In the article, “Cybercrime is now a booming industry,” the new Global Risks for 2012 report says that along with a steady increase in cyber attacks on businesses and governments around the globe, the top concern for illegal digital data sellers is maintaining trust with their customers.

According to an ethical hacker in India, the digital black market has become so competitive that entrepreneurial cyber criminals depend on their trustworthiness, along with free trials, discounted offers and money-back guarantees on stolen goods, to succeed in the shady underworld.

“Today, the main concern for the data sellers is to generate trust among their clients.”

Any legitimate business knows the importance of building and maintaining a high level of trust and confidence with their paying customers. Without it, we have no customers. Turns out, the cyber underground is no different. In order to sell stolen goods to their customers, cyber criminals, whose livelihood is based on creating a web of lies to steal other people’s information, also have to establish and preserve an upstanding reputation among their likeminded clients.

At iovation, we’ve always understood the power of reputation — both good and bad. In fact, our business is built on the experiences and expertise of more than 2,000 fraud analysts from leading brands worldwide, who have all contributed to our device reputation database of over 800 million unique devices, including PCs, laptops, smartphones, tablets and consoles.

Unlike anti-fraud solutions that rely on personally identifiable information (PII), iovation’s advanced device reputation technology focuses on the user’s device to identify and stop fraud in real time, as well as make quicker decisions on legitimate online orders and business transactions. By including a fraud prevention service like iovation’s ReputationManager 360 to any multi-layered security strategy, organizations don’t have to rely solely on potentially stolen or misrepresenting information provided by criminals to perpetrate fraud over the Internet.

While there’s no arguing that trust is essential for doing business — apparently between cyber criminals, as well — having a trusted resource like iovation to uniquely recognize known fraudulent devices, expose hidden fraud rings and identify good customers before the transaction takes place, can play a pivotal role in any business’s ongoing challenge to reduce online fraud rates.

While monetary gains are always the ends to the means for cyber thieves, the digital goldmine appears to be personal and financial information stolen from email accounts and bank accounts, as well as intellectual property, all of which hackers can sell on the cyber black market. Some additional points in the Global Risks for 2012 report included:

• Cybercrime, cyber-espionage and cyberwarfare are on the rise
• Credit card cloning is flourishing in India, conducted by Nigerians living in India who are using card data received from Russian underground forums
• Hackers are launching chance attacks on individual users and more targeted attacks on businesses and governments to exploit system security flaws
• Corporate source codes for products, intellectual property and defense data is extremely valuable to competitive organizations and governments
• Enterprises leveraging social media tools should consider the risks of employees accessing social media sites while on the corporate network

It’s truly an honor to follow in the footsteps of some of the most recognizable technology companies in the world such as Google, YouTube, Skype and eBay, who have all been previously selected to Red Herring’s prestigious Top 100 Global list.

This recognition is a direct result of years of hard work evolving our fraud protection service into a full spectrum device reputation solution that supports native and web integrations for mobile and desktop devices, tagged and tagless device recognition, real-time transparent risk scoring, and on-demand and scheduled reporting. Our remarkable growth is attributed to the collaborative work and effectiveness of our global device intelligence network, which today protects billions of transactions for our clients representing multiple industries around the globe.

Red Herring Chairman, Alex Vieux, elaborated on the difficulty the editorial staff goes through each year in selecting the Global Top 100.

“Choosing the best out of the previous two years was by no means a small feat. After rigorous contemplation and discussion, we narrowed down our list from 1,100 potential companies to 100 winners. It was an extremely difficult process. iovation should be extremely proud of its achievement, the competition for the Top 100 was fierce. The Top 100 Global are truly the best of the best.”

Companies were evaluated on both quantitative and qualitative criteria such as financial performance, technology innovation, management quality, strategy and market penetration.

The full list of 2011 winners is located at: http://www.herring100.com/RHG/2011/top100.html.

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud.

It’s in the retailer’s best interest to put online fraud prevention measures in place to thwart credit card fraud use on their sites. This not only helps them keep their chargebacks and fees low, but it also protects their brand reputation with their loyal customers. But how can retailers detect when fraudsters are stealing from their websites in the first place?

Before verifying identity and credit information, first make sure that the computer, tablet or smartphone connecting to the site is not a known fraudulent device – one used to steal from your business in the past, or from other online businesses.

Would you like to know if the device is acting suspicious such as masking its IP address or constantly changing its characteristics between transactions? Is it opening an excessive number of new accounts, or are new countries suddenly accessing your customer’s existing accounts?

There are many indicators of risk and companies like Oregon-based iovation Inc. helps online businesses set up fraud and risk rules in advance so that as transactions come in, the rules run and all checks in a fraction of a second. This device identification service can stop the transaction right then and there.

Carders are just one piece of the cybercrime puzzle. Having a defense-in-depth approach to fraud prevention is essential. And sharing fraud intelligence with other businesses can only help you catch more fraud, and meanwhile, take more business with confidence.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Today, anyone seeking federal aid for the thousands of online courses can do so while maintaining their anonymity. Without the physical checkpoints traditionally used to cross-reference and validate that applicants are who they say they are, higher education online programs are being hit with what’s being dubbed financial aid fraud, or distance-education fraud.

