Fraud Intel


    About Ethoca's Fraud Intel Blog

    This blog provides perspectives on card-not-present fraud and related topics.

    Also see: Ethoca News.


    When Fraud Detection Technology Does the Wrong Thing . . .


    Last week, the BBC reported that bank anti-fraud systems are blocking donations to Haitian relief following the earthquake that has brought the small, impoverished country literally to its knees.

    Although it is a well-known technique of fraudsters to use stolen cards at charitable sites to make "micro-donations" to test whether a card is still active and usable, using an indiscriminate block to refuse legitimate donations in a time of extreme need is surely an immoral and insensitive use of technology, and a severe unintended consequence of a security measure taken to protect the banks' own interests. I'm sure they did not mean to stop money from getting to the relief effort, but the reality is, we can do a lot better.

    Anti-fraud solutions for card-not-present fraud are infinitely more sophisticated than this today. It's relatively easy to identify risk both statistically and behaviorally (preferably in combination), and in extreme situations override rules can be programmed quickly. It might be an extra expense for the bank to contact the card customer and do a live fraud check, but especially in this case where the world is trying to reach out with an empathetic hand, that's exactly what they need to do, because automatic transaction blocks to the Red Cross are going to leave banks with yet another big raspberry on their collective faces.
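To make the contrast concrete, here is an added example (not Ethoca's code) that puts the "sledgehammer" rule next to a behavioural card-testing check with an override rule. The merchant names, thresholds and the relief-charity override list are all assumptions; the transactions are a constructed sample.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not Ethoca's code: the blanket block the post criticises next to a
# behavioural card-testing detector with an override rule for listed relief charities.

@dataclass
class Txn:
    card: str
    amount: float
    merchant: str
    device: str
    ts: int  # seconds since an arbitrary epoch

RELIEF_OVERRIDE = {"relief-charity"}  # assumed: charities exempt from blind declines

def sledgehammer(t: Txn) -> str:
    """Blanket rule: decline every small donation to any charity."""
    return "decline" if t.merchant.endswith("charity") and t.amount <= 5 else "approve"

class CardTestDetector:
    """Flags a device that pushes micro-donations through many distinct cards in a short window."""
    def __init__(self, window: int = 600, max_cards: int = 5, micro: float = 5.0):
        self.window, self.max_cards, self.micro = window, max_cards, micro
        self.seen = defaultdict(list)  # device -> [(ts, card)]

    def __call__(self, t: Txn) -> str:
        hist = self.seen[t.device]
        hist.append((t.ts, t.card))
        recent = {c for ts, c in hist if t.ts - ts <= self.window}
        testing = t.amount <= self.micro and len(recent) >= self.max_cards
        if not testing:
            return "approve"
        # Override: a suspicious donation to a listed relief charity goes to a live
        # customer check ("review") rather than an automatic block.
        return "review" if t.merchant in RELIEF_OVERRIDE else "decline"

# Constructed sample: one device cycling six cards through $1 donations (card testing),
# and one genuine donor giving $2 from her own device.
SAMPLE = [Txn(f"card{i}", 1.0, "relief-charity", "dev-A", 100 + i) for i in range(6)]
SAMPLE.append(Txn("card-donor", 2.0, "relief-charity", "dev-B", 120))

def run(policy) -> list:
    """Apply a decision policy to the sample and return the decisions in order."""
    return [policy(t) for t in SAMPLE]

if __name__ == "__main__":
    print("blanket :", run(sledgehammer))        # every donor declined
    print("detector:", run(CardTestDetector()))  # only the card-cycling device is flagged
```

The blanket rule declines the genuine donor along with the tester; the detector approves her and routes the tester's later attempts to review.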


    So, let's call for some common sense. It's bad enough when a sledgehammer rule costs you a bit of profit by falsely rejecting a legitimate customer; it's devastating when it could cost lives and prevent help from getting to where it's needed.

    Please, if you haven't contributed yet, consider making a donation to Haitian relief. This link connects you directly to the Red Cross, and lists several legitimate charities that are participating in the direct immediate support that is desperately needed.

    http://www.redcross.ca/article.asp?id=000043&tid=016

    Vacation Hacking: Data Theft and Financial Fraud Occurs Wherever You Are


    Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of work-a-day life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that larger than ever numbers of people are taking work with them when they head for the beach. Be honest -- you took your laptop or Blackberry with you, and if nothing else, checked for email while you were away this summer, didn't you?

    So maybe you weren't working as you sipped pina coladas on the beach and surfed not on the water, but on your PC. Maybe you were "just shopping", or watching the latest viral videos on YouTube.

    So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports, “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks while away from the office to get their internet fix.


    Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?

    So-called "white-hat" hackers recently surveyed a number of large airports, discovering what they said was an alarming number of hacker-generated connections. Hackers are now using these airport wifi access points as their new hotspots, enticing busy road warriors, unaware that they are at risk, to sign on to a hacker's portal, not only willingly handing over their credit card information but also leaving their laptops exposed and their data unprotected.

    Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?

    Is there any escape? Is any protection good enough?

    Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.

    Only part of the problem is lack of security. Another critical part of the problem is the value of what gets stolen. We must re-double efforts to make the stolen data worth less, if not worthless. Make it harder to use. Fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts such that the perpetrator of the biggest data breach in history faces more than a couple slaps on the wrist and a cushy job as informant for the secret service.

    Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.

    Simple solution: address the problem at its source

    The solution as I see it is two-fold:

    1. Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
    2. Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails

    Simple right?

    Take the poll

    Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?

    Take our poll, and after you hit the button, you'll see a graph of the compiled results. And, if your answer isn't on the list, give us your solution in the comments below.

    Aren't you glad that summer vacation is almost over and you're back to work?

    Data Breach Master Hacker Indicted; Foreshadows Increase In Online Credit Card Fraud


    Quiet congratulations to the authorities for finally catching up with their man, Albert Gonzalez, and getting indictments handed down by the grand jury in two of the largest deliberate data breaches in history, at Heartland Payment Systems and Hannaford Bros.

    Gonzalez, going by the alias Segvec, was also indicted in breaches at 7-11 and 2 other unnamed national retailers, as investigations continue into whether he might have been the linchpin in a number of other systems intrusions. In a path of financial havoc rivalling the damages of Hurricane Katrina and Bernie Madoff combined, we wonder how many more shoes there are to drop, as Gonzalez is already being held on charges stemming from the TJX breach in 2007, the previous largest breach on record before Heartland came to light.

    Low Key Celebrations

    Perhaps a sigh of relief is in order, but not too much more in the way of celebration. Loud hurrahs and back-slapping would be inappropriate, lest we be lulled into complacency, and thinking this means the internet is safe again.

    In fact, if you didn't feel a little uneasy about the inequality of armaments between the criminals and those defending against them, remember that Gonzalez pulled off his elaborate heist literally while authorities were watching. His crew deployed the worms that siphoned data from Heartland and others, while he was acting as an informant, after he had already been caught acting as an administrator for a prominent carding site called Shadowcrew.

    End of the Beginning?

    So, unlike many, we do not believe this heralds the beginning of the end for big time cybercrime -- rather just the opposite: it signals the end of the beginning. It will only get worse from here. How do we know?

    Gonzalez is not the world's only smart hacker, and although authorities say there are few in his skill range, we believe there are many who are even smarter and who will learn from his mistakes. There are plenty of his kind working in crime hotspots all over the world. Not only are they well-trained, they are among the world's best mathematicians and scientists, often living in a climate where criminal behavior is tolerated, even respected -- where it is regarded as a legitimate tax-paying business, and even directly supported in some cases by the state.

    Birth of a Hacker Hero

    Gonzalez has shown the next generation of hackers how to win, and how to win big. Nevermind the arrogance and hubris which pushed him to take dumb chances that allowed him to be caught. He wrote the blueprint for others to follow.

    His brazen finger-in-the-eye crime makes him a hacker hero, energizing the whole hacker community to go him one better. His primary misstep was getting too cocky, repeatedly going back to the same well as he perpetrated the biggest credit card scams in history under the noses of the Secret Service. If he had not already been known to law enforcement, and acting as an informer, is it possible he may have escaped detection entirely? Had he been a little less greedy, or a little less in-your-face with his tactics and scale of assault, might we still be looking for him for years to come?

    Copycats Will Multiply

    The hacker community is well-connected and well organized. Despite his getting caught, Gonzalez's work is still impressive, and many will emulate his tactics. They will learn from both his success and his failure. The next big-time hacker will be a little less full of bravado, and a little more cautious. They will evolve their M.O. a little more frequently, and run just below the radar.

    So, while some see the catching of Gonzalez as a major blow to the fraudsters, I view it differently. Segvec is a harbinger of the increasing sophistication of attack on the horizon, and portends accelerating and increasingly deceptive attempts to commit CNP fraud against retailers to convert stolen data to cash.

    Are you ready for what's coming?

    The Test of Our Times: Secretary Ridge Recounts the Days Immediately After 9/11


    It's not often we have an opportunity to "brag on" our board members, but today it's a personal privilege for me to do just that. First Secretary of Homeland Security and Ethoca director, Governor Tom Ridge, has completed his long awaited book "The Test of Our Times: America Under Siege and How We Can Be Safe Again". Scheduled for release on September 1, it promises to be a super bestseller.


    The book is Secretary Ridge’s account of his up-close and personal journey immediately following the attacks of September 11, 2001 – through his days as White House Homeland Security Director – his leadership of the Department of Homeland Security – and his experiences following that historic endeavor. He praises the unsung heroes of that journey, lays out the challenges and the victories along the way and offers his views on how we can achieve a better, safer world.

    Tom is one of those rare men who truly deserves the accolade "American hero," although he also is a man of genuine humility who would be first to pass that mantle on to others he feels more deserving of recognition. He brings a unique perspective to our board, both as an accomplished businessman in his own right, and as a pre-eminent authority in the global threats of terrorism, cybercrime and financial fraud, and the connections between them.

    We know his book will prove a riveting fireside read, and a popular first telling of the history of 9/11, and we wish him the best of success in his upcoming launch. And, we promise we'll be among the first to offer a review in the days following the book's release.

    Online Retail Fraud Risk Insights from Secretary Ridge

    Read what Secretary Ridge had to say about managing online retail fraud risk in an era of globalization, East European cybercrime gangs, and unparalleled data security breaches.

    Download a copy of his keynote address to the 2009 Merchant Risk Council conference.

    Growth. Boom. Halt. Bust. What does it all mean?


    Sales growth slowing…

    Fresh data show that U.S. retail ecommerce grew 1% year-over-year in October, representing the sixth consecutive month this year of slowing growth rates.

    The picture in the UK is not much better: IMRG/Capgemini reported that the latest figures for October show month-on-month growth of 3.8% and year-on-year growth of 12.7%, the lowest year-on-year growth since December 2004 – reflecting the suffering economy.

    With more and more people hunkering down and less and less credit available, a turnaround to previous growth levels looks far off, and perhaps an overall decrease is in the cards.

    Fraud activity on the rise…

    Gartner security analyst Avivah Litan reports that in recent months banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. “There’s been a marked increase in the number of attacks and the number of successful fraud attempts,” says Litan, who is due to publish a report in December. “This is the busiest my practice has ever been.”

    We also heard something very disturbing last week from one online business: it is starting to see a rise in fraud from its good customers, commonly referred to as first-party fraud. Good customers are turning to fraudulent activity in tough times by making false claims, e.g., that orders were not shipped, or by making up customer service complaints.

    Shift in spend…

    Jonathan Penn, an analyst at Forrester Research, reported in September that the bulk of IT spend during the banking meltdown will go toward systems designed to keep former employees or disgruntled workers out of proprietary systems and to prevent business-killing data breaches, often leaving less for other areas of security.

    This all adds up to…

    Tough times ahead for online retailers: good customers spend less, fraud increases (now even the good customers are getting in on the act!) and fraud managers are being asked to do more with less. All attention shifts to the Fraud Manager. He or she is looked upon as the ultimate fighter in the battle to strike a balance between revenue and fraud. He or she plays a big role in the profitability of your online business, so you’d be wise to give him or her your undivided attention.

    Have a conversation…

    Start by asking your Fraud Manager: “Are we doing everything possible with our available resources?”

    Then ask: “What more could we do with the resources of others?”

    If you get a confused look back, try asking it this way: “I know they’re our competitors, but what if we had Bob over at ACME and Sue over at Bit Co. working for us on this? Would it help?”

    I’m sure you’ve heard the saying “It takes a village.”

    Fraudsters realized some time ago that working in a village with other villagers made their own lives better.  Going it alone isn’t enough.  Why not share the pain?  Why not share the cost of fraud with others for your benefit and the benefit of everyone…all at the demise of the fraudster?

    Let me know what he or she says.

    Dear Mr. Seth Godin – You’re right. A lot can happen when ‘we’ organize.


    The problem is that the ‘we’ is often the bad guys.

    For example - criminals around the world are benefiting from being better organized and using the Internet to work together. In the UK, banking losses due to fraud soared to £301.7m in the first half of 2008 compared to £263.6m in the same period last year, according to the latest figures from UK banking association APACS. Card-not-present fraud (a category that includes e-commerce fraud as well as phone and mail order scams) rose 18% to reach £161.9m in that same period.

    So with the good guys losing the battle of the organized to the bad guys, you and I as consumers and businessmen pay a price…literally as the APACS numbers show.

    But all good things must come to an end. Banks and businesses have had enough. The power shift, in favor of the good guys, has begun, as in the same way the criminals have leveraged the power of organizing and the Internet, businesses and banks around the world are now working together to fight fraud head-on.

    Watch the following video clip of Gilbert Fiorentino, CEO of TigerDirect, to see just how mad online retailers are getting, and what they're prepared to do about it.


    Watch what happens when hundreds organize…boom…new rules indeed.

    Click here to read Seth Godin’s post on this.
