What The FFIEC Is Doing to Protect You and Your Bank

The FFIEC is the Federal Financial Institutions Examination Council, a government body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions, on behalf of numerous other government, public, private and financial entities.

If there is a “good” place for your tax dollars to head, it’s to the FFIEC. Very recently the FFIEC issued updated guidelines for financial institutions regarding their cyber security and the new threats your bank needs to counter.

Over the past decade, as we have all (mostly) banked and bought things online, criminals have formed organized web mobs to sniff out transactions, take over existing accounts and, in some cases, open new accounts.

The FFIEC has certainly pointed this out and, at the same time, has made additional security recommendations since its previous guidance in 2005, based on new kinds of criminal hacking and new technologies to combat them.

Hacking in its many forms involves compromising a system from numerous vantage points. A network can be hacked from the inside by an employee or former employee with credentialed access, or from the outside by seeking vulnerabilities in the network’s technology. More often, though, hacking takes place when an account holder’s credentials, such as username and password, are compromised.

To defend against all of these hacks, the FFIEC recommends to financial institutions what’s called a “layered approach” of anti-fraud tools and techniques to combat crime. This means it’s not simply a matter of applying a firewall and running anti-virus to protect the network, but going much deeper: protecting many interaction points within the banking site (not just login) and using a variety of proven fraud prevention solutions.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior, and the other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that has already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation: it encompasses identification, builds on device recognition with real-time risk assessment, and uniquely leverages both the attributes and the behavior of the device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Grandmother Taken for $5400 in Online Dating Scam

All my life, I’ve been waiting for someone to give me a million dollars in diamonds, which have been willed to me by my long-lost Somalian stepfather, who’s supposedly the third generation dictator under the humble Mr. George Kinneus the Third. Or something like that.

If you receive an offer resembling that one, run for the hills.

This is what happened to the 55-year-old grandmother in New Zealand, who was simply looking for love online. She was checking out her prospects on Match.com, the most popular dating site. The grandmother got a “wink,” which is like a “poke” on Facebook, from “kiwibloke25.” According to his profile, “kiwibloke25” was a 55-year-old man seeking a serious relationship with a woman between 49 and 68 years old.

In his first message, he told the grandmother that she “[seemed] to be the type of person he [was] looking for,” and gave her his personal email address. Soon they were exchanging emails and talking on the phone. The man shared numerous intimate details about his life.

Exchanges like these lure unsuspecting victims into scammers’ traps. In this case, “kiwibloke25” claimed to have been robbed by Somalian gangsters while traveling through Dubai, and asked his victim for $5400 to cover the duty on some diamonds he had supposedly purchased. She wired him the money but became suspicious when he asked for more, to pay for a company to securely transfer the diamonds back to New Zealand. She then discovered that “kiwibloke25,” as she thought she knew him, never existed at all.

If you use an online dating service, be on guard for scams. Stick to legitimate, well-known websites, and get referrals from friends who have successfully met romantic partners online. But never let your guard down.

When creating your dating profile, never post personal information, including your middle name, full address, phone number or entire birth date.

To vet potential dates, look for information about them elsewhere online, and confirm that it matches the information in their online dating profiles.

If a potential date asks for a loan or any financial information, report them to the dating website immediately.

Dating sites could protect users by incorporating device identification, device reputation and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360. It has been recognized over the past few years for “Best New Technology” used by the internet dating industry. This service is established and has protected over 2 billion online dating activities for its clients, flagging 2.7 million of those as scams and solicitations, spam, identity mining/phishing, profile representation and other abuses. Stopping scams and abusive behavior upfront greatly helps online dating sites not only protect their brand reputation, but, most importantly, protect their active members.

According to Industry Consultant, Mark Brooks, “The dating industry uses three lines of defense against scammers and abuse: automated software defense, user flagging and customer/abuse teams. iovation’s technology has enabled many dating sites to work together to beat scammers.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Stories. (Disclosures)

Consumer Fraud No Longer Shocking

The depth, breadth, creativity, and depravity of scams and the scammers that perpetrate them no longer shock or offend. From grandmother scams to online dating scams, identity theft, data breaches, and any form of phishing or advanced fee scams, when you’ve seen one, you’ve seen them all. But the bad guys continue to find new ways to skin a cat.

The Better Business Bureau and the Consumer Sentinel Network received 725,000 consumer complaints of fraud in 2010. The defrauded consumers who reported fraud last year lost $1.7 billion.

Beware of the following scams.

Auction Scams: This ruse involves fake profiles advertising goods and accepting payments, with no intention of ever shipping any items. Scammers often contact potential victims within an auction website, but then bring communications to outside email or phone. Once the target engages with the scammer, social engineering commences.

Craigslist Scams: A scammer responds to a seller, claiming he wishes to purchase an item. He mails the seller a fake check for an amount in excess of the purchase price, with extra money included for shipping, and requests that the seller deposit the check and then wire the shipping payment to the “shippers” from the seller’s own account. By the time the check bounces, the scammer has already received the seller’s money.

Dating Scams: Criminals pose as lovesick Romeos or Juliets, looking to sweep their victims off their feet while emptying their bank accounts. Marriage is often discussed within the first week of communications, and the word “love” is used as frequently as the victim’s name, which, coincidentally, are two of the most important words a person can hear.

For consumers, education and awareness are key. For the platforms on which the scams proliferate, one risk mitigation solution employed by auction sites, retailers, and dating sites is device reputation management. This not only keeps known bad computers or mobile devices from creating more fake accounts, but also protects businesses against brand new devices that are behaving the way cyber criminals’ devices do.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Scambaiting on Fox News. (Disclosures)

Canadian Charged in Ticket Scams – Auction Sites Need to Step Up Fraud Prevention Techniques

Online classified advertising site scams are typically conducted by scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, or Malaysia, who spend their days targeting consumers in the developed world.

Scammer grammar and general awkwardness make these scams relatively easy to detect. But when a scammer is local, the ruse becomes more insidious and effective.

The Toronto Sun reports that a man in Hamilton, Ontario faces “60 charges for allegedly selling thousands of dollars worth of non-existent tickets to concerts and sporting events, mostly at venues in Toronto.” The suspect “allegedly used Craigslist to sell tickets to pop concerts like Lady Gaga, Taylor Swift and Justin Bieber, or sporting events like Wrestlemania.”

As in most Craigslist scams, the perpetrator had the victims wire money to him, and in this case it was to a local account, which reduced suspicions. He told victims they would get a shipping confirmation number once the money was received, but of course, this was entirely bogus.

At the top of every post, Craigslist reminds you, “Avoid scams and fraud by dealing locally!” But they may not consider that scammers can deal locally, too. My suggestion is to always meet the seller with cash in hand, or simply buy tickets directly from the venue or venue’s website.

Craigslist and auction sites could better protect end users and prevent the majority of these scams by using readily available, proven fraud detection tools already on the market. With device reputation management they could round up accounts opened by scammers by tracking them back to the computers, tablets and smart phones that opened them in the first place. And when those devices try to open more accounts under more stolen identities, the accounts are automatically denied upfront—at the “account creation” stage.

Craigslist could easily employ customized business rules, such as those offered by iovation’s ReputationManager 360 anti-fraud service, to identify high-risk activity. For example, when someone posts a local offer, iovation could expose to the business that the user is hiding behind a proxy to appear as if they were in the local region. If someone is selling a used car supposedly in Irvine, California, and goes to the trouble of masking their IP to make it “look” like they are in Irvine, but their real IP reveals that they are in Ghana, wouldn’t that be a red flag? When this happens, the business could automatically deny the attempt in a fraction of a second or, at a minimum, send it to a review queue so that fraud analysts can take a closer look before exposing a scammer’s offer to the public.
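The account-creation and local-offer rules described in the two paragraphs above can be expressed as a small risk decision that a classifieds site would run before publishing an ad. The following is an added example written for this page; it is not iovation’s code or API. The device identifiers, the device-history store, the region names and the score thresholds are all constructed for illustration.

```python
"""Device-reputation style risk check for a classifieds listing (added example).

Models the rules in the post: a device already linked to confirmed-fraud
accounts, an anonymizing proxy, and a "local" offer whose real IP geolocates
elsewhere each raise the risk; the combined score decides allow/review/deny
before the ad is shown to the public.  All data below is constructed.
"""
from dataclasses import dataclass

# Constructed device-history store (hypothetical): device fingerprint ->
# accounts opened from it and which of those were later confirmed fraudulent.
DEVICE_HISTORY = {
    "dev-7f3a": {"accounts": {"acct-101", "acct-102", "acct-103"},
                 "fraud_accounts": {"acct-102"}},
    "dev-91c0": {"accounts": {"acct-200"},
                 "fraud_accounts": set()},
}


@dataclass
class ListingAttempt:
    device_id: str        # device fingerprint presented at posting time
    claimed_region: str   # region the seller says the item is located in
    ip_region: str        # region the connecting IP address geolocates to
    via_proxy: bool       # connection flagged as an anonymizing proxy/VPN


def risk_score(attempt):
    """Return (score, reasons); higher score means riskier."""
    score = 0
    reasons = []
    history = DEVICE_HISTORY.get(attempt.device_id)
    if history is None:
        # Brand-new device: no history either way, so a small uncertainty weight.
        score += 10
        reasons.append("unknown device")
    elif history["fraud_accounts"]:
        score += 70
        reasons.append("device linked to %d confirmed-fraud account(s)"
                       % len(history["fraud_accounts"]))
    if attempt.via_proxy:
        score += 30
        reasons.append("anonymizing proxy")
    if attempt.claimed_region != attempt.ip_region:
        score += 30
        reasons.append("claimed %s but IP geolocates to %s"
                       % (attempt.claimed_region, attempt.ip_region))
    return score, reasons


def decide(attempt, deny_at=60, review_at=30):
    """Map the score onto the three outcomes the post describes."""
    score, reasons = risk_score(attempt)
    if score >= deny_at:
        return "deny", reasons
    if score >= review_at:
        return "review", reasons
    return "allow", reasons


def linked_accounts(device_id):
    """Every account opened from a device: the set a fraud team would shut
    down together once one of them is confirmed fraudulent."""
    return set(DEVICE_HISTORY.get(device_id, {}).get("accounts", set()))


if __name__ == "__main__":
    car_ad = ListingAttempt("dev-7f3a", "Irvine, CA", "Accra, GH", via_proxy=True)
    print(decide(car_ad))             # ('deny', [...])
    print(linked_accounts("dev-7f3a"))
```

The thresholds are deliberately simple; a production system would weight the device’s full history and the rest of the session rather than three attributes, but the shape of the decision, score first, then deny or queue for review before anything is published, is the one the post argues for.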

In general, with today’s sophisticated fraud prevention technologies and techniques, scammer accounts could and should easily be stopped at the front door (while attempting to set up a new account) — before ads are placed, before ads are read by the public, and before tens to hundreds of visitors act on the ad by engaging in conversation with a cyber criminal who wants to steal their money.

Imagine the scale of bad accounts that could be shut down instantly. Sophisticated fraud rings could be identified within the business’s network and thousands of fraudulent accounts shut down, making Craigslist and other auction sites a much safer place for the public to look for desired products and services.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scambaiting on Fox News. (Disclosures)

Fraudulent Credit Applications Start with the Device

When Jim Smith opens a credit card account, he doesn’t have to pay the bill. That’s because Jim Smith is committing new account fraud by using Fred Jones’s name and Social Security number.

All Jim Smith needs is some basic information about Fred Jones, much of which is available in the phonebook, in his trash, in discarded files in the bank’s dumpster, or on social media sites. Maybe Fred also happens to work with Jim, and Jim has direct access to Fred’s files.

Once Jim has Fred’s information, all he has to do is go online with the PC in his cozy office, or head down to the local coffee shop and fire up his iPad, or even fill out a credit card application from his mobile phone.

Scenarios like this one happen all day long across the globe. Credit issuers are constantly looking for new tools to identify fraudulent applications faster.

Online credit applicants can fool you with any number of tricks to get approved for credit, leaving you holding the bag for the losses. So instead of only verifying the identity information on a fraudulent application, consider verifying the reputation of the device (or computer) being used to submit the application in the first place. When a fraudster connects to your business, the computer being used can be evaluated in a fraction of a second for its risky intentions.

If you know the device being used belongs to a known fraudster, you don’t have to spend the time, resources, and money running other fraud checks such as verifying identity information. You know the source is suspect and you can block the transaction upfront. Device fingerprinting coupled with the device’s reputation and risk profile helps identify the bad guys in the acquisition channel, so you don’t have to rely on other fraud detection tools that drive up the cost of deciding an application.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. (Disclosures)

67% of Companies Fail Credit Card Security Compliance

All merchants who accept credit cards are now subject to strict Payment Card Industry standards, rules, and regulations, which require a level of security that took about five years to finally implement.
PCI exists to increase credit card security and, among other goals, to stave off government intervention. While significant effort has been made to improve the security of credit card data processing, adequate attention has yet to be given to the identification, authentication, and accountability of cardholders.
For consumers, the primary concern is account takeover. Account takeover occurs when your existing bank or credit card accounts are infiltrated and your money is siphoned out. A hacked account or stolen credit card is often to blame.
InformationWeek reports that according to a new Ponemon Institute survey, “50% of security professionals view PCI as a burden, and 59% don’t think it helps them improve security. Furthermore, comparing this study with the inaugural one conducted in 2009, the number of respondents who said they had sufficient resources to comply with PCI dropped from 40% to 38%. Ponemon also found that the number of organizations that had experienced a data breach in the past two years increased from 79% in 2009 to 85% in 2011.”
Retailers who invest in device fingerprinting and device reputation make it much easier to identify bad guys during purchases, making those stolen credit card numbers far less valuable to thieves. By instantly evaluating a device’s history for criminal activity and assessing the risk of new devices within a fraction of a second, retailers can stop fraudulent transactions before the order is accepted and the product shipped.
Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston.

Scam Artists Sell Over $4 Million in Fake Tickets Every Month

Second-hand ticket retailer viagogo has revealed that scam artists who have been selling fake tickets are collectively reeling in just over $4 million a month, or $49 million a year.

Viagogo found that more than 67,000 fake music festival tickets were sold last year. In 2011, that number could reach 100,000. Most of this scamming occurs during the summer, the most popular season for concerts.

Ticket scams have been occurring for years. When a ticket is nothing but a piece of paper with a barcode that is scanned at the gate, counterfeiting is child’s play. Some events provide wristbands to ticketed attendees, and these wristbands can also be easily faked.

Watermarks and other security features make tickets a bit more difficult to recreate, but these low-tech methods of determining a ticket’s authenticity are often lost on the general public. The victim only realizes the scam when he’s denied entry to an event.

Avoid scalpers, period. Unless you know them personally, just buy tickets at the venue’s window. When purchasing tickets online, stick to legitimate websites. An online search will probably turn up plenty of options, but only buy from familiar, trusted brokers.

Scam artists often take advantage of online ticket companies by buying up blocks of tickets with stolen credit cards, either to counterfeit or simply to overcharge the public.

Fortunately, some ticket brokers have deployed device reputation, which allows them to uncover computers or other devices responsible for fraudulent activity or exhibiting suspicious behavior at the point of sale, and to deny transactions from those devices. This kind of visibility gives ticketing businesses a powerful advantage. More than ever, they can easily identify the scam artists and the devices they are coming from.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses yet another data breach on Good Morning America. (Disclosures)

Auction Fraud is the Third Most Common Internet Complaint

The Internet Crime Complaint Center fielded 303,809 reports of cybercrime in 2010. Of those cybercrime reports, auction fraud was the third most common complaint.

Auction fraud refers to fraudulent transactions on online auctions. Either a product advertised for sale is misrepresented, or purchases are never delivered at all.

The IC3’s annual report explains, “Historically, auction fraud has been the leading complaint reported by victims, with a high of 71.2 percent of all referrals in 2004. However, in 2010, auction fraud represents slightly more than 10 percent of referrals. This demonstrates the growing diversification of crimes related to the Internet.”

In other words, auction fraud is still profitable for scammers, and they’ve also discovered many new techniques for scamming consumers.

IC3 advises consumers against conducting online transactions with anyone who exhibits the following suspicious behavior:

  • The seller creates an online auction as though he resides in the United States, but responds to buyers with an email claiming he’s outside the United States for business reasons or a family emergency. Or, the seller posts the auction under one name, but asks for payment to be transferred to a different name.
  • The seller requests payment via Western Union, MoneyGram, or bank-to-bank wire transfer. This makes the money virtually unrecoverable once the victim discovers the scam. Any transaction involving a money transfer control number (MTCN) may indicate fraud.
  • The seller poses as an authorized dealer or factory representative in a country where there are no such dealers.
  • The buyer asks for a purchase to be shipped to another via a particular method in order to avoid customs or taxes.
  • The buyer uses a credit card for which the billing address does not match the shipping address. Always secure the cardholder’s authorization before shipping any purchased items.

Online classified and auction websites could prevent fraud and protect their users by incorporating device reputation management. One anti-fraud service getting lots of attention for its fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their online properties.
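The IC3 indicators listed above are written for consumers, but several of them are also checkable by the platform itself from the data it already holds about a listing and its payment. The block below is an added example for this page, not IC3’s or any vendor’s code: it screens constructed transaction records for the indicators that can be tested mechanically (seller listed in one country but contacting from another, payee name different from the seller name, payment via Western Union, MoneyGram or wire, an MTCN in the payment reference, and a card billing address that does not match the shipping address). Field names and sample values are constructed.

```python
"""Platform-side screening for the IC3 auction-fraud indicators (added example).

Each record is a constructed listing-plus-payment summary.  red_flags() returns
the indicator codes that fire; a fraud team would hold any flagged order for
review rather than let it ship or let the funds move.
"""

# Payment channels IC3 notes are virtually unrecoverable once the scam is found.
UNRECOVERABLE_METHODS = {"western_union", "moneygram", "wire_transfer"}

# Constructed sample records (hypothetical field names and values).
SAMPLE_TRANSACTIONS = [
    {   # clean: everything consistent, card billing matches shipping
        "id": "t1", "seller_name": "A. Vendor", "payee_name": "A. Vendor",
        "seller_listed_country": "US", "seller_contact_country": "US",
        "payment_method": "credit_card", "payment_reference": "",
        "billing_address": "1 Main St, Austin TX", "shipping_address": "1 Main St, Austin TX",
    },
    {   # seller "in the US" but writing from abroad, paid to a different
        # name over Western Union with an MTCN on the receipt
        "id": "t2", "seller_name": "A. Vendor", "payee_name": "B. Other",
        "seller_listed_country": "US", "seller_contact_country": "NG",
        "payment_method": "western_union", "payment_reference": "MTCN 12345678",
        "billing_address": "", "shipping_address": "",
    },
    {   # card order shipping somewhere other than the cardholder's billing address
        "id": "t3", "seller_name": "C. Shop", "payee_name": "C. Shop",
        "seller_listed_country": "US", "seller_contact_country": "US",
        "payment_method": "credit_card", "payment_reference": "",
        "billing_address": "9 Elm St, Boise ID", "shipping_address": "44 Pier Rd, Miami FL",
    },
]


def red_flags(txn):
    """Return the list of IC3-style indicator codes that apply to one record."""
    flags = []
    if txn["seller_listed_country"] != txn["seller_contact_country"]:
        flags.append("seller_claims_abroad")
    if txn["payee_name"].casefold() != txn["seller_name"].casefold():
        flags.append("payee_name_mismatch")
    if txn["payment_method"] in UNRECOVERABLE_METHODS:
        flags.append("unrecoverable_payment_method")
    if "mtcn" in txn.get("payment_reference", "").casefold():
        flags.append("mtcn_reference")
    if (txn["payment_method"] == "credit_card"
            and txn["billing_address"].strip().casefold()
            != txn["shipping_address"].strip().casefold()):
        flags.append("billing_shipping_mismatch")
    return flags


def screen(transactions):
    """Map each record id to its flags; only flagged records are returned."""
    results = {}
    for txn in transactions:
        flags = red_flags(txn)
        if flags:
            results[txn["id"]] = flags
    return results


if __name__ == "__main__":
    for txn_id, flags in screen(SAMPLE_TRANSACTIONS).items():
        print(txn_id, "-> hold for review:", ", ".join(flags))
```

The billing/shipping check deliberately fires only on card payments, matching the IC3 wording, and the name comparison is case-insensitive so that trivial formatting differences do not hide a genuine mismatch.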

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donny Deutsch. (Disclosures)

Craigslist Scammers Ship Checks Via FedEx

FedEx isn’t responsible for this scam, but their brand unintentionally lends credibility to the scammers, who reference FedEx in their scammy emails, knowing that aligning with FedEx helps their scam proliferate. It’s an insidious ruse that hurts all involved.

FedEx can and should deny suspicious online transactions. Moneygram and Western Union could also make some effort to deter scammers. It’s hard to weed out the bad guys, but there are technologies that help.

What kind of scam am I talking about? A good friend recently called to ask what I know about check scams. He had received a $2,400 check from a major chemical company via FedEx. He had no idea why, but mentioned that he had placed an ad on Craigslist, asking $150 for an item he wished to sell, and that a deaf woman had called him through a translating service and offered to FedEx a check.

I explained that this is advanced fee fraud, or a shipping scam, and that he will undoubtedly receive an email demanding that the difference be paid to shippers.

Maybe the scammer pretended to be deaf, using the translator service as a third party to scramble the caller’s location. Or maybe the buyer really was a deaf woman.

But why send a check for $2,400, and why from a chemical company? Probably because it was the only seemingly legitimate check the scammer had printed up at the time, and it’s a nice score if he sends back the $2,250 difference.

My buddy was flabbergasted to think that anyone would fall for such a scam, and insisted that if someone came to his house to pick up the purchased item and demanded he pay the purchaser $2,250, he’d punch them in the face.

Shortly after getting off the phone with me, he received this email:

“Hello Dean,

How are you doing today?

The check has been delivered via Fedex,Thanks for your honesty towards this transaction so far.Well, the overpayment is meant to cover the cost of shipment for the item alongside my other properties including tax and insurance plus the movers and agent fees.

Please deposit the check today so that it clears tomorrow after the check has cleared,All you have to do is go the bank and have the rest of the money withdrawn in cash and have it sent to the movers via money gram

Here’s the movers information below.

Name : Jason Shambaugh

Address : 2330 Contra Costa Blv

City : Pleasant Hill

state : CA

Post code : 94523

Do let me know your schedule for the week regarding pickup as i have some other properties to be moved alongside the item. Please do act accordingly as agreed after deducting your money for the item, make the rest fund available to the movers via money gram Money Transfer at any of their outlet around you or check on www.moneygram.com{click find us} and check for their outlets around and get back to me with the transfer details below (as it appears on the receipt) so i can contact the movers for the pick-up at your location ….Deduct the money gram money transfer charges from my fund also $50 for yourself (meant for any hassle or run around).

1}Sender’s name and address

2}Reference number {which is the 8 digits number on the Money Gram receipt}

3}Actual amount sent after the fee had been deducted

Hope i can trust you with the overpayment? Your Honesty and transparency will be appreciated”

The email also included the FedEx tracking information, with my friend’s address. Looking up the shipping address on Google maps reveals an office building, which most likely has some vacancies. The scammer probably has some connection to the building, allowing for anonymous shipments.

Craigslist could easily prevent the majority of these scams by using device reputation management. Many Craigslist scammers based in Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, and Malaysia spend their days targeting consumers in the developed world. But real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for auction fraud and expose all of the accounts associated with the suspicious device or group of devices. This gives Craigslist and other websites the opportunity to instantly shut down sophisticated fraud rings and thousands of fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scambaiting on Fox News. (Disclosures)

Sex Offender Checks Won’t Stop Assaults

Match.com has begun screening for users whose names appear on public sex offender registries. As I told the E-Commerce Times, “Doing nothing is a poor option. Also, consider that not every sex offender is tech-savvy, and some will get banned.”

My first passion has always been personal security as it relates to violence prevention. I got into this business 20 years ago as a result of violence in my own life, and began to write, speak and train in self-defense. Things are no different today, except that there are now many more ways for bad guys to ensnare their victims.

Studies show online dating and matchmaking services are growing, even in a recession. More single men and women are signing up and attending speed-dating sessions than ever before. There are a couple of reasons for the increase in online dating’s popularity. First, it is cheaper to join a service than to spend money on countless bad blind dates. Second, in turbulent times, people want the comfort of a romantic partner. Having a companion to share in the fear, uncertainty, and doubt can help people vent and find relief.

Protect yourself from online dating scams and risks.

1. Educate yourself about self-defense techniques and personal security. Watch instructional videos or take a course. The single most effective self-defense offering on the planet is a program called “Impact Model Mugging,” which you can find nearby with an online search. Taking this course is worthwhile, even if you have to drive 500 miles, and bring your children. In this case, knowledge certainly is power.

2. You’ve probably heard this advice before but it merits repeating. Drive yourself to meet your date in a public, populated location, and continue to do this for the first several dates. Get to know the energy of your potential mate, learn what makes them tick, before offering your trust. Be alert for unhealthy behaviors. If they are easily irritated or make offensive jokes, move on.

3. Do not drink alcohol when meeting someone from the Internet, even with a meal. Alcohol lowers inhibitions and leads us to accept inappropriate behavior. Don’t accept drinks from anyone unless you see the drink being poured and it goes straight to your hands. Slipping drugs in drinks happens every day.

4. Be direct about splitting the bill for dinner. While this may seem extreme to some, studies show that a large percentage of men still feel that after buying a woman dinner, she “owes” him sex.

5. Get information about your date. Ask all the questions: name, address, previous address, home phone number, cell phone, place of birth, birth date, workplace, license plate, and if you can squeeze it out of them, I kid you not, get their Social Security number.

6. Do your own sex offender checks. Do background checks, and use Google and Facebook. Vet your potential mate thoroughly, since determining who you might marry is about as important as any life decision can be.

Online dating services must also take on a certain level of responsibility for members’ personal security. One option is to take advantage of new technologies such as device reputation management, which identifies user devices and analyzes their history, allowing websites to ban users whose device history indicates that they pose a threat to other users.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Story. (Disclosures)