Search

Brian Pennington

A blog about Cyber Security & Compliance

Month

January 2013

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement. 

The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised. 

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals  

Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of: ATM during manufacturing, ATM in storage of deployed ATM estates and ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMS for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.

.

Advertisements

EU Commission proposes a comprehensive reform of the Data Protection rules

This week the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and to boost Europe’s digital economy.

The press release states:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

The official press release was a short summary of what will be debated by the politicians. For a more detailed summary, based upon the January 2012 release and other research read my May 2012 post “Proposed European wide Data Protection Act – a review“.

As for the politicians debating the Act before passing it to law it is worth while reading the post “The Information Commissioner provides an update on the European Data Protection Act“.

It is disappointing that the delays will see the revised Act and the improvements in Data Protection and Privacy not being enforced until 2015.

.

RSA’s January Online Fraud Report 2013 including an excellent summary of Phishing in 2012

RSA’s January 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

The total number of phishing attacks launched in 2012 was 59% higher than 2011

It appears that phishing has been able to set yet another record year in attack volumes, with global losses from phishing estimated at $1.5 billion in 2012. This represents a 22% increase from 2011.

The estimated amount lost from phishing this year was affected by the industry median – the number of uptime hours per attack. The median dropped in 2012 (from 15.3 to 11.72 hours per attack, according to the Anti-Phishing Working Group), somewhat curbing the impact of losses overall. If attack medians had remained the same, estimated losses from phishing would have exceeded $2 billion.

There is no doubt phishing still continues to be a persistent threat to all organizations. The RSA Anti-Fraud Command Center is at the forefront of phishing attack shut down. To understand the magnitude of growth however, consider the following fact: at the end of 2011, RSA celebrated its 500,000th attack takedown; that number was achieved over seven years. In 2012 alone, RSA took down almost an additional 50% of that total volume!

The roster of countries most attacked by phishing throughout the year was not surprising; the same countries appeared on the shortlist of the most attacked, the UK, the U.S., Canada, Brazil and South Africa. In Latin America, Colombia and Brazil were the two most attacked countries.

There have been major increases in phishing attack volume in some countries, while slight declines were recorded for others. One of the most significant increases in 2012 phishing numbers occurred in Canada, where attacks increased nearly 400% in the first half of the year. There have been many speculations as to why the sharp increase, but the main reason is simply economics – fraudsters follow the money. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become as lucrative a target for cybercrime.

The list of top countries to have consistently hosted the most phishing attacks throughout 2012 remained nearly identical to 2011.

  1. U.S.
  2. UK
  3. Germany
  4. Brazil
  5. Canada
  6. France
  7. Russia
  8. Poland
  9. The Netherlands
  10. Japan

Phishing targets and tactics in 2012

The past year saw phishing diversify the top aims to include popular online retailers that were targeted via the usual web portals but also through the increasingly popular use of mobile apps for shopping. Other targets on phishers’ lists were airline companies, gaming platforms, mobile communication providers and webmail services.

It appears that malware writers are strong players in the world of phishing kit coding, responding to the demand in the underground and servicing phishers looking for off-the-shelf kit templates or custom written specialty kits. The top requests for phishing kit writers were, unsurprisingly, the login pages of U.S. based banks, credit card issuers and the dedicated login pages for business/corporate users of online banking/investments.

In terms of the tactics used by cybercriminals to launch their attacks, 2012 saw the use of rather simple hosting methods, mainly taking advantage of hijacked websites.

The most prominent trends noted came in the shape of using web shells and automated toolkits to hijack massive numbers of websites and smarter phishing kits containing custom plug-ins such as web-analytics tools. A proliferation of off-the-shelf codes written by black hat programmers, and the use of combined attack schemes to phish users and then redirect them to subsequent malware infection points were noted by RSA forensics analysts.

Global Phishing forecast for 2013

Phishing via Mobile The most prominent market trends relevant to the mobile channel have to do with the growth in mobile device usage in both our personal and work life and the pivotal role of mobile apps. RSA expects to see more phishing directed at mobile device users, particularly smartphones, as we move into 2013. Varying social engineering schemes will target users by voice (vishing), SMS (smishing), app-based phishing (rogue apps), as well as classic email spam that users will receive and open on their mobile devices.

Phishing via Apps Applications are the central resource for smartphone users, and that overall popularity of apps will become just as trendy with cybercriminals.

Nowadays, users download apps designed for just about any day-to-day activity, with the most prominent of those being gaming, social networking and shopping apps. To date, both Apple and Google have surpassed 25 billion app downloads each from their respective stores. In fact, according to research firm Gartner, this number will grow to over 185 billion by 2015.

In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for Web browsing, and developing native apps that supply mobile functionality and brand-based services to enable customers anywhere-anytime access.

Following user behavior trends (and money) in 2013, criminals will drive underground demand for threats and attack schemes designed for the mobile. Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices, and steal data and money from users of different mobile platforms.

Phishing via Social Media In 2008, slightly more than 20% of online users in the U.S. were members of a social network. That number has since more than doubled and stands at around 50% today.

Data collected last year from Fortune’s Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users.

With the world turning into a smaller and more ‘social’ village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience (future victims) to the virtual hot-spots. According to a Microsoft research study, phishing via social networks in early 2010 was only used in 8.3% of attacks by the end of 2011 that number stood at 84.5% of the total. Phishing via social media steadily increased through 2012, jumping as much as 13.5% in one month considering Facebook alone.

Another factor affecting the success of phishing via social media is the vast popularity of social gaming; an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice.

Social media is definitely one way by which criminals get to their target audience, phishing them for access credentials (which are used for webmail at the very least and for more than one site in most cases), as well as stealing payment details they use online.

