The iovation Site

Posts Tagged ‘Phishing’

iovation Named Finalist for “Best New Technology” at 2010 iDate Awards

Tuesday, December 1st, 2009

We have exciting news to share! Now that the nomination phase of the first annual 2010 Internet Dating Industry Awards is complete, iovation has been named a finalist for Best New Technology. This award recognizes the best individual technology created by a vendor for dating or matchmaking sites. The award will be announced at the 7th Annual Internet Dating Conference. (more…)


Domain Name Abuse—An important component of fraud as a service

Monday, October 5th, 2009

While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of botnet operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection. (more…)


Vishing Attacks For Identity Theft? How to Protect Yourself.

Monday, June 1st, 2009

In a recent post I spoke about the phishing attack spoofing the Social Security Administration. Today I would like to discuss a variation of this identity theft scam, vishing. Where phishing uses social engineering through e-mail to trick people into visiting fake websites, vishing uses social engineering through the phone system to get you to connect to phony phone numbers to harvest your personal information. There is a good article on vishing attacks at CNET. Don’t be fooled by the fact that a voice mail is directing you to a toll-free number. Vishing attacks use temporary 800 numbers to enhance legitimacy.

This attack is even more relevant to me personally as I witnessed this attack on a friend of mine this past weekend. My friend received a voice message telling him that his debit card account had indications of fraud and to call the 800 number immediately to get details. Once he connected to this number he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him so he hung up intending to call back later. When he did call back, he called the number of his financial institution on his card instead of the number left on voice mail. It was a good thing he did. There they indicated that there was no fraud activity on his account and that he had been a victim of a vishing attack.

In this incident it turned out OK because he never entered his personal information, but it could have easily turned out differently. The lesson from this incident is that, as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial or other account, you should dial the actual company number and have them direct you to the appropriate department. Do not trust phone numbers left to you in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.


When Fighting Online Fraud Not All Device Reputation is Equal

Thursday, May 14th, 2009

I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004 and we have a lot of experience with this issue. There is a big difference between the two types of reputations and their relevant value. (more…)


Social Networks and Malware a Potent Combination

Wednesday, May 13th, 2009

Yesterday, SC Magazine reported that malware distributed on social networks was 10 times more effective than the same malware distributed through e-mail. They report that it is a big threat to the future of social networks and hypothesize that its effectiveness is due to the trust relationships that exist on these sites.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned: (more…)


New Phishing Scam Spoofs Social Security Administration

Monday, May 11th, 2009

An SC Magazine article, out today, reports that a new phishing attack is now targeting individuals who will be receiving an economic payout later this month.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the user’s personal information is the target of choice, but this is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult; it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail or link to a page that collects that data from an e-mail.


Online Fraud Coming to Social Networks

Tuesday, March 31st, 2009

There is an interesting article today in the online Fortune Magazine focusing on the potential use of social networks to facilitate collaboration between online criminals intent on committing online fraud. The interesting hook for the article is that fraudsters may begin using social networks like Facebook and Twitter to communicate, share data and pass illegal information. The reality is that online criminals have been working together for some time and have established a sophisticated online fraud value chain where fraudsters specialize in a particular fraud deliverable.

Generally you won’t find the online criminal who commits all aspects of an online fraud independently, from stealing the identity and obtaining fraudulent credit to finally defrauding an online business. Instead, online criminals may specialize in different areas of the fraud process. One criminal may specialize in establishing and utilizing botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or other elements of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals may begin to collaborate and communicate on Facebook and Twitter. The reality of today’s environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud. That is exactly part of the unique value we bring to our customers at iovation: the chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.


Identity-Based Fraud Tools Make Phishing Harder to Combat

Tuesday, March 17th, 2009

I came across a good article this morning on detecting and avoiding phony fraud alerts. The problem is that I found myself thinking yet again that as online sites employ even more identity-based fraud management solutions to combat online fraud, the likelihood of these phishing attacks succeeding goes up. More and more often we are being asked for increasing amounts of personal information to validate our identity.

There are two problems with this. First, we are training online users that providing personal information in addition to credit credentials, i.e. color of your first car, your pet’s name, etc., is required to complete a transaction. As this has become the norm, it is harder to spot phishing attacks. Second, we are feeding the online databases created by botnets with increasingly personal information that the scammers can use to bypass these same checks.

I truly believe that the long-term viability of solutions that require input of substantial personal information is in question. To fight fraud, account takeover and identity theft, we should move more to systems that do not require this information, like a variety of multi-factor authentication tokens, device fingerprinting, and smart cards.