Wednesday, June 4, 2014

An Abney Associates Fraud Awareness Program on Nine tips for councils on tackling fraud

As fraud gets harder to detect, what can councils do to protect themselves?

1. Fraud is getting harder to detect – so be vigilant
Technology means fraud has become more sophisticated and harder to detect. Awareness and vigilance must be key to protecting ourselves and the economy from these organised criminals.

– Lee Ormandy is intelligence and legal manager at Surrey county council

2. Beware of corruption growing in local government
We think that the corruption risk for local government in England has increased, and that – as a result – corruption in UK local government is likely to increase. We may not see the consequences for a decade. Many changes, such as those to the audit regime and ethical standards, are recent, and the precise consequences are not possible to predict. However, a lesson Transparency International has learnt across the world is that it is better to take notice of emerging risks and to act early, because once corruption takes root it can be very hard to eradicate. Relatively few cases of fraud and corruption can have high impact, and this affects trust in local government and in politics more generally.

– Nick Maxwell works for Transparency International UK

3. Invest, invest, invest
We have a concern that local authorities will lose their fraud investigators due to the welfare reform, and when they do realise that they need investigators they will have to go out and re-recruit. Local government needs to make it a duty on each council to ensure that fraud is investigated and that there is zero tolerance to fraud. Share out the £16.6m given to the Department for Communities and Local Government. Investing in fraud protection will mean local government is up-to-date on any threats and gets rewarded for identifying and prosecuting fraud.

– Andrew Williams is a member of the Local Authority Investigation Officers Group

4. Make young people aware of the dangers of fraud online
An increasing worry is young people not appreciating the dangers of online fraud. People growing up treating the internet as a given before they're old enough to have a bank account are often less likely to realise that fraudsters are targeting them through pop-ups or other scams.

– Lee Ormandy is intelligence and legal manager at Surrey county council

5. Make sure the loss of the Audit Commission doesn't cause problems
The Audit Commission used to also play a role in offering protection to external auditors, which empowered them to pursue investigations without fear of being sued or losing future contracts. In the new arrangements, there is no supportive role for an auditor to look at corruption risks and there will be no duty for auditors to consider corruption.

– Maxwell

6. Learn from central government
What is the difference in this area between central and local government? Is one better than the other at tackling corruption? Is there good practice that could be shared?

– Rachael Tiffen is head of the counterfraud centre at the Chartered Institute of Public Finance and Accountancy

7. Learn from other councils
Stoke developed its own anti-fraud awareness campaign Stop the Cheater (complete with an image of a cheetah) and concentrated on tenancy, benefits, and blue badge fraud. They increased referrals by 22% and recovered about 100 properties.

– Tiffen

8. Watch out for electoral fraud
There are lots of opportunities, from impersonating voters, postal votes, spending more than you declare etc. There is no proactive investigation or development of prevention-related strategies. The police have little interest in this. This is a classic area of fraud: because there are few detected cases it is thought that there is not a problem.

– Mark Button is director of the Centre for Counter Fraud Studies

9. Use data to plan services
Are councils communicating the benefits of using the personal data they hold to help plan the right fraud services? The care data, for example, being put on hold is due to lack of communication but it can only benefit everyone. We need to educate the public.

– Katrina Wakefield is head of public sector marketing at SAS UK

Tuesday, June 3, 2014

An Abney Associates Fraud Awareness Program: When Someone Steals Your Smartphone, Snap a Theftie


We all know selfies. And even dronies. But if you thought it could stop there, you are deeply naive. Bring on the “thefties.”

The name may come from a cheery social phenomenon, but thefties are a little more serious. They’re photos of electronics thieves taken with a tablet or smartphone’s front-facing camera. The goal is to give police something to go on if your device is stolen, or let you ID the culprit if it's someone you know.

The mobile security company Lookout is marketing thefties as part of its software suite for iOS and Android. The service currently sends you email alerts when it seems like someone is tampering with your device (by entering incorrect security codes, trying to uninstall software, etc.), and then GPS-tracks it so you can locate it from a browser. But now the thefties feature will also activate the device's front-facing camera and stealthily photograph whoever is staring down at it. You get the photo in your inbox with a map pointing to the device's location. This is the theftie.

The FCC says that 1 in 3 U.S. robberies concerns a mobile device, and the problem has motivated legislators and the telecommunications industry to begin working on safeguards. But consumers are looking for immediate solutions. Though thefties aren't perfect, because they may not capture a clear image depending on how the thief is holding the phone, they're certainly a creative solution. But as David Richardson, Lookout's lead product manager for iOS, told CNET, "Not everyone here likes the name."




PC Speak: An Abney and Associates Internet and Technology Research Lab 5 Tips to Avoid Tax Fraud

Tomorrow, April 15, is tax deadline day. As tax filers get busy trying to beat the deadline for filing their returns and submitting their documentation, cybercriminals will also work in a rush online, plying their nefarious phishing scams and stealing personal information.

An official warning from the Internal Revenue Service (IRS) was released last week against hackers posing as the Taxpayer Advocate Service through bogus emails. The IRS also announced that it had begun over 200 new investigations this filing season, concentrated on tax refund fraud and identity theft.

A recent IRS press release states that in Fiscal Year (FY) 2013, the IRS started about 1,492 identity theft-related criminal investigations, 66% more than those initiated in FY 2012. Since January of this year, IRS Criminal Investigation has begun 295 new identity theft investigations, increasing the number of active cases to over 1,800.

As you put the final touches on your taxes, consider these steps to help you avoid being defrauded:

1. Know How Social Engineering can Harm You

With the increasing number of cyber attacks this tax season, make sure you proceed with caution when sharing confidential financial or banking information with others. If you get emails or phone calls from anyone presenting themselves as IRS personnel, do not give your bank account data or social security number unless you have confirmed their identity.

2. Avoid Opening Email Attachments as much as Possible

Are you aware that 1 out of 25 email attachments is considered malicious? Cybercriminals will often pose as IRS representatives and email taxpayers about supposed problems with their returns or refunds, attaching files that carry hidden programs to steal information or data.

Often, we cannot easily tell which files are genuine and free from malware. Use an antivirus and antimalware app to scrutinize those attachments and web downloads to minimize the risk of infecting your PC.

3. Avoid Using Public WiFi

Make it a habit to use only a private WiFi network when you file your tax return. Public WiFi hotspots are often free and helpful, but using them could make you a target for hackers on the prowl and compromise your personal data.

4. Use Strong Passwords to Protect Your Data

When you prepare your tax return for filing online, make sure you use a strong password to protect the file attachments.
After you finish filing your tax return, store the documents on a CD or flash drive and keep it in a safe place, then delete the documents from your hard drive. If you hire an accountant, ask how they make sure that your data is safe and not accessible by any unauthorized persons.

5. Always Maintain Updated Antivirus and Two-way Firewall Protection

We cannot overemphasize the importance of updating your antivirus and firewall protection during tax season, since cybercriminals constantly lurk in search of any access points into your system to steal personal information. Strive to set up a two-way firewall, which blocks unwelcome incoming traffic and stops spyware and adware from sending your personal information out to the Internet. You need an antivirus application that has an efficient detection capacity and is able to identify attacks that arise between your updates.

If you believe you have become a victim of tax return scammers and their fraudulent plans, inform the IRS as soon as you can.

Monday, June 2, 2014

An Abney Associates Fraud Awareness Program: Click patterns, an IBM patents technique for killing fraud

A new technology would pick up on suspicious changes in people's online activity


Someday, if you use your non-dominant hand to control your mouse or touchpad when you're, say, shopping online, websites might interpret your irregular scrolling and clicking as a sign of fraud and require you to prove your identity, thanks to an IBM fraud-detection patent.

The company has patented a technique for better detecting fraud online to prevent the theft of log-in credentials and other sensitive information, particularly in e-commerce and banking, it said Friday.

U.S. patent #8,650,080 is intended for a "user-browser interaction-based fraud detection system."

How people interact with websites, such as the areas of a page they click on, whether they navigate with a mouse or keyboard, and even how they swipe through screens on a smartphone or tablet, can all be identified, IBM said. The technology could identify sudden changes in online behavior, which would then trigger a secondary authentication measure, like a security question. It would work on a mobile device or PC.
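The idea of comparing a session against a user's usual behavior and asking for secondary authentication on a sudden change can be sketched as follows. This is an added example, not IBM's patented method or Trusteer's code: the three features, the thresholds and the sample sessions are all constructed assumptions.

```python
from statistics import median

# Constructed interaction features per session (assumptions, not from the patent):
#   kbd_ratio    - share of navigation done by keyboard rather than mouse
#   click_gap_ms - typical time between clicks
#   scroll_px_s  - typical scroll speed
FEATURES = ("kbd_ratio", "click_gap_ms", "scroll_px_s")
MIN_HISTORY = 5   # fewer past sessions than this gives no usable baseline
THRESHOLD = 3.5   # robust z-score above which a feature counts as changed


def robust_z(value, history):
    """Distance of value from the median of history, in scaled MAD units."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    # Floor the spread so a very steady user does not cause a division by
    # zero or an alert on a tiny fluctuation.
    spread = max(1.4826 * mad, 0.05 * abs(med), 1e-9)
    return abs(value - med) / spread


def assess(session, past_sessions):
    """Return (decision, changed_features) for one session."""
    if len(past_sessions) < MIN_HISTORY:
        return "step_up", ["insufficient_history"]
    changed = [
        f for f in FEATURES
        if robust_z(session[f], [p[f] for p in past_sessions]) > THRESHOLD
    ]
    # One drifting feature is tolerated to limit false positives; a sudden
    # change in two or more triggers the secondary authentication step.
    return ("step_up" if len(changed) >= 2 else "allow"), changed


def _s(kbd, gap, scroll):
    return {"kbd_ratio": kbd, "click_gap_ms": gap, "scroll_px_s": scroll}


# Constructed history: a mouse-heavy user with steady habits.
HISTORY = [_s(0.10, 820, 410), _s(0.12, 790, 395), _s(0.08, 860, 430),
           _s(0.11, 805, 400), _s(0.09, 840, 420), _s(0.10, 815, 405)]

USUAL = _s(0.11, 830, 415)              # in line with the baseline
ONE_FEATURE_DRIFT = _s(0.10, 1100, 380) # slower clicking only
DIFFERENT_OPERATOR = _s(0.85, 240, 1500)  # keyboard-driven, fast, scripted feel

if __name__ == "__main__":
    for name in ("USUAL", "ONE_FEATURE_DRIFT", "DIFFERENT_OPERATOR"):
        print(name, assess(globals()[name], HISTORY))
```

The median-based score keeps one odd past session from widening the baseline, and the two-feature rule is where the false-positive trade-off mentioned in the article is tuned.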

If the technology works as IBM says it will, and other businesses license it, it could help to secure online transactions against cyberattacks, such as the recent eBay hack. Sensitive information of up to 145 million people may have been breached in that recent attack.

It would also lend credence to IBM's previously stated ideas related to a "digital guardian" that would protect Internet users.

"It's important to prevent fraudulent financial transactions before they happen," said Brian O'Connell, an IBM engineer and co-inventor of the patent.

Trusteer, an IBM-owned company that makes malware detection technology mostly for banks, is already using some of the technology in the patent, IBM engineers said Friday. Other sites like eBay or Amazon might one day choose to license it as well.

While it might seem that the technology has the potential to cause false positives, IBM said the prototype it tested successfully confirmed identities and showed that sudden changes in browsing behavior were likely due to fraud.

And some Internet users might consider the technology to be an invasion of privacy. But the data gathered through the technology would not amount to personally identifiable information, said Keith Walker, another co-inventor on the patent.

Tackling fraud and financial crime is high on the agenda for IBM. Recently the company announced new software and services to address the US$3.5 trillion lost each year to fraud.

Sunday, June 1, 2014

An Abney Associates Tech Tips: Visa, MasterCard Renew Push for Chip Cards

Visa and MasterCard are renewing a push to speed the adoption of microchips into U.S. credit and debit cards in the wake of recent high-profile data breaches, including this week's revelation that hackers stole consumer data from eBay's computer systems.

Card processing companies argue that a move away from the black magnetic strips on the backs of credit cards would eliminate a substantial amount of U.S. credit card fraud. They say it's time to offer U.S. consumers the greater protections microchips provide by joining Canada, Mexico and most of Western Europe in using cards with the more advanced technology.

Chips aren't perfect, says Carolyn Balfany, MasterCard's group head for U.S. product delivery, but the extra barrier they present is one of the reasons criminals often choose to target U.S.-issued cards, whose magnetic strips are easy to replicate.

"Typically, fraudsters are going to go to the path of least resistance," Balfany says.

The chip technology hasn't been adopted in the U.S. because of costs and disputes over how the network would operate. Retailers have long balked at paying for new cash registers and back office systems to handle the new cards. There have been clashes between retailers, card issuers and processors over which processing networks will get access to the new system and whether to stick with a signature-based system or move to one that requires a personal identification number instead. These technical decisions impact how much retailers and customers have to pay - and how much credit card issuers make - each time a card is used.

The disputes have now largely been resolved. And the epic breach of Target's computer systems in December, which involved the theft of 40 million debit and credit card numbers, along with smaller breaches at companies such as Neiman Marcus and Michaels, helped garner support for chip-based cards among retailers who were previously put off by the costs.

Chip cards are safer, argue supporters, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer's register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards, say experts, are also nearly impossible to copy.
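Why captured stripe data stays usable while a captured one-time code does not can be shown with a small model. This is an added example, not code from the article or from any card network: it is a simplified stand-in (an HMAC over a per-card counter) rather than the real chip card protocol, and the card number, key handling and class names are constructed.

```python
import hashlib
import hmac
import secrets


def one_time_code(key, pan, counter, amount_cents):
    """Code bound to this card, this transaction counter and this amount."""
    msg = f"{pan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer-side checks for both card types (simplified model)."""

    def __init__(self):
        self.stripe_cards = set()  # card numbers issued with a stripe
        self.chip_keys = {}        # card number -> secret shared with the chip
        self.last_counter = {}     # card number -> highest counter accepted

    def enroll(self, pan):
        self.stripe_cards.add(pan)
        self.chip_keys[pan] = secrets.token_bytes(32)
        self.last_counter[pan] = 0
        return self.chip_keys[pan]

    def authorize_stripe(self, track_data):
        # The stripe presents the same static data on every swipe, so the
        # issuer cannot tell the genuine card from a copy of that data.
        return track_data in self.stripe_cards

    def authorize_chip(self, pan, counter, amount_cents, code):
        key = self.chip_keys.get(pan)
        if key is None:
            return False
        expected = one_time_code(key, pan, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False           # altered message or wrong key
        if counter <= self.last_counter[pan]:
            return False           # this code was already used
        self.last_counter[pan] = counter
        return True


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = one_time_code(self._key, self.pan, self._counter, amount_cents)
        return (self.pan, self._counter, amount_cents, code)


def demo():
    pan = "4000000000000002"       # constructed test number
    issuer = Issuer()
    card = ChipCard(pan, issuer.enroll(pan))
    seen_chip = card.pay(2500)     # what a compromised terminal would record
    return {
        "stripe_first": issuer.authorize_stripe(pan),
        "stripe_replay": issuer.authorize_stripe(pan),
        "chip_first": issuer.authorize_chip(*seen_chip),
        "chip_replay": issuer.authorize_chip(*seen_chip),
        "chip_altered": issuer.authorize_chip(pan, 2, 99900, seen_chip[3]),
        "chip_next": issuer.authorize_chip(*card.pay(1200)),
    }


if __name__ == "__main__":
    print(demo())
```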

For its part, Target is accelerating its $100 million plan to roll out chip-based credit card technology in its nearly 1,800 stores. New payment terminals will appear in stores by September, six months ahead of schedule. Last month, the retailer announced that it will team up with MasterCard to issue branded Target payment cards equipped with chip technology early in 2015. The move will make Target the first major U.S. retailer with its own branded chip-based cards.

Even so, the protections chips provide only go so far, according to opponents who note that chips don't prevent fraud in online transactions, where consumers often enter credit card numbers into online forms. Some opponents also point to other technologies, such as point-to-point encryption, as better long-term solutions.

Ken Stasiak, founder and CEO of SecureState, a Cleveland-based information security firm that investigates data breaches, says that while chips would be a big security improvement, they wouldn't have stopped the hackers from breaching Target's computer systems where they also stole the personal information, including names and addresses, of as many as 70 million people, putting them at risk of identity theft.

"Chip and pin is just another security component," Stasiak says. "What matters is how companies like Target use consumer information, how they protect it."

Banks generally pick up the tab for credit card-related losses, but companies such as Visa and MasterCard stand to lose too, if data breaches continue to occur with increasing frequency. After all, if consumers don't feel safe using cards, they may choose other ways to pay for purchases.

"It's not just about fraud and losses, it's about the trust involved in electronic payments that's destroyed," says Ellen Ritchey, Visa's chief enterprise risk officer.

In March, Visa and MasterCard announced plans to bring together banks, credit unions, retailers, makers of card processing equipment and industry trade groups in a group that aims to strengthen the U.S. payment system for credit and debit cards. The initial focus of the new group will be on banks' adoption of chip cards.

That comes ahead of a liability shift set to occur in October 2015, when the costs resulting from the theft of debit and credit card numbers will largely fall to the party involved with the least advanced -and most vulnerable- technology. For example, if a bank has updated to chip technology, but the retailer involved hasn't, the retailer will be liable for the costs.

Stasiak says many of the retailers he works with already have the technology in place. Once the banks start issuing chip cards, the retailers will activate their new systems, he says.

Banks say that despite the jump in high-profile data breaches, fraud still accounts for a small fraction of total transactions processed, while the cost related to issuing chip cards to all of their customers and switching out all of their ATMs is substantial. Banks have urged lawmakers to make retailers more accountable for their own security in hopes of recouping more of the losses from cybercrime.

Richard Hunt, CEO of Consumer Bankers Association, says that in cases of major fraud, banks have generally been able to collect only pennies on the dollar from the retailers involved.

Hunt says even if banks put chips in cards, it won't do any good if retailers don't upgrade their systems.

"We have to improve fraud prevention across the board," he says. "There are people who get up every day across the world with one mission and that's to break credit card technology. But there's no magic pill out there. The solution involves everyone."


The article above is a repost from Abney and Associates.

Thursday, May 29, 2014

An Abney Associates Tech Tips: EBay believed user data was safe after cyber attack

EBay initially believed that its customers' data was safe as forensic investigators reviewed a network security breach discovered in early May and made public last week.

EBay has come under fire over its handling of the cyber attack, in which hackers accessed personal data of all 145 million users, ranking it among the biggest such attacks launched on a corporation to date.

"For a very long period of time we did not believe that there was any eBay customer data compromised," global marketplaces chief Devin Wenig said, in the first comments by a top eBay executive since the e-commerce company disclosed the breach.

EBay moved "swiftly to disclose" the breach after it realised customer data was involved, he said.

Wenig would not say when the company first realised that the cyber attackers accessed customer data, nor how long it took to prepare last week's announcement.

He said hackers got in using the credentials of three corporate employees, eventually making their way to the user database.

The attackers accessed email addresses and encrypted passwords belonging to all eBay users. "Millions" of users have since reset their passwords and the company had begun notifying customers, though it would take some time to complete that task, Wenig said.

"You would imagine that anyone who has ever touched eBay is a large number," he said. "So we're going to send all of them an email, but sending that number all at once is not operationally possible."

At least three US states are investigating the company's security practices, and New York's attorney general called on eBay to provide free credit monitoring services to users.

But the internet retail giant has no plans to compensate customers or offer free credit monitoring for now because it had detected no financial fraud, Wenig said.

Wenig declined comment when asked if he thought eBay had good security prior to the breach. He said the company would now bolster its security systems, and has mobilised senior executives in a subsequent investigation of the attack.

"We want to make sure it doesn't happen again so we're going to continue to look at our procedures, harden our operational environment and add levels of security where it's appropriate."

The breach marked the latest headache for eBay this year. In January, it crossed swords publicly with activist investor Carl Icahn, who mounted a campaign to get it to spin out PayPal. Then in April, the e-commerce company disappointed investors with a weak second-quarter outlook, pressuring its shares.

Avoiding back doors

Buying and selling activity on eBay remained "fairly normal" though eBay is still working out the cost of the breach, which included hiring a number of security firms. Wenig, who was previously a senior executive at Thomson Reuters, declined to comment on whether the cost could be material to eBay's results.

Wenig's revelation that the company initially believed that no customer data had been compromised might take some of the heat off eBay's executive team.

Cyber forensics experts said it's not uncommon for large companies to take weeks to grasp the full impact of an attack, because hackers are often able to steal data without leaving obvious clues.

"In some cases you go in and find the smoking gun immediately. Other times, it takes a few days or even a few weeks," said Kevin Johnson, a cyber forensics expert who was not involved in the eBay investigation but has worked for other Fortune 500 companies.

Daniel Clemens, a forensics expert and CEO of Packet Ninjas, said investigators often ask companies to hold off on disclosure until they believe they understand the full extent of an attack.

Otherwise, they risk tipping off attackers who might cover their tracks or leave "back doors" so they can return after the investigators complete their probe.

Last week, the e-commerce company announced that hackers raided its network between late February and early March. The company said financial information was not compromised and its payments unit PayPal was not affected.

When eBay first discovered the network breach in early May, the senior team was immediately involved and held multiple daily calls on the issue. EBay staff have been working around the clock since then.

Wenig said he could not provide much more detail about what happened in the attack beyond the scant information given out so far.

He declined to provide further specifics, citing ongoing investigations by the Federal Bureau of Investigation and several forensics firms including FireEye's Mandiant division.


The article above is a repost from Abney and Associates.

Wednesday, May 28, 2014

An Abney Associates Tech Tips: Americans Are More Afraid Of Credit Card Fraud

What are you afraid of?

That's the question that information technology company Unisys aims to answer in the 2014 installment of its annual security index, which measures eight major concerns of U.S. citizens in four areas: national, financial, internet, and personal security.

This year, credit card security tops the list, which may not be too surprising when you consider the hysteria surrounding the Heartbleed Bug. In fact, Americans are more concerned about technological threats than they are about physical ones, like war or terrorism.


The above article is a repost from Abney and Associates.