After a three-year investigation by the FBI and the UK’s Serious Organized Crime Agency (SOCA), British authorities announced they have arrested the sophisticated network of cyber criminals behind DarkMarket, one of the world’s top criminal websites. The site, which operated out of an unassuming London Internet café, was an international cyber supermarket for stolen credit card and bank account information that officials say has cost the banking industry tens of millions of dollars. (more…)

How much money has the world lost to e-crime so far? … A trillion dollars. That’s the estimated annual cost of e-crime worldwide, according to a recent article, “National online-fraud helpline to launch in April.” Despite the staggering losses attributed to online crime, victims of such crimes—both individuals and businesses—have not had a simple option for reporting them. Hopefully this is about to improve, with the UK’s new Action Fraud helpline, one of the first attempts at streamlining a call-in process for victims to report online crime.

I commend the National Fraud Reporting Centre (NFRC) for getting the hotline going. The helpline will allow individuals and small businesses to report cyber crime to a central agency, simplifying what would otherwise be a confusing process involving potentially several different government ag encies. A similar effort in the U.S., the Internet Crime Complain Center (IC3), currently allows individuals to file complaints of internet fraud through its website. (more…)

Well it’s been a good year for our blog. We’ve tried to address a number of topics all relevant to helping businesses fight online fraud. As the year wraps up, I thought it would be a good time to summarize some of the themes from the year and highlight some of our posts. While we touched on a number of topics, a few main themes remained consistent:

Device reputation is an important component of best practice fraud management – 2009 was a difficult year for business, but one trend that emerged was an increased visibility into how valuable device fingerprinting and reputation solutions can be as part of any sophisticated fraud prevention architecture. Some of our articles on this topic:

• The First Five Benefits You Will See From Device Reputation
• Not All IP Addresses are Created Equally
• Device Fingerprinting Techniques – Several Choices

Online retailers are under attack – Online retailers continue to find themselves under attack and we touched on this topic a number of times this year. Here are some of the highlights: (more…)

If you’re curious to know what’s topping people’s wish lists this holiday season, just take a look at online sales. No big surprise, electronics are where it’s at. Based on information provided by fraud prevention experts (and iovation partner) Retail Decisions (ReD), the top-ten list of products sold online during Black Friday was dominated by GPS systems, televisions, digital cameras and video game consoles.

Besides providing statistics on what online purchases people were spending their hard-earned money on during Black Friday, ReD also noted that online criminals were out in force, busy spending other people’s money. “Whilst online retailers witnessed a huge upturn in sales this Black Friday, fraudsters are also ’spending’ more, with an average value of $248 per transaction online, 23% more than the average genuine customer,” said ReD’s CEO, Carl Clump. (more…)

In a recent post I spoke about the recent phishing attack spoofing the social security administration. Today I would like to discuss a variation of this identity theft scam, vishing. Where phishing uses social engineering through e-mail to trick people into visiting fake websites, vishing uses social engineering through the phone system to get you to connect to phony phone numbers to harvest your personal information. There is a good article on vishing attacks at cnet. Don’t be fooled by the fact that a voice mail is directing you to a toll free number. Vishing attacks use temporary 800 numbers to enhance legitimacy.

This attack is even more relevant to me personally as I witnessed this attack on a friend of mine this past weekend. My friend received a voice message telling him that his debit card account had indications of fraud and to call the 800 number immediately to get details. Once he connected to this number he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him so he hung up intending to call back later. When he did call back, he called the number of his financial institution on his card instead of the number left on voice mail. It was a good thing he did. There they indicated that there was no fraud activity on his account and that he had been a victim of a vishing attack.

In this incident it turned out ok because he never entered his personal information, but it could have easily turned out differently. The lesson from this incident is that as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial, or other account, you should dial the actual company number and have them direct you to the appropriate department. Do not trust phone numbers left to you in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.

Visa is launching a new card aimed at combating card not present (CNP) fraud in the UK. The card essentially adds a two factor authentication token to the back of the card that can be used to validate possession of the card online.

This is an interesting concept, but the execution of this with online businesses will make all the difference. The key here is the merchants and their adoption of this technology. If adoption is slow, then the card company may be forced to allow use of this card at sites without the pin. If this is the case, the improved authentication is rendered useless because a scammer could still steal the card information and use it online. If, on the other hand, the card issuer continues to require the use of the pin in order to complete an online transaction despite slow adoption by merchants, this could doom the use of the card by consumers as they won’t find enough places to use it.

Online merchants are the key to the success of this experiment and they have incentives to make this work. CNP fraud is a big problem and costs online companies billions of dollars per year. If they can band together to speed adoption of this technology, it will go a long way to changing how online fraud occurs.

Yesterday, SC Magazine reported that malware distributed on social networks was 10 times more effective than the same malware distributed through e-mail. They report that it is a big threat to the future of social networks and hypothesize that its effectiveness is due to the trust relationships that exist on these sites.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned: (more…)