RSA’s Conclusion

Phishing attack numbers have been increasing annually, and although phishing is one of the oldest online scams, it seems that web users still fall for it which is why it still remains so popular with fraudsters.

With the heightened availability of kits, cybercriminals’ awareness of the latent potential in stolen credentials, and the enhanced quality of today’s attacks, the forecasted outlook for 2013 calls for yet another record year riddled with hundreds of thousands of phishing attacks worldwide.

As of January 1, 2013, the RSA Anti-Fraud Command Center has shut down more than 770,000 phishing attacks in more than 180 countries.

Phishing Attacks per Month

In December, RSA identified 29,581 attacks launched worldwide, marking a 29% decrease in attack volume from November, but a 40% increase year-over-year in comparison to December 2011.

The overall trend in attack numbers showed a steady rise in volume throughout the year, reaching an all-time high in July, with 59,406 attacks detected in a single month, 52% more than 2011’s peak of 38,970 attacks.

Number of Brands Attacked

In December, 257 brands were targeted in phishing attacks, marking a 10% decrease from November. Of the 257 targeted brands, 49% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide banks continued to be the most targeted, absorbing 79% of total attack volume in December. It is not surprising that fraudsters prefer large financial institutions over smaller ones as the potential “victim rate” rises in conjunction with the size of the bank’s customer base. Moreover, information regarding security procedures at larger institutions can be more easily located in open-source searches.

Top Countries by Attack Volume

The U.S. was targeted by the majority of, or 46%, of total phishing volume in December. The UK accounted for 19% of attack volume, while India and Canada remained third and fourth with 8% and 5% of attack volume.

Top Countries by Attacked Brands

U.S. brands were the most targeted again in December, with 28% of total phishing attack volume, followed by UK brands which were targeted by 10% of attacks. Brands in Canada, Australia, India and Brazil were each targeted by 5% of phishing volume.

Top Hosting Countries

In December, the U.S. remained the top hosting country for phishers, hosting 53% of global phishing attacks. Germany and the UK were the second top hosting countries accounting for 5% of hosted attacks.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.

.

Top 20 Most Trusted Companies for Privacy – 2012

Ponemon has released is list of the Top 20 most trusted companies and how they ranked in 2012 and 2011.

Top 20 Most Trusted Companies for Privacy (2012 Rank, 2011 Rank) is below

  1. American Express (1, 1)
  2.  Hewlett Packard (2, 2)
  3.  Amazon (3, 5)
  4.  IBM (4, 3)   /  US Postal Service (4, 6)
  5.  Procter & Gamble (6, 6)
  6.  USAA (7, 11)
  7.  Nationwide (8, 8)
  8.  eBay (9, 4)
  9.  Intuit (10, 10)
  10.  Verizon (11, 12)
  11.  Johnson & Johnson (12, 7)  /  FedEx (12, 15)
  12.  WebMD (13, 9)
  13.  Weight Watchers (14, 17)
  14.  U.S. Bank (15, 16)
  15.  Disney (16, 13)
  16.  Microsoft (17, NR)
  17.  United Healthcare (18, NR)
  18.  VISA (18, 16)
  19.  AT&T (19, 19)
  20.  Mozilla (20, NR)

*NR = Not rated in the stated year

The full article is here.

.

The Information Commissioner provides an update on the European Data Protection Act

David Smith the UK’s Deputy Commissioner of the Information Commission has commented on the progress of the Revise European Data Protection Act.

Put simply, the proposals could prove to be one of the biggest changes to data protection this country has ever seen. Against that backdrop it is no surprise that we’ve been monitoring events in Europe closely, looking at how the initial reform proposals, published by the European Commission in January 2012, might be brought into law.

The process by which this proposal might become UK law is not a simple one, as our overview of the whole process shows. The crucial next step is for the European Parliament and the Council of the European Union to look at this separately before coming together to approve a final text. 

The European Parliament is where the MEPs sit, some 736 of them from across Europe. Much like our own Parliament, the MEPs will sit on several committees. There are five committees directly involved in looking at the data protection reforms: JURI (legal), ITRE (industry), IMCO (internal market and consumer protection), EMPL (employment) and LIBE (civil liberties). LIBE is the ‘lead’ committee. All committees will submit their own amendments before negotiating a consolidated Parliament view which is expected in late April. 

While that is happening, the council are also looking at the reforms. The council is made up of relevant ministers of each member state with responsibility for the issue at hand, although for practical purposes much of the work is done by government officials. For the data protection reform, the UK’s Ministry of Justice takes charge of the regulation, but works closely with the Home Office on the issue of the directive that will apply to law enforcement agencies. The subgroup of the council dealing with this issue is called DAPIX (Data Protection and Information Exchange) and is chaired by the Presidency of the Council – currently Ireland. The ICO has a key role in advising the Ministry of Justice throughout these discussions. 

At the time of writing, the parliamentary committees are well advanced in considering their compromise amendments on both parts of the package. The council, however, has not finished its first round of amendments. Nevertheless, with a timetable to adopt the new rules by the end of June – the end of the Irish Government’s presidency – this is one of the top priorities. The presidency is scheduling in more meetings to ensure that the negotiations can be completed as quickly as possible, to try to keep everything on track. 

Once both the parliament and the council have their consolidated views in what is known as the ‘First Reading’, they will need to negotiate, possibly over the summer if things go well, to get an agreement on the text. Failing this, they will move to the ‘Second Reading’ and further negotiations. 

Some of that negotiation will be around whether the reforms are in the form of a regulation, which will apply directly in every EU Member State, or a directive, which will need to be transposed in a more flexible way into national law. The proposal is for a general regulation with a directive specifically for the criminal justice sector. However there is speculation that this directive will be put on the back burner. This coupled with a move, which we and other data protection authorities are resisting, to confine the regulation to the private sector and develop a new directive to cover the public sector leave the outcome uncertain. Currently both the proposed regulation and the proposed directive allow two years for implementation following their coming into force. However experience suggests that because of its direct effect, implementation of any regulation will, in practice, come more quickly than implementation of any directive. 

