Podcast: Play in new window | Download
Looking back at the holiday season, merchants faced a timeless struggle: stopping fraudsters. While dealing with fraud is a challenge year-round, the holiday season makes it even more difficult.
In November and December, people shop more to prepare for the holidays, causing eCommerce volumes to rise. Aware of the uptick in volume, criminals launch attacks, trying to take advantage of merchants who are struggling to keep up with all the traffic.
A common fraud vector used by criminals year around is account takeover. This is when the fraudster gains access to a user’s account, often by using stolen login information or through a brute strength bot attack. In either case, once a criminal gains access to an account, they’re able to steal more personal information, money, and goods.
A recent estimate found that merchants sustained $13 billion in losses due to account takeovers in 2018, said Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
“And that’s likely to get worse as criminals become more active and smarter in the way they operate, using sophisticated tools to perpetrate their crimes,” he cautioned.
To learn more about the types of account takeover attacks and how companies can fight back, PaymentsJournal sat down with Robert Capps, VP of Market Innovation at NuData, and Mercator Advisory Group’s Tim Sloane.
During the conversation, Capps and Sloane discussed the differences between basic and sophisticated account takeover attacks, described the commonalities of sophisticated attacks, and reviewed some relevant use cases.
Basic versus sophisticated account takeover attempts
Before explaining the difference between basic and sophisticated account takeovers, Capps provided a stark warning: It’s safe to assume that nearly every consumer in the United State has had their data stolen in some way, shape, or form over the past five to ten years.
Sloane noted that it’s easy for criminals to buy and sell the personally identifiable information (PII) of consumers on the dark web, a fact made possible by the numerous data breaches occurring each year.
With vast amounts of PII floating around on the internet, “it’s only a matter of time before that data is used to attempt to login to any valid account,” said Capps. Criminals will take this data and go to major retailers, such as Target or Amazon, and attempt to log into accounts in order to make fraudulent purchases.
The manner in which a hacker tries to gain access into the accounts reveals if it’s a basic or sophisticated attack. In a basic attack, the hackers will try to flood as many accounts and websites as possible with the same data, as quickly as possible. It’s high volume, and there’s not really an effort made to pretend to look like a human.
“They’re just sending data to the form and submitting it in the same format that a legitimate page would, and they’re doing it as quickly as possible,” explained Capps.
He explained that the nature of basic attacks hardly changes from year to year. “I think that the most telling thing we’ve seen about basic attacks is that they’re more of recycling efforts,” he said. Criminals are taking data that’s already been used and using it again to see if there’s any remaining valuable data.
NuData’s internal numbers reveal that the number of sophisticated attacks has been increasing, a trend that is expected to continue.
In contrast, these sophisticated attacks tend to have lower volume, and the attacker tries to disguise the attack as a normal login attempt. They might try to hide their IP address, create a valid device ID, and execute JavaScript to run and render the website pages—all in an effort to appear like a normal user who opens a page or application.
While basic attacks used to be the most common type of account takeover, sophisticated attacks have been on the rise. The reason is that basic attacks are easier to detect. “Frankly, they’re really obvious if you know what signals to look for,” said Capps. Since most companies have deployed solutions that can identify and stop the basic attacks, they’re now largely ineffective.
In response, fraudsters have upped their game and embraced more sophisticated approaches. By generating a valid device ID, rendering the pages, and masking their IP address, criminals have a greater chance of success.
“Fraudsters are realizing these more sophisticated attacks are now more successful against organizations that have basic protections,” said Capps. “So, they’re starting to move those attacks around other environments and see where else they’re effective.”
Sloane added that, often times, the criminals behind sophisticated attacks aren’t just petty criminals. Instead, it’s not uncommon for organized crime and even state actors to be launching these sophisticated attacks.
A real-world example of a basic attack: Over 4 million login attempts
Capps provided an example of how NuData helped one client fend off a basic attack at the end of 2019.
“We saw over 4 million fraudulent login attempts to a client, and they were trying to access almost three-quarters of a million accounts,” he said. Since NuData detected a lot of overlap with the same accounts experiencing attempted logins multiple times, it determined that an attack was occurring, but a careless attack. It showed the attackers were using a messy data set with many duplicates.
NuData stopped the bulk of the attempts right away; of the over 4 million attempts, only around a thousand accounts were accessed. “And those accounts were high enough risk that we passed them on to our customer and they mitigated those transactions using their downstream risk engines,” explained Capps.
An example of a sophisticated attack: Fewer accounts and a human farm
The example of a sophisticated attack consisted of roughly under 30,000 login events. And unlike the basic attack, which we saw overlapping attempts to get into the same account, this attack was cleaner and more precise. “It was very focused on this one company,” said Capps.
When NuData detected an element of automation in the login attempts, it used CAPTCHA technology to test those users. Critically, all the CAPTCHA challenges were solved correctly.
The team at NuData dug a little deeper and discovered that the CAPTCHAs were being taken from the device where the page was rendered and the login was occurring, and passed off to a second device where a human actually solved them.
This was a great example of how humans and computers interact to overcome countermeasures from a company, said Capps. This is a hallmark of sophisticated attacks. The CAPTCHAs were being solved correctly, which led NuData to conclude that the criminals were using humans, in what is typically known as a human farm. A human or click farm is an office somewhere, often in the developing world, where people sit all day behind computers, creating accounts, solving CAPTCHAs, or placing fraudulent orders.
Of the thousands of login attempts, under 300 needed further evaluation—evidence that NuData’s approach reduces the amount of manual review needed to stop sophisticated fraud attacks.
However, both Sloane and Capps warned that many companies are not utilizing the technology necessary to stop such an attack.
“Without the proper techniques and tools, most organizations will be drowning under these volumes of attack,” said Capps.
Since criminals are becoming more sophisticated, companies looking to stop fraud need to become more sophisticated as well.
Companies can leverage existing technologies that detect suspicious activity by harnessing data from different stages of the consumer journey and connecting it together to make a probabilistic determination of whether fraud is occurring. You can learn more about this approach on the recent Mercator report “Authentication, Intelligence, and the Consumer Journey, a Multi-Layered Approach to Reduce Digital Fraud.”
