Tag Archives: Anti-Phishing Working Group

New Tools for Stopping E-commerce Fraud

Javed Ikbal is in the IT security business. But it wasn’t until his credit card number was stolen in the Frankfurt, Germany, airport last summer that he realized how vigilant companies have to be about keeping online transactions safe. Ikbal, who runs a Boston-area IT security consulting firm, says whoever stole his credit card used it to buy $1,700 in merchandise online from Circuit City, the home electronics retailer. However, Circuit City flagged the transaction because the order didn’t include his phone number, came from a computer logged onto the Internet through a German IP address, and was supposed to be mailed to Illinois, even though Ikbal’s billing address is nowhere near there. Based on those warning signs, Circuit City called Ikbal, who alerted the retailer that it was a bogus order on a stolen card number.

Even though it involves a large business, Ikbal uses the example to show that stopping e-commerce fraud is feasible for even a very small online merchant or other company handling financial transactions online. Measures to stop e-commerce fraud are out there, and many of them are cheap or even free, such as checking the country of origin of an online order against the buyer’s credit card billing address, he says. That’s important because many small businesses can’t or won’t spend a lot on security, says Ikbal, a principal of zSquad, in Plainville, Mass., a firm that creates and audits corporate IT security plans. “They think they have a firewall or that their hosting service will provide security,” he says. “Even for companies that make $10 million a year or more, we find shocking lapses in security.”

Protecting the online store

According to a December 2007 report on e-commerce fraud from The Aberdeen Group, a Boston technology researcher, companies that are most successful at reducing their risk of fraud while simultaneously making customers feel safe do the following to protect online transactions:

- Monitor and authenticate transactions in real or near-real time.
- Check that customers are who they say they are, either when they open an account or during a purchase transaction.
- Use encryption, either SSL or EV SSL, a newer version of SSL that requires certification requests to go through a more rigorous identity check and authentication process before being approved.
- Create and enforce security policies and educate customers about safe online behaviors.
- Create marketing to explain how safe their website is for shopping, banking, etc.

Ikbal also suggests companies do the following:

Warn users to upgrade buggy Web browsers. Shoppers who use older Web browsers, such as Internet Explorer 4 or 5, put themselves and online merchants in danger of being hacked because of known security flaws in those programs, Ikbal says. Since Web servers automatically detect the browser someone uses to log on, a company can redirect anyone with an older browser to a special page on the website that notifies them they need to upgrade before they can continue, Ikbal says. “They could make viewing it a condition for establishing an account,” he says. “It costs nothing. You just have to program your website to respond accordingly.”

Set strict credit card policies and stick to them. Require that the address a buyer enters for an order matches the one the credit card processor has on file for that individual. Also require that anyone making a purchase enter the three- or four-digit CCV security code found on the back of the credit card. When an order is placed, the merchant can send the data to the card processor to see if it’s a match. If it’s not, “the order shouldn’t be denied, but the merchant should call the person and ask about it,” Ikbal says.

Check the IP location of incoming orders. Companies that process orders in real time (if they’re selling software that buyers pay for and download, for example) can use an IP location service such as IP2Location or Akamai to instantly identify a visitor’s geographical location. The cost is usually 30 or 40 cents per transaction or less, Ikbal says. Online merchants who don’t process orders in real time can manually look up IP addresses. “If someone sells only in the US, they should be careful if they see a transaction coming from Eastern Europe or North Korea, which are hotbeds of fake credit card transactions,” Ikbal says.

SIDEBAR: Create a Security Policy

One of the cheapest things a small business can do is create a security policy and post it online, according to security experts. Security policies aren’t hard to come by. The Anti-Phishing Working Group, a five-year-old industry association, posts links to security policies at several large companies on its website, including:

- eBay, whose consumer education section includes instructions for recognizing fake eBay websites and a spoof e-mail tutorial.
- Citibank, which maintains a series of pages explaining, among other things, how customers can avoid getting spoofed by hoax e-mail and steps to take if they do.
- US Bank, which maintains a section called “E-mail Fraud: Information and Help.”

Companies can also point customers to the following Anti-Phishing Working Group documents: How to Avoid Phishing Scams and What To Do If You’ve Given Out Your Personal Financial Information.
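As an added example (not code from the article, zSquad or any processor named), the screening routine below encodes the warning signs Ikbal describes: the IP country against the card's billing country and the merchant's home market, the ship-to address against the billing address, a missing phone number, and the processor's address (AVS) and security-code results, with any mismatch routed to a phone call rather than a denial. The IP-to-country table, the Order fields and both sample orders are constructed stand-ins for a real geolocation service and payment processor.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed lookup standing in for a commercial IP-location service
# (IP2Location, Akamai in the article). Keyed by the first three octets;
# both ranges are IETF documentation blocks, labelled here for the demo only.
IP_COUNTRY_BY_PREFIX = {
    "203.0.113": "DE",
    "198.51.100": "US",
}


def ip_country(ip: str) -> str:
    """Country code for an IPv4 address, or '??' when the lookup has no answer."""
    return IP_COUNTRY_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


@dataclass
class Order:
    amount: float
    client_ip: str
    phone: str              # empty string when the buyer left the field blank
    billing_country: str    # billing address as held by the card processor
    billing_state: str
    shipping_country: str
    shipping_state: str
    avs_match: bool         # processor: entered address matches the card record
    cvv_match: bool         # processor: CCV/CVV code entered is correct


@dataclass
class Screening:
    decision: str                         # "approve" or "call_customer"
    flags: List[str] = field(default_factory=list)


def screen_order(order: Order, home_market: str = "US") -> Screening:
    """Apply the article's warning signs and decide how to handle the order.

    Following Ikbal's advice, a mismatch never auto-declines: any flag puts
    the order on hold for a phone call to the cardholder.
    """
    flags = []
    if not order.avs_match:
        flags.append("avs_mismatch")
    if not order.cvv_match:
        flags.append("cvv_mismatch")
    if not order.phone.strip():
        flags.append("no_phone_number")
    country = ip_country(order.client_ip)
    if country != order.billing_country:
        flags.append(f"ip_country_{country}_differs_from_billing_{order.billing_country}")
    if country != home_market:
        flags.append(f"ip_country_{country}_outside_home_market_{home_market}")
    if (order.shipping_country, order.shipping_state) != (
            order.billing_country, order.billing_state):
        flags.append("ship_to_differs_from_billing")
    return Screening("call_customer" if flags else "approve", flags)


# Constructed orders. The first is modelled on the article's anecdote: German
# IP, no phone number, shipping to Illinois against a Massachusetts billing
# address. The second is an unremarkable domestic order.
SUSPECT_ORDER = Order(1700.0, "203.0.113.7", "", "US", "MA", "US", "IL", True, True)
CLEAN_ORDER = Order(49.0, "198.51.100.9", "617-555-0100", "US", "MA", "US", "MA", True, True)

if __name__ == "__main__":
    for order in (SUSPECT_ORDER, CLEAN_ORDER):
        result = screen_order(order)
        print(f"${order.amount:,.2f} from {order.client_ip}: {result.decision} {result.flags}")
```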

New Ammo to Battle Online Fraud

When it comes to protecting customers online, small businesses can’t act small. Customers expect them to use the same safety measures employed by larger businesses. That’s why Terence Johnson didn’t wait for a customer at Scribendi, the Canadian editorial services company where he’s vice president of technology, to fall victim to a “phishing” expedition before upgrading his website security. Last year, Johnson upgraded to a newer security protocol called extended validation secure sockets layer, or EV SSL, an improvement to existing SSL that requires certification requests to go through a more rigorous identity check and authentication process before being approved. EV SSL is one of a handful of measures security experts and industry analysts suggest companies of all sizes take to combat phishers, identity thieves, and others out to steal valuable personal information from unwitting Internet users.

Acting before you need to is one way to keep the bad guys at bay, according to a December 2007 report on e-commerce fraud from The Aberdeen Group, a Boston technology researcher. According to Carol Baroudi, the Aberdeen Group analyst who wrote the report, all types of businesses that sell something or conduct financial transactions online can also prevent fraud if they:

- Authenticate new customers while they’re creating an account.
- Add layers of user authentication, geo-location and device authentication.
- Establish and enforce security policies.
- Use anti-fraud directories.
- Continuously educate themselves and customers on new types of security threats and protections.

Consortium created EV SSL to combat fraud

A consortium of more than two dozen Web browser and security technology companies formed the CA/Browser Forum to develop and introduce EV SSL in February 2007. Since then, approximately 4,000 websites have been certified to use the protocol, says Tim Callan, vice president of SSL product marketing at VeriSign, a consortium member. Seventy-five percent of those websites are VeriSign customers, and of that number, 80 percent are small businesses, Callan says.

The thinking behind EV SSL: increasing the hoops parties need to jump through to be certified will weed out undesirables who create fake websites, and at the same time make consumers feel safer when they visit legitimate online establishments, Callan says. To that end, when someone using Microsoft Internet Explorer 7.0 visits an EV SSL-certified website, the browser’s URL address bar turns green, much the way a green traffic light signals it’s OK to proceed. Upcoming releases of the Firefox and Opera Web browsers are expected to work with EV SSL, according to industry reports. Apple isn’t part of the consortium, and EV SSL doesn’t work with its Safari browser.

EV SSL isn’t cheap. VeriSign charges $995 per server per year, with volume discounts, and a second version with even stronger server cryptography costs $1,499 a year per server. It is worth it, though, says Johnson, the technology guru at Scribendi, in Chatham, Ontario, which has provided editing services to authors and other clients for 10 years and has a staff of 100. Customers appreciate businesses that go out of their way to provide them with security, Johnson says. And it pays off. In the four months after Scribendi started using EV SSL, the number of orders from Internet Explorer users who visited the website increased 27 percent from the four months immediately prior. “That’s an indication that people are learning to recognize” what it means, Johnson says.

As New York City apartment dwellers know to use more than one lock on their doors, websites should use more than one security system, business owners, security experts and others say. In addition to EV SSL, Scribendi uses security tools from the company’s Internet service provider, encrypts transmissions of manuscripts and other documents that editors are working on, and authenticates payments in real time, Johnson says. “When it comes to security, being a small business doesn’t count,” he says. “You have to use the best tools you can.”

SIDEBAR: Resources to Learn about EV SSL

Here are some resources small businesses can use to learn more about EV SSL and other measures for stopping e-commerce fraud:

- EV SSL FAQ: Everything you wanted to know about EV SSL, from the CA/B Forum, the volunteer consortium of 27 security companies and 4 Web browser makers that created the security protocol.
- A primer on e-commerce security issues: published by Ecommerce-Digest.Com, an online publication that covers the Internet security industry.
- E-commerce white papers: A collection of research papers and other documents explaining online fraud and the security measures used to combat it, from ZDNet, the technology trade publisher.
- The Anti-Phishing Working Group: A five-year-old industry association with 3,000 member companies that documents phishing activity and shares best practices for stopping it.

The Basics: What is Phishing?

It used to be that so-called “phishers” focused only on large international financial institutions, such as Barclays Bank or Citibank, when sending out fraudulent e-mails that tried to imitate the look and feel of correspondence from those firms in order to scam customers. But now law enforcement authorities warn that phishers are invoking the names of local banks and smaller financial firms in their e-mail scams. Phishing is a scam that attempts to lure recipients of the phony e-mails into going to a fake Web site and keying in account or password data, information which then becomes the basis for identity theft. There were 255,000 reports of identity theft in the U.S. last year, according to the U.S. Federal Trade Commission, and phishing scams were a leading cause. But the recipient isn’t the only one vulnerable in these scams; the business’s brand and reputation are also harmed. That’s why business leaders need to be aware of the growing threat from phishing and the need to take steps if their firms become targets, such as notifying authorities and warning customers.

What is Phishing?

Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials, according to the Anti-Phishing Working Group (APWG), an industry and law enforcement association dedicated to combating phishing. While immediate concern is often focused on the individual receiving the spoofed e-mail claiming to be a legitimate request for personal information, targeted companies are affected in a number of ways.

Who are the Targets?

Damage caused by phishers makes consumers wary of an otherwise respected brand. Financial institutions, including Barclays Bank (which McAfee, the security software maker, refers to as BarcPhish), are the most prevalent phishing targets. PayPal and eBay are also heavily hit. Security firm SophosLabs estimates that over 75 percent of all phishing e-mail targets PayPal and eBay users, coaxing recipients to log into their accounts on a hijacked site where scammers can grab account info and other personal data. More recently, however, the APWG has been tracking phishing attempts invoking the names of smaller financial institutions, such as Sky Financial and LaSalle Bank. The number of hijacked brands is on the rise, according to the APWG. In July, there were 154 brands targeted, up from 130 the previous month. The number of new phishing sites also increased, to 14,191 from 10,047 in June, the group says. To put the threat to your business in perspective, phishing accounts for less than 0.3 percent of all e-mails sent, according to Kaspersky Lab.

What Can a Company Do?

Halting fraudulent e-mails is a challenge yet to be solved. Many companies that become targets focus on educating customers on how to look for warning signs. They also notify customers about what types of messages they should and shouldn’t expect to receive from the institution. One of the easiest steps a company can take to combat phishing is to post a statement on the company website notifying customers that phishing e-mails are being sent illegally and advising them what type of legitimate correspondence the company sends. Some companies make it a policy to communicate with customers only through paper mail instead of e-mail, and others say they never e-mail to ask a customer to enter bank account and password information.

Education in-house also helps reinforce safety. Visiting sites set up by phishers can install keyloggers and other malicious programs on unwitting users’ computers. Having such programs reside on office or home computers can widen the threat from personal identity theft, which is serious in itself, to corporate data breaches.

Even if they haven’t yet been targeted, some financial firms may want to warn customers about phishing red flags, such as e-mails with links to sites that ask for highly detailed information. On the surface, these e-mails to businesses and individuals often look convincing, using official-sounding descriptions, logos from actual companies or banks, and a convenient link to help you sort out a problem or address another concern. “Is somebody asking me to confirm my account details, including username, password and credit card info?” asks Shane Coursen, senior technical consultant at Kaspersky Lab. “If so, this is the first and most obvious sign that the e-mail is a fraud.” Companies should tell their customers that, instead of replying or clicking on the link, the best thing to do is to forward the e-mail to the company. Most importantly, tell them not to click on any link.

Don’t Get Hooked

Everyone’s seen the subject lines in his or her inbox: “Chase Customer Service” or “EBay account suspension.” The subject lines are meant to prompt you to action, using formal business language to get you to go to a website to confirm who you are, change your member settings, or for some other reason that involves your personal information. It may appear as correspondence from eBay, a credit card company, or even your bank. But beware. These e-mails are not always as they appear, and taking action on them could cost you your identity.

Phishing for information

More and more frequently, these e-mails are phishing scams: e-mails characterized by the use of spam-like techniques to mass-distribute fraudulent requests for information. The e-mails prompt unsuspecting users to go to fraudulent websites to confirm personal information, update member settings, or something similar, in an effort to steal private information. The Anti-Phishing Working Group, an industry association focused on monitoring and eliminating this form of identity theft, has received over 110,000 reports of phishing this year. A study by Gartner reports that from May 2004 to May 2005 about 1.2 million Americans were victims of phishing fraud, with a total loss of $929 million. Defending yourself and your company against phishing scams requires that you and your employees recognize a few key traits these e-mails have in common, and set up safeguards to prevent falling victim.

First, phishing e-mails generally reveal a few tell-tale signs that they are not from a legitimate business’s website, including:

- A large number of spelling errors.
- A salutation that addresses you as a “customer” or “member,” not by your name.
- Links that do not go to the business’s own website: google.xxxx.com, for example.
- URLs that are only numbers after you click on a link, such as http://111.222.333.444, are likely fakes.
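The tell-tale signs listed above, together with Coursen’s “asking me to confirm my account details” test from the previous article, can be turned into an automated check on an incoming HTML message. This is an added example, not code from any company or group named on this page; the regular expressions, the examplebank.example domain and both sample messages are constructed, and the two-label registrable-domain rule is a crude stand-in for a public-suffix lookup (the spelling-error sign is not implemented).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording patterns for two of the signs: a generic salutation and a request
# to confirm account credentials. Constructed for this example.
GENERIC_SALUTATION = re.compile(
    r"\bdear\s+(valued\s+)?(customer|member|user|client|account holder)\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|verify|update|validate|re-?enter)\b[^.!?]{0,80}?"
    r"\b(account|password|credit card|card number|username|pin)\b", re.I)
NUMERIC_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")        # http://111.222.333.444 style
HOSTNAME_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class MessageParser(HTMLParser):
    """Collects the visible text and every (anchor text, href) pair."""

    def __init__(self):
        super().__init__()
        self.text_parts, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: a crude stand-in for a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(message_html: str, legitimate_domain: str) -> list:
    """Return the phishing indicators found in the message; empty means none."""
    parser = MessageParser()
    parser.feed(message_html)
    text = " ".join(parser.text_parts)
    findings = []
    if GENERIC_SALUTATION.search(text):
        findings.append("generic_salutation")
    if CREDENTIAL_REQUEST.search(text):
        findings.append("asks_to_confirm_credentials")
    brand = legitimate_domain.split(".")[0]
    for anchor, href in parser.links:
        host = urlparse(href).hostname or ""
        if NUMERIC_HOST.match(host):
            findings.append(f"numeric_ip_link:{host}")
        elif registrable_domain(host) != legitimate_domain:
            if brand in host:   # brand name used as a subdomain of someone else's domain
                findings.append(f"lookalike_host:{host}")
            shown = HOSTNAME_IN_TEXT.search(anchor)   # anchor text shows one site, href another
            if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
                findings.append(f"link_text_mismatch:{shown.group(0)}->{host}")
    return findings


# Constructed messages; examplebank.example stands in for a real bank's domain.
SAMPLE_PHISH = """<html><body><p>Dear Valued Customer,</p>
<p>Please confirm your account details and password within 24 hours or your
account will be suspended.</p>
<p><a href="http://examplebank.example.secure-login.example.net/verify">
www.examplebank.example</a></p>
<p>Backup server: <a href="http://192.0.2.45/login">click here</a></p></body></html>"""
SAMPLE_LEGIT = """<html><body><p>Dear Javed,</p><p>Your March statement is ready. Sign in at
<a href="https://www.examplebank.example/statements">www.examplebank.example</a>
to view it. We will never ask for your password by e-mail.</p></body></html>"""

if __name__ == "__main__":
    print("phish:", analyse(SAMPLE_PHISH, "examplebank.example"))
    print("legit:", analyse(SAMPLE_LEGIT, "examplebank.example"))
```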
Second, an ounce of prevention can do a world of good when it comes to protecting your critical information. There are several ways you and your company can prevent falling victim:

- Never respond to e-mails requesting information or asking you to verify information.
- Avoid filling in forms on websites when prompted to do so from an e-mail.
- Ignore e-mails with forms inside them.
- Use an e-mail program with robust spam-blocking features to weed out phishing messages.
- If you believe a message may be legitimate, call the company.
- Type in the company’s homepage URL (obtained through a reputable search website) to verify problems.
- Have the latest security updates installed in your and your employees’ Web browsers.
- Employ optional browser plug-ins or toolbars that alert users when they are visiting a site reported to practice phishing.

The next threat

Phishing may be ubiquitous, but another scam, pharming, can do greater damage. It is similar to phishing, but rather than using some kind of e-mail lure, a hacker modifies a company’s DNS software so that a user is directed to a copy of the website he or she is seeking. If pharming becomes ubiquitous, hundreds, even thousands, of users could give up personal information to criminals during routine online banking or similar actions. Pharming and phishing share the same goal of redirecting an unsuspecting user to a fraudulent website, according to Joseph Steinberg, co-founder and CEO of Green Armor Solutions, a start-up selling visual-cue software to help a user recognize an authentic site. Further, he adds, these techniques endanger not only financial institutions or hospitals, whose clients might have their identities stolen, but also any company with an internal online network of employees. To protect businesses, their employees, and their clients from pharming attacks, Green Armor has developed software that institutions use to help their websites’ visitors determine that they are, in fact, at a legitimate website.
Based on each user’s information, the software generates simple, unique visual signals, which fake sites cannot replicate and which a user quickly comes to recognize as associated with the legitimate institution’s website. “Historically, end users have had to authenticate themselves, while websites were never forced to authenticate themselves to end-users,” says Scott Chasin, CTO of Denver-based MX Logic, a provider of e-mail security solutions. Client-side solutions like Green Armor’s are a step in the right direction. However, according to Chasin, more technology needs to be developed along these lines. Even the Secure Sockets Layer (SSL) certification developed by Netscape, which tags a website and promises an encrypted transfer of data, is not foolproof, he adds.

Another layer of protection is installing browser plug-ins that recognize fraudulent sites on individuals’ machines. There are also browser plug-ins that inform users they’ve been directed to a site in, for example, Eastern Europe, even though they were initially surfing a U.S. site. To prevent a pharmer from hacking into a domain name server (DNS), companies can install software that prevents or detects unauthorized changes. Additionally, according to Chasin, some institutions are turning to “multifactor authentication,” which means requiring two or more elements to authenticate users. For example, a bank could require both a memorized password and a separate one coded on a physical token, like a card or keychain. No single solution works all of the time, Chasin warns. Rather, he recommends what he calls “defensive depth,” with multiple layers of defense along every node of information flow, from greater vigilance by end users to monitoring software on the server and password protection. “The more layers of defense you have, the more you can mitigate the risk,” he says.