In total, this means that the reform process will have taken around six years since the European Commission started its reflections on the matter. While this sounds like a long time we must remember that there are 27 Member States around the negotiating table; that’s at least 12 more than those negotiating our current framework which resulted in the Data Protection Act 1998! Even then the timescale is ambitious. Not many people expect agreement in June this year, but there is an imperative to get a package adopted by 2014 when the European Parliament and the commission are due for re-appointment. 

Crucially, the ICO has been involved throughout, and from several angles. It is extremely important that we, as the responsible regulator, pay attention at this crucial point in negotiations to what the proposals say, understand how they might affect the UK and use what influence we have to achieve a sensible outcome for individuals and businesses alike.

We recently published some of our thoughts on the latest developments which we passed to MEPs and other stakeholders. This builds on our initial analysis which we published last year to provide a core reference point explaining our views on the reforms.

In summary the Act is coming in 2013 but it is imperative that the Act comes because at the moment there are so many things missing that are essential for example mandatory disclosure of breaches and compulsory data officers for all companies over 250 employees. 

Lets hope they resolve it soon.

2013 looks like being a bigger year than 2012 as the ICO starts catching up with the backlog of breaches

2013 has started as 2012 finished off with UK Information Commissioner (ICO) coming down hard on those who breach the Data Protection Act.

So far this January 3 organisations have fallen foul of the ICO:

  1. Sony Computer Entertainment Europe Limited
  2. Mansfield District Council
  3. Prospect Trade Union

Sony Computer Entertainment Europe Limited

Sony Computer Entertainment Europe Limited fined £250,000 after the April 2011 hacking of the Sony PlayStation Network Platform (PSN). That breach resulted in millions of Sony customers having their data stolen including:

  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Account passwords
  • Customers’ payment card details were also at risk.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Mansfield District Council. The council had several incidents of housing benefit claimants personal data being disclosed to the wrong landlord. The ICO has issued a formal undertaking to Mansfield District Council.

Prospect Trade Union. Prospect unfortunately sent two files containing personal details of approximately 19,000 members of the union to an unknown third party email address in error. The ICO has issued a formal undertaking to Prospect.

Both Prospect and Mansfield District Council have agreed “Formal Undertaking”. An undertaking is a detailed and document agreement between the ICO and the organisation that breached the Data Protection Act, specifically how those that have breached the Act will improve their Data Protection regime.

The Sony hack was widely reporting and was a result of an external attack whilst the other two, Prospect and Mansfield District Council were both the result of avoidable human error.

Want to know who was caught in 2012? Read my post 2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

Europol’s Situation Report for Credit Card Fraud 2012 summaries fraudulent activity for credit cards across Europe is a very interesting read. It explains how the criminals act and with what types of techniques and why the Law Enforcement Agencies struggle to catch them.

A summary of the Europol report is below.

  • The criminal market of payment card fraud within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
  • Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around €1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
  • The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud. Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU.
  • The majority of illegal face-to-face card transactions affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking, blocking overseas transactions using EU-issued cards unless they have been activated in advance.
  • Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Prevention and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.

Security of non-cash means of payment is a key factor in the economic stability of the European Union

According to statistics, the total number of payment cards issued in the EU in 2011 reached 726,906,710

The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).

Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services.

Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.

The illicit activities and fraudulent transactions of OCGs performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy.

This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from

  • The European Central Bank
  • European Payments Council
  • European ATM Security Team (EAST)
  • Card schemes
  • Fuel Industry Card Fraud Investigation Bureau (FICFIB)
  • “Some” card issuers (note: why not all?)

Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud is divided into card-present (CP) fraud and card-not-present (CNP) fraud.

The implementation of EMV (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.

As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. In 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals, ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud is on the EU card issuers, which are specific banks in the EU.

Europol note “there has been no specific solution to this problem proposed by the card industry”

There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States. There are also other locations where criminal groups with EU origins are cashing counterfeit cards.

The top six locations are:

  1. United States
  2. Dominican Republic
  3. Colombia
  4. Russian Federation
  5. Brazil
  6. Mexico

This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.

The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant.

As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium, where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).

It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST, 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.

This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.

Investigations into card-present (CP) fraud
Industry reported an increasing number of incidents against ATMs in the EU were 20,244 in 2011 compared to 12,383 in 2010.

The statistics include all types of attacks against ATMs, including

  • skimming
  • using stolen cards
  • physical traps to obtain cash

According to reports provided by EU law enforcement authorities, organised crime groups adjust their profiles and criminal techniques relatively quickly and smoothly. Not only can they produce skimming devices to bypass the latest anti-skimming technology but they also explore new possibilities, including cash traps, prepaid cards or malware, as a source of cash and card data.

Most criminal structures operate internationally so cross-border cooperation is a key to final success. Taking into account that suspects use specific countermeasures, corrupt police officers and hire the best lawyers, investigative measures in such cases are very difficult. The criminals’ use of sophisticated technical equipment forces investigative teams to cooperate closely with forensic experts, who can decode information and analyse seized electronic storage devices. Unfortunately, in most of these cases, investigative measures focus on the criminal activities taking place in the European Union. Law enforcement agencies and judicial authorities, being limited by legal provisions, time frames and financial restrictions, can rarely investigate fraudulent transactions performed overseas.

In practical terms, investigative measures rarely lead to dismantling the whole criminal structure. Judicial authorities press charges mainly for the part of the criminal activities that are performed in the EU, which is usually considered as the preparatory stage and not always associated with any financial losses. Consequently, in the majority of such cases the sentences are relatively lenient and suspects can leave jail on bail. Even if some criminals from an OCG are arrested for a period of time they can be easily replaced by others so that the criminal group is still active.

