Preventing Online Fraud
Banks Must Assume Consumers Will Compromise Themselves
Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, says online security measures are failing because current authentication techniques are too basic. Oscherwitz says social networking sites such as Facebook often lead fraudsters to all the information they need to figure out basic log-in credentials.
"The type of information they are putting on these profiles is exactly the type of information organizations might use to validate people online," he says. "[If] you have challenge questions for consumers when they sign on, like, 'What is your favorite book?' or 'What is your birth date? or 'What is your mother's maiden name?' you really need to think about those questions, because those are the types of answers that are also being provided by consumers in the [social media] online space."
Today's cybercrime rings more closely resemble corporations, in the ways they are managed and operated, than the street-corner gangs to which we often compare them. That organization and level of sophistication has helped international rings extend their reach and their range of targets. Beyond financial services, today's fraudsters are hitting the telecommunications industry and the retail industry, just to name two, Oscherwitz says.
"People may target industries for different purposes," he says. "And fraudsters go where the least effective defenses are."
During this interview [transcript below], Oscherwitz discusses:
- How smaller banking institutions and businesses can improve online security;
- The role local law enforcement plays in international fraud-prevention barriers;
- Simple techniques that can curb online-fraud incidents.
Oscherwitz is ID Analytics' chief privacy officer and vice president of government affairs. Oscherwitz monitors and manages compliance with key government laws and regulations for ID Analytics, regularly providing advice to ID Analytics' customers in the areas of privacy, regulation and legislation.
TRACY KITTEN: Cyber attacks are getting more targeted, more sophisticated, and more frequent, and industry experts agree 2011 will be the year that attacks begin trickling down, targeting new areas and smaller organizations that are not well equipped to detect, fight, and prevent emerging fraud threats. Globalization also is playing a role, as cyber attacks launched by overseas cyber thieves and crime rings are targeting more U.S. businesses and consumers. How will smaller U.S. businesses and organizations react?
Global Cyberthreats
I'm here today with Tom Oscherwitz, the chief privacy officer for ID Analytics. Tom, it's no secret that cyber attacks are improving. What are you seeing, especially from a global perspective, and what are you seeing industries do to fight back, and which ones are getting hit the hardest, especially as we look over the course of the next 12 months?
TOM OSCHERWITZ: Tracy, a great question, and it's a pleasure to be here. A couple observations: One is that we are seeing over time the increasing sophistication of fraudsters and the increasing capabilities, and, in fact, the increasing prevalence of organized fraud rings, which are not only operating offline, but online as well. Often, they have the structure of almost modern corporations, where they'll have management. They'll have folks in different parts of the organization with varied tasks, such as one part of the organization might be collecting data; another part might be providing that data to somebody who can obtain illicit goods with it. So, we're seeing incredible increasing sophistication of fraudsters. The other point I would make is that with the Internet there is increasing globalization of fraud, and there is the capability of overseas fraud rings to ply their trade in the United States. For folks with sophisticated technical skills, it's an attractive financial option.
KITTEN: And Tom, when we take a step back and look at the industries and maybe some of these smaller entities that are being targeted, everyone is connected to the online channel, regardless of where they're located. But are there some entities that stand out as being targeted more than others?
OSCHERWITZ: Financial industries have traditionally been targeted. The old adage is, "Fraud goes where the money is," and, obviously, the financial-services industry provides numerous avenues for access to cash. For example, credit cards are obviously a highly desirable target for thieves, because that can be quickly converted into a variety of goods. The telecommunications industry has been targeted for a significant period of time, as have the retail credit card issuers and retailers. So, one thing I would note is that people may target industries for different purposes. Information that you procure in a wide variety of organizations can be used, ultimately, to pursue fraud elsewhere. So if I steal information from a healthcare clinic or from a mom-and-pop grocery store, that information can be used elsewhere. So, to some degree, the targets are widespread, and fraudsters generally go where the least effective defenses are.
Siloed Channels Hinder Online Fraud Detection
KITTEN: You've noted that fraud detection, especially in the online space, is often siloed, which limits its ability to detect fraud across numerous channels, platforms, and sources. Can you explain?
OSCHERWITZ: In my opinion, fraud detection in the online space, in terms of its global response to the problem, is still a little bit where the financial-services industry was five to 10 years ago. There's very much of a siloed approach to the problem. For example, an organization might have a mechanism to check IP addresses; but IP addresses can be covered or spoofed or hidden in much the same way that somebody can spoof a caller ID. People might also have a device-ID check; but people can use public computers to also avoid that. So, one of the challenges is: How do you integrate these various silos of information to get a comprehensive view of risk? And one of the things I would point out is that, especially from the financial-services industry, we've invoked risk-based responses and global responses to identity fraud for quite a while.
KITTEN: One thing I've noted from some of the other interviews that you've conducted is IP geolocation, and I don't know that everyone in our audience is familiar with what that is. Can you give us a little background?
OSCHERWITZ: Sure. One of the challenges for an organization in verifying somebody's identity is that you can present basic identity information like name, address, phone number from anywhere in the world. The question is: Are you actually there? So, if somebody is claiming that they're John Smith from New York, N.Y., but they're actually applying from Estonia, that information is highly informative, in terms of evaluating the likelihood that this person is who they say they are. Some of what IP geolocation does is it links an individual to a specific part of the world, based on underlying information in their IP address.
KITTEN: And gathering that type of information, could some of that be done manually, or does this require some kind of automated solution?
OSCHERWITZ: There are a variety of providers out there that provide IP geolocation services.
KITTEN: And so this would be something that a smaller entity, such as a family [medical] practice or a smaller community bank, might be able to do without a lot of expense?
Fraud Targets the Vulnerable
OSCHERWITZ: Most certainly. But I guess what I would caution is that when people are thinking about their approach, they need to focus, whether you're large or small, on a holistic approach to fraud. By that I mean, look at the multiple channels. Fraudsters do take time to evaluate the defenses of the organizations they're targeting, and one of the things that we've seen at a high level is that overall fraud is plateauing for the bigger customers. And what that reflects, to some degree, is that some of the larger institutions are putting up sophisticated defenses, and this is partly due to new regulations, whether it's the USA Patriot Act or because of the Red Flag Rules. But, bottom line, financial institutions and other leading industries are getting more sophisticated, and the threat is that fraudsters are going to migrate to areas where there are fewer defenses, which are smaller institutions.
KITTEN: Now, getting this broader look at ID is critical, you've noted, but for smaller entities, such as community banks or even a family medical practice, obtaining the software and management tools that provide that level of detailed analytics might be considered unreasonable. But fraudsters are targeting a lot of these smaller entities. What do you think they can do to fight back? Should they partner with a third party?
OSCHERWITZ: There are technologies out there today that allow organizations to get online risk evaluation or identity scores at a relatively low price. They're provided by a variety of providers. So, I think organizations should look at some of the same solutions that larger organizations are using. The challenge, obviously, is to find, as you pointed out, an integration point. The other thing I would say is there are simple, practical things that organizations should do. One of the big things that I find surprising is, going back to the silo concept, how information that's used to verify people is being siloed. ID Analytics recently did a survey on social-networking practices of consumers, and what we found was that about 24 percent of Americans who are using social networks have public profiles, and the type of info they're putting on these public profiles is exactly the type of information that organizations might use to validate people online. So, if you're a small organization and you have challenge questions for consumers when they sign on, like you're asking them what their favorite book is or what was their birth date or mother's maiden name, you really need to think about those questions, because those are the types of questions that are also being provided by consumers in the online space.
KITTEN: I'm going to get back to one of the things that you specialize in, and that is, of course, identity theft. Online fraud, phishing attacks, and many of the other attacks that are perpetrated ultimately try to steal identities. How can smaller businesses ensure that they're adequately protecting consumers' identities, where the security of electronic records is concerned?
OSCHERWITZ: Well, I would say there's two different issues. One issue is security, and the other issue is how you handle information and collect information. I would point to the guidelines of the FTC and the Red Flag Rules, which essentially argue that if you're a creditor, you need to develop a program that can both identify fraud risk issues within your organization, detect them, have a mechanism to mitigate them, and then update them over time. Now, with a small organization, there are some advantages. If you're a small organization, it's quite possible that you're more familiar with your customer base, that you might have traditional customers. So, some of the more complex challenges that organizations have when they're identity-proofing or verifying people whom they've never met before are less of a challenge in the small organization space. So, there are some advantages to being a small organization, in that you might have a better knowledge and more personal and immediate direct knowledge of your customer base.
