Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Fraud

100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity

The following chart ranks the top 25 risk factors cited by the 100 largest U.S. retailers:

Top 20 Risks for Retailers 2016 2015 2014
General Economic Conditions #1 100% #1 100% #1 100%
Privacy Concerns Related to Security Breach #1t 100% #4t 99% #8 91%
Competition and Consolidation in Retail Sector #3 98% #1t 100% #3 98%
Federal, State and/or Local Regulations #4 96% #1t 100% #2 99%
Natural Disasters, Terrorism and Geo-Political Events #5 94% #7 96% #13 87%
Implementation and Maintenance of IT Systems #6 93% #4 99% #7 92%
U.S. and Foreign Supplier/Vendor Concerns #6t 93% #6 98% #4 96%
Legal Proceedings #6t 93% #9t 95% #8t 91%
Labor (health coverage, union concerns, staffing) #9 91% #7t 96% #5 94%
Impediments to Further U.S. Expansion and Growth #10 90% #12t 92% #17 78%
Dependency on Consumer Trends #11 88% #9 95% #6 93%
Consumer Confidence and Spending #12 87% #15 89% #8t 91%
Credit Markets/Availability of Financing and Company Indebtedness #13 85% #11 94% #11 89%
Failure to Properly Execute Business Strategy #14 82% #12 92% #11t 89%
Changes to Accounting Standards and Regulations #15 76% #14 90% #13t 87%
International Operations #16 73% #17 86% #15 80%
Loss of Key Management/New Management #16t 73% #19 80% #16 79%
Marketing, Advertising, Promotions and Public Relations #18 66% #25 68% #24 64%
Consumer Credit and/or Debt Levels #19 62% #27 65% #23 65%
Joint Ventures #20 61% #21 76% #18 74%

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped regulatory scrutiny. The industry is also subject to Europay, Mastercard and Visa (EMV) standards that bolster credit card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Despite the fact that since 2013, general economic conditions have remained tied for the top risk, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail RiskFactor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

Advertisements

The State of Cybersecurity in Healthcare Organizations in 2016

ESET and the Ponemon Institute have announced results of The State of Cybersecurity in Healthcare Organizations in 2016.

According to the study, healthcare organizations average about one cyber attack per month with 48% of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security,” said Stephen Cobb, senior security researcher at ESET. “The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management

Key findings of the survey:

78% of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old.

63% said the primary consequences of APTs and zero-day attacks were IT downtime

46% of respondents experienced an inability to provide services which create serious risks for patient treatment.

Hackers are most interested in stealing patient information

  • The most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records, according to 81% of respondents.

Healthcare organizations worry most about system failures

  • 79% of respondents said that system failures are one of the top three threats facing their organizations
  • 77% cyber attackers
  • 77% unsecure medical devices

Technology poses a greater risk to patient information than employee negligence

  • 52% of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information
  • 46% of respondents also expressed concern about the impact of employee negligence
  • 45% cited the ineffectiveness of HIPAA mandated business associate agreements designed to ensure patient information security

DDoS attacks have cost organizations on average $1.32 million in the past 12 months

  • 37% of respondents say their organization experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage.

Healthcare organizations need a healthy dose of investment in technologies

  • On average, healthcare organizations represented in this research spend $23 million annually on IT
  • 12% on average is allocated to information security
  • Since an average of $1.3 million is spent annually for DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks

Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment based security and especially PCI DSS and P2Pe. 

Jeremy King PCI Security Standards Council International Director said, The new European Commission Payment Services Directive 2 along with the European Banking Authority Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond, 

These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security

With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry. 

A significant amount of the conference was spent on new and developing technologies including::

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added. PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security 

We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.

Attendees included experts from Accor Hotels, , British Telecommunications, Capita, Coalfire Systems Limited, Accor Hotels, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

29% of Consumers Don’t Trust Retailers With Securing Their Data

Global Consumers: Concerned and Willing to Engage in the Battle Against Fraud,” is the second in a two-part series conducted by ACI Worldwide and Aite Group. Among other findings, only slightly more than 50% of consumers feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches

  • 29% do not trust retailers (e.g., stores, online shopping sites, restaurants, etc.) to protect stored personal and financial data against hacking attempts and data breaches.    
  • 58% think financial institutions (large multinational institutions, community banks and credit unions) do a better job of protecting their data than do retailers, or for that matter, government agencies and law enforcement.  
  • Only 55% feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches, compared to 62% who believe that online shopping websites adequately protect this information.  

Mobile Customer Engagement

  • 77% are “very interested” in being contacted about suspicious activity on their cards or accounts via a phone call, email or text message.  
  • 73% prefer that their banks not post transactions to their cards until they respond to fraud alerts. 

Consumer Awareness

  • 42% do not recall receiving any anti-fraud information from their financial institution.
  • 32% think theft by a computer hacker is the greatest fraud risk. 

Prepaid Card Implications

  • In many countries, prepaid card usage and the rate of fraud on such cards correlates. China and India have the highest rates of prepaid card fraud at 17% and 18%, respectively, and very high consumer use rates at 93% and 91%, respectively. 
  • Conversely, in countries with use rates of 70% or less, such as Australia, Canada, New Zealand and the United States, fraud rates are 4% or less, indicating that the fraud rate may rise as more consumers use prepaid cards.  

Consumer distrust is exacerbated by the widely publicized retail data breaches over the past year,” Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

Retailers have their work cut out for them – to change consumer perception that shopping, be it online or in-store, is unsafe,” Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

Consumers want to engage in the battle against fraud. Financial institutions must take a proactive role in not only engaging customers in fraud-alerting activities, but educating them on preventative measures to take to most effectively combat it,” Shirley Inscoe, analyst, Aite Group. 

Communication is key when it comes to financial institutions making customers aware of the tools available to fight fraud. This can have a big impact in customer satisfaction and loyalty,” Shirley Inscoe, senior analyst, Aite Group. 

Most Americans feel EMV chip cards make their debit or credit card transactions more secure

NXP Semiconductors has announced the results of its ‘Security Matters: Americans on EMV Chip Cards’ survey.

To gain further understanding of how confident Americans are in the security of EMV chip card technology and debit/credit card purchases in general, NXP polled more than 1,000 American adults on credit card usage, behavioural trends and consumer sentiment toward the electronic and cashless movement.

Attitudes towards Breaches and Retail Hacks
Overall sentiment reveals that while consumer confidence in credit card technologies remains high, Americans continue to demand better solutions that protect identity, personal information and financial data. With recent reports of compromises in security at Target, Neiman Marcus, PF Chang’s and other retailers, Americans are more likely to pay in cash following a security breach at large retailers, with 37% of the millennial age group (18 to 34 years of age) being the most likely to convert to cash. For example, 80% of Americans are confident in their financial institution and the security of their financial accounts, as well as the security and protection of their credit/debit cards (73%).

However, once a security breach at a major store occurs, consumers automatically turn to less convenient forms of payment (64%) – such as cash – to complete a purchase.

