On October 1, the financial payments world was abuzz with talk about how the increased adoption of the new EMV standard for credit card purchases was going to bring about dramatic changes to financial fraud. We will likely see a reduction in the amount of “brick and mortar” financial fraud transactions. Unfortunately, it is also going to result in a dramatic increase in the amount of online fraud as fraudsters change their focus to places that do not require the credit card to be physically present. According to a study by Javelin Strategy & Research, card-not-present fraud is predicted to grow by 200% over the next three years [1]. Are you ready for this tidal wave of financial fraud? Let’s arm you with a couple of tips to keep you from being the victim this holiday season.
Know Your Enemy
As you brace yourself for the coming wave of fraudsters, it is important to understand how this modern adversary behaves and make sure your defenses are up to date. Gone are the days where a single attacker uses a single stolen credit card to make a quick score. Financial fraud has become a professional enterprise, with a complete ecosystem of fraud-as-a-service stealing over $16B per year [2]. The adversary is now a well-organized crime ring that utilizes armies of fake and compromised accounts to conduct stealthy attacks posing as legitimate users. So how do these modern attacks work? Let’s look at a few examples of what DataVisor is seeing in the wild.
Don’t Judge a Book by its Cover
One thing is constant in the security world – cyber attackers will continue to evolve in how they attack you. If you are reliant on reputation-based security solutions like IP blacklists, GeoIP databases or email domain reputation solutions, these new adversaries will be robbing you blind.
In a recent case we observed at a travel-based e-commerce site, fraudsters were able to steal thousands of dollars per month in free flights by using a combination of attack techniques to appear as legitimate users and circumvent the traditional security solutions in place. The attack was launched from a large set of distributed IP addresses, including many home DSL IP ranges that made the traffic appear similar to legitimate users. Each malicious host only made one or two transactions, allowing the low-volume activities to stay under the radar.
In conjunction with this distributed attack technique, these fraudulent transactions were all associated with email accounts from anonymous email providers, such as Guerrilla Mail, Mailinator, Fake Mail Generator, or Hushmail. These solutions are designed to allow attackers to easily create large numbers of fake email accounts that cannot be easily traced back to the user and that also defeat email domain reputation solutions that blacklist known malicious email addresses. In order to defeat these types of adversaries, you will need to stop judging these users solely by their email address, IP or geographic location and use solutions that can pick out the bad actors even when they look and feel like legitimate users.
There is Not a Single ‘Rule’ or ‘Model’ for Success
Rule-based systems or machine learning models are commonly deployed for detecting online financial fraud. For example, large transactions over a certain amount will trigger alerts that result in additional authentication requirements or manual review. Other rules look for changes in the user’s behavior, such as blocking transactions originating from a different device or geographic location, or transacting with a new party. But the flaw with any rules or supervised machine learning models is they do not account for the changing nature of attacks, so the merchants are only reacting long after the financial damage has been done.
DataVisor has seen in multiple clients how fraudsters will often use large armies of fake accounts to “test” the detection rules by making one or multiple small transactions on stolen credit cards to see if they are approved by the financial institution. If the transactions go through, they will then proceed with larger amounts. These subsequent transactions may be days or weeks apart from the initial “test” transactions. By the time they are detected, the damage is already done.
The figure above is an example of how these adaptive malicious campaigns operate. While bad actors who started out making large transactions upfront were blocked by traditional rules-based systems, we observed the same attack campaign evolve their tactics to find gaps in the rules. Fraudsters began to make multiple transactions per stolen credit card, with a small transaction (the “test”) followed by a few large transactions about one week later. All of the latter transactions went through but ended up in financial loss for the merchant. In order to prevent these types of attacks, we need to stop relying completely on rules or pre-trained models, and use more sophisticated analytics to automatically discover new attack patterns.
Get to High Ground
Clearly, transaction fraud is a problem that needs to be tackled from multiple angles. In order to withstand the coming tsunami of online transaction fraud, we need to reassess our security strategies. As fraudsters are constantly devising new techniques, we must adopt more sophisticated technologies that are able to automatically adapt to ever-changing attack patterns and catch fraudulent activities before they happen – without relying on knowledge of existing attack techniques.
References
[1] “Global card fraud damages reach $16B.” Pymnts 6 Aug 2015. http://www.pymnts.com/news/2015/global-card-fraud-damages-reach-16b/