European Cybercrime Not Slowing Down

Device reputation authority iovation published a report revealing that the number of fraudulent transactions originating from Europe has risen dramatically over the past two years. From April 2011 to April 2012, iovation prevented approximately 15 million fraudulent online transactions in Europe. That’s an increase of 60% over the previous year. The rate of European fraud attempts jumped from 1.3% of total transactions in the first quarter of 2011 to 2.1% in the first quarter of 2012, and has risen steadily throughout the past two years.

iovation stops fraud attempts with their ReputationManager 360 solution, which has the unique ability to determine which online transactions are less trustworthy via patented reputation capabilities. By examining the established reputation of mobile phones, tablets, and computers, and uncovering other device relationships, iovation helps businesses find out ahead of time which online transactions are safe and trustworthy.

Consumers should really be checking their credit card statements monthly, at a minimum. Checking online statements once a week is preferred and setting up alerts such as, “Send me a text or email every time a charge over $100 takes place on my credit card” doesn’t hurt either.

While cybercriminals are everywhere, the European countries where iovation has seen the most “denied transactions” relative to all transactions from that country include Romania, Lithuania and Croatia. The types of fraud being uncovered include eCommerce fraud such as the use of stolen credentials or card-not-present (CNP) fraud, financial fraud and bonus abuse on gambling sites, and a plethora of online scams and solicitations being detected in social networks and dating sites.

Scammers who spend their days targeting consumers in the developed world are often blocked by businesses that are using layered fraud prevention technologies. iovation’s real-time device reputation technology detects computers and other Internet-enabled devices that have been involved with financial fraud and other abuses and lets businesses know when those devices are interacting with their websites.

iovation’s network of associations among 950 million devices provides businesses with the ability to know when devices are related to one another, so they can quickly and efficiently shut down sophisticated fraud rings and fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures.)

Identity Thief Gets 4 Years in Club Fed

Four years and six months doesn’t seem like a particularly severe sentence for a thief in Washington state who stole 15 people’s identities, including four police officers, created fake driver’s licenses, washed checks, and used “mules” to steal sensitive documents, make purchases with stolen credit, and sell the merchandise. The thief’s attorneys described him as a “38-year-old drug addict who has had medical and mental setbacks and was living in a motel.” I don’t know what his mental setbacks are, but all the meth he was doing may have been a contributing factor.

I spoke about this very case at the Merchant Risk Council’s 2012 MRC Annual e-Commerce Payments & Risk Conference in Las Vegas. I shared the stage with Detective Adam Haas, who investigated the case, and Jon Karl, from device reputation leader iovation, to discuss “How Device Associations Helped Law Enforcement Tie Multiple ID Theft Cases Together.”

The thief in this case stole tax records and Social Security numbers from mailboxes and used the stolen information to take over victims’ credit accounts and to create counterfeit checks and fake driver’s licenses, which he used to purchase expensive items at local stores. He sold many of the stolen items on eBay or Craigslist, or simply exchanged them directly for drugs. After being arrested and released pending trial, the thief fled, posted “catch me if you can” on his MySpace page, and continued committing the same crimes. In January, he pled guilty to bank fraud and aggravated identity theft.

Kirkland police detectives received a great deal of assistance from Portland-based iovation. iovation’s ReputationManager 360 service was used to track down the fraudulent credit applications at various retail chains, which originated from a group of computers that iovation linked together within their vast network of more than 950 million unique devices. In addition to nabbing the thief, they were able to help identify other victims within the state who were not yet aware they had been impacted.

In a statement, the Detective commented, “The online digital bread crumbs sniffed out by iovation were critical in tying everything together, leading to a much bigger crime ring than we originally suspected.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses organized criminal hackers on Good Morning America. (Disclosures.)

Beware of Ghost Brokers

The insurance industry is thoroughly regulated, with numerous checks and balances. In the United Kingdom, however, scammers are able to pose as insurance brokers—or “Ghost Brokers”—offering significantly cheaper insurance than legitimate insurance firms.

The Telegraph reports, “The multi-million pound scam is operated by fraudsters who target drivers who are economising and looking for cheaper motor insurance deals. These motorists are likely to be vulnerable pensioners, young drivers struggling with soaring premiums and those living within communities where English is a second language.”

The scary part of this scam is that when unsuspecting victims purchase policies, they get certificates of insurance that are essentially worthless. In the event of an accident, they will not be covered.

In some cases, the ghosts will contact legitimate insurance brokers and broker deals for insurance policies that they then pay for using stolen credit cards. The victim gets a real certificate of insurance, but it’s been paid for with stolen money. When the fraud is discovered, the policy is cancelled.

These rogue brokers engage in guerilla marketing campaigns involving windshield flyers, classified ads, and professional-looking websites.

Major insurance companies would fare better if they could identify ghost brokers and stop them in their tracks. One anti-fraud service that’s been garnering attention for delivering fast and effective results is iovation’s ReputationManager 360. This SaaS-based fraud prevention solution incorporates device identification, device reputation, and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and abuse in real time by analyzing the computers, smartphones, and tablets being used to connect to websites. iovation’s service can recognize devices that have been involved in scams and help insurance companies stop fraudsters upfront.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

How Much Fraud On Record-Breaking Cyber Monday?

The Washington Post reports that this holiday season, Cyber Monday expanded into an entire week of record-breaking online shopping. From Sunday, November 27 through Saturday, December 3, consumers spent nearly $6 billion over the Internet, a 15% increase over the same week in 2010. During the first 32 days of the November-December holiday season, online spending had already reached $18.7 billion, also a 15% increase from last year.

Which begs the question: when the dust settles, how much of this uptick in online sales will equate to online fraud? It is inevitable that some consumers will detect unauthorized charges on their credit and bank accounts, and many retailers will suffer high chargebacks.

Consumers should seek out and patronize businesses that implement a comprehensive, in-depth approach to protecting customers from identity theft and financial fraud. They should also check credit and banking statements carefully, scrutinize each and every charge, and call their bank or credit card company immediately to dispute any unauthorized transactions.

Retailers should consider adding device identification technology to prevent more crime upfront before product ships and stolen credit cards are charged. This emerging technology examines the PC, smartphone, or tablet being used to conduct an online transaction in order to determine whether the device’s characteristics, behavior, and history indicate a high level of risk. The leading provider of device identification and device reputation services is iovation Inc. Take a look at iovation’s stats from Black Friday and Cyber Monday.

Fraud analysts from online retailers around the world interact with iovation’s database of device intelligence daily, and through sharing information and running real-time risk assessments, they block millions of online fraudulent attempts each year.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Cyber Monday on Fox Boston. Disclosures

6 Tips for Cyber Monday

Bad guys know perfectly well that when the online bargains begin after Thanksgiving, specifically, on the Monday after Thanksgiving, you will be providing your credit card number to retailers all over the world.

1. Go big. Do your online business with major retailers, or those you already know, like, and trust. The chances of a major online retailer stiffing you, or of their database being compromised, are slimmer than those of an unknown.

2. Do your homework. If you search for a particular product and wind up at an unfamiliar website, do some research on the retailer before putting down your credit card number. Search for the company’s name and web address to see if there have been complaints.

3. Don’t give out more personal data than necessary. Many retailers require your name, address, phone number, and credit card information. This is normal. But if you are asked for anything beyond that, like bank account numbers or your Social Security number, run hard and fast.

4. Vary your passwords. Often, online retailers will ask you to register with their website when you make your first purchase. Never register using the same password you’ve already used for another website. Otherwise, if one website is hacked, your password could be used to infiltrate your other accounts.

5. Use HTTPS sites. Websites that have a secure checkout process, with “https://” in the web address (as opposed to “http://”) are safer.

6. Print out and save online receipts. Keeping track of what you bought, where, and for how much can become confusing when making multiple purchases online. You need to pay close attention to your purchases in order to reconcile your credit card statements.

Smart retailers are already protecting consumers behind the scenes by implementing multiple layers of fraud protection. One very effective fraud detection technology is the use of device identification and device reputation to alert businesses to known fraudsters on their site. iovation Inc. provides this service, taking it to another level by analyzing the device’s reputation and assessing risk on each transaction.

“The most reputable online sites all ramp up their security processes during the holidays,” says Molly O’Hearn, iovation’s VP of Operations & Co-founder. “This is a very good thing for online consumers because this is the time of year that your identity and credit card information is most at risk.”

Whether you are buying electronics as gifts this holiday season, or sports and entertainment tickets for friends and family, iovation is working hard in the background of these sites to keep the bad guys out so you can have a safe and fun experience.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

The Evolution of Holiday Thievery

Black Friday, the day after Thanksgiving, kicks off the holiday shopping season. Retailers advertise Black Friday bargains in order to lure you through their doors.

As far back as I can remember, police have been warning of thieves who target cars in parking lots, smashing windows to steal shopping bags left in plain sight. Then, we’d be warned that as the Christmas lights went up, thieves would target the wrapped gifts underneath the tree. I thought, “It can’t get worse than this?”

Then Cyber Monday came along. It was born as a marketing opportunity that has taken on a life of its own over the past five or six years. Online retailers promote their Cyber Monday offers throughout the fall, creating hype that whips shoppers into a frenzy. It’s become as essential to the retail community as Black Friday.

Now the warnings are different: no longer so focused on crime in the physical world, but instead, on threats in the virtual world.

When shopping online, you risk unintentionally visiting an infected website, which could infect your PC with keylogging spyware, which would be used to steal your data. Or you might provide your credit card information to a legitimate online merchant that later falls victim to a data breach. Another risk is that you might order a particular product but receive something of lesser quality, or a different item entirely, and then have to contend with poor customer service.

And, of course, your identity might get stolen. Lovely. My, how times have changed!

Online retailers would spread more holiday cheer if they did their part to protect the public from credit card fraud by implementing device reputation. Device reputation, offered by iovation Inc., taps into a global device identification network that also contains millions of verified fraud and abuse events, such as chargebacks, identity theft, and shipping fraud, on those devices. The device’s reputation is assessed in real time when a transaction is being attempted on a retailer’s website. And when the device (such as a computer, phone or tablet) has no prior history, iovation profiles its potential risk for the online retailer, identifying high-risk activity before the transaction is approved or product shipped.

Stopping fraudulent transactions upfront spares many holiday revelers the burden of covering the bill for the gift lists of cyber criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Feds Catch Carder



“Carders” are the people who test and sell credit card details (most likely phished) to other individuals who carry out the actual credit card fraud. Carders are the most visible of criminals who distribute and sell stolen data to whoever is willing to take it and burn it onto a white card or make purchases over the internet. “Dumps” is a term for the batches of stolen credit card data they buy and sell.

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full-time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud.

It’s in the retailer’s best interest to put online fraud prevention measures in place to thwart credit card fraud on their sites. This not only helps them keep their chargebacks and fees low, but it also protects their brand reputation with their loyal customers. But how can retailers detect when fraudsters are stealing from their websites in the first place?

Before verifying identity and credit information, first make sure that the computer, tablet or smartphone connecting to the site is not a known fraudulent device – one used to steal from your business in the past, or from other online businesses.

Would you like to know if the device is acting suspiciously, such as masking its IP address or constantly changing its characteristics between transactions? Is it opening an excessive number of new accounts, or are new countries suddenly accessing your customers’ existing accounts?

There are many indicators of risk, and companies like Oregon-based iovation Inc. help online businesses set up fraud and risk rules in advance so that, as transactions come in, the rules run and all checks complete in a fraction of a second. This device identification service can stop the transaction right then and there.
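The indicators listed above can be written as rules that run against each incoming transaction. The sketch below is an added example, not iovation's code or API; the event fields, the threshold, the deny/review policy and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_SIGNUPS_PER_DEVICE = 3          # assumed threshold, tune per business
KNOWN_FRAUD_DEVICES = {"dev-bad"}   # constructed shared-reputation list

@dataclass(frozen=True)
class Event:
    device: str     # hypothetical identifier assigned by the device-ID layer
    account: str
    action: str     # "signup" or "login"
    country: str
    proxied: bool   # True when the real IP address appears to be masked
    traits: str     # hypothetical digest of reported device characteristics

class RiskRules:
    """Keeps just enough history to evaluate the indicators named above."""

    def __init__(self, known_fraud_devices):
        self.known_fraud = set(known_fraud_devices)
        self.signups = defaultdict(set)     # device  -> accounts it opened
        self.countries = defaultdict(set)   # account -> countries seen
        self.last_traits = {}               # device  -> traits last reported

    def evaluate(self, ev):
        reasons = []
        if ev.device in self.known_fraud:
            reasons.append("known_fraud_device")
        if ev.proxied:
            reasons.append("ip_masked")
        if self.last_traits.get(ev.device, ev.traits) != ev.traits:
            reasons.append("traits_changed")
        if ev.action == "signup":
            self.signups[ev.device].add(ev.account)   # count includes this one
            if len(self.signups[ev.device]) > MAX_SIGNUPS_PER_DEVICE:
                reasons.append("excessive_new_accounts")
        seen = self.countries[ev.account]
        if ev.action == "login" and seen and ev.country not in seen:
            reasons.append("new_country_on_existing_account")
        # Traits and country are recorded only after the event has been judged.
        self.last_traits[ev.device] = ev.traits
        seen.add(ev.country)
        return reasons

def decide(reasons):
    """Deny on a known-bad device or two or more indicators (assumed policy)."""
    if "known_fraud_device" in reasons or len(reasons) >= 2:
        return "deny"
    return "review" if reasons else "allow"

# Constructed sample traffic, not real data.
SAMPLE = [
    Event("dev-a", "alice", "signup", "GB", False, "t1"),
    Event("dev-a", "alice", "login", "GB", False, "t1"),
    Event("dev-x", "alice", "login", "FR", True, "t9"),
    Event("dev-a", "alice", "login", "GB", False, "t5"),
    Event("dev-f", "acct1", "signup", "DE", False, "t2"),
    Event("dev-f", "acct2", "signup", "DE", False, "t2"),
    Event("dev-f", "acct3", "signup", "DE", False, "t2"),
    Event("dev-f", "acct4", "signup", "DE", False, "t3"),
    Event("dev-bad", "bob", "signup", "GB", False, "t4"),
]

def run(events):
    rules = RiskRules(KNOWN_FRAUD_DEVICES)
    return [(decide(r), r) for r in map(rules.evaluate, events)]

if __name__ == "__main__":
    for ev, (verdict, reasons) in zip(SAMPLE, run(SAMPLE)):
        print(f"{ev.device:8} {ev.account:6} {ev.action:6} -> {verdict} {reasons}")
```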

Carders are just one piece of the cybercrime puzzle. Having a defense-in-depth approach to fraud prevention is essential. And sharing fraud intelligence with other businesses can only help you catch more fraud, and meanwhile, take more business with confidence.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

It Takes Sharing and Organization to Fight Organized Crime

The amount of money made and lost due to fraud is surpassing the illegal drug trade. A digital arms race has law enforcement officials nipping at the criminals’ heels. Retailers and banks continue to fight criminal hackers, but are being bombarded by advanced, persistent threats that eventually make their way into the network.

There are data breaches every week, and I’d bet every day, but we may not hear about the majority. All of these breaches have a method, signature, or feature in common, which retailers and banks can learn from.

Criminals are organizing like never before. They are learning from each other, sharing information and strategies. When one publicizes an exploit, other criminals execute it, leading law enforcement off in a new direction. It’s like a vicious game of whack-a-mole.

Today, governments around the world are organizing to fight fraud. But what’s even more exciting is that competing banks, retailers, and small businesses are all sharing fraud information to help each other out. These fraud targets are finding strength in numbers.

Oregon-based iovation Inc. has created an exclusive network of global brands across numerous industries, with thousands of fraud professionals reporting more than 10,000 fraud and abuse attempts each day. iovation’s shared database contains more than 700 million unique devices including PCs, laptops, iPhones, iPads, Android, Blackberries—practically every Internet-enabled device that exists.

Many leading banks and big brand retailers use this device reputation service to detect fraud early, not only by customizing their own real-time rules to set off triggers but also by leveraging the experiences of other fraud analysts to know whether the device touching them at this moment has been involved in chargebacks, identity theft, bust-outs, loan defaults, and any other kind of online abuse you could imagine.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

FFIEC Mandates “System Of Layered Security” to Combat Fraud

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly stressed that, come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocol. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further, offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts, which exposes fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Why Complex Device Identification Isn’t Enough

“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Federal Financial Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.
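The difference between the two approaches can be seen by modelling both checks side by side. This is an added example, not the FFIEC's or iovation's implementation; the class names, attribute names and device values are assumptions, and the fingerprint here is a plain exact-match hash.

```python
import hashlib
import hmac
import secrets

def fingerprint(attrs):
    """Digest of device characteristics (the attribute names are assumptions)."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()

class SimpleDeviceId:
    """One long-lived cookie per customer; whoever presents it is recognised."""

    def __init__(self):
        self.cookies = {}

    def enroll(self, user):
        self.cookies[user] = secrets.token_hex(16)
        return self.cookies[user]

    def recognise(self, user, cookie):
        return hmac.compare_digest(self.cookies.get(user, ""), cookie)

class ComplexDeviceId:
    """One-time cookie bound to a fingerprint and replaced on every use."""

    def __init__(self):
        self.records = {}   # user -> (current one-time cookie, fingerprint)

    def enroll(self, user, attrs):
        cookie = secrets.token_hex(16)
        self.records[user] = (cookie, fingerprint(attrs))
        return cookie

    def recognise(self, user, cookie, attrs):
        """Return the next one-time cookie, or None if not recognised."""
        if user not in self.records:
            return None
        expected_cookie, expected_fp = self.records[user]
        cookie_ok = hmac.compare_digest(expected_cookie, cookie)
        fp_ok = hmac.compare_digest(expected_fp, fingerprint(attrs))
        if not (cookie_ok and fp_ok):
            return None
        fresh = secrets.token_hex(16)            # the old cookie stops working
        self.records[user] = (fresh, expected_fp)
        return fresh

# Constructed device attributes; the IP addresses are documentation ranges.
CUSTOMER_PC = {"os": "Windows 7", "browser": "Firefox 12", "screen": "1280x800",
               "ip": "192.0.2.10", "geo": "US-WA"}
OTHER_PC = {"os": "Windows XP", "browser": "IE 8", "screen": "1024x768",
            "ip": "198.51.100.7", "geo": "unknown"}

def demo():
    simple, complex_id = SimpleDeviceId(), ComplexDeviceId()
    static_cookie = simple.enroll("alice")
    first = complex_id.enroll("alice", CUSTOMER_PC)
    results = {
        # The same cookie value is accepted no matter which machine sends it.
        "simple_copied_cookie": simple.recognise("alice", static_cookie),
        # Cookie presented from another machine: the fingerprint does not match.
        "complex_copied_cookie":
            complex_id.recognise("alice", first, OTHER_PC) is not None,
    }
    second = complex_id.recognise("alice", first, CUSTOMER_PC)
    results["complex_customer"] = second is not None
    # The cookie was rotated above, so a later replay of the old value fails.
    results["complex_replayed_cookie"] = (
        complex_id.recognise("alice", first, CUSTOMER_PC) is not None)
    return results

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26} accepted={accepted}")
```

An exact-match fingerprint like this one rejects a genuine customer whose IP address or browser version has changed, so a production check needs some tolerance for that drift.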

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.” You can listen to the FFIEC-related webinar presentation at:

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures