After posting this blog, someone sent me the following news piece:
The victim, Karen McCarthy, owner of Little & King, noticed directly before the fraud incident that her computer was infected with a computer virus, later confirmed to be a Zeus Trojan. The bank says that Mrs. McCarthy is responsible because the computer virus infected her machine, enabling the fraud to occur.
http://ow.ly/1bfwz
09 Mar 2010 16:56
I'd like to consider awareness as one line of defense out of many. Certainly a lot can be done to promote awareness, but today's attack methods - drive-by download, social network infection - are so far from the good old phishing days, where you had an actual chance of educating people about the threat, that we can only consider it as one part of the equation.
It's like expecting people not to catch Swine Flu. Yes, you can educate people about that, but you also need government-funded vaccines, antibacterial gel distributed in public toilets, tight monitoring for any violent variants, etc. This discussion is similar to the one I pointed out in "Finger pointing in commercial banking": https://www.finextra.com/blogs/fullblog.aspx?blogid=3792
14 Feb 2010 10:34
The main concern banks have with biometrics is the relatively high level of false rejections. Last I heard, you still have around 10% voice mismatch due to all sorts of reasons. If this goes down to fractions of a percent, then banks will probably look at it closely.
It's less about security concerns (can the system be beaten or circumvented?): by now banks realize that no single technology can stop all fraud. Card issuers realized it long ago; they had to fight card fraud for ages, and the idea was to introduce multiple lines of defense. CVV2 checks in eCommerce were added a while ago and, you'll be surprised, but they are still effective against some forms of attacks such as automatic BIN generation; Verified by Visa was launched a few years ago and half of the UK eCommerce is already VbV enabled; but as some articles pointed out recently, in itself VbV is not a silver bullet - which is why the issuers added an invisible line of defense where every VbV transaction is analyzed in real time and the vast majority of fraud attempts are intercepted. I did some math: the average eCommerce fraud level in 2009 was 40 basis points. VbV fraud levels were 11 basis points on average, for those issuers using the invisible monitoring.
So the bottom line is: don't look at any technology as a silver bullet. Consider the operational aspects as well: how many genuine people will be rejected? How will you validate their identity using another approach?
11 Feb 2010 11:31
Account takeover using telephony is massive in the UK. In an October meeting of the leading card issuers that RSA held in London, every single issuer pointed to account takeover fraud as the number one trend; and most of it is done by calling the issuer and using a mix of social engineering and credentials collected via phishing.
Other than the facts mentioned in this blog, there are 2 additional things to consider: first, fraudsters who do not speak English can use a service running out of Moscow to call UK banks. The service operates 24/7, costs $7 per call, and all you need is the phone banking credentials (which you can phish).
Second, a new attack vector is called Chat in the Middle - see https://www.finextra.com/blogs/fullblog.aspx?blogid=3311
In this attack, fraudsters pop up a fake chat box after you click on a link in a standard phishing email, present themselves as the fraud department of the bank, and ask for your phone number. They'll ask you all the 'security questions' and then say that all is well in your account after all... Then use the stolen credentials to take over the account.
Technologies to stop these are biometrics (which still do not seem mature enough in terms of false rejections and ease of deployment), and Knowledge Based Authentication, in which you're asked multiple-choice questions based on your background; the questions are built in a way that confuses fraudsters but is very 'top of mind' for the genuine users.
11 Feb 2010 11:19
How about paying with your thumb? It's another thing you always carry with you.
11 Feb 2010 11:09
A great example of turning an idea that has been floating around for ages into a laser-focused execution is Better Place. For those not familiar with this American-Israeli startup, here’s a Financial Times article about the massive $350 million funding raised from HSBC to support the company’s ambitious plans. In a nutshell, what Better Place offers is spreading a national grid for charging electric car batteries at homes and offices, so when you go to the office in the morning you plug your electric car into a charger in the parking lot; when you get home in the evening you plug your car into a charger near your house. This way you can drive your electric car for years without ever stopping at a gas station. If over the weekend you take the kids on a country ride and drive over 100 miles (160 km), then you’ll go to one of thousands of battery switching stations spread throughout the country; a robot will switch your battery in 2 minutes and you’re good to go.
