March 26, 2012
Is the Internet the world's largest crime scene?
"If the Internet is a place, it's probably the world's largest crime scene," said Peter Liske, vice president of product management at Threatmetrix. Listening to Peter talk recently at the 1st annual CARTES in North America conference, I immediately visualized my computer screen filled with chalked outlines of bodies representing victims of online crimes. While crime on the Internet can take on many forms, I am focusing today's blog on online shopping fraud. According to CyberSource's 2012 Online Fraud Report, merchants lost an estimated $3.4 billion in 2011 due to fraud taking place in "the world's largest crime scene."
Although $3.4 billion in losses is nothing to smile about, the report offers some good news in the merchants' ongoing battle against cybercriminals. Most notably, merchants are proving that when technology and other fraud detection tools are implemented effectively, fraud can be reduced. In 2011, merchants reported that 0.6 percent of orders were lost to fraud, a 33 percent decrease from 2010. A key reason for this decline of orders lost to fraud appears to be increased investment or usage of tools by the merchants to identify, track, and prevent fraud. In 2011, merchants used more technology and other tools to automatically detect fraud. They also engaged in more manual reviews of orders. In fact, during 2011, the largest merchants (annual online revenue of over $25 million) used more automated fraud detection tools than did smaller merchants, resulting in substantially lower fraud rates for the largest merchants.
Unfortunately, these fraud detection tools come with a cost, and the manual review of transactions is both an expensive and laborious task. According to the CyberSource report, 75 percent of the merchants surveyed do not plan to increase staffing levels related to fraud management in 2012. Further, 78 percent of the merchants expect to make no increase to their fraud management budgets in 2012.
As sales volume on the Internet continues to grow, merchants will have the difficult task of fighting fraud with their limited resources. To keep battling in "the world's largest crime scene," it will be imperative for them to optimize their automated fraud detection tools in today's constrained environment. As merchants engage in this tight-wire act between fraud losses and prevention costs, will they continue to be able to lower the incidents of fraud?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 26, 2012 in cybercrime, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168e9435b56970c
Listed below are links to blogs that reference Is the Internet the world's largest crime scene?:
Comments
October 03, 2011
Cyberspace trust: Proving you're not a dog
A very real discomfort underlies the classic joke: "On the Internet, nobody knows you're a dog." How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate's Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you're reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.
The most recent installment of the Payments Spotlight podcast series features Jeremy Grant, leader of the U.S. Department of Commerce's National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is a White House initiative that works collaboratively with the private and public sectors to improve the security of online transactions by increasing online security and solving the problem of weak and inconvenient passwords.
"The genesis of it was President Obama's cyberspace policy review that was conducted shortly after he took office in 2009," Grant explains. The goals of the new cyberspace policy include "the creation of an identity management vision and strategy that the country could implement that would focus both on the securities aspects of the topic, as well as be dedicated to preserving or enhancing privacy and civil liberties." A critical first step, says Grant, is addressing the fact that "passwords are fundamentally broken and insecure, and simply don't cut it these days as a way to identify and authenticate online." (A May 2011 Payments Spotlight podcast addressed the weakness of single-factor authentication, such as logging in with just a password.)
Although the government is coordinating the NSTIC effort, the program is designed as a private-public partnership. Grant says it is not the government's role "to figure this out for the rest of the world, but to convene different private sector stakeholders, [including] tech firms, banks, healthcare firms, security firms, advocacy groups in the privacy and consumer communities, and other interested individuals." A major goal of NSTIC is to foster collaboration. He says, "We really want to have an open and participatory process where all different stakeholders can come together and collaborate and work out practical solutions to some of the challenges that the NSTIC lays out. Government will convene and we'll be an early adopter, but we are not going to actually lead this." Some private businesses are already excited about NSTIC. Michael Barrett, Chief Information Security Officer at PayPal, has voiced his support: "[We] will be offering more services to our customers over the coming months that directly support the NSTIC, which we expect will result in many new benefits to both our customers and the Internet overall."