In June 2011 a global operation, ’Night Clone’ was brought to a successful conclusion with almost 70 suspects arrested in the EU and overseas. The operation had a very big impact and for several months, illegal activities of many other OCGs ceased.

Card-not-present (CNP) fraud
Payment card data is the ideal illicit internet commodity as it is internationally transferable. Europol, in its report on Internet Facilitated Organised Crime concluded that organised crime groups clearly benefit from globalisation, using foreign payment card data to purchase goods and services on-line. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers.

According to Europol’s intelligence, in 2011 around 60% of payment card fraud losses, totalling 900 million euros, were caused by card-not-present (CNP) fraud.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases the quantity of compromised card details is substantial, reaching hundreds of thousands or millions, enabling criminals to sell the bulk data on the internet.

So far most of the credit card numbers misused in the EU have come from data breaches in the US. However, since 2010, Europol have observed a growing number of financial data breaches against EU-based merchants and card processing centres. Most of the investigations into these breaches are based on information on illegal transactions carried out using compromised cards, as the reporting of such attacks by the affected companies is still a weak point.

A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions. The lack of legal provisions on reporting data breaches is not the only problem. One of the key factors making industry reluctant to report incidents to law enforcement authorities is the lack of trust in investigative possibilities as well as the need to maintain the reputations of the respective private entities. On the other hand, the lack of reporting leads to a small number of international investigations and a low level of prioritisation of such cases within LEAs. The problem ends up with the situation where, despite a dynamic increase in CNP fraud, it is not reflected in the statistics of cases reported and investigated by EU police forces. Consequently, since the problem is not reflected in police statistics, this phenomenon is not prioritised and it is difficult to initiate international cooperation in such cases.

From the security perspective, as with the security of face-to-face transactions, there is a lack of common global standards on the protection of card-not-present transactions. Major investments by EU industry have been made in the 3D secure protocol (MasterCard secure code; verified by VISA). However, despite this strong 3D secure verification, it is not a worldwide solution and, even on the EU level, not all on-line transactions are protected with it.

Investigations into CNP fraud and its initial stage data breach is typically very demanding. As identified by Verizon, such cases are usually quite large and complex, often involving numerous parties, inter-related incidents, multiple countries, and many affected assets. In addition to that, as stated earlier, the majority of such cases are not reported to LEAs, as industry mainly focuses on preventive measures rather than relying on the outcome of investigations. The results of internal inquiries are used to improve security measures and rarely focus on the identification of individuals responsible for the breaches.

As far as investigations into illegal on-line card transactions affecting the EU are concerned, they are mainly concerned with:

  • illegal ordering of high value goods on the internet
  • combating networks of mules set up to receive and transfer goods ordered on the internet
  • illegal transactions – purchases of services from travel companies/airlines
  • physical transactions with counterfeit credit cards – with data sourced from the internet
  • investigations into OCGs from the Baltic states and South East of Europe
  • the proper coordination of information – where possible, data breaches should be linked to illegal transactions
  • assets seizure – the network of mules shall be determined in order to localise the entry/exit points of goods

EU Member States reported many constraints and challenges faced during such investigations. The lack of legal provisions for reporting on-line incidents and data breaches, which are usually of an international nature, creates problems in individual cases under the responsibility of the respective MS, including the possibility to connect illegal transactions reported by other countries and decisions on the place of final prosecution. The global dimension and protection of financial and personal data is a major problem as far as the efficiency and time-frames of investigations are concerned. From a practical perspective, the involvement of Russian-speaking, well organised and hermetic structures cause huge problems with regards to infiltrating individuals and collecting evidence on their criminal activities. Since the majority of criminal activities are on-line, the best solution is to task specialised cybercrime teams with such cases.

As there is still little experience on such card-not-present fraud cases where data breaches and illegal transactions make EU companies and consumers the key targets the role of Europol is crucial, to analyse information and spread strategic and operational information, ultimately ensuring the efficiency of investigative measures.

Europol Summary of Credit Card Fraud in 2012
The financial crisis has had a big impact on the approach of private financial services companies and LEAs. Currently, all decisions are thoroughly scrutinised and assessed from an economic and ‘priority’ perspective.

Private industry focus on products and services which bring profit in the first instance. Such companies can accept a certain level of fraud without making any effort to identify the individuals responsible for that fraud. From the law enforcement perspective it is increasingly suggested that, since losses caused by payment card fraud can be easily covered by private industry, there is no point in investing resources on investigations. The problem is even bigger as investigations must be performed on an international level, so the investment must be higher and comes with no guarantee of final success or seizure of assets.

All that leads to the dangerous situation in which the illegal income for members of organised crime groups, reaching 1.5 billion euros a year, is not identified and recovered. It seems that the EU response to the payment card fraud problem is not harmonised or fully supported by all actors card schemes, card issuers, processing centres, law enforcement agencies and judicial authorities.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

Proper coordination of information processing and reporting to the involved countries is critical for efficient investigations. A centralised database is very important to link members of criminal networks, fraudulent incidents and investigations. Europol, having a specialised team with an existing operational database and a newly-created technical platform, can play an important role in such cases.

The missing links that remain are the legal solutions on cooperation with non-EU States and the communication of data with non-EU States and the communication of data with Private Industry.

You may also with to read

.

