
The Changing Tide of Financial Fraud

By Ting Fang Yen November 17, 2015


about Ting Fang Yen
Director of Research // Ting-Fang specializes in network and information security data analysis and fraud detection in the financial, social, and eCommerce industries. She holds a PhD in Electrical and Computer Engineering from Carnegie Mellon and has previously worked for E8, RSA, and Microsoft.

On October 1, the financial payments world was abuzz with talk about how increased adoption of the new EMV standard for credit card purchases was going to bring about dramatic changes to financial fraud. We will likely see a reduction in the amount of “brick and mortar” financial fraud transactions. Unfortunately, it is also going to result in a dramatic increase in the amount of online fraud as fraudsters shift their focus to places that do not require the credit card to be physically present. According to a study by Javelin Strategy & Research, card-not-present fraud is predicted to grow by 200% over the next three years [1]. Are you ready for this tidal wave of financial fraud? Let’s arm you with a couple of tips to keep you from being the victim this holiday season.

Figure: Financial Fraud to Surge. Predictions on the increase in card-not-present (CNP) fraud, by Javelin Strategy & Research [1]

Know Your Enemy
As you brace yourself for the coming wave of fraudsters, it is important to understand how this modern adversary behaves and to make sure your defenses are up to date. Gone are the days when a single attacker used a single stolen credit card to make a quick score. Financial fraud has become a professional enterprise, with a complete ecosystem of fraud-as-a-service stealing over $16B per year [2]. The adversary is now a well-organized crime ring that uses armies of fake and compromised accounts to conduct stealthy attacks while posing as legitimate users. So how do these modern attacks work? Let’s look at a few examples of what DataVisor is seeing in the wild.

Don’t Judge a Book by its Cover

Figure: Hushmail, a private email service that could be used for financial fraud

One thing is constant in the security world – cyber attackers will continue to evolve in how they attack you. If you are reliant on reputation-based security solutions like IP blacklists, GeoIP databases or email domain reputation solutions, these new adversaries will be robbing you blind.

In a recent case we observed at a travel-based e-commerce site, fraudsters were able to steal thousands of dollars per month in free flights by using a combination of attack techniques to appear as legitimate users and circumvent the traditional security solutions in place. The attack was launched from a large set of distributed IP addresses, including many home DSL IP ranges that made the traffic appear similar to legitimate users. Each malicious host only made one or two transactions, allowing the low-volume activities to stay under the radar.

In conjunction with this distributed attack technique, these fraudulent transactions were all associated with email accounts from anonymous email providers, such as Guerrilla Mail, Mailinator, Fake Mail Generator, or Hushmail. These services allow attackers to easily create large numbers of fake email accounts that cannot be easily traced back to the user, and they also defeat email domain reputation solutions that blacklist known malicious email addresses. To defeat these types of adversaries, you will need to stop judging users solely by their email address, IP address or geographic location, and use solutions that can pick out the bad actors even when they look and feel like legitimate users.
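
The following sketch is an added example, not code from DataVisor or from the original post. It contrasts a per-IP velocity rule with a correlation across accounts on constructed data; the field layout, thresholds and the `throwaway.example` domain are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (ip, email, minutes from account creation to purchase).
# IPs come from documentation ranges; domains are reserved placeholders.
TRANSACTIONS = [
    ("192.0.2.10", "alice@example.com", 52_000),
    ("192.0.2.10", "alice@example.com", 52_900),
    ("192.0.2.11", "bob@example.org", 130_000),
    ("198.51.100.7", "carol@example.com", 8_000),
    ("203.0.113.21", "k3j9@throwaway.example", 4),
    ("203.0.113.22", "p0q2@throwaway.example", 6),
    ("203.0.113.22", "zz81@throwaway.example", 3),
    ("203.0.113.23", "m7w4@throwaway.example", 5),
    ("203.0.113.24", "t5r1@throwaway.example", 2),
    ("198.51.100.9", "dave@throwaway.example", 90_000),
]

def per_ip_velocity_alerts(txs, max_per_ip=2):
    """Classic per-entity rule: alert on any IP above a transaction count."""
    counts = Counter(ip for ip, _, _ in txs)
    return sorted(ip for ip, n in counts.items() if n > max_per_ip)

def correlated_groups(txs, fresh_minutes=30, min_accounts=4, min_ips=3):
    """Group purchases by shared traits instead of judging each IP alone.

    Key: (email domain, account was created minutes before buying).
    A group is reported when many distinct accounts on many distinct IPs
    share the key, even though every single IP stays low-volume.
    """
    groups = defaultdict(lambda: {"accounts": set(), "ips": set()})
    for ip, email, age in txs:
        key = (email.rsplit("@", 1)[1].lower(), age <= fresh_minutes)
        groups[key]["accounts"].add(email)
        groups[key]["ips"].add(ip)
    return {
        key: (len(g["accounts"]), len(g["ips"]))
        for key, g in groups.items()
        if key[1] and len(g["accounts"]) >= min_accounts
        and len(g["ips"]) >= min_ips
    }

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_velocity_alerts(TRANSACTIONS))
    print("correlated groups:", correlated_groups(TRANSACTIONS))
```

The long-standing account on the same domain (`dave`) is not reported: the signal is the cluster of freshly created accounts acting together, not the email domain by itself.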

There is Not a Single ‘Rule’ or ‘Model’ for Success
Rule-based systems or machine learning models are commonly deployed for detecting online financial fraud. For example, transactions over a certain amount will trigger alerts that result in additional authentication requirements or manual review. Other rules look for changes in the user’s behavior, such as blocking transactions that originate from a different device or geographic location, or that involve a new party. But the flaw with any rules or supervised machine learning models is that they do not account for the changing nature of attacks, so merchants are only reacting long after the financial damage has been done.

DataVisor has seen at multiple clients how fraudsters will often use large armies of fake accounts to “test” the detection rules by making one or more small transactions on stolen credit cards to see if they are approved by the financial institution. If the transactions go through, they will then proceed with larger amounts. These subsequent transactions may be days or weeks apart from the initial “test” transactions. By the time they are detected, the damage is already done.

Figure: Anatomy of a financial fraud attack campaign

The figure above is an example of how these adaptive malicious campaigns operate. While bad actors who started out making large transactions upfront were blocked by traditional rules-based systems, we observed the same attack campaign evolve its tactics to find gaps in the rules. Fraudsters began to make multiple transactions per stolen credit card, with a small transaction (the “test”) followed by a few large transactions about one week later. All of the latter transactions went through but ended up as financial losses for the merchant. To prevent these types of attacks, we need to stop relying completely on rules or pre-trained models, and use more sophisticated analytics to automatically discover new attack patterns.
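
As an added illustration (not DataVisor's code and not part of the original post), the sketch below replays the sequence described above on constructed transactions. The static rule, the dollar thresholds and the gap window are assumptions; the point is that the per-card sequence is visible even when no single amount trips the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (card id, timestamp, amount in USD).
TXS = [
    ("card_A", "2015-10-01T10:00", 950.00),   # large first purchase
    ("card_B", "2015-10-02T09:15", 1.99),     # small "test"
    ("card_B", "2015-10-09T11:30", 720.00),
    ("card_B", "2015-10-09T11:42", 810.00),
    ("card_B", "2015-10-09T12:05", 640.00),
    ("card_C", "2015-10-03T14:00", 4.50),     # regular small spender
    ("card_C", "2015-10-05T14:10", 6.25),
    ("card_C", "2015-10-12T18:00", 35.00),
]
LARGE, SMALL = 500.00, 5.00  # assumed thresholds

def by_card(txs):
    """Return each card's history as a time-ordered list of (time, amount)."""
    cards = defaultdict(list)
    for card, ts, amount in txs:
        cards[card].append((datetime.fromisoformat(ts), amount))
    return {c: sorted(v) for c, v in cards.items()}

def static_rule_blocks(txs):
    """Assumed static rule: block a large purchase on a never-seen card."""
    return sorted(c for c, h in by_card(txs).items() if h[0][1] >= LARGE)

def probe_then_cashout(txs, min_gap=timedelta(days=2),
                       max_gap=timedelta(days=14), min_large=2):
    """Flag cards whose first charge is small and is followed, after a
    quiet gap, by several large charges: the sequence, not one amount."""
    flagged = {}
    for card, hist in by_card(txs).items():
        (t0, first), rest = hist[0], hist[1:]
        if first > SMALL or not rest:
            continue
        gap = rest[0][0] - t0
        large = [a for t, a in rest if a >= LARGE and t - t0 <= max_gap]
        if min_gap <= gap <= max_gap and len(large) >= min_large:
            flagged[card] = {"gap_days": gap.days, "large_total": sum(large)}
    return flagged

if __name__ == "__main__":
    print("static rule blocks:", static_rule_blocks(TXS))
    print("sequence flags:", probe_then_cashout(TXS))
```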

Get to High Ground
Clearly, transaction fraud is a problem that needs to be tackled from multiple angles. In order to withstand the coming tsunami of online transaction fraud, we need to reassess our security strategies. As fraudsters are constantly devising new techniques, we must adopt more sophisticated technologies that are able to automatically adapt to ever-changing attack patterns and catch fraudulent activities before they happen – without relying on knowledge of existing attack techniques.

References
[1] “Point-of-sale card fraud predicted to decrease as card not present and new account fraud increases.” Javelin Strategy & Research, 9 Jun 2015. https://www.javelinstrategy.com/news/1586/92/Point-of-Sale-Card-Fraud-Predicted-to-Decrease-as-Card-Not-Present-and-New-Account-Fraud-Increases/
[2] “Global card fraud damages reach $16B.” Pymnts, 6 Aug 2015. http://www.pymnts.com/news/2015/global-card-fraud-damages-reach-16b/