So when can we expect to see NSTIC implemented? Currently the National Program Office is laying the groundwork for pilots, which can be expected sometime next year. In terms of resources, Grant notes that "for fiscal year 2012, the White House has proposed $24.5 million for NSTIC, including $17.5 million that would go towards pilot programs." The funds have not yet been appropriated, so budget wrangling may still change those numbers. Those pilots will be just the first step in architecting a more secure Internet identity infrastructure. If NSTIC achieves its vision, we can be confident that no fraudsters—or dogs—lurk behind our friends' Facebook profiles and e-mail addresses!
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
October 3, 2011 in collaboration, consumer protection, cybercrime | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e8bfd2b8e970d
Listed below are links to blogs that reference Cyberspace trust: Proving you're not a dog:
Comments
June 20, 2011
Is a national data breach notification law on the horizon?
Extensive privacy regulations exist that provide a framework for promoting identity theft prevention, data security, use of data limitations, requirements for data destruction, notice, user content, and accountability. Some of these laws are the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Gramm-Leach Bliley Act, among others. Each of these financial privacy laws has been amended several times since their enactment, but none have standardized data breach notification rules.
On the state level, some legislatures have tackled data breaches by stepping up privacy and encryption requirements for organizations that handle credit and debit card data. According to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have passed laws that require some form of notification when security breaches involving personal information occur. Most of the state laws have common themes, yet several differences exist among them, making it difficult, costly, and burdensome to develop a consistent and effective security incident response plan.
A push for national data breach laws
In 2009, there were two federal data security laws pending that cleared the U.S. Senate Judiciary Committee. One even cleared the U.S. House of Representatives. However, neither became law. One was the Personal Data Privacy and Security Act of 2009 (Data Privacy Act), and the other was the Data Breach Notification Act. The Data Privacy Act sought to mitigate identity theft, ensure privacy, and require that breached individuals be notified. The Data Breach Notification Act also imposed notification requirements but provided a safe harbor whereby organizations were not required to report the breach if a risk assessment determined the incident would not harm consumers.
Other efforts were seen when the Federal Trade Commission (FTC) and the U.S. Department of Commerce (DoC) both released reports within days of each other with recommendations for protecting consumer privacy online. The FTC's report came out on December 2, 2010, and the DoC's report came out on December 16. The DoC report focuses on national consistency surrounding security breach notification rules. The DoC recommends the implementation of a "[f]ederal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities."
Seeking exemption from the FTC and DoC recommendations
Not everyone is on board with the DoC and FTC recommendations. On January 31, 2011, the Securities Industry and Financial Markets Association (SIFMA), a consortium of financial firms, sent a letter to the FTC and DoC asking that their recommendations on privacy exclude industries—including the financial services industry—already subject to sector-specific regulations. SIFMA's letter expressed the view that existing national privacy laws like the Fair Credit Reporting Act, the Gramm-Leach Bliley Act, and the Electronic Communications Privacy Act are sufficiently addressing the management of consumers' personal data.
SIFMA did express support of the introduction of a uniform national breach notification law that would preempt state laws, but only by requiring that consumers be notified of a breach when there is a significant risk of identity theft. SIFMA pointed out that "requiring notification if there is no significant risk of identity theft could have the unanticipated effect of overwhelming consumers with notices that might cause confusion and likely desensitize them to future notices."
Finding common ground
The deadline for comments to the FTC report closed February 18, 2011. Both the FTC and DoC are expected to issue final reports and guidance this year. The coincident timing of the FTC's and DoC's reports seems to have renewed focus on online privacy and what best practices should be used to address perceived shortcomings.
