Behavioral Patterns: Does Paul Allen Routinely Shop at the Dollar Store?
On March 28th USA Today reported on the news that co-founder of Microsoft, Paul Allen, experienced what too many people have been subject to before: identity theft. Sources say that Brandon Lee Price, a U.S. soldier in Pittsburgh, has been charged with changing the address (via phone) on the bank account owned by Allen and attempting to redirect funds to a personal account. With the goal of wiring $15,000 to himself, Price then called Citibank to report a lost debit card and had a replacement sent to his home in Pittsburgh. Although most of the alleged crime happened off-line, as Price then made purchases at a GameStop and a Family Dollar store, he is being charged with both wire fraud and bank fraud.
My question to you is: are traditional monitoring and end point protection tools enough to keep ourselves safe? Given the number of breaches and attacks we continue to see publicized, it’s become apparent that these tools clearly aren’t cutting it. Behavioral analysis – whether online or off-line – is helpful in determining typical behavior for an individual user or person. We should be able to monitor whether patterns are in line with the norm.
In the case of Paul Allen’s identity theft, did he have any previous purchasing patterns in Pittsburgh? Does he typically shop at GameStops and dollar stores? Determining whether he has ever changed his address to Pittsburgh or shopped at either of these stores might help determine whether or not these activities were really his. It’s all about identifying what is normal for a specific person, and in this case these activities would be atypical for his normal profile.
When it comes to online behavior, this is exactly why Silver Tail Systems’ behavioral analytics have been so successful. By monitoring behavior per user or per population, we are able to identify whether access to or usage of debit cards, credit cards, pin numbers, accounts, etc. is abnormal and outside of a person or population’s typical profile. Cybercriminals are getting more provocative and disruptive by the day. No one is immune – not even Paul Allen. It’s important for financial and e-commerce institutions to make sure they are protecting their users as thoroughly as possible, both online and off-line, and behavioral analysis is an important piece in that puzzle.
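To make the "what is normal for this person" idea concrete, here is an added example (not Silver Tail's product logic and not code from the original post). It builds a per-user baseline from a constructed purchase history, compares a new purchase against it, and treats each deviation (unfamiliar city, unfamiliar store type, a recent address change) as an independent signal. The decision thresholds and the user names are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed purchase history: (user, city, merchant category). Names and
# entries are made up for illustration; they are not real transaction data.
HISTORY = [
    ("user_a", "Seattle", "grocery"),
    ("user_a", "Seattle", "restaurant"),
    ("user_a", "Seattle", "restaurant"),
    ("user_a", "Portland", "hotel"),
    ("user_a", "Seattle", "grocery"),
    ("user_b", "Pittsburgh", "video_games"),
    ("user_b", "Pittsburgh", "discount_retail"),
    ("user_b", "Pittsburgh", "grocery"),
]


def build_profiles(history):
    """Per-user baseline: how often each city and merchant category appears."""
    profiles = defaultdict(lambda: {"city": Counter(), "category": Counter(), "n": 0})
    for user, city, category in history:
        p = profiles[user]
        p["city"][city] += 1
        p["category"][category] += 1
        p["n"] += 1
    return profiles


def build_population(history):
    """Population baseline: merchant categories seen across all users."""
    return Counter(category for _, _, category in history)


def score_transaction(profile, population, city, category, address_changed_recently=False):
    """Count independent signals that deviate from this user's norm.

    Returns (score, reasons). The policy below is a hypothetical one (an
    assumption, not the vendor's rule): 0 = allow, 1 = allow but log,
    2 or more = hold for review.
    """
    reasons = []
    if profile["n"] == 0 or profile["city"][city] == 0:
        reasons.append(f"city {city!r} not in the user's history")
    if profile["category"][category] == 0:
        if population[category] == 0:
            reasons.append(f"category {category!r} not seen for this user or the population")
        else:
            reasons.append(f"category {category!r} common elsewhere but new for this user")
    if address_changed_recently:
        reasons.append("account address changed shortly before the purchase")
    return len(reasons), reasons


def decide(score):
    """Map the signal count to an action under the hypothetical policy."""
    return "allow" if score == 0 else "log" if score == 1 else "review"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    population = build_population(HISTORY)
    # The scenario from the post: unfamiliar city and store type right after an address change.
    score, reasons = score_transaction(profiles["user_a"], population, "Pittsburgh",
                                       "video_games", address_changed_recently=True)
    print(decide(score), reasons)
```

The same purchase that is routine for `user_b` (Pittsburgh, video games) scores three signals for `user_a`, which is the point of per-user rather than global rules: the anomaly is relative to the individual's own profile, and the address change is what turns "unusual" into "review".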
$114B Lost to Cybercrime in a Year…and This Number is Low!
I was thrilled to see the article by Franz-Stefan Gady talking about the cost of cybercrime. It is clear that cybercrime is currently under-measured. When I was at eBay, I encountered many consumers who were too embarrassed to report thousands of dollars that they sent to criminals. And now that I am working more with large enterprises, I hear them talk about how their losses to cybercrime are factored into their cost of doing business and, therefore, not calculated.
If, as an industry, we are going to be able to combat these threats with the priority they deserve, we need to understand the full impact of the threat against both consumers and enterprises. To be honest, I’m not sure of the best way to do that. It is possible to do much more detailed reporting on a per-consumer or per-enterprise basis. But that would be expensive. Some sort of sampling would be required and that would probably make the measurement problem a bit more tractable. The main issue is how large of a sample you’d need to get accurate results since cybercrime may only impact a very small subset of people/organizations. Luckily, I’m not a statistician and can leave that computation to those of you smarter than me!
It would be great to see the cybersecurity community take this measurement task in hand. While it is lower priority than fighting some of the large emerging threats, it is not much lower in priority in my opinion. Only by understanding the true impact of cybercrime can we determine the best approach to addressing it.
Enterprise Mobile Security: How are You Enforcing it Among Employees?
A recent article in SC Magazine on risky mobile behaviors routine in business focuses on the weakness of enterprise organizations and their policies around mobile device usage. With the rise in corporate functionality and data available online – and now through mobile devices – there is a new inherent threat that these functions will be abused through mobile devices.
It’s become apparent that today’s employees are extremely mobile, always connected and demanding 24×7 access to the corporate network, applications and data via a variety of device types—from laptops to smartphones—irrespective of location. The problem enterprises face today is how to give their employees both flexibility and mobility, while securing the enterprise.
As the mobile device population continues to grow and with the recent rise in man-in-the-mobile attacks, retailers, banks and credit card providers all need to be aware of the potential dangers associated with making online purchases. Not to mention, with the security of the Android platform coming under fire in early March, security professionals are now recognizing the iPhone as an additional concern. This concept of securing the business and freeing the user is a model that many organizations today are trying to achieve, but it leaves fraud protection specialists like me extremely concerned.
My worry is that mobile technology is advancing much more quickly than any technology we’ve seen before and the security measures required to maintain a level of safety are not able to keep up with the advances. Many users, application developers and companies have yet to really understand that man-in-the-mobile is a very real security threat, as apparent from this latest report from McAfee and Carnegie Mellon University.
My recommendation is that if a company wants to enable access to corporate data from personal devices, proper security procedures are necessary to make sure that users’ sensitive information is not compromised. This includes monitoring all transactions that occur on the internal website – whether through a mobile device or a web browser – and making sure any anomalous activity is identified as soon as it occurs. With the future of computing moving at a daunting pace, and with more and more mobile devices operating on the Web, the same foundational Web security principles still apply (monitoring, encryption, anti-virus, etc.). My hope is that security providers can work together to educate customers and ensure they have the tools they need to be better protected.
The ROI of prevention vs. policy
Most websites and e-commerce businesses understand that there is an element to their transactions that involves professional fraud. I’m not talking about the people who forget that they signed up for an online service and therefore do a chargeback on their credit card for their subscription. Instead I’m talking about the criminal element that understands how to take advantage of a website for financial gain.
There are several ways to make money on websites. For example, if the website represents a financial institution, you could steal the password for someone’s account and try to move the money to your own account (or the account of a trusted partner). If the website sells goods you could steal someone’s password and send yourself “gifts” (which you would likely later sell). Or you could buy a stolen credit card, open a new account and send things to yourself, knowing that it is unlikely that the site would detect that they will not be paid for the goods until after they have arrived at your door.
By accepting that some part of their business is going to be fraudulent, many of these websites create policies of how to handle the fraud once it is reported and clean up the incidents after they occur. That’s a simple enough formula.
What if you could change the game, though? What if you could detect the fraud as it is occurring and either prevent it from happening or take action quickly enough that your incurred losses are significantly reduced? It seems like that is a no brainer. Most websites would say “Of course I’d want to change my model such that I could prevent the fraudulent event from happening.” Moving from this ideal to the reality can be tricky though.
The major complication comes from the fact that it can be difficult to justify the cost of implementing a new system. In a hypothetical case, say there is already a system in place that costs $20k/month to deal with the fraud and absorb the fraud losses, and a prevention system will cost $200k to install and $4k/mo to use. Given that the prevention system is so expensive up front, it can be difficult to justify spending money on it. This is misleading for two reasons. First, as the bad guys are essentially “allowed” to perpetuate fraud (because the website does not try to prevent fraud but only tries to find it after the fact), the fraud will continue to grow and the website will become known as an easy target. Second, it’s important to consider the long term implications to the company. A prevention system will significantly decrease the fraud losses experienced by the website and, given that customers will have many fewer negative experiences that they associate with the website’s brand, it is likely that the website will have improved customer loyalty and trust, which often equates to more active customers and, therefore, a higher bottom line. In the end, all of this can add up to a much higher return than focusing on cleaning up the damage after it has been done.
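The hypothetical numbers above ($20k/month to absorb fraud today versus $200k to install plus $4k/month for prevention) are enough to put a breakeven month on the decision. The following is an added example, not from the original post, that models the two paths month by month; the residual-fraud fraction (how much fraud survives the prevention system) and the monthly growth rate of fraud under the policy-only model are assumed parameters, since the post only says that losses will "significantly decrease" and that unchecked fraud "will continue to grow".

```python
def cumulative_costs(months, status_quo_monthly=20_000, growth_per_month=0.0,
                     install=200_000, prevention_monthly=4_000, residual_fraud=0.0):
    """Return (policy_only_total, prevention_total) in dollars after `months` months.

    status_quo_monthly: handling cost plus absorbed losses under the policy-only model.
    growth_per_month:   compound monthly growth of that cost, the 'easy target' effect
                        (assumed; the post gives no figure).
    residual_fraud:     fraction of today's fraud cost that the prevention system does not
                        stop (assumed; 0.0 means it stops all of it).
    """
    policy_only = 0.0
    prevention = float(install)
    monthly = float(status_quo_monthly)
    for _ in range(months):
        policy_only += monthly
        # The prevention path pays its subscription plus whatever fraud leaks through,
        # measured against today's level rather than the growing policy-only level.
        prevention += prevention_monthly + residual_fraud * status_quo_monthly
        monthly *= 1 + growth_per_month
    return policy_only, prevention


def breakeven_month(max_months=120, **kwargs):
    """First month at which the prevention path is cheaper in cumulative terms, or None."""
    for m in range(1, max_months + 1):
        policy_only, prevention = cumulative_costs(m, **kwargs)
        if prevention <= policy_only:
            return m
    return None


if __name__ == "__main__":
    for residual in (0.0, 0.2, 0.5):
        print(f"residual fraud {residual:.0%}: breakeven at month",
              breakeven_month(residual_fraud=residual))
    print("with 5%/month fraud growth and 20% residual: breakeven at month",
          breakeven_month(growth_per_month=0.05, residual_fraud=0.2))
```

With the post's figures and no residual fraud the prevention path is cheaper from month 13 on; at 20% residual fraud it is month 17. The sensitivity to the residual is the number a buyer should press a vendor on, and any growth in the policy-only losses pulls the breakeven earlier.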
To lock or not to lock, that is the question
Many websites believe they have the problem of password guessing solved. They do what is called “account locking”: if the customer enters an incorrect password X number of times – sequentially – the website locks them out. The lockout can be for a specified amount of time or until they contact customer support to get their account unlocked.
I don’t have quantitative data on the number or percent of websites that use this approach, but I am encouraged to see that researchers and others are beginning to understand the deficiencies of using this as a security mechanism. There are two main reasons why account locking doesn’t help with password guessing: negative customer experience and horizontal password guessing attacks.
The customer experience of account locking is important to consider. Because security experts have encouraged people to have different passwords for all of their online accounts, consumers now must remember dozens of passwords. When logging in to a particular website, it would not be uncommon for the average person to have to try several different passwords before they remember the one that is correct for that site. In the case of account locking, it is likely that the consumer will get locked out of their account when they are trying their various passwords and this results in a negative customer experience.
The responses consumers have to getting locked out can vary. On one extreme, the customer waits until the lockout period has ended (sometimes you know how long you are locked out, but a lot of times you don’t). In the middle of the extremes, the customer either calls customer support or, in the case of a bank, goes to a brick and mortar branch of the bank to perform their transaction. On the far end of the extreme, the customer decides to take their business somewhere else.
Although I have not seen hard data on the cost of account locking to websites and especially financial institutions, I’m guessing that the cost of the customer support calls, branch visits, and customer attrition are not negligible.
One bank tried a unique approach to avoid using password lockout: it implemented a CAPTCHA (the fuzzy numbers in the box you must type in to prove you are human and not a computer) for every login. They implemented the feature without any user testing, thinking this would eliminate password guessing. They ended up with so much negative push back from their customers that they had to take the feature off. This was a clear case where the true cost of the solution (an extremely negative customer experience, in this case) ended up costing more than the problem (password guessing).
The second problem with account locking is that it doesn’t protect against horizontal password guessing attacks. It’s true that if I decide I want to access Joe Smith’s account and I know Joe Smith’s userID, I can try lots of passwords on his account – and probably get locked out. But what if I just want to get access to as many accounts as possible? For example, say the limit for password tries before lockout is 5, I could try 4 passwords on lots of accounts. If I did this for one day and then waited until the next day to try 4 new passwords on the same accounts, I might have a decent success rate. And if I’m a smart bad guy and I know the most popular passwords on the Internet (see our earlier blog post on how most bad guys already know this), then I will probably be even more successful.
In security, it’s always important to balance a negative customer experience with the amount of protection gained. In the case of account locks, I would say that there is more inconvenience being foisted onto consumers than the security increase warrants. That doesn’t mean that websites shouldn’t protect against password guessing – they should. But it would be better to do so in such a way that the system detects actual password guessing and responds to that. This way the consumer is not inconvenienced and the bad guy is not able to take advantage of the system.
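To show why a per-account lock misses the horizontal case while a detector that looks at the guessing itself does not, here is an added example (not Silver Tail's product logic and not code from the original post). It runs both rules over a constructed login log: the classic "5 sequential failures on one account" lock, and a per-source rule that counts failures across distinct accounts within a time window. The log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

LOCK_THRESHOLD = 5      # per-account lock after this many sequential failures (post's example)
WINDOW_SECONDS = 600    # assumed sliding window for the per-source rule
SOURCE_MIN_FAILURES = 10
SOURCE_MIN_ACCOUNTS = 3

# Constructed log: "<epoch seconds> <source address> <account> <FAIL|OK>".
# 203.0.113.7 tries 4 passwords on each of three accounts (stays under the lock),
# 198.51.100.5 is a real user who needs five tries, 192.0.2.44 hammers one account.
LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 alice FAIL
1002 203.0.113.7 alice FAIL
1003 203.0.113.7 alice FAIL
1004 203.0.113.7 bob FAIL
1005 203.0.113.7 bob FAIL
1006 203.0.113.7 bob FAIL
1007 203.0.113.7 bob FAIL
1008 203.0.113.7 carol FAIL
1009 203.0.113.7 carol FAIL
1010 203.0.113.7 carol FAIL
1011 203.0.113.7 carol FAIL
1100 198.51.100.5 dave FAIL
1101 198.51.100.5 dave FAIL
1102 198.51.100.5 dave FAIL
1103 198.51.100.5 dave FAIL
1104 198.51.100.5 dave OK
1200 192.0.2.44 eve FAIL
1201 192.0.2.44 eve FAIL
1202 192.0.2.44 eve FAIL
1203 192.0.2.44 eve FAIL
1204 192.0.2.44 eve FAIL
1205 192.0.2.44 eve FAIL
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (FAIL|OK)$")


def parse(log):
    """Parse log lines into (timestamp, source, account, succeeded); skip malformed lines."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append((int(ts), src, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def per_account_lockout(events, threshold=LOCK_THRESHOLD):
    """Accounts the classic rule would lock: N sequential failures on one account."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, ok in events:
        if ok:
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
    return locked


def per_source_detector(events, window=WINDOW_SECONDS,
                        min_failures=SOURCE_MIN_FAILURES, min_accounts=SOURCE_MIN_ACCOUNTS):
    """Flag a source whose recent failures are spread across several distinct accounts.

    Returns a list of (source, timestamp, failures_in_window, sorted accounts), one per source.
    """
    recent = defaultdict(deque)  # source -> deque of (timestamp, account) failures
    alerts, flagged = [], set()
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u in q}
        if src not in flagged and len(q) >= min_failures and len(accounts) >= min_accounts:
            flagged.add(src)
            alerts.append((src, ts, len(q), sorted(accounts)))
    return alerts


if __name__ == "__main__":
    evs = parse(LOG)
    print("locked by per-account rule:", per_account_lockout(evs))
    print("flagged by per-source rule:", per_source_detector(evs))
```

The account rule locks only `eve`, the one account that was hit vertically, and says nothing about `203.0.113.7` even though it produced twelve failures; the source rule flags that address after its tenth failure across three accounts. Meanwhile `dave`, the customer cycling through remembered passwords, is neither locked nor flagged. A production version would key on more than the source address (attackers rotate them) and would respond to the source, for example with a challenge or rate limit, rather than locking the victims' accounts.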