In the recent New York Times article, “As Online Courses Grow, So Does Financial Aid Fraud,” financial aid scams have become a serious problem. In a number of high-profiled cases, distance-education fraud rings have stolen hundreds of thousands of dollars using various techniques. For example, a woman submitted applications on behalf of 23 unknowing prison inmates that she gathered information on while working in the prison’s education department. The applications were admitted and granted more than $450,000 in federal aid, including nearly $125,000 for books, transportation and living expenses.

Other fraud rings use “straw students” who have no intention of pursuing an education or are simply unaware applications are being filed in their name. With the vast majority of colleges and universities now offering online courses, Kathleen S. Tighe, inspector general for the Department of Education, said more needs to be done to stop financial aid fraud, including clamping down on identity verification.

“Without that money there would be significantly less incentive for this particular scam. We’ll do the best we can with our resources to investigate the allegations we receive, but there are actions that can be taken to help reduce the appeal of this quick-cash-for-little-effort scam.”

Identity verification processes that provide red flags for suspicious applications give higher education programs the ability to monitor and identify online transaction anomalies, velocities and geolocation information before federal aid is approved. For example, when a single computer is applying for multiple grants under different names, fraud preventative solutions like iovation’s ReputationManager 360 help online businesses spot and stop suspicious transactions in real-time without collecting or relying on any personally identifiable information (PII).

Having effective, fraud prevention tools in place provides a multi-layered approach to help identify and stop fraudulent transactions that are costing online businesses, including higher education programs, hundreds of thousands of dollars each year.

Their main concern was that companies could set up shop, accept tons of credit card charges, and then vanish, leaving the banks short. Mail order fraud was also big. A stolen credit card could be used to place orders over the phone, and when the fraudulent charges were discovered, merchants would suffer from chargebacks.

At the time, it wasn’t even necessary to provide a correct expiration date, as long as the card wasn’t already expired. Then credit card companies began verifying billing addresses to authenticate mail orders. Eventually, an additional verification code was added to cards, referred to as a CVC or CVV. We still use these codes today, but they can be fraudulently obtained in a number of ways.

When merchants moved from catalogs to websites, IP addresses were used to track transactions. But bad guys figured out how to spoof them.

Now we have a number of new technologies designed to fight credit card fraud. The most effective and widely implemented is device reputation, an effective online fraud prevention method that helps protect retailers from fraudulent CNP transactions by examining the computer or other device for a history of unwanted behavior, plus any suspicious activity at the time of transaction.

If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, flagged 35 million online transactions as high-risk in the last year for its clients and will flag 50 million or more by the end of 2011.

Protect yourself from credit card fraud by checking your statements regularly. Set up your own email alerts so that at a minimum, you are notified of any transactions over your specified amount occur on your account. Businesses set up triggers and alerts to protect themselves, shouldn’t you?

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

We all know that the top priority for any IT fraud team is to ensure their good customers can safely and easily communicate and do business within their online environment. However, because many business websites have networking communities that bring likeminded individuals together to socialize, the potential for users or criminals to act inappropriately towards others can create problems that can impact the user experience.

For the verticals we serve, including online dating and Internet gaming and gambling websites, the social interaction that goes on between their members is core to their business and daily revenue stream. If somebody gets out of line or breaks corporate policy, it not only impacts the user’s experience, but can put the organization’s reputation at risk.

If any online business fails to maintain the trust and confidence of their paying subscribers, those customers can simply take their business elsewhere. This is why online romance sites and Internet gaming environments need to be aware of the impact member abuse can have on their bottom line.

One of the challenges of protecting networking sites from abusive behavior is stopping it before it happens. But how? While most anti-fraud measures still focus on the person connecting to a site, iovation’s ReputationManager 360 solution checks the device being used to log onto a site or request transactions against a dynamic database of more than 700 million unique devices and their reputations to give businesses deeper insight to those connecting to their network. Understanding when a device on your network — whether it’s a PC, smartphone or tablet — has been used to perpetrate abusive or fraudulent behavior on another site is valuable information fraud teams can use to prevent unwanted behavior against their members.

The bottom line is, when it comes to online services, consumers have more choices than ever. If their trust and confidence has been violated as a result of online fraud or abuse, they can walk away at any time. Organizations leveraging device reputation technology to protect their social communities have an additional layer of intelligence needed to prevent both fraudulent and abusive behavior before it impacts the user experience or results in a financial loss.

This is why combating increasingly sophisticated fraud techniques requires online merchants to identify fraudulent orders faster and boost the efficiency of their fraud management functions, without increasing overhead. For one North America retailer whose fraud losses were eating into profits and affecting the customer experience, implementing the right fraud prevention service enabled them to drop annual fraud losses from a peak of $2 million to $180,000.

In our newly downloadable case study, “Online Retailer Uses New Fraud Detection Systems To Cut Fraud Loss Rates,” Forrester Research principal analyst, Andras Cser, shares how the online merchant was able to reduce fraud loss by $1.8 million after deploying iovation’s ReputationManager 360 along with our partner’s case management system.

Initially lacking the ability to configure its own business rules and review important order details in one place with its existing fraud management solution, iovation allowed the retailer to create versatile fraud detection rules and review complete order information from a robust, single-screen user interface. iovation’s Real IP technology also revealed the true IP addresses of the devices cyber criminals were using to perpetrate fraud so the merchant could identify high-risk activity relating to velocity, anomalies and detection of proxy in real-time to automatically flag suspicious orders for review or stop them in their tracks.

