Sizzle of The Week: Fraudsters
And for the record, making “fraudsters” a sizzle isn’t because we think it’s a good thing to do – but, unfortunately, they have earned it.
And they’ve earned it not for lack of effort on the part of fraud and security professionals. Many of the best and brightest minds across payments, financial services, fraud and risk spend the vast majority of their time trying to find and fix the weak links that fraudsters could exploit for their own devious means.
But yet, as this week demonstrates, the fraud wave keeps on coming – proving that the fraudsters of the world are nothing if not inventive.
So, what were the lowlights that made fraudsters a sizzle?
Well, for one, account takeovers, which are on the rise.
According to the October 2017 Global Fraud Index, a PYMNTS and Signifyd collaboration, account takeover has spiked 45 percent in Q2 2017 alone.
That was before Equifax flooded the dark web with the personal credentials of every adult in the United States.
And the not-so-good news just keeps on coming, according to the Index. The increase in account takeovers is symptomatic of the larger landscape of fraud. All told, merchants lost $3.3 billion to the increasingly popular fraud technique over the course of the 12 weeks of Q2 2017.
More broadly, fraud overall increased 5.5 percent year-on-year (Q2 2016 to Q2 2017). Fraud rates for transactions above $500 jumped to 11.47 percent, which is 22 times the rate of fraud on transactions under $100. This is a sharp reversal from stats that actually showed fraud levels on the decline between Q4 2015 and Q1 2106, thanks to the implementation of EMV at the physical point of sale. Fraud has been rising steadily and sharply over the last three quarters – and out of the nine industry segments covered by the Fraud Index, some $57.8 billion was lost in eight specific industries.
As the report noted, this is just the beginning of a spike, not the end. It’s going to be a bumpy ride.
So, fraudsters are busy – and now, post-Equifax breach, they are better armed with consumer information than ever before.
And that news just gets a bit more daunting from there.
Fraudsters appear to be getting more creative about their craft, always hunting for the path of least resistance. That has given some the idea that schools – in particular, student information –are logical targets. The U.S. Department of Education has confirmed that a new cyberthreat is targeting school districts across the country with an extortion attempt that warns educators to pay them – or risk the school’s private records going up on the public web.
“In some cases, this has included threats of violence, shaming or bullying the children unless payment is received,” the department wrote in an advisory this week.
So far, the attack has been seen in three U.S. states, although law enforcement officials believe the threats are empty.
All schools have refused to pay the ransom, while at least one continues to receive threats. No student data has been released.
Why might fraudsters be targeting the personal information of kids? To paraphrase the Big Bad Wolf in Little Red Riding Hood, the better to create synthetic IDs, he said.
There is, however, a concern that the hackers involved are not making empty threats. The attacks are believed to be the handiwork of “Dark Overlord,” a group known to have previously attempted to extort Netflix last year by threatening to release “Orange Is The New Black” early. Netflix balked, and the episodes were released.
The Department of Education also notes that Dark Overlord is picking districts “with weak data security or well-known vulnerabilities that enable the attackers to gain access to sensitive data.”
And, in fact, federal warnings have proliferated this week, as things scarier than schools are under assault.
Cyberattacks targeting U.S. energy and industrial firms are increasing, prompting the U.S. government to issue a public warning about the potential threat.
This week saw warnings from both the Department of Homeland Security and the Federal Bureau of Investigation (FBI) that sophisticated hackers are targeting nuclear, energy, aviation, water and critical manufacturing industries, as well as government entities.
The cyberattacks date back to May, but could go back even further. The goal of the hackers was to use malicious emails and websites to obtain credentials in order to access the computer networks. The hackers were able to compromise some of the targets, but the government wouldn’t provide information about any specific incidents. Authorities have been monitoring the activity for months now, noted Reuters, citing a confidential report that was distributed to firms determined to be at risk of an attack.
Department of Homeland Security spokesman Scott McConnell declined to tell Reuters what prompted the current government cybersecurity warning.
“The technical alert provides recommendations to prevent and mitigate malicious cyberactivity targeting multiple sectors, and reiterated our commitment to remain vigilant for new threats,” he said in the report.
The FBI declined to comment.
