Bought a Car Recently? Watch Your Identity Information

Over the past 15 years, we have watched hackers’ evolution from “phreaking” phone systems, to hacking government agencies like NASA, and eventually creating viruses that take down networks. In the beginning, their primary motivations were fun, fame, and amusement. Over the past ten years, the game changed dramatically, from fun and fame to financial gain. Hackers targeted government agencies, then colleges, banks, retailers, credit card processors, hotels, and eventually, major multinational corporations.

Who are they hacking now? Well, everyone. And as journalist Brian Krebs has pointed out on his blog, Krebs On Security, they are targeting auto dealerships in a big way. Why? Because auto dealerships’ records include lots of Social Security numbers, which identity thieves can use to apply for credit cards in their victims’ names.

Krebs states, “Recent hacker break-ins at a half-dozen car dealerships nationwide are a reminder of just how easily one’s personal and financial information can be jeopardized by poor security at any of tens of thousands of organizations that have access to that data.”

This results in “new account fraud.” This is a form of financial identity theft in which victims’ personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are frequently used to commit new account fraud.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is a necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. And when you are actively seeking credit, as Experian points out, “You should plan ahead and lift a freeze, either completely if you are shopping around, or specifically for a certain creditor, a few days before actually applying for new credit.”

Device reputation leader iovation Inc. helps credit issuers spot new account fraud through the device intelligence it provides in real time. iovation alerts issuers to computers or mobile devices that are applying for multiple credit accounts with different identity information, or that are masking their location while applying for credit, along with other highly suspicious behavior. The credit issuer sets up its own unique business rules; iovation runs those rules while the applicant is on the site and returns an Allow, Deny or Review response for the transaction, along with the reasons why.

By identifying new account fraud in real time, credit issuers can save millions of dollars per year in fraud losses. In one case, a Fortune 100 credit issuer using iovation identified 43,000 fraudulent credit applications, saving it $8 million in fraud losses over two years.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

Javelin Study Shows Increased Credit Card Fraud Risk

Consumers, businesses, retailers, and even the media are becoming numb to news about data breaches. Not a week goes by when we don’t hear of another major breach affecting thousands or even millions of customer accounts.

Criminal hackers are getting smarter and savvier all the time, and they often have better technology than the banks and retailers tasked with protecting your data.

Time reported on a recent Javelin Strategy and Research survey in which Javelin analyzed 23 of the biggest credit card issuers’ online security practices. When companies were graded on a 100-point scale, the average result was just 59. Javelin head of security and risk analyst Phil Blank, who authored the study, explained, “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do. Prevention is the hardest to do but it’s got the biggest payback.”

The report also found that for a full year after your bank account information has been hacked, there is a strong chance that you will be a victim of credit card fraud. So even though you may be getting a little hardened to data breach warnings, you still need to watch your credit card statements closely. As long as you dispute unauthorized credit card charges within 60 days, federal laws limit liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

One of the FFIEC’s recommendations for financial institutions involves using complex device identification. iovation, an Oregon-based security firm, offers an advanced device identification service that incorporates real-time risk assessments, the history of fraud on linked devices (such as chargebacks, identity theft and credit application fraud) and exposes fraudsters working together to steal from online businesses.

“Complex device identification” involves the creation of a digital fingerprint based on several characteristics of the device including hardware and software configuration, Internet protocol addresses, and geolocation. Unfortunately, complex device ID by itself only increases the strength of identification; it does little to increase the efficacy of an overall anti-fraud strategy.

“Device reputation” offers all of the security measures that complex device ID does, but it also strategically incorporates velocity, anomalies, proxy busting, webs of associations (linking devices and accounts), and fraud and abuse histories. Device reputation moves from a micro to a macro view of transactions, taking into account how particular devices behave or have behaved beyond their activities with a single financial institution, their usage by the current user or other users, and/or their relationships to other devices. This chart explains what is involved with each:

Leading financial institutions aren’t merely complying with the FFIEC’s security recommendations, but are going beyond them by incorporating device reputation and other authentication and anti-fraud tools into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Regulation E Protects Consumers, Not Businesses

Consumers enjoy a certain level of protection that business bank accounts do not, and it’s called “Regulation E.”

Here is Regulation E in black and white:

ELECTRONIC FUND TRANSFERS (REGULATION E)

Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

1. Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

2. Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.”

Businesses do not get this kind of protection. So when business accounts are compromised, they often have to fight for their money. And today, more than ever, they are losing. But banks are losing, too. The only winners here are the criminal hacking enterprises.

In order to meet the Federal Financial Institutions Examination Council’s compliance guidelines by January of 2012, banks must implement multiple layers of security. The recent FFIEC guidance specifically called out complex device identification and a move to out-of-wallet questions.

Financial institutions and their clients aren’t only losing millions to fraud; they are losing millions more fighting each other. It makes more sense for banks to beef up security (all while properly managing friction for legitimate customers) than to battle with their customers.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep cyber criminals out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions such as credit issuers and banks, to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Fox News. Disclosures

The Evolution Of Online Fraud Prevention

Around 1994, when I operated a small mail order catalog business, it was very difficult to obtain “merchant status,” or approval to accept Visa, MasterCard, Discover, and American Express cards. It was easier if you had a storefront, but payment processors made mail order businesses jump through more hoops.

Their main concern was that companies could set up shop, accept tons of credit card charges, and then vanish, leaving the banks short. Mail order fraud was also big. A stolen credit card could be used to place orders over the phone, and when the fraudulent charges were discovered, merchants would suffer from chargebacks.

At the time, it wasn’t even necessary to provide a correct expiration date, as long as the card wasn’t already expired. Then credit card companies began verifying billing addresses to authenticate mail orders. Eventually, an additional verification code was added to cards, referred to as a CVC or CVV. We still use these codes today, but they can be fraudulently obtained in a number of ways.

When merchants moved from catalogs to websites, IP addresses were used to track transactions. But bad guys figured out how to spoof them.

Now we have a number of new technologies designed to fight credit card fraud. The most effective and widely implemented is device reputation, an online fraud prevention method that helps protect retailers from fraudulent card-not-present (CNP) transactions by examining the computer or other device for a history of unwanted behavior, plus any suspicious activity at the time of the transaction.

If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, flagged 35 million online transactions as high-risk in the last year for its clients and will flag 50 million or more by the end of 2011.

Protect yourself from credit card fraud by checking your statements regularly. Set up your own email alerts so that, at a minimum, you are notified whenever a transaction over an amount you specify occurs on your account. Businesses set up triggers and alerts to protect themselves; shouldn’t you?

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

It Takes Sharing and Organization to Fight Organized Crime

The amount of money made and lost due to fraud is surpassing the illegal drug trade. A digital arms race has law enforcement officials nipping at the criminals’ heels. Retailers and banks continue to fight criminal hackers, but are being bombarded by advanced, persistent threats that eventually make their way into the network.

There are data breaches every week, and I’d bet every day, but we may not hear about the majority. All of these breaches have a method, signature, or feature in common, which retailers and banks can learn from.

Criminals are organizing like never before. They are learning from each other, sharing information and strategies. When one publicizes an exploit, other criminals execute it, leading law enforcement off in a new direction. It’s like a vicious game of whack-a-mole.

Today, governments around the world are organizing to fight fraud. But what’s even more exciting is that competing banks, retailers, and small businesses are all sharing fraud information to help each other out. These fraud targets are finding strength in numbers.

Oregon-based iovation Inc. has created an exclusive network of global brands across numerous industries, with thousands of fraud professionals reporting more than 10,000 fraud and abuse attempts each day. iovation’s shared database contains more than 700 million unique devices including PCs, laptops, iPhones, iPads, Android, Blackberries—practically every Internet-enabled device that exists.

Many leading banks and big brand retailers use this device reputation service to detect fraud early, not only by customizing their own real-time rules to set off triggers, but also by leveraging the experiences of other fraud analysts to learn whether the device touching them at this moment has been involved in chargebacks, identity theft, bust-outs, loan defaults, or any other kind of online abuse you could imagine.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Trust: A Rare Commodity Online

People lie when they set up online dating profiles, they lie when they put up fake social media profiles, and they lie to the innocent victims of their scams.

Banks and retailers know better than anyone that people lie. There are countless scenarios and justifications, but people who lie invariably do it in order to get something.

In general, we strive to be a kind and civil species. We trust by default. We want to be helpful and accommodating. We don’t want to believe that people lie, but they do.

Dishonesty poses a challenge to banks and retailers in the form of theft. Theft is a big problem on the Internet, and any online business knows that they can’t afford to trust you, regardless of how honest you may be.

The Federal Financial Institutions Examination Council recently instructed both retailers and banks to enhance their security procedures, in response to the increasingly creative lies concocted by scammers.

One of those FFIEC recommendations involves incorporating complex device identification. This means that banks and retailers should adopt technology that actually recognizes and analyzes the PCs, smartphones, and tablets being used to access their websites. Once the device is identified, knowing the device’s reputation is where it really gets interesting. Is it acting suspiciously, or is it a known device that has been used in a fraud ring or in money laundering, or that has been attempting account takeovers? Knowing the device’s reputation lets businesses know ahead of time who they can trust online.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures


Social Web Loaded With Profile Misrepresentation

“Social fakes” are invented profiles on social media (often referred to as profile misrepresentation), which can be used to harass or mock victims anonymously. But the more lucrative fake profile is one that imitates a legitimate business, damaging that business’s online reputation.

The imposters’ ultimate goal? Spam leading to scams.

Social-web security provider Impermium published the results of their recent analysis of the cost of social spam. “Online ID signup fraud” is an emerging trend, with fraudulent accounts ranging from a low of 5% to 40% of users. “Scammers are registering accounts by the millions as they perpetrate fake “friend requests,” deceptive tweets, and the like, while the black market for bulk social networking accounts is growing exponentially.”

They also warned about social web abuse, describing current “sleeper cells” as “a ticking time bomb.” Last month, more than 30,000 fraudulent accounts coordinated an attack, in which attackers submitted more than 475,000 malicious wall posts in one hour. According to Impermium, “Even accounts you’ve had for years could be lying in wait for just the right moment.”

Multiple issues stem from fake accounts, such as brand damage for both the website and its users, scams being perpetrated on existing or potential customers, and for social networking websites, an inflated, incorrect summation of active subscribers—to name a few.

Social media sites can use iovation’s device reputation service to help identify fraudsters at account setup. When a device (or related group of devices) signs up for more than your allotted number of accounts, you can receive alerts on this behavior. When multiple countries are logging into the same accounts within a specified timeframe, you can set alerts on this activity. When users are constantly changing their device attributes between multiple online registrations (to look like new, legitimate consumers), you can know this immediately—and automatically deny the new accounts outright or send them to your fraud review queue. If 1,000 accounts were just set up from the same machine, one after another, wouldn’t you want to know that while it’s happening so you can do something before the scams start?
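The rule-based checks described in this post (signup velocity per device, logins to one account from multiple countries within a timeframe, device attributes that keep changing between registrations) and in the earlier posts (webs of associations linking devices and accounts, fraud histories, and the Allow/Deny/Review response with reasons) can be illustrated with a small rule engine. The following is an added Python example, not iovation’s code and not their API; the thresholds, device ids, accounts, countries and the reported-fraud list are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One hit on an integration point (signup or login). Constructed for the example."""
    ts: datetime
    kind: str        # "signup" or "login"
    device_id: str   # hypothetical stable device fingerprint id
    account: str
    country: str
    attrs: tuple     # hypothetical fingerprint attributes, e.g. (os, browser, screen)


# Hypothetical shared evidence: devices with confirmed fraud reports (constructed).
REPORTED_FRAUD_DEVICES = {"dev-bad-1"}

# Thresholds are constructed for the example; a real deployment tunes these per rule.
MAX_SIGNUPS_PER_DEVICE = 3
SIGNUP_WINDOW = timedelta(hours=1)
LOGIN_WINDOW = timedelta(hours=6)
MAX_ATTR_VARIANTS = 2


@dataclass
class ReputationStore:
    """In-memory history standing in for a shared device-reputation database."""
    signups_by_device: dict = field(default_factory=lambda: defaultdict(list))  # device -> [ts]
    logins_by_account: dict = field(default_factory=lambda: defaultdict(list))  # account -> [(ts, country)]
    attrs_by_device: dict = field(default_factory=lambda: defaultdict(set))     # device -> {attrs}
    accounts_by_device: dict = field(default_factory=lambda: defaultdict(set))  # device -> {account}
    devices_by_account: dict = field(default_factory=lambda: defaultdict(set))  # account -> {device}

    def linked_devices(self, device_id, account):
        """One hop of the association web: other devices that share any account
        with device_id, including the account touched by the current event."""
        linked = set()
        for acct in self.accounts_by_device[device_id] | {account}:
            linked |= self.devices_by_account[acct]
        linked.discard(device_id)
        return linked

    def record(self, ev):
        if ev.kind == "signup":
            self.signups_by_device[ev.device_id].append(ev.ts)
            self.attrs_by_device[ev.device_id].add(ev.attrs)
        else:
            self.logins_by_account[ev.account].append((ev.ts, ev.country))
        self.accounts_by_device[ev.device_id].add(ev.account)
        self.devices_by_account[ev.account].add(ev.device_id)


def evaluate(store, ev):
    """Judge one event against prior history, then record it.
    Returns (decision, reasons) where decision is Allow, Deny or Review."""
    reasons, deny, review = [], False, False

    # Fact-based evidence: the device itself has confirmed fraud reports.
    if ev.device_id in REPORTED_FRAUD_DEVICES:
        reasons.append("device has confirmed fraud reports")
        deny = True

    # Web of associations: a device linked through a shared account is reported.
    bad_links = store.linked_devices(ev.device_id, ev.account) & REPORTED_FRAUD_DEVICES
    if bad_links:
        reasons.append(f"linked to reported device(s): {sorted(bad_links)}")
        review = True

    if ev.kind == "signup":
        # Velocity: too many registrations from one device inside the window.
        recent = [t for t in store.signups_by_device[ev.device_id] if ev.ts - t <= SIGNUP_WINDOW]
        if len(recent) + 1 > MAX_SIGNUPS_PER_DEVICE:
            reasons.append(f"{len(recent) + 1} signups from one device within {SIGNUP_WINDOW}")
            deny = True
        # Anomaly: the same device keeps presenting different attributes at registration.
        if len(store.attrs_by_device[ev.device_id] | {ev.attrs}) > MAX_ATTR_VARIANTS:
            reasons.append("device attributes keep changing between registrations")
            review = True
    else:
        # Geolocation anomaly: one account logged into from several countries in the window.
        countries = {c for t, c in store.logins_by_account[ev.account] if ev.ts - t <= LOGIN_WINDOW}
        countries.add(ev.country)
        if len(countries) > 1:
            reasons.append(f"logins from multiple countries within {LOGIN_WINDOW}: {sorted(countries)}")
            review = True

    store.record(ev)
    decision = "Deny" if deny else ("Review" if review else "Allow")
    return decision, reasons


def run_sample():
    """Replay a constructed event stream; returns [(account, decision, reasons), ...]."""
    t0 = datetime(2011, 6, 1, 9, 0, 0)
    fp1, fp2, fp3 = ("win7", "ff4", "1280x800"), ("winxp", "ie8", "1024x768"), ("osx", "safari5", "1440x900")
    events = [
        Event(t0, "signup", "dev-A", "alice", "US", fp1),
        Event(t0 + timedelta(minutes=5), "signup", "dev-A", "bob", "US", fp2),
        Event(t0 + timedelta(minutes=10), "signup", "dev-A", "carol", "US", fp3),
        Event(t0 + timedelta(minutes=15), "signup", "dev-A", "dave", "US", fp1),
        Event(t0 + timedelta(hours=1), "login", "dev-bad-1", "eve", "US", fp1),
        Event(t0 + timedelta(hours=2), "login", "dev-B", "eve", "US", fp1),
        Event(t0 + timedelta(hours=2), "login", "dev-C", "frank", "US", fp1),
        Event(t0 + timedelta(hours=3), "login", "dev-D", "frank", "NG", fp2),
        Event(t0 + timedelta(hours=20), "login", "dev-E", "grace", "US", fp3),
    ]
    store = ReputationStore()
    return [(ev.account, *evaluate(store, ev)) for ev in events]


if __name__ == "__main__":
    for account, decision, reasons in run_sample():
        print(f"{account:6} {decision:6} {'; '.join(reasons)}")
```

Each event is judged before it is recorded, so the decision reflects only what the shared history already knew; the reasons list is what a fraud analyst would see in the review queue, and a confirmed case can be fed back by adding the device to the reported set so that devices linked to it through shared accounts are pulled into review as well.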

Rather than relying on information provided by the user, which may not be honest or accurate, device reputation technology goes deeper, identifying the computer being used to register an account. This exposes negative behaviors right away, allowing a website operator to deny access to threatening accounts before your business reputation is damaged and your users are abused.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses hackers hacking social media on Fox Boston. Disclosures

Study Shows Banks Blocking More Fraud

Network World reports, “The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled 77 financial institutions and asked how many account takeovers occurred in 2009 and during the first six months of 2010. The FS-ISAC consists of a group of banks that shares threat information and interacts with the federal government on critical infrastructure issues. Its members include Citi, Prudential, Bank of America, JPMorgan Chase, Goldman Sachs and Wells Fargo, among others.”

Account takeover occurs when thieves infiltrate your existing bank or credit card account and siphon out your money. This typically occurs after your account has been hacked or your credit card or personal identity has been stolen.

Twenty-one of the institutions polled reported a total of 108 commercial account takeovers during the first six months of 2010, compared to 86 for the full year of 2009.

In 2010, 36% of fraud attempts were successfully thwarted, whereas in 2009, fraud was prevented only 20% of the time.

I have previously referenced a report from Javelin Strategy: “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

Unfortunately, FS-ISAC’s study failed to disclose what methods were used to thwart the account takeovers. Many financial institutions are protecting their users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses online banking security on CBS Boston. Disclosures


Online Auto Sales Often Involve Scary Scams

Online auction and classifieds websites are unwittingly participating in car sale scams. Ads gain credibility by appearing on eBay, Craigslist, and other online automobile sales websites, but some are either completely phony or have been copied and pasted from other websites.

The FBI’s Internet Crime Complaint Center received nearly 14,000 complaints from 2008 through 2010, from consumers who have been victimized, or at least targeted, by these auto sale scams. Of the victims who lost money, the total dollar amount is staggering: nearly $44.5 million.

The FBI explains how the scam works:

“Consumers find a vehicle they like—often at a below-market price—on a legitimate website. The buyer contacts the seller, usually through an e-mail address in the ad, to indicate their interest. The seller responds via e-mail, often with a hard-luck story about why they want to sell the vehicle and at such a good price.

In the e-mail, the seller asks the buyer to move the transaction to the website of another online company….for security reasons….and then offers a buyer protection plan in the name of a major Internet company (e.g., eBay). Through the new website, the buyer receives an invoice and is instructed to wire the funds for the vehicle to an account somewhere. In a new twist, sometimes the criminals pose as company representatives in a live chat to answer questions from buyers.

Once the funds are wired, the buyer may be asked by the seller to fax a receipt to show that the transaction has taken place. And then the seller and buyer agree upon a time for the delivery of the vehicle.”

Consumers should watch out for the following red flags:

  • Cars are advertised at too-good-to-be true prices
  • Sellers want to move transactions from the original website to another site
  • Sellers claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s website
  • Sellers refuse to meet in person or allow potential buyers to inspect the car ahead of time
  • Sellers who say they want to sell the car because they’re in the U.S. military about to be deployed, are moving, the car belonged to someone who recently died, or a similar story
  • Sellers who ask for funds to be wired ahead of time

Online classified and auction websites could work together, and share information on the devices running these scams, through the device reputation service provided by iovation Inc. Their fraud detection service, called ReputationManager 360, is a B2B SaaS solution incorporating complex device identification, device reputation and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and behavioral abuse in real time by analyzing the computer, smartphone, or tablet connecting to their online properties.

iovation’s “living shared database” is used by fraud analysts daily and shares the reputations of devices from literally every country in the world. This reputation is a combination of fact-based evidence (such as actual chargebacks, identity theft, online scams and account takeovers), plus what risk can be inferred at transaction time. Fraud analysts take this fight seriously and submit 10,000 events of fraud or abuse into the shared database each day.

Performing a device reputation check on a scammer attempting to create a new account at a sale or auction website would stop him before he has a chance to post advertisements for scams, preventing damage to the business and its customers. And when one of your good customers has been scammed, you can submit that evidence back into the iovation database to make sure it does not happen again, whether from the same device, or a related device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.

International Credit Card Hackers Hammered

Retailers can temporarily rejoice (for about a minute) now that six cyber villains have been caught in two different international credit card fraud rings.

The Register reports, “After investigations that began in 2009, the police executed three search warrants in metropolitan Sydney, retrieving EFTPOS terminals, computers, cash, mobile phones, skimming devices, and several Canadian credit cards. Other seizures in the two-year investigation have included 18,000 blank and counterfeit credit cards, stolen EFTPOS terminals, and skimming devices. The men arrested are Malaysian and Sri Lankan nationals, and are accused of coordinating the fraud operation in Australia, North America and Europe.”

Meanwhile, “a Brooklyn man has pleaded guilty to aggravated identity theft for his role in an operation that defrauded credit card issuers of almost $800,000 in bogus charges. FBI and Secret Service agents recovered data for 2,341 stolen accounts on his computer and on the magnetic stripes of cards, according to court documents.”

Cooperation between U.S. law enforcement agencies and international governments can be credited with taking down these thieves. However, studies show there are plenty of other criminals involved in fraudulent acts from countries like China, Nigeria, Vietnam, Ukraine, Malaysia, Thailand, Indonesia, Saudi Arabia and South Korea to take their place.

There is an anti-fraud company in Oregon, called iovation Inc., that helps online businesses connect the devices used in fraud rings across geographies by associating them with the accounts they access. Whether the device is a PC, smartphone, tablet or other Internet-enabled device, iovation’s device identification technology recognizes new and returning devices touching its clients’ sites across multiple industries.

Cyber criminals with a history of fraud or abuse are obviously flagged by iovation’s ReputationManager 360 service, but even more interesting are the real-time checks that happen within a fraction of a second as the user is interacting with the website. These might include assessing risk for activities such as setting up an account, logging in, changing account information, or attempting to make a purchase or transfer funds. Real-time checks differ for each website integration point, as businesses customize and continually fine-tune them to detect fraudulent and risky behavior so that they can identify bad actors and keep them off their site for good.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses organized criminal hackers busted on Good Morning America. Disclosures