Recognizing fraudulent orders before they are approved and shipped is critical to reducing fraud rates, which is why iovation’s device reputation technology is essential for any online retailer’s fraud prevention strategy.

For banks around the globe, protecting customer accounts is becoming more challenging as cyber criminals work together to create more sophisticated attacks with the aim of defeating existing security measures. In fact, fraudsters have become so efficient at figuring out new ways to access critical data from a bank’s IT system that the article,“European banking industry lacks guidance to combat cybercrime,” suggests that the entire ecosystem — from government to banks — should take a cue from the criminals themselves.

Powered by the collaboration of over 2,300 IT, security and fraud professionals, spanning multiple industry’s worldwide, iovation’s globally shared fraud database allows subscribers to benefit from everybody’s hard work and experience fighting online fraud and abuse. For example, if a multinational bank flags a device for credit card fraud today, and that same device came to your website tomorrow, next week or next month, how valuable would that information be to you? That’s the power of device reputation.

The presentation, “Selling Your Fraud Strategy Internally and Overcoming Challenges Deploying Third Party Tools,” will demonstrate how focusing on things like brand protection, company image, customer acquisition and retention, and boosting profits can strengthen your case when lobbying for fraud prevention projects that help reduce fraud rates and improve the health of your IT environment.

The iovation client presenting with Cory brings first-hand experience undergoing proper tool evaluation to determine which fraud tools to build in-house and which to purchase through a third party. The presentation will provide merchants that have online social aspects (user to user) with tips on how to compete against other internal revenue-generating projects. Specific points that will be covered include:

• How to match third-party tools with unique business problems

• How to decide which tools to buy and which to build in-house

• Why understanding the technical aspects of third-party tools can help you make correct decisions

• How to win budget and resources for fraud projects

• How a clean marketplace and user base contribute to your corporate brand and company health

If you are attending MRC Fall Platinum next week, be sure to set some time aside to attend this presentation.  If you’d like to talk about any specific fraud or abuse challenges that your online business is currently, I will be at Chicago meeting on Monday through Wednesday and would be happy to meet with you.

The study found that IP theft (£9.2bn) and industrial espionage (£7.6bn), combined, account for over two-thirds of the overall cost to UK businesses per annum. IP theft is largely committed against companies with high volumes of IP or IP that’s easy to hack, while industrial espionage includes stealing or exploiting non-IP data from organizations that depend on large amounts of financial transactions and monetary activities.

Other significant cyber crimes that impact UK businesses include extortion (£2.2bn), direct online theft (£1.3bn), and loss or stolen customer data (£1bn), according to the report.

Because organizations today are becoming increasingly dependent on cyber space for business commerce, communications, and daily operations and production, cyber threats pose a significant threat to individual nations, as well as the global economy. This is why reports like these are so important.

Understanding the economical impact cyber crime can have on businesses, industry, and the economy can play a critical role in setting effective security policies and implementing proactive fraud preventative strategies, such as iovation’s device reputation service, which combats new and evolving forms of cyber crime that have a negative impact on organizations across the globe.

According to the article, “Online dating scams harm ‘thousands’ in Lee County,” Stacey Payne of the Lee County Sheriff’s Office community relations department says oftentimes those seeking love online either don’t want to believe it, are embarrassed, or simply don’t mind that the person they are in love with is a scammer.

“Oftentimes the victims don’t care they are being scammed – they want that companionship. Or they don’t believe they’re being scammed. They’re in love. If a person is of sound mind they can give their money to whomever they want to give their money.”

Payne estimates that 30% of online relationships, at least in Lee County, are based on lies. Contributing factors such as an aging population and affluent places such as Gasparilla Island can make such areas prime targets for online scammers, Payne says.

Because online perpetrators focus on the emotional heartstrings of their victims, Internet dating websites need to continually educate their members on how to spot potential sweetheart scams before victims get emotionally involved. While keeping members up to speed on fraud schemes and providing tips on how they can avoid being scammed, anti-fraud security tools also play a pivotal role in identifying and stopping online fraud before it happens.

Leading fraud prevention services such as iovation ReputationManager 360 uses device reputation to not only identify and re-recognize when Internet-connected devices with a history of fraud or abuse log onto a dating website, but also reveal hidden associations between fraudulent devices and other online accounts that are already active within a community.

Just since January 1, 2011, iovation has already flagged 15 million fraudulent activities for its dating and social networking clients, further protecting the client’s brand reputation and ensuring its members have a safe experience.  Many of those activities had to do with online scams and solicitations and take place all over the world.

Exposing the connections between fraudsters working together is critical for helping online dating sites reduce fraud rates and remove bad accounts that impacts its customers’ trust and confidence.

Infographics: Hotel Credit Card Hacking © CreditDonkey

When travelers go online to research hotels to plan a vacation or business trip, things like proximity, cleanliness, amenities, and safety play a huge role in their decision-making process. But those priorities may be changing. With credit card fraud becoming more prevalent in the hotel industry, a hotel’s reputation in relation to online security and fraud risks may soon override many of the traditional considerations that consumers have for choosing hotel accommodations.

