated with loss of trust from customers are difficult to overcome. Merchants simply cannot ignore the impact of fraud to their business and their bottom line.”

According to Badran, one way to help mitigate bad orders is to implement fraud and risk scoring tools that provide multiple data points beyond the actual card data. Information such as velocity behavior, bill to/ship to address, IP address and device ID can help merchants set parameters for their businesses and score online transactions.

“Fraud scoring tools can help in making the right automated decisions quicker and more effectively during high-volume periods so that you are able to accept more good orders and reduce the number that may result in chargebacks.”

One way iovation helps online merchants make decisions in an efficient and effective manner is by offering customizable real-time business rules.  Within the latest release of ReputationManager 360, weighted business rules allow our customers to define a set of rules that, taken together, reflect a more accurate measure of risk for each transaction.

Here’s how Weighted Business Rules work:

1. Define the rules to be used at a specific website interaction point such as login or checkout
2. Assign a weight that reflects the risk associated with each rule
3. Set threshold limits to reflect Accept, Deny or Review (A, D, R) real-time responses
4. Once implemented, all rules will be tested within the set and a Transaction Score will be calculated for those rules that were ‘true’
5. The real-time response (A, D, R) returned is determined by where the Transaction Score falls within the thresholds.

In the example above, an online business has chosen to create a rule set that contains rules for:

• Velocity (such as the number of devices that touch a particular account within a period of time)
• Evidence (such as financial fraud evidence exists on this account)
• Geolocation (such as a high-risk IP range)
• Anonymous Proxy (such as users hiding their IP address or making it appear they are coming from another location)
• Anomaly (such as a timezone/geolocation mismatch)

While all business rules were checked, only two returned a ‘true’ response, velocity and evidence.  The weights associated with these two rules created a Transaction Score of -125.  The threshold previously set by the business states that anything less than -100 would automatically return a ‘deny’ response for this transaction, hence rejecting the high-risk transaction.

Within each of these rule categories, multiple rules exist and can be applied and customized by our customers.  Additional categories such as Risk Profiles and Watch Lists are also available. Based on the customized business rules set, iovation’s customers are able to automatically Accept, Deny or Review any transaction at any integration point — including (but not limited to) account creation, login, account change, deposit or withdrawal and checkout.  As a result, online businesses can accept good orders faster and reduce bad ones without impacting the business process or end user experience.

Unfortunately, these kinds of velocity checks are of limited value against more sophisticated fraudsters who have the information, the technology, and the general savvy to set up multiple accounts that all, on paper, look completely different—different names, different credit card numbers, different shipping addresses, different IP addresses.

This is why including the device associated with an account or transaction can be an extremely valuable component of velocity-based rules. Even if all the elements of personal data look different among a set of accounts or transactions, if they all have the same device in common, it’s a good indication that something is wrong. With velocity-based rules focused on the device, you can monitor the number of accounts created, or the number orders placed, from one single computer.

In a world where hackers are making it more difficult for online businesses to verify the real identities of the people they’re doing business with, device fingerprinting combined with velocity-based rules provides a powerful one-two punch for identifying suspicious activities and stopping fraud that operates under the radar of many fraud detection systems. For many of our customers, having visibility into this activity is one of the biggest advantages they gain from including device fingerprinting as part of their fraud prevention process.