Features : Security and Fraud Become Top Tech Issue

Even as they increase corporate efficiency, Internet banking and e-commerce are heaping additional burdens on the financial services industry. As a result, security has become the number one spending priority for many companies.

Youve seen the worrisome stories. Viruses and worms literally spreading doomthrough global computer networks; spam clogging personal and corporate email systems; and identity theft, aided by the Web, robbing financial institutions, merchants and their customers.

We need to be able to refute those headlines and say, Hey look, this is how were addressing security, says Robert Blackburn, director, cash management, in the global transaction services unit of Citigroup.

Many bankers and corporate executives grappling with the harrowing security issues of the present day share Blackburns view. Security is a hotter topic than ever before for financial institutions, retailers, other corporations and the technology and software providers trying to help them cope with the threats.

The scale of the interest generated by Internet fraud was clear at the annual information technology conference hosted by RSA Security in San Francisco in late February, which drew 10,000 attendeesa 20% jump over the preceding year. The need for better security management was the major theme of the confab.

I think theres concern about security but not enough action.A lot of people are talking about it, but they havent figured out what solutions to put forward, says Tom Miltonberger, senior vice president of product development at Quova, a Mountain View, California- based firm that sells technology services that allow online businesses to pinpoint the location of their Web site visitors to prevent fraud and comply with regulatory requirements.

Anonymity Aids Internet Criminals

All these crimes are flourishing in large part because the Internet allows the hackers and the fraudsters on the whole to remain anonymous while doing the deed. The speed and efficiency of the medium also plays a significant role. Statistics help tell the story. In 2004, malicious codeviruses, worms and Trojan horses will cost the worldwide economy $35 billion, according to the Radicati Group, a Palo Alto, California-based technology research firm.

The major technology companies are responding to the hacker threats largely by introducing new versions of their software and hardware products that work better with other security management products.The dominant theme is integration of intrusion detection systems, firewalls, anti-virus programs and authentication technologies to get a single view of network security.

Then theres the matter of online fraud.A recent study by the Internet Fraud Prevention Advisory Council, a consortium of online merchants, merchant acquirers, credit card associations and credit card issuers, estimated that the occurrence of online fraud, as a percentage of business revenues, might be as much as 40 times higher than for face-to-face transactions offline.

Identity Theft

One scary financial crime made efficient by the Web and rapidly expanding is identity theft.The number of identity theft cases jumped 40% in 2003, according to the US Federal Trade Commission. The crime is expected to have cost consumers, businesses and governments $221 billion in losses worldwide last year, according to the Boston-based research firm Aberdeen Group. Those losses could increase almost tenfold within two years to reach as much as $2 trillion by the end of 2005.

Identity theft can take several forms. Perpetrators can use the Internet to hack into businesses servers and databases to steal client and account information. That can then be used to create new accounts, in customers names, that can be emptied out. Of course, the perpetrators can simply steal from the existing accounts they tapped into. Firewalls and encryption are the common methods to stop this form of attack.

Another identity theft scheme rapidly gathering steam is called pfishing.The fraudsters pretend to be well-known legitimate businesses such as banks or brokerage firms by setting up Web sites using those companies names and logos. They then email customers of those firms, encouraging them to give out key personal, financial and account data.That data can be used to take over their identities for the purposes of applying for credit cards, loans and mortgages.

What weve seen recently is that identity theft has gained a lot of celebrity, says Tracy Stover, director, client development, in the commercial card services group at Citigroup. She says that the bank has had some cases of corporate customers who became identity theft victims on their personal accounts. In those cases, the bank works with the client and the major credit bureaus to repair their damaged credit records so that they can obtain loans and financing in the future.

However, bank customers are not immune to theft attempts when they are at work.Turner says Citigroups commercial card services group recently received calls from some (fewer than 50) upset corporate customers saying they received emails at work from people claiming to be the bank and asking for account information. Whats made people a little more nervous is that pfishing was happening on their corporate email, says Stover.I think people get a false sense of security with corporate email.We all have firewalls so they automatically assume the email is legitimate.

Identity theft is a crime that often is difficult or timeconsuming to detect, allowing fraudsters plenty of time to do a lot of damage. Like their colleagues the computer hackers, online fraudsters are generally relentless and innovative in pursuing new techniques, technologies and ingenious new schemes.One of these innovations is the automatic credit- or debit-card number generator. These programs, which can easily be found on the Internet, automatically generate thousands of 14- or 16- digit card numbers.

