In the article, “Why Internet crimes go unpunished,” security expert Roger Grimes breaks down some interesting numbers around cybercrime, and how hackers are (to put it mildly) beating the odds. According to the FBI’s 2011 Internet Crime Report, of the more than 300,000 complaints that netted criminals $1.1 billion in 2010, law enforcement agencies convicted an average of one crook for every 50,635 victims. In other words, as Grimes eloquently states:

Steal someone’s identity and your odds of being caught are almost infinitesimal.

With all the hacks and fraud headlines 2011 will be remembered for, that’s definitely not the way we want to ring in the New Year. But as Grimes also warns, if we aren’t careful we could see history repeat itself as criminals not only continue defrauding computer users, but launch recycled attacks against the explosion of worldwide mobile device users, who could fall victim to the same old PC tricks.

While law enforcement certainly has its challenges in tracking down and prosecuting cyber criminals, nobody will argue that we can always be doing something on our part to help reduce the risk of fraud where the criminal is utilizing a computer, as well as emerging mobile platforms like smartphones and tablets.

Whether you’re an individual, small to mid-size business, or even a large international corporation, in many ways you’re sort of on your own in cyberspace. This is why taking matters into your own hands and implementing defense-in-depth fraud preventative strategies is so critical to protecting yourself, your employees and business from both evolving and old-school scams targeting every form of Internet-connected device that we use.

This is the time of year when most businesses are setting their budgets and determining business goals for 2012. While improving customer service and increasing revenues are certainly at the top of any CEO’s to-do list, mitigating costly fraud risks that can take a hefty bite out of annual profits (not to mention cause significant reputation damage) requires organizations to deploy effective security tools like iovation’s ReputationManager 360 solution to reduce the risk of fraud or abuse over all devices and platforms connecting to their online business environment.

In the recent article, “How to steal an identity in seven easy steps,” software developer, Herbert Thompson, shows us just how easy it is to collect personal information that allows fraudsters to gain access to somebody’s personal and financial online accounts. This is disturbing news, especially when you consider that roughly 40% of web users are ‘likely’ or ‘very likely’ to provide their personal information in one of six online scams, like the Ponemon Institute, commissioned by PC Tools, recently discovered after interviewing over 1,000 UK web users.  

Essentially, Thompson cites a number of online resources that criminals can tap into to gather personal information that increases their chances of cracking security questions and passwords required to access personal emails or financial accounts, including:

1. General Web Search: Searching someone’s name on a search engine such as Google can provide an assortment of information about a person including where they live and their social networking communities.
2. Personal Blog: Doing a keyword search on things like birthday, pets and mother’s maiden name can reveal personal data that users apply for questions relating to password reset and account login.
3. Public Websites: Public websites such as the DMV and state traffic court provide resources for obtaining information on traffic violators that could include things like birth date and vehicle type.
4. Resume/Job Seekers Webpages: Job seekers are constantly updating their work history and joining networking groups that disclose current home addresses, phone numbers, emails, where they’ve lived and their professional background.
5. Alumni Webpages: High school or college online social networking communities can make known somebody’s personal history, nicknames and other close friendships.

As you can see, online romancers aren’t the only ones susceptible to identity theft. This scenario essentially applies to anyone sharing personal information over the Internet.

While individuals need to always apply common sense before sharing personal information that really never goes away, so do the providers of these popular online environments. To ensure the safety of their legitimate users and maintain their reputable brand reputation, online dating and social networking sites need to deploy fraud detection tools that can stop known fraudsters before they enter their communities and root out fraud rings that are committing repeat fraud against good members.

iovation’s ReputationManager 360 does both. By identifying the user’s actual device, not the personally identifiable information (PII) they provide to create their profile, online communities can detect when a known fraudulent device is trying to enter their site, as well as expose bad devices and their associated accounts that are already active in the community. This unique level of device reputation intelligence enables Internet communities to improve their ability to deny fraudulent transactions before they happen and rid their trusted online communities of cyber criminals who are already perpetrating fraud or collecting personal information they can use later to break into personal or financial accounts.

In the USA Today article, “Travelers at high risk of identity theft, experts say,” travelers lost a total of 11,000 mobile devices at the busiest U.S. airports this year. And that only accounts for items lost before travelers reach their intended destinations. In a study of 200 data breaches, Trustwave’s SpiderLabs found that hotels and resorts are prime targets for crooks stealing financial information, with respondents saying 38% of data thefts took place at hotels or resorts.

John Sileo, an identity theft and fraud expert who experienced identity fraud first-hand while traveling to Disney World, says people can be particularly vulnerable when they are unfamiliar with their surroundings. In his case, he suspected someone took a photo of his card number at the theme park before his bank informed him that his credit card had been shut down when someone attempted to make $3,000 worth of online charges to his card.

“Data theft goes through the roof on the road,” says Sileo, a spokesperson for CSID, an identity-protection provider.

When preparing to travel, Steve Schwartz, executive vice president of consumer services at Intersections, says there are several precautions every traveler should take to protect their personal information, including:

1. Use a credit card to book flights, hotels and arrangements: Because federal law limits the liability of card holders if your credit card is lost or fraudulent purchases are made to your card, it’s best to use a credit card to book all travel arrangements rather than a debit card, which has different federal protections that could result in additional financial losses.

2. Clear out your wallet before a thief does: As much as we would like to trust our fellow travelers, you can never be sure when criminals are scoping out airport waiting areas, hotel lobbies or public media centers looking for the right moment to steal somebody’s personal property.

3. Travel with only two credit cards: Walking around with one card and storing a backup in a hotel safe limits a thieve’s ability to swipe multiple cards and access various personal accounts.

