Fraud Intelligence Newsletter
March 2008
Table of Contents
ALERT – donotreply.com
Event Schedule
EV Certs have made some difference in customer trust
UC-Berkeley ID Theft Study and BofA’s response
Anti-Phishing bill generates noise, not help
PayPal tells customers to stay away from Safari
ALERT – donotreply.com
Internet Identity would like to remind its customers to make certain
that they have control over the domain and mail servers that they are
sending email FROM. Administrators that have not wanted to deal with
countless email bounces filling up their mailboxes have been sending
email using the donotreply.com domain. The owners of that domain then
receive all replies and bounces to those companies' messages. Bounces
could include sensitive information, messages meant for corporate
executives, details on IT infrastructure, etc.
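The check a mail administrator would want after reading this alert is an audit of outbound messages for sender headers that point at a domain the organisation does not control, since bounces follow the Return-Path and human replies follow Reply-To or From. The following is an added example, not code from Internet Identity or from the newsletter; the owned-domain set and the sample messages are constructed for illustration and would be replaced with the organisation's real domains and a feed from its outbound mail logs.

```python
"""Audit outbound mail headers for sender domains we do not control.

Added example (not part of the original newsletter). Assumes an
operator-maintained allowlist of domains whose DNS and mail servers the
organisation controls; the sample messages are constructed for this demo.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains whose mail servers we operate. Subdomains count as owned.
OWNED_DOMAINS = {"example.com"}

# Headers that decide where bounces (Return-Path) and replies (Reply-To, From,
# Sender) end up. Anything here outside OWNED_DOMAINS leaks to a third party.
SENDER_HEADERS = ("Return-Path", "From", "Reply-To", "Sender")

# Constructed sample messages: one correct, one using the donotreply.com
# anti-pattern, one with an owned From but an external Reply-To.
SAMPLE_MESSAGES = {
    "good": (
        "Return-Path: <bounces@mail.example.com>\n"
        "From: Example Alerts <alerts@example.com>\n"
        "Reply-To: support@example.com\n"
        "To: customer@customer.invalid\n"
        "Subject: Your statement is ready\n"
        "\n"
        "Body text.\n"
    ),
    "bad": (
        "Return-Path: <noreply@donotreply.com>\n"
        "From: Example Alerts <noreply@donotreply.com>\n"
        "To: customer@customer.invalid\n"
        "Subject: Your statement is ready\n"
        "\n"
        "Body text.\n"
    ),
    "reply_to_external": (
        "Return-Path: <bounces@example.com>\n"
        "From: Example Alerts <alerts@example.com>\n"
        "Reply-To: noreply@donotreply.com\n"
        "To: customer@customer.invalid\n"
        "Subject: Your statement is ready\n"
        "\n"
        "Body text.\n"
    ),
}


def is_owned(domain, owned=OWNED_DOMAINS):
    """True if domain is one of ours or a subdomain of one of ours."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in owned)


def sender_domains(raw_message):
    """Map each present sender header to the domain of its address."""
    msg = message_from_string(raw_message)
    found = {}
    for header in SENDER_HEADERS:
        value = msg.get(header)
        if not value:
            continue
        _display, addr = parseaddr(value)
        if "@" in addr:
            found[header] = addr.rsplit("@", 1)[1].lower()
    return found


def audit_message(raw_message, owned=OWNED_DOMAINS):
    """Return (header, domain) pairs whose domain we do not control.

    An empty list means every bounce and reply for this message lands on
    mail servers the organisation operates.
    """
    return [
        (header, domain)
        for header, domain in sender_domains(raw_message).items()
        if not is_owned(domain, owned)
    ]


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        findings = audit_message(raw)
        status = "OK" if not findings else "LEAK " + ", ".join(
            f"{h} -> {d}" for h, d in findings
        )
        print(f"{name}: {status}")
```

Run against a sample of real outbound mail, any message reported as a leak identifies a sending system whose configuration should be changed to an owned domain, ideally one with a mailbox or a sink that accepts the bounces rather than a third party's servers.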
Event Schedule
April 8–11, RSA Conference 2008, San Francisco, CA.
May 5–7, Financial Services Information Sharing and Analysis Center (FS-ISAC) Conference, St. Pete Beach, FL – Internet Identity is a conference sponsor.
May 18–23, AusCERT Asia Pacific Information Security Conference, Gold Coast, Australia – Internet Identity president and CTO Rod Rasmussen will be speaking.
May 26–27, APWG Counter eCrime Operations Summit II, Tokyo, Japan – Internet Identity president and CTO Rod Rasmussen will be speaking.
June 4–6, Authentication and Online Trust Alliance Summit 2008, Seattle, WA. Internet Identity is a member of the AOTA steering committee. Early bird registration ends April 15. Please contact us for a big discount on registration fees!
EV Certs have made some difference in customer trust
Extended Validation Certificates, or EV Certs, are an emerging
technology already available in Internet Explorer 7 and will be
available in upcoming versions of Firefox and Opera. EV certificates
are a unique type of X.509 certificate which call for a more extensive
investigation of the requesting entity by the Certificate Authority
(CA) before being issued. When a user visits a legitimate website with
an EV Cert, such as PayPal, the browser's address bar changes to green.
PayPal has been using EV certificates for about a year now. According
to PayPal, IE 7 users have been less likely to drop out and abandon the
process of signing on to PayPal in the last several months. "It's a
several percentage-point drop in abandonment rates," says Michael
Barrett, CTO of PayPal. "That number is... measurably lower for IE 7
users."
EV certificates also have their naysayers. Researchers at Microsoft and
Stanford University published a study last year showing that (without
prior training) people were not apt to notice the green bar provided by
the EV Certs.
According to another recent study by Netbenefit, about 70% of all
consumers either don’t use the green bar or don’t know what they are
looking at when they see it. The consumers reportedly do not understand
the significance of the green browser bar.
However, PayPal’s Barrett says EV certificates are having an effect. He
says Internet Explorer 7 users are more likely to sign on to PayPal's
Web site than users who don't have EV certificate technology, because
they are certain that they are visiting a legitimate site.
Verisign recently reported that across the globe over 100 million
Internet Explorer 7 users were seeing the green bar from visiting the
nearly 5,000 web sites that are using this new technology.
If Netbenefit’s and Verisign’s numbers are correct, the optimistic view
is that there are 30 million Internet consumers that ARE recognizing
the EV Cert green bar and making transactions online with more
confidence than they were a year ago.
UC-Berkeley ID Theft Study and BofA’s response
The Center for Law and Technology at the University of California,
Berkeley has issued a controversial report "Measuring Identity Theft at
Top Banks" on the numbers of identity theft complaints and it names
several national banks and Fortune 500 companies as the worst offenders.
The study draws from thousands of complaints to the FTC over three
months in 2006 and lists the number of incidents at banks, top
utilities and retail merchants.
In the list of institutions, Bank of America is called out as the
number one company (financial or otherwise) with the highest rate of
identity theft complaints, followed by AT&T, Sprint/Nextel,
JPMorgan Chase, Capital One, Citibank, American Express, Washington
Mutual, Wells Fargo, Discover, HSBC, and Wachovia.
The report’s author Chris Hoofnagle began his research in May 2007,
when he filed a Freedom of Information Act request with the FTC for the
names of companies and institutions identified in consumer Identity
Theft complaints over the previous two years. Hoofnagle had to settle
for the data from 88,560 complaints from the randomly-selected months
of January, March and September 2006. He established that the top 25
institutions of banks, utilities and retailers account for 50% of the
identity theft complaints lodged with the FTC.
To his credit, the author points out the obvious flaws with his
methodology and small sample set, and that the numbers are only for
demonstrative purposes and not to be construed as definitive. However,
he points out that the only way to get any sort of numbers, as flawed
as they may be, was through an onerous process since the industry is
not forthcoming with data on its own. By naming names, he hopes to put
pressure on the industry to come up with a solid self-reporting
process, since it is in their best interest to have accurate
information out there.
Bank of America leads all institutions with 1,117 complaints per month
in 2006. When the figures are projected annually and normalized per
billion dollars of deposits, however, HSBC fares the worst, with 21
incidents per billion annually (BofA has 18). In contrast, ING has less
than one incident per billion annually.
Bank of America representative Betty Reiss says the study doesn't jibe
with independent surveys that have shown Bank of America as one of the
top banks when it comes to protecting consumers from ID theft.
What's more, says Reiss, "if somebody who is a customer of Bank of
America is a victim of Identity Theft, it doesn't necessarily mean that
the theft, or compromise, originated at Bank of America. A lot of times
consumers don't know how the identity theft originated or where it
originated."
Anti-Phishing bill generates noise, not help
Senator Olympia Snowe (R-ME) recently introduced legislation (S.2661),
co-sponsored by Senators Bill Nelson (D-FL) and Ted Stevens (R-AK),
that purports to make it tougher for groups or individuals to engage in
identity theft through phishing, and to combat the use of deceptive Web
site domain names. The proposed legislation, known as the Anti Phishing
Consumer Protection Act, would also mandate that owners of commercial
Web sites provide true and accurate whois contact information, so that,
in instances of ID theft and fraud, Web site owners can be brought to
legal account.
Internet Identity and industry groups like the APWG are generally in
favor of legislation that provides more legal tools and especially
resources to law enforcement for pursuing and prosecuting phishers and
other online criminals like malware authors and distributors. While
there are already laws on the books that enable prosecution of
phishers, the nature of the crime doesn’t always fit neatly under them,
and targeted legislation could be helpful. Even more helpful would be
increasing government resources dedicated to fighting phishing and
on-line crime.
Internet Identity’s analysis of S.2661 finds that it focuses most of
its attention on domain name cybersquatting and the privacy of domain
WHOIS information, not on the phishing problem. Those issues are at
best tangential to the primary issues surrounding phishing, and
concentrating so much effort on them may well take away from far more
effective things that government can do in this arena. The bill
contains some 31 pages of new regulations that could raise the cost of
doing business for legitimate companies while doing little to stop the
malicious actors behind phishing attacks. We certainly empathize with
the trademark community given the continued rampant abuse of brands on
the Internet, but there are already multiple recently enacted laws in
place to address those issues. Creating yet another under the moniker
of “anti-phishing” we feel distracts vital time, energy, and resources
from the true fight against online fraud and phishing.
Any new anti-phishing law will need to address the more dangerous
aspects of phishing, including computer intrusion, viruses, spyware,
keyloggers and other malware. Further, since a major goal of phishers
is to use stolen information to commit identity theft, tying their acts
in illicitly collecting information to that crime could be a useful
tool for law enforcement and others. Already there are two bills
working their way through Congress that do a better job than S.2661 of
addressing these important issues. These bills are the "Internet
SpyWare Prevention Act of 2007" (HR 1525), which has passed the House
and is awaiting consideration by the Senate, and the "Identity Theft
Enforcement and Restitution Act" (S.2168), which has passed by
unanimous consent of the Senate and is now awaiting consideration by
the House. We urge our clients and friends to review all such
legislation and weigh in with their own opinions on pending legislation
to let our lawmakers know that this is an important issue that needs
addressing. It is of utmost importance that adequate resources are
provided to the law enforcement community to pursue and arrest
phishers, hackers and other criminals that threaten to ruin the great
promise the Internet holds for our organizations and society as a whole.
For a copy of the proposed Snowe legislation, please see: http://commerce.senate.gov/public/_files/SnoweStevensAntiPhishing.pdf
PayPal tells customers to stay away from Safari
PayPal is warning its customers to not use Apple’s Safari browser in
order to avoid online fraud. According to PayPal, Safari does not have
two important anti-phishing security features and does not make
PayPal’s list of recommended browsers.
Unlike Internet Explorer and Firefox, Safari has no built-in
anti-phishing filter to warn its users of potential phishing attacks
and Safari does not support Extended Validation Certificates (EV
Certs). EV Certs turn the address bar green when the browser lands on a
legitimate website. Anti-phishing filters warn a consumer when their
browser visits a known or suspected phishing site. Internet Identity
sends known phishing URLs to Internet Explorer and other browsers.
PayPal’s warning affects a broad range of computer users. Safari is the
default browser on Apple computers and the iPhone, and is also
available on the PC. Ironically, the newly released Safari 3.1 has
received strong reviews from the tech press for usability and true
compatibility with web standards. It’s a shame that this great news is
being overshadowed by the security issues PayPal has pointed out. We
hope that Apple will jump on this issue quickly to help make a strong
product a truly safe one as well.
At the publication of this report, Apple had not yet commented on PayPal’s position on Safari.
If you want to learn more about protecting your organization from phone
phishing, phishing, spear phishing, targeted malware and other attacks
against your customers, please contact Internet Identity.