Credit Card Protection Technology
Respondents were asked a number of questions pertaining to security, confidence in financial institutions and credit cards, purchasing habits, geographic location, gender and general understanding of current magnetic strip and EMV technology. When asked specifically about the underlying technologies of a credit or debit card, Americans responded favourably, with 69% stating that EMV chip cards are making their debit and credit card transactions more secure, with only 5% feeling chip cards make their transactions less secure. When asked about the tap and pay feature available on some EMV chip cards, the most common concern expressed was an increased risk of theft (61%), followed by 37% expressing concerns about being charged incorrectly for purchases.

Security and Personal Information

  • 69% of Americans feel EMV chip cards make their debit or credit card transactions more secure
  • 28% believe they are much more secure
  • 31% of men believe they are much more secure compared to 24% of women

Security of finances

  • 73% of Americans are confident in the security of their credit/debit cards or their financial accounts (80%) with their primary financial institution
  • 33% are very confident in the security of their accounts, compared to 26% feeling very confident in the security of their credit/debit cards
  • 64% of Americans say they are more likely to pay in cash after hearing about security breaches at large retailers
  • 36% say they are not more likely to pay in cash
  • 37% of 18 to 34 year olds say they are much more likely compared to 27% of 35 to 54 year olds and 23% of those 55+
  • 5% believe chip cards make their transactions less secure

From this survey, we see a high consumer awareness of EMV chip card security and readiness to adopt secure technologies that protect credit and debit card purchases,” said Brintha Koether, Director Payments at NXP Semiconductors. “We recognize the sensitivity and loss of trust consumers immediately feel after learning of a major security breach. We have seen how secure chip technology employed outside the U.S. drastically reduces fraud as well as builds consumer confidence in card transactions, financial institutions and retailers

For full NXP Retail Hacks survey click NXP Study.

Hidden Dangers of a Data Breach an Infographic

A third of Canadians are victims of financial fraud

Canadians are taking steps to protect themselves against fraud, according to a survey by the Chartered Professional Accountants of Canada.

The group’s annual look at this issue found:

  • 72% of Canadians shred their banking and credit card statements;
  • 68% are very uncomfortable giving out personal or financial information through email;
  • 61% are very uncomfortable giving out this information on the phone;
  • 59% cover the keypad when entering their PIN number at a retailer or a bank machine;
  • 56% are very uncomfortable logging in to their banking or investment website using a public Wifi network;
  • 51% notify their bank and credit card company when they travel abroad.

The survey also reveals that, despite these efforts:

  • 29% of respondents report being victims of some form of financial fraud
  • 43% know someone who has been a fraud victim

The most common types of fraud reported by victims surveyed were credit and debit card fraud.

The CPAC is an umbrella group for the Canadian accounting profession. Reprinted from the Toronto Star.

Increasing Security and Reducing Fraud with EMV Chip and PCI Standards an Infographic

When data is exposed, it puts your customers and your reputation as a business at serious risk. EMV chip technology combined with PCI Security Standards offer a powerful combination for increasing card data security and reducing fraud.

EMV – The perspective of a QSA who has worked on both sides of the Atlantic

With the spate of cyber attackers on US retailers recently Coalfire’s European MD, Andrew Barratt considers how the attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where Chip and Pin technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape.  The US has a much higher rate of credit card usage than most European countries, loyalty schemes and reward incentives are much more mature and embedded in consumer culture.  In Europe card usage is increasing but the type of card varies by country.  In the UK credit card use is moving in a similar direction to the US and includes a high rate of debit card usage; cards are quickly replacing cash. The UK now has lots of innovative mobile tech trying to disrupt the card market as well.   Germany is very different, credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system.  However both of Europe’s large economies moved away from using the magnetic stripe years ago.

EMV or Chip and Pin as it is more commonly referred to in the UK has been in heavy use since 2006 which has helped lower the impact of brick and mortar retail breaches significantly.  It doesn’t rely on sending the full track information to the payment processor meaning that the data is easier to secure.

With retailers adopting more of the security controls detailed in the Payment card industry data security standard and with widespread adoption of Chip and Pin for authenticating customers huge losses from face to face retailers are less common.

Large US retailers are being targeted for smash and grab style payment card data breaches because the data is easier to use fraudulently.  If a cyber-attack steals a lot of magnetic stripe data, this can be used to clone cards, which can then be used in stores to make fraudulent purchases.

Where transactions are authenticated using EMV’s Chip and Pin verification method less data is transmitted to the processor.  If this data is stolen it is harder to be used fraudulently.  It’s not impossible but a lot harder.  EMV is not without its flaws and a number of attacks have been demonstrated by Professor Ross Anderson’s research team at Cambridge University.  These typically attack the card reader and try to grab the Pin as it is sent to the smart card on the Chip for verification.

For US retailers minimizing exfiltration possibilities should be a high priority, lock down and monitor the outbound connections.

The fraud bubble has been squeezed attackers focus on e-commerce operations in the UK, service providers and other businesses that handle lots of cardholder not present transactions.  As the cost of implementing attacks against the smart card declines Europe serves to be a good learning ground for the US.  If the US adopts a future EMV model adoption can be considered with lessons learned overseas for more consumer protection.

Article written by Andrew Barratt

Twitter:     @Andrew_barratt

LinkedIn:  http://www.linkedin.com/in/andrewbarratt

RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA‘s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online with support of tutors, course work and counselling is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join the underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give a 2 hour advanced notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how all it works, who are the clients, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law? Building Your Business Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed and shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much in demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD) Both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster the art of avoiding detection, and how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security(ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD) $35 – additional charge for installing VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, it is estimated phishing resulted in an estimated $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.

Previous 3 RSA Online Fraud Report Summaries

.

RSA’s August 2013 Online Fraud Report featuring a review of “phish lockers”

RSA’s August 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed ‘Phish Lockers’, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name.

This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections.

Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time.

Much like most banking Trojans, phish lockers are activated by trigger. When an infected user logs into a website contained on the malware’s trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don’t have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera.

The first visible action that the user will see is the browser window being shut down, then the desktop’s START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan will pop-up a corresponding web form that looks exactly like legitimate web page, but is actually a phishing page.

The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user’s mobile number.

When banking Trojans infect user machines, they are present on the device and can log a user’s keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using pre-defined domains as communication resources. Phish lockers on the other hand, are not designed to carry out such complex activity and use basic methods to transmit stolen data such as email.

In order to facilitate sending emails from the infected PC, the malware’s author programmed it to use Extended SMTP, predefining a sender and a few recipients that will act as a fallback mechanism in case the data gets intercepted or the mailbox blocked/closed for some reason.

Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker’s web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control.

RSA’s conclusion

It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced.

This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals as they are denied access to purchase more advanced malware kits to launch attacks. This could be perhaps be pushing some cybercriminals to write and deploy simple malicious codes that will at least get their dirty work done.

Phishing Attacks per Month

RSA identified 45,232 phishing attacks launched worldwide in July, marking a 26% increase in attack volume in the last month.

US Bank Types Attacked

National banks continue to be the most targeted by phishing within the U.S. banking sector with 74% of attacks in July while credit unions were targeted by one out of every ten attacks last month.

Top Countries by Attack Volume

The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France, Canada, South Africa and Italy were collectively targeted by 15% of phishing volume.

Top Countries by Attacked Brands

U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and China together endured one-quarter of phishing attack volume.

