Anyone who buys or sells on the Internet may be vulnerable to online fraud. The Internet Crime Complaint Center (IC3), a joint operation between the FBI and the National White Collar Crime Center, released a report in 2009 saying that reported cybercrimes rose about 650 percent compared with 2001, and up 22 percent compared with 2008. The business losses from these crimes totaled $559.7 million in 2009, up 112 percent on the year, according to the report. And to be more specific, an article in October from Investors Business Daily, based on a report from fraud prevention firm Retail Decisions, says that fraudulent credit card attempts increased 32 percent in the first half of 2010. If all of these ecommerce fraud attempts had succeeded, the cost would have been $1.14 billion for the January to June period. Meanwhile, the Better Business Bureau is warning that “skimming,” that is, stealing the information from a credit card when it is swiped, is on the rise. The Wall Street Journal reports that thieves are even stealing card data as consumers use ATMs.
According to a recent report from Verizon, the “Verizon 2010 Payment Card Industry Compliance Report,” there are two categories of attack that web based criminals exploit, malware and hacking. Malware is software that is installed without the user’s understanding of its purpose. Sometimes it is installed covertly, when a user clicks on the wrong web link. Sometimes the user is tricked into installing it, conned into thinking it is one thing while really it is quite another. Hacking consists of human beings who exploit computer systems or users directly to gain access to data that does not belong to them. Via hacking and malware, criminals can attack online merchants in a variety of ways.
Fully a quarter of threats logged by Verizon were “malware backdoor” attacks. That means malware was installed that let hackers log onto computers as if they were privileged users. Other malware attacks logged all the keystrokes made on the computer, revealing user names and passwords. Almost as many attacks, 24 percent, were caused by hackers carefully entering just the right codes into online databases. With these “SQL injection” attacks, the data that hackers put into the databases are instructions that subvert the database software and make it function in ways it should not. Earlier this year, hackers used this kind of attack to steal the data of 12,000 customers of eight online supermarkets in Japan.
“Authentication and authorization attacks,” in which hackers gain passwords and usernames from user error, rather than from computer exploits, accounted for another large part of online fraud attacks logged by Verizon. Fully 21 percent of attacks came from criminals guessing at default and obvious passwords. And another 14 percent of attacks came from stolen passwords. This “social hacking” includes “phishing,” in which a user is directed to click on a link that opens a legitimate-seeming web page prompting the user for personal information, and “pretexting,” in which users are tricked into revealing personal data when approached by hackers masquerading as authority figures (IT personnel, police, bank officials) who then demand data.
So what can ecommerce professionals do to prevent this kind of crime? Security experts offer a range of tips that can help keep business safe, and Visa offers ideas specifically for retailers through its Security Sense program:
• Keep track of exactly what sensitive data you collect and store, such as names, addresses, identification information, payment card numbers, bank account details and Social Security numbers. Think carefully about what data you actually need, and do not store sensitive data you can do without. For example, don’t use credit card numbers as ID numbers, in a customer loyalty program. Retailers should never store the “full track” of magnetic swipe data, the card validation value, or user PINs.• Make sure you are using secure services and tools that have been validated as adhering to industry standards. Use verification services that make sure the purchaser has the correct billing address and is physically holding the card.• Keep your payment system and data isolated so that only those employees who need access can get access. Eliminate remote access if you can, and make it secure otherwise.• Protect your employees from social hackers with strong, unique passwords that change frequently. Use up-to-date firewall and anti-virus technologies. Also make sure employees do not click on suspicious email or online links.
The U.S. Chamber of Commerce just released its new “Internet Security Essentials for Business” report, which also has tips for combating online fraud. Among them:• Look for signs that a web page is safe before entering sensitive data. For example, look for web addresses with https (“s” for secure) and a closed padlock icon beside it.• Never give sensitive information in response to an email or instant message request.• Think before clicking on attachments or links in email or instant message. Accept attachments only from known senders and only if the attachments are expected.• In email, look out for alarmist messages, misspellings, deals that sound too good to be true, requests for sensitive information such as account numbers, and other signs of a scam.• Turn on pop-up blockers that help warn you of suspicious websites.
• Be alert to signs that a computer is infected with malware, including machines and networks that are slow or nonresponsive, unexpected signs of a high level of activity on hard drive, computer messages appearing that have not been seen before, lack of memory messages, and constant crashes.
What should an eretailer do after being hit by online fraud? Most immediately, you have to protect your systems and begin to recover. According to BusinessWeek and TechRepublic.com, your first priorities should be:
• Keep all the records you can about the attack. That includes logs, original files, and financial records. Identify the origin and time of attack, if you can. If at all possible, “image the system,” that is, create a file you can use to re-create the system as it was when you discovered the attack.
• Evaluate the damage done, rebuild compromised systems (ideally, from scratch or from a clean backup from before the time of the attack), and patch vulnerabilities.
• Install log review and intrusion-detection software, since the attacker is likely to come back and try again.
• Perform an external security audit and reset passwords.
After the fact, here are some ways to fight criminals after the crime has been committed, according to ScamBusters.org and ConsumerFraudReporting.org:
• Report the incident to the National Fraud Information Center at fraud.org, ScamWatch.com, the Better Business Bureau, the National Consumer Complaint Center, the Internet Crime Complaint Center at ic3.gov, and the State Attorney General’s Office.
• File a police report and get a copy of the report to submit to your creditors and others that may require proof of the crime.
• Contact your banks and ask them to monitor for unusual activity; consider closing accounts and opening new ones if they have been compromised.
• Contact the fraud departments of any one of the three major credit bureaus. Report the theft of credit card numbers. Ask that your accounts be flagged with a fraud alert so that creditors will contact you before opening any new accounts or making any changes to existing accounts.
With care and vigilance, you can make it harder for criminals to target your business, whether before an attack, or after.
–Michael Moran Alterio