According to the article, “Hotel Guests More Likely to Be Credit Card Hacking Victims, CreditDonkey Illustrates Danger,” a study estimates that 38% of all credit card hacking involves hotels. That’s two-times more than the financial industry (19%), which surprises Charles Tran, founder of the credit card comparison website, CreditDonkey.

“We were surprised at the numbers showing that hotel visitors run the greatest risk of all for having their credit card information stolen.”

One of the reasons for these unexpected numbers may be the recession. Because the hotel industry has been hit so hard, many hotels and hotel chains have not adequately upgraded their computer security systems. This, along with the fact that travelers typically use credit cards to pay for their hotel stays, may explain why hotels have become prime targets for cyber criminals.

All of this could create a shift in priorities for travelers selecting a hotel. As a result, hotels need to make sure they implement effective anti-fraud security strategies that help reduce the risk of credit card fraud.

As cyber thieves get more sophisticated, hotels must deploy security tools that help them identify fraudulent activity before they happen. Fraud prevention tools like iovation ReputationManager 360 uses device reputations to identify in real-time when a device with a history of fraud or is associated with other known fraudulent accounts is attempting a transaction.

By recognizing or re-recognizing any type of Internet-connected device — whether it’s a PC, laptop, tablet or smartphone — before the transaction takes place, hotels can mitigate their risk of credit card fraud and other unwanted activities, all of which can have a significant impact on their brand reputation and, ultimately, their business revenues.

To reduce fraud rates, social networking sites are using their own social verification systems to determine whether the person at the other end of a Web transaction is actually who they say they are. According to the article, “How your social network can protect your credit card,” social networking sites like Facebook collect various pieces of information about a user’s personal network to identify a person and reduce fraudulent activities such as credit card fraud, account takeover and account hijacking within their network. But while the social networking giant and others prefer to keep their data to themselves, think about the possibilities this type of information could have in the fight against global fraud.

With so many credit card details and social security numbers now in the hands of organized cyber criminals, we need a broader mindset if we are going to truly stop the growing fraud problem that stretches across continents, technologies and industries.

By sharing intelligence on more than 600 million Internet-connected devices including PCs, smartphones and tablets, iovation’s ReputationManager 360 fraud prevention solution allows businesses across all industries to see if a device requesting an online transaction has a history of fraud, or is associated with known fraudulent accounts or devices, before the transaction takes place. With a nearly 30% device crossover rate between industries, we understand how important working together and sharing critical information is to fighting online fraud and abuse. This is how we are able to help our cross-industry customers stop 35 million online fraudulent transactions and activities a year.

Much like any legitimate user, fraudsters come in from computers or devices they’ve used before. Having the goods on bad guys’ devices enables businesses to decide whether to deny, accept, or pull for review any pending transactions to prevent credit card fraud and other unwanted behavior. As a result, businesses don’t have to write off future online transactions that are ultimately impacting their sales revenues and bottom line.

As part of our effort to expand our device identification, device reputation and real-time risk mitigation services for online businesses in France, I am pleased to announce that Philippe Mazurier has joined iovation as Country Manager, heading up sales and business development and is based in Montpellier.

Philippe brings strong business relationships and deep, in-market experience that will be instrumental in helping us meet online fraud protection demands in this market. He understands the serious and damaging impacts that cybercrime has on online businesses.

As we continue to serve the French market, protecting e-commerce, financial services, gaming and online communities from fraud and abuse, having a seasoned veteran in authentication and fraud prevention services representing iovation will help us serve this market even better.

To arrange meetings with Philippe to talk about any fraud or abuse issues your company is experiencing, please email france@iovation.com or call +33 (0)6 69 79 12 33.

With criminals targeting online casinos around the clock (we’ve got the data to prove it!), gaming sites need all the help they can get to rid their tables of costly criminal activity such as credit card fraud, chargebacks, account takeover and player collusion. Leveraging iovation’s global database of over 600 million unique devices, our gaming customers gain deep insight into every device, whether it’s a PC, smartphone or tablet, attempting to login or play on their site. Using customizable business rules that allow them to assess risk at various integration points, online gaming providers will spot characteristics that are consistent with fraud and abuse to stop criminals before they strike.

Based on the online gaming transactions iovation has checked since January 1, 2011, here’s a sample of what we’ve stopped and what we’ve seen:

This prestigious award is a testament to our continued commitment to reduce fraud and abuse in the online gaming industry. For 7 years now, we’ve been helping gaming sites detect cyber criminals and shut down global fraud rings so our customers can improve their business profits and maintain a reliable, trustworthy reputation with their good players.

In the article, “Independent Study Reveals Corporate Account Takeover Fraud Continues to Plague SMBs and Banks,” the 2011 Business Banking Trust Study found that SMBs have struggled to make progress in stopping payments fraud as 56% of businesses said they had experienced fraud within the last 12 months. While 61% said they were victimized more than once over that period, 75% of businesses participating in the study said they experienced online account takeover and/or online fraud.

With mobile banking growth rates on the rise, these findings are alarming to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, which commissioned the study. With 38% of respondents saying they access their company’s banking accounts from mobile devices such as smartphones and tablet PCs compared to 23% in 2010, Ponemon doesn’t anticipate things turning around for SMBs anytime soon..

“As online and mobile banking adoption continues to grow, the possibility for more fraud and more lost customers escalates. Endpoint security will be challenged to keep up with the growing number of devices and threats, and banks are in the best position to take the lead on proactively protecting all account holders from the wide variety of threats.”