2012 saw a 5% increase in fraud

CIFAS (Credit Industry Fraud Avoidance System) is a not-for-profit membership association representing the private and public sectors.  CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. CIFAS operates two databases:

  1. National Fraud Database (NFD)
  2. Staff Fraud Database (SFD)

CIFAS’s analysis of fraud trends during 2012 reveals a 5% increase in the overall level of fraud, when compared with 2011. While the rate of the increase has slowed, further key findings present a more complex picture of the true state of the economic crime landscape in the UK:

  • Nearly 250,000 confirmed frauds were identified during 2012 by CIFAS Members, the highest number of frauds ever recorded by CIFAS Members and over 150,000 cases had an identifiable victim.
  • The continued blight of Identity Fraud accounts for over 50% of all frauds recorded in 2012.
  • The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
  • Conversely, frauds committed by the genuine account holder or applicant have all declined: the most notable being the decrease in fraudulent misuse of an account (Misuse of Facility fraud) which fell in 2012 by over 15% from the record levels seen in 2011. There has also been a fall in proven false insurance claims and instances of individuals submitting false details or documents in support of an application. 

The 5% increase in fraud levels recorded during 2012 serves as a reminder of the economic trials currently facing UK businesses and consumers. Nearly 250,000 frauds were identified in 2012. This represents a smaller rate of increase from the 9% surge recorded in 2011, but still constitutes the largest number of confirmed frauds ever recorded in a single year by organisations participating in the CIFAS national fraud data sharing scheme.

CIFAS Head of Communications, Kate Beddington-Brown, comments:

 “Fraud is frequently described as a victimless crime, but this is far from the truth. Whether it is an individual being impersonated, or public and private organisations losing funds due to fraudulent applications and transactions, the net effect is that the economic squeeze gets worse. Fraud acts as an impediment to business recovery and damages cashflow for us all; as losses incurred inevitably get passed on to society at large. The increase in fraud levels, therefore, might be seen as organisations getting better at rooting out fraud, but the implications are clear: increased fraud levels mean that organisations and individuals face a bigger problem than ever before.”

Identity crime: the fraudster’s biggest weapon

The fraudulent use of identity details (either those of an innocent victim or completely fictitious ones) is the biggest and most perturbing fraud threat. 50% of all frauds identified during 2012 relate to the impersonation of an innocent victim or the use of completely false identities.

Furthermore, Facility (or Account) Takeover Fraud – where a fraudster gains access to and hijacks the running of an account (e.g. theft of security details through computer hacking, interception of post details, social engineering through popular websites etc) rocketed by 53% compared with the previous year. This means that those frauds where the criminal requires identity details accounted for almost 2 in 3 (65%) of all frauds in 2012. The number of victims of both types of fraud has when combined also risen by 24% from the levels in 2011; underlining the very real cost of these crimes.

Kate Beddington-Brown notes:

 “These increases serve as a warning and a challenge to organisations and consumers equally. Organisations have invested heavily in updating and refreshing their security processes recently, ensuring that extra steps are taken to validate the identity of people with whom they are dealing. In spite of this, however, identity crimes have continued to rise – demonstrating that far more must be done. Equally, for individuals, It is obvious that fraud relating to personal data is an immense criminal trade so, fundamentally, we all have to do all we can to ensure that we also protect ourselves from becoming a victim, as well as demanding that the organisations we deal with take their security responsibilities seriously”

Frauds by account holders in decline

As problematic for organisations and the economy at large is fraud committed by the actual account holder. One piece of apparent good news, therefore, is that all frauds which come under this first party fraud heading declined in 2012: including misuse of facility fraud (where a legitimately obtained account is used fraudulently by the account holder) which decreased by 15% from the levels of 2011.

A substantial proportion of these frauds still bear the hallmarks of ‘money mule’ activity (where a criminal recruits another party to use his or her account on the fraudster’s behalf), but the decrease is encouraging in terms of consumer behaviour.

Kate Beddington-Brown notes:

“Organisations have invested effort into identifying possible victims of money mule operations and ensuring that their customers are educated about the dangers of misusing accounts, and these figures seem to demonstrate that this message is being heard. Any requests to receive and transfer funds on behalf of a person or organisation should be viewed with suspicion and reported, ultimately, to Action Fraud.”

Misuse of an account, however, is still the second largest type of fraud identified in 2012 and therefore increased attention must also be paid to ensuring that individuals are aware of this.

Kate Beddington-Brown explains:

“In these difficult economic times, the motivation to attempt fraud or the vulnerability to being duped into doing so – is perhaps understandable. Organisations, however, must do all that they can, to ensure that consumers are aware that committing fraud can have very serious consequences: from withdrawal of services to criminal charges. If organisations and consumers alike can stamp out this kind of fraud, extra effort can then be dedicated to preventing those criminals who are responsible for the rise in identity crime.”

CIFAS Chief Executive, Peter Hurst, concludes: “With the cost of living increasing, pay levels frozen for many, benefit changes taking effect and a sluggish economy, it is unsurprising that fraud has increased. Prevention remains better than cure, however, and it is time for all organisations and consumers to start reviewing their approaches to preventing fraud rather than just dealing with its effects. Investment in proper fraud prevention systems and approaches, from online security to data sharing, and education are the cornerstones of such an approach and without them the only thing that is guaranteed is an ever increasing fraud losses to organisations and society at large.”

CIFAS’s summary of  identified fraud cases in 2011 and 2012:

  2011 2012 % Change
Fraud cases identified 236,516 248,325 +5.0%

CIFAS’s summary of the types of fraud undertaken is below:

Fraud Type 2011 2012 % Change
Identity Fraud – Total 113,259 123,589 +9.1%
Application Fraud – Total 43,263 39,868 -7.8%
False Insurance Claim 396 279 -29.5%
Facility Takeover Fraud 25,070 38,428 +53.3%
Asset Conversion 532 337 -36.7%
Misuse of Facility 53,996 45,824 -15.1%
Victims of Impersonation 96,611 112,179 +16.1%
Victims of Takeover 25,250 38,686 +53.2%

You might also want to read

.