Top Hosting Countries

The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by Canada, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks.

Previous 3 RSA Online Fraud Report Summaries

RSA’s July 2013 Online Fraud Report featuring the Carberp Trojan Code

RSA’s July 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan’s source code leak, we can expect a few things to happen following the incident. But before doing so, let’s review the events that followed the ZeuS leak in 2011.

An attempt to sell the ZeuS source code in an underground forum for, according to some estimates, as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase, and included Ice IX and Odin (both appearing in 2011), and most considerably, Citadel making its appearance in early 2012.

As opposed to Ice IX, that mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware’s functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, as well as provided numerous new plug-ins to boost the Trojan’s functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its “customers” a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing/upgrading existing bots with the malware.

Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel’s spokesperson – “Aquabox”, was banned from the only forum he was selling on (following a quarrel over customer support).

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

We’ll see a proliferation of Carberp-based attacks. While this is likely less probable, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale “as is,” with no further feature developments or bug fixes. To demonstrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing for would-be botmasters (or script kiddies). Not to mention the major weaknesses reported in the Carberp server-side, that make it “easier to hack than SpyEye” according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA’s Anti-Fraud Command Center (AFCC), this malware’s share is over 83% of all Trojan attacks and at very cheap prices, it would be surprising to see Carberp make a big impact in this strong market segment.

The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Development may continue in closed, private groups, which develop the software for their own criminal purposes.

RSA conclusion
There’s never a dull moment in cybercrime and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an “as-is” offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code, in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as those are made

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries’ brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada that hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Previous 3 months of RSA Online Fraud Report Summaries

The RSA June 2013 Online Fraud Report Summary

The RSA April 2013 Online Fraud Report Summary

The RSA March 2013 Online Fraud Report Summary

Outside of London Slough is the largest fraud centre but is still smaller that the Top 10 London zones

CIFAS, the UK’s Fraud Prevention Service have revealed emerging hotspots of fraud activity in the UK during the first six months of 2013. While fraud remains at its most concentrated within the area of densest population (the boroughs of Greater London), some other, perhaps more surprising, areas have been shown to be fraud epicentres during the first half of the year.

In particular, postal districts around Slough, Luton, St Albans, Leicester and Coventry are areas where fraudulent activity has been most prevalent, as opposed to larger urban centres such as Birmingham, Manchester, and Glasgow.

London: the capital of fraud

With the highest population levels of the UK, it is unsurprising that London is the area where the highest number of confirmed frauds has been committed during the first half of 2013. 

CIFAS Communications Manager, Richard Hurley, comments: That fraud is at its most prevalent in London is not surprising. This has been the case for many years. A larger population means more individuals who may consider making fraudulent applications, but it also means that there are more potential victims for an organised identity criminal. The top ten postal areas, however, show a divergence of locations within the Greater London boroughs: from Wembley and Enfield to East Ham and Barking, and from Woolwich and Thamesmead to Croydon. This shows that any notion that fraud is concentrated solely within a specific area of London is not true and that fraud can, and will, take place anywhere 

Greater London  Break down of areas  
Postal area Name No. of confirmed frauds
E6 East Ham District 840
SE18 Woolwich District 751
IG11 Barking 740
EN3 Enfield 722
CR0 Croydon 691
SE1 South Eastern Head District 647
SE28 Thamesmead District 629
E7 Forest Gate District 575
E16 Victoria  Docks & North Woolwich District 570
HA0 Wembley 564

Other fraud hotspots are not the most populous UK centres

Outside the postal areas that fall within the Greater London boroughs, however, there are some notable clusters of activity – and these are not to be found in other large centres of population within the UK. Instead, the SL1 and LU1 postal areas (Slough and Luton) are the areas with the highest levels of fraud, while the Coventry and Leicester postcode areas both feature more than once in the top ten areas outside London (four times and twice respectively).

Richard Hurley concludes: What these figures prove is that fraud will take place anywhere. While Coventry and Leicester, for example, are populous cities, it is surprising to see these areas identified as having higher levels of fraud than other, much larger, cities. This demonstrates that fraud is no longer a crime that can simply be thought of as occurring in the largest cities. But it also presents a challenge to individuals and organisations based in these areas. It is vital that both work together with a view to diminishing the risks, not least to ensure that individuals understand what precisely constitutes fraud. For example, it is important that individuals and organisations share the responsibility of ensuring that personal data is protected from identity fraudsters who might be targeting these areas

Rest of the UK
Postal area Name No. of confirmed frauds
SL1 Slough 441
LU1 Luton 377
AL10 Hatfield 368
CV1 Coventry 334
LE2 Leicester 334
CV3 Coventry 314
NN1 Northampton 301
LE3 Leicester 299
CV2 Coventry 272
CV6 Coventry 242

The growing threat of insider fraud not a top security priority for organizations

ponemonAn Attachmate sponsored Ponemon Survey indicates the growing threat of insider fraud is not a top security priority for organizations which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has or is very likely to alter application controls to access or change sensitive information and then reset the controls.
  • 73% of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty control
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk

This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices

Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months
  • More than one-third say that employees’ use of personally owned, mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems and another 26% it is very likely to occur
  • 61% rate the threat of insider risk within their organization as very high or high
  • 23% say insider fraud incidents existed six months or longer before being discovered and 9% could not determine when they occurred.
  • 55% of organizations say their organization does not have the ability/intelligence to determine if the off site employee’s non-compliance is due to negligence or fraud

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become

The insider fraud survey includes results from more than 700 individuals at leading global organisations.

.

More Than 12 Million Identity Fraud Victims in 2012, study finds

Javelin Strategy & Research have released their 2013 Identity Fraud Report with some startling results the scariest being “one in four consumers who receive a data breach letter will become the victim of identity fraud.”

This means the days when a breached organisation would try to keep a breach quiet with the hope that it would go away have gone because the odds are far too high to ignore financial impacts that follow Identity Theft. 

This past year was one where there were both successes and setbacks for consumers, institutions and fraudsters,” said Jim Van Dyke, CEO of Javelin Strategy & Research, in a prepared statement. “Consumers and institutions are now starting to act as partners detecting and stopping fraud faster than ever before. But fraudsters are acting quicker than ever before and victimizing more consumers. Consumers must take data breach notifications more seriously and maintain vigilance to safeguard personal information, especially Social Security numbers

Key findings from the study include:

–  $21 billion was stolen in 2012. Higher than in recent years but considerably lower than the $47 billion in 2004

–  Almost 1 in 4 consumers who received a breach notification letter became a victim of identity fraud.

This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer

–  The stolen information was misused for a variety of fraud types, for example credit cards, loans and mobile phone bills and on average was misused for an average of 48 days during 2012 which is down from 55 days in 2011 and 95 days in 2010.

More than 50% of victims were actively detecting fraud using financial alerts, credit monitoring or identity protection services and by monitoring their account

–  15% of all fraud victims changed their online behavior and avoid smaller merchants

While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, username and password were compromised in 10% of incidents and 16% of incidents included Social Security numbers

It’s not just online fraud or data breaches. More than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster. Lower income consumers were more likely to be victims of familiar fraud. The information most likely to be taken via familiar fraud includes name, Social Security number, address and checking account numbers

Javelin have produced some guidance for consumers called the “Seven Safety Tips to Protect Consumers”

Javelin Strategy & Research recommends that consumers work in partnership with institutions to minimize their risk and impact of identity fraud by following a three-step approach: Prevention, Detection and Resolution™.