It’s these types of findings that underscore the need for businesses to be proactive and implement fraud preventative strategies that stop new forms of financial fraud that costs businesses millions in profits each year. To protect systems from new and emerging online threats that continue to torment SMBs and the financial services industry, iovation’s ReputationManager 360 uses a combination of device identification, device reputation and risk scoring that effectively stops fraud rings that are committing account takeover, phishing schemes and other types of online fraud, regardless of whether they are using PCs, smartphones or tablets to access a financial institution’s website or mobile application.

In order for the business rules engines to be productive, the rules they operate on need to reflect the particular risks the organization faces. When it comes to customizing business rules, this is not a “one size fits all” model. Giving a retailer, financial institution, or gaming company the ability to easily create and manage rules that are run against their transactions requires a tool that makes it simple to see, add, edit, and experiment with rules.

The iovation business rules editor provides great flexibility in managing the set of rules to be reviewed for transactions such as login, account creation, account change, and checkout. Rule sets are the collections of rules for each end-customer touch point. Rules can be added with a familiar drag-and-drop, enabled and disabled with one click, parameters can be adjusted, and lists of common items can be managed and included. An example of a list is a ‘risky ISP list’, where the user can create a list of risky ISPs and use that same list in multiple rules. If the list changes, all rules leveraging that list will be immediately updated. New rules can be evaluated without impacting scoring results by giving them a zero weight and tracking how frequently they are triggered.

The iovation rules editor provides additional flexibility to help you keep up with the evolution of fraud while protecting your business.

There are many facets to building a highly available, lightning fast infrastructure (which we will cover in more depth in future blog posts), but today I would like to start at the very beginning with our DNS architecture.

The first thing that happens when an iovation ReputationManager 360 customer (or a customer’s end user) tries to connect is a DNS (Domain Name System) lookup to convert a name (like www.iovation.com) to an IP address (74.121.28.140).  This DNS query must complete before any further interaction with the service can proceed.

To make this as fast and reliable as possible, iovation leverages IP Anycast technology. Anycast allows DNS requests to be handled by the closest member of a global cluster consisting of 17 distributed nodes (with 5 more on the way).   Without IP Anycast technology, requests are randomly routed to a single server, which may be half way around the globe.

Beyond the speed aspect, Anycast DNS also has a number of other advantages over Unicast.  With Anycast, the loss of a single node does not impact the ability to resolve DNS. Requests are simply routed to the next closest node.  This distributed architecture helps protect against Denial of Service attacks by spreading the load among the entire cluster and by limiting attacks to the region from which they originate.

As a quick example, let’s run a traceroute from my house (in Portland, Oregon) to one of iovation’s DNS servers, ns1.p20.dynect.net.

admin@router:~$ traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1 L100.PTLDOR-VFTTP-18.verizon-gni.net (98.108.131.1)  5.044 ms  5.046 ms  5.031 ms
2  184.19.244.32 (184.19.244.32)  4.982 ms  4.969 ms  4.961 ms
3 so-7-3-0-0.SEA01-BB-RTR1.verizon-gni.net (108.57.128.160)  9.898 ms  9.890 ms  9.876 ms
4  0.so-0-3-0.XT1.SEA7.ALTER.NET (152.63.105.169)  37.321 ms  37.308 ms  37.294 ms
5  0.so-6-0-0.BR1.SEA7.ALTER.NET (152.63.105.113)  12.279 ms  12.250 ms  12.233 ms
6  204.255.169.74 (204.255.169.74)  12.218 ms  12.425 ms  12.411 ms
7  po-3.r00.sttlwa01.us.bb.gin.ntt.net (129.250.4.178)  12.398 ms  12.385 ms  12.369 ms
8  fa-4-4.r00.sttlwa01.us.ce.gin.ntt.net (198.104.202.66)  12.355 ms  12.435 ms  12.422 ms

Not bad! Less than 13 ms round trip to the node in Seattle. But we would expect low latency between Portland and Seattle, so let’s go run the same test from a computer located in Chicago to the same iovation DNS server.

[root@prextmon01 ~]# traceroute ns1.p20.dynect.net
traceroute to ns1.p20.dynect.net (208.78.70.20), 30 hops max, 40 byte packets
1  173-203-80-2.static.cloud-ips.com (173.203.80.2)  21.168 ms  21.425 ms  21.662 ms
2  core1-aggr301a-1.ord1.rackspace.net (173.203.0.168)  0.434 ms  0.526 ms  0.549 ms
3  vlan901.edge1.ord1.rackspace.net (173.203.0.33)  0.317 ms  0.358 ms  0.412 ms
4  xe-7-1-0.edge1.Chicago2.Level3.net (4.71.248.53)  0.795 ms  1.938 ms  1.938 ms
5  ae-2-52.edge4.Chicago3.Level3.net (4.69.138.166)  34.377 ms  0.947 ms  0.961 ms
6  xe-6-2.r02.chcgil09.us.bb.gin.ntt.net (129.250.8.77)  1.203 ms  1.172 ms  1.193 ms
7  ae-3.r21.chcgil09.us.bb.gin.ntt.net (129.250.2.72)  1.239 ms 1.332 ms 1.253 ms
8  po-4.r00.chcgil09.us.bb.gin.ntt.net (129.250.2.208)  1.224 ms  1.191 ms
9  ge-7-15.r00.chcgil09.us.ce.gin.ntt.net (128.242.180.110)  1.325 ms 1.393 ms 1.435 ms
[root@prextmon01 ~]#

This path is actually faster, taking only 1.4ms. This query was handled by the Chicago Anycast node rather than having to come all the way back to Seattle. This is precisely the magic of Anycast.  This same scenario holds true for queries issued in Japan or Germany – they get routed to their closest node.

