Aug 01

Surveillance, staging and the fraud lifecycle


Imagine the following scenario: an attacker acquires consumers’ login credentials through a data breach. They use these credentials to test account access and observe account activity to understand the ebbs and flows of normal cash movement – peering into private financial records – verifying the optimal time to strike for the most financial gain.

Surveillance and fraud staging are the seemingly benign and often-transparent account activities that fraudsters undertake after an account has been compromised but before that compromise has been detected or money is moved. Activities include viewing balances, changing settings to more effectively cover tracks, and setting up account linkages to stage eventual fraudulent transfers.

The unfortunate thing is that the actual theft is often the final event in a series of several fraudulent surveillance and staging activities that were not detected in time. It is the activity that occurs before theft that can severely undermine consumer trust and can devastate a brand’s reputation.
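To make the post's point concrete, here is a small detector that raises an alert at the staging step rather than at the theft; it is an added illustration, not 41st Parameter's code, and the action names, device ids and events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Activity classes from the post: reconnaissance, covering tracks, staging a
# transfer, and the theft itself. Action names are constructed for this example.
RECON_ACTIONS = {"view_balance", "view_transactions"}
COVER_ACTIONS = {"change_alert_settings", "change_email", "change_phone"}
STAGING_ACTIONS = {"link_external_account", "add_payee"}
THEFT_ACTIONS = {"transfer_out"}


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed)
    account: str
    device: str    # device fingerprint id, as a device-intelligence layer would supply
    action: str


def detect_staging(events, known_devices, window=14 * 86400):
    """Raise alerts at the staging step, before any money moves.

    known_devices maps account -> set of device ids historically seen on it.
    A 'staging' alert fires when a device unknown to the account performs
    reconnaissance, then a cover/settings change, then a staging action, all
    within `window` seconds. A transfer from such a device is reported as
    'theft', the point at which transaction-only controls first notice.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account[e.account].append(e)

    alerts = []
    for account, evs in by_account.items():
        trusted = known_devices.get(account, set())
        progress = {}  # unfamiliar device -> {"first": ts, "stages": set()}
        for e in evs:
            if e.device in trusted:
                continue  # the owner's own devices are outside this rule
            st = progress.setdefault(e.device, {"first": e.ts, "stages": set()})
            if e.ts - st["first"] > window:  # sequence too old, start over
                st["first"], st["stages"] = e.ts, set()
            if e.action in RECON_ACTIONS:
                st["stages"].add("recon")
            elif e.action in COVER_ACTIONS and "recon" in st["stages"]:
                st["stages"].add("cover")
            elif (e.action in STAGING_ACTIONS and "cover" in st["stages"]
                  and "staging" not in st["stages"]):
                st["stages"].add("staging")
                alerts.append((account, e.device, "staging", e.ts))
            elif e.action in THEFT_ACTIONS:
                alerts.append((account, e.device, "theft", e.ts))
    return alerts


# Constructed sample: the owner checks a balance from a known device; an unknown
# device then surveils, changes alert settings, links an external account and,
# about two weeks later, moves money.
KNOWN_DEVICES = {"acct-1001": {"dev-home-pc", "dev-phone"}}
SAMPLE_EVENTS = [
    Event(1_000, "acct-1001", "dev-home-pc", "view_balance"),
    Event(2_000, "acct-1001", "dev-unknown-7", "view_balance"),
    Event(90_000, "acct-1001", "dev-unknown-7", "view_transactions"),
    Event(170_000, "acct-1001", "dev-unknown-7", "change_alert_settings"),
    Event(260_000, "acct-1001", "dev-unknown-7", "link_external_account"),
    Event(1_200_000, "acct-1001", "dev-unknown-7", "transfer_out"),
]


def run_sample():
    return detect_staging(SAMPLE_EVENTS, KNOWN_DEVICES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The staging alert lands roughly eleven days before the transfer in this sample, which is the window the post says most transaction-centric controls miss.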

Read more about surveillance, staging and the fraud lifecycle in this complimentary whitepaper.

Jul 24

Another Breach, Another Instance of Weak Passwords Causing Account Takeover


Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with.

Account takeover is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. A number of factors contribute to the evolving fraud landscape, chief among them that the Internet was not designed for security. This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential.

As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication.

What can consumers and organizations do to protect themselves?

Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen, fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience.

In the digital age, where consumers are increasingly represented by their devices, the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is essential to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information.

Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware.

Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement. 

Learn more about 41st Parameter fraud detection and prevention solutions here.

Jul 14

The Fraudster Underground – Revealing secrets of highly industrialized criminal organizations


In our most recent webinar, I had the pleasure of moderating a panel session with four fraud experts from many diverse backgrounds. The consistent theme throughout was that cyber criminals have become quite proficient at stealing data or account credentials. Once a cyber criminal has valid account data, they have incredible access to a broad range of possibilities: how an account is used, a real-time view of deposit and withdrawal patterns, and what types of alerts and notification settings are in place. A determined fraudster may observe accounts for long periods to ensure they are able to make their move at the optimal time.

One of the biggest issues is being able to tell “friend from foe”, particularly in light of the endless supply of perfect, disposable data. I posed this scenario to our panel and asked what organizations can do now to protect themselves:

SCENARIO – Telling friend from foe

Credit card companies encourage travellers to alert them in advance of unusual travel to avoid red flags or declines while out of town. This can be a double-edged sword. A fraudster with appropriate credentials can contact a credit card company a few weeks before a “trip” to alert them of planned travel. At the start of the “trip” the distraught fraudster can then contact the credit card company to report a stolen card and request a replacement be expedited to them at their “destination.” The result is a fraudster armed with a completely legitimate card they can use at their leisure and with little risk of detection.

There were three key take-aways the expert panel recommended:

  1. Enhance your visibility. Without this important tactic, you won’t know what hit you. Fraudsters are armed with pristine identity data so they will look and act more like your best customers.
  2. Employ multiple security layers. You may be focused on ensuring that you know your customer, but does the transaction pattern fit normal behavior for the user? Malware could be embedded on the device. Are items such as language and other settings consistent with what you’d expect for your legitimate customers?
  3. Protect profile setups / online enrolment and reward programs the way you protect transactions. While the financial risk to your business may be limited, the potential regulatory exposure and brand reputation hit can be significant. It takes years to build your reputation with your best customers – but only seconds to destroy it. Undermining their trust in online or mobile interactions with your business has an immediate and destructive impact on loyalty.

What do you think? Let us know.

Jun 25

Mobile Fraud Trends #CreditChat – there’s always a first time for everything

David Britton
Online Fraud Industry Expert

Today I co-hosted a TweetChat with Experian on mobile fraud trends. To be honest, it was the first Twitter Chat I took part in. It was fun, informative and a great way to connect with folks in our industry – from our customer base, partners and more.

The discussion was fast paced, and the 140-character limit for tweets meant I wasn’t able to elaborate on many of the points I made. Thus, I thought I would share my insight through a blog post.

What are the most common types of mobile fraud?  

Malware. According to Forbes, 97 percent of mobile malware is on Android devices. That’s not to say that Apple isn’t seeing it, too. They are, but at a much reduced scale due to their validation processes. Forbes also states that Android malware rose from 238 threats in 2012 to 804 new threats in 2013 and continues to rise.

Mobile malware has a couple of varieties that everyone should be aware of. They’re increasingly common and you’ve likely seen the first one making media headlines like rapid fire in recent months:

  1. Ransomware: locks a user’s phone and fraudsters demand payment to unlock it.
  2. Credential stealing malware: attempts to capture the credentials of the victim as they access a service.
  3. Premium dialing/texting malware that uses victim phones to increase traffic and charges to rogue accounts.

Mobile fraud, as a category, also needs to include the use of the mobile device by fraudsters as the attacking instrument. Fraudsters exploit the fact that organizations may not have applied the same security measures to their mobile access points that they have in their traditional online access. Big mistake. All organizations should make sure that they are not exposed to fraud originating from the mobile channel (either mobile app or mobile web based.) Companies need to ensure they can identify the device regardless of platform.

Am I more at risk on my mobile device than I am on my computer? 

As a consumer, industry data has illustrated that there is no significant difference between the risk of the PC and a mobile device. The PC is still a much more valuable target to fraudsters, considering its wide use. But as the mobile platform continues to grow, mobile exploits are also growing, forcing the industry to build in more robust strategies around mobile access. This includes the platform providers, app developers and businesses that want to increase their mobile offerings.

The bigger point here is that the Apple platform has much less malware activity than the Android platform does today. Apple has stringent developer policies and scrutiny.

For businesses, as a relative percentage of device activity, we are beginning to see that there is more fraud in the mobile channel than in the traditional channel. Bear in mind that mobile volumes today are still much smaller than the traditional PC. Mobile can also be a fraud staging area, where fraudsters can see balances and activity and then take over your account. But this is not a vulnerability with the consumer using their device; rather, it’s with the fraudsters using the mobile channel, since it’s a separate channel where the banks may not have effective cross-channel visibility.

How do I know if you have a legitimate app vs a fake / fraudulent app? 

There are a few simple steps to verify the legitimacy of apps – check for typos, grainy logos and images and check user reviews on the app store. Moreover, this is an issue of where users are getting their apps. Make sure you are only downloading apps from the platforms’ authorized app environments. And keep in mind that the prevalence of malware on the Google Play platform is much higher than that on the AppStore.

What other risks do mobile devices pose to personal identity?

The phone doesn’t necessarily present greater risks than PCs, but people do tend to use them more frequently, and with less of a thought toward security. My advice: make a habit of locking your phone and don’t buy apps from sketchy platforms.

What are the methods that banks and retailers are choosing to secure mobile payments?

It’s a device access versus personal access issue. Businesses need to recognize devices regardless of payment type. In the NFC space, there’s also a question of liability: who is on the hook when fraud happens? Is it the merchant? The card issuer? There are still some gray areas when it comes to mobile wallet (NFC) transactions being used for physical purchases.

For NFC (in person) payments, the POS makers use industry standards, but they can still be vulnerable to attack based on malware distributed via POS terminals, as we have seen lately.

For mobile bank payments, some banks use device recognition and device behavior, but all banks really should use it; it is the best way to detect rogue activity from the device.

Most retail mobile payments are tied to a wallet, so wallet providers must also secure access to the wallet to ensure that it doesn’t become the weakest link.

Will passwords ever die? What other forms of identification might be used?  

For businesses, passwords are already dead, since most have been stolen over the years. Businesses should be using device recognition – it’s one of the strongest tools to differentiate between good and bad users.

Any final tips on how people can protect themselves from mobile fraud? 

Don’t buy apps from sketchy third party platforms. Don’t click on links from untrusted parties, lock your device, make sure your device is backed up and don’t pay ransomware demands.

If you have any other questions that weren’t answered in the #TweetChat, please leave a comment here or tweet to me at @DBritton41st.

Jun 24

Secrets that The Fraudster Underground don’t want you to know – live webinar panel

Pose your questions to our panel!
Click the image above and we’ll make sure your questions are included in our live discussion.

Secrets revealed during live panel webinar

Tuesday July 1 2014 – 10:30 AM – 11:30 AM PDT

“The Fraudster Underground – revealing secrets of highly industrialized criminal organizations”

Once a cyber criminal has valid account data, they have incredible access to a broad range of possibilities: how an account is used, a real-time view of deposit and withdrawal patterns, and what types of alerts and notification settings are in place. A determined fraudster may observe accounts for long periods to ensure they are able to make their move at the optimal time.

Don’t miss this “Tales from the Fraudside” live webinar, where our expert panel from MasterCard, HackSurfer and 41st Parameter will reveal more secrets of these despicable cyber criminals. With these experts from a variety of industries, attendees will walk away with a better understanding of this critical piece of the lifecycle of fraud and what can be done about it.

Jun 18

Experts from MasterCard, HackSurfer and 41st Parameter weigh in on the secrets of highly industrialized cyber criminal orgs; live webinar


The Fraudster Underground – revealing secrets of highly industrialized criminal organizations

Experts from MasterCard, HackSurfer and 41st Parameter weigh in.

Experts from MasterCard, HackSurfer and 41st Parameter weigh in.

Live webinar event
Tuesday, July 1, 2014
10:30 AM PDT

Data breaches, phishing, account takeovers: cyber criminals have become quite proficient at stealing data or account credentials. Make no mistake, these cyber criminals are crafty. They’ve taken their cue from any large organization, each has its own specialty, and this nefarious practice is a big piece of the Fraudside story.

But this “Tales from the Fraudside” story isn’t focused on the theft; no, this tale is far more sinister. Imagine these criminals stalking bank accounts, understanding the ebbs and flows of cash movement – peering into private financial records – anticipating just the right time to strike. This is the world of highly industrialized cyber criminals – and where our “Tale” begins.

In this “Tales from the Fraudside” live webinar, our expert panel from MasterCard, HackSurfer and 41st Parameter will reveal secrets of these despicable criminals. You will walk away with a better understanding of this critical piece of the lifecycle of fraud and what you can do about it.

Jun 13

Defeating the Ghost Army – or protecting your business with a layered security strategy


It’s no secret that e-commerce merchants, retailers, and financial institutions are prime targets for these digital ghosts as they look to quickly monetize their recent data heist. Unfortunately, many organizations are still scrambling to deploy proper defenses. So how do you defend against an unregulated, networked enemy intent on inciting chaos and filling their bank accounts? Following any data breach, it is essential that organizations gain complete visibility of their customers and transactions across channels.

Once a breach has occurred, it is critical for organizations to perform a forensic review of the attack to identify and understand all of the potential points of vulnerability, what data was stolen and how that data was transmitted back to the attackers. What can be more concerning is that the initial scope may quickly expand into something much larger. This makes it essential that retailers and financial institutions rapidly gain complete visibility of their customer data and transactions across channels and keep drilling down until the root cause can be identified and protected against a repeat attack.

Unfortunately, that type of consolidated view does not exist in most companies. Organizations need to ask themselves some serious questions.

  1. Do you really know who is logging into your customers’ accounts? Without realizing their data has been compromised, consumers can fall prey to personalized phishing attacks and “give away the keys” to their accounts.
  2. How can you be certain a VIP customer is really behind a high-dollar transaction being rushed to an overseas address? No one wants to decline legitimate orders from loyal customers; but with revenue, reputation and brand equity at stake, no one can afford to ignore the potential risk.
  3. What controls are in-place to ensure that a fraudster in Malaysia isn’t using legitimate identity data and an anonymous proxy to submit credit card applications that are a perfect match to credit bureau data? Or to alert when a long-standing offline banking relationship suddenly enrolls online? Once access is established, address and other data can be updated and sold to the highest bidder in underground forums.

All of these questions can be addressed through the combination of complex device intelligence, a powerful risk engine and support from industry-leading experts in fraud and risk management.

Even after a breach has occurred, the risk can be managed. First, consumers need to be informed on how to protect themselves from sophisticated use of their data. Second, arm your organization with a layered security strategy that includes device intelligence. This will prepare you for the onslaught of compromised card usage, fraudulent enrollments, phishing attacks and attempted account takeovers that follow in the wake of a data breach.

Jun 10

The true lifecycle of fraud


There are some definite misunderstandings about the lifecycle of fraud. The very first phase is infection – and regardless of HOW it happens, the victim’s machine has been compromised. You may have no knowledge of this fact and no control. All of that compromised data is off in the ether and has been sold. The next phase is to make sure that the next set of fraudsters can validate those compromised accounts and make sure they got their money’s worth. It’s only at the last phase – theft – that any money movement occurs. We call this out because there are a lot of organizations out there who have built their entire solution on this last phase. We would say you are about two weeks too late as the crime actually began much earlier.

So how can you protect your organization? Here are five take-aways to consider:

  1. User / device trust. Do this user and device share a history? Has this user been seen with or associated with this device historically? It may not be fraud, but it is something we watch for.
  2. User / device compatibility. Does the user align with devices they’ve used in the past? What are the attributes of the device with respect to user preferences, profile and so on.
  3. Device hostility. Look at its behavior across your ecosystem. How many identities has it been associating with? Is it associated with a number of personal attributes or focused on risky activities?
  4. Malware. Does this device configuration suggest malware? Because we have information about the device itself, we can show that it’s been infected.
  5. Device reputation. Has this device been associated with previous crimes? There are some organizations who have built their entire solution around device reputation. We believe this is interesting to include, but it’s more important to look at everything in the context of your entire ecosystem rather than focusing on just one area.
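The five signals above, combined into one illustrative risk-scoring pass over constructed user, device and network data; this is an added example, not 41st Parameter's engine, and the weights, thresholds, attribute names and indicator names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    user_id: str
    language: str
    timezone: str
    devices_seen: set = field(default_factory=set)  # devices with a history on this user


@dataclass
class DeviceProfile:
    device_id: str
    language: str
    timezone: str
    malware_indicators: set = field(default_factory=set)  # constructed indicator names


@dataclass
class Ecosystem:
    """What a cross-customer device-intelligence network would know (constructed)."""
    identities_per_device: dict  # device_id -> set of user ids seen on it anywhere
    flagged_devices: set         # device ids tied to confirmed prior fraud


def score_login(user, device, eco, hostility_threshold=5):
    """Combine the post's five signals into (score, reasons). Weights are illustrative."""
    score, reasons = 0, []
    # 1. User / device trust: do this user and device share a history?
    if device.device_id not in user.devices_seen:
        score += 20
        reasons.append("no history between user and device")
    # 2. User / device compatibility: device attributes vs the user's profile
    for attr in ("language", "timezone"):
        if getattr(device, attr) != getattr(user, attr):
            score += 15
            reasons.append(f"device {attr} differs from user profile")
    # 3. Device hostility: how many other identities has this device been associating with?
    others = eco.identities_per_device.get(device.device_id, set()) - {user.user_id}
    if len(others) >= hostility_threshold:
        score += 30
        reasons.append(f"device seen with {len(others)} other identities")
    # 4. Malware: does the device configuration suggest infection?
    if device.malware_indicators:
        score += 25
        reasons.append("malware indicators: " + ", ".join(sorted(device.malware_indicators)))
    # 5. Device reputation: associated with previous crimes?
    if device.device_id in eco.flagged_devices:
        score += 40
        reasons.append("device linked to confirmed prior fraud")
    return score, reasons


def decide(score):
    """Risk-based outcome: allow, add a step-up challenge, or block."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"


# Constructed sample data: the account owner on her usual laptop, and a device
# already seen with seven other identities, a foreign locale and a malware flag.
ALICE = UserProfile("alice", "en-US", "America/Chicago", {"dev-alice-laptop"})
ECO = Ecosystem(
    identities_per_device={"dev-farm-3": {"u1", "u2", "u3", "u4", "u5", "u6", "u7"}},
    flagged_devices={"dev-burned-9"},
)
ALICE_LAPTOP = DeviceProfile("dev-alice-laptop", "en-US", "America/Chicago")
ATTACK_BOX = DeviceProfile("dev-farm-3", "ru-RU", "America/Chicago", {"rooted_device"})


def run_sample():
    legit = score_login(ALICE, ALICE_LAPTOP, ECO)
    attack = score_login(ALICE, ATTACK_BOX, ECO)
    return decide(legit[0]), decide(attack[0]), attack[1]
```

Note that no single signal alone decides the outcome; a flagged device with otherwise matching attributes only reaches the block threshold together with the missing user history, which is the post's point about context over any one signal.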

Want to learn more? Listen to this on-demand webinar “Where the WWW..wild things are – when good data is exploited for fraudulent gain”.

Jun 10

FICO Integrates Leading Fraud Management System with 41st Parameter’s Cybersecurity Technology to Reduce Blocks on Online Transactions


FICO (NYSE: FICO), a leading predictive analytics and decision management software company, has partnered with 41st Parameter®, a part of Experian® and a leader in securing online relationships, to fight fraud on card-not-present (CNP) transactions, the top source of payment card fraud today, while letting more genuine transactions proceed in real time. FICO is integrating 41st Parameter’s TrustInsight™ with the FICO® Falcon® Platform, which protects 2.5 billion card accounts and is used by more than 9,000 financial institutions worldwide. Authenticating the device being used in a transaction provides yet another layer of detection to the Falcon Platform, which includes proprietary analytics based on more than 30 patents.

41st Parameter’s TrustInsight™ solution provides a real-time analysis of a transaction, crowd-sourced from a network of merchants, that produces a TrustScore™ indicating whether the transaction is likely to be genuine and should be approved. TrustInsight helps reduce the number of “false positives,” or good transactions that are declined or investigated by the card issuer. The TrustScore, integrated with the FICO Falcon Fraud Manager Platform, provides a link between data the merchant knows and data the issuer knows to enable issuers to utilize additional information that is not currently available in their fraud detection process, including the identification of a cardholder’s “trusted devices.”

Read the entire release here.

Jun 09

Fraud and data breaches… or when good data is exploited for fraudulent gain


During last week’s live webinar, David Britton, online fraud industry expert and vice president, industry solutions at 41st Parameter said this:

Download the webinar production notes here

“At 41st Parameter, we begin our days somewhat differently. We believe that the internet was never built with security in mind. We also assume that all user data has been stolen. Every bit of consumer data has been compromised. Why? It puts us on a much more heightened state of awareness to help mitigate the type of environment we work in. We also believe that we are not just fighting against naturally evolving organisms. Rather, we are combating very sophisticated and powerfully motivated individuals who are highly creative.”

During the 45-minute live webinar, Britton also provided five distinct actions that businesses can take to help protect their organizations as well as real-world strategies for preventing and detecting fraud online AND maintaining a positive online experience for valued customers.

Want to learn more? Link to the on-demand webinar here and stay tuned for next month’s panel, where we will focus on the surveillance and validation of data prior to theft. Viewers will be armed with tactics that they can leverage in their own organizations.