Organized Crime Drives Increasing Auto Insurance Costs

All over the world, insurance fraud equates to a multi-billion dollar issue. The Guardian reports that in the United Kingdom, “insurance fraud [has] been on the rise since the recession began. Figures to be published by the Association of British Insurers (ABI) are expected to show that these are still on the rise. As it is, the ABI puts the total cost to the industry of undetected general insurance claims fraud at £2bn per year. This adds around £40 a year to the insurance premiums paid by all policyholders.”

Much of this increase is said to be due to the involvement of organized criminals. The most common fraud technique is known as a “crash for cash” scam, in which criminals slam on their brakes in order to cause an accident with the car behind them, leaving the victim’s insurance on the hook for the cost of damages.

One way of minimizing fraud is to stop organized criminals from transacting with a business over the Internet. Online insurance, retail, gaming, and even dating sites can weed out risky accounts based on devices’ reputations using iovation’s device identification service. When PCs, Macs, tablets, or smartphones collude, a pattern can be detected and fraud can be prevented.

By utilizing iovation’s fraud detection service, insurance companies can not only recognize high-risk devices responsible for creating fraudulent online policies, but also avoid paying for frequent “crash for cash” scams and help to reduce the rise in premiums for honest policyholders.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Beware of Ghost Brokers

The insurance industry is thoroughly regulated, with numerous checks and balances. In the United Kingdom, however, scammers are able to pose as insurance brokers—or “Ghost Brokers”—offering significantly cheaper insurance than legitimate insurance firms.

The Telegraph reports, “The multi-million pound scam is operated by fraudsters who target drivers who are economising and looking for cheaper motor insurance deals. These motorists are likely to be vulnerable pensioners, young drivers struggling with soaring premiums and those living within communities where English is a second language.”

The scary part of this scam is that when unsuspecting victims purchase policies, they get certificates of insurance that are essentially worthless. In the event of an accident, they will not be covered.

In some cases, the ghosts will contact legitimate insurance brokers and broker deals for insurance policies that they then pay for using stolen credit cards. The victim gets a real certificate of insurance, but it’s been paid for with stolen money. When the fraud is discovered, the policy is cancelled.

These rogue brokers engage in guerilla marketing campaigns involving windshield flyers, classified ads, and professional-looking websites.

Major insurance companies would fare better if they could identify ghost brokers and stop them in their tracks. One anti-fraud service that’s been garnering attention for delivering fast and effective results is iovation’s ReputationManager 360. This SaaS-based fraud prevention solution incorporates device identification, device reputation, and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and abuse in real time by analyzing the computers, smartphones, and tablets being used to connect to websites. iovation’s service can recognize devices that have been involved in scams and help insurance companies stop fraudsters upfront.

5 Insidious Forms of Auto Insurance Fraud

Insurance is intended to have your back in the event that something goes wrong, but some individuals have found loopholes in the system, effectively turning insurance companies into their own personal banks. These scammers have long been known to stage “slip and falls,” claim “whiplash,” and run elaborate scams that can take years to uncover and cost insurance companies millions.

Auto insurance scams are some of the most prevalent in the insurance industry, as fraudsters can easily obtain policies and take advantage of the “he said, she said” nature of auto accidents.

Here are five major scams plaguing the industry:

1. Ghost brokers: Even in such a heavily regulated industry, scammers are able to pose as legitimate insurance agents, offering steep discounts on consumer policies that are, in fact, worthless.

2. Crash for cash: These are typically rear-end accidents in which the victims unintentionally crash into the scammers. “Crash for cash” scams often occur at roundabouts or rotaries, intersections, and highway on-ramps. See the UK’s top crash for cash hotspots.

3. Soft tissue scams: Scammers may collude with physical therapists, chiropractors, and doctors to fake back pain, neck pain, and other hard-to-prove injuries that can’t be detected on an X-ray.

4. Staging scams: Generally, in this type of scam two or more cars are involved in a preplanned “accident.” The participants have agreed ahead of time to split the proceeds from repairs and injuries.

5. Phantom victims: After either a staged or legitimate accident, people who were not present at the incident are included in the claim.

In most cases, scammers file their fraudulent insurance claims online. The criminals who perpetrate these sorts of online scams tend to repeat their trick over and over, generating a pattern that can easily be detected by iovation’s device reputation service. This service spots online evildoers by examining the computers, smartphones, and tablets being used to connect to a website. If a device is recognized as having previously committed financial crimes, or is a new device but exhibiting high-risk behavior, the website has the opportunity to reject the transaction, preventing losses to the business before they occur.

How Device Reputation Can Help Prevent Fraud in the Insurance Industry

Insurance companies, like banks and retailers, are forced to deal with a wide spectrum of fraud, which costs the industry and its customers billions of dollars each year. According to the Insurance Fraud Bureau, “Undetected general insurance claims fraud total £1.9billion a year adding on average £44 to the annual costs individual policyholders face, on average, each year.”

Savvy criminals who perpetrate insurance fraud have learned to mask their true identities when setting up policies online, regularly changing account information to circumvent conventional methods of fraud detection. Now, more than ever, insurance companies need to be wary of these schemes from the onset and deploy effective solutions to analyze information beyond that supplied by users.

By initiating the application process with a device reputation check provided by iovation Inc., insurance companies can stop fraud before it happens and avoid further checks and fees when a device is known to be associated with identity theft and other frauds.

The insurance industry has an opportunity to work in tandem with merchants, banks, and others to share data that helps pinpoint the devices responsible for fraudulent activity. Shared device reputation intelligence makes this possible for the first time.

The insurance industry can utilize the established reputations of over 800 million devices in iovation’s device reputation knowledge base. While a computer applying for insurance may be new to a particular site, it is rarely new to iovation’s global client base. By assessing risk based on the device in real time, an insurance company can better determine whether a particular device is trustworthy before a transaction has been approved or an account has been opened.

5 FFIEC Compliance Tips For Banks

Experian’s Chris Ryan addressed five major questions about compliance with the FFIEC’s recent guidance on banking authentication. What follows are his responses, summarized:

  • What does “layered security” actually mean?

“‘Layered security’ refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.”

  • What does “multi-factor” authentication actually mean?

“A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.”

  • Who does this guidance affect? And does it affect each type of credit grantor/lender differently?

“The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment.”

  • What will the regulation do to help mitigate fraud risk in the near-term and long-term?

“The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.”

  • How are organizations responding? 

“Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, ‘layered’ approach that the guidance is seeking.”

To learn more, watch Experian and iovation’s webinar, titled Ensuring Optimal Efficacy and Balance with Out-of-Wallet Questions and Device Identification, dedicated to discussing the recent FFIEC guidance and taking a defense-in-depth approach to fraud prevention.

Banking Security Guidelines Go Into Effect in January 2012

As banking applications evolve, common attacks on banks are becoming correspondingly more sophisticated. Small businesses, municipalities, and moneyed individuals are often targeted for obvious reasons: they have hundreds of thousands of dollars, if not a few million, in the bank, but their security is often no more effective than that of an average American household.

The Federal Financial Institutions Examination Council’s (FFIEC) updated security guidelines go into effect in less than a month. It is imperative that financial institutions recognize that the security precautions currently in place are ineffective in the face of new, more sophisticated attacks. Criminals have gotten around the minor hurdles posed by the tools being used to authenticate clients and prevent unauthorized transactions.

Basic multifactor authentication may be relatively effective for bank accounts that generally contain only enough to pay a month’s worth of bills. But high value accounts are more prone to attacks, and require additional levels of security. Ultimately, what is most important is that a security program includes multiple layers of protection rather than relying on a single mechanism of defense.

Using advanced device identification is also essential. The FFIEC suggests complex device identification, which is more advanced than previous techniques, and the leader in this space is iovation Inc. They take complex device identification much further by delivering to financial institutions the reputation of the device as it accesses their site to apply for credit, create an account, transfer money, and more.

This proven strategy not only utilizes advanced methods to identify the devices being used to connect to a bank, it also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect financial institutions from cybercrime.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Supermarket Skimming Scam Highlights Retailer Risk

A California supermarket chain recently sent letters informing customers that a security breach had been discovered at 20 of their stores. The breach notification letter released by Lucky Supermarkets reads, in part:

“Dear Lucky Customer:

In the course of regular store maintenance, we discovered our credit/debit card readers at the self-check lanes ONLY in 20 stores (listed below) had been tampered with. Steps were taken immediately to remove the tampered card readers in the affected stores, as well as enhance security to every credit/debit card reader in all 234 stores in our company. We are not aware nor have we been notified of any reports that customer accounts were compromised.”

The “tampering” referenced in this letter has been described as skimming, which occurs when a separate piece of hardware is affixed to an ATM or point-of-sale terminal. The hardware is designed to blend in with the face of the machine and record card data whenever a card is swiped. Criminals either remove the skimming device later or retrieve data remotely via wireless Bluetooth or mobile SMS.

In this particular case, however, it isn’t clear exactly what happened. What is known is that the POS terminals were compromised. When point-of-sale terminals have been compromised in the past, this has usually meant that criminals actually entered the store, physically removed an entire machine, and replaced it with one that resembled the original, but had been tweaked to capture and transmit customer data.

Consumers cannot protect themselves from this crime. All they can do is check their bank statements frequently and dispute any unauthorized charges or withdrawals. On the other hand, online retailers who are subject to having stolen credit cards used on their sites can, in many cases, prevent fraudulent transactions upfront by checking the reputation of the device used during the transaction. Computers, tablets, and smartphones are assessed for fraud, high-risk, and suspicious activity in real time, that is, while the device is interacting with the retailer’s website. By checking against iovation Inc.’s global shared database of more than 800 million unique devices and their associations, online retailers can protect themselves against chargeback losses, shipping fraud, account takeovers, and identity theft attempts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses POS skimming on CBS. Disclosures

Firm Documents Increase In Holiday Cyber Fraud

iovation is the leader in device reputation technology. They work to prevent all types of fraud and abuse on the Internet, including account takeover, which occurs when your existing bank or credit card accounts are infiltrated and money is siphoned out. iovation also helps prevent new account fraud, which refers to financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

During this year’s record-breaking Black Friday and Cyber Monday, iovation documented a significant rise in fraudulent transactions, which included account takeover attempts.

Their comparison of the two hottest shopping days of this year vs. last year found:

  • 400% increase in the rate of fraudulent transactions on Black Friday (up from 1% to 4%)
  • 25% increase in the rate of fraudulent transactions on Cyber Monday (up from 3% to 4%)
  • 15% greater transaction volume on Cyber Monday compared to Black Friday
  • 4% mobile fraud rate on both Black Friday and Cyber Monday.

These statistics are compounded by the dramatic and impressive consumer spending numbers for these dates. Consumers must understand that their credit card numbers are fueling the rise in cyber fraud. Throughout the holiday season and beyond, it is imperative that cardholders check their statements carefully, matching them up against receipts to confirm that each charge was authorized.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Holiday Shopping Security on Fox News. Disclosures

Feast of the 7 Phishes 2011

Every year at the Siciliano household, we have a holiday tradition based on the Italian Feast of the Seven Fishes, which is, as you probably guessed, a meal consisting entirely of fish. There’s lobster, mussels, clams, scallops, shrimp, smelt, and cod, all either fried or cooked in red sauce, spicy sauce, or white sauce. This year we’re dedicating our feast to “Miles for Miracles,” a fundraiser for Children’s Hospital Boston. I’ll be running the Boston Marathon this coming April in support of the cause.

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to demonstrate the nature of the scam and specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website in fact leads to a virus.

“From: LinkedIn linkedXXX@em.linkedin.com

Temporary FDIC insurance coverage news. To obtain more information about temporary FDIC insurance coverage of transaction accounts, please refer to http://www.xxxxxx. Yours faithfully, Federal Deposit Insurance Corporation.”

2. In this phish, the sender claims to be Canadian, but the email suffix “.cn” is Chinese, and the scammer grammar is clearly East African in nature.

“From: Mrs.Martha Chery tesXXX@k.cn

Dear Beloved,

I am Mrs.Martha Chery from Canada,I am 58 years old,i am suffering from a long time cancer of my brain,from all indication my conditions is really deteriorating and it is quite obvious that i may not live for the next two months.”

3. Wow, my “email address has won.” Lucky me?

“From: payofficeXXX@aim.com

WINNING NUMBER: OL/656/020/018

OUR DEAR WINNER, THIS IS TO NOTIFY YOU THAT YOUR EMAIL ADDRESS HAS WON ONLINE LOTTO AND GAMING CORPORATION SUM OF (ONE MILLION EURO).”

4. This scammer responded to a Craigslist ad I had posted. Apparently I “sounded gorgeous in the ad.” I probably did!

“From: Justina Serini justinaXXX@hotmail.com

Hi Robert, I found your posting and wanted to ask you something essential. I am in a relationship and caught my partner cheating on me so I decided to get even! My co-worker said Craigslist list would be the best place to find someone nearby who I can be with for one time only so thought the hell, I would email someone I thought sounded gorgeous in the ad and came across yours!”

5. In this phish, I’m being scammed in Hebrew!

“החינמון!!! info@free2XXX.co.il

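יכול לחסוך לעצמו עשרות או מאות אלפי שקלים – ובקלות! גם אם לקחתם משכנתה והשגתם את התנאים הטובים ביותר,” [English translation: “can save himself tens or hundreds of thousands of shekels, and easily! Even if you took out a mortgage and got the best terms,”]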

6. Oh, wow, the United Nations is contacting me directly. How exciting!

“From: UNITED NATIONS bankimoonXXX@yahoo.com

Attn: Beneficiary, This is to inform you that the International Community has received series Complaints from Beneficiaries who are yet to receive their outstanding Contract/Inheritance Funds.”

7. Download this report, and you’re as doomed as a boiled lobster.

“From: Jerry Bush benoit.metzger@XXXueamachine.com

This report applies to the ACH transfer (ID: 963623905410) that was recently sent from your banking account. The current status of the referred transfer is: failed due to the technical error. Please find the detailed information in the report below.”

Hey, that reminds me, I have fish to fry!

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses phishing on Fox Business. Disclosures

Marketers (and Criminals) Buzz About Mobile Tuesday

Fresh off the most successful Cyber Monday, which turned into a Cyber Week or even a Cyber Month, spanning from mid-November into December, marketers and advertisers are now positioning themselves for a 2012 Mobile Tuesday.

Forbes reports, “Consumers are going mobile in large numbers, and the 2011 holiday season proved it. IBM Coremetrics recently reported that consumers increased shopping on smartphones and tablets on Black Friday. Purchases made on mobile devices accounted for 9.8% of online sales, which is up 3.2% from last year. GSI announced a 254% increase in US mobile sales on Black Friday. PayPal Mobile announced a 516% increase in global mobile payment volume over last year, and eBay Mobile reported US purchases were nearly two and a half times what they were last year.”

Criminals are paying attention.

The National Cyber Security Alliance and McAfee released a study showing that in the last six months, 50% of Americans have used smartphones to research potential purchases, 27% have used them to shop, 12% have used them to shop at auction websites, specifically, and 18% have used their phones to make online payments.

To stay safe while mobile shopping this holiday season:

1. Keep mobile security software current. The latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.

2. Automate software updates. Many software programs can update automatically to defend against known risks. If this is an available option, be sure to turn it on.

Retailers should be aware that criminals aren’t just using desktops to commit fraud, but are also making purchases with stolen credit card information via mobiles and tablets. They should adopt security technology that actually recognizes and analyzes the PCs, smartphones, and tablets being used to access their websites. Once a device has been identified, its reputation can be assessed in real time to determine the risk of fraud. Is the device exhibiting suspicious behavior, or is it already known to have been used for fraud, money laundering, or account takeovers?

Examining a device’s reputation allows businesses to know which online transactions are trustworthy beforehand, rather than waiting until fraud has already occurred.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Mobile Security on Cyber Monday on Fox Washington. Disclosures