Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Behavioral Patterns: Does Paul Allen Routinely Shop at the Dollar Store?

On March 28th, USA Today reported that Microsoft co-founder Paul Allen experienced what too many people have been subject to before: identity theft. Sources say that Brandon Lee Price, a U.S. soldier in Pittsburgh, has been charged with changing the address (via phone) on the bank account owned by Allen and attempting to redirect funds to a personal account. With the goal of wiring $15,000 to himself, Price then called Citibank to report a lost debit card and had a replacement sent to his home in Pittsburgh. Although most of the actual crime was committed off-line, as Price then made purchases at a GameStop and a Family Dollar store, he is allegedly being charged with both wire fraud and bank fraud.

My question to you is: are traditional monitoring and endpoint protection tools enough to keep ourselves safe? Given the number of breaches and attacks we continue to see publicized, it’s become apparent that these tools clearly aren’t cutting it. Behavioral analysis – whether it be online or off-line – is helpful in determining typical behavior for an individual user or person. We should be able to monitor whether patterns are in line with the norm.

In the case of Paul Allen’s identity theft, has he had any previous purchasing patterns in Pittsburgh? Does he typically shop at GameStops and Dollar Stores? Checking whether a change of address to Pittsburgh fits his history, or whether he has ever shopped at either of these stores, might help determine whether or not these activities were really his. It’s all about identifying what is normal for any specific person, and in this case these activities would be atypical for his normal profile.

When it comes to online behavior, this is exactly why Silver Tail Systems’ behavioral analytics have been so successful. By monitoring behavior per user or per population, we are able to identify whether access to or usage of debit cards, credit cards, PIN numbers, accounts, etc. is abnormal and outside of a person’s or population’s typical profile. Cybercriminals are getting more provocative and disruptive by the day. No one is immune – not even Paul Allen. It’s important for financial and e-commerce institutions to make sure they are protecting their users as thoroughly as possible, both online and off-line, and behavioral analysis is an important piece in that puzzle.

March 30, 2012 | behavior analysis, Fraud, Online Fraud

E-Commerce Exploitation on the Rise

Earlier this month, Elinor Mills from CNET wrote an article about logic flaws in e-commerce software that can easily be exploited to cause inconsistencies between the merchants and the CaaS (Cashier-as-a-Service) systems.

Basically, a cybercriminal looking to take advantage of an online merchant can trick the system by sending slightly different messages to each party – allowing them to “swap items after payment is made, reuse previous payment proof for a new item, pay himself or herself to get valid proof of payment to fool the merchant, self-sign a proof of payment, or add more items to the cart while the cashier is processing the payment.”
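The flaws quoted above all come from the merchant accepting a payment proof that is not tied to one payee, one frozen cart, one amount and one use. The following merchant-side check is an added example, not code from the CNET article or from any real cashier service; the shared key, field names and merchant id are assumptions made for illustration.

```python
import hashlib
import hmac
import json

CASHIER_KEY = b"constructed-demo-key"   # hypothetical merchant/cashier shared secret
MERCHANT_ID = "merchant-42"             # constructed payee identifier
_used_txn_ids = set()                   # payment proofs already redeemed


def sign_proof(txn_id, payee, order_id, amount_cents, key=CASHIER_KEY):
    """Cashier side: MAC over every field the merchant will rely on."""
    msg = json.dumps([txn_id, payee, order_id, amount_cents]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def cart_digest(items):
    """Digest of (sku, qty, unit_price_cents) tuples, used as the order id."""
    canon = ";".join(f"{sku}x{qty}@{price}" for sku, qty, price in sorted(items))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def verify_payment(proof, cart_items):
    """Return (ok, reason) for a proof relayed through the shopper's browser."""
    expected = sign_proof(proof["txn_id"], proof["payee"],
                          proof["order_id"], proof["amount_cents"])
    if not hmac.compare_digest(expected, proof.get("sig", "")):
        return False, "bad signature"              # self-signed or altered proof
    if proof["payee"] != MERCHANT_ID:
        return False, "paid to wrong party"        # shopper paid himself
    if proof["order_id"] != cart_digest(cart_items):
        return False, "cart changed after payment" # items swapped or added
    total = sum(qty * price for _, qty, price in cart_items)
    if proof["amount_cents"] != total:
        return False, "amount mismatch"
    if proof["txn_id"] in _used_txn_ids:
        return False, "proof already used"         # replay of an old proof
    _used_txn_ids.add(proof["txn_id"])
    return True, "ok"
```
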

As we know, e-commerce is a green field for cybercriminals and this could pose a potential nightmare – particularly as the market for online shopping continues to grow exponentially. During my days of fighting fraud at one of the largest online retailers, fighting fires reactively became the norm, but the key is to be proactive and not wait until your customers are the ones telling you something bad has happened.

In today’s fast-paced environment this is of course easier said than done. However, a plethora of technologies exist to improve online security, including encryption, authentication, anti-virus, digital certificates, real-time monitoring and more. In my opinion, real-time monitoring is imperative for fraud prevention. It allows teams to rapidly identify normal vs. abnormal behavior and immediately identify and stop malicious activity. Not only does this enable organizations to prevent significant damage, but it also allows them to recognize the same attack in the future. Any other opinions on security essentials for e-commerce? Would love to hear them!

April 26, 2011 | Fraud, information security

Heartland response – Minimizing the damage of breached data

Bruce Schneier often talks about the response to data breaches, like the recent Heartland incident.  In a recent post, Bruce discussed how data breach notification laws encourage companies to improve their security.

While I’m all for encouraging companies to improve their security and see how breach notification laws can help with that, now that a breach has occurred, the next step should be to try to minimize the subsequent damage.

One method for minimizing data loss might be a bit controversial, but could also have a major impact on identifying the use of the stolen cards.  Here’s the idea (try not to judge it until you read the rest of the post): The credit card companies that cancel the impacted cards should privately publish the canceled card numbers to merchants.

This probably needs more explanation.  If the credit card companies had a certain set of merchants where they had very good working relationships – maybe some of the large online merchants, for example – they could give those merchants the list of card numbers that had been canceled.  Then those merchants could look for the canceled cards being used and flag that activity – and anything associated with it – as suspicious.  Since it is likely the bad actors will use the cards in batches and they won’t know which cards were canceled versus which were not, this is one way the credit card companies could help minimize the damage to the merchants.
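A sketch of how a merchant could act on such a list, added here as an illustration and not taken from any card network's or merchant's system: it flags transactions that use a canceled card, then flags other activity that shares an account, IP address or shipping address with those hits. The record layout, the linking attributes and all sample values are constructed.

```python
from collections import defaultdict

# Attributes used to tie other activity to a canceled-card hit (an assumption).
LINK_ATTRS = ("account", "ip", "ship_to")

# Constructed sample data: card numbers and addresses are not real.
CANCELED = {"4000000000000001"}
SAMPLE_TXNS = [
    {"id": "t1", "card": "4000000000000001", "account": "acct-9",
     "ip": "203.0.113.7", "ship_to": "12 Elm St"},
    {"id": "t2", "card": "4000000000000002", "account": "acct-9",
     "ip": "198.51.100.2", "ship_to": "9 Oak Ave"},
    {"id": "t3", "card": "4000000000000003", "account": "acct-3",
     "ip": "203.0.113.7", "ship_to": "77 Pine Rd"},
    {"id": "t4", "card": "4000000000000004", "account": "acct-5",
     "ip": "192.0.2.10", "ship_to": "1 Main St"},
]


def flag_suspicious(transactions, canceled_cards):
    """Return {txn_id: reason} for direct hits and for activity linked to them."""
    flagged = {}
    tainted = defaultdict(set)  # attribute -> values seen with a canceled card
    # Pass 1: direct use of a canceled card; remember what it was used with.
    for t in transactions:
        if t["card"] in canceled_cards:
            flagged[t["id"]] = "canceled card"
            for attr in LINK_ATTRS:
                if t.get(attr):
                    tainted[attr].add(t[attr])
    # Pass 2: anything else sharing an attribute with a direct hit.
    for t in transactions:
        if t["id"] in flagged:
            continue
        shared = [a for a in LINK_ATTRS if t.get(a) in tainted[a]]
        if shared:
            flagged[t["id"]] = ("shares " + ", ".join(shared)
                                + " with canceled-card use")
    return flagged
```

The second pass is what catches the batch behavior described above: still-valid stolen cards tried from the same account or address surface through their link to the canceled one.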

Some people may be concerned about the privacy of credit card companies sending out credit card numbers.  There are three things to keep in mind about this.  First, the credit card numbers they would send out would not have any other information associated with them – they would just be card numbers.  Second, since the cards themselves would have been canceled, they are no longer owned by any person but are, instead, owned by the credit card companies themselves.  So there shouldn’t be any privacy concerns.  Third, I am not advocating that the card numbers be published on the internet for everyone to see.  Instead, they should be delivered via a secure mechanism only to merchants that are well known, trusted, and are interested in using them to take action.

What would be the right way to make this collaboration happen?

January 27, 2009 | Data Loss, Online Fraud | 4 Comments

   