Perhaps the FTC and DoC recommendations can shed some light on whether the need for a national data breach notification law is warranted or whether the existing national and state-level laws sufficiently address the management of consumers' personal data. For now, it appears that most industry watchdogs believe that consumers and businesses alike could benefit from a national standard for security breach obligations, mainly because the differences in form and substance between states make it increasingly complicated for effectively reporting data breaches to the public and present undue costs to business and burden streamline industry compliance.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
June 20, 2011 in consumer protection, cybercrime, identity theft, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e89435696970d
Listed below are links to blogs that reference Is a national data breach notification law on the horizon?:
Comments
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Play podcast (MP3 7:23)
Transcript
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0148c823e9d8970c
Listed below are links to blogs that reference Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens:
Comments
November 01, 2010
Beware of cybercrashers to your social network party
According to the Nielsen Company, the overall global traffic to social network sites grew nearly 30 percent in one year, from 244.2 million users in February 2009 to 314.5 million users in February 2010. In the United States alone, the average active social network audience grew 22.8 percent, from 115 million to 149 million during that same time period. If social networks are expanding this rapidly, can the growth of associated risks—specifically, data privacy—be far behind?
|
|
|
|
Establishing privacy parameters
Privacy is perhaps the most significant concern surrounding the use of online social networking sites. Recently, BBC Mobile reported that consumer confidence in social networking sites has been shaken as issues over privacy concerns have come to light. Results of an RSA 2010 Global Online Consumer Security Survey show that, even as thousands of individuals join social networking websites each day, nearly 65 percent of survey respondents indicated that they are less likely to interact or share information due to growing security concerns. Although most online social networking sites have privacy protections in place that allow users to establish their own level of security settings, online social networks are inherently public, which makes it difficult to secure nonpublic information. But if users are shielding their personal information through security settings, how, then, are hackers able to extract this information and steal their identities? Could the simple act of sharing, friending, or posting make it easier for hackers to attack a social network site and impersonate its users?
Facing incoming threats to social network sites
Corporations that use social networks as communication tools (or corporations whose employees use them without IT's authorization) are faced with significant security and compliance risks. In a survey that FaceTime conducted of IT groups, 14 percent of respondents reported that they've seen data leak through social networks. According to this study, Web 2.0 applications like instant messaging, Skype, and the chat functions within social networks can travel undetected through an organization's network, thus posing the risk that confidential information such as credit card details will leave the organization's control without authorization. Hackers use various means to attack social network sites, including phishing, spam, and malware. Their success is in part due to the trust users place in their networks. The study also notes that users are far more likely to click on a link from a friend on a social network site than in an e-mail.
Using small bits of information to gain entry
Gateway data, a term coined by Herbert Thompson a professor at Columbia University, refers to the confidential information harvested by cybercriminals from social networking sites. According to Thompson and researchers at Carnegie Mellon University, hackers can use such confidential information as someone's mother's maiden name—discovered from a social network site—to answer a challenge question and gain access to the person's account or personal financial data. Users of gateway data can also use these single pieces of information to trick the user into revealing even more sensitive information.
In a 2009 study, researchers from Carnegie Mellon University were able to deduce the Social Security numbers of millions of individuals just by sifting through fragments of data typically shared on social networks and other publicly available sources. Another study, this one by Consumer Reports, found that 52 percent of social network users disclose information that could leave them vulnerable to cybercriminals. Pieces of information such as a mother's maiden name, home address, or home or mobile phone number can lead perpetrators to steal users' identities.
Deterring cybercrime with a healthy dose of skepticism
The global reach and public nature of social networking websites have made them a favored target for online criminals. While consumers enjoy the ease of communication and information sharing on these social networks, these online forums have introduced new and unanticipated risks. Users must take some crucial steps to deter thefts of their identities, included becoming educated in the types of online crime while avoiding such common pitfalls as weak security settings and compulsive information sharing.
A healthy dose of skepticism on what, how much, or with whom to share can go a long way in reducing the exposure of personal, confidential information, because what is shared on the Internet stays on the Internet.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
November 1, 2010 in cybercrime, identity theft, privacy, social networks | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013488a0b457970c
Listed below are links to blogs that reference Beware of cybercrashers to your social network party:
Comments
August 09, 2010
Shopping at the Fraud Mall: Fictional fantasy or harsh reality?
One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.
Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.
In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit that travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000 with the top of the line offering belonging to a high balance account holder with several electronic withdrawals and a home banking service with a bank who has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.
|
|
Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.