The business model for Better Place is: you buy kilometers. Just like with mobile carriers, you subscribe to Better Place, get a subsidized car and the road equivalent of ‘air time’. Your gas bills will change to clean-tech energy bills (as the company guarantees that for every KW of power they take from the national power grid, they’ll produce a clean energy KW using technologies like solar panels and air turbines).
This is a dramatic game-changer for eco-friendly cars. Starting with a focus on the infrastructure instead of the vehicles (which was what car manufacturers did for decades) allows you to quickly bridge the gap between a utopian idea and reality.
If the execution is right, that is.
11 Feb 2010 11:05
Two comments:
First, the reason companies like WoW ban secondary trade in virtual items is that they try to prevent an unstable in-game economy and inflation. They try to fight gold farming by making it illegal. Second Life’s whole economy is based on trading Linden Dollars for real dollars in-game, and they have a team of economists working hard to keep control of the virtual world’s financial system. A stable economy is important for trust, and allows in-game financial institutions such as banks, credit agencies and stock exchange markets to grow. Eve Online has virtual banks with assets that mimic real life financial institutions. But if someone just prints money by paying a sweat shop a cent for a virtual dollar, it skews the virtual economy badly.
Not everyone agrees that banning virtual item trades is the right thing: Sony has a legal virtual item trading platform for Everquest; the argument is “if you can’t beat them, join them” and try to control the situation.
Second note is around balancing security and usability. From Zynga’s perspective, it’s probably right to keep fraud controls at bay and focus on offering a user friendly experience. As long as their account takeover fraud remains low, they can treat the fraud losses from fake applications as cost of doing business, at least until losses reach a painful level. Meanwhile they can prepare the defenses, but use them only when needed.
The real challenge is going to be defending against account takeover because this has a totally different impact on users: you don’t want to wake up and discover your chips gone with the wind or your reputation ruined because some crook signed in as yourself and lost games on purpose. Since authentication in social networks is quite exposed, this poses a serious problem that is more difficult to address than fighting fraudulent new accounts.
14 Jan 2010 08:11
Today’s ATM skimming devices often come with a built-in PIN pad – a touch pad that is glued on top of the ATM pad and effortlessly captures the PIN. When the notorious Chao, master manufacturer of ATM skimming devices, was caught in Istanbul last year, they found over 2,000 fake PIN pads and 1,000 matching skimming devices.
Personally I cover my hand to avoid ‘low tech’ camera capture, but I also look carefully at the PIN pad to see any signs of tampering: is it a new pad, does it look too thick, etc.
Uri Rivner
18 Dec 2009 11:25
Great commentary, Robert. In my review of the reshipping scam I highlighted the scale of recruitment: this single scam, which is just one in hundreds, had 1,925 Americans applying for a job at Air Parcel, a company that doesn’t exist. It’s the tip of a very large iceberg. And it’s fueling the Dark Cloud – without mules it’s very difficult to monetize stolen goods or empty people’s online banking accounts.
I’d say “don’t be a mule” is something that needs to be conveyed nationally – unlike trying to educate people about specific cyber attacks, which is almost mission impossible given the fact it’s such a moving target, educating them for common sense and general awareness is probably not going to be a waste of time.
23 Nov 2009 12:07
I think you've hit the nail on the head. The Dark Cloud is not only a financial industry problem; it is rapidly becoming a consumer and corporate problem. Microsoft is fully aware of the risk that businesses will move a big chunk of their PCs to an alternative OS, and that private users will start asking themselves whether it's time to consider that Mac thingy their neighbor said she used because it's safer.
What are your thoughts on customer education? Any ideas on how to do that?
28 Aug 2009 12:16