
Friday, March 23, 2007

 

ICANN May Strengthen Domain Privacy Rules

Many owners of Internet addresses face this quandary: Provide your real contact information when you register a domain name and subject yourself to junk or harassment. Or enter fake data and risk losing it outright. Help may be on the way as a key task force last week endorsed a proposal that would give more privacy options to small businesses, individuals with personal Web sites and other domain name owners. "At the end of the day, they are not going to have personal contact information on public display," said Ross Rader, a task force member and director of retail services for registration company Tucows. "That's the big change for domain name owners."

At issue is a publicly available database known as Whois. With it, anyone can find out the full names, organizations, postal and e-mail addresses and phone numbers behind domain names.
Hearings on the changes are expected next week in Lisbon, Portugal, before the Internet Corporation for Assigned Names and Numbers, or ICANN, the main oversight agency for Internet addresses. Resolution, however, could take several more months or even years, with crucial details on implementation still unsettled and a vocal minority backing an alternative. Under the endorsed proposal -- some six years in the making -- domain name registrants would be able to list third-party contact information in place of their own -- to the chagrin of businesses and intellectual-property lawyers worried that cybersquatters and scam artists could more easily hide their identities. "It would just make it that much more difficult and costly to find out who's behind a name," said Miriam Karlin, manager of legal affairs for International Data Group, publisher of PC World and other magazines. She said she looks up Whois data daily to pursue trademark and copyright violators.

Privacy wasn't a big consideration when the current addressing system started in the 1980s. Back then, government and university researchers who dominated the Internet knew one another and didn't mind sharing personal details to resolve technical problems. Today, the Whois database is used for much more. Law-enforcement officials and Internet service providers use it to fight fraud and hacking. Lawyers depend on it to chase trademark and copyright violators. Journalists rely on it to reach Web site owners. Spammers mine it to send junk mailings for Web site hosting and other services.

Internet users have come to expect more privacy and even anonymity. Small businesses work out of homes. Individuals use Web sites to criticize large corporations or government officials. The Whois database, for many, reveals too much. The requirements for domain name owners to provide such details also contradict, in some cases, European privacy laws that are stricter than those in the United States. Registration companies generally don't check contact information for accuracy, but submitting fake data could result in missing important service and renewal notices. It also could be grounds for terminating a domain name.

Over the past few years, some companies have been offering proxy services, for a fee, letting domain name owners list the proxy rather than themselves as the contact. It's akin to an unlisted phone number, though with questionable legal status. The U.S. government has banned proxies entirely for addresses ending in ".us," even after many had already registered names behind them.
Critics also complain that such services can be too quick or too slow -- depending on whom you ask -- in revealing identities under legal pressure. "Right now there's no regulation, no accreditation, no standards," said Margie Milam, general counsel for MarkMonitor, a brand-protection firm. "Some can take weeks, which can slow down investigations."

The task force proposal, known as operational point of contact, would make third-party contacts a standard offering. Domain name owners could list themselves, a lawyer, a service provider or just about anyone else; that contact would forward important communications back to the owner.
Details must still be worked out, but the domain name registrant rather than the proxy would likely be clearly identified as the legal owner, unlike the current, vague arrangement. ICANN's staff also pressed for more clarity on to whom and under what circumstances the outside contact would have to release data. Although that proposal received a slight majority on the Whois task force, some stakeholders including businesses and lawyers have pushed an alternative known as special circumstances. Domain name holders would have to make personal contact details available, as they do today, unless they can justify a special circumstance, such as running a shelter for battered women. "On the whole, society is much better off having this kind of transparency and accountability," said Steven Metalitz, an intellectual-property lawyer on the task force.

ICANN's Council of the Generic Names Supporting Organization plans public hearings in Lisbon, after which it could make a recommendation or convene another task force to tackle implementation details. Supporters of the new proposal remain hopeful that resolution is near.
"A lot of public interest groups have been waiting a long time to see if this process actually works or if it's just a charade," said Wendy Seltzer, a nonvoting task force member and fellow with Harvard University's Berkman Center for Internet and Society. "If this turns out to have been for naught, you will have a lot of frustrated people."



 

Google Reinvents Online Advertising Again

Google announced Tuesday that it plans to enhance its successful online advertising service by offering clients an alternate business model -- if an ad does not get results, advertisers do not have to pay for it. Now, instead of paying per click, advertisers will be able to experiment with paying each time a user takes an action on their Web site, such as filling out a form. The new model is part of an ongoing effort to provide advertisers and publishers with more value, said Google.

The new model isn't intended to replace the current system but rather provide advertisers greater control over their advertising costs, as well as complementing the existing cost-per-click and cost-per-impression pricing models. The new pay-per-action pricing enables advertisers to reach their customers in a new way, thereby better meeting their goals and objectives, according to Google.
Google said the beta ads would not run on its search results pages, but on its AdSense network of content sites. The AdSense publishers will gain greater control over the ads that run on their sites after they start accepting pay-per-action ads.

After starting a beta test of the new program last year, Google recently expanded its pay-per-action offering to include 75 publishers and 75 advertisers. More will be added on a rolling basis as the test expands. "The ability for advertisers to pay on a cost-per-action basis should provide them a more effective way to track their ad dollars," Rob Enderle, an analyst with the Enderle Group, said. The new model is likely better suited for businesses that sell services rather than products, and are looking for customer leads, Enderle added.

The new model, which is limited to a select group of advertisers during the beta-testing period, will be offered for ads displayed on Google's content network and on Web sites that display ads sold by Google in return for a share of the profits, the company said. The model may help combat click fraud, which has been rampant in recent years and has advertisers skittish about shelling out big chunks of their budgets for online anything. "Google is trying to get ahead of the problem with this new model," said Enderle. "They have been worried that advertisers are pulling back dollars because they no longer trust the numbers."


 

'Searchandising' and the Zen of Online Retailing

It's no secret that e-commerce search and online merchandising have a magnetic attraction. These applications morphed into the e-commerce lexicon as "searchandising," enabling merchants who integrate search and merchandising to realize higher levels of customer satisfaction and returns.
Seventy percent of retailers surveyed in the recent Aberdeen Group benchmark report, "Web Site Search: Revenue in the Results," said that visitors who used search tools were more likely to convert from browsers to buyers.
The average conversion rate for nearly one quarter of online merchants was 5 percent or greater. With conversion rates for e-commerce sites averaging from 2 percent to 5 percent, it's encouraging to see that search tools help to exceed averages for nearly one quarter of the survey group. Retailers were asked just how they attained these profitable clicks. Among merchants achieving the highest profits, conversions and returns from their online offerings -- termed "Best-in-Class," 54 percent utilize search as a merchandising tool.

Additionally, 62 percent continually fine tune search for desired results based on user actions, current promotions and collective behavior. Further, 38 percent of Best-in-Class retailers segment search query results using faceted search tools. These metrics clearly show that leading companies are thinking about their search tools as a way to serve up products and inextricably link their merchandising processes to their product discovery tools.
When asked about specific processes used to merchandise to customers, Aberdeen found that 50 percent of Best-in-Class companies use "faceted navigation" to segment products into manageable categories. Faceted information can be described as topics broken down into categories or attributes (e.g., topic equals "music" and attributes equals "genre, artist, album, song, lyrics"). This method of categorizing information is extremely useful when presenting online search results.

Adoption of faceted search is on the rise among online retailers and will penetrate 92 percent of Best-in-Class within 24 months. Only 23 percent of all retailers surveyed stated that they did not have plans to implement faceted navigation on their e-commerce Web sites. Faceted navigation begins with the way metadata is tagged and associated throughout the site. The goal is to produce search results that facilitate product discovery or additional drilling to reveal more choices for buyers. Challenges include search tools that provide too many responses, which forces users to wade through lines of products and/or data to find relevant information or not enough responses -- it leaves them wanting more.

To combat these challenges, half of Best-in-Class companies use a faceted search taxonomy that segregates query matches by attributes. For example, a customer visited an online consumer electronics site and searched for a 6-megapixel digital camera. He checked the results, which were segregated into categories (i.e., cameras and camcorders, computers and office products), brands (Canon, Casio, Fuji, etc.) special offers (On Sale, Free Shipping, Package Deals) and actual products.

The site used faceted navigation to display navigational choices to narrow the search and focus on specific selection criteria. The customer clicked on the camera category and was presented with additional product choices with options to sort by price, brand, best sellers or new products. Sites that are not built with a navigation structure designed to accommodate search taxonomy have significant challenges to implement these best practices.

Companies that compete in the search and merchandising arena provide decision-making tools for customers to allow them to find products quickly and easily. Although the concept is called faceted search, vendors have different names for it and are busy registering and trademarking their segmented search descriptors, including the following:
Endeca calls their faceted search Guided Navigation;
Mercado goes by Product Data Optimizer;
FAST provides faceted search but doesn't apply a moniker;
SLI Systems trademarked their faceted technology Learning Navigation; and
DieselPoint calls theirs Search and Navigation.
Each of these solutions offers a slightly different approach to segmenting search results into a structured schema, with the end result of driving relevant, understandable results and adapting to user behavior. The benefit to consumers is that they can refine their search requirements based on information specific to their needs without sifting through a multitude of results. Currently, 82 percent of laggard retailers do not use a faceted search structure, but this is likely to change as 44 percent of all respondents plan to implement this taxonomy within the next 24 months. Faceted navigation is a searchandising mentality that plays on a shopper's inclination to start with a vague idea of what they're looking for and to browse a site until they stumble upon relevant products. Yet, retailers serve up these products through a series of calculated rules-based procedures (used by 72 percent of Best-in-Class retailers), working behind the scenes.

In this way, sites can merchandise based on user analytics data and build upon the collective behavior of the best paths to conversions and to profitability. Search analytics data is currently used by 65 percent of Best-in-Class retailers to build customer profiles, evaluate buying patterns and discern successful keywords and conversion paths. This data can be modeled to anticipate customer behavior and is leveraged by 26 percent of Best-in-Class merchants to tune search results in order to merchandise to customers and customer segments on a predictive basis.

It should be noted that this process can be achieved in real-time -- but it is extremely difficult to do. Sophisticated search technologies can deliver real-time merchandising results based on information gained during a consumer's current online session, but most often this is not the case.
Predictive analysis and collective behavior are capabilities inherent to some search applications, but retailers must start with segmentation and faceted search basics prior to getting accurate predictions of what customers want and what they will purchase.
Additionally, 68 percent of leading sites use data collected from search to feed back into their merchandising tactics to influence results. What's even more important is the ability to measure and manage the conversion process to key into what works and to modify tactics that fail. According to 55 percent of leading retailers, they actively monitor conversion rates achieved from search optimization tactics and continually fine tune results as a corrective measure. Customer conversions for online shoppers that use the search tool vs. those that do not show significant advantages to drawing customers into the search tool. Twenty-two percent of retailers reported conversion rates 26 percent to 50 percent better than those who did not use search; 11 percent of Best-in-Class retailers reported improvements in conversion rates that were 51 percent to 75 percent better than non-search users.

To achieve these increases in conversion rates, companies first must align their navigation structure to accommodate search queries, as well as ensure that zero yield searches and failed search attempts are kept to a minimum by measuring and managing these metrics. If these processes are put in place, sites can maximize the profits of searchandising to provide a more relevant shopping experience for customers -- and higher profits.

Thursday, March 22, 2007

 

Market Your Online Startup for Next to Nothing

There is an ever-increasing number of people that are utilizing the Web to support or altogether run their businesses. However, setting up your online storefront is not the last hurdle an e-business owner faces. Once an online presence is established, there is still the matter of marketing your business and selling your products. Below are some tips that online entrepreneurs can use to maximize their marketing efforts.

The first section below is comprised of recommendations that will cost entrepreneurs nothing at all; the second section offers tips that will exact small financial tolls.

Ask visitors to bookmark your site. A quick, low-cost strategy is to simply ask your visitors to bookmark your site, or save it in a "Favorites" list. Visitors who've bookmarked your site can find it faster and are more likely to visit again. The best way to get these visitors to return is to make regular updates to your site.

Take advantage of others' forums and blogs. There are innumerable forums, discussion lists, blogs and news groups online. These are comprised of people with specialized interests. As such, you'll be able to find quite a few that are dedicated to what you're selling. Register and post about your online business.

Start a blog. Weblogs give you the opportunity to provide your visitors with new -- perhaps more personal or pointed -- content. Let your visitors know what's going on with your store. Or, if you're interesting (or even if not), let them know what you're doing. (Just don't write about the weather that day.)

Exchange banners and links with complementary sites. Contact others whose sites are related to yours, and exchange banners and other ads. Remember that there is a difference between competition and complementary sites.

Competitive sites aim to take your visitors and your business. Complementary sites sell products that complement the ones you sell -- they do not sell the same products you do. These help you reach a new audience. For example, if you run a DVD store, think about contacting sites that sell DVD players. Customers buying DVD players are going to need DVDs at some point.

Get visitors to subscribe to a mailing list. Visitors who sign up to receive e-mails from you are already interested in what you have to offer. It's up to you to entice them to come back and become customers.

Send promotions, coupons, updates and offers to your customers. Existing customers are a valuable market for you. Solicit your customers to return by rewarding them with coupons and offers. Keep them interested with updates. You've already reached them -- it's up to you to give them a reason to come back.

Tell your friends. Word spreads quickly. Word of mouth is the most effective way to promote and advertise your store. It's as easy as it sounds. Tell your friends -- they're the most difficult customers for your competition to take away from you.

Send out online press releases. Press releases are a great way to get some low-cost exposure on your Web site and build up your reverse links for search engine optimization. While purchasing media lists is a consideration, it is not a necessary expense.

With some good, old-fashioned detective work, you can find the right contacts. Read your target publications to find appropriate contacts. Their e-mail addresses are usually listed beneath their byline. For follow up, you can usually find the main number on the publication's Web site. If you're following up with a local publication, just pick up the yellow pages.

Google and Yahoo ads. You can pay for ads with Google AdWords and Yahoo Search Marketing. When you conduct a search using either of these search engines, take notice of the advertisements that come up to the right of the results. They are geared towards the search query you entered. You can pay to have your link come up as an advertisement whenever someone enters search words you pay for.

Advertising on blog sites. The blogosphere wields a lot of power and is a good way to connect with consumers with particular tastes. Starting your own blog is a good, free way to get your business name out there.

For a little investment, you can advertise on blogs with influence on particular readerships. Blogads.com, for instance, has low cost, high volume sites. Another thing to keep in mind is that blog readers are typically early adopters.

Get your site listed with targeted industry Web sites or directories. These are usually charged through a pay-per-click model. A great way to find them is searching keywords you target and see if there are directories or Web sites where you might be able to place yourself into.

Buy a direct e-mail list. This may be a little pricier -- depending on the list -- but it allows you to target your audience.

Check out content advertising networks. These are typically much cheaper per click than search engine clicks. Check out Clicksor.com to see a good example.

Advertise on e-zine Web sites. Again, these are typically low-cost sites that produce visitors who are typically a little more Web savvy and more inclined to buy online.

Advertise on online shopping Web sites. Be sure you are unique here as this is where you will really need to stand out from some of the main players like eBay, Amazon.com and Wal-Mart.

Add your online store to online shopping malls. Typically you can do this for free, but it's well worth the investment to pay for add-ons such as a featured listing. It will boost your traffic.

Create business cards. Often, people with online storefronts overlook traditional methods when marketing their businesses. Make sure to have personal printed media (e.g. stationery, business cards and print ads) pointing offline contacts to your Web site. Pass them out to friends, acquaintances, etc. and tell them to visit your store. If you don't carry what they are looking for ask them to e-mail you.


Sunday, March 04, 2007

 

Online Merchants Can Block Phishing Attacks for Good

Last month, Web-security firm MessageLabs said that for the first time ever it had recorded more e-mails bearing phishing attacks than those containing viruses or other malware. January's MessageLabs Intelligence Report also found that phishing attacks were becoming increasingly sophisticated, which was attributed to the rise in the number of online merchants and sites requiring users to access their accounts using more than just a login and password. "We are seeing phishing attacks increase in sophistication and ability to evade many preventative technologies," said Mark Sunner, MessageLabs's chief security analyst. "Cybercriminals continue to seek new and more subversive means to launch their attacks." Sunner said one out of every 93.2 e-mails, or about 1 percent of all e-mail traffic traced in January, bore evidence of some form of phishing attack.

Already, 2007 is shaping up to be a year in which the e-commerce sector in particular takes aim at phishing and subsequent identity theft. eBay and PayPal, two favorite targets of phishing attacks, have pledged stepped-up security efforts with PayPal offering automated pass code generators it says will foil efforts by third parties to access user accounts. Meanwhile, various law enforcement agencies have stepped up their pursuit of criminals who use e-mail to perpetrate attacks, utilizing the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003 to lower the federal prosecution boom in some cases.

Though consumer education has helped explain the risks involved when Web surfers provide account information, phishers have become increasingly adept at creating fake e-mails and spoofed Web sites that are so convincing they can fool even the most experienced Internet surfer.
Indeed, the stakes are high for consumers and criminals alike. A report by Gartner found that the average identity theft victim suffered losses of US$1,000 and that high-income individuals, a favorite target of phishers, lost more than $4,300 in each attack. All told, Gartner pegged phishing-related financial losses at more than $2.8 billion for 2006. While many banks and online services are starting to put measures in place to prevent such losses, cybercriminals will continue to seek new avenues for their attacks, Gartner Vice President Avivah Litan predicted. "Cybercriminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard to detect social engineering methods to reap financial gains," Litan said. "Countermeasures such as phishing detection and take-down services deployed by banks, Internet service providers and other service providers are obviously not sufficiently widespread or effective," she added.

In fact, the security industry continues to seek ways to get a step ahead of identity thieves. Reflexion Networks, a Boston-based e-mail security firm servicing businesses and ISPs, uses an address-based e-mail security solution that could have wider applications in the battle against phishing. The sheer number of "[phishing] incidents tend to erode public confidence in e-mail which has serious consequences," Reflexion CEO David Hughes said. "People are more and more automatically deleting messaging from leading brands. People's first inclination is just to hit the delete button." Reflexion's approach uses what Hughes says is analogous to e-mail PINs (personal identification numbers), in which a user creates an e-mail address that includes a component known only to the recipient and the party to which it has been disclosed. For instance, the user can create an alphanumeric address that is given only to eBay, PayPal or a bank. Any e-mail received that purports to be from that merchant could then be easily identified -- the combination of correct "to" and "from" e-mail pairs is nearly infinite. Under this scheme, phishers would likely be unable to acquire the correct e-mail address. For Reflexion users, all qualified e-mails are placed in a common inbox. Users are also given a software-based dashboard that provides a view of e-mails that have been blocked.

Beyond the Reflexion user base -- it targets large, mid-sized and small businesses -- the same technology could be used by merchants directly in order to give their consumers a higher level of confidence in their e-mail correspondence. Any vendor "could give its customers the opportunity to define an e-mail PIN and the merchant could include that PIN in the 'from' address every time they communicate," Hughes said. For the scheme to work effectively, users must be willing to define and manage additional e-mail addresses; however, Hughes believes consumers would adapt. "There was a time when ATM cards were new and there were a lot of questions about whether the public would use them," he said. "Now, everybody is accustomed to the concept. Our subscribers say [Reflexion is] very intuitive for them and gives them more confidence the messages they are receiving are really from the merchants and partners they trust." That is an important issue, as Gartner's Litan explained that more users are deleting e-mail messages without reading them in order to protect themselves. "The traditional approaches aren't working," she said.
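The address-pair check described in the two paragraphs above, as an added sketch that is not Reflexion's implementation and not code from the original article. It assumes the per-correspondent alias is derived with an HMAC so the filter needs no lookup table, and it assumes a `service+PIN@merchant` layout for the merchant-side variant; the secret, domains, PIN and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this sketch; none of them come from Reflexion.
SECRET = b"constructed-demo-key"   # per-user secret held by the mail filter
MAILBOX, DOMAIN = "alice", "example.net"


def alias_for(sender_domain):
    """Address disclosed to exactly one correspondent, e.g. a bank."""
    mac = hmac.new(SECRET, sender_domain.lower().encode(), hashlib.sha256).digest()
    tag = base64.b32encode(mac)[:10].decode().lower()
    return f"{MAILBOX}.{tag}@{DOMAIN}"


def split_addr(header_value):
    """Return (local_part, domain) of an address header, lower-cased."""
    address = parseaddr(header_value or "")[1].lower()
    local, _, domain = address.rpartition("@")
    return local, domain


def classify(raw_message):
    """Check that the To alias is the one issued to the From domain."""
    msg = message_from_string(raw_message)
    to_local, to_domain = split_addr(msg["To"])
    _, from_domain = split_addr(msg["From"])
    # Mail to the bare mailbox or a foreign domain carries no alias at all.
    if to_domain != DOMAIN or not to_local.startswith(MAILBOX + "."):
        return "no-alias"
    expected = alias_for(from_domain)
    got = f"{to_local}@{to_domain}"
    if hmac.compare_digest(got.encode(), expected.encode()):
        return "accept"
    # Alias-shaped address, but not the one this sender was given: either a
    # guessed tag or an alias that leaked from a different correspondent.
    return "wrong-pair"


def from_pin_ok(raw_message, pins):
    """Merchant-side variant: the customer-defined PIN rides in the From address.

    pins maps a merchant domain to the PIN registered with that merchant.
    """
    msg = message_from_string(raw_message)
    local, domain = split_addr(msg["From"])
    pin = pins.get(domain)
    if pin is None:
        return False
    carried = local.partition("+")[2]   # empty string when no "+PIN" is present
    return hmac.compare_digest(carried.encode(), pin.encode())


def make_msg(from_header, to_header, subject="Account notice"):
    """Build a minimal constructed message for the demo below."""
    return f"From: {from_header}\nTo: {to_header}\nSubject: {subject}\n\nbody\n"


# Caveat: From headers are forgeable, so a leaked alias or PIN plus a forged
# From still passes. The pair check complements SPF/DKIM/DMARC results; it
# does not replace them.

if __name__ == "__main__":
    bank_alias = alias_for("bank.example")
    samples = [   # constructed messages
        make_msg("Bank <notify@bank.example>", bank_alias),
        make_msg("notify@bank.example", "alice@example.net"),
        make_msg("notify@bank-secure.example", bank_alias),
    ]
    for raw in samples:
        print(classify(raw))
```

The "wrong-pair" outcome also tells the recipient which correspondent's alias has leaked, since each alias was disclosed to only one party.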


 

Securing Your Online ID

There's no doubt that online banking is widely popular in this country -- just ask the millions of customers who've signed on for the convenience it provides. As fraudsters create new scams to bilk financial services customers or to simply hijack their accounts, however, banking customer trust is on the decline. That customer trust is a powerful thing. Without trust, financial institutions could experience diminishing use of the online channel, which would have a significant impact on the bottom line for many financial institutions.

Consumers are tired of fraudsters wreaking havoc on their personal financial accounts and trying to compromise their identity. The impact is anything but small -- more than 9 million Americans were victims of identity theft in 2005. Securing online accounts from malicious activity is important to consumers who -- and this may surprise some banks -- are willing to take considerable steps to protect their assets. This notion of enabling the consumer to actively participate in an authentication solution is contrary to how most financial institutions are addressing the issue. Most financial institutions are relying on less successful authentication methods. Those methods include the following:

Token-based, one-time password -- Customers are issued security passwords through a separate purpose-built device. The trouble is they often lose them or forget to carry them at all times, making it difficult -- and frustrating -- to complete a transaction. Security tokens also are expensive for institutions, and may lead to higher customer support.

Image and text confirmation -- Sometimes referred to as reverse-authentication, financial institutions ask customers to choose an image and/or phrase that can be displayed when they access their account. This method does little to verify the user's identity; instead, it is intended to confirm that the site they're visiting is authentic. It's highly debatable, though, whether customers will actually pay attention to these safeguards in a way that will make them meaningful.

Transaction anomaly detection systems -- Help identify transactions suspected of fraud or changes in customers' use patterns, but are back-end focused and require little interaction with the user. While they may be effective in spotting some types of fraud, they do little to reassure the end user.
Multifactor authentication methods, such as image and text confirmation, are more difficult to compromise than single-factor methods such as passwords. As we saw last summer in the case of Citibank, even a two-factor authentication process can still be foiled. The New York-based financial giant was targeted by about three dozen phishing Web sites that tricked users into entering a second authenticator, which then let the phisher sign on for the victim. The bank claimed that no customers were affected by the scam, but it clearly showed some security flaws with Citibank's system.

Javelin Strategy & Research, an independent research and strategy consulting firm, asked 1,000 consumers how safe they would feel with a given authentication solution -- either device recognition, image display/recognition, or a one-time password generating token -- and how likely they would be to adopt a solution should it be offered by their bank. Half of customers surveyed said they preferred device recognition -- recognizing the device used to access the account online.
Device recognition addresses all of the customer and bank concern areas when it comes to preventing identity fraud: convenience, reality and perception. Because it's easy to use, it requires minimal need for change in consumer behavior. However, just device authentication is not enough. By allowing banking customers to register a device, such as their home PC, and lock it to their online financial accounts, the bank now has two-factor, two-way authentication. Even if a user is phished, the stolen login ID/password information is rendered useless unless the fraudster has access to the victim's PC. Users then become "deputized security officers" and are in control of which device will have access to their accounts. They're also alerted by e-mails, text messages or phone calls when illegal access occurs.

Javelin analysts report that limiting online account access to certain devices, such as PCs -- with additional authentication measures necessary for login via unrecognized devices -- is a superior security and authentication solution. Financial institutions benefit from a solution that customers can easily adopt, which leads to increased use of the online channel and a better return on investment.

If customer security weren't enough of a driver to embrace more advanced authentication solutions, financial institutions have another reason: The Federal Financial Institutions Examination Council (FFIEC) has begun enforcing a risk analysis and audit of banking organizations to determine the need for "stronger" authentication for online account access. The enforcement began last year and financial institutions are still trying to evaluate what it all means.
Our analysis is that these institutions should meet and exceed the FFIEC expectations by deploying a multifactor, online authentication solution. Moreover, they should employ a system that allows them to share information about devices and accounts that have a record of negative behavior. We think of this as "reputation." We've made it our business to throw roadblocks in the faces of fraudsters by amassing millions of PC reputations and helping financial institutions share this information to stall the growth of online fraud. By sharing reputation, all parties realize the benefit of a solution that far exceeds the sum of individual technologies. This is finally a formula for combating fraud on a global basis, not just within isolated networks.



 

Google To Defend Against Click Fraud

Google plans to provide Web advertisers with more data and tools to combat click fraud, a damaging practice that costs advertisers an estimated US$16 billion a year. The new tools are part of an effort to crack down on click fraud and dull its impact on the otherwise highly profitable pay per click online advertising model. "There has been an increasingly growing cloud over Google on this issue," Ron Enderle, a principal analyst with the Enderle Group, said. "If folks have been gaming the system, advertisers want to see some corrections."

With the pay per click model, advertisers pay every time someone clicks on their ads. However, some companies mount campaigns to click repeatedly on their competitors' ads just to drive up their costs. The practice takes advantage of the system Google currently has in place for Internet advertisers to pay their fees. Now, Google intends to address the issue by providing advertisers with a means to scrutinize the process and gain more control over it, according to Enderle.

In March, Google will begin allowing advertisers to blacklist certain IP addresses if click fraud is suspected -- for example, if a large number of clicks from a particular address results in few or no sales. The company also plans to launch a Web site resource center to combat click fraud, where it will post information and tutorials to educate its advertisers on the issue of invalid clicks. On Wednesday, Google released data indicating that most fraudulent clicks are automatically detected, but it acknowledged that its pay per click Web advertising system has been abused.
Critics contend the practice is already out of control, claiming that up to half of all ad clicks are fraudulent. However, that figure is overblown, Google maintained, pegging the true number at closer to 10 percent.


Google bases its estimate on the average number of invalid clicks it catches and doesn't charge for. The 10 percent represents an estimated US$100 million in lost revenue, Google said.
Google conceded that it doesn't catch about 0.02 percent of the click fraud that occurs -- those instances are brought to its attention by advertisers. However, says Enderle, the information Google released does not present a complete picture. What is missing is the number of fraudulent clicks neither the search giant nor the advertisers catch. Google is now moving to put adequate tools in place so it can more accurately measure what is happening. "Google is realizing it better get its arms around this, or advertisers will fix the problems themselves," said Enderle, "and Google won't like that."
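The blacklisting heuristic described above (many clicks from one address, few or no sales) can be checked against an advertiser's own logs. The sketch below is an added example, not Google's tooling or code from the article; the log layout, thresholds and function names are assumptions, and it goes slightly beyond the article by comparing each address with the conversion rate of all other traffic instead of using a raw click count.

```python
from collections import Counter
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of k or fewer sales in n clicks."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def suspicious_ips(clicks, min_clicks=20, alpha=0.01):
    """Return (ip, clicks, sales, p_value) for addresses whose sales are
    improbably low next to the rest of the campaign's traffic.

    clicks: iterable of (ip, converted) pairs from the advertiser's own logs.
    min_clicks and alpha are assumed tuning values, not figures from the article.
    """
    per_ip, sales = Counter(), Counter()
    for ip, converted in clicks:
        per_ip[ip] += 1
        sales[ip] += int(bool(converted))
    total_clicks, total_sales = sum(per_ip.values()), sum(sales.values())

    flagged = []
    for ip, n in per_ip.items():
        rest = total_clicks - n
        if n < min_clicks or rest == 0:
            continue  # too little data, or nothing to compare against
        # Leave-one-out baseline, so a heavy abuser cannot drag the norm down.
        baseline = (total_sales - sales[ip]) / rest
        p_value = binom_cdf(sales[ip], n, baseline)
        if p_value < alpha:
            flagged.append((ip, n, sales[ip], p_value))
    return sorted(flagged, key=lambda row: row[3])


def build_sample():
    """Constructed click log using documentation-range addresses (not real data)."""
    log = [("203.0.113.7", False)] * 60                # 60 clicks, no sales
    log += [("198.51.100.20", i < 4) for i in range(50)]  # shared office NAT, 4 sales
    for i in range(100):                                # ordinary visitors, 2 clicks each
        ip = f"192.0.2.{i}"
        log += [(ip, i % 5 == 0), (ip, False)]
    return log


if __name__ == "__main__":
    for ip, n, s, p in suspicious_ips(build_sample()):
        print(f"{ip}: {n} clicks, {s} sales, p={p:.4f} -> candidate for exclusion")
```

A flagged address is only a candidate for exclusion: many legitimate users can share one address behind a proxy or NAT gateway, which is why the comparison uses conversion rate and not click volume alone.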



 

Fighting ID Theft (Pt 1)

Currently, identity theft may be the most worrisome and threatening problem for online users and the businesses and institutions that support them. Unfortunately, it is now easier and cheaper than ever for those bent on illicit gain to use the Internet to obtain the private, personal information necessary to impersonate you online -- the first step for cybercriminals to gain access to your financial information. "Online identity theft is going to grow significantly given the millions of records that have been lost or stolen from banks, credit agencies, hospitals, government agencies and businesses over the past year," said Randy Abrams of online security and malware detection systems provider ESET. The good news is that banks, brokerages and financial services providers, along with the security technology providers that service them, are rolling out a variety of new methods and tools to thwart such threats.

Some 10 million Americans have been victims of identity theft and they spent an average of US$1,500 and 175 hours to recover from it, according to the Fight Identity Theft site. Moreover, victims spent nearly 250 million hours trying to sort out fake credit card accounts and set their credit records straight, according to the U.S. Treasury. "As more and more people take advantage of the convenience of online banking and e-commerce, the pool of potential victims of fraudsters increases in size and volume," Greg Hughes, chief security executive at Corillian, said.
"This presents more opportunity for criminals to take advantage of users, not only through technology like malware and other forms of technical fraud, but also through the evolution of social engineering," he said. "There is simply a greater variety of people and a greater number of people (and therefore dollars) for fraudsters to target. In addition, the increased complexity and variety of systems in the marketplace present a ripe environment for finding new holes and creating new forms of trickery," noted Corillian.

The first steps online fraud artists take to perpetrate ID theft and online fraud often occur offline, however, through more run-of-the-mill petty crimes such as pick-pocketing and mail theft, as well as more serious felonies such as burglary -- and, of course, the theft of notebooks, laptops and other portable network devices. "According to the Federal Trade Commission, identity theft accounts for almost 40 percent of all fraud complaints," Absolute Software CEO John Livingston said. "With the popularity of mobile technologies such as laptop computers, people are more prone than ever to having their personal information stolen." Common acts of online fraud resulting from ID theft include the following: 1) Unauthorized transactions on existing accounts (e.g., unauthorized charges on a credit card or checks on a checking account); 2) Takeover of existing accounts (e.g., prolonged use or emptying of a financial account); and 3) Creation of new accounts.
A 2006 Ponemon Institute report stated that 81 percent of companies reported the loss of one or more laptops containing sensitive information during the past 12 months, according to Absolute Software.

More than 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information, claimed Safeware Insurance. In order to help thwart the theft of mobile computers and associated data, Dell Computer and Absolute on Feb. 7 announced that buyers of select Dell Inspiron and XPS notebooks who purchase Dell's CompleteCare Accidental Damage Service will get Absolute's Computrace LoJack for Laptops theft recovery service gratis for the length of their service contracts. The Computrace LoJack system protects personal data on the system, as well as helps track down and recover the computer.

Online fraud artists have also come up with increasingly devious, complicated ways to obtain personal ID information. "The tactics fraudsters have developed to target end users are extensive and are evolving," commented Corillian's Hughes. "From complex social engineering in the form of phishing and similar tactics to purely technical exploits like man-in-the-middle, man-on-board, Trojans and malware. All of these are deployed -- and are often combined -- to carry out the gathering of information to gain unauthorized access to a user's private information or, in some cases, to create identifying documents and other physical media such as duplicate debit and credit cards for the purposes of conducting fraud and theft." One of the more common, simple and effective means to obtain personal ID data is through the use of spam, noted Kaspersky Lab's senior technical consultant Shane Coursen. "Today's most common method is to send spam messages to a large number of e-mail addresses (a.k.a. a spam run). The spam message refers to a Web site that, once visited, begins a process of placing malware of various types (downloaders, keyloggers, bankers, etc.) on the visiting PC."

Another tried, true and growing method is the insider attack. "It's not a new method but one that seems to be increasing in frequency," said Coursen. "For example, a malicious person attacks their own company by tricking a fellow employee into installing malware, or by bending company policies that result in the installation of malware. It is a troubling trend."



 

Fighting ID Theft (Pt 2)

Approximately 10 million Americans fall victim to identity theft each year, a statistic that is expected to increase despite the diligent efforts of government and institutions to turn the tide. Leading IT security providers are arguably in the best position to understand the nature and scale of the problem, as well as help organizations and individuals prevent ID theft. The number of keyloggers increased by 250 percent between January 2004 and May 2006, according to a McAfee Avert Labs white paper released in January, while the number of alerts listed by the Anti-Phishing Working Group grew 100-fold -- 17,600 in May 2006 compared with 176 in January 2004. "ID theft is a huge problem," said Craig Schmugar, a virus researcher at McAfee Avert Labs.

The act of stealing someone's identity often combines physical methods -- dumpster diving, fake telephone calls, snail mail rerouting and shoulder surfing -- and virtual methods, such as hacking, phishing, pharming, keylogging, spam running and advanced fee fraud, according to Schmugar.
Recently, spam runs and insider attacks have been on the rise, although spam runs may become less of a problem over time, said Kaspersky Lab's Shane Coursen, as users are becoming aware of their potential danger. It's a numbers game, however. "When a spam run consists of a million or more messages, statistically, there will always be a certain number of people who will fall victim," Coursen said. "As for insider threats," he continued, "the problem is likely to get worse before we see a turnaround. The turnaround will come when the majority of IT personnel understand the threat, develop best practices that help their companies avoid falling victim to scams, and deploy software and hardware that can protect the infrastructure they manage. The security industry is also responding to this threat. For instance, Kaspersky Lab's sister company, InfoWatch, provides data leakage detection and prevention solutions for the enterprise," he added.

"McAfee pioneered detection of password-stealing Trojans a decade ago, a time when antivirus products were dealing with replicating viruses more often than Trojan Horse programs," Schmugar recounted. "That paradigm would shift several years later, when Trojans -- especially those capable of stealing passwords -- would take over as the most predominant type of malware," he said. What can organizations do to protect and prevent ID theft and unauthorized network and systems incursions? "Securing sensitive information is key. Access controls must be secure, data needs to be encrypted and Web and database applications need to go through extensive security auditing," he recommended. "Strong network and system policies need to be put in place. SOHO (small office-home office) users who jump on and off corporate networks are often a challenge for organizations to secure," Schmugar said. "Additionally, theft of mobile devices such as laptops seems to be in the headlines every week; in many cases confidential data has not been encrypted," he said, adding that the Privacy Rights Clearinghouse site is a good source of information.

Vigilance and following some relatively simple "best practice" guidelines are good bets when it comes to avoiding becoming just another ID theft victim. Best practices include running the latest versions of antivirus and spyware programs, running a firewall, and downloading the latest updates from software vendors, particularly from Microsoft if you're running Windows. "To avoid becoming a victim, never provide any personal information to a Web site link that was e-mailed to you -- more than likely, it's a scam. Take precautions in the event your computer or laptop is stolen," Absolute Software CEO John Livingston said. Other recommendations include regular, careful monitoring of your financial accounts and credit report. "The consumer's only significant defense right now is to be vigilant in checking their financial balances and credit reports," commented ESET's Randy Abrams. "While there are the basic steps of shredding documents, covering the keypad when you enter your PIN (personal identification number), consumers also need to be careful of their online habits. Consumers can use resources such as the Identity Theft Resource Center to help improve their prevention practices. Social Web sites, such as MySpace, where users include every detail of their life, make social engineering attacks designed to garner enough information to perform identity theft a breeze," he added.

Another line of defense against ID theft lies in enhancing organizations' ability to authenticate users. Banks and financial services providers, in particular, are now embedding a variety of authentication processes at all levels of their online platforms. In use at more than 50 financial institutions, Corillian's Intelligent Authentication system is a case in point. Considered a "strong" multifactor authentication solution in accordance with recently introduced FFIEC authentication guidelines, the system resides between users' computers and a financial institution's Web servers and online transaction systems, monitoring and analyzing online activity in real-time in order to detect potential unauthorized and fraudulent access. "It is generally accepted across the industry that the use of a user name and password is simply not a strong enough mechanism to secure sensitive information in today's Internet security landscape," according to Corillian's Chief Security Executive Greg Hughes. "As a result, a wide variety of authentication approaches have been introduced to the market over time, including multifactor, multilayer and multiband methods. In addition, authentication methods involving tracking and validating other types of data have been created with tools that watch specific behaviors to build a user's normal 'behavioral fingerprint.'
"We can leverage that behavioral fingerprint and compare its consistency at any point in time with a user's past behavior patterns, and use the result of the analysis as an additional factor and layer of authentication," he said.


There are some simpler but effective steps that need to be taken to help prevent ID theft, however. Banks and other financial organizations need to know what data is questionable and where their networks are vulnerable. They must also start looking outside the organization to identify sources of data that can be used to perpetrate ID theft and online fraud. "Businesses, especially banks, have a long way to go to help solve the problem. Many banks have neanderthal security practices ... Businesses and other entities also need to stop putting personal data on laptops that do not have encrypted drives," recommended ESET's Abrams. "Credit agencies, such as TransUnion, are able to enter incorrect information about a user without any proof of validity, but will only change the fictitious information they enter if a physical document is mailed to them. If the credit reporting agencies cannot validate their data, we are in trouble and the identity theft problem will continue ... Free annual credit reports are a meager start," he continued. As long as the U.S. treats personal information as a commodity, it is difficult to enforce the vigilance required to eliminate ID theft. "Until the U.S. legally adopts a policy that private information belongs to the individual, we will lead the world in identity theft problems," concluded Abrams.