Without Anycast, just imagine how bad this problem is for customers that have globally distributed users with many outside the United States.  Connectivity from the other side of the globe is a minimum of 250ms round trip (and often times much longer). That delay can add up quickly if you’ve got multiple round trips to your SaaS providers.

It’s important to consider things like globally distributed DNS infrastructure when integrating third party services with your site to make sure the value from the SaaS you’re buying isn’t offset by slower page loads for your users.

Retail Decisions CEO, Carl Clump, credits innovations in fraud prevention technologies for the estimated 15% decline over the past year. This defied the trend where overall CNP (card not present) fraud losses have grown consistently over the past five years. Despite the total drop in losses, Clump was quick to point out that the current trend, which would continue well into 2010, may not be here to stay.

“The positive impact of current fraud prevention technologies will still factor in 2010. We estimate a further 5% reduction in the value of CNP fraud throughout 2010. However, this downturn is unlikely to be ongoing. A return to previous growth trends in CNP fraud is expected for 2011, as fraudsters find more creative ways of conquering new security measures and tightened regulations.”

Carl further comments, “Payment fraud is an organised crime that will continue to evolve on a global scale. Despite constant innovation in fraud prevention, thieves will undoubtedly remain persistent in finding new avenues to perpetrate their trade, the latest of these being the migration to online channels like smart phones and ultra-portable laptops, which allow consumers constant access to online shopping sites. For consumers, the growth in mobile commerce brings greater convenience. However, for the fraudster, it brings an expanding payment landscape to attack. ReD’s role remains in being vigilant to new forms of fraudulent attack and protecting retailers at risk.”

According to APACS, the UK payments association, CNP fraud now accounts for 50% of plastic card fraud losses. While Retail Decisions estimates the total CNP fraud losses for 2010 to drop to GBP264 million, they don’t predict the same reduction for 2011.

Much like online businesses, cyber criminals are working around the clock this time of year. But instead of sending out legitimate emails promoting online sales, fraudsters are sending out emails containing bogus links that closely resemble real retail websites. While their intent is to steal credit card information from unsuspecting online shoppers, the real victims in this crime will end up being online merchants.

The reason for this is what’s known as a chargeback—a truly dirty word for anyone in online retail. It works like this: once an individual whose credit information has been stolen discovers a fraudulent purchase on his or her account, she contacts the bank to report the fraudulent charge. The charge is then refunded to the individual, and charged back to the online merchant.

Unfortunately, by the time a chargeback is processed, the merchant has usually already accepted the order and shipped the goods to the address provided by the online criminal. And once the goods are out the door, they’re most likely never coming back. This means that goods have essentially been stolen—but not at the expense of the person whose credit information was stolen, instead it is at the expense of the online merchant.

Not only that, but the loss of the stolen merchandise isn’t the only way online merchants suffer from chargebacks. Other setbacks include:

• Increased fees: As credit card chargeback rates get higher, so do online merchants’ rates with card companies. If the fraud rate gets too high, online merchants may lose the ability to accept cards entirely, resulting in seriously negative impacts to revenue.

• Increased operational costs & overhead: The more questionable charges an online merchant encounters, the more resources—both time and money—will be spent trying to distinguish between good and bad orders. This can lead to a serious imbalance of resources.

• Member attrition & tarnished reputation: Once an online merchant’s website has been associated with fraud, retaining good customers and generating new ones becomes extremely difficult, resulting in more customer attrition and loss of potential business revenues.

Ultimately, when it comes to online holiday scams it’s the online merchants, not the shoppers, who are left with the bill. And while increased business this holiday season is good for online merchants, having the tools to effectively identify bad transactions may be the biggest gift of all.

In the case of identity theft, it’s a common myth that malware, botnets, and other internet scams are to blame; however, Smith cites a study done by Travelers Insurance that actually shows that the majority (78%) of incidents of identity theft actually occur offline. This indicates that peoples’ fears may have been, at least in part, misplaced. Individuals would benefit from an increased awareness and vigilance in all aspects of their life, not just online.

This being said, there still remains the question of identity fraud: what happens once someone’s personal information has been compromised? This is where online businesses still need to be on high alert, because online sites (and not physical stores) will likely remain the No. 1 target of identity fraud. Here’s why: 

It’s safer to commit online identity fraud: Taking advantage of the Internet’s anonymity keeps criminals at a safe distance from their victims and the businesses they are trying to steal from. In other words, why would a fraudster risk getting caught red-handed when he could commit fraud in the comfort of his own home?

It’s more efficient: As you would imagine, today’s Internet-savvy criminals work extremely fast. Within minutes, one stolen identity can be used to apply for multiple credit cards or a stolen card can be used to charge thousands of dollars worth of goods at multiple online sites. By the time the theft is reported, the damage can be wide-reaching.

