All posts by Alvin Cameron

Fraud and Data Protection is a Process Not a Software Program-Part 2

Every day thieves are able to gain valuable data from an assortment of different company’s. This is done when someone mistakenly clicks on a link in a phishing email message, they or their company receives. This action can install various types of malware that allows access to a company’s system. Some company’s and institutions have unscrupulous or disgruntled employee’s that help the thieves with obtaining the needed information to steal data. Hackers use a number of other proven ways to break into systems and gain access to sensitive data. Security software can only protect from known problems not from new viruses or intrusion programs the thieves are continually developing or adapting.

Examine two ways of how a simple mistake can lead to devastating results for the companies involved. The first case will examine ACH losses and in the second portion of this part of the series, Part 3, I will address a similar type of problem that is little known and gets little if any press but is perpetrated against one of the most vital industries in the world.

Many cases of ACH fraud happen when an employee or company receives a phishing or similar type of email and someone attempts to view the contents of the email. There have been a number of these emails that use enticing titles to make a party curious enough to view the contents, while other emails look like legitimate business correspondence. Once opened or viewed the attachment or link will install a malware program that now allows the thieves to view or receive information that can lead to losses. Obtaining account numbers and passwords is the main goal and will now allow the perpetrator to pretend to be an employee and give the thief the ability to use this information to steal in a number of different ways. Bank wires, payroll, and paying bogus companies for services not performed.

Few companies or individuals understand that banking rules for companies differ from individuals in the amount of time they have to report possible fraudulent ACH transactions. Banking rules allow only 2 days for companies but up to 60 days for individuals. It is imperative for companies to take steps to protect a company’s information from even simple mistakes that can be made.

The simplest way to do this is to have a separate system or laptop that only contains the information and ability to receive and send financial information. This system or laptop should not have direct internet access or have the ability to receive emails or use programs that do not relate specifically to handling the company’s financial needs. This system should be locked up, in the case of a laptop, and locked down in case of a larger system when not directly being used by authorized personnel for financial transactions.

The minor cost in taking these steps can save any company or organization time and money.

Al Cameron

Fraud and Data Protection is a Process Not a Software Program-Part 1

In December 1999, the Wall Street Journal ran an article about generals, admirals, and other military personnel who experienced identity theft and fraud. An invisible party was able to secure enough information to obtain credit cards in the names of these unsuspecting individuals. In turn, this thief ordered thousands of dollars in merchandise with these fraudulent new cards. To make matters worse, this party used the Internet to inform other online thieves how they could steal using this technique. Twelve years later the only thing that has changed is the magnitude of people that are subject to having their identity stolen and the number of attacks companies are suffering. Losses have multiplied many fold since these early days.

Recent history has shown that almost nothing can be completely protected. According to daily articles and reports companies have lost millions of pieces of data to hackers and thieves. Payment processors have had malicious code unknowingly placed on their system that has given the thieves the ability to steal millions of more pieces of personal data. Medical facilities, government agencies, third party email providers, as well as companies and merchants of every type are subject attacks by hackers and thieves from around the world. Sharing information and programs on how to steal data is readily available

Losses and the cost for companies and consumers involved are in the billions of dollars. The easier you make it for people to pay for something without proper controls the easier it is for the thieves to steal and use that same information and techniques. The fine line is how all companies can make it non-intrusive for their customers to purchase the goods or services that are being sold but recognize the non legitimate customers. The more control you require a purchaser to participate in, the less likely they will use that payment method or purchase goods or services from a company.

I believe fraud and data protection systems need to be developed with more granular level reviews, or losses will continue to increase.

In Part 2, I will examine one of many common ways thieves steal millions from under protected companies and systems.

Al Cameron

E-Shoplifting- One Year Later

This year, thousands of consumers worldwide will use the Internet to make their holiday purchases. Online merchants are looking to capture shoppers and their money. Holiday season 2000 will tell the world whether e-companies understand the “Rubik’s Cube Syndrome.”

Similar to the Rubik’s cube, there are three levels of understanding companies should have when they decided to sell via the Internet. First, all sides should be examined for the problems and solutions to the puzzle of profitability. Second, e-companies that attempted to solve the puzzle themselves but realized assistance was needed to succeed. Similar to people that bought the book to assist in solving the Rubik’s Cube, these companies required assistance from qualified companies to assist with problems and strategies. Third, most companies tried to change sales strategies, personnel, and business models — much like the people who kept twisting the Rubik’s Cube in hopes to get the colors matched up.

