Security Bytes: May, 2009 archives

May 12 2009   3:32PM GMT

Survey: ATM/debit fraud on the rise
Posted by: Marcia Savage
ATM/debit card fraud

More than 80% of financial-services managers said they expect ATM/debit card fraud attempts to increase this year, a survey finds.

A recent survey by Actimize has some noteworthy findings, once you get past the parts that are geared to promote the vendor’s antifraud and risk management software.

Of the 113 financial-services managers polled (albeit not a very big sample), 40% said they saw double-digit growth in ATM/debit fraud claims in 2008 compared to 2007. A whopping 80%-plus said they expect ATM/debit card fraud attempts to increase this year, and almost 35% expect them to increase between 10% and 14%. Survey respondents represented retail banking, card issuers and payment processors.

More than 55% of the respondents predict U.S. card fraud to increase when Canada adopts chip and PIN, which Actimize said is expected to “reach critical mass” by 2010. Almost half said they expect fraud perpetrated by customers themselves — not outsiders — to increase this year.

Actimize’s survey also asked a lot of questions about the impact of mass compromises of payment card data, such as the Heartland breach. Such breaches impact financial firms in three main areas, said Jasbir Anand, fraud product manager at Actimize: overall costs, call center volume and a decrease in customer confidence.

Forty-eight percent of those surveyed said less than 1% of compromised accounts actually experience fraud and almost 15% said of the cards they reissued after a mass breach, 20% were for accounts that were unaffected by actual fraud. The cost of reissuing a payment card can range from $3.50 to $30, Anand said, making the costs of reissuing cards out of proportion to actual fraud losses.

I know some credit unions, in the wake of the Heartland breach, acknowledged that reissuing cards was costly, but they also said it was the right thing to do for their customers. A spokesperson at Washington State Employees Credit Union, which had to reissue about 4,000 affected debit and credit cards, said it wasn’t acceptable to see if something happened to the cards before reissuing them.

May 12 2009   12:24PM GMT

Software delivery could fix software patching issues
Posted by: Robert Westervelt
patch management, patching, software updates

When was the last time you considered the state of your vendor relationship? Are they doing anything behind your back?

Google recently presented the results of its study touting that users of its Chrome browser are far more likely to have the latest version installed, because Chrome includes a silent update feature that automatically checks and installs the latest version with virtually no user interaction.

Software updates have become ubiquitous across applications, regardless of their purpose. Sometimes the user must check for a new version, but often an automated process checks for an available update and then prompts the user to approve its installation.

I must admit that like many users, when I am moving quickly on a task, I’ll sometimes delay an application update for another time. But keeping that update process silent, without the user’s knowledge, strikes me as putting security ahead of the user. If I want to surf the Web without antivirus protection, I will do so. If I want to remain on version 1.x instead of 1.5, I want the ability to have that choice. When was the last time you got into an automobile and an automatic seat belt swung into place? Admit it, the auto industry caught on. Even though seat belts could save a customer’s life, automatic seat belts are a thing of the past. They were too intrusive, resulted in less choice for the driver and passenger, and ultimately, I bet they hurt sales.

Mozilla’s Johnathan Nightingale got it right when he said Mozilla prides itself on giving its users information. “We make certain choices, like telling users when security updates happen, and not automatically upgrading users to new ‘major’ versions … because we think it’s important to give our users that information and choice,” he said, explaining his take on the Google study.

Software as a Service and cloud computing services could dramatically change the discussion around patching. But perhaps more important are the questions that remain unanswered. Marcus Ranum, CTO of Tenable Network Security Inc., asked the following two questions:

  • Why are we running software that is so bad it constantly needs patching?
  • Since the “security researchers” have been saying for 15+ years that their bug-hunting activities are part of “making software better,” can we declare that effort to be a failure, yet?

It’s possible that if the industry starts to adequately address the issues within the software development lifecycle, the patching discussion will become a moot point. Bruce Schneier said something several times at the 2009 RSA Conference that stuck in my mind: Cloud computing is about trust. Do you trust your vendor? I suspect we are trusting our software and hardware vendors to a certain extent. By downloading a piece of software or buying an electronic device, we are engaging in a relationship. The fact is, by making software updates silent, the vendor is doing something behind our back. It’s something that begins to call our relationship into question. Isn’t that when relationships have a tendency to fail?

For now, I’ll happily continue to put off my software updates until they’re convenient for me. And yes. I wear a seatbelt.
May 1 2009   5:11PM GMT

Panda goes light on client, heavy into cloud
Posted by: Neil Roiter
Collective intelligence, Panda Security, cloud antivirus

Feeling stuffed, sluggish? Oh, it’s not you? It’s your PC suffering from a bad case of AV bloat. How many thousands of antimalware definitions can it take? How many updates? (Remember when your AV vendor recommended downloading updates at least once a week — or was it even once a month?)

Small wonder antimalware vendors are seriously looking to cloud-based detection, taking the burden off your poor laptop’s memory, CPU and grinding hard drive.

The latest idea, coming from Panda Security, is a free thin client product, which analyzes potential malware on execution, not on the PC, but in the cloud, where the resources of PandaLabs Collective Intelligence determines whether it is malicious or benign and directs the client to allow or block execution accordingly.

“It’s getting more and more cumbersome to deal with large signature files and pushing those out to everybody,” said Forrester analyst Jonathan Penn. “We’ve seen the hockey stick graphs with thousands of new virus strains a month. Pushing into cloud instead — assuming some level of network connectivity — makes a lot of sense.”

The cloud approach is not unique to Panda. Most of the leading AV vendors have some similar component: If the desktop engine — using whatever combination of traditional signatures, behavioral analysis, host-based intrusion prevention, application control, etc. — encounters a file it can’t assess, it ships its telltale traits in some sort of hash off to the Big Lab in the Sky for analysis by the vendor’s analog to Panda’s Collective Intelligence.

The cloud’s capacity — unlike your PC — is unlimited.

But the unique and really intriguing aspect of Panda Cloud Antivirus, released in beta this week, is the thin client aspect. Users install the client (you have to uninstall your current AV, which probably rules out your corporate laptop as a test machine), and, Panda tells us, you’re protected in real-time.

It’s not clear where Panda plans to go with this eventually — they’re holding that close to the vest. At the very least, Cloud Antivirus will increase the flow of potential malware samples to their cloud-based detection, improving its effectiveness. The target community, for now, is sharp end users, including IT and security professionals, who can give them some significant feedback.

(I’ll nervously, at first, run it on my home PC and back it up with Spybot and Malware Bytes Antimalware on-demand scans to assure myself. I expect serious security people, not journalist-poseurs like me, will get deep under the hood to see what’s really happening on their test computers.)

“Panda recognizes they can benefit from a broad consumer footprint,” said Penn. “Consumer PCs are kind of the front line in the fight against malware. They’re going to detect things first, they’re more likely to be the target of attack. More attacks will actually get through to them.”

Panda said Cloud Antivirus will utilize a third of the RAM of traditional desktop products and have about half the average performance impact.

The thin client notion is not unique to Panda, though it’s arguably taking the lead among vendors. McAfee has a thin client product, VirusScan TC (ThinClient), which is pitched as a small-footprint, low-bandwidth alternative, especially for remote users on slow connections.

And, last September, researchers at the University of Michigan, Ann Arbor, proposed a service provider/network-based approach using a thin client and multiple detection engines (“Rethinking Antivirus: Executable Analysis in the Network Cloud”). They used a thin client to ship thousands of malware samples through eight AV products and two behavioral analysis tools. The individual AV products’ detection rate ranged from about 55% to 87%, but the combination of all detected more than 96% of all the malware.

Using a bunch of different AV engines may not be a practical solution, but the thin client model is valid, especially when one considers the constant flow of information into the cloud and the resources any given vendor can throw at the problem.
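To make the thin-client model concrete, here is an added simulation (not Panda's, McAfee's or the Michigan researchers' code) of the two ideas in this post: the endpoint ships only a hash of the file to the cloud, and the cloud combines several engines' verdicts so the union catches what any single engine misses. Engine names, sample files, verdicts and the fail-open choice when offline are all constructed assumptions for this example.

```python
import hashlib

# Added illustration: a thin client sends only a file hash to a simulated cloud, where
# several engines' verdicts are combined. Engines, samples and verdicts are constructed.
ENGINES = ["engine_a", "engine_b", "engine_c"]  # hypothetical engine names


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed corpus: (file contents, is_actually_malicious)
CORPUS = [
    (b"quarterly report, plain text", False),
    (b"sample-1 dropper stub", True),
    (b"sample-2 packed stub", True),
    (b"sample-3 macro downloader", True),
]

# Constructed cloud knowledge base: per-engine verdicts keyed by file hash. Each malicious
# sample is caught by a different single engine, so no one engine sees everything.
CLOUD_VERDICTS = {
    sha256(CORPUS[0][0]): {"engine_a": False, "engine_b": False, "engine_c": False},
    sha256(CORPUS[1][0]): {"engine_a": True, "engine_b": False, "engine_c": False},
    sha256(CORPUS[2][0]): {"engine_a": False, "engine_b": True, "engine_c": False},
    sha256(CORPUS[3][0]): {"engine_a": False, "engine_b": False, "engine_c": True},
}


def ensemble_verdict(per_engine):
    """Union of detections: any engine flagging the file means 'malicious'."""
    return any(per_engine.values())


def thin_client_decision(data, online=True, cache=None):
    """Return 'allow' or 'block' for a file about to execute; only its hash leaves the host."""
    cache = {} if cache is None else cache
    digest = sha256(data)
    if digest in cache:                 # verdicts already seen are reused, even offline
        return cache[digest]
    if not online:
        return "allow"                  # no connectivity, no verdict: this client fails open
    verdicts = CLOUD_VERDICTS.get(digest)  # unknown hash -> None -> allow (cloud has no opinion)
    decision = "block" if verdicts and ensemble_verdict(verdicts) else "allow"
    cache[digest] = decision
    return decision


def detection_rates(corpus):
    """Per-engine and combined detection rates over the malicious samples in corpus."""
    bad = [sha256(d) for d, malicious in corpus if malicious]
    per_engine = {e: sum(CLOUD_VERDICTS[h][e] for h in bad) / len(bad) for e in ENGINES}
    combined = sum(ensemble_verdict(CLOUD_VERDICTS[h]) for h in bad) / len(bad)
    return per_engine, combined
```

The fail-open branch is the part to scrutinize in any real deployment: an endpoint that cannot reach the cloud has no verdict at all, which is the connectivity assumption Penn mentions above.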