In one of the more unfortunate examples of practice making perfect, fraudsters are getting better at what they do. According to the latest edition of the PYMNTS Global Fraud Index – after a short lull post-EMV in the U.S., when fraud briefly went down – they have bounced back with a vengeance.
As it turns out, fraudsters – upon encountering a more sophisticated lock on the commerce “front doors” that are retail POS terminals – did not decide to give up their lives of digital crime in favor of becoming math teachers in Belarus. They just moved online, and started looking for easy-to-open windows.
According to John Krebs, manager of the identity theft program at the Federal Trade Commission (FTC), the situation between the good guys who are trying to protect the systems and the bad guys who are trying to break into and exploit them will always be very asymmetrical. The good guys – the financial institutions, retailers and cybersecurity firms – have to be right every time, finding all available windows and making sure they are entirely locked at all times. The bad guys – the international army of fraudsters and hackers – only have to be right once: They only need one open window and poof! – the data of 143 million American adults is out and for sale on the dark web.
And, Krebs noted, though Equifax is getting a lot of attention and concern given its size and scope, the fraud problem extends far beyond just the recent big breach.
“There is a very large amount of data out there from the thousands of other breaches, which means there is [an abundance] of tools for attacking, and these guys have nothing but time and patience to break systems,” he said. “They are always looking for new and unique ways to monetize the data they pull out, and as they find them, they are finding that there is such a vast amount available out there [that] they have an incentive to try millions of times. Even if there is a low success rate, the rewards and the amount of damage they can cause is great.”
According to Krebs, as more information is extracted and monetized, this begets more tools for better infiltration, which supports more information being stolen and monetized, creating the vicious cycle in effect today. The attacks are becoming more numerous, he noted, but also more varied.
The Many Ways To Play At Fraud
Account takeover fraud is a growing concern, but Krebs noted that institutions and customers are better armed against it. Any given bank or card issuer has an idea of what their customers’ typical purchase behaviors are like – so if a regular consumer suddenly files a new address halfway across the world and starts buying stereo equipment en masse, red flags will fly.
Moreover, consumers tend to be aware of things like their bank accounts, and a credit card statement with a balance that’s a few thousand dollars north of where it should be tends to draw attention. The goal of account takeover is short-term: You get the credentials, load up the card with charges before the alarm bells go off and then burn the card when you’re done.
“And the mechanisms on the dark web are getting better at spreading and stretching out the detection,” Krebs noted. “I live in DC, so if I am buying a fraudulent payment card, I am buying one that is also from DC – so it doesn’t immediately flag a warning that a card that should be in California is suddenly buying lunch in Washington.”
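To make the behavioral baseline described above concrete, here is an added example (not from the article or the FTC) of a rules-based risk scorer run over constructed transactions; the profile fields, weights and the review threshold are assumptions. It scores the article's scenario (a new faraway address followed by a burst of stereo purchases) and Krebs's caveat case, a DC card used for lunch in DC, which trips no geography rule at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed data types for the example; the field names are assumptions, not an issuer's schema.
@dataclass
class Profile:
    home_region: str
    usual_categories: frozenset
    typical_ticket: float                    # cardholder's usual purchase size
    address_changed_at: Optional[datetime] = None

@dataclass
class Txn:
    when: datetime
    region: str
    category: str
    amount: float

def score_transaction(profile: Profile, txn: Txn, recent: list) -> tuple:
    """Additive risk score: each deviation from the cardholder's baseline adds weight.
    Returns (score, reasons); an issuer would send anything above a threshold (say 4) to review."""
    score, reasons = 0, []
    if txn.region != profile.home_region:
        score += 2; reasons.append("out-of-region")
    if txn.category not in profile.usual_categories:
        score += 1; reasons.append("unusual category")
    if txn.amount > 3 * profile.typical_ticket:
        score += 2; reasons.append("high ticket")
    if profile.address_changed_at and txn.when - profile.address_changed_at < timedelta(days=7):
        score += 2; reasons.append("address changed this week")
    # Velocity: several same-category buys in the prior 24 hours (the "en masse" signal)
    burst = [t for t in recent
             if t.category == txn.category and timedelta(0) <= txn.when - t.when <= timedelta(hours=24)]
    if len(burst) >= 2:
        score += 2; reasons.append("purchase burst")
    return score, reasons

def demo():
    t0 = datetime(2017, 10, 1, 12, 0)
    # Article scenario: address filed two days ago halfway across the world, stereo gear bought repeatedly.
    moved = Profile("DC", frozenset({"grocery", "restaurant"}), 40.0, address_changed_at=t0 - timedelta(days=2))
    prior = [Txn(t0 - timedelta(hours=h), "Lisbon", "electronics", 1200.0) for h in (1, 2)]
    ato = score_transaction(moved, Txn(t0, "Lisbon", "electronics", 1200.0), prior)
    # Krebs's caveat: a DC card buying lunch in DC looks exactly like the real cardholder.
    local = Profile("DC", frozenset({"grocery", "restaurant"}), 40.0)
    lunch = score_transaction(local, Txn(t0, "DC", "restaurant", 18.0), [])
    return ato, lunch
```

The second case is the point of the caveat: when the purchased card matches the fraudster's own geography, only the non-geographic signals (category, ticket size, velocity, recent profile changes) are left to carry detection.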
But, Krebs noted, when you look at things like the Equifax breach – and the other waves of breaches that have seen the full suite of consumer information go out the door – accounts being taken over is becoming a less challenging threat than fraudulent accounts and synthetic identity frauds, where stolen data is attached to fabricated accounts and identities.
“That is harder to unwind,” said Krebs. “Because in those cases, the merchant and the creditor don’t know you, outside of the authentication information you provide up front. They know nothing about your habits, what you look like – from the data they have, you look very much like a reason[able] person applying for an account or making a purchase. Those are much harder to resolve from the consumer end.”
By the time the new account has been created, he noted, it becomes really hard for the real person to prove that they aren’t the fraudster. It can encompass a lot of untangling – and it makes it imperative that when entities are thinking about these issues, they are thinking of both parts.
“The important focus is on two prongs: The first is when you come to me and ask for an account. I really need a way to be able to check that you are who you say you are. From there, the issue becomes account usage, and making sure that the only person accessing and using the account is the proper user.”
Fighting The Phishermen
Because the marketplace for consumer data is always growing, and because criminals are finding new and improved ways to monetize that data, there is a growing realization that username and password isn’t really a suitable authentication strategy – because that type of data is so easily phished.
“These aren’t the older types of phishing emails, where consumers click on it and then respond in horror because they realize they’ve been grabbed,” said Krebs. “These are emails that look like they come from a bank – the customer tries to ‘sign in,’ then they get an innocuous error message and don’t realize they’ve sent their credentials.”
But, Krebs noted, they have – and in most cases, have also sent a skeleton key for most of their accounts, since customers often tend to repeat passwords and usernames. Once the bad guys snag one, it gets a lot easier to “brute force” open a lot of their other accounts with that password, or variations of it.
When building multi-factor authentication, one should look for something that is hard to phish from a consumer because it isn’t based on known data. Biometrics, he noted, is an intriguing area but one with a significant caveat – used incorrectly, it can also be a stealable and static data source.
“Whether it is a thumbprint or a face-print, once it has been digitized, it can be used,” Krebs said. “Biometrics can be static information – because you really can’t change your fingerprint – and it can become data that risks being compromised, especially if our systems are deeply immersed in it and use it as the single or biggest factor, as opposed to one factor among many.”
The FTC, Krebs noted, by its very nature, only gets complaints from consumers who know they’ve been the victims of cybercrime. After all, one can only complain about something they know about.
“Either you figure it out, or someone told you,” Krebs pointed out. “Our numbers help us track risks, but there are some things consumers can’t complain about because they don’t know they happened.”
Synthetic identity fraud and account creation fraud are both prime examples of that, because they are designed to be very invisible to consumers for quite a long time.
“We know there is an even larger unknown that is resistant to being watched,” he noted. “We know the issue, we know how it works – but we don’t have sufficient data to quantify the magnitude of the problem.”
What can be done by everyone, Krebs noted, is to think of their “digital persona” as being as real as their physical persona. In real life, we practice good hygiene and monitor our health – and when things go wrong, we go to places to get those problems healed.
The reality, he said, is that our digital persona has basically all the same needs.
“That is the way we need to look at this: It is how we as a society are going to be able to deal with this new challenge,” Krebs concluded.