Want to be PCI DSS compliant? Here are 5 mistakes to avoid.

Charles Denyer a QSA with NDB has produced a list of 5 Mistakes all people striving for PCI DSS compliance must avoid. 

  1. Not conducting a formal Readiness Assessment.  It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. And by no means should it be looked upon as yet another added cost to the engagement, rather, a proactive and necessary measure for properly defining and understanding many important facet of PCI, which by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important! 
  2. Having no buy in from senior management and others. “Going it alone” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support, have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon.  Remember, setting expectations for PCI compliance is a must, no questions about it. 
  3. Failing to understand PCI Scope.  Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black and white answer? Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance. 
  4. Not conducting Remediation efforts.  As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance.  What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope systems components, not just a chosen few.  A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here!  Simply put, remediate, and remediate all items that are in-scope for an actual PCI DSS assessment. 
  5. Failing to recognize the importance of policies and procedures.  Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures?  Very challenging and time-consuming, just look at the amount of documents that’s required by PCI – policies for this, procedures for that – get the point?  Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures.  As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.

Supporting point 3 there is a good white paper “8 ways to reduce the scope of PCI DSS” here.

2012: “A year of Identity & Fraud” a review by Experian

Experian, a global information services company has posted two summaries of its research and blogs for 2012. I have taken the information that relates to Identity theft and fraud and consolidated it into one post.

In March, Experian revealed its latest research which estimated £1.02 billion worth of online shopping transactions were abandoned the previous year by UK consumers frustrated by old and inefficient identity measures. One in five of these abandoned transactions were not taken elsewhere as individuals cancelled their shopping attempt altogether, resulting in £214 million worth of net lost revenue for UK retailers.

The study, which was conducted for Experian by the International Fraud Prevention Research Centre and included survey data as well as insights from online retailers and the Office of National Statistics, revealed that 44% of UK shoppers had abandoned at least one online shopping transaction in the last year having become frustrated with the length and complexity of certain older forms of identity verification.

Older forms of online identity verification, typically complex, standalone systems drawing on single sources of information to corroborate identity information, are unable to validate as many individuals electronically as modern services. As a result, genuine customers might be forced to call a contact centre, submit physical documents through the post or visit the store or branch to confirm identity. Alternatively, the organisation might choose to accept a lower level of proof, and risk higher levels of fraud, in order to minimise customer inconvenience.

In April, Experian revealed that fraudulent applications for mortgages increased by 8% in the previous year. This was the fifth year in a row in which the rate of mortgage fraud has increased. 34 in every 10,000 applications for mortgages were found to be fraudulent in 2011, compared to just 15 in every 10,000 in 2006.

The overall rate of fraud at point of application across the UK’s financial services sector increased by 4% in 2011, to just over 17 in every 10,000 applications. In addition to record mortgage fraud figures, this overall increase was also driven by growth in insurance and current account fraud. 93% of attempted mortgage fraud in 2011 was down to individuals misrepresenting their personal information on applications. Typically these first party frauds involved falsifying employment status or financial information, and most commonly attempting to hide an adverse credit history.

Experian’s demographic insight revealed that Mosaic groups Terraced Melting Pot (young, poorly educated individuals living in small towns) and Suburban Mindsets (predominantly middle aged, middle and skilled working class individuals) were both responsible for around 15% of first party mortgage fraud cases in 2011. The young, well educated professionals of the Liberal Opinions were also prone to attempting first party mortgage fraud, being responsible for 13% of cases.

Nick Mothershaw, UK&I director of identity & fraud at Experian, comments: “About 70 per cent of financial services application fraud in the UK fraud is down to first parties misrepresenting their circumstances, and the products such as mortgages and insurance that have seen fraud soar over the last year have a significant first party fraud element to them. This kind of fraud tends to originate from financially stressed segments of society.”

  • Insurance fraud. Insurance fraud rates reached 11 in every 10,000 applications and claims in 2011, an increase of 23% over the last year. 89% of insurance fraud was first-party led with the Terraced Melting Pot, Suburban Mindsets and Liberal Opinions demographics responsible for the most instances. Combined they accounted for 43% of cases.
  • Current accounts. The rate of current account fraud increased to 36 frauds in every 10,000 applications in 2011, up from 23 in every 10,000 in 2010. 60% of current account fraud in 2011 was committed by first-parties, almost a quarter (23%) of which was down to the Terraced Melting Pot demographic. The remaining 40% of current account fraud attempts were down to third-party identity fraudsters seeking to open accounts as a springboard to obtain other, more lucrative credit products, or for money laundering purposes.
  • Automotive and credit card fraud rates fall. Not all financial products saw fraud rates increase in 2011. Credit card fraud continued to fall, from 19 in every 10,000 applications in 2010 to 12 in every 10,000 in 2011. The rate at which fraudsters target new credit cards is almost a quarter of the level recorded in 2006, when 45 in every 10,000 applications were fraudulent.  Automotive finance providers have also seen fraud rates fall. 23 in every 10,000 applications were found to be fraudulent in 2011, down from 38 in every 10,000 during 2010. 85% of these frauds were first party.

In May, Experian revealed that Slough had overtaken London to become the identity fraud capital of the UK. The Berkshire town recorded 25 identity fraud attempts for every 10,000 households, with residents targeted at around four times the UK national average (seven households in every 10,000). Residents of London, Gravesend, Birmingham, Luton, Manchester and Leicester were also targeted at twice the national average rate. London as a whole experienced 22 attempts for every 10,000 households, although attempts were not spread evenly across the capital.

Substantial hotspots for identity fraud activity were found in and around London’s Olympic neighbourhoods. Financial service providers detected 78 incidents for every 10,000 households in East Ham, as residents were targeted at more than 11 times the national rate. Woolwich and Stratford also experienced significant identity fraud activity, recording 46 and 43 identity fraud attempts respectively for every 10,000 households.