During the 1999 holiday season, online merchants faced problems attempting to sell their merchandise online. Fulfillment was the number one problem. At the same time, people were creating more sinister stories. The theft of thousands of credit cards numbers from different online merchants that did not have the proper security measures to protect customers’ private information. Statistics show over 2 million credit card numbers were compromised when corporate systems were hacked.

During the last holiday season, I authored an article concerning credit fraud. Few took seriously the ever-growing problem. Most companies were concerned with sales. Few concerned themselves with protecting sales from e-commerce fraud. Fraud has — and will continue to cause – online merchants problems until they take proper precautions.

The government has stepped-up efforts in fighting Internet fraud. Large e-commerce companies have admitted credit card fraud is a problem. An E-Commerce Times article stated that Microsoft spin-off Expedia.com reported quarterly losses of $4 to $6 million in losses to cover fraudulent credit card purchases. The problem of attempted and actual credit card fraud is getting worse for online merchants. Online merchants face 12-times more fraudulent activity than brick-and-mortar operations.

Credit card companies have tightened rules for online merchants who accept credit cards. Many companies will be unable accept credit cards because of new rules. More companies will join this growing number following this holiday season if not properly prepared. Some companies have halted online business because of their inability to stop online losses and their inability to accept payment by credit card.

Most companies still rely on “guessware” software to tell them the validity of an online order. Few online merchants have taken the steps time or hired the personnel to take the steps needed to lower the risk of losing sales. If your company is relying on “guessware” software or the traditional address verification system (AVS), a few minor precautions have been taken to protect online investments. “Guessware” software is programs used to assist online merchants with verifying information provided by the purchaser. It places different values on information supplied during ordering. Points are assigned for discrepancies such as providing a wrong phone number for an area or stating you are a US citizen but your Internet Protocol Address (IP) originates from Europe.

The Internet is changing the way business is done. The speed of the Internet has replaced traditional selling methods. As a result, loss prevention has taken on a completely new meaning. It is no longer necessary for a thief to come to your building to steal or harm your business. With the Internet, today’s new age thieves can get your company to deliver goods to any address. Soon, there will be no need for thieves to fence their stolen goods in dark alleys or smoky backrooms. Most of the stolen items will be sold through public auction sites or chat rooms. Until more secure verification techniques are enabled, making an online purchase is as easy as obtaining credit over the Internet. The process is simple — use someone else’s credit information, obtain a credit line, and start placing fraudulent orders. Total time needed — less than five minutes.

Most businesses mistakenly believe that there is little risk in pursuing sales in a business-to-business (B2B) environment. Eventually, a breaking news story will report the theft of tires, batteries, or even engines from a B2B merchant. New age thieves can order a boxcar full of lumber and have it delivered to a location of their choice with stolen documents and credit information. Although business-to-consumer (B2C) sales have a slightly higher loss rate than B2B sales, the higher price merchandise is found in B2B. Whether your company is developing a B2B or B2C strategy, take the security measures to protect online investments. If new B2B companies do not believe online theft happens, the best example is a stolen car hidden in a shipping container at the docks waiting to go overseas.

As companies consider selling goods and services via the Internet, someone must make sure there are tools and training opportunities in place to protect and assist in the apprehension and prosecution of online thieves. Loss prevention specialists with online expertise are very rare. Where will this new breed of employee come from? If a company employs loss prevention specialists for brick-and-mortar protection, they should start learning what the Internet is and how it might affect losses. If a company does not employ loss prevention specialists, a suggestion is to use a department to protect assets and accounts, and the credit department is best suited. From the directors to the newly trained credit specialists, their ability and desire to protect company assets is unmatched.

Articles state the credit manager’s future role will not only diminish but may completely disappear. These individuals were taught to ask the tough questions and make the hard decisions. When working with the Internet, questions are tougher to answer and the decisions are more difficult to make. Credit managers look beyond the sale of goods and services. Credit managers protect the sale. The skills needed to protect online sales are now being developed. Traditional ways of verifying credit will be but a memory, as high-speed approvals become the norm. High-speed approvals mean higher risks for companies. Credit managers who adapt to the Internet will become invaluable resources for their companies. The largest companies with in-house loss prevention departments will need the credit department expertise when beginning Internet sales. Never before has there been a greater need to combine the expertise of granting credit and preventing loss.