I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conflicker were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions are premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.
Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.
Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.
The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."
Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud and protecting our assets, our people, and our reputations is going to take more time an effort than ever before.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348607ca64970c
Listed below are links to blogs that reference Shopping at the Fraud Mall: Fictional fantasy or harsh reality?:
Comments
March 15, 2010
Global challenge: Catching crooks while protecting privacy
As I watched the Winter Olympics unfold in Vancouver, I marveled at the stories of athletes who had gained citizenship in other countries in order to pursue their dreams. A Canadian moguls skier moved to Australia (which I kind of get) and a Japanese pairs figure skater fled to Russia (which I don't get). In both cases, their renationalization was rewarded with Olympic medals, and in both cases, I was reminded of how completely we have merged into a one-world family and a one-world economy.
Amidst this clear and widely embraced trend to global industrialization and trade, we find that our payments systems lag miserably behind. Certainly this is not because of the lack of availability of technology to wire us together; in fact, both good guys and bad guys use the Internet to order and ship goods and services, as well as commit fraud, across the globe in minutes. And, certainly, this is not because of trade practices. As I found out from Linda Coven, a senior executive at the Silicon Valley Bank in California, a technology firm born in the Silicon Valley becomes a global firm the minute they put up their Web site. Even a modest-sized bank such as hers can develop the expertise and partnerships to help such companies cope with the financial aspects of worldwide markets.
Tangled web
The fly in the international payments ointment is the complex web of regulatory and law enforcement regimens that quite naturally do not as yet mesh. In fact, this can still be a problem domestically, no less globally. The global version of this dilemma gained center stage on February 2010 when the folks at the European Parliament voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programs (TFTP). These programs were established by the U.S. Treasury in the wake of the September 11, 2001, attacks. The TFTP allows the Treasury law enforcement agencies to issue administrative subpoenas for terrorist-related data, including the records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the world's largest network for banking transactions. Privacy laws and liabilities were cited as the major stumbling block in this reversal of form from previous agreements. Efforts by SWIFT to implement new technology to separate their databases into geographical segments may still allow some access to data involving a U.S. institution, but the EU ruling could ultimately impede law enforcement activities aimed at catching criminals that make today's global payments world a bit of the wild, wild West.
For those who feel that today's regulatory/law enforcement climate borders on paranoia, I would counter that in the face of global terrorism and money laundering there may be ample reason for paranoia. It is clear that cross-border payments applications deserve greater scrutiny to make sure they are not vehicles for financing dangerous and unsavory organizations. Strong compliance policies and screening practices are even more critical in this environment than they are domestically. Nevertheless, we see once again the incongruent goals of catching criminals and preserving privacy. In cases where cooperation and trust have been established there have been great successes. Internet corporate takeover rings have been stymied and Nigerian-based fraudulent check schemes have been terminated to the benefit of numerous domestic corporations and consumers.
Building a team
At the Retail Payments Risk Forum, we are working with various parties to find ways to synthesize the conflicting goals of privacy and enforcement to create a more directed and timely approach to catching the bad guys. As we progress, we will have to be ever-mindful of the fact that the next step will be to use our domestic examples as templates for solving the same problems internationally. Useful new work groups and task forces have been established here in the United States, such as the Interagency Payments Fraud Working Group under the current co-chairmanship of the Justice Department and the Federal Reserve Board, that are directed at better cooperation between law enforcement and the bank/non-bank regulatory community. Extending such collaboration into the international arena needs to become a priority for our industry if we are truly going to mitigate payments risk and catch offenders. It is no secret that this will be a difficult challenge, but fighting cyber crime is no longer a domestic issue here in the States or anywhere else. While we cast aside old norms in the payments and technology areas to do business across borders, we must also be open and innovative in regulatory and law enforcement circles if we are to have any chance of keeping up with criminals.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 15, 2010 in cybercrime, fraud, law enforcement, payments risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01310f823141970c
Listed below are links to blogs that reference Global challenge: Catching crooks while protecting privacy:
