Fraud Intel


    About Ethoca's Fraud Intel Blog

    This blog provides perspectives on card-not-present fraud and related topics.


    Unequal Rewards & Penalties: Do Issuing Banks Really Have Nothing to Lose to CNP Fraud?


    KISS (Keep it Small, Stupid) Proves an Effective Fraud Strategy

    The NY Times reported this weekend on an unusual case of credit card fraud filed by the FTC in a Chicago federal court involving more than 1 million cardholder accounts and over 100 fake merchant accounts over a period of at least 4 years. It’s a sign of how much the internet and automation have changed the fraud game, enabling massive scams by employing the KISS (Keep It Small, Stupid) Principle.

    The suit claims that more than $10 million was stolen by placing just a single fraudulent charge for less than $10 on more than 1 million different credit and debit cards. Card-not-present transactions (i.e. online sales) were recorded by 16 shell companies operating under more than 100 different merchant IDs. The fake companies, set up with bogus websites and phone numbers to look real when they applied for merchant accounts, were created using stolen identities, and the money was quickly moved out of the US to bank accounts in several different east European countries.

    The interesting vulnerability exposed is how easy it is to fly under the radar if you make everything plausible and seemingly random, and don’t do anything to stand out. Criminals carefully set up fake companies with familiar sounding names so that nothing would stand out on the cardholder statements. By only attacking each card once, and for a small amount, it’s a safe bet that the majority of consumers didn’t even notice. The one dumb error was posting a number of transactions for as little as 20 cents. According to the FTC, there were more complaints about the 20-cent charges than the 9 dollar ones because they appeared odd – again, it’s about plausibility.

    Complaints of any sort were incredibly few: it took nearly a million transactions before the FTC had enough complaints registered to start an investigation. The lesson: KISS.
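The pattern described above (one small card-not-present charge per card, spread across a very large number of cards and a fresh merchant ID) is invisible to any cardholder-level check, but it stands out once transactions are aggregated by merchant. The following is an added example, not Ethoca's code or anything from the FTC case: it runs a simple merchant-level screen over a constructed transaction sample. The merchant IDs, card tokens, thresholds (50 distinct cards, $10 maximum, 2% repeat-card share, 90% CNP share) and the two legitimate comparison merchants are all assumptions made for illustration.

```python
"""Merchant-level screen for the 'many cards, one small charge each' pattern.

Added example with constructed data; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    merchant_id: str   # acquirer-assigned merchant ID (constructed value)
    card: str          # tokenised card number (constructed value)
    amount: float      # charge amount in USD
    cnp: bool          # True for card-not-present (online/phone) charges


def merchant_profiles(txns):
    """Group transactions by merchant and compute the signals the screen uses."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant_id].append(t)

    profiles = {}
    for mid, rows in by_merchant.items():
        charges_per_card = defaultdict(int)
        for t in rows:
            charges_per_card[t.card] += 1
        cards = len(charges_per_card)
        profiles[mid] = {
            "txn_count": len(rows),
            "distinct_cards": cards,
            # share of cards this merchant charged more than once
            "repeat_card_share": sum(1 for n in charges_per_card.values() if n > 1) / cards,
            "max_amount": max(t.amount for t in rows),
            "cnp_share": sum(1 for t in rows if t.cnp) / len(rows),
        }
    return profiles


def flag_micro_charge_merchants(txns, min_cards=50, max_amount=10.0,
                                max_repeat_share=0.02, min_cnp_share=0.9):
    """Return merchant IDs whose activity matches the one-small-charge-per-card pattern.

    A merchant is flagged only when it has touched many distinct cards, every
    charge is small, almost no card was charged twice, and the charges are CNP.
    """
    profiles = merchant_profiles(txns)
    return sorted(
        mid for mid, p in profiles.items()
        if p["distinct_cards"] >= min_cards
        and p["max_amount"] <= max_amount
        and p["repeat_card_share"] <= max_repeat_share
        and p["cnp_share"] >= min_cnp_share
    )


def build_sample():
    """Constructed sample: one shell merchant and two legitimate low-ticket merchants."""
    txns = []
    # Shell merchant: 200 different cards, one CNP charge each, $9.00 with an
    # occasional 20-cent charge (the amounts the article mentions).
    for i in range(200):
        amount = 0.20 if i % 25 == 0 else 9.00
        txns.append(Txn("MID-SHELL-001", f"tok-shell-{i:04d}", amount, True))
    # Coffee shop: 60 regulars, card-present, several small visits each.
    for i in range(60):
        for visit in range(1 + i % 4):
            txns.append(Txn("MID-CAFE-042", f"tok-cafe-{i:04d}", 3.50 + visit, False))
    # Online subscription: 100 cards billed $8.99 three months running (CNP,
    # small amounts, but every card recurs, so it is not flagged).
    for i in range(100):
        for _month in range(3):
            txns.append(Txn("MID-SUBS-007", f"tok-subs-{i:04d}", 8.99, True))
    return txns


if __name__ == "__main__":
    sample = build_sample()
    for mid, p in merchant_profiles(sample).items():
        print(mid, p)
    print("flagged:", flag_micro_charge_merchants(sample))
```

The repeat-card share is what separates the shell merchant from a legitimate low-ticket subscription service, and the CNP share is what separates it from a coffee shop; the card-count threshold keeps a brand-new small merchant from being flagged on its first day of trading. In practice the same signals would be computed over a rolling window and combined with merchant age.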

    You can read the full stories here:

    My main point for this article was to focus on a throwaway comment from Gartner analyst, Avivah Litan. She is quoted:

    “If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase — called a card-not-present transaction — the bank that hosted the merchant account that received the ill-gotten charges must make restitution.”

    And the writer of the article concludes that because the acquiring bank is on the hook for the fraudulent charges, the issuer has “little motivation to be greatly concerned about online fraud”.

    Really? The acquirer is indeed stuck with many charges of between 20 cents and 9 dollars, since none of the merchant accounts were legitimate, but is there really no cost to issuers in this case?

    On the contrary, our analysis shows that it costs the card issuing bank an average of $15 per transaction in labor and paper trail costs (getting consumers to file affidavits, issuing chargebacks, etc), plus fees assessed by the card scheme for each chargeback. More, in fact, than the maximum $10 charge that the acquirer had to eat.

    Across more than 1 million fraudulent transactions in this single case, that’s over $15 million – not exactly chicken feed, and certainly not “little motivation” to seek a solution.

    The takeaway is this: CNP fraud is a pernicious problem, and it affects, inconveniences and costs everyone involved. Merchants for sure, but also issuers and cardholders.

    The $15 in overhead costs may not compare to a $500 loss taken by a merchant of electronics goods, for example, but the issuers are getting hurt on each and every fraud. Consider that if a bank the size of JPMorgan Chase could eliminate these costs, that would represent by our guesstimates a savings of $1.5 – 2.5 million annually – a savings that is pure profit to the bottom line. I’d argue that that’s plenty of motivation for any issuer, and it is an achievable target with more industry collaboration.

    And, that would be good for everybody.

    Vacation Hacking: Data Theft and Financial Fraud Occurs Wherever You Are


    Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of workaday life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that larger than ever numbers of people are taking work with them when they head for the beach. Be honest -- you took your laptop or Blackberry with you, and if nothing else, checked for email while you were away this summer, didn't you?

    So maybe you weren't working as you sipped pina coladas on the beach and surfed not on the water, but on your PC. Maybe you were "just shopping", or watching the latest viral videos on YouTube.

    So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports, “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks while away from the office to get their internet fix.

    Beach fraud

    Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?

    So-called "white-hat" hackers recently surveyed a number of large airports and found what they described as an alarming number of hacker-generated connections. Hackers are now setting up their own access points at these airports as new hotspots, enticing busy road warriors, unaware that they are at risk, to sign on to the hacker’s portal; the travellers not only willingly hand over their credit card details but also leave their laptops exposed and their information unprotected.

    Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?

    Is there any escape? Is any protection good enough?

    Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.

    Only part of the problem is lack of security. Another critical part of the problem is the value of what gets stolen. We must re-double efforts to make the stolen data worth less, if not worthless. Make it harder to use. Fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts such that the perpetrator of the biggest data breach in history faces more than a couple slaps on the wrist and a cushy job as informant for the secret service.

    Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.

    Simple solution: address the problem at its source

    The solution as I see it is two-fold:

    1. Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
    2. Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails

    Simple right?

    Take the poll

    Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?

    Take our poll, and after you hit the button, you'll see a graph of the compiled results. And, if your answer isn't on the list, give us your solution in the comments below.

    Aren't you glad that summer vacation is almost over and you're back to work?

    Data Breach Master Hacker Indicted; Foreshadows Increase In Online Credit Card Fraud


    Quiet congratulations to the authorities for finally catching up with their man, Albert Gonzalez, and getting indictments handed down by the grand jury in two of the largest deliberate data breaches in history, at Heartland Payment Systems and Hannaford Bros.

    Gonzalez, going by the alias Segvec, was also indicted in breaches at 7-Eleven and 2 other unnamed national retailers, as investigations continue into whether he might have been the linchpin in a number of other systems intrusions. In a path of financial havoc rivalling the damages of Hurricane Katrina and Bernie Madoff combined, we wonder how many more shoes there are to drop, as Gonzalez is already being held on charges stemming from the TJX breach in 2007, the previous largest breach on record before Heartland came to light.

    Low Key Celebrations

    Perhaps a sigh of relief is in order, but not too much more in the way of celebration. Loud hurrahs and back-slapping would be inappropriate, lest we be lulled into complacency, and thinking this means the internet is safe again.

    In fact, if you didn't feel a little uneasy about the inequality of armaments between the criminals and those defending against them, remember that Gonzalez pulled off his elaborate heist literally while authorities were watching. His crew deployed the worms that siphoned data from Heartland and others, while he was acting as an informant, after he had already been caught acting as an administrator for a prominent carding site called Shadowcrew.

    End of the Beginning?

    So, unlike many, we do not believe this heralds the beginning of the end for big time cybercrime -- rather just the opposite: it signals the end of the beginning. It will only get worse from here.  How do we know?

    Gonzalez is not the world's only smart hacker, and although authorities say there are few in his skill range, we believe there are many who are even smarter and who will learn from his mistakes. There are plenty of his kind working in crime hotspots all over the world. Not only are they well-trained, they are among the world's best mathematicians and scientists, often living in a climate where criminal behavior is tolerated, even respected -- where it is regarded as a legitimate tax-paying business, and even directly supported in some cases by the state.

    Birth of a Hacker Hero

    Gonzalez has shown the next generation of hackers how to win, and how to win big. Nevermind the arrogance and hubris which pushed him to take dumb chances that allowed him to be caught. He wrote the blueprint for others to follow.

    His brazen finger-in-the-eye crime makes him a hacker hero, energizing the whole hacker community to go him one better. His primary misstep was getting too cocky, repeatedly going back to the same well as he perpetrated the biggest credit card scams in history under the noses of the Secret Service.  If he had not already been known to law enforcement, and acting as an informer, is it possible he may have escaped detection entirely? Had he been a little less greedy, or a little less in-your-face with his tactics and scale of assault, might we still be looking for him for years to come?

    Copycats Will Multiply

    The hacker community is well-connected and well organized. Despite getting caught, Gonzalez's work is still impressive, and many will emulate his tactics. They will learn from both his success and his failure. The next big-time hacker will be a little less full of bravado, and a little more cautious. They will evolve their M.O. a little more frequently, and run just below the radar.

    So, while some see the catching of Gonzalez as a major blow to the fraudsters, I view it differently. Segvec is a harbinger of the increasing sophistication of attack on the horizon, and portends accelerating and increasingly deceptive attempts to commit CNP fraud against retailers to convert stolen data to cash.

    Are you ready for what's coming?

    Long Island Skimming Scam Spotted by Microsoft Evangelist

    From my Finextra blog

    Thinking and Awareness Needed to Stop Crime, Not Just Tech

    Recently, a targeted crime spree hit Staten Island, with 250 Sovereign Bank customers caught up in a never-ending technological arms race between criminals and the rest of us. This time it wasn’t the latest hacker sitting at a far away computer in the middle of the night. Rather it was a small gang that used skimming technology and video cameras to compromise the accounts and make off with over $500,000. But for the alertness of Microsoft “evangelist” Sean Siebel, who spotted the scam while doing his own personal banking, it probably would have been millions lost before detection.

    According to banks, skimmers are rarely spotted in the wild, yet after seeing Sean on the news, another New Yorker spotted another skimmer at a Chase branch. The branch manager hadn’t heard of the scam.

    We see national news headlines about breaches and individual customer information being stolen by faceless entities in far-away lands.  We assume these scams require tech prowess and amazing skill, but it usually turns out to be as simple as a mirror and hidden video camera. Many times the response to these attacks is to add more features and functionality to our technology.  In the case of credit cards, the focus has been on Chip and PIN, especially in Europe. Soon, even more sophisticated 2-factor authentication is coming through cards with built-in single use PIN generators.

    Unfortunately, as this story shows, even the most advanced technology is easily subverted by cheap tools you could purchase at Best Buy or download for free, together with a small amount of ingenuity. The problem is that we place too much trust in the technology, and not enough in being alert, observant and careful. In fact, the more we rely on technology to do our thinking for us, the more complacent and vulnerable we become.

    The lesson: if your security approach is purely based on a better technology mousetrap, you are a breach waiting to happen. Don’t forget to educate your people, understand the risks you face, and always assume that the criminals will find a way around whatever technology barriers you erect.

    Red Flag Temporarily Raises the White Flag


    Red Flag Rules Delayed

    Red Flag Rules apply to FIs and creditors with covered accounts (e.g., mortgage loans, automobile loans, credit cards). However, the broad language of the regulations has created enough uncertainty regarding their applicability to certain businesses to push the FTC to extend the compliance deadline to May 1, 2009.

    Vague, Sweeping Language of Rule Leaves Many Uncertain

    The unanswered question is whether it applies to oil companies, department stores, utilities, phone companies, all financial institutions of any size (from single branch community banks and credit unions on up), municipalities (water and sewage use contracts), waste management providers (many neighborhoods contract independently to have their garbage collected by their choice of company where residents sign individual contracts and hand over credit information to be approved for monthly billing), grocery stores, car dealers, appliance stores (6 months no interest layaway plans) — basically anyone who offers card credit or monthly billing or lease or store credit or a loan?

    And as large a net as that casts, we wonder about employers whose HR systems contain much of the same sensitive data. Will who has access to those systems come under scrutiny as well? And what about the ease with which those who aren’t “officially” allowed to see the data are able to view it? Any of these individuals could be singled out by identity thieves as targets for “social engineering” scams. Does that put their employer at risk of a creative ID theft lawsuit based on the regulation? The one thing we know for sure is that the introduction of the Red Flag Rules has created a sense that there is open-ended risk of unknown size, with large costs for compliance and management (the same complaints that were raised when Sarbanes-Oxley was introduced).

    Better Stewardship of Sensitive Personal Information

    Regardless of the applicability of the Rules, what all these businesses have in common is that they maintain sensitive personal information that must be safeguarded. So even if you are small fry thinking the FTC isn’t targeting you, if it gets in the news that your company was part of the chain that led to a stolen identity, you could be sued civilly and may be prosecuted criminally, and you’ll lose in the court of public opinion, in legal costs and in long term reputation, which, depending on the magnitude of the matter, could be business ending.

    But back to the Rules. Simply put, the Rules focus on the holder of that sensitive personal information putting in place a program (and keeping it current) to ultimately prevent identity thieves from using people’s personally identifying information to open new accounts and misuse existing accounts. The program is to comprise three key components: identify, detect and respond to instances of identity theft.


    Think like the criminal

    Understand the Identity Thief

    Arguably understanding the patterns of identity theft means you first need to start by thinking like the criminal. You know your data and your systems, and you should know where the vulnerabilities are. You have inside knowledge (note that most identity theft is suborned or supported by insiders), so if you were a criminal, what are the weakest points that you’d attack?

    How would you get the names, SSNs, dates of birth, addresses and phone numbers stored in your systems? What social engineering techniques could you use, i.e. who would you target, how would you ask for help in getting the data, and what makes him/her a likely candidate to help, either directly or by being duped into helping?

    What’s Your Potential Liability?

    Once you understand the vulnerabilities by which you can be compromised, build policies based on monitoring and disrupting the processes by which sensitive personal information can or might be accessed. Once you know how big your exposure is, you need to estimate the probability of a successful breach, and you should then allocate appropriate funds for compliance and dealing with potential losses.

    And whether or not the Red Flag Rules apply to your company, you’d be wise to put in place a focused program to prevent and counteract identity theft, because it is just as important for your company to avoid a loss at the hands of a stolen identity as it is to ensure your company is not the path to profit for identity thieves at the expense of the victim, who may turn out to be a new or existing customer.