4. Leave your social security card at home: Most of us don’t carry around our social security cards anyway, so safely storing your SSN somewhere when you’re on the road is a good idea.

5. Safely store contact numbers of card companies: In the event you find your personal possessions missing, you can quickly contact your card companies and have them stop any purchases until you locate your card or are issued a new one.

6. Never type passwords or credit card numbers over unsecured wireless networks: Doing so can allow fraudsters using special software to conduct a “man-in-the-middle” attack, which enables crooks to control and intercept messages between two legitimate users without them knowing it.

7. Never share travel plans on social networks: While vacationers are always tempted to share their travel plans or instantly post pictures over social networks, this information can let criminals known when you are away from home. It’s best to provide a recap of your business trip or vacation once you’ve returned.

While individuals can do several things to protect themselves while traveling, the same holds true for businesses.

With millions of company employees on the road at any given time, organizations need to take proper security measures to protect their business data when workers are accessing their corporate network remotely. Making sure they are regularly updating all anti-virus software, encrypting sensitive data, and having effective fraud detection and prevention tools in place to secure their private networks can help reduce the risk of fraud for their traveling employees and better protect their business assets.

As far back as I can remember, police have been warning of thieves who target cars in parking lots, smashing windows to steal shopping bags left in plain sight. Then, we’d be warned that as the Christmas lights went up, thieves would target the wrapped gifts underneath the tree. I thought, “It can’t get worse than this?”

Then Cyber Monday came along. It was born as a marketing opportunity that has taken on a life of its own over the past five or six years. Online retailers promote their Cyber Monday offers throughout the fall, creating hype that whips shoppers into a frenzy. It’s become as essential to the retail community as Black Friday.

Now the warnings are different: no longer so focused on crime in the physical world, but instead, on threats in the virtual world.

When shopping online, you risk unintentionally visiting an infected website, which could infect your PC with keylogging spyware, which would be used to steal your data. Or you might provide your credit card information to a legitimate online merchant that later falls victim to a data breach. Another risk is that you might order a particular product but receive something of lesser quality, or a different item entirely, and then have to contend with poor customer service.

And, of course, your identity might get stolen. Lovely. My, how times have changed!

Online retailers would spread more holiday cheer if they did their part to protect the public from credit card fraud by implementing device reputation. Device reputation, offered by iovation Inc., taps into a global device identification network that also contains millions of verified fraud and abuse events such as chargebacks, identity theft, shipping fraud on those devices. The device’s reputation is assessed in real time when a transaction is being attempted on a retailer’s website.  And when the device (such as a computer, phone or tablet) has no prior history, iovation profiles its potential risk for the online retailer, identifying high-risk activity before the transaction is approved or product shipped.

Stopping fraudulent transactions upfront spares many holiday revelers the burden of covering the bill for the gift lists of cyber criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

1. When handing your card to a clerk or cashier, pay close attention. The card should be swiped through a point of sale terminal or keyboard card reader once, maybe twice. If your card is swiped through an additional reader, the card number may have been stolen.

2. Shop only at trusted sites. Phantom websites appear online all year round. They look legitimate, resembling well-known online retailers. But only do business those you recognize. Established online merchants are best.

3. Unsolicited emails that request sensitive data such as credit card numbers or lead you to a too-good-to-be-true offer are most likely phishing emails. Don’t disclose your information, and don’t click unknown links.

4. Check your credit card statements daily, if possible. Once a week is sufficient. Refute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, it’s 60 days, and for debit cards the limit can be 30 days or less.

Internet crime schemes steal millions of dollars annually from victims. If you are looking for more helpful tips, the Internet Crime Complaint Center is a great resource. Their site provides preventative measures that help you be more informed prior to making purchases on the Internet.

Holiday schemes will be in full force this year. Charge or purchase wisely.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

According to the article, “Cyber crime hit 431 million adults in 24 countries,” a recent Norton cybercrime report found online crime jumped 3% compared to its 2010 study, costing fraud victims more than $388 billion worldwide over the past year.

Eating up 35% of the global cybercrime bill were U.S. fraud victims, who spent $139 billion on cybercrime last year. That amounts to 141 victims per minute, an alarming statistic even for Norton’s consumer cybercrime expert, Helen Malani.

“We were astounded by the costs in terms of cash lost. The number came to more than $US388 billion globally. That’s more than the illegal drugs market in heroin, cocaine and marijuana. Cybercrime is an illegal underground economy and it needs to be taken seriously.”

According to the study, one of the biggest gains in cybercrime last year came in crimes against mobile devices, which are up 10% globally. No surprise there, considering the explosion of smartphones and tablets being used to connect to the Internet. Malani said the chief concern with mobile fraud is users inability to stay on top of security updates. She said only 20% of people accessing their mobile devices have installed the most up-to-date mobile security. With up to 80% of mobile devices improperly protected, this provides fertile ground for cybercrime activity.

Similar to any other legitimate economy, growth in the illegal underground marketplace is driven by innovation, and tapping into the next opportunity. For cyber crooks, it’s all about exploiting the latest technology before the security gaps are identified and closed.

For online businesses that allow users to access their websites and corporate networks via mobile devices, this is especially disconcerting. Operating without the tools to effectively detect when fraudulent devices are logging onto their sites and requesting transactions, organizations and their customers are vulnerable to evolving schemes such as credit card fraud, card-not-present (CNP) fraud, account takeover, phishing and identity theft.

Today, building a multi-layered fraud preventative strategy that includes device reputation technology is critical to identifying when an Internet-based device, whether it’s a PC, smartphone and tablet, is already registered or attempting to log onto a website. The device intelligence that iovation’s ReputationManager 360 provides in real-time allows online businesses to recognize when a remote device that has been used to commit fraud or abuse in the past and stop any illegal or unwanted activity before it happens.

