Microsoft launches internet fraud alert system

The Internet Fraud Alert service is providing a clearinghouse where security researchers can report incidents and hand over stolen credentials to financial institutions

Microsoft has teamed up with security and consumer groups to set up a centralised service where security researchers can report incidents of internet fraud and hand over stolen personal data.

Internet Fraud Alert, which began operations immediately on its launch on Thursday, is a partnership between Microsoft and the US-based National Cyber-Forensics and Training Alliance (NCFTA). It is supported by organisations including Accuity, the Anti-Phishing Working Group (APWG), eBay, the Federal Trade Commission and PayPal, Microsoft said.

With the service, security researchers can use a centralised alert system developed by Microsoft to report stolen data — such as online account login details or credit card numbers — that they come across during their work. They can also use it to notify the financial and other institutions responsible for the compromised accounts, Microsoft said.

There was previously no centralised way of securely passing information on account compromises between security researchers and service providers, retailers, financial institutions and government bodies, according to the software maker.

"To date, when the security community uncovers compromised credentials stemming from phishing attacks, for example, there has been no simple mechanism to warn the service provider or bank about the exposed credentials," Microsoft said in a statement.

Such compromises represent a growing threat, with the APWG receiving more than 410,000 phishing email reports in 2009, the software maker noted.

Organisations expected to participate in the service include retailers, financial institutions, service providers, technology companies, academic researchers, consumer advocates and government agencies, Microsoft said. Participating organisations will be vetted by payment-routing data provider Accuity.

Internet Fraud Alert will be operated by the NCFTA, which is backed by the FBI and Carnegie Mellon University, among others.

"One of the challenges of e-crime response is the routine mobilisation of e-crime event data that must be exchanged to protect consumers," said APWG secretary general Peter Cassidy in a statement. "Microsoft and NCFTA have done an enormous service to the e-crime response community by establishing this system to better enable industrial institutions to work together to protect consumers."

In the UK, the government this year set up a national service, the Action Fraud helpline, to handle reports of all types of fraud, including cybercrime. The helpline is the first service in the UK that allows individuals and small businesses to report cybercrime to a central agency. In the past, reports of e-crime such as phishing attacks or malware-related identity theft were handled by local police stations.

UK merchants say online fraud is now the greatest threat they face, costing them on average £400,000 in annual losses, according to a survey published in January by payments processing provider CyberSource.

Microsoft has been active in fighting internet fraud in the courts, for instance filing a lawsuit in May against a website accused of a new type of fraud called "click laundering".