Cyber security: Fraud rises as cybercriminals flock to online lenders

Cybercrime is becoming more automated, organized and networked than ever before, according to the ThreatMetrix Cybercrime Report: Q4 2016.


Cybercriminals are increasingly targeting online lenders and emerging financial services, says Vanita Pandey, vice president of strategy and product marketing, ThreatMetrix.



ThreatMetrix’s report is based on data drawn from its ThreatMetrix Digital Identity Network, which analyzes about 2 billion transactions per month for insight into traffic patterns and emerging threats. The network uses a real-time policy engine to analyze transactions — about 44 percent of which originate from mobile devices — for legitimacy based on hundreds of attributes, including device identification, geolocation, previous history and behavioral analytics.


ThreatMetrix’s data shows 1 million cyberattacks targeted online lending transactions throughout 2016, Pandey says. It estimates the total value of these transactions at about $10 billion. It expects the number of attacks to continue to grow in 2017. Indeed, the number of attacks specifically targeting alternative lending increased by 150 percent quarter-over-quarter in the fourth quarter of 2016. That doesn’t mean criminals have stopped targeting banks: ThreatMetrix says it detected 80 million attacks using fake or stolen credentials during 2016 in the finance sector alone.


It should be noted that attacks are increasing both in number (ThreatMetrix says it detected and stopped nearly 122 million attacks in real-time in the fourth quarter, an increase of more than 35 percent over the previous year) and in proportion: growth in attacks outpaced overall transaction growth, and the overall rejected transaction rate grew by 15 percent.



“Fraud has evolved from being like robbing a house to being a big heist on a bank or institution,” Pandey says.


Increasingly, she explains, cybercriminals are stealing identities and using them to create accounts that they allow to sit and mature, sometimes for years, before leveraging them for crime.


First, she says, criminals buy, trade and augment stolen identity credentials from any of the numerous data breaches that occur with increasing frequency.


“Most of us have been breached, whether you’ve stayed at an InterContinental Hotel, or you had a Yahoo account or you have a LinkedIn password you haven’t changed in four years,” she says.


Those credentials are then used to create new accounts with retailers, banks and e-lenders. E-lenders are frequently targeted, perhaps because the criminals see them as softer targets than more established banks, according to ThreatMetrix.


“They will then use automated bot attacks on a new site to create an account for you,” Pandey says. “If it doesn’t exist, they’ll create an account. If it does, they’ll bring in sophisticated tools to crack your password. They’ll let an account sit and mature for a while. Once your identity has been verified, a lot of times you won’t be stepped up or challenged. Imagine if I have a stable account, I’ve been transacting for two years nicely and then I use my account to buy a big item and change my address, they may not flag that.”


Pandey says ThreatMetrix sees a lot of fraud being committed with accounts that have five or even six years of credit history and a big credit file. Even victims who regularly check their credit reports may not pick up on the fraud, as the criminals take care not to damage their victims’ credit ratings until the accounts mature.
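The gap Pandey describes, where a long-standing account stops being challenged, can be shown with a small scoring sketch. This is an added example, not ThreatMetrix's engine: the rule names, weights, thresholds and sample account are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

# Thresholds and weights are illustrative assumptions, not ThreatMetrix values.
STEP_UP_SCORE = 50
ADDRESS_WINDOW = timedelta(hours=48)


@dataclass
class Event:
    ts: datetime
    kind: str                      # "purchase" or "address_change"
    amount: float = 0.0
    device_id: str = ""
    country: str = ""


@dataclass
class Account:
    opened: datetime
    home_country: str
    known_devices: set = field(default_factory=set)
    history: list = field(default_factory=list)   # earlier Event objects


def naive_needs_step_up(acct, ev):
    """Weak policy: an account older than a year is never challenged."""
    if ev.ts - acct.opened > timedelta(days=365):
        return False
    return ev.kind == "purchase" and ev.amount > 500


def risk_score(acct, ev):
    """Score a purchase against the account's own behaviour; age earns no discount."""
    score, reasons = 0, []
    if ev.kind != "purchase":
        return score, reasons
    past = [e.amount for e in acct.history if e.kind == "purchase"]
    if past and ev.amount > 5 * median(past):
        score += 40
        reasons.append("amount_outlier")
    if any(e.kind == "address_change"
           and timedelta(0) <= ev.ts - e.ts <= ADDRESS_WINDOW
           for e in acct.history):
        score += 30
        reasons.append("recent_address_change")
    if ev.device_id not in acct.known_devices:
        score += 20
        reasons.append("new_device")
    if ev.country != acct.home_country:
        score += 20
        reasons.append("geo_mismatch")
    return score, reasons


def needs_step_up(acct, ev):
    return risk_score(acct, ev)[0] >= STEP_UP_SCORE


def constructed_sample():
    """Constructed data: two quiet years, then an address change and a large order."""
    start = datetime(2015, 1, 15)
    history = [Event(start + timedelta(days=30 * i), "purchase", 40.0, "dev-A", "US")
               for i in range(24)]
    history.append(Event(datetime(2017, 1, 10, 9, 0), "address_change"))
    acct = Account(datetime(2015, 1, 1), "US", {"dev-A"}, history)
    big = Event(datetime(2017, 1, 10, 15, 0), "purchase", 2400.0, "dev-Z", "US")
    routine = Event(datetime(2017, 2, 15, 12, 0), "purchase", 45.0, "dev-A", "US")
    return acct, big, routine


if __name__ == "__main__":
    acct, big, routine = constructed_sample()
    print("naive policy challenges big order:", naive_needs_step_up(acct, big))
    print("behavioural score:", risk_score(acct, big))
    print("routine order challenged:", needs_step_up(acct, routine))
```

The age-based policy waves the large order through, while the behavioural score challenges it and leaves the routine order alone.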


“Due to its surge in popularity, and fast transaction cycles, online lending has become a prime target for cybercriminals,” she says. “Online lenders are under increasing pressure to adopt smarter authentication methods that leverage real-time, behavior-based intelligence to accelerate genuine loans and prevent fraud. This is the only way to thrive in an increasingly competitive market.”


Developing countries becoming bigger players in online fraud game


This type of fraud isn’t limited to the U.S. and other developed nations. ThreatMetrix says it has seen this type of fraud originating in developing countries including Brazil, Egypt, Ghana, Jordan, Nigeria and Macedonia. ThreatMetrix also reports a significant increase in attacks, particularly identity spoofing attacks, from emerging economies including Tunisia, Ukraine, Malaysia, Bangladesh, Pakistan, Serbia, Morocco, Guadeloupe, Qatar and Cuba.


“The fact that developing nations are becoming bigger players in the online fraud game demonstrates the spread of breached identity data to countries across the globe,” Pandey says. “One in four transactions on our network is now cross-border, illustrating a global village economy that’s continuing to take root. Global data breaches are making stolen identity data globally available via the dark web, and this information is traded by organized and networked crime rings.”


How to keep the online digital world safe


With cybercriminals becoming more ambitious and more sophisticated, Pandey says it’s becoming clear that text-based authentication needs to be deprecated. In fact, she says, any static information used for authentication that must be stored by a company is susceptible to a data breach and therefore an outdated way of thinking about secure authentication, identity verification and fraud prevention.


“It is becoming increasingly clear that the only true way to keep the online digital world safe and secure, (and processing transactions in the manner that technology-savvy consumers expect), is by analyzing the digital identity of every online user, an identity that is built on dynamic, shared intelligence harnessed from sources far wider than the individual companies a user transacts with,” the ThreatMetrix report says.


Behavioral analytics and machine learning are the keys to making this work.


“It is only by using this holistic, crowdsourced approach to digital identities that companies can be more confident of accurately differentiating fraudsters from genuine customers,” the report concludes. “In the case of Yahoo, the cookies might have been forged, but the online footprint of those fraudsters would have been markedly different to the genuine users, and it is up to Yahoo to be able to detect that in order to protect sensitive customer data.”

Online security review: Hacking Is About to Get a Lot Harder With Cardless ATMs

A few years back, a friend of mine was traveling from New York City to Paris. After landing at Charles de Gaulle Airport, he reached for his wallet, but realized it was no longer in the back of his trouser pocket. He had been pick-pocketed during his metro ride. All of his cash, credit cards, and debit cards were gone.


Were something like this to happen in the near future, my friend would’ve had a much easier time making it through the next 48 hours, so long as he had his smartphone. In just the last few weeks, a number of banks have announced plans for cardless ATMs. Wells Fargo, J.P. Morgan Chase, and Bank of America are all piloting their own initiatives. The basic idea is that a code will be generated on the banks’ mobile apps that consumers can use to unlock their bank accounts, enabling them to withdraw money from an ATM simply by tapping their device when they’re in front of the ATM.


The smartphone has already established itself as an indispensable device for nearly everyone on the planet, even in some of the most remote and seemingly underdeveloped regions. But with respect to innovations, we are still only scratching the surface. Despite claims that innovation in smartphones may be dying and that the market is becoming flat, there is still plenty of room for innovative, non-trivial design changes and the introduction of new features. In the next few versions of our smartphones, there will be integration with augmented reality, flexible and bendable screens, and even wireless audio and wireless battery charging.


Of course, connectivity of this magnitude has already taken shape, from smart cars to smart homes to targeted advertising. Paying for purchases, therefore, needs to be just as seamless as the rest of our lives are becoming. Thanks to the likes of Apple Pay, Android Pay, and Square, mobile-payments systems are now poised to cause massive disruption. The significant majority, nearly 80%, of Apple Watch users use Apple Pay to pay for both online and in-person purchases. Android has followed suit with its Android Pay system, allowing customers to walk through a physical store and select an item, tap their phone to scan a barcode, and make a purchase without even thinking of waiting in line.


As with any new form of payment technology, though, there’s typically a catch. In mobile banking, the catch is significant when considering the level of security breaches and fraud. Fraud caused approximately $32 billion in losses in the U.S. retail industry in 2014. To mitigate this across in-store, online, and mobile payments, payment companies and card issuers started the move from magnetic stripes to chip-based cards. While that did stymie the losses, it was still predicted in 2016 that there would be about $4 billion in retail fraud in the U.S. And in the U.K., for example, where chip-based credit cards were introduced a decade ago, online fraud rose 79% in the first three years after the introduction of chip-based cards. Similar stories abound in Australia and Canada. So the threat from moving to new payment systems is non-trivial and real, and often inadvertent.


For many banks, though, it turns out that mobile-phone-enabled, cardless ATM transactions have the potential to actually reduce the threat of fraud and security breaches. This is especially true of threats from skimmers, or fraudsters who copy card and ID numbers from the magnetic stripes of the widely used plastic cards in ATM machines.


In ATM skimming, scammers use various kinds of electronics to steal the personal information stored on a card, record the PIN used to access the account, and withdraw cash. First, a fake card reader (known as a skimmer) is placed over the ATM’s real card slot. As unsuspecting users slide their card into the ATM, they inadvertently slide it through the scammer’s counterfeit reader, which then stores the card’s information. To gain access to the bank account at an ATM, the skimmers use tiny cameras hidden on or near the ATM to get a clear view of the keypad, record the tapping activity on the ATM’s screen, and capture the PIN.


That being said, phishers (malicious hackers interested in identity theft or stealing credit card information) have in the past hacked the smartphones of unsuspecting users, often while they were web browsing on public WiFi, to retrieve sensitive financial or personal information. So the only way a phisher could steal a user’s banking info is if he or she was on public WiFi when doing cardless ATM banking.


On the whole, cardless ATM banking provides immediacy, security, and accessibility. Next time a family member desperately needs cash in a foreign land or my child has lost her wallet, I know I can bail them out simply by passing on the code from my phone app to them. All they need to do is to find the nearest ATM.

Online security review: Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks

Argentinian security expert Manuel Caballero has published new research that shows how a website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute his very own persistent JavaScript code while the user is on other domains.


Caballero discovered multiple issues and attack scenarios. Fortunately, they affect only Internet Explorer 11, not Edge or browsers from other vendors.


The bad news is that, according to Net Market Share, IE11 is the second ranked browser version, with a market share of 10.46%, right behind Chrome 55, with 37.27%, meaning it still accounts for a large portion of the online user base, despite its advanced age.


The undying IE popups


In a blog post published yesterday, Caballero demonstrated how a developer could create popups that persist in the browser, even after the user has left the page where the popup’s code was loaded, either by clicking a link or entering a new URL in the browser’s address bar.


According to the veteran security researcher, there’s no limit on how many popups a malicious website owner could show users after they left his site.


The only way users can stop the popups is to close the tab and open a new one. Navigating away from the malicious page in a new tab also prevents the popups from showing up.


Never-ending popups could be used in tech support scams


In a real-world scenario, this Internet Explorer issue could be a handy tool in the arsenal of tech support scammers, shady advertisers, or other scareware operators.


A user leaving a shady page could still receive popups peddling all sorts of products and links, even after he clearly left the previous domain.


Similarly, users that land on tech support scam websites and find a way to leave the site will still receive popups afterward.


If the victim navigates to reputable or neutral sites, such as Google, Wikipedia, Bing, or others, the constant stream of subsequent popups could convince almost any non-technical user that their computer has a real problem, and lead them to dial the tech support number to get help cleaning it.


An IE user reading a Forbes article would receive a malicious ad, and start seeing popups about being infected with a virus. Navigating to one or more new sites in the same tab will still show the same popups, leading inexperienced users on the same path to believe their PC might have real issues.


Despite IE security measure, users can’t block popups


Besides discovering a way to perpetuate popups across different domains, Caballero says another issue could be used to disable the checkbox at the bottom of repeating popups, which IE11 normally offers so that users can block them.



This second issue can be integrated into the first, allowing malicious website owners to create popups that span across multiple domains that are impossible to kill using IE’s built-in popup-limiting system.


Popups are simple attacks. Issue can do even more harm


But popups only scratch the attack surface. The real problem here is that Internet Explorer executes persistent JavaScript code even after users leave a site. The attacker can replace the popup code with anything he wants.


“Let’s say there’s a new zero day and the attacker needs to download 5 megs into the user [‘s browser],” Caballero told Bleeping Computer in a conversation. “How can he make sure he has time to download the bits? With a persistent script, the attacker has time for everything.”


“With a persistent script [like this] you can create a network of bots without installing anything to anyone,” the researcher also added.



IE11 issue is a malvertiser’s lottery ticket


“For example, imagine a malvertising campaign that sets this script and then forces users to make hidden requests to ads,” Caballero noted, explaining that a website owner could use past site visitors for ad fraud.


“[Y]ou [the fake advertiser] buy cheap inventory and then, keep rotating hidden ads for hours, until the user […] closes the tab.”


Even worse, the persistent script issue can be used as a supplement to already existing exploits, improving their success rate.


No patch available


At the heart of the persistent script problem is a universal cross-site scripting (UXSS) bug and Same Origin Policy (SOP) bypass in IE’s htmlFile/ActiveXObject component, which Caballero described in depth two weeks ago, but only recently realized he could use to do more damage.


There’s no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they’ve ignored many of his previous reports.


Caballero has put together a demo page that shows all his findings. Make sure you access the page through Internet Explorer 11.


Last December, Caballero found a way to abuse Edge’s SmartScreen security feature to show warnings on legitimate domains. This issue, too, could be abused by tech support operators, and this one, too, Caballero didn’t report to Microsoft.

Cyber security: Researchers trick ‘CEO’ email scammer into giving up identity

Businesses targeted in email scams don’t always have to play the victim. They can actually fight back.


Researchers at Dell SecureWorks have documented how they identified a suspected email scammer from Nigeria by essentially playing along with the scheme to fool the attacker into revealing his true whereabouts.


Anyone can use these tips, said Joe Stewart, director of malware research at SecureWorks. “We’re letting [the scammers] give us all the information about themselves,” he said.


The email scheme involved a fraudster impersonating a CEO in what’s called a business email spoofing attack. The goal is often to trick a victim into wiring funds to the scammer’s bank account.


Although a business can train its employees to learn how to spot these suspicious emails, that won’t necessarily stop the attack, especially since it’s easy for anyone to continually bombard a victim with emails, SecureWorks said.


Instead, a business’ IT security staff can fight back and disrupt the scammer’s operations. They can do this by first replying to an email scam and pretending to be a gullible victim.


This was how SecureWorks managed to eventually identify an email scammer from Nigeria that targeted a U.S. technology company in November. SecureWorks was brought in to investigate and decided to fool the fraudster into thinking his scheme had worked.


The scammer had tried to trick the technology firm into wiring funds to a bank account by impersonating its CEO. SecureWorks pretended to comply, which caused the scammer to turn greedy.


“He started asking for $18,000,” said James Bettke, a SecureWorks researcher. “And then after that, he said, ‘Oh that’s a typo. It’s a $118,000.’”



To try to identify the scammer, SecureWorks decided to email back a PDF-based receipt indicating the wire transfer had been completed. In reality, the receipt was a decoy that, when clicked on, sent off the recipient’s IP address and other web browser information.


The researchers found that their scammer was using an internet service provider in Lagos, Nigeria, and was viewing the receipt on an iPhone.


SecureWorks continued to play a gullible victim, by claiming the wire transfer had failed. That forced the scammer to hand over details to other bank accounts. The researchers then took that information and notified the responsible bank that these accounts were being used for fraud, shutting them down.


To find out more about the scammer, the researchers sent another decoy receipt of a wire transfer that forced the recipient to enter a legitimate mobile phone number to view the form.


The scammer fell for the ruse. Using Facebook, the researchers found that the entered phone number was tied to a user named “Seun,” which the researchers believe is a real account.


“We know who he is,” Stewart said. “We could report him to the EFCC (The Economic and Financial Crimes Commission in Nigeria). But he didn’t get away with any money.”


So instead, SecureWorks is publicizing information about the fraudster’s scams, including the email addresses he used.

Online fraud detection: PayThink Contextual commerce sputters without deep consumer ties


Every business that uses apps or online platforms to connect with customers knows there’s a major transformation underway in how you do business.


Customer convenience is top priority, while the mechanics of sales and payment transactions are moving out of sight where they are less likely to cause friction that costs sales.


To take advantage of this confluence of technology known as “contextual commerce,” you need to know what it is and what it requires. If your business development plans don’t include reimagining how you will sell to your customers, you risk losing out to competitors that are thinking beyond the traditional e-commerce experience.


The defining idea behind contextual commerce is giving your customers the ability to buy something within the flow of another activity that they’re engaged in. It’s presenting a product or service right at the moment when the buyer might naturally want it, without making them go through a separate commerce or payment experience.


Easy payments are critical: The transaction must occur in the background, relying on stored payment methods rather than making a buyer key in card details. But there’s more to it than that.


Uber — which won its massive user base partly by making payments invisible and freeing riders from worrying about fares and tips — is building out its contextual commerce vision by striking partnerships. For instance, its deal with Hilton to link the Uber app with the hotel chain’s loyalty app makes it easy for travelers to arrange their rides when they are reviewing hotel reservations.


The WeChat messaging platform, which is hugely popular in China, is another example of how users can engage in all kinds of transactions without ever leaving their preferred environment. WeChat users can shop, buy movie tickets, and even pay bills from within the app.


Looking beyond these examples, we can expect opportunities for new contextual commerce business models to arise as stored payment technology finds its way into other environments. Given how much time many Americans spend on the road, one particularly promising new area is the connected car. GM’s OnStar Go platform, which will roll out in automobiles starting in 2017, will feature integration with Mastercard’s Masterpass digital wallet, allowing drivers to buy goods and services from behind the wheel.


Customer trust in the security and privacy of stored payments is essential for contextual commerce to succeed. The growing use of various kinds of e-wallets and mobile payment systems is also helping to put consumers at ease.


The back-end infrastructure to support a contextual commerce ecosystem is taking shape. Tools and interfaces will be needed to easily connect a variety of components, including the merchant’s payment and order management systems (including inventory, logistics and returns); the “context” in which the customer is found (merchants will strike partnerships with complementary businesses, content providers and others); and the customer’s stored payment and shipping information, such as e-wallets.


All of these pieces will need to connect seamlessly so that the customer receives the service they expect, while the payment transaction takes place out of sight.


Coming up with compelling ways to engage your customers through contextual commerce will require you to do three things well:


Gain a deeper understanding of your customers. How, when and why do they buy? Now is the time to make investments in ramping up your data and analysis game. Understand their behavior and what else is going on around their transaction with you, and you may see opportunities for partnerships.


Respect customer preferences. Not everyone wants to be presented with buying opportunities everywhere they turn. Businesses will need to be thoughtful to avoid alienating customers with overly intrusive offers, especially as predictive analytics seek to anticipate consumers’ needs. Remember that what’s convenient to one person may be creepy or annoying to another.


Be alert to all contexts – virtual and real-world. Right now, a lot of focus is on connecting on the virtual plane: Businesses are looking for opportunities to sell within online content such as information, entertainment or gaming, as well as within social experiences such as messaging and social networks. Location-aware and augmented reality technologies will open more opportunities for reaching customers in their real-world contexts as well.


It’s an exciting time to be engaging in tech-fueled commerce. As the contextual commerce revolution begins to get into full swing, make a plan to put your business in the game.

Security and risk complaints online: Police launch bid to tackle dating fraud which sees one victim conned out of £10,000 every three hours


Scotland Yard have teamed up with charities and other forces across the capital amid a spike in fraud linked to dating websites and apps.


According to City of London Police, one victim reports scams linked to romantic liaisons every three hours.


Scam victims lose an average of £10,000 in the UK with almost all fraudsters demanding their targets transfer money within the first month of contact.


The two police forces, alongside charities Age UK and Victim Support, have urged those looking for romance to follow dating tips in order to avoid financial misery.


Advice includes never sending money to someone you have met online and searching any potential dates on the internet alongside the term “dating scam”.


Detective Inspector Gary Miles, from the Met’s Falcon Unit, said: “The people who perpetrate this type of offence are ruthless, organised, committed and without conscience to the pain, embarrassment and financial loss they cause to their victims. Their methodology is sophisticated.”


Andrew McClelland, CEO of the Online Dating Association, added: “People spend much of their lives online, communicating and meeting new people via dating services or social networks.


“Fraudsters will normally try to move you away from the service as soon as they can, so we encourage users to continue communicating via the dating service which helps dating providers to detect fraudulent behaviour.


“Millions of people have found their partners through online dating but if you think you suspect fraudulent behaviour, please always report it to the dating provider as well as the Police; that way we can make it even safer for all users.”

Security and Risk Online: Fintech firm Zeta launches card with anti-fraud measures

MUMBAI, NOVEMBER 24: Serial tech entrepreneur Bhavin Turakhia is now betting big on his latest venture Zeta. Having earlier facilitated exchange of meal vouchers through its app, the digital payments company on Thursday launched a secure payment card, Zeta Super Card, marking its foray into the B2C space.

The card comes with anti-fraud security measures such as geo-tagging, dynamic PIN and location shield for authenticating payments.

“So far, Zeta has been a B2B product. With this launch, we intend to offer a mechanism of digital transaction that is 10 times more secure than any other mode available today,” Zeta co-founder and CEO Turakhia told BusinessLine.

“We have built four security mechanisms in Zeta.”

The MasterCard-powered card can be applied for through the company’s app or website. RBL Bank is the issuer of the card, while Zeta is the technology provider. A customer can begin using the card by transferring funds from their bank accounts or debit/credit card via the Zeta app.

Anti-fraud measures

The card, which can be linked to a user’s existing credit/debit cards, comes with a SuperPIN that replaces the static four-digit pin and the SMS-based one-time password with a dynamic six-digit pin, generated on the app for every transaction.

Further, it also comes with a location shield. Using geo-tagging, Zeta tracks and matches the location of the transaction and the place where the pin is generated. In case of a mismatch, the transaction is blocked.
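The article does not say how Zeta builds the SuperPIN or the location shield, so the following is an added sketch and not Zeta's code. It assumes a time-stepped HMAC one-time code in the style of RFC 6238, a 2 km distance limit and a 30-second step; the secret and coordinates are constructed sample values.

```python
import hashlib
import hmac
import math
import struct

PIN_STEP_SECONDS = 30     # assumption: a new PIN every 30 seconds
MAX_DISTANCE_KM = 2.0     # assumption: tolerated gap between phone and terminal


def dynamic_pin(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Six-digit code from HMAC-SHA1 over the time step (RFC 4226 truncation)."""
    counter = unix_time // PIN_STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class Authorizer:
    """Issuer-side check: PIN must be fresh, unused, and generated near the terminal."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_steps = set()

    def authorize(self, pin, pin_location, terminal_location, now: int) -> str:
        step = now // PIN_STEP_SECONDS
        for s in (step, step - 1):            # previous step tolerates entry delay
            expected = dynamic_pin(self.secret, s * PIN_STEP_SECONDS)
            if not hmac.compare_digest(expected, pin):
                continue
            if s in self.used_steps:
                return "blocked: pin already used"
            self.used_steps.add(s)            # a matched PIN is consumed either way
            if haversine_km(pin_location, terminal_location) > MAX_DISTANCE_KM:
                return "blocked: location mismatch"
            return "approved"
        return "blocked: wrong or expired pin"


# Constructed sample values.
SECRET = b"12345678901234567890"
PHONE_MUMBAI = (19.0760, 72.8777)
SHOP_MUMBAI = (19.0800, 72.8800)
SHOP_DELHI = (28.6139, 77.2090)


def demo():
    now = 59
    pin = dynamic_pin(SECRET, now)
    local = Authorizer(SECRET)
    remote = Authorizer(SECRET)
    return [
        local.authorize(pin, PHONE_MUMBAI, SHOP_MUMBAI, now),      # genuine purchase
        local.authorize(pin, PHONE_MUMBAI, SHOP_MUMBAI, now),      # replayed PIN
        remote.authorize(pin, PHONE_MUMBAI, SHOP_DELHI, now),      # PIN used far away
        remote.authorize("000000", PHONE_MUMBAI, SHOP_MUMBAI, now),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```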

Also, the card can be disabled using the app. Users can also authorise online payments using a swipe action on the app, doing away with the need to punch in an SMS-dependent OTP.

“All these provide added security to the user,” Turakhia said.

“With India’s digital payments industry expected to touch $500 billion by 2020, it is essential that card payment systems offer completely secure methods to safeguard users from all possible threats.”

In August, Bhavin and his younger sibling Divyank sold, an ad-technology company they had founded in 2010 with personal investments, to Chinese investors for a whopping $900 million.