Wednesday, September 23, 2009

Preventing Card Skimming Attacks

Credit and debit-card skimming scams have proliferated in recent years and the PCI Security Standards Council’s (PCI SSC) new guidelines hope to help retailers combat skimmers. But are they enough? The PCI Council’s guidelines focus on risk assessments and self-evaluation forms to help retailers evaluate their overall susceptibility. The guidelines also instruct retailers on how to educate employees that handle the POS devices, as well as how to prevent and identify device compromise.

According to Chris Paget, a security researcher, PCI SSC’s guidelines fail to address two key problems: malicious merchants stealing the data themselves, and POS equipment that was tampered with at the factory. The latter refers to supply chain attacks, which require a great deal of coordination and were previously thought to be possible only with the involvement of a nation state. Security experts believe that terminals should have, at a minimum, intrusion protection technology that disables the hardware if it is opened; encryption technology; and a way to sound an alarm if a tamper event occurs. Additionally, customers, and not merchants, should be the ones to swipe their card at the scanner…

Card-Not-Present Fraud in China Set to Increase Dramatically

The Chinese online payment market is predicted to grow dramatically, and so is card-not-present (CNP) fraud. According to Retail Decisions and Chinabank Payment, the online payment market will total $78.7 billion, and estimates suggest it will reach $244 billion by 2012. If the past six months are any indication, China is in for a rough ride: in that period alone there has been 60 percent growth in CNP fraud for China’s airline industry. Chinese airlines and other industries must adopt more rules and more sophisticated fraud detection tools if they hope to battle this increasingly prevalent problem.

ACH Internet Bill Payments May Displace Traditional Checks In 2010

According to Digital Transactions, Internet-based e-check traffic is approaching the transaction volume of traditional paper-based bill payments. If the current rate continues, web-based check payments could surpass paper checks in 2010. Internet bill payments amounted to 94% of the paper-based alternative during the second quarter, compared with 62% in 2005, 64% in 2006, 65% in 2007 and 78% in 2008, according to NACHA’s findings. Additionally, back office conversion, which allows retailers or their processors to convert checks to ACH transactions in their back offices, posted a 288% gain over 2008’s second quarter.

Warning - ACH & Small to Medium Businesses are Being Targeted by CyberCriminals

Brian Krebs of the Washington Post reported that the Financial Services Information Sharing and Analysis Center had indicated that Eastern European cyber gangs are stealing millions from small to medium businesses through online banking fraud. Unfortunately, many of the victims fail to report the crime out of fear that they won't be able to recover losses from their bank. The victims had malicious software planted on company-owned Microsoft Windows PCs, which allowed fraudsters to obtain sensitive online banking information. The fraudsters then wire money to accomplices in the United States, who in turn wire it to the fraudsters overseas. The fraudsters’ use of the ACH network has become of critical concern because of the lack of controls it employs. For example, if I conduct a large fraudulent transaction with a credit card then a red flag will pop up, but if I did the same transaction with an ACH payment it would go undetected.

In a dramatic example, Dwelling House Savings and Loan Association failed after cyberthieves siphoned off $3 million in an ACH scam.

Friday, June 12, 2009

Tips for Small Businesses to Avoid Cash Reserves

How to prevent healthy business growth from becoming detrimental risk

As if the recession were not enough to deal with, small and medium businesses that are growing during these hard times need to be aware that their credit card processor may view that growth as a potential indicator that they are at risk of going under, and institute cash reserves. Unfortunately, the industry has learned from experience that some merchants about to go under commit fraud by processing bogus orders to bolster cash flow, which the processor sees as a spike in sales from the merchant. In a time when bankruptcies and business closures are rising, it is only natural that processors are nervous.

An unfortunate byproduct of this behavior is that legitimate merchants showing too much growth over a short timeframe can also be branded as being at “risk”. For those of you who may not understand how the relationship between merchants and processors works: the processor is on the hook to pay for any consumer losses (chargebacks) if a merchant goes out of business and cannot, or decides not to, cover those losses.

That being said, a spike in sales is not the only reason a processor may want to implement reserves; a number of factors are looked at. The point is that if you are one of the lucky few merchants experiencing growth, you can take proactive steps that could help you avoid the reserves scenario.

Is China Serious about Cybercrime

Domestically

As hacking hits home, China has vowed to fight cybercrime by making examples out of a few cyber criminals but is it enough? China’s antiquated cybercrime criminal code has recently made advances to help address the burgeoning problem that has started to affect small to large domestic businesses. In the past few years, Chinese hackers have started to demand money from small Chinese businesses or else… Typically, the hackers will initiate a DDoS attack against a business and then demand ransom to restore the system back to health. As a result, China has shown that they are putting forth some effort to combat this growing cyber crime problem…

Internationally

China has been called by experts “the world’s malware factory”, and for good reason. The country has developed into a major source of online attacks and zero-day attacks, which target unknown software vulnerabilities. Another article, “In China, $700 puts a Spammer in Business”, describes a valuable tool for spammers and a big problem for security professionals around the world: bulletproof hosting. Usually a web hosting provider will quickly shut down a web site if large amounts of bulk email are sent out directing people to it. With bulletproof hosting, however, spammers don’t have to be concerned about being shut down because of spam complaints. The Chinese registrars simply ignore take-down requests, which creates a grey area for international cooperation. It should be noted that there are several major bulletproof hosting providers around the world, but the vast majority are located in China. If the Chinese are truly serious about combating cybercrime they must address all aspects of internet security. It is true that actions speak louder than words…

The Grass May be Greener in Asia

Despite the financial crisis, Asia has continued to boom and companies are experiencing enormous gains in the region. For example, Alibaba and eBay have shown that resilience, localization and determination are key factors for success. Jack Ma’s Alibaba increased 2008 revenue by a substantial 39% with a net profit increase of 25%. Within this time period Alibaba posted a 41% increase in paying members and a 38% increase in registered users.

Alibaba’s Jack Ma also believes that 2009 is a year of investment. Alibaba has set strategic goals of aggressively pursuing growth through localized versions of Alibaba in Japan, South Korea and India while also expanding its presence in the U.S. and Britain. Alibaba is not alone. eBay has also begun to push its localization strategy deeper into Asia through numerous strategic alliances with companies such as 99bill.com and Gmarket. South Korea’s market leader, Gmarket, has just begun to offer its services on eBay’s existing South Korean market platform. eBay hopes that the synergy will provide it with a valuable platform for further expansion within Asia. As companies around the world push further into Asia, investors may want to do the same…

Telephone Relay Fraud

Not sure what a telephone relay is? A telephone relay is a service that helps the hearing impaired make phone calls to businesses and other entities that may not have a teletype device to communicate with them. The hearing-impaired caller contacts a special operator, who sits in the middle of the conversation and “speaks” the words of the caller to the receiver. Unfortunately, the service has become a new weapon for fraudsters.

The service can be exploited because the caller and the origin of the call are, by law, protected from disclosure to the receiver, which allows scammers to hide their identity. The scam being employed is a variant of the overpayment scam: the fraudster places a call through the telephone relay service, and the “customer” then explains that the delivery service they prefer to use doesn’t accept credit cards, asking the business to wire money to the shipper and to charge their credit card for the total plus shipping. The business ends up burned on both ends, losing the goods and whatever funds were transferred to the shipper, who is in fact the fraudster. Importantly, companies must educate their employees about this type of attack and have them take all precautions even if they feel sorry for the customer.

Supply Chain Attack Targets Chip and PIN

What was once regarded as the final solution to credit and debit card fraud has become a valuable lesson in the creativity, resources and capability of organized fraudsters to overcome fraud barriers. This is not another article about the shift in fraud from card-present carding to cross-border eCommerce fraud. According to US National Counter Intelligence, hundreds of chip and PIN machines in stores and supermarkets across Europe have been rigged to send sensitive card data overseas to fraudsters. The doctored machines were highly sophisticated and are believed to have been infected while being built in China, before they left the production line. Security experts stated that an operation of this scope was once believed to be within the reach only of a nation state’s intelligence service. What some may still regard as a foolproof system is anything but…

The Ill Will Effect on Business

In an article by Glenn Derene entitled "The Ill Will Effect: Who Really Likes Their Telco Provider" in Popular Mechanics, the author discusses a phenomenon called the “Ill Will Effect” and how it can have serious consequences for businesses.

In short, the "Ill Will Effect" describes a market condition where consumers don't trust, or like, a company they are doing business with but feel they have little choice but to use it. At this point I am sure you are scratching your head wondering what this has to do with eCommerce, but I think we can all gain some strategic insight from this article.

The article primarily focuses on telcos and cable companies and how individuals perceive and attach value to their brands. The author points out how some industries (i.e. telecoms and media) have benefited from high initial establishment costs, which limit competition and thus leave consumers with few options. This market dynamic has allowed these companies to worry less about losing customers to competition, and subsequently to suffer from poor customer service and brand risk.

The risk to the brand comes from consumers who may start to view their carrier as the “least evil” option. Once consumers become tired of the poor service they start looking for alternatives that provide similar services for similar costs. In this case large incumbents become vulnerable to smaller start-ups that are more in tune with consumer demands. Large incumbents that want to hold market share must protect their strategic positions by listening to and addressing consumers’ concerns and demands.

Netflix, a small online mail-in DVD rental service, took Blockbuster by storm by offering a more convenient way to rent movies without late fees. Similarly, Skype has used low-cost VoIP to gain a substantial share of the long-distance calling market.

All it takes is a disruptive technology and a small nimble firm with a bright motivated entrepreneur to take their big idea and turn an industry on its head. If you aren't willing to solve your customer's problems with your business model or an industry's business model, all it takes is one great idea to flash inside the head of an entrepreneur to remove the problem from your bottom line.

Finding Real Value in a Stolen Card

Criminals are obtaining more tools to sort through the massive amount of stolen card data and determine which cards are good and which are bad. Several commercial sites have sprung up that offer cybercriminals services to check the balances and limits on cards. They even offer volume discounts! Experts estimate that about 25,000 debit and credit cards are checked daily. These sites provide valuable information to the crooks, and the only obstacles are the ability to read Russian and to pay with virtual currencies such as WebMoney.

How can they do this?

Well, many of these sites are able to hack into the credit card payment networks to conduct “pre-authorization requests”. As you know, a pre-auth places a temporary hold on the account to make sure there is enough money to pay the bill; this happens all the time, from restaurants to hotels. The cybercriminals have no intention of settling the transaction; they just want to see how much money is available on the card.

The cybercriminals have also designed their sites to check the cards using legitimate hijacked merchant account numbers under unrelated merchant names. There have been incidents where merchants have complained to state governments about customers calling and saying, “I didn’t buy that! Why are you charging me?” However, the state has been unable to do anything because the merchants have not experienced any financial loss. The accounts are changed frequently, and the criminals bank on companies using different financial processing systems that don’t share data.
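One way to turn the pattern just described into a detection on the acquirer or gateway side, as an added example that is not code from this post or from any payment processor: it rolls up a constructed authorization log per merchant ID and flags IDs whose pre-authorizations are almost never captured, are spread across an unusually high number of distinct cards, or carry a descriptor that does not match the business registered to that ID. The log layout, field names, thresholds and sample records are all assumptions made for this example.

```python
"""Detecting "card checking" abuse of pre-authorizations.

Added illustration, not code from the FraudBlog post or from any payment
processor.  The log layout, field names and thresholds are assumptions
chosen for this example, and the sample records are constructed.  The
signals follow the post: a merchant ID issuing many pre-authorizations
against many distinct cards that are almost never captured (settled),
and a transaction descriptor that does not match the merchant's
registered business name.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed acquirer-side record of which business each merchant ID belongs to.
REGISTERED_NAMES = {"M100": "JOES DINER", "M200": "ACME HARDWARE"}


@dataclass
class MerchantStats:
    auths: int = 0
    captures: int = 0
    cards: set = field(default_factory=set)
    descriptors: set = field(default_factory=set)


def parse_line(line):
    """Parse one constructed log line of the form
    timestamp|merchant_id|descriptor|card_token|type|amount
    where type is AUTH (pre-authorization) or CAPTURE (settlement)."""
    ts, mid, descriptor, token, kind, amount = line.strip().split("|")
    return {"ts": ts, "mid": mid, "descriptor": descriptor,
            "token": token, "kind": kind, "amount": float(amount)}


def aggregate(lines):
    """Roll the log up per merchant ID."""
    stats = defaultdict(MerchantStats)
    for line in lines:
        rec = parse_line(line)
        s = stats[rec["mid"]]
        s.cards.add(rec["token"])
        s.descriptors.add(rec["descriptor"])
        if rec["kind"] == "AUTH":
            s.auths += 1
        elif rec["kind"] == "CAPTURE":
            s.captures += 1
    return stats


def flag_card_checking(lines, registered_names=REGISTERED_NAMES,
                       min_auths=20, max_capture_ratio=0.05):
    """Return {merchant_id: [reasons]} for merchant IDs whose traffic looks
    like balance probing rather than commerce.  Thresholds are assumptions."""
    flags = {}
    for mid, s in aggregate(lines).items():
        reasons = []
        ratio = s.captures / s.auths if s.auths else 1.0
        if s.auths >= min_auths and ratio <= max_capture_ratio:
            reasons.append(f"{s.auths} auths but only {s.captures} captures "
                           f"(capture ratio {ratio:.2f})")
        if s.auths >= min_auths and len(s.cards) >= 0.9 * s.auths:
            reasons.append(f"{len(s.cards)} distinct cards across {s.auths} auths")
        unknown = s.descriptors - {registered_names.get(mid)}
        if unknown:
            reasons.append(f"descriptor does not match registered name: {sorted(unknown)}")
        if reasons:
            flags[mid] = reasons
    return flags


def build_sample_log():
    """Constructed sample: a genuine restaurant plus a hijacked merchant ID."""
    lines = []
    # Genuine merchant: 30 pre-auths, 28 of them captured, some repeat customers.
    for i in range(30):
        tok = f"tok{i % 25:03d}"
        lines.append(f"2009-03-01T12:{i:02d}|M100|JOES DINER|{tok}|AUTH|45.00")
        if i < 28:
            lines.append(f"2009-03-01T13:{i:02d}|M100|JOES DINER|{tok}|CAPTURE|45.00")
    # Hijacked merchant ID: 50 small pre-auths on 50 different cards, none
    # settled, under a descriptor unrelated to the registered business.
    for i in range(50):
        lines.append(f"2009-03-01T02:{i:02d}|M200|XYZ ONLINE|tok9{i:03d}|AUTH|1.00")
    return lines


if __name__ == "__main__":
    for mid, reasons in flag_card_checking(build_sample_log()).items():
        print(mid)
        for r in reasons:
            print("  -", r)
```

Run stand-alone it reports only M200, with all three reasons; the restaurant's 28-of-30 capture rate and repeat customers keep it clear of every threshold. In practice the capture-ratio signal is the most robust of the three, since hotels and fuel pumps legitimately run pre-auths that settle days later, so the window over which auths and captures are paired matters.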

2008's Record Year for Data Breaches

According to Verizon's 2009 Data Breach Investigations Report, the total number of consumer records compromised in 2008 exceeded the combined total from 2004 to 2007, which has resulted in cheaper black market credit card data. In terms of actual street price, the value of stolen card information has dropped from $10 to $16 per record in mid-2007 to less than $0.50 per record today.


The primary targets for cybercriminals are still the retail and financial sectors, which represented 61% of the 285 million records compromised. According to the report, while the absolute number of attacks was smaller, the cybercriminals and methods involved were very determined, very complex and extremely successful. Three out of four data breaches came from an outside entity, not an insider.

Tuesday, April 7, 2009

FBI Ramps Up Probes of Financial, Mortgage Fraud

Red Bank, April 7, 2009/The FraudBlog Newsletter/- FBI probes into financial and mortgage fraud are growing at exponential rates. John Pistole, FBI Deputy Director, said that the bureau has more than 2,000 open investigations into mortgage fraud and about 566 corporate-fraud investigations. Corporate and financial-institution failures have forced the FBI to focus on accounting fraud, insider trading and financial-statement manipulation. Pistole has expressed concern that the amount of fraud that has begun to surface has actually put a strain on the FBI’s resources for investigating white-collar crime.

Credit Card Details Freely Available on Web

Red Bank, April 7, 2009/The FraudBlog Newsletter/- Details of up to 19,000 Visa, Mastercard and American Express customers were found publicly available on the web. Speculation is that fraudsters posted the data with the intent of selling it to other fraudsters. Numerous internet security experts have voiced concern, noting that it was a rare event for such a complete set of credit card data to be publicly posted for anyone to access.

Bill Me Later finds a Diamond in the Rough

Red Bank, April 7, 2009/The FraudBlog Newsletter/- Bill Me Later will soon allow consumers and businesses to pay their federal taxes through Metavante Corp.'s Link2Gov subsidiary. If the deal goes through, Metavante should gain additional transaction volume and Bill Me Later should gain an increase in loan volume. This partnership will grant Bill Me Later access to the huge and potentially lucrative deep tax-payment market. Taxpayers will have to pay 2.49% of the payment amount in the form of a convenience fee. Metavante plans to enable tax payments by Bill Me Later customers to state, county and municipal governments at an unspecified date.

The Tax Man comes to eBay

Red Bank, April 7, 2009/The FraudBlog Newsletter/- Last year, Congress passed legislation requiring third-party payment processors like PayPal, Google Checkout and Amazon to report individuals and businesses that receive at least $20,000 a year in credit/debit-card payments across more than 200 transactions. Importantly, this required disclosure is part of the Housing Assistance Tax Act of 2008 and will take effect in 2011.

Hacking, Why Not?

Red Bank, April 4, 2009/The FraudBlog Newsletter/- Recent congressional hearings have shown evidence that terrorists are more involved than previously believed in cybercrime. In short, evidence suggests terrorists are actively training new recruits on how to hack into computer systems, run phishing operations and move money using stolen credit cards and bank accounts. In his jailhouse manifesto, Imam Samudra (linked to the Bali terrorist bombing) urged his Muslim radical comrades to declare holy war not on the battlefield but in cyberspace. Samudra describes how America's computer infrastructure and networks are vulnerable to hacking, credit card fraud and money laundering.

Thursday, March 19, 2009

American Express enhances Advanced Address Verification Service (AAV)

Advanced Address Verification (AAV) goes beyond AVS, which compares the billing address provided by the cardholder with the one on file, by also checking the shipping address, email address and phone number. This service is only available on American Express and, due to its recent changes in March 2009, may or may not be supported by your gateway.

How Good Is It?

AAV+ is a real-time solution for merchants doing e-commerce, mail order or phone orders. AAV+ is not the same as AVS: AVS checks the billing address against the one on file with the issuing bank, whereas AAV+ checks the shipping address, email address and phone number on file. The service is provided exclusively by American Express and is intended to verify the billing and shipping addresses when the two differ.

The Fraud Practice Releases their Semi Annual Guide to Alternate Payments

Alternative Payments aren’t necessarily always an alternative anymore.

NEW JERSEY, March 17, 2009/Business Wire/- Alternative payments represent only a fraction of e-commerce total sales today but according to Javelin Strategy and Research, about 1/3 of all online retail transactions ($268 billion) are predicted to be alternative payments by 2013. The explosive growth of alternative payments can be attributed to consumer and regional preferences. As every sale counts in these economic times, it is now more critical than ever that e-merchants understand and offer payment choices based on consumer and regional preferences.

Most merchants view the alternative payment market as a limited competitive field with few real differentiators between the players. More often than not, merchants investigating alternative payments are limiting their discussion to ACH, PayPal, Amazon and Google Checkout. In fact there are a number of payment options and a rapidly growing number of service providers offering them. The Fraud Practice’s Guide to Alternate Payments identifies 8 categories of alternative payment solutions with over 100 service providers offering their services globally. The categories include credit card payments, ACH & bank payments, payment aggregators, credit-term providers, cash alternative providers, advertising/promotional providers, mobile payment providers and invoicing payment providers.

Not all alternative payment options will produce the same results; determining the right alternative payment options for your company means evaluating them based on regional support, consumer preference, customer base and return on investment (ROI).

Regional Support: There is no one payment option that is equally effective in all regions worldwide. Credit cards are accepted worldwide, but while they have dominated the US and Western European eCommerce markets, they have not shown the same dominance in emerging markets such as Africa, South America, Asia and Eastern Europe. In these markets a merchant needs to support other payment options; otherwise it will be limiting its potential customer base to only a small fraction of the overall population.

Consumer Preference: It is not enough to simply find an alternate payment method that is supported in the region you are doing business in; the payment method needs to be one that consumers in the region recognize, trust and want to use. In Germany credit cards are present and used, but they are not the preferred payment method. In Germany the preferred payment method is direct debit, Elektronisches Lastschriftverfahren.

Customer Base: The best alternative payment option has little value if the supported customer base isn’t large enough to warrant the effort to integrate and support it. A customer base should be evaluated on two levels, potential and current. Consider China: 93% of its 1.3 billion people have access to direct debit, while according to China Daily there were just over 100 million credit cards in circulation in China as of June 2008. In contrast, there were over 596 million mobile phone subscribers as of June 2008. In terms of potential, the ranking would be direct debit, then mobile phones, then credit cards. In terms of current use, the ranking would be direct debit, then credit cards, then mobile phones. Mobile payments offer excellent potential in China, but they are not currently the preferred way of paying for services there. Does this mean you should not be looking at mobile payments? Not at all: in some regions mobile payments are the dominant payment method, and three of the top five alternate payment providers are working on plans to support mobile payments.

Return on Investment (ROI): The reasons why a merchant may implement alternative payments vary from access to markets, cost reduction, easier supportability to consumer preference. In a majority of cases, merchants are able to show a favorable ROI on integrating alternative payments in a timeframe that is more tactical than strategic. This is primarily attributed to increased sales from new consumer populations, lower costs than traditional credit cards and better fraud protection.

The Fraud Practice has created the Guide to Alternate Payments to help merchants, service providers and financial institutions make more informed decisions on which alternative payment solutions and providers they should be considering. A Guide to Alternative Payments is a prepared research document, 60 pages in length, intended for organizations looking to gain an understanding of eCommerce alternative payment options. The Guide goes beyond a general market assessment to provide the information businesses need to assess solution options and service providers. The Guide also includes easy-to-understand reference tables on regional service providers (over 80 service providers), preferences and capabilities. Readers should expect to gain:
  • An introduction to the types of solution options available and the service providers that offer them.
  • An in-depth understanding of the market dynamics, vertical market preferences, regional preferences and reasons to implement these services.
  • A discussion on emerging markets where alternative payments are flourishing.
  • A general introduction to the capabilities and services provided by the major players in each of the 8 solution option groups.

While the Guide is available for purchase, The Fraud Practice has added descriptions of the 8 alternate payment categories to its free public Fraud Library. The Fraud Library contains valuable information for merchants seeking information on fraud prevention techniques and eCommerce payments. Thousands of merchants have already turned to The Fraud Practice Fraud Library when they have sought or needed expert advice on simple and complex Card Not Present (CNP) issues.

Will Economic Downturn lead to Increased Fraud?

Not all fraud increases in an economic downturn

Red Bank, March 2 - There have been a number of recent articles outlining how the economic downturn will result in increased fraud, which I believe have inaccurately portrayed the real fraud risks in an economic downturn. I am currently compiling a definitive article on the topic for broader release (internal fraud, friendly fraud, first and third party fraud, organized fraud) but would offer some counter arguments for feedback to some of the assumptions and predictions that are being presented in the press today.


In a recent article from The Wall Street Journal entitled "Small Businesses Face More Fraud in Downturn", the author makes the case that in an economic downturn there is a higher incidence of employee fraud. This is not entirely true: while there may be more attempts, the number of successful fraud cases decreases. In terms of underwriting risk, employee or internal fraud is more likely in times of boom than in bust. Why? Because employers aren't typically paying as close attention to the books, and as long as cash flow is good the focus is on closing business.


What we are seeing in the press is how these fraud cases tend to be more exposed in bust times. Consider the recent investment Ponzi scams that have come to light with Madoff and Stanford: these were not frauds perpetrated in a bust economy; they happened in the boom and came to light in the bust. In times of economic downturn businesses are sharpening their pencils and digging into costs, expenses and cash flow, and this tends to uncover internal fraud that may have been overlooked.


In another article, found on Security Watch and written by Fortify Software, the author theorizes that online fraud will increase by 33% in 2009 because fraudsters are being impacted by the ongoing economic credit crunch and will be selling card data for less money. In short, their premise is that the fraudsters in the card reselling segment are experiencing higher competition for card data and are having to push more inventory to get the same financial yield. They cite the economic recession for the reduction in the average cost of a stolen identity (card number, CVV and expiration date). These identities have dropped from $15.00 18 months ago to $2.00 last October. While I can understand making a correlation to increased fraud due to increased and cheaper supplies of card data, I don't really buy the idea that this correlates to the economic recession. The card data reselling market has become competitive, and the availability of compromised data is high, which means there is more supply than demand today. I am not an economist, but I would be more inclined to believe that price points on compromised cards are falling due to simple supply and demand than that the downturn in the economy is hurting the sales of card resellers.

Legislation in the works that could affect Future Trends in Fraud

New legislation may provide fraudsters with legal loopholes

Red Bank, Feb. 19/The FraudBlog Newsletter/ - The current economic crisis is affecting all of us, but could it also be creating new loopholes for fraudsters to exploit? You may be surprised to learn that some recent discussions could have a very tangible impact on fraud trends down the road.

According to the USA Today article "Job credit checks called unfair" by Thomas Frank (2-13-2009), five states are considering laws that would restrict credit checks by employers. Amid the financial crisis, U.S. states and government officials are calling on employers to stop unfairly screening out applicants who can't pass a credit check. For industries with jobs that involve access to money, such as tellers, cashiers and finance officers, these checks are a necessary step to lower risk. According to the Society for Human Resource Management, about 43% of U.S. employers currently check job applicants for overdue payments on anything from mortgages and rent to credit cards and student loans. While there is no correlation between employee performance and bad credit, there is an implicit risk that employees with financial problems are more susceptible to committing some form of internal fraud if they have access to financial resources. How real is this issue? If you recall our August 2008 newsletter, we reported 5 cases of employee fraud in that month alone, with 4 of those cases being embezzlement through the use of a company credit card (all cases were over $100,000 in losses) and one case of an employee-perpetrated data breach.

Senator Chris Dodd is pushing legislation in the CARD Act to change when application information can be posted to a consumer's credit file. His argument is based on his belief that the policy of credit card issuers of posting information on application attempts, rather than on account activations, changes the consumer's apparent risk exposure and thus produces higher fees and rates for the consumer. Dodd stated, "Too many families are starting to rely upon short-term, high-interest credit card financing to meet basic needs".

The most critical aspect of his plan is that the bill would prohibit providing information about newly opened accounts before they are activated by customers. If this policy were implemented it could create an increase in fraudulent credit card applications. For example, a fraudster could open 10 credit card accounts but wait to activate them until all of the cards have been received. The second through tenth issuers would have no idea that the fraudster had already opened the other accounts when they processed these applications. This could lead to significant increases in per-case identity theft losses.

Layoffs? Watch Out.

Don't learn the hard way about what a disgruntled employee is capable of doing.

Red Bank, Feb. 2/The FraudBlog Newsletter/- Layoffs aren't easy, and most managers find them uncomfortable to perform, but don't let your discomfort be the cause of a potential hack or malware attack from a disgruntled employee. As ZDNet's Larry Dignan reported, Fannie Mae almost learned the hard way what a disgruntled employee can do to a company. In this case a contractor who had root access to their servers was let go, but his root-level access was not removed. He planted malware that would have shut down all of their systems; the impact would have been enormous.

The following is not intended to be a complete list. It is a starting point for managers thinking about protecting their company's exposure in the sensitive area of payments and fraud. If you are letting people go who work in your payments and fraud departments, you should consider:

(Prior to their being notified) - perform an access assessment of the individual:

  • What access did they have to sensitive data?
  • How much do they know about your fraud settings and controls?
  • Are they aware of weak spots in your systems?

(When you notify them) - perform a formal notification:

  • Remind them of confidentiality agreements and their obligations.
  • Have them sign off on the access assessment.
  • Shut off their access to any corporate systems that hold sensitive data or are part of payment processing at the moment they are notified, not days later; that delay is exactly what left the Fannie Mae contractor with root. Cover remote access (VPN, SSH keys, tokens) as well as interactive logins, and rotate any shared credentials they knew.

(After they have left) - perform audits:

  • Look at anything they may have accessed in the weeks leading up to their departure for signs of abuse, misuse or unauthorized access, and confirm that no account of theirs was used after they left.
  • In the event of a hack, malware attack or complaint of a credit card data breach, treat recently departed personnel as part of your investigation.
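The three phases above are mostly log and inventory work, so here is an added example of how they can be scripted. It is not code from the newsletter; the log lines, the access inventory, the user name jdoe, the system names and the departure date are all constructed for illustration. The script reports which sensitive systems the departed person still holds access to, compares their record volumes in the final weeks against their earlier baseline so a bulk pull of card data stands out, and checks for any activity after the termination date, the gap that hurt Fannie Mae.

```python
"""Offboarding audit for a departing payments/fraud employee.

Added example, not the newsletter's own code. All data below is constructed.
Checks performed, matching the three phases of the checklist:
  1. lingering access: sensitive systems where the user is still enabled,
  2. pre-departure anomalies: record volumes and new action types in the
     final window versus the user's own earlier baseline,
  3. post-departure activity: anything done after the termination date.
"""
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical list of systems that hold card data or run payment processing.
SENSITIVE_SYSTEMS = {"cardvault", "fraud-rules", "payments-gw"}

# Constructed access log: (timestamp, user, system, action, records touched).
ACCESS_LOG = [
    ("2008-12-01 09:12", "jdoe", "cardvault", "query", 20),
    ("2008-12-08 10:03", "jdoe", "cardvault", "query", 15),
    ("2008-12-15 11:47", "jdoe", "fraud-rules", "view", 1),
    ("2008-12-22 14:30", "jdoe", "cardvault", "query", 25),
    ("2009-01-05 09:01", "jdoe", "cardvault", "query", 18),
    ("2009-01-12 16:55", "jdoe", "cardvault", "export", 4000),  # bulk pull
    ("2009-01-14 08:20", "jdoe", "fraud-rules", "view", 1),
    ("2009-01-14 08:25", "jdoe", "fraud-rules", "export", 1),   # rules dumped
    ("2009-01-19 17:40", "jdoe", "cardvault", "export", 6500),  # bulk pull
    ("2009-01-28 23:10", "jdoe", "payments-gw", "login", 0),    # after departure
    ("2009-01-12 09:00", "asmith", "cardvault", "query", 12),
]

# Constructed access inventory pulled after the departure: system -> users enabled.
ACCESS_INVENTORY = {
    "cardvault": {"asmith"},
    "fraud-rules": {"asmith", "jdoe"},
    "payments-gw": {"jdoe", "asmith"},
    "wiki": {"jdoe", "asmith"},
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def lingering_access(inventory, user, sensitive=SENSITIVE_SYSTEMS):
    """Systems where the departed user is still enabled, sensitive ones first."""
    still = [name for name, users in inventory.items() if user in users]
    return sorted(still, key=lambda s: (s not in sensitive, s))


def post_departure_activity(log, user, departure):
    """Every event by the user after the departure timestamp. Expected: none."""
    cutoff = _ts(departure)
    return [e for e in log if e[1] == user and _ts(e[0]) > cutoff]


def pre_departure_anomalies(log, user, departure, window_days=21, ratio=10):
    """Compare the final `window_days` against the user's earlier baseline.

    Returns {system: (baseline_records, window_records, new_action_types)} for
    systems where the window volume is at least `ratio` times the baseline or
    an action type appears (e.g. 'export') that the baseline never had.
    """
    end = _ts(departure)
    start = end - timedelta(days=window_days)
    base_recs, win_recs = Counter(), Counter()
    base_actions, win_actions = {}, {}
    for ts, who, system, action, n in log:
        if who != user:
            continue
        t = _ts(ts)
        if start <= t <= end:
            win_recs[system] += n
            win_actions.setdefault(system, set()).add(action)
        elif t < start:
            base_recs[system] += n
            base_actions.setdefault(system, set()).add(action)
    flagged = {}
    for system in set(win_recs) | set(base_recs):
        b, w = base_recs[system], win_recs[system]
        new_actions = win_actions.get(system, set()) - base_actions.get(system, set())
        if w >= ratio * max(b, 1) or new_actions:
            flagged[system] = (b, w, sorted(new_actions))
    return flagged


def offboarding_report(user, departure, log=ACCESS_LOG, inventory=ACCESS_INVENTORY):
    """Run all three checks and return them as one dict."""
    return {
        "lingering_access": lingering_access(inventory, user),
        "pre_departure_anomalies": pre_departure_anomalies(log, user, departure),
        "post_departure": post_departure_activity(log, user, departure),
    }


if __name__ == "__main__":
    for section, findings in offboarding_report("jdoe", "2009-01-26 17:00").items():
        print(f"{section}: {findings}")
```

On the constructed data the report shows jdoe still enabled on fraud-rules and payments-gw, a jump from 78 records queried in the baseline to 10,500 exported from cardvault in the last three weeks, a first-ever export of the fraud rules, and a payments-gw login two days after departure. The baseline is the person's own earlier behaviour rather than a fixed threshold, which keeps a fraud analyst's normal heavy querying from drowning out a real change in pattern.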

I got you once, and I will get you again!

"If a fraudster or fraud ring can successfully perpetrate fraud, you can pretty much assume they will continue to do so until you stop them." D.Montague

Red Bank, Oct. 30 2008/The FraudBlog Newsletter/- While the article "The Hackers Mindset - I did nothing Wrong" by Jon Swartz of USA Today is not new news, it provides good insight into the makeup of a cybercriminal. It focuses primarily on the TJX hackers and gives the typical profile of a cybercriminal: young, male and very computer savvy. Typical as that is, I found the background story about Gonzalez having been caught before so engrossing that I decided to test the profile myself.

So I took a look at a couple of other major cybercrime cases. In the past 60 days there have been three very public and big cybercrime cases, and in each one the cybercriminal was young (all under 30), male and very computer savvy: Albert Gonzalez (TJX breach), Ehud Tenenbaum (Direct Cash Management breach) and Vladimir Tsastsin (EstDomains).

In all three of these cases the cybercriminal had been caught doing this before. In two of the three cases, Gonzalez and Tenenbaum, the individuals were actually given lighter sentences for their first transgression by working with law enforcement after being caught.

In all of these cases, when the cybercriminal was later presented with a weakness in a business's fraud controls or security measures, they exploited it. Regardless of having been caught before, they believed they wouldn't get caught again, and in all three cases they escalated the scope and level of their schemes.

Lesson learned, they don't learn their lesson.

Use your ATM PIN only at ATMs or you'll pay the price!

Always save your PIN for ATM transactions only!

Red Bank, Sept. 1 2008/The FraudBlog Newsletter/- Every time I speak publicly, or when I tell people what I do for a living, I get asked whether it is safer to pay with a credit card or a debit card. My answer has always been to use your credit card, or your debit card run as a credit card, but save your PIN for ATM transactions only. Those of us in the business generally understand our rights and level of protection, but I would imagine few people really understand the actual legal rights and liability limits for each payment type.

If fraudsters strike, you generally have stronger protection with credit cards than with debit cards. With credit cards, under federal law, you're liable for no more than $50 if fraud occurs, and most issuers don't hold you liable for even that much. With debit cards, your maximum exposure is $50 if you report the loss within two business days. Report it after two business days, and you could be liable for up to $500. Wait more than 60 days after the statement showing the fraud was sent, and you could be responsible for the entire dollar amount of the fraud. The difference matters because a debit card draws directly on your bank balance: while a dispute is pending, the money is already gone, whereas a credit card dispute only holds a charge you have not yet paid.

When the Fraudster is Someone you Trust

Friendly fraud taken to new heights.

Red Bank, Aug. 15 2008/The FraudBlog Newsletter/- The number of articles related to internal fraud has risen considerably over the past couple of months. If you are like most fraud managers, your focus has been on stopping the fraudster from coming in the door, not on the fraudster lurking inside. It is easy to overlook how simple it is for employees to copy down customer credit card information, to help a friend exploit a weakness in the company's systems, or to steal directly from the company.

While I don't believe the individuals involved in these cases were criminals who set out to target these companies, I do believe they make a good case for putting in checks and balances to keep honest people honest...

To illustrate my point I have taken quotes from a recent case. These quotes come from the article "Former Sailor Gets 2 years for fraud with Navy Credit Card" by Austin Wright in the Virginia Post on August 10, 2008.

"I know that I'm a good person. I know that I made a bad decision," Gibbs said in court. "I'm aware of all my consequences."

"Her supervisors encouraged this type of behavior," defense attorney David Price said in court. He elaborated after the sentencing that no one monitored what Gibbs and others were purchasing with the government-issued cards.

"For this to go on for as long as it did and for the amount of money that was involved - there's no excuse," Price said. "There are other people who didn't do their jobs right."

Other cases in the news:

Customer Service Representative - An Alaska Airlines call center employee misused credit card data between August 2006 and June of 2008. When processing reservation changes, the employee allegedly diverted payments into her own personal bank account instead of the airline's. The fraud affects about 1,500 customers.

Receptionist - An Illinois Eye Center receptionist used patient information to obtain credit cards and then had the bills mailed to her home. Gast said the theft occurred from August until December of last year. Some of the victims didn't know their names had been used.

Mail Man - four counts of mail theft and one count of defrauding the U.S. Postal Service by using an agency credit card for personal use.

Administrative Assistant - charged more than $240,000 in personal expenses last year on a corporate credit card belonging to a pharmaceutical research and development company, a subsidiary of Johnson & Johnson. Federal prosecutors said she used the card to pay for a 1968 Ford Mustang and a 1969 Chevrolet Camaro and to restore those vehicles. She also used company funds to pay for cosmetic surgery and a cruise vacation, a granite kitchen countertop, a residential air-conditioning unit and American Express gift cards.

Candidate for Sheriff - a candidate for the position of Navajo County sheriff, was arrested July 22 on charges of theft of a credit card and fraudulent use of a credit card, both felonies.

Bank Clerk - The clerk allegedly played a role in a conspiracy to embezzle funds from Sperry Marine Federal Credit Union by using other names to take out loans from the credit union.

Neighbor - Buellton California residents 47-year-old Karen Peterson and 49-year-old Debra Mangino are accused of stealing their one-time neighbor's mail and activating a credit card in his name.

Purchasing Agent - A Navy sailor used a military credit card to steal hundreds of thousands of dollars from the government. Defense and prosecution lawyers agreed this could have been prevented through minimal oversight. From 2006 to 2007, she used the card to buy 162 notebook computers, 65 big-screen televisions and 22 digital cameras, items she and an unnamed co-conspirator sold for cash.

Father - A New York man says he used his son's Social Security number to obtain credit cards and loans from several banks, and from a firm that gave him loans to buy two cars. The crimes occurred between 1997 and 2005.

Credit Card Fraud Officer - A former senior Sussex Police officer who used his force credit card to buy goods for himself has been ordered to pay nearly £100,000.

Sorority Sister - Danielle Sue All, 29, is believed to have charged more than $2,000 on a Purdue University sorority adviser's card reported missing Aug. 5.

Secret Service Informant - charged with breaking into the computer systems of nine of the nation's largest retail companies and stealing more than 40 million credit and debit card numbers.