April 24, 2020
– By Rich Stuppy, Chief Customer Experience Officer, Kount
This article is adapted from a presentation Rich gave as part of Kount’s recent Digital Protection Summit.
When it comes to emerging fraud and security, the trend is... there is no one trend. Several trends are occurring at the same time, flowing together and making things interesting for all of us. In fact, the pace of change is increasing dramatically, and the changes are coming from fraudsters as well as from fraud fighters.
The following are a few examples of the converging fraud and security trends impacting industries:
- Traditional Cyber Events are Merging with Fraud Trends
- A New Crossover Between Payments and Account Fraud: Card/Credential Testing
- Businesses Are Combining the Physical and Digital Customer Journey
- Traditionally Siloed Cyber Security, Fraud Prevention, and Customer Experience Teams Are Now Merging
Traditional Cyber Events are Merging with Fraud Trends
Data breaches and fraud attacks have a malicious relationship: they feed and fund each other. Ransomware is a good example of how a traditional cyber event spills across fraud channels. Ransomware operators increasingly exfiltrate data, including the credentials stored in the compromised systems, before they encrypt it. So whether or not the impacted individual or business pays the ransom, and even if the data is restored cleanly from backup, it is likely the criminals already hold a significant quantity of credentials and data, and recovery does nothing to take that back.
That extracted data makes other scams and attacks easier. Defending against events such as business email compromise, identity theft and the use of synthetic IDs has traditionally fallen to the cyber security team. Yet each of those events produces raw material that fuels classic account takeover, malicious account creation and payment fraud, which were and are the domain of the fraud teams. Those fraud attacks in turn generate the money and capital that fund the cyber attackers, and the malicious circle continues.
As a result, robust funding and collaboration across criminal groups lead to a merging of cyber-attack tools and fraud-attack tools.
A New Crossover Between Payments and Account Fraud: Card/Credential Testing
In many situations, traditional payment attacks and identity attacks look alike, and criminals now bring long-standing payments fraud techniques to identities. For example, they practice account takeover (ATO) against accounts of relatively low value, then use the credentials validated there for precise attacks on higher-value services. The goal is to collect compromised accounts for later monetization.
In card testing, fraudsters take a large list of stolen card numbers and use them to make small, inexpensive purchases on relatively insecure commerce sites or mobile apps. Once the fraudster knows which cards are “open to buy,” they take those cards to high-value, well-protected sites and, with a meticulously planned attack, procure expensive goods and services.
The industry now sees the same approach in account takeover attacks. Fraudsters take massive lists of username and password combinations and use automation tools (credential stuffers) to find valid matches. In credential stuffing, attackers take a trove of usernames and passwords from one breach and “stuff” them into the login page of an unrelated site. Because people tend to reuse the same usernames and passwords across multiple sites, one breach unlocks accounts on many others.
Rather than immediately exploiting the accounts they unlock, bad actors carry the valid username and password combinations to more valuable sites or apps and use them to gain access to those accounts. This dramatically raises their success rate, from a fraction of a percent on a bulk stuffing or brute-force run to 50 percent or more, because the credentials are already known to be “good.” With validated information in hand, the fraudster can afford precise, methodical manual approaches, which are harder to detect than bulk automated attacks, because each attempt is now worth their time.
Interestingly, the compromised accounts on the first, low-value site may never be touched, so their legitimate users carry on as normal. The fraudster does not want to tip them off that the account is compromised until after the higher-value sites have been hit.
The fraudsters also know the compromised accounts will still be there when they decide it is time to monetize them.
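The pattern described in this section has a detection-side mirror: card testing and credential stuffing look alike in the logs (many distinct cards or usernames from one source, a low success rate, and in the card case a tiny authorization amount), and the handful of attempts that succeed are the “validated” cards or credentials the attacker will carry to higher-value targets. The following is an added example written for this article, not Kount’s code or product logic; the event fields, sample traffic, IP addresses and thresholds are all constructed assumptions for the demo.

```python
"""Flag card-testing and credential-stuffing patterns in authorization/login events.

Added example, not Kount's code. Event fields, sample traffic and thresholds are
assumptions constructed for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    kind: str         # "card_auth" or "login"
    source_ip: str    # attacker infrastructure is usually shared across attempts
    subject: str      # card token for card_auth, username for login
    amount: float     # authorization amount; 0.0 for login events
    success: bool     # approved / authenticated


def constructed_events():
    """Constructed sample traffic (not real data) showing both patterns."""
    events = []
    # Card testing: one source, many distinct cards, sub-$3 amounts, mostly declined.
    for i in range(12):
        events.append(Event("card_auth", "203.0.113.7", f"tok_{i:04d}",
                            round(1.00 + 0.10 * i, 2), success=(i % 6 == 0)))
    # Legitimate shopper: one card, normal basket sizes, approved.
    for amt in (45.00, 62.50, 19.99):
        events.append(Event("card_auth", "198.51.100.4", "tok_cust_a", amt, True))
    # Credential stuffing: one source, many distinct usernames, a single hit.
    for i in range(15):
        events.append(Event("login", "203.0.113.9", f"user{i}@example.com", 0.0,
                            success=(i == 4)))
    # Legitimate user who mistypes once, then logs in.
    events.append(Event("login", "198.51.100.20", "alice@example.com", 0.0, False))
    events.append(Event("login", "198.51.100.20", "alice@example.com", 0.0, True))
    return events


# Illustrative thresholds (assumptions); tune against your own traffic baseline.
CARD_TEST_MIN_DISTINCT_CARDS = 8
CARD_TEST_MAX_MEDIAN_AMOUNT = 5.00
CARD_TEST_MIN_DECLINE_RATIO = 0.5
STUFFING_MIN_DISTINCT_USERS = 10
STUFFING_MAX_SUCCESS_RATIO = 0.2


def summarize(events):
    """Aggregate per (source_ip, kind): attempts, distinct subjects, successes, amounts."""
    groups = defaultdict(lambda: {"attempts": 0, "subjects": set(),
                                  "successes": 0, "amounts": []})
    for e in events:
        g = groups[(e.source_ip, e.kind)]
        g["attempts"] += 1
        g["subjects"].add(e.subject)
        g["successes"] += int(e.success)
        if e.kind == "card_auth":
            g["amounts"].append(e.amount)
    return groups


def detect(events):
    """Return {source_ip: [finding, ...]} for sources matching a testing pattern.

    Both patterns share one discriminator: many distinct subjects from a single
    source with a low success rate. Card testing adds the small-amount signal.
    """
    findings = defaultdict(list)
    for (ip, kind), g in summarize(events).items():
        distinct = len(g["subjects"])
        success_ratio = g["successes"] / g["attempts"]
        if kind == "card_auth":
            med = median(g["amounts"])
            if (distinct >= CARD_TEST_MIN_DISTINCT_CARDS
                    and med <= CARD_TEST_MAX_MEDIAN_AMOUNT
                    and 1 - success_ratio >= CARD_TEST_MIN_DECLINE_RATIO):
                findings[ip].append(f"card_testing: {distinct} distinct cards, "
                                    f"median ${med:.2f}, {1 - success_ratio:.0%} declined")
        elif kind == "login":
            if (distinct >= STUFFING_MIN_DISTINCT_USERS
                    and success_ratio <= STUFFING_MAX_SUCCESS_RATIO):
                findings[ip].append(f"credential_stuffing: {distinct} distinct usernames, "
                                    f"{success_ratio:.1%} success")
    return dict(findings)


def validated_subjects(events):
    """Cards/credentials that succeeded from a flagged source: the 'good' ones the
    attacker will take to higher-value targets, each of which looked like a normal success."""
    flagged = detect(events)
    return sorted(e.subject for e in events if e.source_ip in flagged and e.success)


if __name__ == "__main__":
    evts = constructed_events()
    for ip, notes in detect(evts).items():
        print(ip, notes)
    print("validated by attacker:", validated_subjects(evts))
```

The practical caveat is the last function. On the low-value site, the attacker’s successful attempts are indistinguishable from ordinary logins or small purchases when viewed one at a time; they only stand out once grouped with the failures around them. Holding or stepping up those specific cards and credentials, and sharing the source indicators with the higher-value properties, is what turns a “we saw some declines” observation into protection for the site the fraudster actually intends to hit.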
Businesses Are Combining the Physical and Digital Customer Journey
To keep a competitive edge in the marketplace, businesses need to meet the changing demands of their customers. Often that means expanding digital transformation initiatives that keep the focus on the customer. Here are a few examples of digital transformation that aid customers, and that fraud subsequently follows:
- Buy Online Pick Up In Store (BOPIS)
- Buy Online Return in Store (BORIS)
- Pay at the Pump
- Mobile Order Ahead
- Curbside Pick Up
- Ship from Store
- Pizza Plug (or other delivery schemes)
Each of these expanded digital conveniences adds touchpoints a fraudster can attack: a larger attack surface. Detection and mitigation become harder because responsibility for physical and digital fraud and theft is often split across an organization’s departments.
The fraud prevention strategies businesses rely upon have to be different when tackling fraud in the combined digital and physical customer journey.
The bottom line is this: fraud doesn’t occur only at the time of payment anymore. It can occur at any stage of the customer journey, including at order delivery, account creation, through gift cards, and more.
Traditionally Siloed Cyber Security, Fraud Prevention, and Customer Experience Teams Are Now Merging
How are fraud fighters working together to defeat fraud attacks? Fraud prevention leaders can act as champions who add a tremendous value to organizations.
On the left of this graph, the Cybersecurity Teams operate in terms of preventing breaches. They are thinking about secure coding, patching infrastructure, vulnerability scanning, penetration tests and the like. All of this technological protection is very important.
On the right, the Customer Experience Professionals are focused on delivering customers zero checkout friction, instant access to loyalty accounts, and powerful brand experiences that allow amazing functionality. Again, these focus areas are very important and valuable to business success.
Yet fraud prevention professionals know that neither side has it quite right. Because those teams are not focused on fraud, they do not see fraud’s powerful implications. For example, a fraudster will take an API or interface that is “perfectly secure” in the traditional sense, with no exploitable vulnerability, and still use it against the company to commit fraud, because the controls that matter for fraud (velocity limits, step-up on risky actions, checks on the business logic itself) are not in place. The customer experience professional does not see what the criminal element will do with that amazing one-click button that converts loyalty points to a gift card and allows a transfer to a friend. These situations create exposures a fraud professional would anticipate, but specialists in other areas may not have the knowledge to look for them.
Fraud prevention professionals can apply their knowledge and deep understanding of fraud to potential activities that are designed to deliver new digital channels or customer experiences. This is what Kount calls the “fraud mindset.” This expertise can educate and inform the organization about the damage fraud can wreak on a brand and the brand’s customers. The fraud prevention pro can make a huge difference by helping people across the organization understand how to protect customer accounts, detect synthetic identities, and stop the use of stolen cards.
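To make the “one-click points to gift card” scenario above concrete, here is the kind of control a fraud-minded engineer would put behind that button: the endpoint may be free of classic vulnerabilities and still need velocity and account-risk checks before it issues value. This is an added example written for this article, not Kount’s code or the logic of any real loyalty platform; the field names, limits and decision rules are assumptions chosen for illustration.

```python
"""Fraud controls on a one-click 'convert loyalty points to a gift card and send it
to a friend' action.

Added example, not Kount's code or any real loyalty platform. Field names, limits
and decision rules are assumptions. The endpoint is assumed to be otherwise sound
(authenticated, no injection, no IDOR); the checks here address abuse of the
intended function, not a bug in it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Assumed policy limits.
DAILY_POINT_CAP = 20_000
MAX_DISTINCT_RECIPIENTS_30D = 3
POST_PASSWORD_CHANGE_HOLD = timedelta(hours=24)


@dataclass
class AccountState:
    known_device_ids: Set[str]
    password_changed_at: Optional[datetime]
    conversions_24h: List[Tuple[datetime, int]] = field(default_factory=list)
    recipients_30d: Set[str] = field(default_factory=set)


@dataclass
class ConversionRequest:
    account_id: str
    device_id: str
    recipient_email: str
    points: int
    now: datetime


def evaluate_conversion(req, state):
    """Return ("allow" | "review" | "deny", [reason, ...]) for one conversion request."""
    reasons = []
    if req.device_id not in state.known_device_ids:
        reasons.append("new_device")
    if (state.password_changed_at is not None
            and req.now - state.password_changed_at < POST_PASSWORD_CHANGE_HOLD):
        reasons.append("recent_password_change")
    spent = sum(p for ts, p in state.conversions_24h if req.now - ts < timedelta(hours=24))
    if spent + req.points > DAILY_POINT_CAP:
        reasons.append("daily_point_cap_exceeded")
    if req.recipient_email not in state.recipients_30d:
        if len(state.recipients_30d) >= MAX_DISTINCT_RECIPIENTS_30D:
            reasons.append("too_many_new_recipients")
        else:
            reasons.append("new_recipient")

    # Hard stops: blowing the cap, or the classic takeover signature of an unseen
    # device acting right after a password change.
    if "daily_point_cap_exceeded" in reasons or (
            "new_device" in reasons and "recent_password_change" in reasons):
        return "deny", reasons
    if reasons:
        # Step-up authentication or a short hold before the card code is released.
        return "review", reasons
    return "allow", reasons


NOW = datetime(2020, 4, 24, 12, 0)   # fixed clock so the scenarios are deterministic


def legit_scenario():
    """Constructed: known device, stable password, familiar recipient, modest amount."""
    state = AccountState(known_device_ids={"dev-aaa"},
                         password_changed_at=NOW - timedelta(days=90),
                         recipients_30d={"friend@example.com"})
    req = ConversionRequest("acct-1", "dev-aaa", "friend@example.com", 5_000, NOW)
    return evaluate_conversion(req, state)


def new_friend_scenario():
    """Constructed: everything normal except a recipient this account has never paid."""
    state = AccountState(known_device_ids={"dev-aaa"},
                         password_changed_at=NOW - timedelta(days=90),
                         recipients_30d={"friend@example.com"})
    req = ConversionRequest("acct-1", "dev-aaa", "newpal@example.com", 2_000, NOW)
    return evaluate_conversion(req, state)


def takeover_scenario():
    """Constructed: password reset 2h ago from an unseen device, over the cap, new mule address."""
    state = AccountState(known_device_ids={"dev-aaa"},
                         password_changed_at=NOW - timedelta(hours=2),
                         conversions_24h=[(NOW - timedelta(hours=1), 10_000)],
                         recipients_30d={"a@example.com", "b@example.com", "c@example.com"})
    req = ConversionRequest("acct-1", "dev-zzz", "mule@example.net", 15_000, NOW)
    return evaluate_conversion(req, state)


if __name__ == "__main__":
    for name, fn in (("legit", legit_scenario), ("new friend", new_friend_scenario),
                     ("takeover", takeover_scenario)):
        print(name, fn())
```

None of these checks would appear in a penetration test finding, and none of them is visible to the customer in the happy path, which is exactly the gap the fraud mindset fills: the decision is made on account history and velocity, not on whether the request is well-formed. The limits and the hold period are the kind of thing fraud and customer experience teams should tune together, since every one of them trades some friction for some loss.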
The organization can gain a ton of value by understanding how these areas of expertise can work together to prevent fraud.
As a wrap up, the trend is that many trends are coming together – not just fraud trends, but within fraud prevention trends as well.
About Rich Stuppy: For more than a decade Rich has been involved in developing fraud mitigation, compliance, and big data strategies. Rich came to Kount after 14 years with a Fortune 50 retailer. Collaborating directly with customers, he works to inform Kount’s product roadmap, identify new and emerging threats, and drive innovation for ultimate customer satisfaction.