Those in the business know that December is a notoriously risk-ridden time for identity theft, as hackers take advantage of escalating ecommerce around the holidays. How are merchants and business owners to safeguard identity when customers like Joe Consumer make identity theft child’s play? One of the keys in identity protection is anticipating the evolution of technology. Responding reactively to current and past attacks only leaves users highly vulnerable.

A recent two-pronged RSA security breach hows just how deep hackers will go, uniting efforts across nations to attack secure data. Tokens are out of reach for many, with their high cost of maintenance. SMS authentication is cumbersome at best, and the most user-friendly solutions require nothing other than the user himself. That said, biometrics are excessively expensive.

Strong mutual authentication systems, like that of Tricerion, offer secure protection against assault while maintaining accessible affordability in comparison with biometric or token-based systems.  Picture-passwords have been found more memorable and harder to crack than alpha numeric passwords in multiple studies . Details on our authentication systems can be found on our website.

In brief:

• Complaints received:  336,655
• Total loss:  $559.7 million
• Increase from 2008 by 22.3 percent
• Median dollar loss of $575
• Average dollar loss: $1,633

Top five categories of offenses:

1. Non-delivered merchandise and/or payment – 19.9%
2. Identity theft – 14.1%
3. Credit card fraud – 10.4%
4. Auction fraud – 10.3%
5. Computer fraud – 7.9%

Find lots more data and demographic information by reading the full report at IC3.

Taking a quick look at several of these emissions trading registries’ websites (DEHSt, DEFRA, ETR.ie, etc.), it appears that SSL certificates is the limit of security on all of them.  While the banking industry is generally perceived to be very conservative when it comes to adopting new technologies, in the past several years a large number of banks chose mutual authentication technologies as an effective and low-cost solution to fight phishing.  As criminals learn about new schemes where social engineering can turn into profit, they will pursue other industries that will be vulnerable and that have not adopted safe login mechanisms.

The moral of the story? Mutual authentication isn’t just for banks. Companies in other industries need to anticipate cyberthieves just as much as banks do. What’s next?

Another research study comes from RSA’s 2010 Global Online Consumer Security Survey, which shows very interesting trends:

“Of the more significant survey findings, consumer awareness of phishing attacks has doubled between 2007 and 2009 and the number of consumers who reported falling prey to this attack increased six times during that same period of time. In addition, while hundreds of thousands of people join social networking websites each day, the survey exposed that nearly two in three (65 percent) people who belong to these online communities indicated they are less likely¹ to interact or share information due to their growing security concerns.”

“Consumers using online banking (86 percent) websites shared more concern with the theft of their personal information than those using healthcare portals (64 percent) and government websites (68 percent). As a result of these concerns, more than half of all consumers reported that they are less likely to share information and interact on these websites.”

This is interesting because it tells us that phishers are becoming more and more sophisticated and consumer education is limited in terms of preventing online and identity fraud.

What it means for us is that social engineering is becoming more sophisticated, fooling even those who don’t remember the times before Internet and mobile phones.  Effective proactive defense includes mutli-channel authentication options, which will not rely on user alertness or mental mapping techniques.   Secure web services will help protect their customers without relying on their ability to recognize a phishing attack.

A Canon advertisement at the International Consumer Electronics Show (CES) in Las Vegas, Monday, Jan. 4, 2010. (AP Photo/Paul Sakuma)

This year’s Consumer Electronics Show brought us some interesting trends and ideas.   In his review of the show, Lance Ulanoff lists 9 things he’s learned there.  In the last point in that post, he makes the observation that “the marriage of technology and content took center stage”.

There is a fundamental change in how we’ve been turning every possible device into content delivery or presentation mechanism.  You can read your email or a book on you PC, on your phone or on TV.  I can now watch a TV show on cable, on my iPod, iPhone or on Hulu Desktop.  I happened to be in an Eastern European country during their parliamentary election.  The ruling party rigged the election and when the students came out protesting, they were using Twitter and Facebook to organize themselves and broadcast the latest news.  The government promptly shut down Internet access to these websites.  However, I was pleasantly surprised to learn that the Facebook app on my iPhone continued to work.  Multi-channel communication rocks.

