What Do Porch Pirates and Credential Stuffers Have in Common? Fraud
Do you remember when you first heard the term “Porch Pirate?” That is now a commonplace term for an individual who literally steals delivered packages off of neighborhood porches. That phrase has a clear meaning, but many fraud-related phrases and names out there don’t have such obvious definitions.
There are many terms the fraud prevention industry relies on to describe different types of fraud. Yet, it can be hard to keep up with all these phrases and words, especially if you aren’t spending your day preventing fraud. Part of the reason for the variety of phrases is that as fraud evolves, fraud prevention strategies anticipate and disrupt the criminal practices with new strategies and new nomenclature.
Check out this short and fast list of a few of the more convoluted (and sometimes weird and not intuitive) words to learn more about the digital fraud prevention industry’s lexicon.
Let’s do a quick breakdown of common threat terms* related to web applications: (Note this is not a comprehensive glossary, but includes a few highlights).
Account Creation Fraud: The process of creating multiple accounts for misuse by threat agents.
Account Takeover: Illegal access to genuine customer accounts. Due to mass data breaches and phishing attacks that expose billions of usernames and passwords, a threat agent is able to access a user’s confidential online loyalty accounts and then steal the data contained within them.
Botnet (Bot): A combination of the words “robot” and “network,” this term refers to a malicious string of internet-connected devices that are used to steal data and compromise other computers and systems. Bots are created when a device is infected by malware, enabling the hacker to take over the device and use it to assist with activities like distributed denial-of-service (DDoS) attacks and emailing spam to thousands of users.
Carding: Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.
Card Cracking: Identifying missing expiration dates and security codes for stolen payment card data by trying different values.
Card-Not-Present (CNP) Fraud: A card-not-present transaction happens when a customer makes a purchase by mail, phone, or online, where the customer is not physically present to present the credit card for purchase.
Cashing Out: Buying goods or obtaining cash using validated stolen payment card or other user account data.
Credential Cracking: Practice of identifying valid login credentials by trying different values for usernames and/or passwords.
Credential Stuffing: Mass login attempts used to verify the validity of stolen username/password pairs.
Chargeback: A charge that a business or merchant is required to return to a payment card after a customer successfully disputes an item on their account transactions report.
Dispute: Occurs when a customer calls their bank to reject a charge on their credit card they don’t recognize. This generally triggers a chargeback.
Friendly Fraud (also known as First Party Fraud): Occurs when customers request refunds from their issuing banks, claiming that transactions on credit card statements are fraudulent. This type can include accidental friendly fraud or intentional friendly fraud.
False Declines (also referred to as false positives): Occur when a legitimate transaction is flagged by a merchant’s fraud protection system and is inadvertently declined. A purchase may trigger a high risk score in the fraud prevention system.
Identity Theft: Occurs when fraudsters gather enough critical pieces of personal data about an individual (such as name, driver’s license number, date of birth and address) and pose as that person to open new accounts and make purchases.
Phishing: A cybercrime in which a target is contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Threat Agent: Any agent that acts against an asset in a manner that can result in harm.
Threat Event: Occurs when a threat agent acts against an asset.
Token Cracking: Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
Velocity Filters: Monitor specific data elements (like email address, phone number and billing/shipping addresses) and limit the number of transactions that a website can process in a certain time frame (an hour, a day) using this data. Why might a business want to limit the number of transactions a single customer is allowed to make? When a threat agent accesses credit card numbers from the dark web, they might start rapidly testing those numbers on a merchant’s site in order to determine which cards work. If a transaction goes through, the threat agents often try to max out the card with more (and bigger) purchases.
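To make the velocity filter entry concrete, here is an added example (not from the original post or from OWASP) of a sliding-window filter that counts transactions per monitored data element. The field names, limits and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class VelocityFilter:
    """Sliding-window limit on transactions per monitored data element."""

    def __init__(self, limits, window_seconds):
        # limits: {field_name: max transactions allowed per window} (assumed values)
        self.limits = limits
        self.window = window_seconds
        self._seen = defaultdict(deque)  # (field, value) -> attempt timestamps

    def check(self, txn):
        """Record the attempt; return the fields whose limit it exceeds."""
        now = txn["ts"]
        exceeded = []
        for field, limit in self.limits.items():
            value = txn.get(field)
            if not value:
                continue
            # Normalize so case or whitespace changes do not reset the count.
            stamps = self._seen[(field, value.strip().lower())]
            # Drop attempts that have aged out of the window.
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()
            # Count every attempt, including blocked ones, so a script that
            # keeps submitting stays blocked until it slows down.
            stamps.append(now)
            if len(stamps) > limit:
                exceeded.append(field)
        return exceeded


def run_sample():
    # Constructed events: one email and shipping address, six different cards
    # tried within two minutes, then a single order from another customer.
    vf = VelocityFilter({"email": 3, "ship_addr": 3}, window_seconds=3600)
    events = [
        {"ts": 20 * i, "email": "a@example.com", "ship_addr": "1 Main St",
         "card_last4": str(1000 + i)}
        for i in range(6)
    ]
    events.append({"ts": 130, "email": "b@example.com",
                   "ship_addr": "9 Oak Ave", "card_last4": "4242"})
    return [(e["card_last4"], vf.check(e)) for e in events]


if __name__ == "__main__":
    for card, hits in run_sample():
        print(card, "BLOCK" if hits else "allow", hits)
```

Because the filter keys on the email and shipping address rather than the card number, rotating through different cards does not reset the count, which is the card-testing pattern the entry describes.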
*From OWASP Automated Threat Handbook Web Applications