The e-commerce explosion has created new ways to do traditional jobs. Because of this, credit managers and loss prevention specialists who wish to invest the time and effort to re-educate themselves can be at the forefront of a new generation of employees that companies will employ.

Whether your company pays for training or education, the time to start learning about online theft is now. Begin exploring the Internet for fraud related sites. Subscribe to free newsletters to get up-to-the-minute reports on all types of fraud and Internet security problems worldwide. Allow employees time each day to navigate the Internet and keep current with the latest news. The time invested in learning about Internet security will save companies more than wages being paid. Take as many seminars possible. Not only are the seminars on Internet fraud insightful, but also they provide an invaluable opportunity to network with other Internet specialists.

A great difficulty in managing Internet Security is un-learning the way credit and loss prevention has been conducted. Remember that new age thieves are working at the speed of the Internet, and credit and loss prevention departments must anticipate the moves thieves make. Companies will not be able to stop all the attempts at Internet theft, but they can make it more difficult. Once your company has taken the appropriate steps to improve Internet security, online merchants must understand fighting Internet fraud is a process not a program.

Consumers are taking advantage of shopping online. All over the world, people spend significant time shopping. Think of the Internet as the world’s largest open-air market. Items worldwide can be purchased with a click of a mouse. What once was available to the few, now can be purchased by the many. Some basic personal and credit information, the item is yours within a few minutes. Even the basics of life are obtainable through the Internet. Click and you shall receive.

There are many people and businesses using the Internet to purchase goods and services. Thousands more are exploring the technological freedom to do comparative shopping and purchase from merchants worldwide. Many of these customers will state they worry about having their credit information compromised by some unknown party or company. E-commerce companies are trying to convince the online shopper that their site is secure. It is advisable to take more precautions when giving credit information while making hotel reservations or purchasing items over the phone, rather when ordering via the Internet.

Many e-commerce companies are safe and are beginning to take measures to assure thieves will not obtain your credit information. This extra effort made by companies follows daily articles written about hackers stealing credit information. Some e-commerce companies, such as Digital River, were concerned about security from the day they started managing Internet transactions. Similar to most brick-and-mortar companies, some online merchants found tighter security was needed.

The consumer shares the responsibility to take precautions when ordering online. If you are new to online shopping, the first thing you should do is order from secure sites. An easy way to tell is to look for a padlock or a key on the screen. If the padlock is open or the key is broken, it is not a secure site. If unsure, send the company an e-mail requesting how to secure a transaction. If do not receive a reply, find a similar merchant that offers a secure shopping environment. Use a single credit card for all Internet purchases and make sure to keep track of purchases. Purchase confirmation e-mails should be kept in a special e-mail folder. Use one piece of credit information for all purchases. Make sure to use only the billing address on the credit card statement. Using consistent information will assist the merchant in verifying and fulfilling orders.

Treat online purchasing like any new shopping experience. You would not travel overseas and shop at an open-air market without making sure your cash or credit cards were secured. Today, people use the Internet. No pesky sales people, no lines, and you can still negotiate to get a lower price. Find what you want, when you want it. With just a few simple precautions, buying over the Internet can be fun and exciting.

Al Cameron

Does your Protection System Really Protect.

Proper protection of personal and company data is paramount to making a companies or institutions bottom line more secure. Reports have shown that hundreds of millions of dollars have been lost to thieves because of data break-ins and fraud over the last few years. Protecting this data from the ever changing ways that thieves use to steal and use the information is not an easy task nor is it inexpensive.

The best way to protect the people and companies is to know and understand each company and persons’ purchasing patterns. Then program the protection system that is being used for protecting the data to reflex each separate pattern. This will then allow automatic detection of purchases or transactions that do not fit known patterns and appropriate action can be taken to halt most losses.

Companies are concerned with the ease of which their customers are able to use the credit available to them. Many companies would rather risk losses than upsetting a good customer. This philosophy allows thieves from around the world to obtain goods and services by exploiting the levels of protection that many companies have in place. Most companies utilize a proprietary system or an outside fraud detection system that are available from many different companies. Almost every system uses similar types of rules and heuristics. Because of this, if thieves gain enough knowledge to steal from one system they can adapt their methods to steal from most if not all of the protection systems.