Prevention

1. Keep personal data private—Secure your personal and financial records behind a password or in a locked storage device whether at home, at work and on your mobile device. Familiar fraud is a serious issue with 12 percent of fraud victims knowing the perpetrator personally. Other ways to secure information include: not mailing checks to pay bills, shredding documents, monitoring your accounts weekly, and protecting your computer and mobile device with updated security software. Use a trusted and secure Internet connection (not a public Wi-Fi hotspot) when transmitting personal or financial information, and direct deposit payroll checks.

2. Look for security features—When paying online be sure you have a secure connection. Two ways you can denote a secure connection are to look for “https” and not just http at the start of the merchant’s web address or a bright green box and padlock graphic in the address bar of most browsers. Check for either one of these before entering personal or payment information.

3. Think before you share—Before providing any sensitive information, question who is asking for the information. Why do they need it? How is the information being used? Do not provide the information if you are unsure about the legitimacy of the request. Be careful when clicking on links that then take you to a page asking for personal information. If an organization asks you for your Social Security number to validate your identity, request another question.

Detection

4. Be Proactive—There are many different levels of identity theft protection and consumers should work in partnership with institutions on identity theft prevention. By setting up alerts that can be sent via e-mail and to a mobile device and monitoring accounts online at bank and credit card websites, consumers can take a more proactive role in detecting identity fraud and stopping misuse. In 2012, 50 percent of fraud was first detected by the victims.

5. Enlist others—There are a wide array of services available to consumers who want extra protection and peace of mind including payment transaction alerts, credit monitoring, credit report fraud alerts, credit freezes and database scanning. 3 out of every 5 identity fraud victims did not know the source of their fraud, but many services will now provide alerts directly to a consumer’s smartphone. Some services can be obtained for a fee and others at no cost to the consumers who are victims of a data breach. These services can monitor credit reports, public records and online activity for signs of fraudulent use of personal information.

Resolution

6. Take any data breach notification seriously—If you receive a data breach notification, take it very seriously as you are at a much higher risk according to the 2013 Identity Fraud Report. If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer, closely monitor your accounts and put a fraud alert on your credit report.

7. Don’t wait. Report problems immediately—If you suspect or uncover fraud, contact your bank, credit union, wireless provider or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts. A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.

.

Card Not Present (CNP) Fraud Fall 57% Since 2010

FICO a  provider of analytics and decision management technology, has released data showing that card issuers using their FICO® Falcon® Fraud Manager have dramatically cut card-not-present (CNP) fraud losses from credit cards over the last two years, from £28 million in April 2010 to less than £12 million in March 2012

CNP fraud, which includes illegitimate online, mail order and phone transactions, is the most prevalent type of card fraud, accounting for about three-quarters of card fraud in the FICO® Falcon® Fraud Consortium for Europe, which includes 44 million active credit cards. 

“CNP fraud is now the top focus for card fraud across the region, as issuers look for new technology and best practices to stop the most widespread form of card fraud,” said Martin Warwick, FICO’s Fraud Chief in Europe, the Middle East and Africa. 

“FICO’s advanced fraud technology is enabling users to outperform the market. For comparison, industry-wide figures from Euromonitor show only modest declines in CNP fraud from 2010 to 2011, with the largest fall at just 6 percent in the UK.”

 Card Not Present fraud was behind

  • 72% of all accounts victimised by fraud
  • 74% of all card fraud losses in the FICO Falcon Fraud Consortium
  • This was higher than in last year’s data, where the figures were 69% and 72%, respectively

“Criminals are migrating to the easiest way of using compromised cards, which today is the internet,” said Warwick. “For example, fraud as a percentage of internet sales in the UK is 22 basis points (0.22 percent), which is double the rate for credit card transactions overall. In addition, 3D Secure protocols are moving the liability on losses from the retailer to the issuer.

“This puts great pressure on card issuers to resolve the CNP fraud problem, and it’s why issuers are looking at new capabilities in FICO Falcon, such as merchant profiling. As shown in the fraud map of Europe we released last year, countries with the strongest fraud detection systems have reduced fraud relative to countries that are lagging on the technology adoption curve.”

During the analysis window, April 2010 to March 2012, only about 1% of cards studied were victimised by fraud, according to FICO.

FICO’s data comes from card issuers in Germany, the UK, Ireland, the Netherlands, Poland and Switzerland.

.

RSA’s January Online Fraud Report 2013 including an excellent summary of Phishing in 2012

RSA’s January 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

The total number of phishing attacks launched in 2012 was 59% higher than 2011

It appears that phishing has been able to set yet another record year in attack volumes, with global losses from phishing estimated at $1.5 billion in 2012. This represents a 22% increase from 2011.

The estimated amount lost from phishing this year was affected by the industry median – the number of uptime hours per attack. The median dropped in 2012 (from 15.3 to 11.72 hours per attack, according to the Anti-Phishing Working Group), somewhat curbing the impact of losses overall. If attack medians had remained the same, estimated losses from phishing would have exceeded $2 billion.

There is no doubt phishing still continues to be a persistent threat to all organizations. The RSA Anti-Fraud Command Center is at the forefront of phishing attack shut down. To understand the magnitude of growth however, consider the following fact: at the end of 2011, RSA celebrated its 500,000th attack takedown; that number was achieved over seven years. In 2012 alone, RSA took down almost an additional 50% of that total volume!

The roster of countries most attacked by phishing throughout the year was not surprising; the same countries appeared on the shortlist of the most attacked, the UK, the U.S., Canada, Brazil and South Africa. In Latin America, Colombia and Brazil were the two most attacked countries.

There have been major increases in phishing attack volume in some countries, while slight declines were recorded for others. One of the most significant increases in 2012 phishing numbers occurred in Canada, where attacks increased nearly 400% in the first half of the year. There have been many speculations as to why the sharp increase, but the main reason is simply economics – fraudsters follow the money. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become as lucrative a target for cybercrime.

The list of top countries to have consistently hosted the most phishing attacks throughout 2012 remained nearly identical to 2011.

  1. U.S.
  2. UK
  3. Germany
  4. Brazil
  5. Canada
  6. France
  7. Russia
  8. Poland
  9. The Netherlands
  10. Japan

Phishing targets and tactics in 2012

The past year saw phishing diversify the top aims to include popular online retailers that were targeted via the usual web portals but also through the increasingly popular use of mobile apps for shopping. Other targets on phishers’ lists were airline companies, gaming platforms, mobile communication providers and webmail services.

It appears that malware writers are strong players in the world of phishing kit coding, responding to the demand in the underground and servicing phishers looking for off-the-shelf kit templates or custom written specialty kits. The top requests for phishing kit writers were, unsurprisingly, the login pages of U.S. based banks, credit card issuers and the dedicated login pages for business/corporate users of online banking/investments.

In terms of the tactics used by cybercriminals to launch their attacks, 2012 saw the use of rather simple hosting methods, mainly taking advantage of hijacked websites.