With nearly 150 users (just in the U.S.) exposed to some type of fraud every minute, it’s time businesses gain an extra layer of protection needed to stop more advanced forms of online fraud and abuse. Performing real-time risk analysis on transactions from every country in the world, iovation has already flagged nearly 40 million fraudulent transactions for its B2B customers just this year.

Network World reports, “The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled 77 financial institutions and asked how many account takeovers occurred in 2009 and during the first six months of 2010. The FS-ISAC consists of a group of banks that shares threat information and interacts with the federal government on critical infrastructure issues. Its members include Citi, Prudential, Bank of America, JPMorgan Chase, Goldman Sachs and Wells Fargo, among others.”

Account takeover occurs when thieves infiltrate your existing bank or credit card account and siphon out your money. This typically occurs after your account has been hacked or your credit card or personal identity has been stolen.

21 of the institutions polled reported a total of 108 commercial account takeovers during the first six months of 2010, compared to 86 for the full year of 2009.

In 2010, 36% of fraud attempts were successfully thwarted, whereas 2009, fraud was only prevented 20% of the time.

I have previously referenced a report from Javelin Strategy: “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

Unfortunately, FS-ISAC’s study failed to disclose what methods were used to thwart the account takeovers. Many financial institutions are protecting their users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses discussesonline banking security on CBS Boston. Disclosures

In the article, “Fraudster used Facebook to hack bank accounts,” cyber criminal Iain Wood spent 18 hours a day online collecting information posted by his neighbors on social networking sites including Facebook to figure out passwords that would defeat online banking security checks. Prior to getting caught by police, he managed to steal more than £35,000 (approx. $55,000 USD) over a two-year period.

This is just a small example of how a single hacker can stage an ongoing crime spree that impacts individual users and their banks. Prosecutor, Neil Pallister, said Wood followed and befriended several neighbors online to obtain enough personal information that helped him break into their online bank accounts.

“He would make friends with people on Facebook and got their usernames. He would try it on the bank websites, on the basis people use the same passwords. If that did not work he would fill in the security information, which he got from Facebook and Friends Reunited.”

With this type of criminal behavior taking place every day, online banks can no longer afford to rely on personal information to validate customers and detect fraud. Today, knowledge-based security defenses are leaving online businesses and their customers vulnerable to schemes that allow fraudsters to easily answer security questions and de-code passwords. Now more than ever financial institutions need to deploy security tools that go beyond the data provided by customers to access their accounts. Businesses need the ability to identify the actual device used to access online accounts to see when someone is using stolen or false information to fraudulently access another person’s account.

The fact is, fraudsters will continue to gather personal information from the Internet to fool even the latest security tools. While these fraud practices may be impossible to stop, a multi-layered security approach that includes iovation’s ReputationManager 360 allows online businesses to look beyond personally identifiable information (PII) and see when any type of Internet-connected device (PC, smartphone or tablet) with a history of fraud or abuse logs onto a website or tries to access an account using personal information. This is why having deeper insight into online transactions, without relying on the information a user provides, is essential for protecting online businesses and their customers from today’s more sophisticated, knowledge-based fraud schemes.

The Better Business Bureau and the Consumer Sentinel Network received 725,000 consumer complaints of fraud in 2010. The defrauded consumers who reported fraud last year lost $1.7 billion.

Beware of the following scams.

Auction Scams: This ruse involves fake profiles advertising goods and accepting payments, with no intention of ever shipping any items. Scammers often contact potential victims within an auction website, but then bring communications to outside email or phone. Once the target engages with the scammer, social engineering commences.

Craigslist Scams: A scammer responds to a seller, claiming he wishes to purchase an item. He mails the seller a fake check for an amount in excess of the purchase price, with extra money included for shipping, and requests that the buyer deposit the check and then wire the payment to the shippers from the buyer’s own account. By the time the check bounces, the scammer has already received the seller’s money.

Dating Scams: Criminals pose as lovesick Romeos or Juliets, looking to sweep their victims off their feet while emptying their bank accounts. Marriage is often discussed within the first week of communications, and the word love is used as frequently as the victims’ names, which coincidently are two of the most important words a person can hear.

For consumers, education and awareness is key. For platforms on which the scams proliferate, one risk mitigation solution employed by auction sites, retailers, and dating sites is device reputation management. This not only keeps known bad computers or mobile devices from creating more fake accounts, but it also protects businesses against brand new devices that are behaving similarly to cyber criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Scambaiting on Fox News. (Disclosures)

All Jim Smith needs is some basic information about Fred Jones, much of which is available in the phonebook, in his trash, in discarded files in the bank’s dumpster, or on social media sites. Maybe Fred also happens to work with Jim, and Jim has direct access to Fred’s files.

Once Jim has Fred’s information, all he has to do is go online with the PC in his cozy office, or head down to the local coffee shop and fire up his iPad, or even fill out a credit card application from his mobile phone.

Scenarios like this one happen all day long across the globe.  Credit issuers are constantly looking for new tools to identify fraudulent applications faster.

Since online credit applicants can fool you with any number of tricks to get approved for credit leaving you holding the bag for losses, instead of verifying identity information on fraudulent applicants, consider verifying the reputation of the device (or computer) being used to submit the application in the first place. When a fraudster connects to your business, the computer being used can be evaluated in a fraction of a second for its risky intentions.