Fighting an International Battle
KITTEN: And then what about the cross-border nature of this fraud? How can the industry fight back and prevent it when a lot of this fraud is being perpetrated overseas?
OSCHERWITZ: That is an absolutely, incredibly good question. One thing we know is that our national government is working with partners overseas to knock down fraud rings, whether it's the postal inspection service, whether it's the FTC, whether it's other organizations. But it is an ongoing challenge, and there are examples of overseas organizations using mules in the United States, which are individuals who essentially, often unknowingly, help them in their process, where they'll collect goods for the fraudulent organizations domestically, then ship them overseas. So, it is a growing and increasing challenge.
KITTEN: And when it comes to phishing attacks or any type of fraud, really, what role should local businesses play, where communicating with local law enforcement is concerned? And, Tom, do you feel that local law enforcement is really well equipped to track cyberattacks and then adequately communicate some of the information they collect with regional and national law enforcement agencies?
OSCHERWITZ: Well, historically, identity fraud has been a significant challenge for law enforcement, both from the identification of the perpetrators, as well as the prosecution of the crime. From the perspective of identifying the perpetrators, often the victims and the perpetrators are in different jurisdictions, which raises challenges. From the perspective of prosecuting the crime, often these crimes are below the threshold limits of local U.S. Attorneys' offices. So, in some jurisdictions, a U.S. Attorney's office may have a $50,000 threshold on prosecuting a case, but a number of the victims fall in the $2,000 to $3,000 category. Several years ago there was an act passed called the Identity Theft Assumption and Deterrence Act, which created enhanced penalties for fraud victims; but it still remains a challenge. In my best recollection, the Department of Justice and state law enforcement have tried to create regional forces to respond to this problem. The one thing I will say is that often it is helpful to file police reports and to work with law enforcement, because by doing that, you can actually help law enforcement identify a collection of attacks and rings, which then can be prosecuted with appropriate resources.
KITTEN: Yes, and I've talked to a couple of banks in the past, and they've noted that their customers did not file police reports, and that actually made investigations a little bit more challenging. So, that's definitely good advice. And before we close, Tom, could you share with our audience some of the top threats and challenges you see facing smaller financial, healthcare and government entities in the coming year?
Challenges Ahead: Fighting Online Fraud
OSCHERWITZ: A couple things: First, I would say that the good news is that fraud is plateauing overall, from what we see in identity fraud. Now the risk, of course, is, as you pointed out, for small organizations, as fraudsters go to where there's less sophisticated, perhaps, technology. The other thing we're seeing, from a fraud perspective, is the economic challenges that have gone on recently. First of all, we're seeing less and hearing less about first-party fraud. First-party fraud is when an individual manipulates their own identity elements to perpetuate fraud. An example might be that you can't afford your utility bills, and so you manipulate your identity information so you can sign on to your utility service. So, because of the improvement in the economy, we've seen less and less of that.
Secondly, because of the still relatively tight credit conditions, there is a demand to better manage the verification of good customers, which means that fraud doesn't operate by itself; you have to look at fraud within the context of how you treat your customer. If you had a 100-step fraud-prevention technique and you analyzed the personal biography of every applicant, you probably could cut down fraud to almost zero; but you would also have no customers. So, the key is: How do you analyze fraud and protect your customers from fraud while allowing them to do the services and procure the services they want to procure? So, for example, you're signing on to a website or you're signing into your online bank account; you want to create a strategy which allows them to get on in as seamless a way as possible and only put up barriers where there are specific activities, and minimize the burdens for legitimate consumers. So, essentially what this means is you want to minimize the false positives, people who are legitimate being identified as fraud and having to go through extra hoops. And you also want to minimize the false negatives, which are bad guys getting through. It is really important to improve and focus on using fraud detection effectively to manage your good customers.
And the last point, which I discussed briefly earlier, is that in a variety of ways, especially in the online space, there's this issue of siloing. It comes from the social networking space, where verification procedures that institutions are using may not recognize the information that consumers are disclosing elsewhere in their life, and we have to make sure we integrate those. So, we need to really make sure that our fraud-detection systems are recognizing what's going on out there in the social networking space. And, additionally, especially in the online space, we need a more global perspective of risk.