Report: Why New York is the Nation’s Top Online Fraud Center, and Which Transactions are Riskiest

If you’re wondering which city in the country is the epicenter of online fraud, it’s New York.

So says ThreatMetrix, a San Jose-based startup that has attracted more than $42 million in venture financing and that presumably knows plenty about cybercrime. The seven-year-old company combats online fraud by “fingerprinting” the devices used to commit it, and it has convinced roughly 700 customers – which represent more than 5,000 Websites – to employ its cybercrime-fighting services. (Thomson Reuters, peHUB’s parent company, is among them.)

Earlier this afternoon, I caught up with Alisdair Faulkner, ThreatMetrix’s chief products officer, to find out why New York is particularly attractive to hackers, and where else in the country fraud is becoming rife. Our conversation has been edited for length.

According to your report, New York is the biggest target of high-risk fraud transactions, based on roughly a billion transactions that you monitored in the first quarter by U.S.-based e-commerce merchants. First, what does “high risk” mean, as opposed to low risk?

High-risk transactions are transactions we were confident would result in a fraudulent transaction, as opposed to low-risk transactions, which look benign and like they might be good transactions, perhaps because the credit card address matches the device’s IP address and doesn’t look instead like it’s coming from behind a hidden proxy. On average, 2 to 5 percent of credit card orders are high-risk fraud attempts, based on what we’re seeing.

Any theories about why New York sees the greatest percentage of these?

Some of it is: why mark someone on the subway when you can just steal their credit card? With online theft, it’s harder to be convicted; it’s harder to be tracked down. Because [attackers] aren’t directly in touch with their victims, they might also feel less like someone is getting hurt directly. New York is also a major trading city. It’s easier to peddle goods once you’ve stolen them than in many other places.

Given how wired San Francisco is, I was surprised to see that it ranks seventh on your list. 

It’s complete speculation, but I think San Francisco may be so low on the list [comparatively] because so many [residents] are Mac users. If you walk into a café in San Francisco, nearly every laptop has an Apple on it, and pretty much every other device, too. And Apples have historically enjoyed better security; it’s harder to infect them and to steal someone’s details.

Yet many of those San Franciscans are downloading apps, and many social app developers don’t employ or promote the tightest privacy controls, as we were all made very aware a couple of months ago. How tightly correlated are privacy and fraud?

It’s a fraud risk, absolutely. If your email is in the hands of a fraudster, phishing attacks follow. It’s very easy then to send you a targeted email that says, ‘I’m a friend who wants to connect with you on [XYZ recognizable service].’ Whenever data gets leaked, fraud follows. The two are absolutely correlated.

Which types of transactions are most risky?

We find that e-commerce and digital goods have higher attack rates. When I say e-commerce, I mean e-tailers versus digital goods, which tend to be music downloads or virtual goods. The latter have much higher fraud attempt rates but lower losses, because with virtual goods, you’re losing, say, a virtual cow. The attempt rate is slightly lower when it comes to online retailers because it’s [more complicated]: you not only have to secure a credit card but line up a physical address where the goods can be delivered.

What types of transactions would consumers be most surprised to discover can be dangerous?

In general, people don’t think about networks like Twitter and Facebook [creating problems for them], but we’re in a generation where we probably tend to overshare, and people are only as protected as their most weakly protected friends. The person who always clicks on links and likes to share content that, unbeknownst to them, may be infected [creates entrée for fraud]. If your Facebook friend’s account is hacked or phished, [a hacker] can get access to all your data, too.

What’s the best advice you can give consumers, especially without a corporate IT department trying to protect them?

First, make sure your machine is always up to date. If it starts running slow for any reason, take notice. Also, use at least two browsers. You can use one for Web searches. Use the other to conduct all your e-commerce transactions and lock it down; don’t install any plug-ins and only visit trusted sites.


The top 10 list of U.S. cities for fraud origination, ranked from highest to lowest:

1 New York
2 Atlanta
3 Chicago
4 Los Angeles
5 Omaha
6 Dallas
7 San Francisco
8 Houston
9 Washington D.C.
10 Lexington, KY

Photo: Chart courtesy of ThreatMetrix