Quick! Learn Some Russian!
Posted on March 15, 2012
Yesterday, I was giving a webinar with the Head of the RSA FraudAction Research Labs, Etay Maor. He shared some interesting intelligence about Citadel, one of the latest ZeuS offspring. The RSA research labs performed analysis on the Trojan and translated some language in its “user agreement,” which says, “Important: Our software does not work on Russian-language systems. If a Russian or Ukrainian layout is detected, the bot terminates. This is done to prevent installs on CIS systems. You may disagree, but that’s taboo for us.” This is indicative of a couple of things: It underscores the fact that many of the cybercrime …
SOPA, PIPA, and the Law of Unintended Consequences
Posted on January 20, 2012
Everyone heading to Wikipedia on January 18 to get the latest factoid on Pippa Middleton had an unpleasant surprise. In protest of another PIPA, the proposed U.S. Senate legislation known as the Protect IP Act, and the companion bill in the House, the Stop Online Piracy Act (SOPA), Wikipedia and a host of other online sites shut down for 24 hours. These bills are designed to stem online piracy, and would give the U.S. Justice Department the ability to censor foreign sites that harbor pirated material. The bills would also require payments providers, online advertisers, and ISPs to cut ties with the offending sites. The challenge is that …
Auction Triangulation: The Bad Guys Do Their Homework
Posted on October 14, 2011
Yet another sign that the bad guys do their homework is manifest in the increasing sophistication of auction triangulation fraud. At the first annual Threatmetrix user conference this week, a fraud investigator from a large e-commerce site walked attendees through some of the latest scams hitting his site. One of the most interesting cases involved auction triangulation. Auction triangulation takes place when a criminal posts an item for sale on an online auction site for substantially less than the retail ticket price of the item. Let’s say it’s a MacBook Pro. An innocent consumer goes to the auction site and …
Parents, Raise Your Shields!
Posted on September 8, 2011
I was speaking with the fraud-prevention head of a large U.S. financial institution yesterday, and I asked him about the root causes of the biggest pain points for his bank. He named two of the usual suspects — corporate account takeover and debit card fraud. He also said that child identity theft is on the rise, and that it’s currently a threat flying below the radar. In short, criminals acquire the Social Security number (SSN) of a minor and use it to transact on the minor’s behalf. When these minors come of age and try to apply for credit, they …
The EMV Train Is Picking Up Steam
Posted on September 7, 2011
MasterCard is the latest network to add its weight behind EMV (Europay, MasterCard, and Visa) in the United States. While details remain scant, a number of industry sources say that MasterCard issued an August 31 bulletin to member banks announcing an initiative related to EMV at the ATM. The initiative will push ATM owners to equip their ATMs to facilitate EMV by April 2013. After that date, the ATM owner will bear the liability for EMV-capable cards that are skimmed when transacting at an ATM that does not support EMV. The 2013 time frame seems quite aggressive — that’s a blink of …
Why So Much Cybercrime? A Freakonomics Quorum Discussion
Posted on August 15, 2011
Freakonomics recently asked me to contribute to a quorum discussion on the rise of hacking and cybercrime. The premise was this: Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches? You can read the full debate on the Freakonomics site. The following is my response to that question. Hacking and malware attacks are on the rise, and that trend will only continue to grow. Many of the headlines about data breaches over the last several months reflect the concerted effort …
Coming to America: EMV
Posted on July 28, 2011
While it’s been a long time coming, it looks like EMV is finally headed for the U.S. market. In a recent Aite Group survey of 76 card security risk management executives, the majority of respondents said they believe that EMV will come to the United States sometime in the next five to 10 years. The survey also tracked emerging bullishness relative to EMV’s prospects. When Aite Group asked a similar population the same question in 2009, 36% believed that EMV would never make it to the United States. Today, only two years later, the portion that doubts EMV’s chances is …
FFIEC Guidance: Why Did This Take So Long?
Posted on June 29, 2011
The updated Federal Financial Institutions Examination Council (FFIEC) guidance on online fraud mitigation has finally been released. My first reaction: Why did this take more than six months to finalize? The preliminary draft of this guidance was published on the National Credit Union Administration (NCUA) website last December, and a side-by-side comparison reveals very few changes. With all of the activity and commentary on the preliminary draft, I expected to see more adjustments to this iteration. The only significant changes are as follows: The recommendation that institutions consider offering multifactor authentication to retail customers has been removed from that section and added …
Don’t Tell Your Customers to “Click Here”!
Posted on June 9, 2011
I opened an email from my bank the other day. It was a standard marketing piece, advertising the bank’s credit card rewards program. Working in the fraud prevention field makes me cautious at best about these types of communications, and paranoid at worst. I read through to the end of the email, where it said “If you are concerned about the authenticity of this email, click here.” “Click here”? Really? The last thing a bank should be encouraging customers to do is “click here” if they have concerns about the authenticity of any email. According to Panda Security, 73,000 new malware threats were released …
Finovate Spring 2011: Speed Dating in Financial Services
Posted on May 17, 2011
Finovate Spring 2011 has come and gone. For those of you unfamiliar with Finovate, it’s the conference version of speed dating. Over a two-day period, 64 companies are given seven minutes apiece to demo innovations in financial technology. There were a few overarching themes among the presentations this spring — most notably a variety of flavors of merchant-funded rewards. Here are my thoughts on highlights and lowlights of the two days: Silver Tail Systems: Silver Tail gave an interesting demo of their Web behavior analytics solution. The company was founded by a PayPal alum who brings a wealth of knowledge …


