Posted by Andre Edelbrock on Thu, Mar 25, 2010
After a whirlwind few days in Las Vegas last week at the annual MRC conference, I'm back in my office catching up and thinking about all that happened. Having had a few days to reflect, I thought I would share some of my learnings from this year's conference.
To put my thoughts in perspective, this year's conference was very significant for Ethoca. We announced perhaps our biggest news ever: that we are offering a free card-not-present fraud detection service, and have begun accepting merchant applications for participation. (The application process is simply to ensure that we are protecting the integrity of Global Fraud Alliance data, and only letting legitimate online merchants in). A subset of Ethoca360 Signals (itself a newly announced service), we are offering the Negative Signals part at no charge forever as an introductory opportunity for merchants who sign up now.
Free Forever is a Big Deal
The free service is a big deal for Ethoca, because for the first time ever, it makes large scale collaboration possible in the fight against fraud by removing the most significant barrier to participation, namely price. Now the question becomes, if you can identify potential fraud by leveraging the bad payment experiences of fellow merchants, why wouldn't you?
We decided to make the Negative Signals service free forever for merchants who join now to accelerate much broader collaboration. Our thinking is that by giving away a high value production-grade service, many more merchants, payment processors and fraud solutions providers will jump in quickly, thus boosting the value to everyone, and that our upgrade service to full Ethoca360 Signals would also grow quickly and more than pay for what we give up by making Negative Signals free.
Besides, it just feels right to make this kind of collaborative information freely available as a community service. With the strong positive reaction we got from merchants, payment service providers (PSPs), card issuers, and fraud workbench/platform providers, we're confident that this is the right move at the right time.
A Highly Successful Conference
Having missed last year's conference due to my sister getting married in Mexico during the same week, I was pleased to accept credit from Tom Donlea for boosting registrations to this year's conference by 20% by deciding to come back. OK, so maybe my return only boosted the total increase in attendance by one, but perhaps Ethoca sponsoring Governor Tom Ridge, the first US Secretary of Homeland Security, as a keynote presenter last year had a carry-over effect.
Congratulations to Tom and all the MRC staff for putting on another great conference, that continues to grow and attract increased interest year-over-year from the e-commerce merchant community.
Big Trends
So what were my major observations and conclusions from this year's conference? There were two big ones in addition to getting confirmation that our free Negative Signals service was exactly the right thing to do:
- Collaboration to fight fraud is an idea whose time has come. Online merchants have never been more ready, nor the time more right than right now for working together to make the next great strides in minimizing the Total Cost of Fraud. After baby steps in data sharing, most now realize that we can't make further significant gains without large-scale collaboration to construct a 360 degree view of customer behavior and online reputation. After four years of missionary work and building out Ethoca's infrastructure to support the Global Fraud Alliance, it's gratifying to see this recognition taking hold.
- There are many widely held misconceptions about the advantages and disadvantages of data-sharing. We heard a number of shibboleths at the Data Sharing session on the last day of the conference, which made me realize that it's time to dispel the myths once and for all. One thing that we at Ethoca often forget is that just because we solved the problems doesn't mean that everyone else knows that.
To address the second issue, my next few blog posts will specifically address the numerous misconceptions about data sharing and shed some light on why large-scale global collaboration works.
It was great to see the MRC community come together again this year. Look forward to seeing you all again in 2011.
Posted by Andre Edelbrock on Fri, Sep 04, 2009
Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of work-a-day life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that larger than ever numbers of people are taking work with them when they head for the beach. Be honest -- you took your laptop or Blackberry with you, and if nothing else, checked for email while you were away this summer, didn't you?
So maybe you weren't working as you sipped pina coladas on the beach and surfed not on the water, but on your PC. Maybe you were "just shopping", or watching the latest viral videos on YouTube.
So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports, “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks while away from the office to get their internet fix.
Beach fraud
Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?
So-called "white-hat" hackers recently surveyed a number of large airports, discovering what they said was an alarming amount of hacker-generated connections. Hackers are now identifying these airport wifi access points as their new hotspots and enticing busy road warriors, unaware that they are at risk, to sign on to a hacker’s portal, not just willingly handing over their credit card info, but also leaving their laptop at risk and their information unprotected.
Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?
Is there any escape? Is any protection good enough?
Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.
Only part of the problem is lack of security. Another critical part of the problem is the value of what gets stolen. We must re-double efforts to make the stolen data worth less, if not worthless. Make it harder to use. Fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts such that the perpetrator of the biggest data breach in history faces more than a couple slaps on the wrist and a cushy job as informant for the secret service.
Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.
Simple solution: address the problem at its source
The solution as I see it is two-fold:
- Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
- Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails
Simple right?
Take the poll
Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?
Take our poll, and after you hit the button, you'll see a graph of the compiled results. And, if your answer isn't on the list, give us your solution in the comments below.
Aren't you glad that summer vacation is almost over and you're back to work?
Posted by Andre Edelbrock on Tue, Jan 27, 2009
The high-profile revelations last week about the Heartland data breach are a stark reminder that incursions by hackers into financial systems, and the fraud that results, have become mainstream news events. And end-of-year reports for 2008 show the news about security breaches keeps getting more worrisome.
Perhaps the worst of it is their increasing frequency and size. As we discussed recently here, experts such as the Gartner Group’s Avivah Litan believe recession and fraud increases go hand-in-hand as skilled minds lose legit employment and go to the dark side.
But whatever the source, there is certainly more of it.
CIFAS in the UK reports there has been a 207% rise in facility takeover fraud (i.e., account takeover fraud) in 2008 where legitimate accounts are hijacked by various means: “…the sheer scale of the increase is truly alarming. Fraudsters are clearly adapting to current conditions. They know that lending criteria have become more stringent as a result of the credit crunch, and that application fraud is likely to be unsuccessful. They are, therefore, turning their attempts elsewhere…”
ITRC (the Identity Theft Resource Center in the US), starting its 10th year, reports data breaches jumped in 2008 by 47%. ITRC says in this report on 2008 breaches that the bigger number has a couple sources: “two things are happening - the criminal population is stealing more data from companies AND that we are hearing more about the breaches.”
Of course, the Heartland data breach news of last week, in the wake of the high-profile RBS and Hannaford breaches, and the massive TJ Maxx breach two years ago tells us this is a momentum-gaining dark trend no one wants to be caught up in.
Posted by Andre Edelbrock on Thu, Nov 20, 2008
Sales growth slowing…
Fresh data show that U.S. retail ecommerce grew 1% year-over-year in October, representing the sixth consecutive month this year of slowing growth rates.
The picture in the UK is not much better: IMRG/Capgemini reported that the latest figures for October show month-on-month growth of 3.8% and year-on-year growth of 12.7%, the lowest year-on-year growth since December 2004, reflecting the suffering economy.
With more and more people hunkering down and less and less credit available, a turnaround to previous growth levels looks far off, and perhaps an overall decrease is in the cards.
Fraud activity on the rise… 
Gartner security analyst Avivah Litan reports that in recent months, banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. “There’s been a marked increase in the number of attacks and the number of successful fraud attempts,” says Litan, who is due to publish a report in December. “This is the busiest my practice has ever been.”
We’ve also heard something very disturbing last week from one online business: they are starting to see a rise in fraud from their good customers, commonly referred to as 1st party fraud. These are good customers who are now turning to fraudulent activity in tough times by making false claims, e.g., orders not being shipped, or making up customer service complaints.
Shift in spend… 
Jonathan Penn, an analyst at Forrester Research, reported in September that the bulk of IT spend during the banking meltdown will go toward systems designed to keep former employees or disgruntled workers out of proprietary systems and to prevent business-killing data breaches, often resulting in less for other areas of security.
This all adds up to…
Tough times ahead for online retailers as good customers spend less, fraud increases (now even the good customers getting in on the act!) and fraud managers being asked to do more with less. All attention shifts to the Fraud Manager. He or she is looked upon as the ultimate fighter in the battle to strike balance between revenue and fraud. He or she plays a big role in the profitability of your online business so you’d be wise to give him or her your undivided attention.
Have a conversation…
Start by asking your Fraud Manager: “Are we doing everything possible with our available resources?”
Then ask: “What more could we do with the resources of others?”
If you get a confused look back try asking it this way: “I know they’re our competitors but what if we had Bob over at ACME, and Sue over at Bit Co. working for us on this? Would it help?” 
I’m sure you’ve heard the saying “It takes a village.”
Fraudsters realized some time ago that working in a village with other villagers made their own lives better. Going it alone isn’t enough. Why not share the pain? Why not share the cost of fraud with others for your benefit and the benefit of everyone…all at the demise of the fraudster?
Let me know what he or she says.