Sunday, September 27, 2009

first blog since 2003 - internet anonymity, privacy and fraud

In 1993, the famous New Yorker cartoon "On the Internet, nobody knows you're a dog" captured the beauty of a new frontier.

You could be a single person company with a great website that made you look huuuuge. History has proven the clear benefit of size doesn't count (or even location or age) - but the same benefits of anonymity have brought lots and lots of bad guys....botnets, phishing, 419 and advanced fee scammers, credit card fraud, account hijack, identity get the idea - the list goes on and on.....

Back in 2003, I finished up my role as VP R&D at Surfcontrol a few years after they acquired the email filtering company I started in a bedroom. During that period, I had seen spam grow from a trickle to a pandemic and become more of a commercial tool. Spam had shifted from open-relays and open-proxies to malware that compromised machines - the perfect storm of anonymity and compromisable Windows host was a cybercriminals best tool.

It was clear to me that once the bad guy had your PC, then spam was just one kind of fraud - my partner Scott Thomas and I built a system (SpamMATTERS) accepting crowd-sourced spam and security reports, then correlating to identify the players behind spamming operations - we built this for the federal government and remains in production today.

From this botnet tracking was a key side-effect that could be used as a security defence and in 2005, ThreatMetrix was founded. In 2009, anonymity and fraud is big business and we help websites running eCommerce, payments, dating, marketplaces enable the good guys whilst stopping the bad guys in real-time. The good news for ThreatMetrix is that in a world where identities are phished, keylogged and credit-card numbers are stolen this is a hockeystick problem that we are helping to address.

The bad news is that its a hockeystick problem.

So, I'm excited about the single-signon/auth solutions emerging (OpenID, Facebook Connect, OAUTH, FriendConnect) AND I am excited about the conversation of social media but I am pretty sure that social media spear-phishing is going to grow as more valuable assets are all contained behind one login/password.

If a bad guy gets access to your Google account, they may not merely have access to your reputation but also your Google Checkout or maybe your Google Voice account. Over the weekend, I saw on my screen - I've never signed up for Checkout but there is was. Google doing some A/B testing or maybe just a reinvention of subliminal advertising :)

With Facebook Connect, its likely/predicted that Facebook will allow you to shop purely by logging into a merchant site with your Facebook ID. This is a Paypal killer if they execute it well, an Amazon 1-click experience - but are Facebook users conscious of the risks of having their ID phished? Up until now, its been fairly isolated with mostly scam account hijacks but with purchasing power - your Facebook account is gold to a fraudster.

And it might just be micro-payment fraud. I can easily see Facebook enabling micropayments in their platform. They need to monetize somehow right? :)

I am also keen to understand the impact of mobile on commerce, all of the above applies but the smartphones now offer a semi-solution for 2-factor authentication. But are handsets vulnerable and what if your handset is lost/stolen - is it always logged into your accounts and not protected by a PIN?

Wow - what a downer of a first post - well that not my intent, I aim to post on mobile, social, startups, cloud, meta and other goodies.

No comments:

Post a Comment