Wednesday, July 13, 2016

Fraud, Inc.

by Robert Capps, VP at NuData Security

July 13, 2016 - Eskenzi PR - While fraudsters are getting more sophisticated and organized, they are also growing in numbers. The relative ease with which an individual can commit credit card fraud, along with the sheer volume of cheap card account data available on the black market, makes it a highly lucrative business to be in. When combined with the number of vulnerable merchants and the lack of accountability, well, every day is Christmas day.

Here's the math:
Ease of attack +
Bountiful cheap credit card data on the black market +
More opportunity to commit fraud +
Very lucrative +
Little downside in penalties/accountability
= more people who are willing to commit the crime.

So, why is the US the king of card fraud online? It's the ubiquity of eCommerce merchants that accept credit cards for payment, coupled with a lack of preparation on the part of most eCommerce merchants to combat fraud risks, and made worse by a lack of consistent cooperation between merchants, card brands, and issuing banks to take a holistic stand against card fraud risks.

Contrary to some reports, EMV adoption in the US is not currently driving the increase of Card Not Present (CNP) transaction fraud online, although in time it will eventually reduce CNP fraud from counterfeit cards being created and used in store.

Consumers as Unwitting Accomplices
Consumers are victims of financial/card fraud over and over because they continue to shop at the same places and use their cards in the same ways, even after cards have been replaced, often falling victim to the same ongoing skimming and data theft attacks against a compromised retailer.

Even our own devices are sometimes complicit in the theft, with malware and other threats often resident on them, leading to immediate re-compromise after a card is replaced by a financial institution.

We've seen that new account/application fraud is rising due to the ubiquity of rich consumer data available on social media and via other sources, making it easier for those with malicious intent to go out and apply for a loan or credit card in your name, or even engineer their way into controlling your existing accounts. This puts good cards and accounts in the hands of the bad guy, allowing them more time and greater access to the credit line of a legitimate consumer, often before the crime is detected and can be mitigated. In some cases, access may persist for months before it is detected, often because the overdue notices begin to arrive in the legitimate customer's mailbox.

Close the Door, for Good
There are solutions that protect merchants and consumers from identity and credit card fraud risks. One solution that is seeing broad adoption is based on the science of behavioral biometrics, which provides continuous, multi-factor authentication that goes beyond the typical static data matching used to identify consumers to their creditors, merchants, and banks. Behavioral biometrics accomplishes this task by evaluating the entire customer behavior profile, built up over time. By providing true insight into how a customer behaves, and comparing these behaviors to other interactions by this user, it accurately identifies them in future interactions - all without adding friction to the user experience, and without opening up the legitimate user to impersonation and account takeover.

Studies like this continue to highlight what we've all been thinking for a long time, namely that true authentication demands a higher degree of scrutiny of the end user at the keyboard, not just the device in use or the static data entered into a web page.