If you know the device being used is a known fraudster, you don’t have to spend the time, resources, and money running other fraud checks such as verifying identity information.  You know the source is suspect and you can block the transaction upfront. Device fingerprinting coupled with the device’s reputation and risk profile helps identify the bad guys in the acquisition channel, so you don’t have to rely on other fraud detection tools that drive up the cost to decision an application.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

According to the article, “Securing Internet Payments,” 70% of all fraudulent credit card transactions originate from card-not-present (CNP) transactions. This has a substantial impact on the public’s confidence using their credit card for online transactions. Lacking the capability to prevent unauthorized transactions and associated fraud and abuse ultimately trickles down to Internet-based businesses’ bottom line revenues and profits.

Because e-commerce is expanding faster than conventional transactions, financial institutions, merchants and other organizations that depend on online payments to do business need to have effective fraud preventative tools in place to identify the cardholder before the remote transaction actually takes place. Doing this requires the ability to look beyond the credit card information provided by the individual requesting the transaction.

iovation ReputationManager 360 does this by checking the reputation of the actual device being used to request the online transaction against a database of more than 550 million unique devices, some of which have been used for fraud or are associated with other devices that have been involved with fraud or abusive behavior. This allows businesses to accept, deny or review transactions to stop criminals before they cause damage to the business or customers.

Using iovation’s configurable business rules engine, financial services organizations can automatically make decisions at transaction time. Here are just a few example rules that could be written. Of course, there is not a “one size fits all” model when it comes to business rules, so these are purely examples.

If you plan to attend NACHA Payments 2011 in Austin, Texas, April 3-6, and would like to learn more about how device reputation helps protect financial institutions from CNP fraud, chargebacks, identity theft, account takeovers, and other fraudulent activities, stop by our Booth #332. I will be there along with Don Megale and we both look forward to meeting you.

Fraudulent credit card applications are the most lucrative form of credit card fraud. Identity thieves love credit cards because they are the easiest accounts to open, and they allow thieves to quickly turn data into cash. Meanwhile, consumers don’t find out that credit cards have been opened in their names until they are denied credit or bill collectors start calling.

Identity thieves use any number of tricks to fool banks, retailers, and creditors into approving their online credit applications, extending credit that leaves the creditor on the line for losses.

It doesn’t need to be this way.

Instead of simply verifying the identification provided by fraudulent applicants, newer technologies allow creditors to verify the reputation of the computer or smartphone being used to submit the application. By instantly evaluating a device’s history for criminal activity, creditors can prevent fraudulent transactions.

“In addition to telling businesses that a single device has been involved in fraud, iovation can also determine if that device is associated with bad activity through its associations,” said, Jon Karl, VP of Corporate Development for iovation. “Beyond fingerprinting and reputation, we provide our clients with early warnings about devices visiting their website in real-time, based on the behavior of devices and accounts associated with that device.”

Device fingerprinting and device reputation analysis help identify bad guys during the application process, allowing creditors to avoid more expensive solutions.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosure)

New account fraud refers to financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Since the thief typically submits a different mailing address when applying for new accounts, the victim never receives the bills and may remain unaware of their existence until creditors come seeking payment for debts the thief has accumulated in the victim’s name.

Variations on new account fraud include:

Utility fraud, in which the identity thief opens new utility accounts, such as gas, electric, phone, or cable, in the victim’s name, accounts for as much as 20% of all instances of identity theft.

Loan fraud accounts for approximately 10% of instances of identity theft. In order to obtain a loan of any kind, applicants are nearly always required to provide a Social Security number.

Credit card fraud is the most lucrative type of new account fraud, and the most prevalent, accounting for almost half of all identity theft cases. Simply put, identity thieves love credit cards because they are the easiest accounts to open, and they can quickly be turned into cash.

The availability of instant credit means instant identity theft. Identity thieves froth at the mouth when they obtain personal identification information and are in range of a major retailer.

An identity theft protection service can help mitigate the risk of new account fraud by monitoring your credit for new account activity, as well as by monitoring the Internet for your personal information.

One cool company that’s watching your back is iovation. iovation spots cyber criminals by analyzing the device reputation of the computers they use to connect to a website. They investigate for suspicious history and check for characteristics consistent with fraudulent users. And the best part is that iovation can prevent a criminal from using stolen data to open a new account in the first place.

According to Scott Waddell, Vice President of Technology at iovation Inc., “iovation sees identity thieves carry out their attacks in very short-time windows to exploit their newly stolen credentials. What might typically look like one transaction to a single business is often a shotgun attack across our globally shared view. One device may be opening a new credit card account, then going to an online retailer, then applying for instant credit all within minutes, and iovation can detect that through velocity triggers and shared experience across subscribers to alert the affected businesses and thwart the attacks. That’s great for the protected businesses and for the consumers who would otherwise be dealing with fraudulent charges made under their identities.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Social Security Numbers as National IDs on Fox News. (Disclosures)

The government’s voluntary Identity Ecosystem is an ambitious, but evolutionary step in securing online transactions and activities. However, it manages to fall short in circumventing fraudsters and raises the ire of privacy advocates. In contrast, device reputation and risk assessment, which uses device fingerprints to identify known fraud device reputations, focuses on recognizing and blocking the devices fraudsters use rather than the people themselves. This is an important point for the nefarious that don’t want to be identified, the paranoid that don’t want an online identity, and the rest of us whose personally identifiable information has been too easily compromised in the past.

With over 10 million Americans becoming victims of identity theft each year, solutions such as device reputation preserve the privacy for end users while still offering the fraud and abuse fighting benefits that strong systems require to protect their business and online users. As a result, devices can play a critical role in raising trust associated with online IDs and in the government’s plan for securing identities in online transactions and creating a trusted online environment. In order for the plan to be put into action, it will take time, but today there are many technologies already available that the government should consider for the underlying infrastructure that supports this national strategy.

iovation’s Device Reputation Authority (DRA) contains a plethora of information around devices, accounts, transactions, reports of fraud and abuse and more, all used to detect and prevent online fraud and abuse for businesses and their customers. It leverages customizable business rules, risk profiles, direct experiences with scammers as well as the experiences from the world’s leading online brands, all for the highest level of online fraud protection. iovation combines cross-vertical fraud prevention expertise with unmatched device recognition technology. This offering already protects over 300 major online brands from fraud and abuse today, such as financial fraud, shipping fraud, affiliate fraud, chat abuse, spam, scams and solicitations, identity theft, phishing, account takeovers, and more.

After a three-year investigation by the FBI and the UK’s Serious Organized Crime Agency (SOCA), British authorities announced they have arrested the sophisticated network of cyber criminals behind DarkMarket, one of the world’s top criminal websites. The site, which operated out of an unassuming London Internet café, was an international cyber supermarket for stolen credit card and bank account information that officials say has cost the banking industry tens of millions of dollars.

According to a recent article, “Welcome to DarkMarket: a global shop for cybercrime and banking fraud,” the DarkMarket site was an online superstore of personal data, viruses, tutorials, and a whole host of other resources for fraudsters. In order to gain access to the site, which was by invitation only, those wanting to become members had to offer up details of 100 compromised credit cards – 50 each to two separate members who would then test the cards in the market to see if the information was valid. If the information was usable, the applicant would gain entrance to the site. If not, access would be denied.

Once in, members could trade everything from credit card details to bank account PIN numbers obtained through hacking, phishing scams, and ATM skimming devices. The site even had a crime “menu,” where for very reasonable prices, members could purchase, among other things:

• Information needed for online transactions ($3-$10 depending on quality)
• Credit card images ($30 each)
• Bank logins (2% of available balance)
• Billing details needed for opening or taking over accounts ($150 for accounts of $10k balances, $300 for accounts with balances of $20k)

Of the estimated 2,000 members who had access to the site, so far the bust has led to the arrest of more than 60 members who are scattered throughout the globe, in countries including the UK, United States, Canada, Germany, France Turkey, Israel and Russia.

The scope and reach of the DarkMarket website underscores the magnitude of such an operation, as well as the growing problem of organized fraud. With more personal information accessible over the Internet, cyber criminals have built thriving illegal networks to buy, sell and trade financial data and share information on how to defraud all types of online businesses. Certainly businesses are dealing with an increasingly sophisticated threat and must continually evolve and be vigilant to defend their businesses from attack.

I commend the National Fraud Reporting Centre (NFRC) for getting the hotline going. The helpline will allow individuals and small businesses to report cyber crime to a central agency, simplifying what would otherwise be a confusing process involving potentially several different government ag encies. A similar effort in the U.S., the Internet Crime Complain Center (IC3), currently allows individuals to file complaints of internet fraud through its website.

In both cases, setting up centralized agencies to manage reports of internet crime allows for greater cooperation among different law enforcement agencies—from local police to state and federal bureaus—so that large-scale operations of identity theft and phishing attacks, for example, can be more easily identified and addressed at the appropriate level. Also, by offering individuals one clear method of reporting internet fraud, as opposed to several, the hope is that more victims and informed third-parties will be inclined to report what they know.

As we’ve mentioned in previous posts, because most cyber crimes are committed across national borders, local law enforcement is severely limited in its ability to catch and prosecute individuals who commit such crimes. While continuing efforts are being made to stop these criminals, engaging the public about online fraud trends is a worthwhile step in helping raise awareness and hopefully prevent more people and businesses from becoming victims of Internet crimes.

Establishing programs such as the Action Fraud hotline and the IC3, can also build alliances and partnerships between individuals, groups and businesses that could benefit from sharing fraud information and intelligence. Collaborating with your peers to fight fraud is the basic concept behind iovation’s fraud management system, which provides a shared environment that allows online businesses to benefit from the thousands of additional resources, tools and experiences to better protect themselves from online fraud and abuse.

Besides providing statistics on what online purchases people were spending their hard-earned money on during Black Friday, ReD also noted that online criminals were out in force, busy spending other people’s money. “Whilst online retailers witnessed a huge upturn in sales this Black Friday, fraudsters are also ‘spending’ more, with an average value of $248 per transaction online, 23% more than the average genuine customer,” said ReD’s CEO, Carl Clump.

And in most cases, it seems that fraudsters were clamoring for the same hot commodities as everyone else. Based on ReD’s list, the three most popular items bought with stolen credit cards were gift cards, Nintendo Wiis and Xbox 360s. Of course, this doesn’t mean that fraudsters will soon be kicking back and playing their stolen video games. It’s important to remember that for criminals, online theft is a business, and the principles of supply and demand are still in effect. Fraudsters choose to steal items that are in high demand because it will be easy to turn those goods around for a quick profit.

The problem is, if online criminals are profiting—it means online merchants aren’t. And while a new camera or video game might be at the top of many of our wish lists this season, for online criminals, it always comes down to one thing: money.

In the case of identity theft, it’s a common myth that malware, botnets, and other internet scams are to blame; however, Smith cites a study done by Travelers Insurance that actually shows that the majority (78%) of incidents of identity theft actually occur offline. This indicates that peoples’ fears may have been, at least in part, misplaced. Individuals would benefit from an increased awareness and vigilance in all aspects of their life, not just online.

This being said, there still remains the question of identity fraud: what happens once someone’s personal information has been compromised? This is where online businesses still need to be on high alert, because online sites (and not physical stores) will likely remain the No. 1 target of identity fraud. Here’s why: 

It’s safer to commit online identity fraud: Taking advantage of the Internet’s anonymity keeps criminals at a safe distance from their victims and the businesses they are trying to steal from. In other words, why would a fraudster risk getting caught red-handed when he could commit fraud in the comfort of his own home?

It’s more efficient: As you would imagine, today’s Internet-savvy criminals work extremely fast. Within minutes, one stolen identity can be used to apply for multiple credit cards or a stolen card can be used to charge thousands of dollars worth of goods at multiple online sites. By the time the theft is reported, the damage can be wide-reaching.

It’s easier to work in fraud rings: For ages, criminals have used whatever tools were at their disposal to organize and run their operations. Today, criminals around the globe are leveraging the Internet to work together, share information, and trade, sell and purchase stolen personal and financial information like never before.

It’s not limited by geography: Criminals that obtain stolen credit or personal information are no longer limited by their geography. With the Internet all but eliminating distance, crime can now occur anywhere, at anytime, making online businesses everywhere equally vulnerable.

While statistics show that most identity theft occurs offline, you can take it to the bank that once an identity has been stolen, fraudsters will turn to their real target – online businesses, to commit identity fraud.

The retail sites for Amazon.com, Apple, Best Buy, Target and Wal-Mart each saw more than 4 million unique visits Friday, comScore said, with Amazon receiving the most traffic (up 28% from 2008). Apple, Best Buy and Wal-Mart sites also experienced double-digit traffic gains. According to Experian Hitwise, another Web monitoring firm, other e-commerce standouts included Sears, Staples and Dell.

These results are welcome news for retailers who have been concerned that fear of identity theft could have a noticeably negative impact on sales. Just last week SC Magazine predicted overall online spending to be down this year because of such fears. Luckily, so far, this does not appear to be the case.

With online commerce looking healthy, online retailers can now turn their focus from enticing online shoppers to ensuring that the orders that are coming in are valid. With the increase in shopping will inevitably come an increase in fraud. Unfortunately, as the volume of orders increases, it often involves increased time spent on manual reviews to distinguish the fraudulent orders from the legitimate ones.

Periods of high volume online shopping, such as now, underline the need for effective tools that can identify fraud more quickly with less manual intervention. Running checks on the device history, in addition to credit, identity, and shipping information, are all important steps in finding (and stopping) online criminals and repeat offenders.

We at iovation wish all online retailers a profitable and fraud-free online shopping season!

“As we head into Q4 and the busiest season for online shopping and Internet use by those considered inexperienced users, click fraud will likely run rampant as scammers seek to tap into the increased attention, experts warned.”

Click fraud (which is when affiliate sites dishonestly increase online ad traffic in order to gain unearned revenue) is one of many types of fraud becoming more common with the use of botnets. In addition to click fraud, many other types of fraud—including spam, phishing attacks, and identity theft—are gaining in prevalence with the use of botnets. The result is that consumer PCs are under siege and individuals and businesses alike bear the cost.

“The significant rise in botnet-generated click fraud lines up with recent findings of several well-known malware and online fraud tracking experts,” said Paul Pellman, CEO of Click Forensics. “Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication.”
Another post from the Kansas City Star confirms this problem as well as provides some tips for individuals to protect themselves:

Slightly more than 4.3 percent of American adults were the victims of identity theft last year, according to the 2009 Identity Fraud Survey Report, and the percentage is expected to go higher when wallets are lost and stolen in the holiday shopping season. The average fraud amount per victim was $4,849 and took about 30 hours to resolve, The Javelin Strategy & Research Center reported.

It is worth noting that the $4,849, cited above, does not take into account the significant costs that businesses suffer as a result of fraud. And with all indications pointing to an increase in online fraud as the shopping season ramps up, online businesses are currently trying to prepare. A good fraud prevention process ought to be able to recognize the following items:

• Is the credit card valid? There are a number of security checks available that can point to credit card fraud. This includes authorization checks, AVS checks, card verification (i.e. checking CVV2 number), and other card validation checks.
• Has the individual committed fraud in the past? There are a number of commercial systems and internal databases that help businesses check whether the supplied Personally Identifiable Information (PII) has been associated with fraud in the past. This kind of system essentially checks whether the information submitted by the customer matches information that has been associated with fraud in the past.
• Does this transaction have high risk characteristics? Businesses should be tracking and flagging transactions that have high risk characteristics. Contributing factors can include: the country of origin of the purchase, the kind of goods being purchased, the use of IP proxies, the time of the purchase, and many others factors. For fraud systems that work with these risk factors, often a large number of factors are taken into consideration in order to determine a risk score for each transaction. Based on that score, businesses can make a decision whether to allow, deny, or flag that transaction for review.
• Has this computer been used for fraud before? Device reputation systems are now considered a best practice for fighting online fraud. An online business should be able to understand, independent of personal information, whether or not a computer that is being used to conduct online business already has a history of fraud. The critical components of this system are: the ability to identify and re-recognize a computer and the ability to take into consideration historical fraudulent activity associated with that computer.

With these techniques in place, businesses will go a long way to stopping holiday fraud.

But while that kind of fraud certainly does exist, there is another type of fraud that can be equally troublesome and, to some extent, even harder to combat: fraud committed by individuals using their own legitimate information. A very common example of this kind of crime is shipping fraud and it takes several different forms. Here are a few examples and tips on how companies can address this problem.

• Denying receipt of goods – In this case, an individual will legitimately place an order and actually receive the goods, but then turn around and deny that they were received. Strangely enough, people will even do this more than once for the same good after another item has been shipped. Online businesses that ship high-value goods often combat this by requiring signatures for receipt of goods. For many businesses, however, this is isn’t a practical solution. Ideally, organizations would like to be able to identify individuals who have a habit of doing this on any site.
• Denying the purchase – In this era of rampant identity theft, many individuals are using it to their advantage, claiming that their credit card was stolen and they were not the ones who made the purchase, therefore they should not have to pay for it. This is a hard type of fraud to detect and defeat, and the only real solution is to require a signature, or have an internal tracking system to identify repeat fraud.
• Returning the wrong good – I have talked with merchants before who have had individuals return old or damaged goods in place of the new ones they ordered and then demand a refund. These cases can be easier to address by simply refusing to refund the purchase, but they are still a problem that businesses would like to be able to address before shipping.

All in all, shipping fraud can be difficult to detect and defeat, but it is worth considering that typically individuals who do this once don’t quit while they’re ahead. Instead they become repeat offenders, targeting multiple online merchants. Tracking the activity of online criminals and sharing that information among a network of online businesses can significantly reduce this type of fraud. Imagine the benefit if businesses could identify the computer before a purchase was completed, and determine if that computer already has a history of shipping fraud.

There’s an old adage that applies here: “Fool me once, shame on you. Fool me twice, shame on me.”  When it comes to online fraud, businesses would do well to track fraudulent activity, learn from past experiences, and work together to minimize fraud this shopping season.

With a website devoted to the new campaign, it’s easy to take a quick look at some statistics about fraud in the UK, and some of them are quite frightening. While the information on the site is based on UK numbers, the concerns that those statistics raise are likely applicable in many countries, as identify theft is a world-wide problem.

A few stand-out numbers:

• £1.2 billion : The annual amount that identify fraud costs the UK economy
• 60,000: The approximate number of UK residents who have been a victim of identity theft in the current year. (Up 36% from the same time last year.)
• 36: The percentage of businesses that have no clear policy on how to dispose of documents including sensitive information (such as customers’ names, addresses, credit information, photocopies of passports, etc.)

As a whole, the site paints a clear picture: identity theft is a real problem with real consequences, which most people are aware of—and yet neither businesses nor individuals are, in great enough numbers, taking the steps required to prevent it from happening.

Here at iovation, we’re working on the other end of things: helping companies defend against online criminals using stolen identities to commit fraud. While businesses and individuals need to do more to prevent identity information from being stolen, it is also important for online companies to do everything they can to prevent criminals who are using those stolen identities. Unfortunately, most online businesses depend entirely upon information provided by the user, leaving them no way to know if, for example, 50 accounts, all set up with different names and addresses, are actually all coming from the same computer.

To do their part, businesses need to look at the different technologies, people, and processes that can complement core identity-based systems and expand the net to catch online fraud. For my part, I will be at the E-Commerce Expo next week in London to talk to online retailers about combating online fraud. Certainly this is a problem that businesses need to address together. Building national awareness of the problem and encouraging businesses to work together and share best practices is an important step to curbing this epidemic.

But people shouldn’t be too quick to jump to the conclusion that an increase in fraud is necessarily the result of negligent or inadequate fraud measures. It is unclear from this article that credit card fraud in Australia is any worse than in the rest of the world. I would be interested to know how they define a “victim” of credit card theft.

If being a victim simply means that an individual’s number has been stolen, then the United States might be in even worse shape. The attack on Heartland Payment Systems—located in the United States—resulted in over 130 million credit card numbers being stolen. Given that the current U.S. population is projected to be just over 307 million, then assuming the majority of the card numbers stolen were from Americans, our baseline fraud rate would be around 1 in 3 people.

Regardless of whether Australia is in worse shape than we are, it is clear that our credit systems are under siege. The sophistication and coordination of attacks on our personal and corporate machines, with the intention to commit fraud, has never been higher. No matter what country you reside in, identify theft and credit fraud is a serious problem and poses the most significant threat to the ecommerce industry.

Anyone who doesn’t think that online crime has transitioned into big time business should take note.  Online criminals are coordinated and remarkably well organized. They are becoming increasingly adept and efficient at not only obtaining, but sharing, valuable data: namely credit and identity information.

The extent to which online commerce companies rely on their ability to trust in this very same data cannot be overstated. Today, most online transactions are checked for fraud based upon credit and identity checks. If trust in that data is undermined, then the business models of hundreds of thousands of online retailers will suffer.

As we have stated many times before, the use of identity and credit-based checks is an essential part of the online purchasing process, but it is not a complete solution. Businesses need to have a way to check for fraud based on data that is not as easily compromised as credit and identity information. Device fingerprinting solutions, such as our device reputation service, offer that ability.

Device reputation provides significant uplift in fighting fraud because it is independent of the data used in so many of today’s attacks. Things that were previously completely invisible, such as repeat offenders and relationships between organized criminals, now come to light. Device reputation, at its most basic level, uses the ability to identify and re-recognize a PC in order to track that computer’s history of fraud and abuse—all without using any personal information. Those device reputations can then be shared among online businesses so that an entire online community can work together to fight this serious problem. Now, more than ever, the time has come for online businesses to give serious consideration to adopting new technologies to keep in step with an ever-evolving online world.

Botnet and malware based reputation. There are device reputation services that derive online reputation for devices or IP addresses through detection of malware infection or botnet characteristics. A good example of a service like this is Cisco’s Ironport Senderbase service. Here this reputation is used to fight spam, phishing, and malware propagation. The question for online businesses is how relevant is this data when used to combat fraudulent purchases or bogus account setup. In evaluating this question it is helpful to look at the various uses of botnets. There is a good submission on botnets in Wikipedia that describes the various uses of botnets. The top uses of botnets in this article are as follows:

1. Botnets are used to propagate denial of service attacks.
2. They are used for spam and phishing distribution. This use of botnets is so prevalent that they call them spambots.
3. Finally, they are used to harvest data usually either account information, personal information, or credit data.