It’s easier to work in fraud rings: For ages, criminals have used whatever tools were at their disposal to organize and run their operations. Today, criminals around the globe are leveraging the Internet to work together, share information, and trade, sell and purchase stolen personal and financial information like never before.

It’s not limited by geography: Criminals that obtain stolen credit or personal information are no longer limited by their geography. With the Internet all but eliminating distance, crime can now occur anywhere, at anytime, making online businesses everywhere equally vulnerable.

While statistics show that most identity theft occurs offline, you can take it to the bank that once an identity has been stolen, fraudsters will turn to their real target – online businesses, to commit identity fraud.

Fraudsters are using a variety of bogus and legitimate recruitment channels to con job-hunters into thinking they have found genuine employment. But in each case the job comes down to asking the victim to receive relatively small amounts of money into their own account and then move them onwards to another bank.

The result is that unsuspecting individuals can become liable for stolen money being funneled through their accounts and end up suffering the consequences. As an essential component of many types of fraud, money laundering is a big problem because it enables criminals to move money around without being traced to the initial theft. This not only affects online banking, but it is also a problem anywhere money changes hands—like online casinos or auction sites.

Money laundering is one of the big issues that many of our clients face, and we’ve discovered that there are some key characteristics associated with the problem that device reputation technology can reveal. Here are three things that we help our clients look for to expose organized fraud rings likely to be involved in laundering money:

• Too many accounts accessed by a single PC – One of the first indicators of potential money laundering (as well as several other types of fraud) is a high number of accounts associated with a single computer. For criminals, it is common behavior to be running anywhere from ten to several hundred accounts, so that money can be transferred and moved around without detection.
• Too many devices accessing a single account – The converse of the first indicator can also be a sign of money laundering. Many devices accessing a single account can indicate that several people are all sharing an account, which may be typical behavior of criminals running schemes.
• The web of associations – A web of association shows connections that exist between accounts and computers. With money laundering rings, and other organized fraud groups, this web can grow quite large, encompassing hundreds of accounts and devices.

Any one of these three items can be an indicator of organized money laundering and often you will see all three. It is also important that online banks and online merchants work together and share information to expose this behavior and prevent it from spreading. Money laundering doesn’t limit itself to one bank, so relationships between different banks can bring fraud to light that was previously invisible.

“As we head into Q4 and the busiest season for online shopping and Internet use by those considered inexperienced users, click fraud will likely run rampant as scammers seek to tap into the increased attention, experts warned.”

Click fraud (which is when affiliate sites dishonestly increase online ad traffic in order to gain unearned revenue) is one of many types of fraud becoming more common with the use of botnets. In addition to click fraud, many other types of fraud—including spam, phishing attacks, and identity theft—are gaining in prevalence with the use of botnets. The result is that consumer PCs are under siege and individuals and businesses alike bear the cost.

“The significant rise in botnet-generated click fraud lines up with recent findings of several well-known malware and online fraud tracking experts,” said Paul Pellman, CEO of Click Forensics. “Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication.”
Another post from the Kansas City Star confirms this problem as well as provides some tips for individuals to protect themselves:

Slightly more than 4.3 percent of American adults were the victims of identity theft last year, according to the 2009 Identity Fraud Survey Report, and the percentage is expected to go higher when wallets are lost and stolen in the holiday shopping season. The average fraud amount per victim was $4,849 and took about 30 hours to resolve, The Javelin Strategy & Research Center reported.

It is worth noting that the $4,849, cited above, does not take into account the significant costs that businesses suffer as a result of fraud. And with all indications pointing to an increase in online fraud as the shopping season ramps up, online businesses are currently trying to prepare. A good fraud prevention process ought to be able to recognize the following items:

• Is the credit card valid? There are a number of security checks available that can point to credit card fraud. This includes authorization checks, AVS checks, card verification (i.e. checking CVV2 number), and other card validation checks.
• Has the individual committed fraud in the past? There are a number of commercial systems and internal databases that help businesses check whether the supplied Personally Identifiable Information (PII) has been associated with fraud in the past. This kind of system essentially checks whether the information submitted by the customer matches information that has been associated with fraud in the past.
• Does this transaction have high risk characteristics? Businesses should be tracking and flagging transactions that have high risk characteristics. Contributing factors can include: the country of origin of the purchase, the kind of goods being purchased, the use of IP proxies, the time of the purchase, and many others factors. For fraud systems that work with these risk factors, often a large number of factors are taken into consideration in order to determine a risk score for each transaction. Based on that score, businesses can make a decision whether to allow, deny, or flag that transaction for review.
• Has this computer been used for fraud before? Device reputation systems are now considered a best practice for fighting online fraud. An online business should be able to understand, independent of personal information, whether or not a computer that is being used to conduct online business already has a history of fraud. The critical components of this system are: the ability to identify and re-recognize a computer and the ability to take into consideration historical fraudulent activity associated with that computer.

With these techniques in place, businesses will go a long way to stopping holiday fraud.

But while that kind of fraud certainly does exist, there is another type of fraud that can be equally troublesome and, to some extent, even harder to combat: fraud committed by individuals using their own legitimate information. A very common example of this kind of crime is shipping fraud and it takes several different forms. Here are a few examples and tips on how companies can address this problem.

