Guest Post: Lock It Down and Smarten Up – Best Practices for Online Security

This is a guest post from Zack Pumerantz, fraud prevention manager at FanDuel. At FanDuel, Zack is responsible for proactive investigation, chargebacks, reporting and training his quickly growing team of cyber crime specialists.  Zack’s team brings to the table a ruthless drive to catch criminals, a focused approach and team chemistry reminiscent of the ’96 Bulls. Connect with Zack on Twitter @zpumerantz.

It’s been more than two decades since a beloved group of East Coast rappers iconically confirmed that cash does in fact rule everything around us, but their timelessly epic quip may be truer in today’s money-hungry pool of online scammers than it’s ever been. With cyber criminals focused on the green, companies sometimes in denial about their vulnerabilities, and consumers just beginning to scrape the tip of the realization iceberg, the evolution of online robbery is only just getting started.  

The harsh reality of today’s e-commerce cesspool is that there truly is no silver bullet. Neither Batman nor Elliot Alderson can save us from the brute-force hackers, the Trojan Horse malware, or the Nigerian princes asking for fund transfers. Instead it’s up to us to lock it down and educate others on the intricacies of online security and protection.

Let’s start with the no-longer-elementary password. What was once a burden to remember, passwords quietly keep sites disconnected when one or more gets hacked. Below are the most crucial best practices; the methods that every consumer needs to follow and every company/merchant needs to relay to its consumer/user base.

Creating the perfect passwords

• Create site-unique passwords that that use a combination of words, numbers, symbols, and upper and lower-case letters.
• Avoid neighboring keyboard combinations as passwords, such as “user”, “qwerty” and “password”
• Make it strange and random (your favorite movie line mixed with some numbers/symbols or maybe even combining your least favorite movie directors or the backup guard on everyone in the AFC East – NO LIMITS HERE)
• Never use the password you’ve picked for your email account at any online site
• Do not use private details (once someone has access to those seemingly confidential details, which isn’t so tough these days, it’s easy game)
• Don’t use your network username as your password
• Don’t use words that can be found in the dictionary (freely available password-cracking tools come with dictionary lists that will try numerous common name and password combinations)
• Don’t store your password list in plain text/sight.
• Use a third-party online service that can help users safeguard sensitive passwords in a master-password vault (including but not limited to LastPass, DashLane, and 1Password)

*REMEMBER*: every character you add to a password makes it a bit tougher to attack via brute-force methods.

Now that we’ve covered the basics of personal online security, we’ll move on to the manual aspects of fraud prevention. It’s a topic that piques most readers’ interest as they search for a vat of substantial methods for preventing and posthumously rectifying fraudulent occurrences – likely as vulnerable merchants looking for answers. Here we’ll explore the front end prevention and the backend rectification. First, the protection side, also known as “Knowing the Flags.”

Knowing the Flags

Bad actors by definition are intent on hiding or masking their behavior in order to accomplish their financial goals, which is why isolating and remediating those “flags” that may indicate suspicious or bad behavior is key. However, it’s just as important to understand what your normal consumer looks like so that you can put anomalies into proper perspective.

Below are some basic flags for spotting risk:

1. Velocity of Deposits
2. Repeat/Repetitive Deposits
3. Non-whole dollar amount deposits (e.g. $98 vs. $100)
4. Deposits in excess of your risk threshold (defined by business/industry)
5. Odd/Unusual Username(s) (i.e. gibberish)
6. Flip-flopped First & Last Name combinations
7. Numeric or seemingly sequential email address(es)
8. Location variation

I found a Flag! Now what?

Identifying is never enough. At this point, tactics like “skiptracing” will help us to find the true individual and answer the question: “Does this individual actually exist?”

Confirm within website environment:

• Failed Deposit research
• Linked participants & relationships
• Matching of names (email vs. username vs. full name)
• Matching of cards

Confirm outside of website environment:

• Email address search
• Username/screen name search (if applicable)
• Cardholder name search/match
• Full name & location address search
• Social media search based on information found
• Contact user directly to analyze response

Confirmed “Bad Actor.” What’s next?

• Deemed fraud – Suspend and refund deposits back to true cardholder
• Deemed questionable but potentially legitimate (strange activity, but legitimate information) – suspend, refund unused funds, potentially contact customer
• Collusion – Refund fraudulent participants, but not the main colluder (head of it) unless he too is thought to be using unauthorized funds

Phishing Best Practices

Phishing is an internet scam in which attackers maliciously attempt to trick consumers into releasing sensitive/personal/financial information (or click a link that hacks their device). Techniques involve fraudulent emails and websites that impersonate legitimate institutions. It can be tough for companies and their brands when phishing runs rampant. Here are some quick tips for setting a protected and secure standard.

1. Establish corporate policies and communicate them to your consumer base to eliminate confusion in regard to what’s real and what’s not
2. Offer a unique way for the consumer to confirm that the email is legitimate (i.e. embedding authentication information into every email)
3. Monitor for widespread phishing attempts/sites
4. Implement anti-virus, content-filtering and anti-spam solutions
5. Streamline HTML based emails
6. Try a browser add-on that will prevent employees from clicking on malicious links
7. Create a fake phishing campaign to test who clicks
8. Cyber Security Training session (game, quiz, whatever works for you) to test vulnerable employees and see who’s paying attention

With merchants working as isolated silos, fraudsters joining forces to create global networks, and the overall dispute process in archaic disarray thanks to arbitrary and old blanket rules that don’t apply to many, we’re left with one crucial choice.. Will we join hands, share insights, and create a global merchant revolution against online crime? Or will we continue to deflect one dollar at a time, bury criminal details beneath desk-filling book stacks, and keep calling online crime a “cost of doing business?”

The tides are turning and change is coming. As T.C. Williams head coach Herman Boone said in Remember The Titans, “If we don’t come together right now, on this hallowed ground, we too will be destroyed.”