The most prominent trends noted came in the shape of using web shells and automated toolkits to hijack massive numbers of websites and smarter phishing kits containing custom plug-ins such as web-analytics tools. A proliferation of off-the-shelf codes written by black hat programmers, and the use of combined attack schemes to phish users and then redirect them to subsequent malware infection points were noted by RSA forensics analysts.

Global Phishing forecast for 2013

Phishing via Mobile The most prominent market trends relevant to the mobile channel have to do with the growth in mobile device usage in both our personal and work life and the pivotal role of mobile apps. RSA expects to see more phishing directed at mobile device users, particularly smartphones, as we move into 2013. Varying social engineering schemes will target users by voice (vishing), SMS (smishing), app-based phishing (rogue apps), as well as classic email spam that users will receive and open on their mobile devices.

Phishing via Apps Applications are the central resource for smartphone users, and that overall popularity of apps will become just as trendy with cybercriminals.

Nowadays, users download apps designed for just about any day-to-day activity, with the most prominent of those being gaming, social networking and shopping apps. To date, both Apple and Google have surpassed 25 billion app downloads each from their respective stores. In fact, according to research firm Gartner, this number will grow to over 185 billion by 2015.

In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for Web browsing, and developing native apps that supply mobile functionality and brand-based services to enable customers anywhere-anytime access.

Following user behavior trends (and money) in 2013, criminals will drive underground demand for threats and attack schemes designed for the mobile. Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices, and steal data and money from users of different mobile platforms.

Phishing via Social Media In 2008, slightly more than 20% of online users in the U.S. were members of a social network. That number has since more than doubled and stands at around 50% today.

Data collected last year from Fortune’s Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users.

With the world turning into a smaller and more ‘social’ village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience (future victims) to the virtual hot-spots. According to a Microsoft research study, phishing via social networks in early 2010 was only used in 8.3% of attacks by the end of 2011 that number stood at 84.5% of the total. Phishing via social media steadily increased through 2012, jumping as much as 13.5% in one month considering Facebook alone.

Another factor affecting the success of phishing via social media is the vast popularity of social gaming; an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice.

Social media is definitely one way by which criminals get to their target audience, phishing them for access credentials (which are used for webmail at the very least and for more than one site in most cases), as well as stealing payment details they use online.

RSA’s Conclusion

Phishing attack numbers have been increasing annually, and although phishing is one of the oldest online scams, it seems that web users still fall for it which is why it still remains so popular with fraudsters.

With the heightened availability of kits, cybercriminals’ awareness of the latent potential in stolen credentials, and the enhanced quality of today’s attacks, the forecasted outlook for 2013 calls for yet another record year riddled with hundreds of thousands of phishing attacks worldwide.

As of January 1, 2013, the RSA Anti-Fraud Command Center has shut down more than 770,000 phishing attacks in more than 180 countries.

Phishing Attacks per Month

In December, RSA identified 29,581 attacks launched worldwide, marking a 29% decrease in attack volume from November, but a 40% increase year-over-year in comparison to December 2011.

The overall trend in attack numbers showed a steady rise in volume throughout the year, reaching an all-time high in July, with 59,406 attacks detected in a single month, 52% more than 2011’s peak of 38,970 attacks.

Number of Brands Attacked

In December, 257 brands were targeted in phishing attacks, marking a 10% decrease from November. Of the 257 targeted brands, 49% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide banks continued to be the most targeted, absorbing 79% of total attack volume in December. It is not surprising that fraudsters prefer large financial institutions over smaller ones as the potential “victim rate” rises in conjunction with the size of the bank’s customer base. Moreover, information regarding security procedures at larger institutions can be more easily located in open-source searches.

Top Countries by Attack Volume

The U.S. was targeted by the majority of, or 46%, of total phishing volume in December. The UK accounted for 19% of attack volume, while India and Canada remained third and fourth with 8% and 5% of attack volume.

Top Countries by Attacked Brands

U.S. brands were the most targeted again in December, with 28% of total phishing attack volume, followed by UK brands which were targeted by 10% of attacks. Brands in Canada, Australia, India and Brazil were each targeted by 5% of phishing volume.

Top Hosting Countries

In December, the U.S. remained the top hosting country for phishers, hosting 53% of global phishing attacks. Germany and the UK were the second top hosting countries accounting for 5% of hosted attacks.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.

.

Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

Europol’s Situation Report for Credit Card Fraud 2012 summaries fraudulent activity for credit cards across Europe is a very interesting read. It explains how the criminals act and with what types of techniques and why the Law Enforcement Agencies struggle to catch them.

A summary of the Europol report is below.

  • The criminal market of payment card fraud within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
  • Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around €1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
  • The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud. Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU.
  • The majority of illegal face-to-face card transactions affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking, blocking overseas transactions using EU-issued cards unless they have been activated in advance.
  • Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Prevention and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.

Security of non-cash means of payment is a key factor in the economic stability of the European Union

According to statistics, the total number of payment cards issued in the EU in 2011 reached 726,906,710

The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).

Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services.

Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.

The illicit activities and fraudulent transactions of OCGs performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy.

This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from

  • The European Central Bank
  • European Payments Council
  • European ATM Security Team (EAST)
  • Card schemes
  • Fuel Industry Card Fraud Investigation Bureau (FICFIB)
  • “Some” card issuers (note: why not all?)

Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud is divided into card-present (CP) fraud and card-not-present (CNP) fraud.

The implementation of EMV (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.

As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. In 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals, ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud is on the EU card issuers, which are specific banks in the EU.

Europol note “there has been no specific solution to this problem proposed by the card industry”

There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States. There are also other locations where criminal groups with EU origins are cashing counterfeit cards.

The top six locations are:

  1. United States
  2. Dominican Republic
  3. Colombia
  4. Russian Federation
  5. Brazil
  6. Mexico

This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.

The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant.

As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium, where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).

It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST, 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.

This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.

Investigations into card-present (CP) fraud
Industry reported an increasing number of incidents against ATMs in the EU were 20,244 in 2011 compared to 12,383 in 2010.

The statistics include all types of attacks against ATMs, including

  • skimming
  • using stolen cards
  • physical traps to obtain cash

According to reports provided by EU law enforcement authorities, organised crime groups adjust their profiles and criminal techniques relatively quickly and smoothly. Not only can they produce skimming devices to bypass the latest anti-skimming technology but they also explore new possibilities, including cash traps, prepaid cards or malware, as a source of cash and card data.

Most criminal structures operate internationally so cross-border cooperation is a key to final success. Taking into account that suspects use specific countermeasures, corrupt police officers and hire the best lawyers, investigative measures in such cases are very difficult. The criminals’ use of sophisticated technical equipment forces investigative teams to cooperate closely with forensic experts, who can decode information and analyse seized electronic storage devices. Unfortunately, in most of these cases, investigative measures focus on the criminal activities taking place in the European Union. Law enforcement agencies and judicial authorities, being limited by legal provisions, time frames and financial restrictions, can rarely investigate fraudulent transactions performed overseas.