• Denying receipt of goods – In this case, an individual will legitimately place an order and actually receive the goods, but then turn around and deny that they were received. Strangely enough, people will even do this more than once for the same good after another item has been shipped. Online businesses that ship high-value goods often combat this by requiring signatures for receipt of goods. For many businesses, however, this is isn’t a practical solution. Ideally, organizations would like to be able to identify individuals who have a habit of doing this on any site.
• Denying the purchase – In this era of rampant identity theft, many individuals are using it to their advantage, claiming that their credit card was stolen and they were not the ones who made the purchase, therefore they should not have to pay for it. This is a hard type of fraud to detect and defeat, and the only real solution is to require a signature, or have an internal tracking system to identify repeat fraud.
• Returning the wrong good – I have talked with merchants before who have had individuals return old or damaged goods in place of the new ones they ordered and then demand a refund. These cases can be easier to address by simply refusing to refund the purchase, but they are still a problem that businesses would like to be able to address before shipping.

All in all, shipping fraud can be difficult to detect and defeat, but it is worth considering that typically individuals who do this once don’t quit while they’re ahead. Instead they become repeat offenders, targeting multiple online merchants. Tracking the activity of online criminals and sharing that information among a network of online businesses can significantly reduce this type of fraud. Imagine the benefit if businesses could identify the computer before a purchase was completed, and determine if that computer already has a history of shipping fraud.

There’s an old adage that applies here: “Fool me once, shame on you. Fool me twice, shame on me.”  When it comes to online fraud, businesses would do well to track fraudulent activity, learn from past experiences, and work together to minimize fraud this shopping season.

President Obama makes some important points indicating that our networks and IT infrastructure are important national assets and it is imperative to protect them. Acknowledging the growing strength of online spending, President Obama says, “The Internet and e-commerce are keys to our economic competitiveness.”

Cyber thieves are costing the U.S. and other countries billions of dollars in fraud losses every year; this is in addition to the significant impact that individuals suffer as a result of identity theft and the propagation of malware on personal computers. Obama calls on a public/private partnership to address this threat and secure our networks.

Regardless of your political leanings, providing a safe environment for online business is an important goal for our country and the rest of the world. There is no doubt that our online activities are under siege and jeopardized by an increasing cyber threat. Thwarting this threat and providing a safe environment for online businesses and individuals is a key mission for iovation and our customers.

But people shouldn’t be too quick to jump to the conclusion that an increase in fraud is necessarily the result of negligent or inadequate fraud measures. It is unclear from this article that credit card fraud in Australia is any worse than in the rest of the world. I would be interested to know how they define a “victim” of credit card theft.

If being a victim simply means that an individual’s number has been stolen, then the United States might be in even worse shape. The attack on Heartland Payment Systems—located in the United States—resulted in over 130 million credit card numbers being stolen. Given that the current U.S. population is projected to be just over 307 million, then assuming the majority of the card numbers stolen were from Americans, our baseline fraud rate would be around 1 in 3 people.

Regardless of whether Australia is in worse shape than we are, it is clear that our credit systems are under siege. The sophistication and coordination of attacks on our personal and corporate machines, with the intention to commit fraud, has never been higher. No matter what country you reside in, identify theft and credit fraud is a serious problem and poses the most significant threat to the ecommerce industry.

Despite widespread adoption of the new technology and expected decreases in credit card fraud, there was instead a dramatic increase in fraud recently. Creditcardsweb.co.uk reports:

“Last year the value of credit card fraud in the UK came to a massive £610 million, which reflected a rise of 43 percent in the space of just two years.

Whilst CHIP and PIN technology was brought in to provide increased protection for consumers who were using their cards on the High Street, no such protection is in place when using a card to make online or telephone transactions, and this is why fraud in these areas has risen so sharply over recent years.”

Certainly online fraud is rising at an alarming rate, but there is way more to this trend than a simple response to a card present anti-fraud technology. CNP fraud is on the rise because it is far more profitable and safe than in person fraud. It is easy to see why:

• There are no video cameras online
• There is no signature required
• There are no security guards
• I don’t have to drive to a new store to use a credit card a second time
• I am not constrained by my geography
• I can use multiple cards to purchase goods and they don’t know I’m the same person
• Online credit card fraud is rarely successfully prosecuted

The list goes on and on. I think the lesson from this is not that new fraud fighting techniques like CHIP and PIN, or pictures on your credit card, or whatever it might be are driving fraud online. The lesson is that any technology that is intended to fight credit card fraud must account for Card Not Present situations which are more common than ever.

The argument against this type of technology, however, is that the device information could be collected and sold, constituting a violation of privacy of the online user. What needs to be taken into consideration, however, is how device fingerprinting compares with existing identity-based fraud prevention techniques. Device fingerprinting solutions, such as the device reputation system offered by iovation, ideally work to reduce fraud while simultaneously protecting the privacy of the individual. iovation’s ReputationManager service, as an example, collects and requires no personal information from our customers. Our online service is completely incapable of assigning any online activity to an individual and we market it that way.

The reality is that device fingerprinting systems provide online businesses with some of the only fraud management tools that don’t rely heavily on personally identifiable information. Instead of decrying privacy violations, privacy advocates should be looking to embrace systems that achieve the purpose of reducing online fraud while still protecting the privacy of good online users.