Federal Investigators Bust Credit Fraud Ring

A federal investigation dubbed “Operation Open Market” recently yielded 19 arrests in nine states, for crimes including identity theft and counterfeit credit card trafficking. The defendants allegedly participated in “,” a Las Vegas-based transnational ring that bought and sold stolen personal and financial information and manufactured counterfeit IDs and credit and debit cards in order to commit fraud. This criminal organization has also been known to host online forums wherein members are encouraged to buy and sell counterfeit documents and stolen data.

Executive Director of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations James Dinkins commented, “The actions of computer hackers and identity thieves not only harm countless innocent Americans, but the threat they pose to our financial system and global commerce cannot be understated.”

According to the Federal Financial Institutions Examination Council’s latest update, “Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

The FFIEC recommends that financial institutions incorporate device identification into their layered security approach in order to thwart attacks like these, but smart financial institutions are going a step further by employing device reputation analysis approach.

iovation, an Oregon-based firm helping to fight cybercrime, offers device reputation, which builds on its complex device identification technology. It does this by offering real-time risk assessments which look at evidence of past fraud attacks, risk profiles, detects anomalies, and uncovers relationships between devices and accounts that have a history of working in collusion to stealing from online businesses.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses the latest data breach on Good Morning America. (Disclosures.)

5 FFIEC Compliance Tips For Banks

Experian’s Chris Ryan addressed five major questions about compliance with the FFIEC’s recent guidance on banking authentication. What follows are his responses, summarized:

  • What does “layered security” actually mean?

“‘Layered security’ refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.”

  • What does “multi-factor” authentication actually mean?

“A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.”

  • Who does this guidance affect? And does it affect each type of credit grantor/ lender differently?

“The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment.”

  • What will the regulation do to help mitigate fraud risk in the near-term and long-term?

“The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.”

  • How are organizations responding? 

“Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, ‘layered’ approach that the guidance is seeking.”

To learn more, watch Experian and iovation’s webinar, titled Ensuring Optimal Efficacy and Balance with Out-of-Wallet Questions and Device Identification, dedicated to discussing the recent FFIEC guidance and taking a defense-in-depth approach to fraud prevention.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)