
04 July 2003

Executive e-Security Digest


  commissum, that which is entrusted

Headlines

Hackers masquerade as Best Buy to steal credit-card details

E-mail scam targeting eBay users for identity information

New twist to data-matching fight against Internet fraud

Biometrics meets e-commerce

Crackdown on identity theft

Task force to target computer crimes in Hawaii

Other items

What is Identity Management?

and finally ... on the subject of trust

Hackers masquerade as Best Buy to steal credit-card details

CNET News.com, 20th June 2003

An email purporting to be from the electronics chain is directing would-be victims to a fake Best Buy Web site.

Best Buy moved on Thursday to limit damage from an email scam that sent potential victims to a look-alike Web site in an attempt to persuade them to give up their credit-card information. 

The Minneapolis-based electronics and consumer-goods chain consulted with both the Federal Trade Commission's identity-theft group and federal and state law enforcement to try and track down those responsible for an email message that apparently started circulating on Wednesday.

commissum comment: A familiar scam perhaps, but the news has hit the headlines and caused business disruption, embarrassment and potential loss of customers for Best Buy and its subsidiaries. The irony is that the scam email used the subject of fraud to defraud Best Buy's customers: it alerted readers to the theft of their credit card details and asked them to click on a link to Best Buy's Fraud Department, which instead led to a fake web page that gathered their personal information and credit card details. A classic case of social engineering playing on human weakness - in this case the fear instilled by a potential fraud overriding any inclination to check the identity, source or veracity of the information.

Best Buy became aware of the problem when customers called in to complain, and the company responded with a press announcement, emails to its customer base, recorded warning messages on its telephone help lines and a notice on its web site. Best Buy insists that its systems were not compromised and that it is fully cooperating with the FBI in an investigation. However, a worry for Best Buy should be the threat this incident poses to the credibility of its fraud department.

It is not clear how many of Best Buy's customers fell victim to this scam. This scam may be an old trick but unfortunately it is not surprising that it works; at the risk of being seen to bang our old drum about awareness here at commissum, we would point out that although awareness would not stop this type of fraud from being attempted, it would significantly reduce the chance of it succeeding.

E-mail scam targeting eBay users for identity information

PressofAtlanticCity.com, 20th June 2003

A new e-mail scam, seen Thursday in southern New Jersey, targets eBay users and seeks to ferret out vital financial information that can be used to destroy a person's credit history.

As you read this, the Web site aimed at stealing your credit history is gone:

www.ebay-validations.com

Through programming sleight of hand, the site was online Thursday, hidden behind free, low-cost and stolen Internet services. The site undoubtedly will appear again. Whoever the real owner is has registered the domain name through January 2004. Sooner or later, e-mail will go out to eBay users worldwide with what appears to be a legitimate request for credit information.

"I don't think the average person will know this one's a scam," said Michael Stein of the Computer House in Absecon.

"All of the links work, and the page looks real," he said. "All but one of those links goes to eBay."

commissum comment: This is not the first time eBay has been in the headlines for a security-related incident, nor, we suspect, the last. In the US, complaints about online fraud tripled in 2002, with auction fraud continuing to be the most frequently reported, according to figures from the Internet Fraud Complaint Center (IFCC), a partnership between the FBI and the National White Collar Crime Center. The IFCC reports that, for the third year running, internet auction fraud was the most reported offence, comprising 46% of referred complaints.

Online security breaches and fraud result from the exploitation of a wide variety of vulnerabilities, including the human element through social engineering. A primary underlying issue, however, is the apparently anonymous nature of the internet, which goes back to its origins. To counteract that anonymity, a robust identity management infrastructure underpinning the e-commerce service offering is fundamental.

New twist to data-matching fight against Internet fraud

CNET News.com, 19th June 2003

VeriSign will match Internet addresses' physical locations with cardholder details in an attempt to quell scams.

In a bid to beat Internet fraud, VeriSign is introducing a service for merchants that will compare credit card numbers, the names of cardholders and the Net address of buyers to spot scams.

The Internet services company announced on Wednesday a new Fraud Protection Service that ties geographical information from its domain registry database -- which is managed by VeriSign's Network Solutions -- to timing data from its credit card clearinghouse service. The technology, which the company has tested during the last 18 months on its own business, will identify transactions that have an unacceptable probability of being fraudulent.

commissum comment: All statistics show that online identity theft and fraud have increased dramatically over the last few years. As Stratton Sclavos, Chairman and CEO of VeriSign, put it, "While e-commerce has grown by nearly 74 percent in the past year, the amount of fraudulent transactions has grown even faster, jumping 114 percent." Clearly something needs to be done to curb the growth of online fraud, but will VeriSign's newly launched Fraud Protection Service cut it?

The service rests on identifying transactions that have an acceptable probability of being correctly classified as fraudulent. That probability is calculated by evaluating a transaction against rules derived from information collated on different kinds of fraudulent patterns and behaviour. VeriSign claims that, at the flick of a switch, the service will recognise 50% of fraudulent transactions on a merchant's system.

commissum's view is that, at first glance, this figure seems high, and it would be interesting to see whether the metric holds for the majority of merchants. The other issue to consider is the efficiency and cost-effectiveness of the service. Like any service, it comes at a cost: in this case a monthly subscription plus a per-transaction charge. As we understand it, the service works by classifying a transaction as potentially fraudulent; if a transaction appears fraudulent it is stopped before money changes hands, the merchant is notified by phone or email, and the transaction only resumes once the merchant has verified it with the customer. On the face of it, the upfront costs (subscription plus cost per transaction) may seem reasonable. However, if more genuine transactions than fraudulent ones are stopped and investigated, this will incur further cost.
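The kind of matching the service is described as doing (the buyer's network location against the cardholder's details, plus timing data, combined through rules) and the false-positive cost raised above, as an added Python example that is not part of the original digest or of VeriSign's product; the country lookup, rule weights, threshold and sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for an IP-to-country lookup (assumption: a real
# service would query a geolocation or registry database instead).
IP_COUNTRY = {"203.0.113.": "AU", "198.51.100.": "US", "192.0.2.": "DE"}

def ip_country(ip):
    return next((c for p, c in IP_COUNTRY.items() if ip.startswith(p)), "??")

@dataclass
class Txn:
    card: str              # tokenised card reference, never the PAN itself
    billing_country: str   # country from the cardholder's billing address
    ip: str                # address the order was placed from
    amount: float
    ts: datetime
    genuine: bool          # constructed ground truth, for the tally below

VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3    # attempts per card within the window before it counts
HOLD_THRESHOLD = 50   # score at which the merchant is asked to verify

def score_batch(txns):
    """(txn, score, reasons) per transaction, in time order; a score at or
    above HOLD_THRESHOLD means 'hold and verify', not 'decline'."""
    seen = defaultdict(list)   # card token -> timestamps already processed
    results = []
    for t in sorted(txns, key=lambda t: t.ts):
        score, reasons = 0, []
        if ip_country(t.ip) != t.billing_country:   # location vs cardholder
            score, reasons = score + 40, reasons + ["ip/billing mismatch"]
        recent = [x for x in seen[t.card] if t.ts - x <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_LIMIT:         # timing data
            score, reasons = score + 50, reasons + ["card velocity"]
        if t.amount >= 500:
            score, reasons = score + 25, reasons + ["high value"]
        seen[t.card].append(t.ts)
        results.append((t, score, reasons))
    return results

def evaluate(txns):
    """Holds split by ground truth: each hold costs a verification call."""
    held = [t for t, s, _ in score_batch(txns) if s >= HOLD_THRESHOLD]
    fraud_held = sum(1 for t in held if not t.genuine)
    return fraud_held, len(held) - fraud_held

# Constructed sample batch: a traveller buying from abroad (genuine), a foreign-origin fraud attempt, one card tried repeatedly.
T0 = datetime(2003, 6, 19, 10, 0)
SAMPLE = [
    Txn("tok-1", "US", "198.51.100.7", 45.0, T0, True),
    Txn("tok-2", "US", "203.0.113.9", 900.0, T0 + timedelta(minutes=1), True),
    Txn("tok-3", "DE", "198.51.100.20", 120.0, T0 + timedelta(minutes=2), False),
] + [Txn("tok-4", "US", "198.51.100.21", 30.0, T0 + timedelta(minutes=3 + i), False) for i in range(4)]
```

On the constructed batch the rules hold one fraudulent transaction and one genuine one (the traveller), while the single foreign-origin attempt stays under the threshold; tightening the weights raises both counts together, which is the trade-off the merchant pays for.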

In the absence of merchants taking appropriate measures to protect themselves against fraud, this could prove to be a valuable service. However, the uptake of the service remains to be seen, and it will ultimately come down to merchants deeming the service cost effective.

Biometrics meets e-commerce

Business Week, 20th June 2003

Personal traits such as vocal or typing patterns could soon serve as powerful fraud-prevention tools for online shoppers

Scammers, spammers, e-grifters -- E. Lee Falls has encountered them all, and he has the bruises to prove it. Falls is CEO of Electracash, a Long Beach (Calif.) company that processes checks for e-merchants. That means he handles payments for a chunk of the 20% of Web shoppers who choose not to put their credit-card numbers online every year. Electracash processed 1.2 million payments in 2002, and Falls says 5% to 10% of them came from cheaters and crooks.

His problem, which lies at the root of e-commerce, is simple: Neither he nor anyone else can identify the person making a purchase on a distant computer. Passwords and PIN codes can be stolen, or even guessed. Know what the most common password is? full story

commissum comment: Security experts have been talking about biometrics for a number of years, and for good reason - biometrics has much potential for addressing identity issues. Even though fraud has had an impact on e-commerce, be it direct financial loss, reputation damage or a curb on exploiting new business opportunities, the industry's embrace of biometrics has been very slow, verging on non-existent. This has mainly been due to past lack of confidence in the technology, and to cost.

Increasing fraud, maturity of the technology and lower costs are making biometrics a more viable option for e-commerce. It is encouraging to see that companies like Electracash are continuing to take steps to embrace and move this technology forward. With increasing terrorist activities and national security concerns, it also comes as no surprise to see that the US government is equally turning to biometrics for more robust identification.

It is commissum's belief that attitudes towards the adoption of biometrics are likely to take a turn in the not too distant future. There are many different approaches to biometrics, and each comes with its own challenges, but a main barrier to adoption is cost. Social arguments aside, adoption will only really take off once the economics of biometric solutions prove to be viable.

Crackdown on identity theft

BBC, 18th June 2003

A fraudster could be arrested for mere possession of a false document, in a new attempt by the government to stem the rising tide of identity fraud. 

The new measures would mean criminals who were caught with stolen documents, such as fake passports or driving licences, could face up to two years in prison.

commissum comment: Governments in the west are taking identity theft increasingly seriously following recent incidents in which millions of credit card records and users' personal data were stolen. The new attention paid to money laundering and terrorism is also helping the cause.

Identity theft is the fastest growing type of fraud in the UK and costs Britain £1.3 billion a year. In a new attempt to crack down on it, the government has recently announced proposals under which a fraudster could be arrested for the mere possession of a false document if they could not prove a reason for possessing it. It is not clear what percentage of identity theft is conducted online, but it is certain that online fraud is growing in scale and sophistication; a legal framework to back up the initiatives organisations are taking is essential, but it needs to take into account the inherent complexities of online identity theft and fraud.

Task force to target computer crimes in Hawaii

Honolulu Advertiser, 18th June 2003

U.S. Attorney Ed Kubo Jr. is forming a cybercrimes task force in response to what he calls an "increasing number of problems" with identity theft and fraud on O'ahu.

"It's of substantial federal interest," Kubo said.

O'ahu has seen a spike in the number of identity theft and computer fraud complaints, Kubo said.

Cybercrime is a large state and national concern, investigators say. The formation of a cybercrimes task force comes at a time when computer crime numbers are rising all over O'ahu and the nation.

commissum comment: With an explosion in online identity theft and internet fraud, it is encouraging to see governments and intelligence agencies continuing to take pro-active steps towards addressing online crime. Technological solutions and business processes provide baseline protection against the threats, but do not act as a deterrent to crime. A reduction in incidents and control of the problem can only be achieved with an adequate legal framework under which law enforcement officials, intelligence agencies, businesses and the public can work together to bring online criminals to justice.

What is Identity Management?

On the face of it, identity is a simple concept to understand. We have been using digital identities in some form or other for years: at ATMs, sending e-mail, logging on to our computers at work, and in various other activities that require us to identify ourselves. However, while the basics are well understood, identity is an issue currently occupying the minds of governments, commercial organisations and technology vendors alike.

So why is identity important? At the most basic level, identity proves who or what somebody or something is. The concept could be the subject of fierce philosophical debate (not least within commissum), but it is core to secure networked computing. Every user, resource, object, device, program and so on must have a unique identity, and, depending on the entitlements attributed to that identity, is authenticated, authorised, granted access, administered and transacted with accordingly.

When conducting business electronically, it is essential that commercial organisations and governments can trust the identities of those with whom they do business, and that they reciprocate an acceptable level of trust and assurance. The challenge for the information security industry has been to provide a secure yet cost-effective identity management solution that establishes this trust.

The need for competitive advantage has driven organisations to open up their networks to customers, employees and business partners. This brings the benefits and new opportunities of e-commerce, but also higher business risks and a more complex identity management problem. In an environment where users can be anyone, anywhere, accessing resources at any time, the level of trust and the strength of the authentication mechanism will depend on the attributes of the resource, the access method and the device used. For example, a password may suffice to authenticate a user accessing information of little value from a PC with a trusted internet address on the LAN, whereas multiple authentication mechanisms, including biometrics, might be required to authenticate the same user accessing a critical business application from a laptop or PDA over the internet.

The current industry approach to identity management holds that the only way to prove identity and provide trusted access to resources is by reference to a secure, efficient and trusted directory service. A secure directory coupled with single sign-on is the basis on which today's technologies are designed: a user signs in to the network once, and the identity profile and its associated business and security policies are applied throughout the logon session. This, arguably, is where the real value of identity management lies.

Identity management is playing an important role in the advancement of e-business, and the level of activity in this area has been very significant in the last twelve months. It is a rapidly emerging and evolving industry. Announcements of new identity management solutions from major technology players, new business models supported by emerging standards for federated identity, and government online initiatives all illustrate its growing strategic importance and the beginnings of a roadmap for digital identity. These measures, combined with appropriate investment in the technologies and a more effective legislative framework, will be a major factor in driving more consumers and businesses online, improving consumer confidence and allowing businesses to thrive in a world of opportunity and profitability.

Unfortunately, the security breaches hitting the headlines show how common it still is for systems to be compromised, with damaging publicity both for the businesses directly affected and for e-commerce in general. Even with the adoption of the identity management technologies proposed, security breaches will continue to plague the industry; social engineering attacks, misconfigurations and software engineering flaws will persist, as conventional crime has for centuries. Nonetheless, as with any mature information security management programme, the objective is to manage and control risk rather than to believe in unrealistic concepts such as total security. Looked at in this way, identity management technologies have a role to play: they are a useful addition to the risk-control toolkit, but only where appropriately selected and integrated within an adequate security architecture.
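The adaptive policy sketched above (a password from a trusted PC on the LAN, stronger and more varied factors for a critical application reached from a laptop or PDA over the internet), as an added Python example that is not part of the original digest; the LAN range, resource levels, device classes and method list are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the organisation's trusted internal LAN (an assumption).
TRUSTED_LAN = ip_network("10.20.0.0/16")

# Assurance level each resource demands, 1 (low-value data) to 3 (critical).
RESOURCE_LEVEL = {"canteen-menu": 1, "hr-portal": 2, "payments-admin": 3}

# Factor category of each authentication method; a category counts once,
# so two possession factors never add up to a second category.
CATEGORY = {"password": "knowledge", "otp-token": "possession",
            "smartcard": "possession", "fingerprint": "inherence"}

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    device: str        # "managed-pc", "laptop" or "pda"
    source_ip: str
    methods: tuple     # authentication methods actually presented

def required_level(req):
    """Raise the resource's base level when the device or network is less
    trusted than a managed PC on the LAN, capping at the top level."""
    level = RESOURCE_LEVEL[req.resource]
    if ip_address(req.source_ip) not in TRUSTED_LAN:
        level += 1                 # request arrives over the internet
    if req.device != "managed-pc":
        level += 1                 # laptop or PDA: weaker device control
    return min(level, 3)

def achieved_level(methods):
    """Distinct factor categories presented; unknown methods count for nothing."""
    return len({CATEGORY[m] for m in methods if m in CATEGORY})

def decide(req):
    """'allow' if enough distinct factors were presented, otherwise 'step-up'
    so the user is challenged for more before access is granted."""
    need = required_level(req)
    verdict = "allow" if achieved_level(req.methods) >= need else "step-up"
    return verdict, need

# Constructed requests: the two cases from the text, same user each time.
ON_LAN = Request("ann", "canteen-menu", "managed-pc", "10.20.3.4", ("password",))
ON_ROAD = Request("ann", "payments-admin", "pda", "203.0.113.7", ("password",))
```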

and finally ... on the subject of trust

What we've gone through in the last several years has caused some people to question 'Can we trust Microsoft?'

Steve Ballmer

As for butter versus margarine, I trust cows more than chemists.

Joan Gussow

Those you trust the most can steal the most.

Lawrence Lief

I haven't trusted polls since I read that 62% of women had affairs during their lunch hour. I've never met a woman in my life who would give up lunch for sex.

Erma Bombeck, journalist

The trust of the innocent is the liar's most useful tool.

Stephen King

Never trust a husband too far, nor a bachelor too near.

Helen Rowland

I never trust a man unless I've got his pecker in my pocket.

Lyndon B. Johnson

There's no trust, no faith, no honesty in men; all perjured, all forsworn, all naught, all dissemblers.

William Shakespeare

To believe with certainty we must begin with doubting.

Stanislaus I of Poland

http://www.commissum.com/ analysis | delivery | testing | operations | awareness

commissum is not responsible for the content of external internet sites