In practical terms, investigative measures rarely lead to dismantling the whole criminal structure. Judicial authorities press charges mainly for the part of the criminal activities that are performed in the EU, which is usually considered as the preparatory stage and not always associated with any financial losses. Consequently, in the majority of such cases the sentences are relatively lenient and suspects can leave jail on bail. Even if some criminals from an OCG are arrested for a period of time they can be easily replaced by others so that the criminal group is still active.

In June 2011 a global operation, ’Night Clone’ was brought to a successful conclusion with almost 70 suspects arrested in the EU and overseas. The operation had a very big impact and for several months, illegal activities of many other OCGs ceased.

Card-not-present (CNP) fraud
Payment card data is the ideal illicit internet commodity as it is internationally transferable. Europol, in its report on Internet Facilitated Organised Crime concluded that organised crime groups clearly benefit from globalisation, using foreign payment card data to purchase goods and services on-line. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers.

According to Europol’s intelligence, in 2011 around 60% of payment card fraud losses, totalling 900 million euros, were caused by card-not-present (CNP) fraud.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases the quantity of compromised card details is substantial, reaching hundreds of thousands or millions, enabling criminals to sell the bulk data on the internet.

So far most of the credit card numbers misused in the EU have come from data breaches in the US. However, since 2010, Europol have observed a growing number of financial data breaches against EU-based merchants and card processing centres. Most of the investigations into these breaches are based on information on illegal transactions carried out using compromised cards, as the reporting of such attacks by the affected companies is still a weak point.

A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions. The lack of legal provisions on reporting data breaches is not the only problem. One of the key factors making industry reluctant to report incidents to law enforcement authorities is the lack of trust in investigative possibilities as well as the need to maintain the reputations of the respective private entities. On the other hand, the lack of reporting leads to a small number of international investigations and a low level of prioritisation of such cases within LEAs. The problem ends up with the situation where, despite a dynamic increase in CNP fraud, it is not reflected in the statistics of cases reported and investigated by EU police forces. Consequently, since the problem is not reflected in police statistics, this phenomenon is not prioritised and it is difficult to initiate international cooperation in such cases.

From the security perspective, as with the security of face-to-face transactions, there is a lack of common global standards on the protection of card-not-present transactions. Major investments by EU industry have been made in the 3D secure protocol (MasterCard secure code; verified by VISA). However, despite this strong 3D secure verification, it is not a worldwide solution and, even on the EU level, not all on-line transactions are protected with it.

Investigations into CNP fraud and its initial stage data breach is typically very demanding. As identified by Verizon, such cases are usually quite large and complex, often involving numerous parties, inter-related incidents, multiple countries, and many affected assets. In addition to that, as stated earlier, the majority of such cases are not reported to LEAs, as industry mainly focuses on preventive measures rather than relying on the outcome of investigations. The results of internal inquiries are used to improve security measures and rarely focus on the identification of individuals responsible for the breaches.

As far as investigations into illegal on-line card transactions affecting the EU are concerned, they are mainly concerned with:

  • illegal ordering of high value goods on the internet
  • combating networks of mules set up to receive and transfer goods ordered on the internet
  • illegal transactions – purchases of services from travel companies/airlines
  • physical transactions with counterfeit credit cards – with data sourced from the internet
  • investigations into OCGs from the Baltic states and South East of Europe
  • the proper coordination of information – where possible, data breaches should be linked to illegal transactions
  • assets seizure – the network of mules shall be determined in order to localise the entry/exit points of goods

EU Member States reported many constraints and challenges faced during such investigations. The lack of legal provisions for reporting on-line incidents and data breaches, which are usually of an international nature, creates problems in individual cases under the responsibility of the respective MS, including the possibility to connect illegal transactions reported by other countries and decisions on the place of final prosecution. The global dimension and protection of financial and personal data is a major problem as far as the efficiency and time-frames of investigations are concerned. From a practical perspective, the involvement of Russian-speaking, well organised and hermetic structures cause huge problems with regards to infiltrating individuals and collecting evidence on their criminal activities. Since the majority of criminal activities are on-line, the best solution is to task specialised cybercrime teams with such cases.

As there is still little experience on such card-not-present fraud cases where data breaches and illegal transactions make EU companies and consumers the key targets the role of Europol is crucial, to analyse information and spread strategic and operational information, ultimately ensuring the efficiency of investigative measures.

Europol Summary of Credit Card Fraud in 2012
The financial crisis has had a big impact on the approach of private financial services companies and LEAs. Currently, all decisions are thoroughly scrutinised and assessed from an economic and ‘priority’ perspective.

Private industry focus on products and services which bring profit in the first instance. Such companies can accept a certain level of fraud without making any effort to identify the individuals responsible for that fraud. From the law enforcement perspective it is increasingly suggested that, since losses caused by payment card fraud can be easily covered by private industry, there is no point in investing resources on investigations. The problem is even bigger as investigations must be performed on an international level, so the investment must be higher and comes with no guarantee of final success or seizure of assets.

All that leads to the dangerous situation in which the illegal income for members of organised crime groups, reaching 1.5 billion euros a year, is not identified and recovered. It seems that the EU response to the payment card fraud problem is not harmonised or fully supported by all actors card schemes, card issuers, processing centres, law enforcement agencies and judicial authorities.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

Proper coordination of information processing and reporting to the involved countries is critical for efficient investigations. A centralised database is very important to link members of criminal networks, fraudulent incidents and investigations. Europol, having a specialised team with an existing operational database and a newly-created technical platform, can play an important role in such cases.

The missing links that remain are the legal solutions on cooperation with non-EU States and the communication of data with non-EU States and the communication of data with Private Industry.

You may also with to read

.

2012 saw a 5% increase in fraud

CIFAS (Credit Industry Fraud Avoidance System) is a not-for-profit membership association representing the private and public sectors.  CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. CIFAS operates two databases:

  1. National Fraud Database (NFD)
  2. Staff Fraud Database (SFD)

CIFAS’s analysis of fraud trends during 2012 reveals a 5% increase in the overall level of fraud, when compared with 2011. While the rate of the increase has slowed, further key findings present a more complex picture of the true state of the economic crime landscape in the UK:

  • Nearly 250,000 confirmed frauds were identified during 2012 by CIFAS Members, the highest number of frauds ever recorded by CIFAS Members and over 150,000 cases had an identifiable victim.
  • The continued blight of Identity Fraud accounts for over 50% of all frauds recorded in 2012.
  • The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
  • Conversely, frauds committed by the genuine account holder or applicant have all declined: the most notable being the decrease in fraudulent misuse of an account (Misuse of Facility fraud) which fell in 2012 by over 15% from the record levels seen in 2011. There has also been a fall in proven false insurance claims and instances of individuals submitting false details or documents in support of an application. 

The 5% increase in fraud levels recorded during 2012 serves as a reminder of the economic trials currently facing UK businesses and consumers. Nearly 250,000 frauds were identified in 2012. This represents a smaller rate of increase from the 9% surge recorded in 2011, but still constitutes the largest number of confirmed frauds ever recorded in a single year by organisations participating in the CIFAS national fraud data sharing scheme.