Protection systems are normally built to protect specific types of information, financial, medical, ecommerce, trucking, or one of a number of areas companies are involved doing business in. Each of the systems use traditional rules and information protection packages designed for their particular association. As the news reports have shown us over the last several years any type of system are vulnerable to attack as well as loss of the data systems are suppose to protect.

Utilizing a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies in recognizing separate transactions has increased advantages in stopping fraudulent transactions over the standard fraud system. Utilizing this type of system could better serve to protection multiple types of companies as well as recognizing the good customer from even the most sophisticate thief attempting theft.

Al Cameron

Data Protection: Is Your Data Getting the Proper Protection.

There has been an increase in data protection law suits and customer complaints over the last several years regarding how personal information and corporate data is managed and protected. Nearly everyday there are new instances of data breaches occurring all over the world and heavily discussed in the media. . This brings up the question of “Is Your Company or Personal Data getting the proper protection” from the companies and parties you are sharing it with?

Credit card numbers, social security numbers, medical information, and banking information are probably the most written about at this time. How safe is this information? It is only as safe as each company or institution makes it. Data breaches and information theft takes place at the neighborhood corner store, medical facilities, financial institutions, and even government data centers. Sometimes this information is stolen by hacking, disgruntled employees, or even someone in the organization that is just greedy.

Most consumers and employees trust their information to organizations when we read the agreements and “see” the part that information is secure and will be protected. What this really says is “you are required to provide the information to do business with us and we will do our best to protect it.” If an occurrence or breach takes place it now becomes a matter of how the agreement should be interpreted. Over the years it has been shown that the legal system has interpreted agreements differently which only adds to the confusion. Was there a guarantee of protect or only a promise to do the best job possible.

It has been my experience that most organizations take fraud fighting seriously but many do not have the budget or personnel to take the proper steps to protect the information to meet the full extent of their customers’ expectations or perceptions 100% of the time. Most systems do a reasonable job, tracking and capturing information. However, since most organizations have little or no exposure to losses beyond their employees’ time, it is extremely difficult to convince executive management investment is needed to increase the security measures to enhance data protection… This brings up the original question, “Is Your Companies or Personal Data getting the proper protection.”

Until proper security and risk association practices becomes part of the original business and technical processes companies currently utilize as they plan for accepting new payment methods or reviewing older payment methods, losses will continue to plague everyone, and this includes monetary losses as well as data losses. Today’s thieves will continue to utilize sophisticated methods and technological advances to test and steal whatever they can, creating the paradox of how much protection data and information should companies be required to give.

Al Cameron

Beating the Cybercrooks-Assisting Law Enforcement

So, the invisible shoplifter has stolen your product? You may be faced with a credit card chargeback and lost merchandise. You will probably communicate with an angry credit cardholder. The real cardholder demands answers to questions such as: “Why did you take the charge?” “Why didn’t you verify the person ordering was me?” “What are you going to do to make things right?” “I want my money back today.” “You may have had no way of knowing that the order was being shoplifted.” “All the checks and balances showed a good order.” “Have the Internet shoplifters gotten away?”

Here are my suggestions.

1.After reassuring the cardholder that the matter will be taken care of, request they file a police report.

2.Since the crime was the actual use of stolen credit card information or a stolen credit card itself, the victim is the credit cardholder. The fraudulent use of a credit card used in ordering merchandise or services over the Internet is a federal felony.

Since the parties that are ordering the merchandise using stolen credit card information cannot be seen, they believe they will not be found. And falsely believe, they are safe. Unless law enforcement officials become involved or the Internet shoplifters give you their real name and address, they are safe.

If your company has the proper computer programs, tracing most Internet shoplifters is not difficult. A necessary item is software that captures the IP (Internet Protocol) address where the order originated and the exact time of day the order was placed. Without this capability, the only information you and the law enforcement officials have is the information the Internet thief provided. With the IP and the time of the order, the ability to trace the Internet thief’s real identity increases. Obtaining the domain name and the domain administrator’s name can be done with locating programs for sale or are available on the Internet.