Whilst the instances of fraud across all financial products remained at a constant level between 2010 and 2011 (six in every 10,000 applications were found to be fraudulent), the data shows that there was a surge in identity theft via current accounts and mortgages during this period, with rates doubling (from six to 14 in every 10,000 applications) and quadrupling (from one to four in every 10,000) respectively.

Identity fraud attempts on credit cards fell from 17 to four in every 10,000 applications.

Fraudsters turn their attention away from the wealthy.

  • For the first time, young people renting small flats from local councils or housing associations represent the demographic most likely to be targeted by identity fraudsters. This group, known in Experian’s Mosaic classification as Upper Floor Living, saw its identity fraud risk score increase by 47% to 256 in 2011. Its constituents are two-and-a-half times more likely than the average UK resident to be targeted.
  • Almost as high on the identity fraud danger list are the Terraced Melting Pot (risk score 242), a group of mostly young people with few qualifications that who work in relatively menial, routine occupations, and live close to the centres of small towns or, in London, in areas developed prior to 1914. The Terraced Melting Pot saw its risk score increase by 75% in 2011.
  • Previously, the wealthy Alpha Territory demographic – representing the wealthiest sections of society living in fashionable London neighbourhoods – were most likely to be targeted. The risk score for this group halved in 2011 (from 301 in 2010 to 149) as fraudsters turned their attentions to younger and less affluent sections of society.

In June, Experian revealed that the financial services industry saw a 16% quarter-on-quarter jump in fraud rates in the period January to March 2012, driven primarily by a significant surge in current account fraud. 19 in every 10,000 applications for financial services were found to be fraudulent in the first three months of 2012, up from 16 in the last quarter in 2011. 44 in every 10,000 current account applications were detected as being fraudulent during the first quarter of 2012, 23% higher than Q4 2011.

The current account extended its position as the most targeted financial product, recording the busiest period for current account fraud ever recorded by Experian. Experian’s data shows that the majority (62%) of current account fraud in 2011 was committed by first-party perpetrators, which typically involves an individual painting a knowingly false portrait of their personal circumstances to obtain services to which they are not entitled. 38% of current account frauds were due to individuals attempting to hide adverse credit histories when opening current accounts or applying for overdrafts.

A further 39% of current account fraud involved product or payment abuse, which included people knowingly attempting to make payments with insufficient funds in their accounts. Attempted insurance fraud increased by 37% quarter-on-quarter, to reach its highest point since late 2009. 13 in every 10,000 applications and claims were detected as being fraudulent during Q1, up from 10 in Q4 2011. 58% of insurance fraud involved some form of product abuse, most significantly the provision of false payment information.

A 56% increase in identity fraud attempts pushed credit card fraud up from 10 cases in every 10,000 applications in the final three months of 2011 to 14 in the first quarter of 2012. Attempted identity frauds on cards leapt from five to eight in every 10,000 applications over the same period.

Nick Mothershaw, UK director of identity & fraud services at Experian, comments: “Experian’s data shows further growth in current account fraud during the first quarter of 2012, mostly emanating from individuals providing false information attempting to open new accounts or obtain overdrafts or making payments they knowingly couldn’t afford. The threat of identity fraudsters seeking to open accounts in the names of unsuspecting third parties, for money laundering or as a springboard to attempt fraud on more lucrative credit products, also remains.  Credit cards have seen a resurgence in identity fraud, while a growing number of financially stressed individuals consider misrepresenting their personal or payment information when applying for insurance, contributing to a significant fraud upswing in the first quarter of 2012.” 

  • Automotive finance. Fraud attempts in the automotive finance sector have declined significantly, down 34% on the previous quarter. There were 18 attempted frauds in every 10,000 applications in the first quarter of 2012, the majority of which were individuals attempting to hide an adverse credit history when applying for automotive finance.
  • Loans. The number of fraudulent loan applications has continued to decrease, reaching the lowest point ever recorded by Experian. Four in every 10,000 applications were discovered to be fraudulent in Q1 2012, 38% lower than the previous quarter. Attempting to hide an adverse credit history continues to be the preferred modus operandi in more than half of attempted loan fraud.
  • Mortgages. Attempted mortgage fraud fell by 5% quarter-on-quarter, with 35 in every 10,000 applications uncovered as fraudulent during the first three months of 2012. Attempting to hide an adverse credit history, misrepresenting employment status and falsifying financial information were the most commonly used tactics employed by mortgage fraudsters during Q1.
  • Savings accounts. Savings account fraud rates were 18% lower in the first quarter of this year than the preceding three months. 12 in every 10,000 applications were found to be fraudulent, with identity fraudsters responsible for more than 80% of cases.

In July, it was reported that fraudsters had traded 12 million pieces of personal information online in 2012, representing a threefold increase on corresponding figures for 2010. Experian data indicated that consumers had an average of 26 separate online logins, but just five different passwords across them all.

Experian advised people to change their passwords on a regular basis and try to make them more complex to keep fraudsters from cracking them.

The full story can be found here.

In August, a special investigation revealed that fraudsters were stealing identities in order to take out multiple mobile phone contracts and walk away with valuable handsets. One man returned from a holiday to discover fraudsters had taken out nine contracts in his name.

Experian said around 200 victims were contacting the company each month for help to restore credit histories that had been damaged by the “mobile communications fraud”.

George Hopkin’s original posts can be found here, part one and part two.

.

RSA’s December Online Fraud Report 2012 including an excellent piece on Ransomware

RSA’s December Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of their report is below. 