CIFAS Head of Communications, Kate Beddington-Brown, comments:

 “Fraud is frequently described as a victimless crime, but this is far from the truth. Whether it is an individual being impersonated, or public and private organisations losing funds due to fraudulent applications and transactions, the net effect is that the economic squeeze gets worse. Fraud acts as an impediment to business recovery and damages cashflow for us all; as losses incurred inevitably get passed on to society at large. The increase in fraud levels, therefore, might be seen as organisations getting better at rooting out fraud, but the implications are clear: increased fraud levels mean that organisations and individuals face a bigger problem than ever before.”

Identity crime: the fraudster’s biggest weapon

The fraudulent use of identity details (either those of an innocent victim or completely fictitious ones) is the biggest and most perturbing fraud threat. 50% of all frauds identified during 2012 relate to the impersonation of an innocent victim or the use of completely false identities.

Furthermore, Facility (or Account) Takeover Fraud – where a fraudster gains access to and hijacks the running of an account (e.g. theft of security details through computer hacking, interception of post details, social engineering through popular websites etc) rocketed by 53% compared with the previous year. This means that those frauds where the criminal requires identity details accounted for almost 2 in 3 (65%) of all frauds in 2012. The number of victims of both types of fraud has when combined also risen by 24% from the levels in 2011; underlining the very real cost of these crimes.

Kate Beddington-Brown notes:

 “These increases serve as a warning and a challenge to organisations and consumers equally. Organisations have invested heavily in updating and refreshing their security processes recently, ensuring that extra steps are taken to validate the identity of people with whom they are dealing. In spite of this, however, identity crimes have continued to rise – demonstrating that far more must be done. Equally, for individuals, It is obvious that fraud relating to personal data is an immense criminal trade so, fundamentally, we all have to do all we can to ensure that we also protect ourselves from becoming a victim, as well as demanding that the organisations we deal with take their security responsibilities seriously”

Frauds by account holders in decline

As problematic for organisations and the economy at large is fraud committed by the actual account holder. One piece of apparent good news, therefore, is that all frauds which come under this first party fraud heading declined in 2012: including misuse of facility fraud (where a legitimately obtained account is used fraudulently by the account holder) which decreased by 15% from the levels of 2011.

A substantial proportion of these frauds still bear the hallmarks of ‘money mule’ activity (where a criminal recruits another party to use his or her account on the fraudster’s behalf), but the decrease is encouraging in terms of consumer behaviour.

Kate Beddington-Brown notes:

“Organisations have invested effort into identifying possible victims of money mule operations and ensuring that their customers are educated about the dangers of misusing accounts, and these figures seem to demonstrate that this message is being heard. Any requests to receive and transfer funds on behalf of a person or organisation should be viewed with suspicion and reported, ultimately, to Action Fraud.”

Misuse of an account, however, is still the second largest type of fraud identified in 2012 and therefore increased attention must also be paid to ensuring that individuals are aware of this.

Kate Beddington-Brown explains:

“In these difficult economic times, the motivation to attempt fraud or the vulnerability to being duped into doing so – is perhaps understandable. Organisations, however, must do all that they can, to ensure that consumers are aware that committing fraud can have very serious consequences: from withdrawal of services to criminal charges. If organisations and consumers alike can stamp out this kind of fraud, extra effort can then be dedicated to preventing those criminals who are responsible for the rise in identity crime.”

CIFAS Chief Executive, Peter Hurst, concludes: “With the cost of living increasing, pay levels frozen for many, benefit changes taking effect and a sluggish economy, it is unsurprising that fraud has increased. Prevention remains better than cure, however, and it is time for all organisations and consumers to start reviewing their approaches to preventing fraud rather than just dealing with its effects. Investment in proper fraud prevention systems and approaches, from online security to data sharing, and education are the cornerstones of such an approach and without them the only thing that is guaranteed is an ever increasing fraud losses to organisations and society at large.”

CIFAS’s summary of  identified fraud cases in 2011 and 2012:

  2011 2012 % Change
Fraud cases identified 236,516 248,325 +5.0%

CIFAS’s summary of the types of fraud undertaken is below:

Fraud Type 2011 2012 % Change
Identity Fraud – Total 113,259 123,589 +9.1%
Application Fraud – Total 43,263 39,868 -7.8%
False Insurance Claim 396 279 -29.5%
Facility Takeover Fraud 25,070 38,428 +53.3%
Asset Conversion 532 337 -36.7%
Misuse of Facility 53,996 45,824 -15.1%
Victims of Impersonation 96,611 112,179 +16.1%
Victims of Takeover 25,250 38,686 +53.2%

You might also want to read

.

2012: “A year of Identity & Fraud” a review by Experian

Experian, a global information services company has posted two summaries of its research and blogs for 2012. I have taken the information that relates to Identity theft and fraud and consolidated it into one post.

In March, Experian revealed its latest research which estimated £1.02 billion worth of online shopping transactions were abandoned the previous year by UK consumers frustrated by old and inefficient identity measures. One in five of these abandoned transactions were not taken elsewhere as individuals cancelled their shopping attempt altogether, resulting in £214 million worth of net lost revenue for UK retailers.

The study, which was conducted for Experian by the International Fraud Prevention Research Centre and included survey data as well as insights from online retailers and the Office of National Statistics, revealed that 44% of UK shoppers had abandoned at least one online shopping transaction in the last year having become frustrated with the length and complexity of certain older forms of identity verification.

Older forms of online identity verification, typically complex, standalone systems drawing on single sources of information to corroborate identity information, are unable to validate as many individuals electronically as modern services. As a result, genuine customers might be forced to call a contact centre, submit physical documents through the post or visit the store or branch to confirm identity. Alternatively, the organisation might choose to accept a lower level of proof, and risk higher levels of fraud, in order to minimise customer inconvenience.

In April, Experian revealed that fraudulent applications for mortgages increased by 8% in the previous year. This was the fifth year in a row in which the rate of mortgage fraud has increased. 34 in every 10,000 applications for mortgages were found to be fraudulent in 2011, compared to just 15 in every 10,000 in 2006.

The overall rate of fraud at point of application across the UK’s financial services sector increased by 4% in 2011, to just over 17 in every 10,000 applications. In addition to record mortgage fraud figures, this overall increase was also driven by growth in insurance and current account fraud. 93% of attempted mortgage fraud in 2011 was down to individuals misrepresenting their personal information on applications. Typically these first party frauds involved falsifying employment status or financial information, and most commonly attempting to hide an adverse credit history.

Experian’s demographic insight revealed that Mosaic groups Terraced Melting Pot (young, poorly educated individuals living in small towns) and Suburban Mindsets (predominantly middle aged, middle and skilled working class individuals) were both responsible for around 15% of first party mortgage fraud cases in 2011. The young, well educated professionals of the Liberal Opinions were also prone to attempting first party mortgage fraud, being responsible for 13% of cases.

Nick Mothershaw, UK&I director of identity & fraud at Experian, comments: “About 70 per cent of financial services application fraud in the UK fraud is down to first parties misrepresenting their circumstances, and the products such as mortgages and insurance that have seen fraud soar over the last year have a significant first party fraud element to them. This kind of fraud tends to originate from financially stressed segments of society.”

