Monday, November 3, 2008

Online Fraud Double Whammy

I am sure that you have heard about the startling discovery that a piece of malware (the Sinowal Trojan) has been harvesting financial data, including credit card numbers, for nearly three years. The cache of stolen data exceeds half a million records, reports RSA FraudAction Research Lab.

On a related note, The New York Times reports:
Microsoft plans to report on Monday that the security of its Windows operating system has significantly improved, while at the same time the threat of computer viruses, frauds and other online scourges has become much more serious.
News like the above is bad news for the online commerce industry, especially given the current mood of the consumer and the economic environment. Improvements in technology can be leveraged to minimize the ability of fraudsters to profit from data collected by crimeware/malware.

A variety of participants, including CyberSource, Iovation and 41st Parameter, have been working on combating this kind of fraud. However, what is becoming clear is that the fraudsters are a lot savvier and that we need to approach this problem very differently.

Call to action: Support the below technologies (some of which are already deployed for offline transactions) for online commerce transactions:
  1. Support one-time credit card numbers, such as those offered by MasterCard in association with Orbiscom
  2. Support use of dynamic CVx (CVV / CVC...)
  3. Support multi-factor authentication, including utilizing CVM (cardholder verification) methods that are part of the current MasterCard and Visa specifications
The above advances will make the stolen information unusable. As the credit card issue cycle is on average three years, the higher-security cards will make it into the hands of consumers over the course of the normal card replacement cycle. The cost differential of the higher-security card will be made up by issuers if the consumer makes one additional transaction because of the higher-security card.
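
To make the dynamic CVx point concrete, here is an added sketch (not from any card network's specification) of an issuer that accepts each code only once, so a code harvested by malware at checkout is worthless afterwards. The HMAC-based derivation, the `Issuer` class, the look-ahead window, the test PAN and the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def dynamic_cvx(card_key: bytes, pan: str, counter: int) -> str:
    """Derive a 3-digit code from the card key, PAN and transaction counter."""
    msg = pan.encode() + struct.pack(">Q", counter)
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # HOTP-style dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"


class Issuer:
    """Hypothetical issuer-side check: each counter is accepted once, never reused."""

    def __init__(self, look_ahead: int = 3):
        self.look_ahead = look_ahead   # tolerate codes generated but never submitted
        self.keys = {}                 # PAN -> per-card secret
        self.last_counter = {}         # PAN -> highest counter already accepted

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.keys[pan] = card_key
        self.last_counter[pan] = -1

    def authorize(self, pan: str, cvx: str) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        start = self.last_counter[pan] + 1
        for counter in range(start, start + self.look_ahead):
            expected = dynamic_cvx(key, pan, counter).encode()
            if hmac.compare_digest(expected, cvx.encode()):
                self.last_counter[pan] = counter   # burn this and all earlier counters
                return True
        return False


if __name__ == "__main__":
    pan = "4111111111111111"               # constructed test PAN, not a real account
    key = bytes(range(16))                 # constructed per-card secret
    issuer = Issuer()
    issuer.enroll(pan, key)
    harvested = dynamic_cvx(key, pan, 0)   # the value malware would capture at checkout
    print("original purchase accepted:", issuer.authorize(pan, harvested))
    print("replay of harvested code accepted:", issuer.authorize(pan, harvested))
```

With only three digits, a replayed or guessed value still has roughly a look_ahead-in-1000 chance of matching a later counter, so a check like this would be paired with limits on failed attempts.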

Would love to hear about innovations that you are working on or are aware of that would remove the profitability from stolen data.
