The common saying that practice makes perfect applies to many things, and fraudsters are also getting better at what they do. According to the latest edition of the PYMNTS Global Fraud Index, after a short post-EMV lull in the U.S., during which fraudulent activity fell, fraudsters have bounced back with a vengeance.
By the look of things, when fraudsters encountered a more sophisticated lock on commerce's front door, the retail POS terminal, they did not decide to forgo their lives of digital crime in favor of becoming mathematics teachers in Belarus. They moved online instead and started looking for a window that is easy to open.
According to John Krebs, manager of the identity theft program at the Federal Trade Commission (FTC), the situation between the good guys who are trying to protect the system and the bad guys who are trying to break in and exploit it will always be asymmetrical. The good guys, the financial institutions, retailers and cybersecurity firms, have to be right every time: they must find every possible entry point and keep it locked down at all times. The bad guys, an international army of fraudsters and hackers, have to be right only once. They need only one open window, and the proof is the data of 143 million American adults now for sale on the dark web. And, Krebs observed, although Equifax is getting much of the attention and concern given its size and scope, the fraud problem extends well beyond that recent big breach. “There is a large volume of data available from thousands of other breaches, which implies that there are numerous tools for attacking, and the only thing the bad guys need is time and patience before they break the system,” he said.
“They are always looking for ways by which they can monetize the data they obtain from the breach, and as they find them, they observe that there are numerous amounts available out there which they have to try millions of times. Although there might be a very low rate of success, the reward, as well as the amount of damage that will be caused, will be huge.”
According to Krebs, as more information is extracted and monetized, it serves as a tool for better infiltration, which in turn supports the stealing and monetization of still more information, creating the vicious cycle occurring today. He also noted that the attacks are becoming not only more numerous but more varied.
The Many Ways To Play At Fraud
Account takeover has been a great concern, but Krebs observed that institutions and customers are well protected against it. Most banks and card issuers have an idea of how their customers behave, so if they observe that a regular customer files a new address and starts buying equipment in large quantities, a red flag flies immediately.
Consumers are also aware of things like their bank accounts, and a credit statement with a balance reduced by thousands of dollars would draw attention. The aim of account takeover is short-term: you obtain the credentials, buy various things with the card before the alarm sounds, and then burn the card when you are done.
Krebs also noted that “the mechanisms on the dark web are getting better at spreading and stretching out the detection.” “Because I live in DC, if I am buying a fraudulent payment card, I would buy one that is from DC so that it won’t immediately flag a warning that the card is supposed to be in Texas while buying lunch in Washington.”
However, Krebs noted that when you observe things like the Equifax breach and other breaches that have put consumers' information out there, account takeover is becoming less frequent than fraudulent-account and synthetic identity fraud, which involve attaching stolen data to fabricated accounts and identities.
Krebs said this is harder to explain because in those cases the merchant and the creditor do not know you, beyond the authentication information you provided earlier. They know nothing about your habits or what you like, and from the data they have, they will see you as a reasonable person applying for an account or buying goods and services. This kind of scenario is very hard to resolve from the consumer end.
He explained that after the new account has been created, it is very difficult for the real owner to prove that he or she is not the fraudster. It involves a lot of issues and is very difficult to resolve, because both parties have to be considered when resolving such an issue.
“It is also crucial to focus on two prongs: the first is when you come and demand an account. There is a need for me to be able to ascertain that you are the person you claim to be. From that point, the issue becomes the usage of the account, and ensuring that the only person who has access to and is using the account is the authentic owner.”
Fighting The Phishermen
Because the marketplace for consumer data keeps growing, and criminals are always looking for new and improved ways to monetize the data, people are now realizing that username and password is not a suitable authentication strategy, because these data can be phished easily.
Krebs said “these are quite different from the older types of phishing email, whereby consumers click on it and then respond with horror because they observe that they have been grabbed”. These are emails that look like they come from the bank; when the customer tries to sign in, they get an innocuous error message and do not observe that their credentials have been sent.
However, Krebs noted, they have, and in most scenarios they have also sent a skeleton key for most of their accounts, because most customers reuse passwords and usernames. Once the bad guys get one, it is very easy to “brute force” their way into many of the customer's accounts with that password or its variations.
Whenever you are building multi-factor authentication, look for something that is hard to phish from a consumer because it is not based on known data. He noted that biometrics is an intriguing area, but one with a significant caveat: used incorrectly, it can also become a stealable and static data source.
Krebs said that once a thumbprint or face-print has been digitized, it can be used. Biometrics can be static information, because you cannot change your fingerprint, and it can also become data that risks being compromised, especially if our systems are very attached to it and use it as the single, major factor rather than one factor among many.
Krebs observed that the FTC, by its nature, only gets complaints from consumers who are aware that they have been victimized by cybercriminals. One can only complain about something one is aware of.
Krebs also pointed out that either you figure it out or someone informs you. “We are able to track risks because of our numbers, but there are some things that consumers can’t complain about because they are not aware of their occurrence.”
Good examples of that are synthetic identity fraud and account creation fraud, because these kinds of fraud are designed to be invisible to consumers for a long duration. “We are also aware that there is a larger unknown that is resistant to being watched,” he noted. “We know the challenges and how it works, but we do not have enough data to quantify the magnitude of the problem.”
Krebs noted that what everyone can do is think of their “digital persona” just like their physical persona. In real life, we have our health monitored, we practice good hygiene, and whenever we observe that something is not right, we go to places where those problems can be treated.
He said the same should be applied to our digital persona.
Krebs concluded that “that’s the way we need to look at it, and by so doing society would be able to deal with these new challenges.”