Internet Retailer, Feature Article, August 2005
Fighting Off the e-Threats

As crooks phish for consumer IDs, retailers play cybercop to protect consumer confidence
By Paul Demery

To keep a step ahead of the bad guys on the Internet, Ezzie Schaff tries to greet them coming and going. Schaff is vice president of risk management for jewelry retailer Ice.com, where the average order value is close to $200, and he’s come to realize that it’s best to engage criminals at multiple points—wherever they try to steal customer identities, for instance, or use that information to make fraudulent purchases. Because if he doesn’t, the thugs will win and consumer confidence in online retailing will sink.

“Twenty-four hours a day, seven days a week, we’re constantly searching out new methods to prevent fraud,” Schaff says. His methods so far include using software that monitors the web to find spoofed Ice.com domains before criminals can use the brand in e-mail phishing schemes that try to steal customer account information, and using a system that flags suspicious transactions and requires the credit-card-wielding would-be purchaser to answer questions that only the authentic credit card holder is likely to know.

On constant alert

Ice.com has already used its risk management tools and policies to thwart one attempted phishing project before it could do any damage using its brand, and it has identified and halted more than 300 orders suspected of fraud this year alone, Schaff says. But though Ice.com has so far avoided an effective fraud attack, it isn’t taking anything for granted. “It’s never happened yet, because we’re on our toes constantly,” Schaff says.

Welcome to the new age of cybercrime. The Internet is no longer just a place for garden-variety crime in which criminals use stolen credit card accounts to make fraudulent purchases, or usually honest consumers dishonestly deny they made a transaction, or whiz kids get their kicks by proving they can crack into consumer databases.

The web has become a base for organized criminals who use the open nature of the web and e-mail systems to steal, or phish for, consumer account information while posing as legitimate retailers and banks, mimicking well-known web sites like eBay.com. They sell the information they gather to other criminals or use it themselves to make fraudulent transactions. Though top of mind recently among many retailers and fraud-fighters, e-mail phishing is only one of several new-age forms of cybercrime. Criminals are also finding ways to plant malicious software onto web sites and computers to capture information, including keystrokes that enter passwords, for use in future fraudulent transactions. Ken Leonard, CEO of ScanAlert Inc., a company that tests web sites for network holes that can let hackers steal information, says that 30% of his clients have network vulnerabilities when they first sign up for service. “The hackers are very busy,” he says.

Evidence is mounting that the new age of cybercrime is having an impact on retail e-commerce. Research and advisory firm Gartner Inc. reports that one out of three online shoppers in a survey of 5,000 U.S. adults is buying fewer items due to concerns about online fraud, and that 75% are more cautious about where they shop online.

Another study released this summer by the Cyber Security Industry Alliance found that 48% of consumers are avoiding shopping online due to fears that criminals might steal their personal financial information.

Nervous consumers

“Consumers are rightfully nervous and that will definitely impact online commerce,” says Avivah Litan, vice president and research director at Gartner and author of its online fraud study. She adds that retailers can’t take for granted that surging growth in online transactions will continue. “Security by retailers will have to tighten up,” she says. “They need to spend more on security and prove to consumers that their sites are secure.”

The Anti-Phishing Working Group, a security watchdog organization that monitors phishing and other forms of cybercrime and works on related security measures, estimates that 2,000 to 3,500 people per day fall victim to e-mail phishing scams, out of 75 million to 100 million phishing e-mails sent every day. The total value of losses is estimated at $500 million to more than $1 billion, according to multiple studies.

Dave Jevans, chairman of The Anti-Phishing Working Group, narrows it down to $750 million to $1 billion. The average loss incurred by individual victims is about $1,200, he says. Gartner’s survey shows losses of a slightly different scale: in the 12 months prior to the May 2005 survey, 1.2 million consumers lost $929 million due to phishing e-mails, for an average of $775.

Whatever the precise number, criminals are stepping up their efforts to make the losses even bigger. In the 12 months ended in May, 73 million consumers received e-mail phishing attacks, up 28% from 57 million during the 12-month period ended in April 2004, according to the Gartner report.

The relatively new phenomenon of phishing attacks, however, is not necessarily consumers’ biggest worry regarding online security, the Gartner study says. It notes that nearly twice as many consumers worry more about thieves stealing private credit reports and other sensitive financial data from consumer databases. In a major recent attack, criminals broke into computer records of more than 40 million credit accounts held at the Tucson, Ariz., credit card processing center of CardSystems Solutions Inc. Security vulnerabilities in the processor’s network allowed criminals to access cardholder data for MasterCard, Visa and other credit card accounts.

While consumers may worry more about hacked databases, criminals are quick to link together multiple forms of cybercrime—often starting with e-mail phishing. CardSystems said it took immediate action to fix its network security breach. But within days after the breach was publicized, consumers began receiving phishing attacks purportedly from legitimate credit card companies advising them to re-submit their account information to guard against fraudulent use of their accounts. Phishers were clearly playing off consumers’ fears that were raised by the thefts.

Beyond naiveté

Key to the motivation and success driving the criminal element is the scale of the Internet: with millions of targets that can be instantly hit through e-mail, criminals need only a tiny percentage of responses to reap substantial rewards. And because they can change their targets and attacks so easily and quickly, they can usually avoid having their own identities and locations discovered by authorities before moving on to new attacks.

To security experts, the state of cybercrime has evolved to the point where consumers and retailers must take several levels of precaution and maintain constant guard against fraud, with the same wariness as anyone who lives with common street crime. “The Internet was built on a foundation of trust, but today that’s pretty naïve,” says Craig Spiezel, director of industry and business strategy for the technology care and safety group at Microsoft Corp. “But there’s no silver bullet to fight fraud. The web retailer needs to have solutions across the board.”

Moreover, it isn’t only the largest retailers and brand names that need to guard against phishing and other forms of fraud, experts say. With the biggest targets like eBay, PayPal and banks taking steps to stop fraud, criminals are looking at other, less-guarded targets. “Fraud acts like an air bubble; you push it here, it goes there,” says Ori Eisen, CEO and founder of risk management firm The 41st Parameter and a former director of anti-fraud efforts for American Express Co. and VeriSign Inc. “We need to run faster today just to stay ahead of the bad guys.”

Some say the threat of cybercrime and the damage it can do to brands and consumer confidence are even greater for smaller retailers. “A small retailer has an even bigger concern because just one bad incident could cause it to lose credibility,” says Jeffrey Neuburger, chair of the technology, media and communications department at Brown Raysman Millstein Felder & Steiner LLP, a New York law firm that represents online retailers.

Neuburger, noting a recent lawsuit brought against Bank of America by a customer victimized by a phishing attack that had used the bank’s brand, warns that the spread of phishing attacks could lead to legal liability for retailers who don’t take the necessary precautions to prevent them. “I don’t think the Bank of America case will go far, but the trend is that as these issues become more serious, retailers are in an area of potential liability,” he says. “Retailers have to take reasonable precautions under the theory of negligence.”

To guard against phishing and the related “pharming” attacks, in which criminals tamper with DNS resolution or a victim’s hosts file so that a correctly typed domain name leads to a fraudulent site that appears to be legitimate, experts encourage retailers to look to certain crime-fighting areas:

  • consumer and employee education to maintain a clear distinction between legitimate and illegitimate e-mail and web sites;
  • technology, including web monitoring software and services, that identifies when a brand’s identity is being stolen and used to create a fictitious web site;
  • sharing of fraud and fraud-fighting information among retailers;
  • technology to prevent criminals from making online purchases with stolen financial account information.

Clear communications

Consumer and employee education starts with procedures for clearly stating on a retailer’s web site its policies about communicating with customers. Standard retail policy should be that merchants never ask customers to enter account information by linking to a site through an e-mail message, experts say.

Yet the popularity of e-mail as a marketing tool still leaves some retailers with their guard down. “You need to educate marketing and IT departments how not to send e-mails that look like phishing, like sending e-mail that’s not from your own domain name or sending e-mail that asks customers to click a link in the e-mail to update their account information,” Jevans says. “We’ve seen quite a lot of retailers doing that. But if they keep sending e-mail that looks like phish, they’re training their customers to respond to phish.”

Other aspects of consumer and employee education include consistent operating practices that customers can learn to recognize: serving account pages over “https” so that the browser shows the Secure Sockets Layer lock icon, and displaying third-party security seals. Customers should also be taught what those cues mean: a lock icon shows that the connection is encrypted, not that the site behind it belongs to the retailer, so the address in the browser still has to be checked. In addition, marketers should adopt e-mail authentication methods such as Microsoft’s Sender ID, under which a domain owner publishes in DNS the IP addresses authorized to send e-mail for its domain, so that receiving mail servers can detect messages forged in the retailer’s name.
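As an added illustration (not part of the original article and not Microsoft’s or any vendor’s code), the following Python evaluates an SPF-style sender policy of the kind Sender ID builds on: the domain owner publishes, in a DNS TXT record, the IP ranges allowed to send its mail, and a receiving server checks the connecting IP against that policy. The domain names, TXT records and IP addresses are constructed for the example; a real check would query live DNS and also handle the `a`, `mx` and `exists` mechanisms, which are omitted here.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (assumption: not real zone data).
DNS_TXT = {
    "retailer.example": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailvendor.example -all",
    ],
    # The e-mail service provider that sends the retailer's marketing mail.
    "_spf.mailvendor.example": [
        "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    ],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in DNS_TXT.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the SPF policy published for `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only the ip4, ip6, include and all mechanisms are implemented.
    """
    if depth > 10:  # simplified stand-in for the RFC 7208 lookup limit
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return result
        elif term.startswith("include:"):
            # An include matches only when the referenced policy returns pass.
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return result
        # a, mx, exists and modifiers such as redirect= are not handled here.
    return "neutral"  # no mechanism matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.11", "203.0.113.5", "2001:db8::1"):
        print(ip, check_spf("retailer.example", ip))
```

A passing result only proves that the message came from a server the named domain authorizes. A phisher who registers a lookalike domain can publish a perfectly valid record for it, so sender authentication complements, rather than replaces, brand monitoring and customer education.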

Some retail executives say they’re planning to be more aggressive with consumer education related to fraud, even though they haven’t been subject to attacks. Joe Devine, CTO of Safeway.com, the online unit of supermarket chain Safeway Inc., says consumer education on phishing and related concerns will become more critical as customers follow the grocer’s lead in participating in more online communication with Safeway, even if they only shop in its stores. “We’re using the Internet to drive customer loyalty in our stores, whether or not they shop online, so they’ll have to log on and enter a password,” Devine says.

Safeway will educate customers about the types of e-mail correspondence they can expect from the grocer, and instruct them to never click a link in an e-mail to enter any account information even if the message appears to come from Safeway, he says.

Although Devine says he doubts criminals could ever hack into Safeway’s encrypted customer databases, they could still try to steal customers’ log-in and passwords in phishing attacks and attempt to use that information to break into other sites where customers keep financial account data.

In fact, criminals don’t even need to capture complete financial account information. Because many consumers use the same log-in and password for multiple web sites, criminals know that a log-in and password captured at any one site, however unimportant, will often open financial sites under the same consumer’s name, from which they can collect more sensitive credit card account information. The spoils for the criminals can be as basic as a quick $10 for each consumer identity package they sell to other criminals.

The Anti-Phishing Working Group and TRUSTe, a web site security certification firm, conducted in June the first “Phish Fry” Consumer Education Summit. Indeed, even TRUSTe has had its logo used in phishing attacks, says executive director and president Fran Maier, who chairs the consumer education committee at the APWG. “We’re getting phished along with eBay and PayPal, so one of our responses has been to take a leadership role in consumer education,” she says.

Monitoring software

Consumer education goes only so far, though. Criminals will still try phishing attacks. To prevent those from getting off the ground, retailers can use software and outside services that monitor the Internet to learn whenever a new domain appears to mimic a retailer’s brand, giving the retailer the chance to warn customers of possible phishing e-mails from that domain and to alert government authorities who investigate phishing attacks. In some cases, such domains have been shut down before they were able to launch full-scale phishing attacks, experts say.

Ice.com, for example, uses in-house software to monitor the web for launches of any domains that appear to mimic its brand. In one case when it identified such a domain, which had devised a phony e-mail campaign to offer consumers fraudulent Ice.com coupons, the retailer responded by having its lawyer e-mail a cease-and-desist letter. “That was enough to stop it and the phishing site went down soon after,” Schaff says.

But he admits that the coupon caper turned out to be an easy one to halt. The site was hosted in the U.S., and Ice was able simply to e-mail the letter to the operator responsible for the site’s IP address.

Not all phishing scams are as easy to stop, experts say, but a new industry of anti-phishing companies has emerged in recent years to identify suspicious new domain names and work with domain registrars and hosting providers to deactivate phishing sites. The phish detectors also scan Internet chat rooms and other online sources to get tips on planned attacks against brands.
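A simplified version of the kind of lookalike-domain monitor described above, added here as an illustration; it is not the in-house software Ice.com uses nor any named vendor’s product. It generates the common typo and homoglyph variants of a brand label, then screens a feed of newly seen domains for those variants, for the brand name used as a subdomain, and for the brand name combined with bait words. The brand label `ice`, the homoglyph table and the domain feed are constructed for the example.

```python
import re

# Characters phishers substitute because they look alike in many fonts (constructed table).
HOMOGLYPHS = {"i": ["l", "1"], "l": ["i", "1"], "o": ["0"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}


def typo_variants(label):
    """Lookalike spellings of a brand label: homoglyph swaps, one-character
    omissions, doubled letters and adjacent transpositions."""
    out = set()
    for i, ch in enumerate(label):
        for glyph in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + glyph + label[i + 1:])
        out.add(label[:i] + label[i + 1:])               # omission
        out.add(label[:i] + ch + ch + label[i + 1:])     # doubled letter
        if i + 1 < len(label):                           # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    out.discard(label)
    out.discard("")
    return out


def classify(candidate, brand_label, brand_tld):
    """Return a reason string if `candidate` imitates brand_label.brand_tld, else None."""
    parts = candidate.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    label, tld = parts[-2], parts[-1]
    if label == brand_label:
        return None if tld == brand_tld else "same name, different TLD"
    if brand_label in parts[:-2]:
        return "brand name used as a subdomain of another domain"
    if label in typo_variants(brand_label):
        return "typo or homoglyph of brand name"
    # Brand name as a separate token: ice-coupons, my-ice, ice2005
    tokens = [t for t in re.split(r"[-\d]+", label) if t]
    if brand_label in tokens:
        return "brand name combined with extra words"
    return None


def screen_feed(domains, brand_label="ice", brand_tld="com"):
    """Screen newly seen domains; return [(domain, reason), ...] for the suspicious ones."""
    hits = []
    for d in domains:
        reason = classify(d, brand_label, brand_tld)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed feed of "newly registered" domains for the example (not real registrations).
NEW_DOMAINS = [
    "1ce.com", "ice-coupons.net", "ice.biz", "lce.com", "price.com", "nicecars.com",
    "icee.com", "iec.com", "ic3.com", "example.org", "www.ice.com",
    "ice.com.login-update.net",
]

if __name__ == "__main__":
    for domain, reason in screen_feed(NEW_DOMAINS):
        print(f"{domain:28s} {reason}")
```

Hits go to a human queue, not straight to a takedown request: a three-letter brand like `ice` has omission variants (`ce`, `ie`, `ic`) that will also match innocent registrations, so the monitor should err toward recall and let the risk staff decide, as Ice.com’s lawyer did in the coupon case.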

Among the companies offering such services are VeriSign Inc., MarkMonitor, Internet Identity, Brandimensions Inc. and NameProtect Inc. Information gathered in this way can help government agencies, including the F.B.I. and the Secret Service, act against organized cybercrime groups, Jevans says.

Although these monitoring services and enforcement actions are making life harder for phishers, they’re not an end-all to phishing threats, experts say. For one thing, many phishers use Internet servers based outside the U.S., where it can be difficult to get cooperation from registrars and authorities to deactivate phishing sites. In addition, foreign-based phishers often move to new servers frequently to avoid detection, experts say.

Moreover, phishing may be the criminal tactic getting most publicity these days, but it’s only one way criminals are stealing information to support fraudulent web transactions. Other types of attacks, which may work in association with phishing scams, place malicious software onto unsuspecting retailers’ web sites and consumers’ computers. Such software, for example, can turn computers into zombies that are used to send e-mail spam, which can include phishing attacks; or to conduct keylogging to monitor a consumer’s keystrokes in an attempt to steal log-on, password and other personal account information. “There’s no one system that can protect against all kinds of attacks,” Litan says.

Leonard of ScanAlert notes that the PCI security standards imposed by the credit card industry will have a positive effect by forcing merchants to test their web site security infrastructure at least every quarter, and to maintain strict policies about guarding and providing authorized access to customer data. “We demand daily testing for the Hacker Safe certification, but even quarterly would help retailers,” he says. “There are 10-15 new general network vulnerabilities discovered every day.”

Finding cooperation

In addition to education and technology, experts say that the good guys need to do a better job of cooperating and sharing information and best practices in fighting fraud, to counter criminals who already share information on fraud techniques and vulnerable web sites quickly among themselves. “We share data on suspected criminal activity with other retailers because we’ve found some of the same people hitting us with unauthorized charges also hitting other Internet retailers, especially in our product category,” says Schaff of Ice.com. “If we can get this cooperation to catch on with more Internet retailers, we’ll all be better off.”

In addition to cooperation fostered by the Anti-Phishing Working Group and TRUSTe, the Merchant Risk Council brings retailers together to share war stories and fraud-fighting techniques.

Guarding the door

In spite of efforts to halt crime at the front end through technology, education and industry cooperation, retailers also need to complement systems designed to block phishing and other types of attacks with methods to halt use of stolen information to make online purchases, experts say. Here, too, a new breed of anti-fraud technology is emerging to alert retailers when a would-be purchaser appears to be using stolen account information to complete a transaction.

At Ice.com, a web-based consumer authentication system from IDology Group is helping the retailer identify hundreds of suspect shoppers and interrupt potentially fraudulent transactions before crime can occur.

Before it started using the IDology system, Ice.com had to cancel more than 5% of high-risk orders, but it has since cut that to under 1% with zero chargebacks, Schaff says. “In the past, we had no way of knowing if they were legitimate,” he says. But with IDology’s web-based IDlive identity-checking system, the retailer is now able to verify the identity of nearly all orders, he says. And with only a small handful that still need further checking, Ice.com staff can personally contact customers for verification, he adds.

Ice.com began using the IDlive system several months ago to authenticate the identity of buyers in orders determined by an in-house order management system to be high-risk, such as orders over $200 with different billing and ship-to addresses. It processes about 1,000 orders per month through the IDlive system, which is hosted by IDology, Schaff says.

After its in-house order management system has placed high-risk orders into a queue, a member of the 20-person Ice.com risk management staff telephones or e-mails the customer to explain that the retailer needs proof of identification before processing the order. By placing the customer’s name and all or part of the customer’s Social Security number into the IDlive system, which consolidates information from thousands of public records, the retailer receives three questions based on the customer’s personal records. The questions, about such personal histories as past home addresses or past jobs, are designed to be known only by the true person the online customer claims to be.

Ice.com then enters the customer’s answers into the IDlive system and waits a few seconds for an authentication of the customer’s identity.

Positive reaction

The IDlive system can be set up to automatically interact with an online customer, who fills out a pop-up form of questions and waits for an approval, but Ice.com wanted to conduct the process manually to directly learn how customers would react, Schaff says. “So far they’ve been pleasantly surprised that we’re doing this,” he says, adding that customers say they appreciate Ice.com’s taking steps to prevent fraudulent use of their identities.

IDology’s IDlive service connects with a database of more than 4,000 sources of public records, including Social Security numbers, to verify that an online customer is the true holder of the credit card account being used for a purchase, says vice president and chief marketing officer Raye Croghan. She adds that the system can check specific details needed by particular types of retailers, such as when online wine sellers need to check a purchaser’s age.

IDology charges a one-time application fee of $100 plus per-transaction fees of 25 to 85 cents depending on volume, Croghan says. Other vendors providing similar forms of identity authentication include Verid Inc. and StrikeForce Technologies Inc.

Also on the prevention front, eBay and PayPal have developed anti-fraud software that checks for inconsistencies in their regular users’ transactions and flags them for review. “EBay and PayPal have done a lot of sophisticated work in fighting phishing attacks,” says Jevans.

Vendors that offer similar software and services include Cyota Inc., The 41st Parameter and Retail Decisions. “These systems can detect patterns and then detect anomalies in customer behavior, such as when a customer usually makes three purchases a month for $50 each, then suddenly makes a $10,000 purchase,” Litan says.

Another security company, PassMark Security Inc., has developed a system under which a consumer chooses an image that is recorded with her personal information when she opens an account. Each time (or occasionally, depending on the account provider) the customer prepares to log in or make an online transaction, the site displays her chosen image and asks her to confirm it before she enters her password; a page that cannot show the right image is not the genuine site.

EBay and PayPal have also distributed for free to 1 million customers a toolbar with technology from WholeSecurity Inc. that alerts consumers when they go to a suspicious site or receive an e-mail that appears to be phishing. The toolbar flashes red if a user finds himself on a spoofed web page or if incoming e-mail has the characteristics of a phishing e-mail mimicking the eBay or PayPal brand. It flashes green if all appears legitimate, or gray if legitimacy is unclear.
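The kind of heuristic a phishing toolbar applies to an incoming message, and the mistake Jevans warns retailers about earlier in this article (mail that asks customers to click through and update their account), shown as an added Python example that is not WholeSecurity’s or eBay’s code. It parses an RFC 822 message with the standard library, extracts links from the HTML body, and rates the message red, gray or green. The three messages, the brand domain `retailer.example` and the IP address are constructed for the example; the registrable-domain helper is deliberately crude (no public-suffix list).

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
URGENCY = re.compile(r"verify your account|update your account|suspend|"
                     r"confirm your (?:identity|information)", re.I)
BRAND_DOMAINS = {"retailer.example"}  # constructed brand for the example


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def rate_message(raw, brand_domains=BRAND_DOMAINS):
    """Return ('red'|'gray'|'green', [reasons]) for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(text)
    strong, weak = [], []
    for href, visible in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if IP_HOST.match(host):
            strong.append(f"link to raw IP address {host}")
        shown = HOST_IN_TEXT.search(visible)   # link text that itself names a host
        if shown and registrable(shown.group(1)) != registrable(host):
            strong.append(f"link text says {shown.group(1)} but points to {host}")
        if from_domain in brand_domains and registrable(host) not in brand_domains:
            strong.append(f"mail claims {from_domain} but links to {host}")
    if URGENCY.search(text):
        weak.append("asks the reader to verify or update the account via the message")
    if strong:
        return "red", strong + weak
    return ("gray", weak) if weak else ("green", [])


# Constructed messages (not real mail).
PHISH = ("From: Retailer Security <security@retailer.example>\n"
         "To: shopper@example.net\nSubject: Account suspended\n"
         "Content-Type: text/html\n\n"
         "<p>Your account will be suspended. Please go to "
         '<a href="http://198.51.100.7/retailer/login">https://www.retailer.example/account</a> '
         "to verify your account.</p>\n")
NEWSLETTER = ("From: Retailer News <news@retailer.example>\nTo: shopper@example.net\n"
              "Subject: New arrivals this week\nContent-Type: text/html\n\n"
              '<p>See this week\'s <a href="https://www.retailer.example/new">new arrivals</a>.</p>\n')
ACCOUNT_NAG = ("From: Retailer Accounts <accounts@retailer.example>\nTo: shopper@example.net\n"
               "Subject: Please update your account\nContent-Type: text/html\n\n"
               '<p>Please <a href="https://www.retailer.example/account">update your account</a> '
               "details today.</p>\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("newsletter", NEWSLETTER), ("account nag", ACCOUNT_NAG)):
        print(name, rate_message(raw))
```

The third message is the retailer’s own, links only to the retailer’s own domain, and still rates gray: it has exactly the shape of a phish, which is Jevans’s point about training customers to respond to the wrong cue.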

WholeSecurity’s Phish Finder system automatically transmits a message with details of suspected phish e-mails and spoofed web sites to a management console on an eBay back-end server, says John Ball, product manager at WholeSecurity, where risk managers can decide whether to pursue the site operator. They can also forward details of the phish e-mails and spoofed web sites to WholeSecurity’s Phish Reporting Network, where the information is shared with other subscribers, including Microsoft Corp. and Visa.

Other security systems, such as those from Quova Corp. and MaxMind, use geolocation technology to estimate where a shopper’s IP address, or the server behind a suspect e-mail, is physically located.

Deployed either separately or as part of risk management systems from companies like eFunds Corp., CyberSource Corp. and Retail Decisions, geolocation can alert a merchant whenever a credit card is being used from a location the authentic cardholder does not typically use, such as a country known for a high rate of online fraud.
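The three screening ideas in this section, the static high-risk rule of the kind Ice.com’s order management system applies (over $200 with a ship-to address that differs from billing), Litan’s behavioural baseline (a $50-a-month customer suddenly ordering $10,000) and the geolocation mismatch, combined into one order scorer as an added Python example. It is not IDology’s, CyberSource’s or any named vendor’s code; the `Order` shape, the purchase history, the weights, the thresholds and the country code `ZZ` (a user-assigned code, not a real country) are constructed for the example, and the IP-to-country lookup is assumed to have been done upstream.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Order:
    customer_id: str
    amount: float
    billing_country: str
    ip_country: str               # result of a geolocation lookup done upstream (assumed)
    ship_to_matches_billing: bool


# Constructed purchase history: amounts of past approved orders per customer.
HISTORY = {
    "c-1001": [50.0, 45.0, 55.0, 50.0, 48.0, 52.0],   # steady $50-a-month shopper
}


def score_order(order, history=HISTORY, risky_countries=frozenset()):
    """Return (decision, score, reasons).

    approve: ship; review: a risk analyst looks at it;
    verify: route to the identity-question step before shipping.
    Weights and thresholds are placeholders to be tuned on chargeback data.
    """
    score, reasons = 0, []

    # Static rule for the high-risk queue.
    if order.amount > 200 and not order.ship_to_matches_billing:
        score += 40
        reasons.append("over $200 with ship-to address different from billing")

    # Behavioral baseline: compare with the customer's own past orders.
    past = history.get(order.customer_id, [])
    if len(past) >= 3:
        mu, sigma = mean(past), pstdev(past)
        # Floor sigma at 10% of the mean so a very regular history is not hair-trigger.
        ceiling = mu + 3 * max(sigma, 0.1 * mu)
        if order.amount > ceiling:
            score += 40
            reasons.append(f"amount {order.amount:.0f} far above usual {mu:.0f} (limit {ceiling:.0f})")
    elif not past:
        score += 10
        reasons.append("no purchase history with this merchant")

    # Geolocation checks.
    if order.ip_country != order.billing_country:
        score += 20
        reasons.append(f"IP geolocates to {order.ip_country}, card billed in {order.billing_country}")
    if order.ip_country in risky_countries:
        score += 20
        reasons.append("IP in a country the merchant has flagged as high-fraud")

    decision = "approve" if score < 30 else "review" if score < 60 else "verify"
    return decision, score, reasons


if __name__ == "__main__":
    samples = [
        Order("c-1001", 50.0, "US", "US", True),       # the usual monthly order
        Order("c-1001", 10000.0, "US", "US", True),    # Litan's sudden $10,000
        Order("c-3003", 450.0, "US", "CA", False),     # new customer, mismatched addresses
    ]
    for o in samples:
        print(o.customer_id, score_order(o))
```

The point of the queue is that only the last class of order consumes an analyst’s time or a paid identity check; the scorer’s job is to keep the first class flowing and to say, in its reasons list, why the others were stopped, so that staff calling the customer know what to ask.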

Ever vigilant

Efforts to overcome phishing and other methods of fraud may never be completely successful, experts say, because the business case—the ease of launching and changing attacks and the size of potential rewards—is too attractive to too many criminals. But there is reason to have hope, Jevans says, particularly as ISPs, retailers and law enforcement agencies cooperate in sharing information and using the latest fraud-prevention tools. “There may never be a complete technological solution, but we can make online fraud a lot harder to do,” he says.

The trick is to never let down your guard, says Schaff of Ice.com. In addition to using technology and active risk management staff to catch phishers wherever they pose a threat, Ice uses Ambrion Software to conduct constant internal tests of its web site firewalls and e-mail filters and also retains an outside auditing firm to conduct manual audits of its security systems. “Criminals are getting more sophisticated, but we, too, can be trend-setters,” Schaff says.

paul@verticalwebmedia.com

Help from Congress

With a number of bills addressing data security and identity theft submitted in the U.S. Congress, among those attracting most attention is legislation introduced this year by Sens. Dianne Feinstein (D-Calif.), Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.).

Feinstein has introduced the Notification of Risk to Personal Data Act, which requires companies holding consumer data to notify consumers whenever their data has been breached. The bill requires companies to produce a detailed description of data that may have been compromised and imposes a penalty of $1,000 per individual that a company failed to notify, or up to $50,000 per day.

Schumer and Nelson have introduced an identity theft prevention bill, the Comprehensive Identity Theft Prevention Act, that would create an office of identity theft in the Federal Trade Commission, require data providers to register with the FTC, and require additional safeguards to prevent fraudulent access to data.

The bills are in committee awaiting hearings.

Copyright © 2006 Vertical Web Media.