The thief then submits a large number of transactions to test out the number sequences and see if they get a match. However, these attacks are fairly easy to detect and can be blocked with lockout and refusal systems that limit transactions to a set number, or block purchases because of a lack of billing and address information, according to security and fraud experts.

Software maps location of Internet users

As cyber-criminals become ever more sophisticated, it may seem that heading off fraudulent transactions is almost impossible. Software from companies such as Quova can help, though.

The four-year-old Mountain View, California-based firms geolocation technology figures out the physical location of computers by tracking Internet Protocol (IP) addresses, which are like telephone numbers but without the country codes or prefixes to reveal their locations. Quovas GeoPoint Data Delivery Server uses sophisticated algorithms to process data for Internet gateways, routers and registries of IP addresses.

Our product tells you where the user is, says Tom Miltonberger, senior vice president of product development, noting that the privately held companys technology maps the IP location down to a specific metropolitan area.

Thats important in preventing fraudulent orders because certain countries, cities and IP addresses are leading sources of fraud. For example, one-quarter of the transactions originating from St. Petersburg, Russia, last year turned out to be fraudulent, as did 38% of the orders placed from one specific IP domain in Indonesia, according to ClearCommerce, a partner of Quovas. Knowing that the order about to be placed or account about to be opened is originating in one of these places sets off alarm bells for the retailer or financial provider, Miltonberger says.

However, sophisticated fraudsters can try to get around this by setting up proxy servers in other locations not known for fraud, thereby hiding their true whereabouts. Our solution is not perfect either, concedes Miltonberger. In fact, a simple search of the Internet can yield lists of proxy servers that can be used to set up IP addresses that mask the real location of the fraudster. But we do the same thing and search for these proxies, test them and mark them in our databases, says Miltonberger.

Tiny Transactions, Huge Hauls

Another area that is facing increasing attacks is the Automated Clearing House (ACH) network. Fraudsters are submitting small transactions across the system that can reap large amounts if they succeed in initiating automatic debits against thousands or millions of company checking accounts.Clients can set up a debit block to stop any ACH transactions from debiting the account. We advocate that all of our clients put a block on their account when it is used for any sort of checking going out of it, says Citigroups Blackburn.The bank also tells its corporate cash management customers to reconcile their accounts daily. Make sure you recognize them and the persons who made them, he says.

Fraud has become a big concern as use of the ACH system has greatly expanded with consumers use of debit cards to make Internet purchases.

The system used to be primarily the province of businesses as a way of paying their employees, vendors and suppliers.

Another major problem in Internet commerce is the overwhelming amount of spam, or junk email, increasingly dominating the email servers of most companies. Spam will account for 52% of all email by the end of this year and will cost $41.6 billion in financial losses, more than double the amount in 2003, according to the Radicati Group. The losses stem mostly from increased IT infrastructure costs for bigger servers and more administrators.

Identity theft is expected to have cost consumers, businesses and governments $221 billion in losses worldwide last year. Losses could reach $2 trillion by the end of 2005.

Online fraud incidents, as a percentage of business revenues, may be as much as 40 times higher than in face-to-face transactions.

Online credit card fraud could cost businesses $60 billion by 2005.

In 2004, malicious code (viruses, worms and Trojan horses) will cost the worldwide economy $35 billion.

By the end of 2004, spam will account for 52% of all email and will cost $41.6 billion in financial losses, mostly due to higher IT infrastructure costs.

Sources: US Federal Trade Commission, Aberdeen Group, Internet Fraud Prevention Advisory Council, Financial Insights, and Radicati Group

The Real Cost of Spam

The volume of email youre dealing with is enormous because of all the garbage you dont want.Your infrastructure is blown way out of proportion because of the spam, says Sara Radicati, CEO of the Radicati Group. She estimates that companies spend an average of $49 per user mailbox per year in additional administration costs directly caused by the deluge of spam theyre facing. Those costs dont include the loss of worker productivity in having to wade through and delete spam.

Spam is also a security threat because many of the messages carry computer viruses with them.The email pfishing schemes that have become prevalent over the past year often originate in spam messages. Companies typically combat spam with filters, but they are of limited effectiveness. The filters let a lot through, says Radicati, who estimates that 17% of spam still gets through the filters.

Technology companies are now proposing and devising a number of hardware and software solutions that try to verify the access rights of the email sender. For example, Microsoft is proposing a caller-ID system for email.

Theres no magic bullet. Its a complex problem, and the solutions will be expensive, says Radicati.

By Adam Rombel