Fraud Intel


    About Ethoca's Fraud Intel Blog

    This blog provides perspectives on card-not-present fraud and related topics.

    Also see: Ethoca News.


    Data Sharing Without Sharing Data. Now That's Collaboration!


    Facilitated collaboration, with formally structured protocols, makes legal and ethical data sharing possible. Doing it requires a system that makes sure all the participants can benefit from one another’s transaction experiences while not passing around the data itself.

    Last week, I participated in a roundtable session on ‘data sharing’ at the Merchant Risk Council’s inaugural European e-Commerce Payments and Risk Conference in Amsterdam. It was a great opportunity to exchange insights with other industry leaders from many countries.

    Data sharing is great!

    Imagine if there were no restrictions on what we could share to stop fraud. Walmart and Amazon would tell each other when they caught a fraudster, what email was used, his IP location, what was attempted to be purchased, when it happened, dollar value, name, credit card number, etc. No fraudster would ever succeed at stealing more than once or twice, and we'd have good enough pattern recognition and linked data that in many cases, we'd stop them before they tried to use a compromised card, account or data the first time.

    That's the real promise and power of data sharing.

    But Sharing Data?  Yikes!

    Unfortunately, we live in the real world, and companies don't just hand each other their customer and sales data. The reality is that sharing has its limits, and it's those limits that allow so much fraud to slip through our fingers. It's the fear of what the term 'data sharing' implies that often prevents us from doing anything at all.

    In our discussions with merchants, card issuers, banks, payment processors, acquirers and the like, we found that 'data sharing' implies informality and lack of structure, which immediately raises concerns about privacy, security, data integrity and trust. The term also raises legal concerns about what data, if any, can be shared. This is particularly true in Europe, where privacy controls and regulations are stricter and vary by jurisdiction. Legal authorities and governments often assume that 'data sharing' means account information is simply passed around between private parties with no regard for the individual's rights.

    (For more on this see discussion in FinExtra about "unauthorized access" -- which is exactly the fear that sharing conjures up, and part of the reason that the Data Protection Act exists.)

    When we collaborate, we can share experiences and knowledge without sharing the data

    "What", you say?! That's some fancy verbal gymnastics. But there is much truth in it: if we think differently about data sharing and the value it can provide, and expand the concept to one of collaboration with independent management, structure and governance, we can escape the trap in which everyone thinks data sharing is a great thing in theory but few want to subscribe to it in practice.

    Ethoca prefers the term 'facilitated collaboration', with a full set of formally structured protocols to make legal and ethical data pooling possible. It’s a system that makes sure all the participants can benefit from one another’s transaction experiences while not passing around the data itself. That means things like the strictest PCI conformance across all PII, highly secured access, management, auditing and certification of data integrity by independent authorities, and access to information and anonymized experiences rather than the data itself.

    Ethoca has already proved that facilitated collaboration can work on a large scale. Our strict protocols build trust among the participants. The merchants, issuers and other stakeholders know the data can't be mined for marketing purposes or accessed for any purpose other than fraud/risk management. The information is hashed and encrypted so that even Ethoca security experts can’t see personally identifying information. Participants also get large benefits, being able to leverage one another’s payment and fraud experiences and stop ecommerce fraud that they’d never catch otherwise.
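    One way to make "experiences without the data" concrete, as an added illustration that is not Ethoca's implementation: each participant submits a keyed pseudonym of an identifier (email, card number) rather than the value, a pool stores outcomes against the pseudonym, and lookups return other participants' experiences only. The facilitator-held HMAC key is an assumption here; it matters because an unkeyed hash of a card number can be confirmed by anyone able to guess the number.

```python
import hashlib
import hmac
from collections import defaultdict

# Added illustration, not Ethoca's code. Assumption: a facilitator holds one
# secret key; participants only ever see the tokens it derives, so the pool
# matches experiences without holding (or being able to recover) raw PII.


def normalize(kind: str, value: str) -> str:
    """Canonicalise an identifier so the same customer yields the same token."""
    if kind == "email":
        return value.strip().lower()
    if kind == "pan":
        return "".join(ch for ch in value if ch.isdigit())
    raise ValueError(f"unknown identifier kind: {kind}")


def pseudonymize(key: bytes, kind: str, value: str) -> str:
    """Keyed token (HMAC-SHA256). The kind prefix keeps email and PAN token
    spaces apart; the secret key is what stops brute-force confirmation of a
    guessed card number, which a plain SHA-256 of the PAN would allow."""
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class NegativeSignalPool:
    """Stores only tokens plus each reporter's fraud outcome, never raw PII."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._signals = defaultdict(list)  # token -> [(reporter, reason)]

    def report(self, reporter: str, kind: str, value: str, reason: str) -> None:
        """A participant contributes its own experience with an identifier."""
        token = pseudonymize(self._key, kind, value)
        self._signals[token].append((reporter, reason))

    def lookup(self, requester: str, kind: str, value: str) -> list:
        """Return other participants' experiences; the requester's own
        reports are filtered out so it only learns what it did not know."""
        token = pseudonymize(self._key, kind, value)
        return [(who, why) for who, why in self._signals[token] if who != requester]


if __name__ == "__main__":
    # Constructed sample data: two merchants report the same email, written
    # differently; a third merchant asks about it before accepting an order.
    pool = NegativeSignalPool(b"facilitator-secret-key")
    pool.report("merchant-a", "email", "Fraud.Tester@Example.com", "chargeback")
    pool.report("merchant-b", "email", "fraud.tester@example.com ", "confirmed_fraud")
    print(pool.lookup("merchant-c", "email", " FRAUD.tester@example.com"))
```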

    So is the difference between ‘sharing’ and ‘collaboration’ only a matter of semantics? No. As my colleague Darryl Green wrote recently, collaborative fraud prevention is the future – and trust is the key.

    We'd love to hear about your experiences with data sharing. Why has it worked or not worked for you? What value would you get from facilitated collaboration versus data sharing? Please share your feedback in the comments below.

    Fear of Online Credit Card Fraud Shrinks Pool of Good Customers


    The U.S. Federal Trade Commission estimates that six times as much revenue is lost to "fear of fraud" as to actual fraud

    How making online shopping safer means a more profitable online environment for all

    Beyond the total cost of fraud you may face today, there is an even bigger challenge: many potential customers are afraid to buy online. They don’t think it’s safe.

    In fact, six times as much revenue is lost each year to fear of fraud as to actual fraud, according to the U.S. Federal Trade Commission.

    That number is consistent with surveys and research by other organizations as well. VeriSign says half of Internet users avoid buying online, for fear of their financial information being stolen. And of those who have been victims of fraud:

    • 12% don’t shop online any longer
    • 25% shop less frequently
    • 19% spend less when they do shop online

    And according to figures from a CyberSource 2009 survey:

    • 71% of consumers are concerned with the level of risk when shopping over the web, an increase of 5% over 2008
    • 24% of consumers (the largest grouping of answers) say it is merchants’ responsibility to make online shopping safe

    Making online shopping safer -- It's within your control

    Trust seals can and do increase the perception of safe shopping for many. They can, however, only go so far. With constant media attention paid to massive data security breaches such as those perpetrated against Heartland Payment Systems, TJ Maxx, Hannaford Supermarkets and many others, not to mention the myriad tales of unscrubbed and unprotected data on used hard drives and archival tapes full of social security numbers and other personally identifiable information falling off the back of trucks, consumers are rightly fearful that no matter what they or merchants do to protect their data, there are weak links in the security chain that put them at risk.

    In fact, there are three elements to making Internet shopping not only as safe as it can be, but truly the safest form of shopping. First, merchants need to implement proper security precautions, especially PCI compliance. Second, compliance needs to be regulated and certified (and advertised with the accompanying trust marks). Finally, merchants need to ensure that, in the event security is breached, minimal harm comes to the consumer. The best way to do that is through collaboration with other merchants, as well as card issuers, fraud vendors and payment service providers: in fact, all the stakeholders in ecommerce.

    The Global Fraud Alliance is that third and critical piece in making internet shopping safer. It provides a shield against misuse of breached and compromised data, by enabling merchants to gain insight into each other's payment experiences in real time, without compromising the privacy or security of their data.

    Ethoca has recently made a very important contribution to safe shopping by making Ethoca360 Negative Signals freely available to any merchant that signs up for service during the introductory period. And not just free to sign up, but free forever. Merchants need only apply and start actively using the service during the introductory period to ensure this lifetime benefit. This service is also being made available through partners such as 41st Parameter's FraudNet technology, GB Group's URU identity service, and the IMRG ISIS (Internet Shopping Is Safe) program. This network is rapidly growing to include other payment service providers, fraud vendors and merchants, and in the very near future will include many others in the U.S., Canada, U.K. and throughout Europe.

    A safer online environment means a more profitable online environment

    The more merchants collaborating against fraud, the safer the Internet will be, and the more customers will shop online.

    Doing your part is simple, and most importantly, it will start saving you money right away, no matter what fraud tools or services you already use. That's because Ethoca360 Negative Signals is designed to be an additive service, compatible with all third-party offerings. This is simply smart business for members of the Global Fraud Alliance. Increasing consumers' willingness to shop online means more business for everyone.

    We invite you to join.


    When Fraud Detection Technology Does the Wrong Thing . . .


    Last week, the BBC reported that bank anti-fraud systems are blocking donations to Haitian relief following the earthquake that has brought the small, impoverished country literally to its knees.

    Although it is a well-known technique of fraudsters to use stolen cards at charitable sites to make "micro-donations" to test whether a card is still active and usable, using an indiscriminate block to refuse legitimate donations in a time of extreme need is surely an immoral and insensitive use of technology, and a severe unintended consequence of a security measure taken to protect the banks' own interests. I'm sure they did not mean to stop money from getting to the relief effort, but the reality is, we can do a lot better.

    Anti-fraud solutions for card-not-present fraud are infinitely more sophisticated than this today. It's relatively easy to identify risk both statistically and behaviorally (preferably in combination), and in extreme situations override rules can be programmed quickly. It might be an extra expense for the bank to contact the card customer and do a live fraud check, but especially in this case where the world is trying to reach out with an empathetic hand, that's exactly what they need to do, because automatic transaction blocks to the Red Cross are going to leave banks with yet another big raspberry on their collective faces.
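    As an added example of the "we can do a lot better" point (not any bank's or Ethoca's rule set): instead of blocking every small donation to a relief charity, a per-device velocity rule holds for review only a device that cycles through several distinct cards at micro amounts, which is the card-testing pattern, while single-card donors, including small ones, are approved. The device fingerprint, the thresholds and the CSV layout are assumptions; the authorisation lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not any bank's or Ethoca's rule set. Assumption: the issuer
# sees each authorisation attempt with a device (or IP) fingerprint and a card
# token, so velocity can be measured per device instead of per merchant.

SMALL_AMOUNT = 5.00                 # typical card-testing "micro-donation" size
WINDOW = timedelta(minutes=10)      # how long a device's attempts are remembered
MAX_DISTINCT_CARDS = 3              # distinct cards per device before review


def parse_auth(line: str) -> dict:
    """Parse one constructed CSV line: timestamp,device,card,amount,merchant."""
    ts, device, card, amount, merchant = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "card": card, "amount": float(amount), "merchant": merchant}


class CardTestingDetector:
    """Flags one device cycling through many cards with small amounts (the
    card-testing pattern) while leaving single-card donors alone."""

    def __init__(self) -> None:
        self._recent = defaultdict(deque)   # device -> deque of (ts, card)

    def decide(self, auth: dict) -> str:
        attempts = self._recent[auth["device"]]
        # Drop attempts that fell outside the sliding window.
        while attempts and auth["ts"] - attempts[0][0] > WINDOW:
            attempts.popleft()
        attempts.append((auth["ts"], auth["card"]))
        distinct_cards = len({card for _, card in attempts})
        if auth["amount"] <= SMALL_AMOUNT and distinct_cards >= MAX_DISTINCT_CARDS:
            return "review"     # hold for a live check rather than auto-decline
        return "approve"


def screen(lines) -> list:
    """Run the detector over authorisation lines in order; returns (card, decision)."""
    detector = CardTestingDetector()
    return [(a["card"], detector.decide(a)) for a in map(parse_auth, lines)]


def summarize(results) -> dict:
    """Count decisions so the cost of a rule can be compared with a blanket block."""
    counts = {"approve": 0, "review": 0}
    for _, decision in results:
        counts[decision] += 1
    return counts


# Constructed sample: three genuine donors on separate devices (one giving a
# small $2 gift), then one device trying four different cards at $1 each, and
# a final attempt from that device half an hour later (outside the window).
SAMPLE_AUTHS = [
    "2010-01-15T10:00:00,dev-donor-1,card-001,50.00,relief-charity",
    "2010-01-15T10:00:05,dev-donor-2,card-002,2.00,relief-charity",
    "2010-01-15T10:00:10,dev-donor-3,card-003,100.00,relief-charity",
    "2010-01-15T10:01:00,dev-tester,card-101,1.00,relief-charity",
    "2010-01-15T10:01:03,dev-tester,card-102,1.00,relief-charity",
    "2010-01-15T10:01:06,dev-tester,card-103,1.00,relief-charity",
    "2010-01-15T10:01:09,dev-tester,card-104,1.00,relief-charity",
    "2010-01-15T10:30:00,dev-tester,card-105,1.00,relief-charity",
]

if __name__ == "__main__":
    for card, decision in screen(SAMPLE_AUTHS):
        print(card, decision)
    print(summarize(screen(SAMPLE_AUTHS)))
```

A merchant-level block on the same sample would have refused all three genuine donations to stop two testing attempts; the per-device rule approves them and still catches the tester once it reaches its third card.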


    So, let's call for some common sense. It's bad enough when a sledgehammer rule costs you a bit of profit by falsely rejecting a legitimate customer; it's devastating when it could cost lives and prevent help from getting to where it's needed.

    Please, if you haven't contributed yet, consider making a donation to Haitian relief. This link connects you directly to the Red Cross, and lists several legitimate charities that are participating in the direct immediate support that is desperately needed.

    http://www.redcross.ca/article.asp?id=000043&tid=016

    Vacation Hacking: Data Theft and Financial Fraud Occurs Wherever You Are


    Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of work-a-day life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that larger than ever numbers of people are taking work with them when they head for the beach. Be honest -- you took your laptop or Blackberry with you, and if nothing else, checked for email while you were away this summer, didn't you?

    So maybe you weren't working as you sipped pina coladas on the beach and surfed not on the water, but on your PC. Maybe you were "just shopping", or watching the latest viral videos on YouTube.

    So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports that “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks to get their internet fix while away from the office.

    Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?

    So-called "white-hat" hackers recently surveyed a number of large airports and found what they said was an alarming number of hacker-generated connections. Hackers are now treating airport wifi access points as their new hotspots, enticing busy road warriors, unaware that they are at risk, to sign on to a hacker’s portal: not just willingly handing over their credit card info, but also leaving their laptop exposed and their information unprotected.

    Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?

    Is there any escape? Is any protection good enough?

    Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.

    Only part of the problem is lack of security. Another critical part is the value of what gets stolen. We must redouble efforts to make the stolen data worth less, if not worthless: make it harder to use, and fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts so that the perpetrator of the biggest data breach in history faces more than a couple of slaps on the wrist and a cushy job as an informant for the Secret Service.

    Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.

    Simple solution: address the problem at its source

    The solution as I see it is two-fold:

    1. Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
    2. Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails

    Simple right?

    Take the poll

    Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?

    Take our poll, and after you hit the button, you'll see a graph of the compiled results. And, if your answer isn't on the list, give us your solution in the comments below.

    Aren't you glad that summer vacation is almost over and you're back to work?

    Data Breach Master Hacker Indicted; Foreshadows Increase In Online Credit Card Fraud


    Quiet congratulations to the authorities for finally catching up with their man, Albert Gonzalez, and getting indictments handed down by the grand jury in two of the largest deliberate data breaches in history, at Heartland Payment Systems and Hannaford Bros.

    Gonzalez, going by the alias Segvec, was also indicted in breaches at 7-11 and 2 other unnamed national retailers, as investigations continue into whether he might have been the linchpin in a number of other systems intrusions. In a path of financial havoc rivalling the damages of Hurricane Katrina and Bernie Madoff combined, we wonder how many more shoes there are to drop, as Gonzalez is already being held on charges stemming from the TJX breach in 2007, the previous largest breach on record before Heartland came to light.

    Low Key Celebrations

    Perhaps a sigh of relief is in order, but not too much more in the way of celebration. Loud hurrahs and back-slapping would be inappropriate, lest we be lulled into complacency, and thinking this means the internet is safe again.

    In fact, if you don't feel a little uneasy about the inequality of armaments between the criminals and those defending against them, remember that Gonzalez pulled off his elaborate heist literally while the authorities were watching. His crew deployed the worms that siphoned data from Heartland and others while he was acting as an informant, after he had already been caught acting as an administrator for a prominent carding site called Shadowcrew.

    End of the Beginning?

    So, unlike many, we do not believe this heralds the beginning of the end for big time cybercrime -- rather just the opposite: it signals the end of the beginning. It will only get worse from here.  How do we know?

    Gonzalez is not the world's only smart hacker, and although authorities say there are few in his skill range, we believe there are many who are even smarter and who will learn from his mistakes. There are plenty of his kind working in crime hotspots all over the world. Not only are they well-trained, they are among the world's best mathematicians and scientists, often living in a climate where criminal behavior is tolerated, even respected -- where it is regarded as a legitimate tax-paying business, and even directly supported in some cases by the state.

    Birth of a Hacker Hero

    Gonzalez has shown the next generation of hackers how to win, and how to win big. Never mind the arrogance and hubris that pushed him to take dumb chances and allowed him to be caught. He wrote the blueprint for others to follow.

    His brazen finger-in-the-eye crime makes him a hacker hero, energizing the whole hacker community to go him one better. His primary misstep was getting too cocky, repeatedly going back to the same well as he perpetrated the biggest credit card scams in history under the noses of the Secret Service.  If he had not already been known to law enforcement, and acting as an informer, is it possible he may have escaped detection entirely? Had he been a little less greedy, or a little less in-your-face with his tactics and scale of assault, might we still be looking for him for years to come?

    Copycats Will Multiply

    The hacker community is well-connected and well organized. Despite his getting caught, Gonzalez's work is still impressive, and many will emulate his tactics. They will learn from both his success and his failure. The next big-time hacker will be a little less full of bravado and a little more cautious. They will evolve their M.O. a little more frequently, and run just below the radar.

    So, while some see the catching of Gonzalez as a major blow to the fraudsters, I view it differently. Segvec is a harbinger of the increasing sophistication of attack on the horizon, and portends accelerating and increasingly deceptive attempts to commit CNP fraud against retailers to convert stolen data to cash.

    Are you ready for what's coming?

    The Test of Our Times: Secretary Ridge Recounts the Days Immediately After 9/11


    It's not often we have an opportunity to "brag on" our board members, but today it's a personal privilege for me to do just that. First Secretary of Homeland Security and Ethoca director, Governor Tom Ridge, has completed his long-awaited book "The Test of Our Times: America Under Siege and How We Can Be Safe Again". Scheduled for release on September 1, it promises to be a super bestseller.


    The book is Secretary Ridge’s account of his up-close and personal journey immediately following the attacks of September 11, 2001 – through his days as White House Homeland Security Director – his leadership of the Department of Homeland Security – and his experiences following that historic endeavor. He praises the unsung heroes of that journey, lays out the challenges and the victories along the way and offers his views on how we can achieve a better, safer world.

    Tom is one of those rare men who truly deserves the accolade "American hero," although he also is a man of genuine humility who would be first to pass that mantle on to others he feels more deserving of recognition. He brings a unique perspective to our board, both as an accomplished businessman in his own right, and as a pre-eminent authority in the global threats of terrorism, cybercrime and financial fraud, and the connections between them.

    We know his book will prove a riveting fireside read, and a popular first telling of the history of 9/11, and we wish him the best of success in his upcoming launch. And, we promise we'll be among the first to offer a review in the days following the book's release.

    Online Retail Fraud Risk Insights from Secretary Ridge

    Read what Secretary Ridge had to say about managing online retail fraud risk in an era of globalization, East European cybercrime gangs, and unparalleled data security breaches.

    Download a copy of his keynote address to the 2009 Merchant Risk Council conference.

    Long Island Skimming Scam Spotted by Microsoft Evangelist

    From my Finextra blog

    Thinking and Awareness Needed to Stop Crime, Not Just Tech

    Recently, a targeted crime spree hit Staten Island, with 250 Sovereign Bank customers caught up in the never-ending technological arms race between criminals and the rest of us. This time it wasn’t the latest hacker sitting at a far-away computer in the middle of the night. Rather, it was a small gang that used skimming technology and video cameras to compromise the accounts and make off with over $500,000. But for the alertness of Microsoft “evangelist” Sean Siebel, who spotted the scam while doing his own personal banking, it probably would have been millions lost before detection.

    According to banks, skimmers are rarely spotted in the wild, yet after seeing Sean on the news, another New Yorker spotted another skimmer at a Chase branch. The branch manager hadn’t heard of the scam.

    We see national news headlines about breaches and individual customer information being stolen by faceless entities in far-away lands.  We assume these scams require tech prowess and amazing skill, but it usually turns out to be as simple as a mirror and hidden video camera. Many times the response to these attacks is to add more features and functionality to our technology.  In the case of credit cards, the focus has been on Chip and PIN, especially in Europe. Soon, even more sophisticated 2-factor authentication is coming through cards with built-in single use PIN generators.

    Unfortunately, as this story shows, even the most advanced technology is easily subverted by cheap tools you could purchase at Best Buy or download for free, together with a small amount of ingenuity. The problem is that we place too much trust in the technology, and not enough in being alert, observant and careful. In fact, the more we rely on technology to do our thinking for us, the more complacent and vulnerable we become.

    The lesson: if your security approach is purely based on a better technology mousetrap, you are a breach waiting to happen. Don’t forget to educate your people, understand the risks you face, and always assume that the criminals will find a way around whatever technology barriers you erect.

    Data breaches demand earlier detection, better remediation


    A new article on Finextra highlights the rampant growth in financial fraud, with research from Gartner Group stating that 7.5% of Americans were hit in 2008.

    Much of this growth is due to the explosion in data breaches, in scope, scale and number. See my blog entry there exploring how data breaches show up weeks or months later as increases in online credit card fraud, and what we should do about it.

    Heartland data breach underscores dark trend


    The high-profile revelations last week about the Heartland data breach are a stark reminder that incursions by hackers into financial systems, and the fraud that results, have become mainstream news events.  And end-of-year reports for 2008 show the news about security breaches keeps getting more worrisome.

    Perhaps the worst of it is their increasing frequency and size. As we discussed here recently, experts such as the Gartner Group’s Avivah Litan believe recession and fraud increases go hand in hand as skilled minds lose legitimate employment and go to the dark side.

    But whatever the source, there is certainly more of it.

    CIFAS in the UK reports there has been a 207% rise in facility takeover fraud (i.e., account takeover fraud) in 2008, where legitimate accounts are hijacked by various means: “…the sheer scale of the increase is truly alarming. Fraudsters are clearly adapting to current conditions. They know that lending criteria have become more stringent as a result of the credit crunch, and that application fraud is likely to be unsuccessful. They are, therefore, turning their attempts elsewhere…”

    ITRC (the Identity Theft Resource Center in the US), starting its 10th year, reports that data breaches jumped by 47% in 2008. ITRC says in its report on 2008 breaches that the bigger number has a couple of sources: “two things are happening - the criminal population is stealing more data from companies AND that we are hearing more about the breaches.”

    Of course, the Heartland data breach news of last week, coming in the wake of the high-profile RBS and Hannaford breaches and the massive TJ Maxx breach two years ago, tells us this is a momentum-gaining dark trend no one wants to be caught up in.

    Retailers Organizing, On The Rise


    WE ARE IN VIOLENT AGREEMENT!!!

    The future success of security depends on everyone collaborating by sharing information about attacks and defenses. The Urban Institute’s Justice Policy Center report is bang on when it highlights cybercrime as one of the fastest-growing industries and, importantly, how much better organized it will become over the next five to ten years.

    Yes, ‘security managers need to do more collaborative work, sharing information about attacks and defenses’, as the report advises. There are, however, many around the world who are already taking that advice, facing this harsh reality head-on and in full force together, specifically by sharing information about attacks and defenses as the report highlights. The ones working together see crime the same way the authors of the report do: everyone except the criminals stands to make the greatest gains in the quality and timeliness of intelligence, and in the effectiveness of their jobs, by sharing information and resources with each other.

    It’s great to see continuing thought leadership and coverage on collaboration from the team at Dark Reading. We have enjoyed our conversations with them (specifically Kelly Jackson Higgins) about the efforts of the Global Fraud Fighting Community - we know our good work is of great interest to them and their readers. And now with Tim’s article and this report we have further proof that everyone already collaborating is heading in the right direction.

    P.S. I must say that we hadn’t thought of the terms ‘honeypots’ and ‘honeynets’ to describe the central collection of data. We’ll throw that around the hive (aka community) to see if either ‘stick’.