Ransomware is a type of Trojan/malware that can lock files on an infected machine and restrict access to the computer unless the user pays a “ransom” for the restrictions to be removed

Infection campaigns and methods used by Ransomware are identical to those used for any other malware/Trojan infection. For example, recent Ransomware campaigns infected users via the Blackhole exploit kit; another campaign relied on drive-by-downloads via malicious tags in news sites and forums. 

Ransomware campaigns can take on a variety of forms. One of the most common scams is using fake anti-virus programs, making a user believe their computer is infected with unwanted software that can only be removed by purchasing the attacker’s special anti-virus program. However, Ransomware campaigns can take on a number of forms including bogus messages from law enforcement or even a recent example in Australia where a medical clinic’s patient records were targeted unless the clinic paid the attackers $4,200. 

Although victims are promised their files will be unlocked once they pay the “fine”, in most cases the botmaster cannot control the infected bot and the files/computer will remain locked (depending on the malware’s function). 

In order for criminals to remain untraceable, Ransomware payments must be kept anonymous and these Trojans’ operators prefer prepaid payment cards/vouchers (available at retail locations in the US, Europe and now in Arabic-speaking countries as well). It appears that Ransomware is a flourishing business in the cybercrime arena since this type of malware has been proliferating, and attack numbers are on the rise. Ransomware is so popular that although this Winlock type malware can come as a standalone piece, nowadays it is often coupled with other Trojan infections to add monetization schemes to new and existing botnets. Ransom components are sold as ‘plugins’ for some of the well-known banking Trojans including Citadel, Carberp, ICE IX, Zeus, and SpyEye. 

New commercial Ransomware

A recent variant analyzed by RSA researchers revealed a new type of Ransomware, dubbed “Multi-Locker” by its operators. This malware appears to be a commercial creation, destined for sale to cybercriminals interested in launching infection campaigns to spread it. The Multi-Locker ransom and botnet administration control panel were written by a Russian-speaking blackhat, based on a peer’s existing code (the “Silent locker” Trojan). Much like other known Ransomware codes, the malware comes with adapted HTML lock pages designed to appear per each user’s IP address’ geo-location. The pages display in the corresponding language, naming the local national police and demanding ransom in the local currency ($/€/£/other) via prepaid cards/vouchers available in that country.

Multi-Locker is available to cybercriminals through a vendor in underground fraud communities. The malware was announced in the underground in the beginning of October 2012 and offered for sale at USD $899 per kit. In the ad, the vendor guarantees the locking of files on Windows-based machines running any version of Windows, from 2003 to Windows 8. 

Most ransom Trojans to date have been designed to accept prepaid cards or vouchers issued in the US and Europe. Multi-Locker’s vendors are adding their research regarding prepaid media used in Arabic-speaking countries and assure buyers that they will enrich their knowledge to enable them to easily cash out the funds at the end of the line. 

Multi-locker Botnet and control panel

Unlike the majority of ransom Trojans, the Multi-Locker Ransomware was designed with a main point of control that can manage some of the activity of infected bots. The basic control interface shows botmasters some basic statistics such as the total number of bots on that botnet and the payments that come in from each bot. The botnet interface parses each payment made according to the prepaid card type the victim provides.

The panel also displays the botnet’s conversion rate (how many successful infections/ locks out of the entire campaign) at any given moment by showing the total number of lock pages loaded versus the number of bots (that ratio hovering around 20%). 

New features coming soon: DNS-Locker

The most interesting module this Trojan offers is apparently yet to come: DNS Internet Locker. The DNS Locker will be a restriction that will take over the Internet browser, forcing to only display the Ransomware Operator’s HTML lock page, demanding payment for the browser to be released. 

The vendor is very boastful about having researched solutions online and having found none that can help infected users find a way to rid their machines from the malware, adding that even starting the computer in sage mode will not remedy the lock, guaranteeing the future DNS Locker will work on even the newest versions of Windows. 

RSA’s Conclusion

Ransomware were first seen coming from Russia 2005-6 and have since evolved in terms of tactics and scope. Ransomware Malware is particularly lucrative to botmasters operating out of Eastern Europe as almost all were written by Russian-Speaking coders and sold by Russian-Speaking vendors in the Fraud Underground.

Ransomware’s success rate may differ in each country/geography, according to the number of users who decide for the unlocking of the PC. Unfortunately the numbers for this type of attack continue to grow as online users are not very aware of the threat and may attempt to resolve the issue on their own by providing payment to the botmasters.

Phishing Attacks per Month

In November, RSA identified 41,834 unique phishing attacks launched worldwide, making a 24% increase in attack volumes from October. The growth in attacks in November is mostly attributed to the online holiday shopping season as fraudsters try to leverage this time of year to lure victims.

Number of Brands Attacked

In November, 284 brands were targeted in phishing attacks, marking a 6% decrease from October. Of the 284 brands attacked 45% endured 5 attacks or less.

US Bank Types Attacked

Nationwide banks continued to be the most targeted by phishing in November, experienced nearly 80% of all attack volumes.

Top Countries by Attack Volume

In November the US was targeted by 42% of total phishing volume. The U.K accounted for 20% of the attack volume, with India emerging as the third most targeted by volume with 7% of all global attacks. India replaced Canada who saw a significant decrease, from 27% of total attack volumes in October to just 4% in November.

Top Countries by Attacked Brands

In November, the countries that featured the greatest number of targeted brands were the U.S. (30%), still leading by a wide margin, followed by the UK with 11%. Though absorbing a relatively small number of attacks in November, Brazilian brands ranked third of the most targeted with 6%, attesting to the diversity of attacked brands in the country.

Top Hosting Countries

Despite a 6% drop in the month prior, the U.S. continues to be the top hosting country for phishing attacks; one out of every two attacks in November was hosted in the U.S. France was the second top host, accounting for 7% of phishing attacks in November, most of which were hosted by a single ISP.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: