The iovation Site

Posts Tagged ‘identity theft’

Is PCI Effective at Stopping Online Fraud? Congress Says No.

Thursday, April 2nd, 2009

It looks like Congress feels that credit card companies haven't done enough to stop online fraud and identity theft. The general feeling among lawmakers was that while the PCI standard does provide guidelines on how to protect customer card data and personal information, it isn't effective at addressing ever-changing threats. Lawmakers cited the example of a company that had recently passed a PCI compliance assessment and was compromised while the actual certification was being granted.

Predictably, representatives from the PCI council and the card industry defended the standard and said that every company shown to have been breached was in violation of at least one of the standard's requirements at the time.

The reality is that evidence of a breach doesn't invalidate a standard. No regulation is going to stop online fraud, but a standard can dramatically reduce the risk compared to having no standard at all. The real questions should be how many breaches would have occurred without the standard, and how the standard must evolve to be more effective against the world's changing threats.


Is iPhone the Catalyst for Ubiquitous Multi-factor Authentication?

Tuesday, March 31st, 2009

This week alone, I have seen two separate iPhone apps enabling multi-factor authentication for the likes of your accounts at AOL, eBay, PayPal and Blizzard, the provider of the popular online game World of Warcraft. The first application is provided by Verisign and provides multi-factor authentication for AOL, eBay, and PayPal to combat identity theft and account takeover. This could easily be expanded to include other sites and is a significant improvement over the options that were previously available. The second application is provided by Blizzard to authenticate users to their popular online games, like World of Warcraft, and is intended to address their account takeover problems.

Before these mobile applications, sites could either provide a separate hardware token for multi-factor authentication, which was expensive and difficult to manage, or they could provide this capability through a text message to the phone, which could be costly for both the consumer and the company. This application solves the token problem by attaching itself to something that most users always have in their possession (their mobile phone) and solves the cost problem by bypassing costly text messages and embedding the password generation intelligence in the mobile app. There is a beta version of the Verisign app for some BlackBerry models, and versions for another 40 phones are in development. The Blizzard version is currently only available for the iPhone and iPod touch, but other models will likely follow. The ease of adoption for the iPhone could be the difference maker in this instance, and it could be a positive step toward combating online fraud and, more specifically, account takeovers.


Online Fraud Coming to Social Networks

Tuesday, March 31st, 2009

There is an interesting article today in the online edition of Fortune Magazine on the potential use of social networks to facilitate collaboration between online criminals intent on committing online fraud. The hook for the article is that fraudsters may begin using social networks like Facebook and Twitter to communicate, share data and pass along illegal information. The reality is that online criminals have been working together for some time and have established a sophisticated online fraud value chain in which each fraudster specializes in a particular fraud deliverable.

Generally you won't find a single online criminal who carries out every step of an online fraud on their own, from stealing the identity, to obtaining fraudulent credit, to finally defrauding an online business. Instead, online criminals specialize in different stages of the fraud process. One criminal may specialize in establishing and operating botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or any other element of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals will begin to collaborate and communicate on Facebook and Twitter. The reality of today's environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud, and that is exactly part of the unique value we bring to our customers at iovation: the chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.


Identity-Based Fraud Tools Make Phishing Harder to Combat

Tuesday, March 17th, 2009

I came across a good article this morning on detecting and avoiding phony fraud alerts. The problem is that I found myself thinking yet again that as online sites employ ever more identity-based fraud management solutions to combat online fraud, the likelihood that these phishing attacks succeed goes up. More and more often we are being asked for increasing amounts of personal information to validate our identity.

There are two problems with this. First, we are training online users that providing personal information (the color of your first car, your pet's name, etc.) in addition to credit credentials is required to complete a transaction. As this has become the norm, it is harder to spot phishing attacks. Second, we are feeding the online databases built up by botnets with increasingly personal information that the scammers can then use to bypass these same checks.

I truly believe that the long-term viability of solutions that require the input of substantial personal information is in question. To fight fraud, account takeover and identity theft, we should move toward systems that do not require this information, such as the various multi-factor authentication tokens, device fingerprinting, and smart cards.