Posted by Andre Edelbrock on Thu, Nov 20, 2008
Sales growth slowing…
Fresh data show that U.S. retail ecommerce grew 1% year-over-year in October, representing the sixth consecutive month this year of slowing growth rates.
The picture in the UK is not much better: IMRG/Capgemini reported that the latest figures for October show month-on-month growth of 3.8% and year-on-year growth of 12.7%, the lowest year-on-year growth since December 2004 – reflecting the suffering economy.
With more and more people hunkering down and less and less credit available, a turnaround to previous growth levels looks far off, and perhaps an overall decrease is in the cards.
Fraud activity on the rise… 
Gartner security analyst Avivah Litan reports that in recent months banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. “There’s been a marked increase in the number of attacks and the number of successful fraud attempts,” says Litan, who is due to publish a report in December. “This is the busiest my practice has ever been.”
Last week we also heard something very disturbing from one online business: they are starting to see a rise in fraud from their good customers, commonly referred to as first-party fraud. Good customers are now turning to fraudulent activity in tough times by making false claims, e.g., that orders were not shipped, or by making up customer service complaints.
Shift in spend… 
Jonathan Penn, an analyst at Forrester Research, reported in September that the bulk of IT spend during the banking meltdown will go toward systems designed to keep former employees or disgruntled workers out of proprietary systems and to prevent business-killing data breaches, often leaving less for other areas of security.
This all adds up to…
Tough times are ahead for online retailers as good customers spend less, fraud increases (now even the good customers are getting in on the act!) and fraud managers are asked to do more with less. All attention shifts to the Fraud Manager. He or she is looked upon as the ultimate fighter in the battle to strike a balance between revenue and fraud. He or she plays a big role in the profitability of your online business, so you’d be wise to give him or her your undivided attention.
Have a conversation…
Start by asking your Fraud Manager: “Are we doing everything possible with our available resources?”
Then ask: “What more could we do with the resources of others?”
If you get a confused look back try asking it this way: “I know they’re our competitors but what if we had Bob over at ACME, and Sue over at Bit Co. working for us on this? Would it help?” 
I’m sure you’ve heard the saying “It takes a village.”
Fraudsters realized some time ago that working in a village with other villagers made their own lives better. Going it alone isn’t enough. Why not share the pain? Why not share the cost of fraud with others, for your benefit and the benefit of everyone…all to the demise of the fraudster?
Let me know what he or she says.
Posted by Andre Edelbrock on Mon, Nov 17, 2008
The problem is that the ‘we’ is often the bad guys.
For example - criminals around the world are benefiting from being better organized and using the Internet to work together. In the UK, banking losses due to fraud soared to £301.7m in the first half of 2008 compared to £263.6m in the same period last year, according to the latest figures from UK banking association APACS. Card-not-present fraud (a category that includes e-commerce fraud as well as phone and mail order scams) rose 18% to reach £161.9m in that same period.
So with the good guys losing the battle of the organized to the bad guys, you and I as consumers and businessmen pay a price…literally as the APACS numbers show.
But all good things must come to an end. Banks and businesses have had enough. The power shift, in favor of the good guys, has begun: just as the criminals have leveraged the power of organizing and the Internet, businesses and banks around the world are now working together to fight fraud head-on.
Watch the following video clip of Gilbert Fiorentino, CEO of TigerDirect, to see just how mad online retailers are getting, and what they're prepared to do about it.
Watch what happens when hundreds organize…boom…new rules indeed.
Click here to read Seth Godin’s post on this.
Posted by Andre Edelbrock on Mon, Nov 03, 2008
Red Flag Rules Delayed
Red Flag Rules apply to FIs and creditors with covered accounts (e.g., mortgage loans, automobile loans, credit cards). However, the broad language of the regulations has created enough uncertainty regarding their applicability to certain businesses to push the FTC to extend the compliance deadline to May 1, 2009.
Vague, Sweeping Language of Rule Leaves Many Uncertain
The unanswered question is whether it applies to oil companies, department stores, utilities, phone companies, all financial institutions of any size (from single branch community banks and credit unions on up), municipalities (water and sewage use contracts), waste management providers (many neighborhoods contract independently to have their garbage collected by their choice of company where residents sign individual contracts and hand over credit information to be approved for monthly billing), grocery stores, car dealers, appliance stores (6 months no interest layaway plans) — basically anyone who offers card credit or monthly billing or lease or store credit or a loan?
And as large a net as that casts, we wonder what about employers whose HR systems contain much of the same sensitive data. Will who has access to those systems come under scrutiny as well? And what about the ease with which those who aren’t “officially” allowed to see the data are able to view it? Any of these individuals could be singled out by identity thieves as targets for “social engineering” scams. Does that put their employer at risk for a creative ID theft lawsuit based on the regulation? — i.e. the one thing we know for sure is that the introduction of Red Flag Rules has created a sense there is open-ended risk of unknown size, with large costs for compliance and management (the same complaints that were thrown up when Sarbanes-Oxley was introduced).
Better Stewardship of Sensitive Personal Information
Regardless of the applicability of the Rules, what all these businesses have in common is that they maintain sensitive personal information that must be safeguarded. So even if you are small fry thinking the FTC isn’t targeting you, if it gets in the news that your company was part of the chain that led to a stolen identity, you could be sued civilly and may be prosecuted, and you’ll lose in the court of public opinion, in legal costs and in long-term reputation loss, which, depending on the magnitude of the matter, could be business ending.
But back to the Rules…simply put, the Rules focus on the holder of that sensitive personal information putting in place a program (and keeping it current) to ultimately prevent identity thieves from using people’s personally identifying information to open new accounts and misuse existing accounts. The program is to comprise three key components: identify, detect and respond to instances of identity theft.
Think like the criminal
Understand the Identity Thief
Arguably understanding the patterns of identity theft means you first need to start by thinking like the criminal. You know your data and your systems, and you should know where the vulnerabilities are. You have inside knowledge (note that most identity theft is suborned or supported by insiders), so if you were a criminal, what are the weakest points that you’d attack?
How would you get the names, SSNs, dates of birth, addresses and phone numbers stored in your systems? What social engineering techniques could you use, i.e., whom would you target and how would you ask for help in getting the data, and what makes him/her a likely candidate to either help directly or be duped into helping?
What’s Your Potential Liability
Once you understand the vulnerabilities by which you can be compromised, build policies based on monitoring and disrupting the processes by which sensitive personal information can or might be accessed. Once you know how big your exposure is, you need to estimate the probability of a successful breach, and you should then allocate appropriate funds for compliance and dealing with potential losses.
And whether or not the Red Flag Rules are applicable to your company, you’d be wise to put in place a focused program to prevent and counteract identity theft…because it’s just as important for your company to avoid a loss at the hands of a stolen identity as it is for you to ensure your company is not the path to profit for identity thieves at the expense (loss) of the victim…one that may turn out to be a new or existing customer.