After law enforcement officials obtain the proper domain information, they need to supply most domain administrators with court documents to obtain phone numbers and other personal information connected to the account. This information can lead law enforcement officials to the Internet thief. I strongly encourage supplying law enforcement personnel with the IP and time of order information.

Additionally, the cardholder and merchants face problems when trying to find the Internet shoplifter or file a police report. Is your local law enforcement capable or interested in investigating this type of crime? Many law enforcement departments do not have the manpower or expertise to handle Internet crimes. Large and small communities have the same problems — too many crimes not enough resources. According to the Secret Service Web page, crimes committed over the Internet now affect every crime investigated by the Secret Service. The rate crimes are being committed is growing as fast as the sale of computers.

Law enforcement has special units addressing Internet crimes. These new units and investigators tax their resources based on the ever-increasing number of crimes. These crimes are being committed with a faster and better tool. A tool people can hide behind and feel safe. No gun is needed to steal a credit card or check information. No mask is needed to hide their features, only an Internet connection. After the Internet shoplifter receives the stolen merchandise, they can fence the items over the same phone line they used to steal the products.

How can law enforcement or e-commerce merchants expect to manually review every Internet transaction? The Internet enables anyone to attempt to get something for nothing. People, who may never consider going into your brick-and-mortar store to steal, may try to steal from your e-commerce Web site. The shear volume of Internet crime is over-whelming. Additionally; most crimes committed over the Internet are considered white-collar crimes. Serious consequences are non-existent. Hundreds of other crimes law enforcement deals with take priority over Internet crimes, and most merchants are unable to supply law enforcement with enough information to carry out a proper investigation. This creates a negative response for future Internet crime victims when attempting to file a report and seek help from their local law enforcement. It is similar to your wallet be stolen by a pickpocket on the subway. You can report it, but do not expect the police to do anything. No face, no fingerprints, no witnesses, and no wallet.

Merchants that who want to do business on the Internet need to do more than build a Web site. They need to make sure the software used for their Web site captures enough information to assist in the location of Internet shoplifters. Merchants need to provide information that law enforcement needs to investigate the crime. Merchants must also prioritize providing information as quickly as possible. Information and relationships with law enforcement result in arrests and convictions of Internet thieves. Law enforcement officials are surprised at the ease they could solve a case of Internet fraud with the proper information.

The fraud team at Digital River has assisted law enforcement by providing information quickly. The following information was obtained through a survey of law enforcement agencies worldwide. Below are the results and comments:

In April 2000, the Digital River Fraud Department sent out an inquiry to the law enforcement agencies we assisted in the last 18 months. The inquiry consisted of five questions to help us determine if our assistance was beneficial and how to better assist them in the future. Our sample consisted of 70 inquiries. Our response rate was 45%. Our assistance yielded a 59% capture rate; 25% have not been captured; and 16% are still pending.

Perpetrators Caught:19

Perpetrators Not Caught:8

Out of the Country (4)-

Unable to locate suspect (4)-

Pending:5

Total:32

Comments from the different law enforcement agencies:

Law Enforcement Agency Comment
Pittsburgh, Pennsylvania Explanation/Documentation very helpful. Able to determine suspect was not involved in homicide.
Spokane, Washington Suspect up to $50,000 using two aliases. US Postal Service taking over as primary investigator.
Phoenix, Arizona Perpetrator caught in joint effort between FBI and Tucson Police.
Tuscaloosa, Alabama Four arrests made on one suspect; two arrests on another. Information was used to get information directly off suspect’s hard-drive.
St. Paul, Minnesota Interpol, Bureau of Criminal Apprehension and local law enforcement used information provided to capture suspect in Argentina.
Mitchell, South Dakota Pleased private business is interested in assisting law enforcement.
State of Missouri Information given was helpful.
Chattanooga, Tennessee Information given was helpful.
Sarasota, FL

 

Information requested received and suspect pled out in court and was convicted.
United Kingdom Cooperation resulted in the successful arrest of two offenders.
Anchorage, Alaska Information given was “perfect.”
Schofield Barracks, Hawaii Information provided was helpful. Investigation involved about $40,000 in fraudulent credit card charges on government credit cards.
Hackensack, NJ

 

The use of IP Address was of great help. Most companies do not track this type of information.
Lincoln, NE

 

Working with US Postal Service inspectors as well as an investigator at the Sheriff Department. One suspect is out of state and other cannot be found. Confident an arrest will be issued
Palmyra, NJ Information given was helpful.
Incline Village, NV No suspect identified YET
Clarksville, TN

 

If information had not been provided so quickly would not have able to move with investigation.
Marion, OH Digital River was easy to work with.
Northbrook, IL

 

Fraud originated outside of US. Victim instructed to contact Detroit Police due to jurisdiction.
Flint, MI

 

Fraud originated outside of US and could not be pursued.
Canada Information was helpful and more than expected. Case sent to Latvia for suspect identification.

