Fraud

Christmas Wish

By Adrian Lane

When there is good news in holiday retail, we usually hear. In this economic climate, it's headline news. When there is bad news, we don't hear much. The news from PayPal, according to PC Magazine's article on Record Breaking Black Friday, was that total transactions were way up -- in some cases by 20%. What they are not disclosing is the total dollar volume. In fact, most of the quotes I saw from individual retailers are along the lines of "We did well", but we don't know how low their expectations were, and I have yet to see hard sales numbers. Which is annoying because they have the data, so I typically assume the worst.

As I was reading the reports I started to wonder what the fraud rates were this year. I am willing to bet the fraud curve would see higher growth than total online sales. If we see a 10-20% uptick in online transactions, did we see a 20-30% increase in fraud? If mobile transactions -- the new greenfield for attackers -- are up 140%, did we see exploitation of this new medium? It dawned on me that, with all of this commerce tracked and analyzed so closely, most fraud data should be available immediately, and fraud rates should be confirmed within a week or two. If retailers share holiday sales numbers with analysts, why not the fraud data?

I know most credit card processing houses and companies like First Data have reasonably sophisticated fraud detection tools, and I am told that PayPal and eBay have incredibly advanced analysis capabilities. I would love to see even a generic breakdown of rates of ecommerce fraud, credit card fraud and fraud rates by location. I don't need specifics, but trends would be nice -- something like the a percentage they were certain was fraud, what percentage was suspect, and what sort of after-the-fact complaints are coming in. It's a big part of the payment processors' business, so I know they are watching closely and tracking the activity. Come on, all I want for Christmas is a little forensics! It's the season of sharing. I know they have the data, but I guess I should not hold my breath in anticipation.

–Adrian Lane

Burden of Online Fraud

By Adrian Lane

One of my favorite posts of the last week, and one of the scariest, is Brian Krebs' Washington Post article on Businesses Are Reluctant to Report Online Fraud. This is not a report on a single major bank heist, but instead what many of us have worried about for a long time in Internet fraud: automated, distributed and repeatable theft. The worry has never been the single million-dollar theft, but scalable, repeatable theft of electronic funds. We are going to be hearing a lot more about this in the coming year. The question that will be discussed is who's to blame in these situations? The customer for having almost no security on their small business computer and being completely ignorant of basic security precautions? The bank, both for having crummy authentication and fraud detection, with an understanding the security threats as part of their business model? Is it contributory negligence? This issue will gain more national attention as more businesses have their bank say "too bad, your computer was hacked!" Let's face it, the bank has your money. They are the scorekeeper and if they say you withdrew your money, the burden of proof is on you to show they are wrong. And no one wants to make them mad for fear they might tell you to piss off. The lines of responsibility need to be drawn.

I feel like I am the last person in the U.S. to say this, but I don't do my banking on line. Would it be convenient? Sure, but I think it's too risky. My bank account information? Not going to see a computer, or at least a computer I own because I cannot afford to make a mistake. I asked a handful of security researches I was having lunch with during Defcon -- who know a heck of a lot more about web hacking than I do -- if they did their banking online. They all said they did, saying "It's convenient." Me? I have to use my computer for research, and I am way too worried that I would make one simple mistake and be completely hosed and have to rebuild from scratch ... after my checking account was cleaned out. In each of the last two years, the majority of the people I spoke with at Black Hat/Defcon ... no, let's make that the overwhelming majority of the people I have spoken with overall, had an 'Oh $&(#' moment at the conference. At some point we said to ourselves "These threats are really bad!" Granted, many of the security researchers I spoke with take extraordinary precautions, but we need to recognize how badly the browsers and web apps we use every day are fundamentally broken from a security standpoint. We need to acknowledge that out of the box, PCs are insecure and the people who use them are willfully ignorant of security. I may be the last person with a computer who simply won't budge on this subject. I even get mad when the bank sends me a credit card that has ATM capabilities as a convenience for me. I did not ask for that 'feature' and I don't want the liability. While the banks keep sending me incentives and encouragements to do it, I think online banking remains too risky unless you have a dedicated machine. Maybe banks will start issues smart tokens or some additional security measures to help, but right now, the infrastructure appears broken to me.

–Adrian Lane

New Identity Theft Stats

By Rich

One of my biggest annoyances in the industry is the lack of good metrics for making informed decisions, and the overuse of crappy metrics (like ROI) that drive poor decisions. Of those valid metrics that wistfully dance with rainbows, unicorns, and pony-unicorns in my happiest dreams, those that correlate real-world fraud with real-world incidents stand alone on the peak of the rainbow bridge to metrics nirvana. I've written about our need for fraud statistics, not breach statistics, but often feel like I'm just banging my head against the hard, thick walls of big money.

Thanks to Debix, today there's a bit of rainbow light at the end of the turn el (have I killed that analogy yet? Really? Even with the unicorns?). As many of you know, since they sponsored a contest here at Securosis, Debix is an identity theft prevention company. They place credit locks with the credit agencies for you, and route all new account requests through their call center for routing to you for approval or disapproval.

Today they released some very interesting statistics. Since they pass a lot of credit query traffic through their call center, they closely track new account fraud attempts against their client base. Many of their clients enroll as a protective measure after data breaches, so for those customers they an also track at least of the breach origins (nothing says that's the only time they've been a victim). Some of this information is based on my briefing with them, and is not available in the report.

• According to this report from the Identity Theft Resource Center, new credit account fraud is 57% of financial identity theft.
• Many of the 259,761 accounts included in the study were the result of major incidents involving lost backup tapes.
• There were 30,618 authorization attempts for new credit lines.
• Of those, 380 were fraudulent (and stopped).
• There were 4 incidents of new account creation that circumvented the Debix controls (all detailed in the report).

This gives us a bit of meat to work with. The fraud rate is about 1.25% of new accounts, which is about the average. Since most of the participants were exposed due to lost backup tapes, it shows either that those losses are not resulting in increased fraud, or that the bad guys are holding onto the information for greater than the (public) 1 year of protection.

Debix also added a new feature recently that may lead to more interesting results. When you decline to open a new account, you have the option to immediately route your case to a private investigator on their staff, who collects the information and engages law enforcement. While I doubt we'll get hard numbers out of that, we might get some good anecdotes on the fraud origins.

On our call Debix committed to providing more statistics down the road (all anonymized of course). We gave them a few suggestions, including some ways to add controls to their analysis, and I'm really looking forward to seeing what numbers pop out in the coming years. Ideally we'll see more stats like this coming out of the credit agencies and financial institutions, but I'm not holding my breath.

(Full disclosure: I have no business relationship with Debix, but am currently enrolled with them with a free press/pundit account).

–Rich