While botnets can have correlation to online fraud, a large collection of computers that have been associated with an infection or malware is not the same thing as an online fraud reputation database. Think of botnets as the miners of the raw materials to commit online fraud. Typically that data is sent off the compromised PC to a central location where the identity data is collected and resold on the Internet. The actual fraud occurs on different PCs.

Fraud and abuse based device reputation. These reputation services, like iovation’s, track actual histories of fraud and abuse that are associated with a given device by its device fingerprint. iovation tracks over 30 types of online fraud and abuse ranging from credit card fraud to affiliate fraud and customer harassment. Tracking the actual abuses reported for a given device gives our customer actionable information with a very low false positive rate and information that is specifically relevant to their business. iovation has profiled well over 1 billion devices and tracks the unique reputation of over 120 million online devices allowing us to provide unique insight that is unmatched by other services.

Botnet and malware based reputation services are no doubt valuable at combating enterprise security exploitations, but their value simply doesn’t extend to protecting online businesses in the same way. If you are thinking about evaluating a device fingerprinting or device reputation service, be sure to ask the following questions:

1. How many devices do you profile on a daily basis and how many have you profiled in the past year?  This will give an important sense of the scale of the organization.
2. Do you track device reputations, or are you entirely risk based? Device reputation is distinct from device risk in that it identifies a device and its fraudulent history with certainty instead of assigning a likelihood that it is fraudulent.
3. If you say you have identified a fraudulent device, what type of fraudulent activity have you verified? Is this a history of an actual fraud, i.e. a credit card chargeback, or is it simply an infected PC?
4. Can you provide granularity to the reputation that is specifically relevant to my business? Is your fraud reputation one-size-fit all or do you track specific categories of fraud?

Many businesses are looking at this new category of device reputation and seeing how it can help their business. It is important to consider how that reputation is built and how effective it will be in stopping online fraud and abuse.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned:

1. Social networking sites are driven by links. Where e-mail is about easy and quick communication, social networking sites are driven by shared links to interesting news propagating on the web. In the case of Twitter, probably more than 90% of tweets contain links to articles on the web.
2. Browser exploits are THE method of propagation for malware. Worried about the latest self propagating worm exploiting a zero day vulnerability? The threat from a worm pales in comparison to the volume of attacks coming through your browser. TippingPoint’s Pwn2Own contest highlights browser vulnerabilities and the results from this year’s contest were scary. On the first day Safari, Firefox and Internet Explorer all hit the dust with new zero day exploits. This contest actually saw the first official exploit for IE8. Today, scammers take advantage of the weakness of the browser by linking users to infected sites through phishing and link postings. URL shortening complicates this because the user has no idea of what site they are really linking to.
3. Social posts are far less filtered than e-mail. The e-mail spam and virus filtering market has matured and most users have some rudimentary form of filtering for one or both of these items in e-mail. With social networks there is no such filter other than choosing who you befriend and follow. If you are following the latest #trend on Twitter, you will get the good, bad and ugly of links including links to phishing sites.

Link quality poses a serious threat to social networking sites. With numbers demonstrating that the effectiveness of malware attacks in social networks is 10 times as effective as e-mail you can be sure that scammers are taking notice. The inherent nature of social networks makes this a difficult problem to combat. The best advice for all users today? Think before you click and keep your anti-virus software up to date.  Social networks need to identify scammers, ban their accounts and prevent them from creating new ones in order to ensure the future of their sites. This, coupled with greater user awareness, should help reduce the problem.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and is one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the users personal information is the target of choice, but this is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult, it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail or link to a page that collects that data from an e-mail.

Predictably representatives from the PCI council and the cards industry defended the standard and said that any company that had been shown to be breached was in violation of one of the standards at the time.

The reality of this all is that evidence of a breach doesn’t invalidate a standard. No regulation is going to stop online fraud, but it can dramatically reduce the risk as opposed to the absence of the standard. The real question should be how many breaches would have occurred without the standard and how must the standard evolve to be more effective and meet the worlds changing threat.

Before these mobile applications, sites could either provide a separate hardware token for multi-factor authentication which was expensive and difficult to manage, or it could provide this capability through a text message on the phone which could be costly for both the consumer and the company. This application solves the token problem by attaching itself to something that most users always have in their possession (their mobile phone) and solves the cost problem by bypassing costly text messages and embedding the password generation intelligence in the mobile app. There is a beta version of the Verisign app for some BlackBerry models and for another 40 phones in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow.  The ease of adoption for the iPhone could be the difference make in this instance and it could be a positive step in the direction at combatting online fraud and more specifically account takeovers.

Generally you won’t find the online criminal who commits all aspects of an online fraud independently from stealing the identity, obtaining fraudulent credit, to finally defrauding an online business. Instead, online criminals may specialize in different areas of the fraud process. One criminal may specialize in establishing and utilizing botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or other elements of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals may begin to collaborate and communicate on Facebook and Twitter. The reality of today’s environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud. That is exactly part of the unique value we bring to our customers at iovation. The chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.

There are two problems with this.  First, we are training online users that providing personal information in addition to credit credentials, i.e. color of your first car, your pet’s name, etc. is required to complete a transaction.  As this has become the norm it  is harder to spot phishing attacks.  Second, we are feeding the online databases created by botnets with increasingly personal information that the scammers can use to bypass these same checks.

I truly believe that the long term viability of solutions that require input of substantial personal information is in question.  To fight fraud, account takeover and identity theft, we should move more to systems that do not require this information like a variety of multi-factor authentication tokens, device fingerprinting, and smart cards.