Online Fraud: What You See Isn't Always What You Get
By Melisa LaBancz-Bleasdale
A philosophical man once said, "Every time you buy a computer security product, you are trying to compensate for the shortcomings of the products you already have." That philosophical man is Bruce Schneier, industry expert on new and emerging IT threats and the founder and CTO of managed security provider, BT Counterpane. If he is right, then not only are we far from preventing online fraud, we are likely contributing to it. "Internet security is a serious problem and it's not getting better," declares Schneier. "In fact, I think it's getting much worse. Organized crime has taken over in a big way —it's a huge growth area. That's not going to change as long as there's profit to be made."
Schneier points out that crime used to be based on proximity, but the Internet has changed that. "It used to be that I would get next to you, hit you over the head and take your wallet. On the Internet, there 's no conscription to place. Every place is ubiquitous to every other place. So you have more things like identity theft being perpetrated by organized crime syndicates in Eastern Europe and sub-Saharan Africa, because the criminals feel safer there," says Schneier. "You, sitting in whatever happy town in the United States that you are in, are usually separated by oceans from Southeast Asian criminals. On the Net, you aren't. Globalization is extremely important. It makes it hard to track and prosecute criminals, and it makes it harder to defend yourself."
Loss of Trust
The prolife ration and sophistication of online fraud creates a ripple effect that causes damage to more than just the unfortunate victims. It deals a blow to eCommerce as a whole. In the Gartner report, E-Commerce Loses Big Because of Security Concerns, Gartner analysts estimate that in 2006 consumer anxiety over Internet security caused a US$2 billion dollar loss in eCommerce and banking transactions. Online fraud tactics (such as pharming, targeted attacks and phishing) are widely employed by criminals in perpetrating identity theft, as well as the sale of fake services and counterfeit products. "These attacks erode consumer confidence in online sales or selfservice Web portals," states John LaCour, director of product management for anti-phishing solutions for MarkMonitor. "While victims blame the criminals, they typically also hold the targeted organization responsible. Victims expect those organizations to leverage the latest technology to protect them from these scams."
Richi Jennings, lead analyst of the email security practice at Ferris Research, explains that email remains an important vector for scammers to steal their victims' online banking credentials or perpetrate other types of identity theft. "Phishers continue to try their luck with spam, and phishing is a particularly malicious type of spam," explains Jennings. "Because of its harmful nature, it raises special concerns." In particular, organizations need to address the following questions:
- How will the organization protect users from being fooled by a phish?
- Are third parties sending emails that purport to be from the organization? (Such phishing attacks can be very damaging to your brand and business.)
- Are third parties compromising the organization Web servers to host their fraudulent phishing sites?
- Are legitimate messages from the organization being mistaken for phishing attacks?
Spam By Any Other Name
Since most online fraud attacks use email as a gateway to the victim, eradicating spam of every sort would seem to solve the problem. However, as David Atlas, vice president of marketing for Goodmail Systems explains it, spam isn't a term that should be tossed around lightly. "I wouldn't define spam as all email that isn't necessary to one's job, but rather, as email that has been unsolicited. This is the legal definition. People use email to do more than their job, and one of the things they use it for is purchasing products online. When a user requests email from Overstock.com, for instance, it means they want that email. They have given their consent to get such email, and it is therefore, legitimate email." Atlas goes on to explain that spam, which is unsolicited, happens when someone sends non-requested email. The same email promotion sent to someone who requested it means that it is not spam. That same email sent to someone who did not request it, defines it as spam. "Today's email security solutions are by and large based on filtering out the bad messages—anti-spam, anti-virus, anti-phishing, anti-malware, etc. But there is nothing that specially marks known good messages," says Atlas. "In real world security you use a mix of both."
The concept is very appealing to Internet Service Providers (ISPs) who are looking for better ways to prevent victimization of their customers. In early June, Comcast, Cox Communications, Time Warner Cable's Road Runner and Verizon selected Goodmail's CertifiedEmail trusted class email for their email customers. CertifiedEmail is a class of email that the sender pays for. It includes cryptographically secure tokens inserted into individual email messages. If a message is sent Certified, it is not subjected to spam filters or at risk of becoming a false positive. Specially marked with a blue ribbon envelope, consumers can identify which commercial and non-profit emails in their inbox are real. Already in operation at AOL and Yahoo! the addition of these new partners means the CertifiedEmail standard will be in use at all five of the nation's top five ISPs. Atlas adds, "Goodmail Systems provides the means for ISPs to add an additional and complementary layer of security. The other thing they find appealing is that our solution gave them a novel means of providing to consumers a visual representation of what the safe, real, "good" messages were—a major win for a consumer who increasingly doesn't trust his email."
How Do I Know It's You?
The most robust anti-fraud programs take a layered approach to prevention. Consumer education, spam filtering, sender authentication and reputation-based solutions all help. In particular sender authentication solutions hold promise. Sender authentication solutions, i.e. Sender Policy F ramework (SPF) and DomainKeys Identifed Mail (DKIM) are starting to help combat phishing, especially with high-profile targets, such as PayPal customers. Detecting phishing attacks via sender authentication depends on legitimate senders publishing information in the DNS. "An email that purports to come from paypal.com can then be verified against information published in the DNS," notes Jennings. Of course, this doesn't stop phishers from using similar domains, such as verify-paypal.com." It is widely believed in the industry that as more domains publish such information, recipients will be able to detect a larger proportion of forgeries. Reputation services cannot track the reputation of a sending domain unless the recipient can reliably detect a forged message sent in the name of that domain. So, as the use of sender authentication becomes more widespread, reputation services will become more useful. In the future, they will be able to vet the reputation of the sending domain, not just the particular IP address.
Another preventative layer is real-time online fraud detection and monitoring solutions from vendors such as MarkMonitor and iovation. According to MarkMonitor, the company identifies approximately 16 million suspicious events each day. The company receives data from the top ISPs, representing over 80 percent of consumers online. MarkMonitor uses proprietary technology to automatically scan and analyze information from a wide range of sources, including honeypots; suspicious emails; spam and URLs from ISPs; Internet newsgroups; domain name registration zone files; and authoritative DNS and caching servers. "MarkMonitor's comprehensive online fraud prevention solutions combine sophisticated detection technology with around-the-clock fraud monitoring. This enables expedient prediction, prevention, detection, and shut down of online phishing attacks," explains LaCour. As an example, LaCour notes World Wrestling Entertainment (WWE) uses MarkMonitor's Online Channel Protection solution to shut down hundreds of counterfeit sales every week. Unauthorized and counterfeit sales are found on auction sites, B2B Exchanges, and email solicitations for DVDs and numerous other products.
With risk to legitimate businesses rising and consumers reacting to threats by reducing online activities, online fraud needs to be vigilantly monitored and addressed. Online fraud prevention requires a collaborative effort and must include businesses, ISPs, and consumers. Otherwise, customer trust will continue to erode and brands will continue to be tarnished. MB/TMP