As our life becomes more digitized, we are being asked to get used to reading and sending information via a multitude of devices and services.  We’ve been conditioned to open up our private lives and share (some more, some less) our life experience with our online social networks.  Various companies are now hording more and more data about who we are.  I laugh every time a bank asks me to select “What year did you graduate from high school?” as one of my security questions.  Come on, there are at least 1000 people who know the answer to this question.  Besides, about 50% of half of all identity fraud crimes are committed by people who know the victims personally.

As we enable more types of devices to access our private or paid content, the identity access technologies will have to evolve in order to make sure we have consistent usability and security across all information delivery platforms.   The users also need to know that the service they are accessing is authentic, based on the mutual authentication principle, where the service provider will first reveal a secret which will assure the user of the integrity of the communication channel.

Two of the ones I found somewhat surprising were shortened URLs (since fraudulent URLs look just like legitimate URLs when they’re shortened); and malware coming through sites with tricky URLs that look authentic but aren’t (like International Domain Names).

Scareware and computer hijacking are still on the list and probably always will be. Same song, different verse. It’s a fluid scheme, changing from season to season, but the motivation remains the same.

Another one we’re looking at? It isn’t part of the top 5, but its implications reach far and wide. Healthcare security. With more and more ways to manage health information online, that’s sure to be a target for breach in the near future.

When it comes down to it, hackers are as motivated by the laws of supply and demand as the free market is. Just as legitimate businesses look for new ways to earn income and meet needs, so do hackers. As long as there is money to be made, hackers will continue to find new methods to steal it.

Our job is to beat them at their own game – anticipating their next steps, preventing their success, and defending our clients’ information and assets.

In the last two years hackers have stolen over $40 million from small to medium enterprises that typically don’t have the resources or tech expertise to protect themselves from such attacks. They often do business with small banks and credit unions, which are typically considered “low hanging fruit” for hackers. Channel-Pro SMB interviewed our very own Stuart Morris about this issue, and the write-up points out some key issues – like the impact this can potentially have on small to medium businesses.

The solution the feds propose is a dedicated computer used only for banking. They recommend it because malware is often installed when surfing the net, gaming, emailing, and downloading programs. It isn’t fool-proof though. Crooks are smarter than we like to think and a computer dedicated to online banking isn’t a surefire way to stop them. And logistically, unless we’re talking about sole proprietors, it becomes both a hassle and prohibitive expense when every person who needs access to banking information requires a separate computer to do so.

Hey! I have an idea! What if banks, e-commerce sites, and other agencies requiring sensitive login procedures found a way to protect their users and consumers from this type of fraud? Is it possible? Is it plausible? What is this, 1976? Of course it is! And it has been for years.

The only real way to stop keyloggers is to stop typing passwords. You know how you use your mouse to click on buttons on the computer screen?  There’s no reason banks couldn’t use a clickable keypad on the screen to replace password typing, or even credit card entry. And guess what? It’s already being done. There’s a system that first recognizes the user and generates a customized keypad for them. If your keypad doesn’t look right you know you’re on a fraudulent site. When you see the keypad you recognize, you use your mouse to key in your password. Easy, breezy. And keyloggers don’t have a chance. (Neither do man-in-the-middle, man-in-the-browser, or any host of other hackers.)

Wanna give it shot? You can. Go ahead – try it now. I’ll give you a buck – a whole greenback for the minute you spent – if you think it’s too hard to use.

The same article tells us that identity theft is up 33.1%, according to CIFAS, and that’s before taking into account the increase in fraud that we expect over the holidays. It seems that come holidays, crooks get greedy, which corresponds with a year-end boost in opportunity.

Happy Christmas to all and to all good security.