  • Insurance fraud. Insurance fraud rates reached 11 in every 10,000 applications and claims in 2011, an increase of 23% over the last year. 89% of insurance fraud was first-party led with the Terraced Melting Pot, Suburban Mindsets and Liberal Opinions demographics responsible for the most instances. Combined they accounted for 43% of cases.
  • Current accounts. The rate of current account fraud increased to 36 frauds in every 10,000 applications in 2011, up from 23 in every 10,000 in 2010. 60% of current account fraud in 2011 was committed by first-parties, almost a quarter (23%) of which was down to the Terraced Melting Pot demographic. The remaining 40% of current account fraud attempts were down to third-party identity fraudsters seeking to open accounts as a springboard to obtain other, more lucrative credit products, or for money laundering purposes.
  • Automotive and credit card fraud rates fall. Not all financial products saw fraud rates increase in 2011. Credit card fraud continued to fall, from 19 in every 10,000 applications in 2010 to 12 in every 10,000 in 2011. The rate at which fraudsters target new credit cards is almost a quarter of the level recorded in 2006, when 45 in every 10,000 applications were fraudulent.  Automotive finance providers have also seen fraud rates fall. 23 in every 10,000 applications were found to be fraudulent in 2011, down from 38 in every 10,000 during 2010. 85% of these frauds were first party.

In May, Experian revealed that Slough had overtaken London to become the identity fraud capital of the UK. The Berkshire town recorded 25 identity fraud attempts for every 10,000 households, with residents targeted at around four times the UK national average (seven households in every 10,000). Residents of London, Gravesend, Birmingham, Luton, Manchester and Leicester were also targeted at twice the national average rate. London as a whole experienced 22 attempts for every 10,000 households, although attempts were not spread evenly across the capital.

Substantial hotspots for identity fraud activity were found in and around London’s Olympic neighbourhoods. Financial service providers detected 78 incidents for every 10,000 households in East Ham, as residents were targeted at more than 11 times the national rate. Woolwich and Stratford also experienced significant identity fraud activity, recording 46 and 43 identity fraud attempts respectively for every 10,000 households.

Whilst the instances of fraud across all financial products remained at a constant level between 2010 and 2011 (six in every 10,000 applications were found to be fraudulent), the data shows that there was a surge in identity theft via current accounts and mortgages during this period, with rates doubling (from six to 14 in every 10,000 applications) and quadrupling (from one to four in every 10,000) respectively.

Identity fraud attempts on credit cards fell from 17 to four in every 10,000 applications.

Fraudsters turn their attention away from the wealthy.

  • For the first time, young people renting small flats from local councils or housing associations represent the demographic most likely to be targeted by identity fraudsters. This group, known in Experian’s Mosaic classification as Upper Floor Living, saw its identity fraud risk score increase by 47% to 256 in 2011. Its constituents are two-and-a-half times more likely than the average UK resident to be targeted.
  • Almost as high on the identity fraud danger list are the Terraced Melting Pot (risk score 242), a group of mostly young people with few qualifications that who work in relatively menial, routine occupations, and live close to the centres of small towns or, in London, in areas developed prior to 1914. The Terraced Melting Pot saw its risk score increase by 75% in 2011.
  • Previously, the wealthy Alpha Territory demographic – representing the wealthiest sections of society living in fashionable London neighbourhoods – were most likely to be targeted. The risk score for this group halved in 2011 (from 301 in 2010 to 149) as fraudsters turned their attentions to younger and less affluent sections of society.

In June, Experian revealed that the financial services industry saw a 16% quarter-on-quarter jump in fraud rates in the period January to March 2012, driven primarily by a significant surge in current account fraud. 19 in every 10,000 applications for financial services were found to be fraudulent in the first three months of 2012, up from 16 in the last quarter in 2011. 44 in every 10,000 current account applications were detected as being fraudulent during the first quarter of 2012, 23% higher than Q4 2011.

The current account extended its position as the most targeted financial product, recording the busiest period for current account fraud ever recorded by Experian. Experian’s data shows that the majority (62%) of current account fraud in 2011 was committed by first-party perpetrators, which typically involves an individual painting a knowingly false portrait of their personal circumstances to obtain services to which they are not entitled. 38% of current account frauds were due to individuals attempting to hide adverse credit histories when opening current accounts or applying for overdrafts.

A further 39% of current account fraud involved product or payment abuse, which included people knowingly attempting to make payments with insufficient funds in their accounts. Attempted insurance fraud increased by 37% quarter-on-quarter, to reach its highest point since late 2009. 13 in every 10,000 applications and claims were detected as being fraudulent during Q1, up from 10 in Q4 2011. 58% of insurance fraud involved some form of product abuse, most significantly the provision of false payment information.

A 56% increase in identity fraud attempts pushed credit card fraud up from 10 cases in every 10,000 applications in the final three months of 2011 to 14 in the first quarter of 2012. Attempted identity frauds on cards leapt from five to eight in every 10,000 applications over the same period.

Nick Mothershaw, UK director of identity & fraud services at Experian, comments: “Experian’s data shows further growth in current account fraud during the first quarter of 2012, mostly emanating from individuals providing false information attempting to open new accounts or obtain overdrafts or making payments they knowingly couldn’t afford. The threat of identity fraudsters seeking to open accounts in the names of unsuspecting third parties, for money laundering or as a springboard to attempt fraud on more lucrative credit products, also remains.  Credit cards have seen a resurgence in identity fraud, while a growing number of financially stressed individuals consider misrepresenting their personal or payment information when applying for insurance, contributing to a significant fraud upswing in the first quarter of 2012.” 

  • Automotive finance. Fraud attempts in the automotive finance sector have declined significantly, down 34% on the previous quarter. There were 18 attempted frauds in every 10,000 applications in the first quarter of 2012, the majority of which were individuals attempting to hide an adverse credit history when applying for automotive finance.
  • Loans. The number of fraudulent loan applications has continued to decrease, reaching the lowest point ever recorded by Experian. Four in every 10,000 applications were discovered to be fraudulent in Q1 2012, 38% lower than the previous quarter. Attempting to hide an adverse credit history continues to be the preferred modus operandi in more than half of attempted loan fraud.
  • Mortgages. Attempted mortgage fraud fell by 5% quarter-on-quarter, with 35 in every 10,000 applications uncovered as fraudulent during the first three months of 2012. Attempting to hide an adverse credit history, misrepresenting employment status and falsifying financial information were the most commonly used tactics employed by mortgage fraudsters during Q1.
  • Savings accounts. Savings account fraud rates were 18% lower in the first quarter of this year than the preceding three months. 12 in every 10,000 applications were found to be fraudulent, with identity fraudsters responsible for more than 80% of cases.

In July, it was reported that fraudsters had traded 12 million pieces of personal information online in 2012, representing a threefold increase on corresponding figures for 2010. Experian data indicated that consumers had an average of 26 separate online logins, but just five different passwords across them all.

Experian advised people to change their passwords on a regular basis and try to make them more complex to keep fraudsters from cracking them.

The full story can be found here.

In August, a special investigation revealed that fraudsters were stealing identities in order to take out multiple mobile phone contracts and walk away with valuable handsets. One man returned from a holiday to discover fraudsters had taken out nine contracts in his name.

Experian said around 200 victims were contacting the company each month for help to restore credit histories that had been damaged by the “mobile communications fraud”.

George Hopkin’s original posts can be found here, part one and part two.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: