
Kris Covino, CTO and co-founder of Date.com, once received an e-mail that appeared to come from the United Kingdom. The writer explained that he had encountered a lot of fraudulent activity on Date.com and asked for advice on how to detect fraudulent behavior. Covino wanted to be helpful. “I responded with information on some anti-fraud databases, places to check if a photo of a supposed Date.com user had been used in online scams, and an online discussion group about scams,” he says. “It was pretty comprehensive and I sent it off…but something about it bothered me.” So Covino checked the sender’s e-mail address against Date.com’s database of known frauds, and it matched a known scammer in Nigeria. “The scammers had proactively contacted me to find out how they could disguise themselves better!” Covino says. Not only that: at the same time he was answering the e-mail, the company’s customer service staff was fielding phone calls in which the caller claimed to be a Date.com user who’d been banned from the site and asked for detailed information on how to avoid being banned in the future.

There’s no question that in the past few years cybercrime has taken on new dimensions. “Ten years ago, it was teenagers with ponytails sitting in their garages,” says Fred Rica, principal at PricewaterhouseCoopers. “We now see a high level of organization, a high level of sophistication, and a high level of funding. Whether it’s coming from a nation-state, or organized crime, or somewhere else, they seem to have a lot of resources at their disposal.”

And they operate across international borders. “We found many crime rings employed multiple teams that focused on different parts of a fraud operation,” Covino says. “For example, one team located in the U.S. would register free user accounts, but when it came time to input stolen credit card numbers to create fake pay accounts — which is illegal here — that was done from offshore. Then yet another team located predominantly in a few specific regions would use those accounts to perpetrate romance scams within our community.” Romance scams might include getting to know a Date.com member by e-mail or chat over a period of months, and then asking him or her to cash a check, for example.

Cyber-gangs prey on small companies

“If you ask a small business about safety, the response is often: ‘Who would hack me? I have nothing of value,’” reports Dirk Morris, CTO and founder of Untangle, an open-source security gateway for small businesses. They’re wrong. Organized cybercriminals are after two things that every company, large and small, has. The first is computers, which, if vulnerable, can be used as part of a botnet, sending out spam or performing other tasks without their users’ knowledge. The second is personally identifiable information, such as credit card or Social Security numbers, but also log-ins and passwords that could give the cybercriminals access to users’ accounts.

In fact, organized cybercrime often targets small companies rather than larger corporations. “It’s just too easy to exploit small or medium-sized businesses,” says Ron Plesco, president and CEO of the National Cyber Forensics & Training Alliance. “Large corporations have more funds to remediate and mitigate. Small businesses don’t, and the bad guys know it. They’re concentrating on small businesses, and have been for the past year.”

How you can avoid being a victim of cybercrime

Here are some steps that can help.

Get the best security you can afford. You can’t match a large company’s security arsenal, and that’s okay. All you need is enough to make your company an unappealing target. “If the door to your house is locked, you have an alarm sign in the window, and a sign that says ‘Beware of the dog,’ a thief will probably go on to the next house,” Rica explains. It works the same with cyber-gangs: if you make it difficult to gain access, they’ll go bother someone else.

Know your network patterns. It’s smart to review logs and usage on a periodic basis. For instance, by examining logs, Covino was able to determine that a user who appeared to be in the United Kingdom was actually in Nigeria: the scammer’s proxy server stopped working for a few moments, revealing the user’s actual location.

Know your customers’ patterns. “You have to understand your customer base and have some information about how they use the site,” Covino says. “It’s impossible to fight this without some of that information.” Just as important, be aware of which user behaviors should be taken as red flags. For Modern Tribe, which sells Jewish-themed t-shirts and other Judaica, that turned out to be large orders for t-shirts with overnight delivery and a shipping address that didn’t match the credit card billing address. The first time the company received such an order, it billed the credit card number and sent out the t-shirts for overnight delivery — and received an irate phone call a few days later from the credit card’s owner, who had not authorized the charge. By then it was too late to stop or recover the shipment, so Modern Tribe wound up eating the cost of the t-shirts and the expedited shipping. However, there was a second order in process that also involved a large number of t-shirts, expedited delivery, and a shipping address that didn’t match the card’s billing address. “We immediately suspected that the second order was also fraudulent, so we looked into it, and when it turned out to be false, we were able to stop it,” says Jennie Rivlin, Modern Tribe’s founder. Since then, she says, her firm has received many such orders, but because they know the pattern, they can take extra steps to make sure an order is real before filling it. “We have had some larger orders where the billing and shipping address didn’t match, so we contacted the customers and it turned out to be fine,” Rivlin says. “But it was well worth taking that extra precaution.”
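The red flags described above, together with the 50-mile distance rule and the country-based rejection from the PayPal question later on this page, as one added order-screening example (not code from Date.com, Modern Tribe, ThinkGeek or any company quoted). The thresholds other than the 50-mile rule, the coordinates and the sample orders are constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class Order:
    customer_id: str
    amount: float          # order total in dollars
    quantity: int
    expedited: bool        # overnight / expedited delivery requested
    bill_addr: str
    ship_addr: str
    bill_latlon: tuple     # (lat, lon) of the billing address, as geocoded
    ship_latlon: tuple
    ship_country: str      # country code of the ship-to address


# Thresholds: the 50-mile rule is the one quoted in the article; the others
# are assumptions chosen for this example.
MAX_MILES = 50.0
LARGE_QTY = 20
SPEND_JUMP = 10.0  # order amount relative to the customer's average past order


def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))  # 3958.8 = Earth radius in miles


def screen_order(order, history, review_countries=(), reject_countries=()):
    """Return (decision, reasons): 'accept', 'review' (hold the order for a
    manual check and a call to the card holder) or 'reject'."""
    if order.ship_country in reject_countries:
        return "reject", ["ship-to country is on the reject list"]
    reasons = []
    if order.ship_country in review_countries:
        reasons.append("ship-to country has a recent uptick in fraud")
    if order.ship_addr != order.bill_addr:
        reasons.append("shipping address differs from billing address")
        if miles_between(order.bill_latlon, order.ship_latlon) > MAX_MILES:
            reasons.append(f"ship-to is more than {MAX_MILES:.0f} miles from billing")
    if order.expedited and order.quantity >= LARGE_QTY:
        reasons.append("large order with expedited delivery")
    past = history.get(order.customer_id, [])
    if past:
        avg = sum(past) / len(past)
        if order.amount >= SPEND_JUMP * avg:
            reasons.append(f"order is {order.amount / avg:.0f}x this customer's average")
    return ("review" if reasons else "accept"), reasons


# Constructed sample data: coordinates are approximate city centres.
ATLANTA, CHICAGO = (33.749, -84.388), (41.878, -87.630)
HISTORY = {"c-42": [50.0, 45.0, 55.0]}   # a regular $50-a-pop customer
SAMPLE_ORDERS = {
    "regular": Order("c-42", 48.0, 2, False, "bill-1", "bill-1", ATLANTA, ATLANTA, "US"),
    "tshirts": Order("c-42", 1000.0, 40, True, "bill-1", "ship-9", ATLANTA, CHICAGO, "US"),
    "blocked": Order("c-7", 60.0, 1, False, "bill-2", "bill-2", ATLANTA, ATLANTA, "NG"),
}


def demo(reject=("NG", "SG")):
    """Screen the sample orders; the reject list mirrors the ThinkGeek example."""
    return {name: screen_order(o, HISTORY, reject_countries=reject)
            for name, o in SAMPLE_ORDERS.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```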

“Never listen to the guy in the pickup who says he’ll take your old equipment away for free,” says Gina Chiarella, COO of e-waste disposal company We Recycle!, Inc. “That’s the quickest way for your data to end up on a flea market table.”

Getting rid of old technology can be hazardous, since there’s very likely sensitive data still on it. Even if you’ve erased and reformatted, computer hard drives contain loads of data you don’t want to let outside of your firewall – e-mails, contracts, planning documents, employees’ personal information, credit cards, and much more reside on these hard drives. Besides identity theft, data loss may leave you or your company liable under federal laws such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley, or under state laws. Criminal penalties include fines and prison terms of up to 20 years, not to mention the civil suits that can result.

As many as 150 million computers are trashed each year, often without having their hard drives erased. According to U.S. Department of Defense standards, secure deletion requires three complete rewrites of the drive before it’s considered clean. But some of the newer forensic data mining technologies could potentially retrieve material that’s been treated to even higher levels of erasure. If the wrong people were to gain access to it, they could hurt a business very seriously.

The best way to eliminate data

“Software that overwrites the whole drive, as the DoD recommends, is the best way to eliminate any data left on it,” said Chiarella. “If companies want to dispose of equipment that contains highly sensitive data and they don’t trust simply erasing, even when that erasure is considered secure, then they can go all the way and take it to a disposal company that uses a mechanical shredder and have the drives destroyed completely.”

If you intend to reuse or recycle the drive yourself, there is excellent software that will do data erasure securely. Any program used for erasing a hard drive should follow the DoD’s clearing and sanitizing standard. A couple of the best are Darik’s Boot and Nuke, a free open-source application, and Eraser, also free, from Irish software maker Heidi, Ltd. Beginning with Mac OS 10.3, Apple enhanced its security by introducing the Secure Empty Trash feature, which follows the DoD standards and overwrites data seven times. If that’s not secure enough for you, download the free program Permanent Eraser from Edenwaith Software, which overwrites your data 35 times.

Disposing of hardware

The problems of e-waste are even more complicated than just data security – the EPA estimates that over 220 million tons of old computers and other tech hardware are trashed yearly in the United States. E-waste contains high amounts of dangerous chemicals like mercury, cadmium, lead, and other toxins and carcinogens, and is often illegally exported to other countries where the material may not be disposed of properly. With too little oversight and regulation, much of this toxic waste ends up in places like Nigeria and China, where local populations now have high incidences of birth defects, infant death, cancer, and other illnesses.

So what can a small or mid-sized business do when it needs to eliminate old equipment responsibly? “We recommend organizations deal with a licensed vendor to dispose of their technology,” said Robert Johnson, executive director of the National Association for Information Destruction (NAID), an international trade association for companies providing information destruction services. “A company interested in the quality and security of its data destruction needs to personally inspect the facilities of any disposal firm before dealing with them. Ask about how they manage their own business, and most importantly find out specifically how they dispose of the e-waste.”

“When getting rid of tech equipment,” said Chiarella, small and mid-sized businesses “should also look at the website of the manufacturers of their equipment to see if they offer a ‘take back’ program for old equipment. OEMs do very good due diligence to carefully and completely dispose of these dangerous materials.” Sony, Apple, HP, Dell, and Lenovo, as well as some other companies, all have programs to take back their products and recycle the materials — but just for safety, make sure you pull the hard drive for secure erasing or destruction. Check the company websites to find out if this is an option for your equipment. Also check with the Electronics Take Back Coalition for more information on companies offering this service.

But while doing the right thing ecologically, make sure it’s done securely and carefully. Dealing securely with the disposal of your equipment and data destruction is something you can’t afford to scrimp on. “Cutting corners,” said Chiarella, “is never a good idea with data security. The fee that is associated with managing data destruction is far less than your cost of exposure of that data.”
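The overwrite mechanics the article describes (several complete passes over every byte, each forced to the storage before the next, then a read-back check), as an added example that is not code from DBAN, Eraser or any other tool named above. It works on a constructed scratch file; the pattern sequence and chunk size are assumptions for the example.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer


def overwrite_passes(path, passes=3):
    """Overwrite every byte of `path` `passes` times and return the pass count.
    Pattern order: all zeros, all ones, then fresh random data for any further
    pass; three passes is the figure the article cites for DoD-style clearing."""
    size = os.path.getsize(path)
    fixed = [b"\x00", b"\xff"]
    with open(path, "r+b", buffering=0) as f:   # unbuffered: writes go straight down
        for n in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                want = min(CHUNK, remaining)
                buf = fixed[n] * want if n < len(fixed) else secrets.token_bytes(want)
                remaining -= f.write(buf)       # write() may be partial; keep going
            f.flush()
            os.fsync(f.fileno())                # land this pass before starting the next
    return passes


def contains(path, needle):
    """Scan the file in chunks, carrying an overlap so a needle split across two
    chunks is still found; return True if `needle` occurs anywhere."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return False
            if needle in tail + block:
                return True
            tail = block[-(len(needle) - 1):] if len(needle) > 1 else b""


def wipe_demo(passes=3):
    """Create a scratch file full of a recognisable marker, wipe it, and return
    (marker_present_before, marker_present_after, size_unchanged)."""
    marker = b"CONSTRUCTED-SECRET-CONTRACT-DATA"   # constructed sample content
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(marker * 5000)                  # ~160 KB, spans several chunks
        before = contains(path, marker)
        size_before = os.path.getsize(path)
        overwrite_passes(path, passes)
        after = contains(path, marker)
        return before, after, os.path.getsize(path) == size_before
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(wipe_demo())   # expect (True, False, True)
```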
Q. Scammers have been downloading software from my website using stolen PayPal accounts. What can I do?
Jerry Montealto, Ecommercemax Solutions, Winnetka, Calif.

Those PayPal accounts may have been swiped with the identity-theft technique known as phishing. Unfortunately, it’s your business that’s on the hook. PayPal’s seller-protection policy covers only physical goods, leaving digital dealers, who must refund scammed customers, out of luck. PayPal is considering extending coverage to digital goods this year, says spokesperson Amanda Pires.

Your best bet is to beef up security. A number of tools let vendors vet orders before granting approval. For example, most shopping cart software can be customized to flag certain orders for rejection or further review. Companies such as Cybersource, based in Mountain View, Calif., also offer souped-up antifraud services. Rates vary, but prices start at $495 a month, plus 12 cents per transaction.

How can you tell if a transaction looks hinky? First, check a map. Flag any order with a shipping address more than 50 miles away from the billing address (a must even for downloadable orders), says Doc Vaidhyanathan, VP of Product Marketing & Corporate Development for Arcot Systems, based in Sunnyvale, Calif. Computer IP addresses are also revealing. Last year, for example, online novelty store ThinkGeek experienced a surge in fraudulent credit card orders from computers in Singapore and Nigeria, so director William Vandais set the site to reject orders from those countries. The site also weeds out orders from places with small upticks in fraud for manual review.

Once you’ve directed an order to step out of line, give it the once-over. For example, make sure that the information on the order form matches that on the shopper’s PayPal account. Check that orders from repeat customers aren’t out of the ordinary: a guy who shells out $50 a pop suddenly slapping down $1,000, say. If an order still smells phishy, call the account holder for verbal authorization, explaining the fraud problem. “You don’t want to make it difficult for people to buy your merchandise,” says Vandais. “But you can’t give it away, either.” You should also estimate how much you spend on refunds each quarter and set aside funds to cover that loss. A few bad orders are going to sneak in no matter how many bouncers you station at the door.

Q. I sell lampshades to niche retailers. Recently, some big chains have approached me. Should I sell to them under private label?
Brandon Grinwis, A’Homestead Co., Lapaze, Ind.

The public doesn’t know from private. If your shades are sold under one name at Wal-Mart and another at Lamps Unto My Feet, consumers won’t get that it’s the same product. As a result, private-label deals have proliferated along with big-box stores, allowing manufacturers to play the field without coming off as a cheap date. But beware: A rose by any other name smells. At least it will to your existing customers if you try to keep them in the dark, says Todd Maute, vice president of marketing at Daymon Worldwide, a marketing firm based in Stamford, Conn., that specializes in private labels. Maute recommends telling your niche customers if you plan to go mass market, assuring them that the private label will protect your brand’s equity.

You can further reassure them by adding value to the products you sell to specialty clients. Mary Swaab, CEO of Colorlab Cosmetics, based in Rockford, Ill., sells $5 lipsticks in plain silver tubes to mass retailers that package them as in-house brands. Swaab sells the same lipsticks to such high-end stores as Saks Fifth Avenue for $11 each. But Saks also gets colorful packaging and the Colorlab logo.

Before signing a deal, determine whether the mass market is for you. Two years ago, Mark Dwight, CEO of San Francisco-based bag maker Timbuk2, backed out of an agreement to sell messenger bags at CompUSA stores under his own label. Sales were great, he says, but his $6 million business couldn’t handle the slim margins and CompUSA’s insatiable hunger for product. Dwight has turned down private-label offers as well; instead he is pursuing a larger share of the specialty market under the name Timbuk2. “The magic and the value of what you are creating in your business is in your brand,” he says.

Looking for answers? Stumped by a thorny business problem? Let Inc. help. Send your questions to Askinc@inc.com.
If you sell your products online, you’re vulnerable to “chargebacks” — disputed credit card charges. Buyers usually win disputes. Visa and MasterCard have threatened fines and account termination for sellers whose chargebacks exceed either 1% of transactions or 2.5% of monthly sales. How can you thwart chargebacks? Here are some tips from the experts.

Ship only to credit card billing addresses. California Computer Center’s monthly chargebacks dropped from seven to three after it stopped shipping to third-party addresses. CEO Kaveh Jabeli believes the remaining chargebacks come not from scammers but from “frustrated” customers.

Beware of certain shipping destinations. Jabeli says that the Nigerian city of Lagos is “known for fraud.”

Display strict return policies. Michael Lee, CEO of MSL Computers Inc., in College Point, N.Y., charges a 15% “restocking” fee for returns.

Take American Express. Merchants report that fighting chargebacks with Visa and MasterCard can be nightmarish, since it means massaging two banks: yours and the customer’s. AmEx, by contrast, handles disputes directly. “AmEx opens a case and acts as a mediator,” notes Jabeli.

Copyright © 2001 G+J USA Publishing