Online fraud: the search for the missing link

Trusteer's release on the connection between phishing and individual's loss of log in information is quite interesting; what's needed for the financial technology and security now is to create an actual correlation between these two events (everyday online consumer behavior and criminal activity) and the final "missing link" of actual transactional fraud. Theories over the correlation between consumer behavior and fraud abound, yet empirical correlation has thus far been entirely elusive. As the founder of the company that has conducted over 20,000 phone-based interviews to determine the actual correlation between consumer victim behavior and transactional fraud (based on an ever-expansion of original US Federal Trade Commission methodology), I know well the limits of research. My conclusion thus far is that there is much damage being done in both the cyber and traditional realms, yet education and prioritization remains challenging for security professionals due to limits on research data. It's not clear to me how Trusteer made their calculations, but the findings seem within the realm of distinct possibility. Note that our data show the average ID fraud victim (of both new and existing account activity) suffering nearly US $5000 in fraud and $496 and 30 hours of personal impact. A key limiting factor is that fully 65% of victims cannot confidently correlate crime #1 (how the data was accessed) with crime #2 (how the fraud was conducted). Bankers, consumers and third party experts must continually adapt to the latest threats, and we're in the middle of releasing a trio of related reports (Bank Safety Scorecard, Web App threats, and integration of OWASP standards) on how to do this. Note that our web apps report will show that nearly half of all top US banks are not encrypting various aspects of customer web communication forms. Each year we continue to learn more and more about this crucial correlation, and 2010 will be no exception. Yet the missing link is empirical evidence between how the data was accessed and how the criminals misused the data for financial gain.