Robert Lee, a security expert and chief executive of cybersecurity firm Dragos, told Reuters the infrastructure-targeting hacking appears to be the work of hackers employed by the Russian government, but declined to elaborate. The company is also monitoring other groups targeting infrastructure that appear to be tied to China, Iran and North Korea, the executive told Reuters.
And, tying a nice little bow on it all – just in time for Halloween, the Reaper is here for us all.
Not the Grim Reaper, thankfully, but the Reaper botnet. Reaper, also known as IOTroop, is a growing botnet whose size, at more than 1 million organizations infected, could soon rival that of the Mirai botnet that knocked much of the U.S. offline last year, along with top websites around the world – Reddit, Netflix, Twitter and Spotify, just to name a few.
So far, Reaper lies dormant, but its sheer size and spreading power make it even more threatening than Mirai, with Check Point Research calling it a “cyberhurricane” that could potentially take down the internet.
So, time start fearing the Reaper?
Security researcher Brian Krebs isn’t writing the internet’s eulogy just yet, as it’s not yet well-known what the purpose of the Reaper is, or whether it is capable of the type of attack that took down so many services last year.
But Reaper is big: The team at CheckPoint notes they’ve detected it on 60 percent of the networks it monitors. While its exact purpose is not known, it’s hard to believe that it’s a good one – particularly considering the ways in which it works to burrow into machines with weak password protections (Mirai, on the other hand, targeted machines that were not password protected).
So, to recap: Account takeover fraud is spiking, hackers are now using school and student data to create synthetic IDs, power plants and nuclear facilities are holding the country hostage in the worst of all possible ways, and there is a massive botnet lurking in a staggering number of devices – and no one knows exactly what its goal is and when it might be unleashed.
That’s a sizzle for fraudsters, who’ve not only stolen our information, but have managed to be the scariest thing out there this Halloween season – and beyond.
Worker Productivity: $60 billion annually of anything is nothing to sneeze at. The Information Technology Industry Council has estimated that AI can generate $60 billion in production improvements per year, even as they add $7 trillion to $13 trillion in economic output on a global scale in less than a decade. So maybe this means that while AI is hard at work, you can let your coffee breaks linger a bit?
Commerce Crossing Borders: Numbers are strong from global payments giant, Visa, where cross-border transactions were up 10 percent. Digital shows traction as Visa Direct volumes grow 75 percent year on year. The integration of Visa Europe is, as CEO Al Kelly said, ahead of company plans. Looking into 2018, the company will be leveraging investments into Visa Direct and Open VisaNet, among other initiatives.
Chinese Tourists Traveling To The U.S.: It’s been a busy few days for Alipay, with big benefits for Chinese tourists, who use the third-party payment platform to transact as they sojourn abroad. The company linked up with Marqeta, the open API card issuer, to move payments made in the U.S. ever closer to real time. That partnership comes on the heels of announcements with JPMorgan Chase and Poynt, which also help to expand exposure to U.S. retailers and streamline payments at the point of sale.
Uber Biz Rideshare: Slight dip, yes, but a dip: one percent, according to Certify. Although Uber is still the leader in the space, Lyft grabbed three percent over the same period. We wonder if that has anything to do with the fact that Uber is levying new fees, which would mean that the passenger has to pony up for “out of the way” pickups, and will start to incur charges if the driver has to travel longer than eight minutes to the pickup location.
iPhone X-pectations: Will it be an ex-phone right out of the gate (pun intended)? Even Apple co-founder Wozniak is “meh” and likes his iPhone 8 just fine, thanks. And he doesn’t think the Face ID feature will work the way it is designed, which may throw some cold water on sales. Wall Street analysts are mixed on what might lie ahead for iPhone results.
ICOs: Amid the heated debates about cryptocurrencies in general and how they are marketed through initial coin offerings, one poster child is having some issues. Disputes and controversy mark Tezos, a cryptocurrency project, which had just a few short months ago raised $232 million. The controversy centers on who controls what at the company, with founders trying to push out the president. In the meantime, some industry-wide news is less than stellar: In cryptocurrency land, only one in 10 tokens are used after sales to actually, well, transact. Big surprise.