Hi Ketharaman - thanks for the comment! You're right that UX consistency is important. However, today there are a lot of controls in place that disrupt the UX due to all sorts of security and risk policies: you're accessing from a new and untrusted device, or from out of the country, or you're moving much more than you normally do (well, in these troubled times of social distancing, moving irregular sums of money online for the first time is actually pretty expected, as you cannot use checks or cash). In those cases there is a 'user escalation' - a transaction can be blocked, or you might need to approve it using a one-time code, or someone from the bank may need to contact you. These user escalations are normally not very effective: criminals find ways around them, and honest people just get bothered. The idea of using invisible layers of visibility such as device intelligence and behavioral biometrics is to get a firm understanding of whether this activity is good or bad without any change to the UX. So, completely friction-free. This can override more crude controls and actually improve the UX, and it's also much more effective in terms of catching fraud.
With regards to APP fraud, the banks are now using a clever combination of payee name verification, device intelligence, behavioral biometrics and risk-based messaging to the users, in addition to education. It's always a mix of controls and technology that can fight sophisticated attacks...
27 Apr 2020 14:42
Hats off to the FBI, Justice Dept. and international law enforcement. SpyEye was a gargantuan operation, and the arrest of Harderman made more ripples in the fraud underground than any prior hit on key members of the dark economy. Panin did have a gift for designing sleek UIs, though, and paved the way to a lot of modern Trojans with groovy graphics. Anyway - well done, folks.
21 Apr 2016 16:34
Forgot to mention: my colleague Oren Kedem added some other findings in a Dark Reading article: http://www.darkreading.com/while-brazilians-watch-world-cup-bank-fraudsters-are-at-work/d/d-id/1297223
12 Jul 2014 17:52
Agree with the comments. I recently blogged about this...
https://www.finextra.com/blogs/fullblog.aspx?blogid=8133
Bottom line: security must be balanced with usability, otherwise it defeats its purpose. Having too much security is like having a car with brakes that won't let you move much. You'll say thank you very much, and just pick up another car. I call it 'choosing the path of least security', which is our human nature, as opposed to the implied conclusion in the Which? report, which is that people appreciate security much more than they appreciate ease of use.
30 Sep 2013 20:12
Hats off to the arrests. I wrote a commentary on this heist here.
10 May 2013 10:03
Yes, it is better to use a passphrase than a password. Using 'brute force' attacks against a long passphrase - say, 20 characters - takes too much time. And you can memorize it better. But let's also understand that if everyone moves to passphrases, rainbow tables will be calculated for common phrases, and common words used in various combinations.
So for example the following passphrase "Doctor Livingstone I presume" is far better than R9x$k32(; - and far more memorable - from a brute force perspective. On the other hand, it's more likely that a rainbow table entry will be created for such a trivial passphrase (to save you time, evil hackers, the hash for this passphrase is: 8c3561cda2c346758895f42084bff6e2d5369ff4).
So when creating a passphrase, avoid obvious choices such as "Me Tarzan You Jane" or "Live Long And Prosper". But you can 'salt' it easily with some other characters: for example, "Live!Long and Prosper" adds a bit more cracking difficulty and isn't too hard on the memory.
20 Jun 2012 11:44
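As an added illustration of the brute-force versus precomputed-table trade-off discussed in the comment above (example code written for this page, not the commenter's): the phrase list is constructed, SHA-1 stands in for whatever unsalted hash such a table might target, and the defender-side storage uses PBKDF2 with a random per-user salt.

```python
import hashlib
import math
import os

# Constructed phrase list standing in for a precomputed ("rainbow") table of
# popular passphrases; the entries are illustrative, not from any real table.
COMMON_PHRASES = [
    "Me Tarzan You Jane",
    "Live Long And Prosper",
    "Doctor Livingstone I presume",
]

def brute_force_bits(alphabet_size: int, length: int) -> float:
    """Work factor, in bits, for exhaustive search of a character space,
    assuming the attacker knows nothing about the secret's structure."""
    return length * math.log2(alphabet_size)

def unsalted_digest(passphrase: str) -> str:
    """Plain SHA-1, no salt: identical input always gives identical output,
    which is exactly what makes a precomputed table pay off."""
    return hashlib.sha1(passphrase.encode()).hexdigest()

def build_table(phrases):
    """Precompute digest -> phrase once; every later lookup is O(1)."""
    return {unsalted_digest(p): p for p in phrases}

def lookup(table, digest):
    """Recovered phrase, or None when the digest is not in the table."""
    return table.get(digest)

def stored_hash(passphrase: str, salt: bytes, iterations: int = 100_000) -> str:
    """Defender-side storage: random per-user salt plus a slow KDF (PBKDF2),
    so a table of unsalted digests cannot be reused against it."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations).hex()

def demo() -> dict:
    table = build_table(COMMON_PHRASES)
    phrase = "Live Long And Prosper"
    return {
        # 9 random printable characters (95 symbols) vs a 28-character phrase (letters + space)
        "random_9_bits": brute_force_bits(95, 9),
        "phrase_28_bits": brute_force_bits(26 * 2 + 1, 28),
        # the trivial phrase is recovered instantly from the table...
        "plain_phrase": lookup(table, unsalted_digest(phrase)),
        # ...the user-side tweak is not (though attackers do add mangling rules to tables)...
        "tweaked_phrase": lookup(table, unsalted_digest("Live!Long and Prosper")),
        # ...and with per-user salts the same phrase never hashes the same twice
        "salted_differs": stored_hash(phrase, os.urandom(16)) != stored_hash(phrase, os.urandom(16)),
    }
```

The bit counts only describe exhaustive search; once a phrase is in a table, its real cost to the attacker is one lookup, which is why the storage side needs the salt regardless of how the user picks the phrase.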
One correction: in the original post I said Nimkey triggers every EU country but France; in fact it's every country but Liechtenstein. I've made the correction in the actual text, but wanted to draw people's attention to this, as Holcim, the cement company hit by Nimkey, was able to recover 600,000 out of 1,600,000 stolen permits - and these 600,000 were moved to the Liechtenstein registry. See here.
This can't be a coincidence.
09 Dec 2010 16:42
Quick update: turns out Nimkey related incidents are already happening. I wasn't aware of it when writing this:
http://uk.reuters.com/article/idUKLDE6AT1XP20101201
The scale of the theft is really big: in the February phishing attack there were 250,000 permits worth 3 million euros that were stolen. Here we talk about 1.6 million carbon permits stolen from just ONE cement company in Romania.
That's 25 million dollars in a single hit. Out of that, 9.5 million were still not traced to the final destination.
01 Dec 2010 15:08
Matt – fair enough. I related more to the discrepancy between the build-up and what was actually delivered. And, in a way, to the discrepancy between the magnitude of the leak and the actual media nuggets coming out of it. I’m just saying my expectations were several orders of magnitude higher: I expected a 10 on the Richter scale, and instead got a dozen or so 5ers or 6ers.
But that’s just my impression, and I welcome folks to say what they think about the recent leaks. As well as on this ZeusiLeaks series idea. I know you have to go through the hassle of logging in to comment, but your opinion counts!
01 Dec 2010 09:16
One note: several people asked me what RSA eCommerce Transaction Monitoring data is all about, so I’m providing an explanation below. Since it’s now summer time, and people tend to doze off easily, I am NOT recommending it except for those who really want to get some deep dive on eCommerce (online shopping) fraud and how programs like Verified by Visa and MasterCard SecureCode handle it.
***
The data relates to online shopping at eCommerce merchants representing 70% of 3D Secure traffic in either low-cost holidays or auto insurance, using cards that belong to 3 of the Top 5 UK issuers, during April 2010.
It doesn’t talk about bottom-line fraud, only attempted fraud. The vast majority of these eCommerce fraud attempts are stopped by a combination of visible defences such as Verified by Visa and MasterCard SecureCode, with invisible defences such as transaction monitoring and real-time data sharing between the card issuers.
Here it’s important to note a common misconception about these online authentication schemes. From time to time you read research reports saying these programs, designed a decade ago, offer little resistance to today’s sophisticated fraud tools. But the reality is that eCommerce protection is far more effective than people think. According to the UK payments administration report, Internet card spending has risen by almost 200% over the last five years to £55.6 billion. At the same time, eCommerce fraud grew only 31% to £153.2 million.
Let us translate these figures to basis points (100 basis points equals 1% of the spending). In 2004, eCommerce fraud amounted to 63 basis points. In 2009, it amounted to 28 basis points.
The main difference between 2004 and 2009 is the adoption of Verified by Visa and MasterCard SecureCode by UK merchants. In 2004 it was a fraction of eCommerce; today roughly half of eCommerce is protected by these schemes.
But that’s only part of the story. In 2004 the card issuers had to handle the eCommerce fraud using the same tools that stop face-to-face fraud: neural networks relying on a relatively flat set of data points. But in 2009, almost all the UK card issuers deployed sophisticated behind-the-scenes dedicated eCommerce transaction monitoring tools that look at factors such as the IP address and geo-location of the transaction and the user’s device fingerprints. They also share fraud data in real-time, and make sure the findings of one fraud department – say, that a certain Internet Café IP address is used for a growing amount of eCommerce fraud transactions – are shared instantly (and anonymously) with every other fraud department in the country.
As a result, the combination of visible cardholder authentication and invisible monitoring is quite lethal to fraud. RSA powers most of the Verified by Visa / MasterCard SecureCode services as well as the behind-the-scenes eCommerce transaction monitoring for the majority of US and UK banks; RSA data shows that the combination of a merchant using 3D Secure and an issuer deploying state-of-the-art eCommerce fraud detection systems brings fraud levels in the UK to 11 basis points on average, with many issuers experiencing far lower rates. That’s bottom-line losses; in terms of attempted fraud, that’s far higher.
So let us do some math: 28 basis points is the average in the UK, and 11 is the average for 3D Secure. About half of the eCommerce in the UK runs through 3D Secure, and this means that websites NOT protected by it suffer from an average of 45 basis points, or four times the level of fraud seen on sites protected by 3D Secure. That’s MASSIVE.
26 Aug 2010 12:31