 

Internet shoplifters take chances due to the ability to steal on the Internet without the old risks. They can watch television and, at the same time, shoplift a computer from the comfort of their own home. Most Internet shoplifters believe what they are doing is harmless. It is law enforcement’s advantage most Internet shoplifters do not understand that they leave a type of “electronic fingerprint.” Remember that local shoplifters may strike your company if your brick-and-mortar store is considered an easy target, but Internet shoplifters will attempt to make you their victim if your Web site is an easy place to steal.

Alvin D Cameron

Are You Prepared for the Holiday Season – A Look at Losses

In a little over a week the holiday selling season will begin. Merchants are so anxious to make sales they are not even waiting for what many people consider the official “Black Friday” to begin. Many national merchants will be open at midnight on Friday with a few even opening at 10:00 PM on Thanksgiving.

Millions of people will be standing in line to get the best deals possible. Merchants will have extra people in place to help handle the needs of the people that are trying to make purchases. Will merchants provide adequate protection for the payment methods the people are using?

I have made purchases at many of the national merchants and when things get busy at the registers validation of the signature on the receipt to the signature on the card being used seems to be forgotten. During the holiday season it is especially important for merchants and individuals to take extra precautions to protect themselves.

A large percentage of many retailers income, comes in the 5-6 weeks between Thanksgiving and Christmas. A look at some of the statistics from the LexisNexis True Cost of Fraud Study will provide how important it is for merchants and consumers alike to take precautions especially during the holiday season. It should be noted that the statistics are from 2008 and fraudulent activity has continued to grow.

1) Merchants are paying $100 billion in fraud losses due to unauthorized transactions and fees/interest associated with chargebacks, nearly ten times the cost incurred by banks. Far surpassing bank costs of approximately $11 billion in 2008, merchant fraud losses also amounted to more than 20 times the total value of consumer losses (approximately $4.8 billion). Factoring in the additional cost of lost/stolen merchandise, U.S. retail merchants are suffering a total industry-wide fraud loss of $191 billion.

2) One in five merchants experienced an increase in unauthorized transactions associated with identity fraud, which this study attributes to economic conditions and increased criminal sophistication.

3) Changing consumer payment methods requires a dynamic fraud management strategy. Credit card crimes continue to rise sharply, but alternative payments represent a troubling new source of losses for large merchants.  Credit cards are linked to nearly half of all fraudulent transactions for all merchants, and 50% of large retailers saw an upsurge in credit card fraud in 2008. Fraudsters are taking note of nontraditional payment methods: 29% of large retailers already reported an increase in alternative payments fraud during 2008.

4) Friendly fraud accounts for more than one-third of the total fraud for online-accepting merchants.

Consumers are faced with having their credit card information captured by a skimming apparatuses, loss of the data captured by the point of sale machine, system break-ins that can lead to large number of consumers facing identity theft. Once a credit vessel is compromised the thieves are able to easily use the information either by make a physical card or using the information online to drain the monetary value of that credit vessel.

Merchants should have a verification system that is followed for every purchase. Merchants who only rely on the point of sale machine validation are doing themselves and their customers a disservice. I have been involved in a number of investigations where if the POS terminal gave a validation of the card being used, the sale must be good. One major retailer sold thousands of dollars in gift cards in three days to parties who had skimmed charge cards in another state and then made cloned cards to make the gift card purchases. This is a very common way thieves use stolen credit card information.

Because of the increase in sales and the work involved in processing the data in the sales, it may take several days or even several weeks for a cardholder to find out that their card has been compromised. At this time of the year it takes thieves only a few hours or even a few minutes to use up a credit line associated with a payment method. Taking a few simple precautions can continue to make the holiday season a joyous one.

 

Al Cameron

612-367-7679