Holiday season brings tidings of CNP fraud

Shoppers, retailers and cybercriminals are no longer waiting for Black Friday and Cyber Monday to get into the holiday spirit. Security analysts saw a spike in legitimate and fraudulent retail transactions throughout the third quarter of 2016, a traditionally quiet period. The attacks are becoming more frequent and sophisticated, experts warned. Chief among their concerns is the use of artificial intelligence and social engineering to mimic legitimate customers, which can lead to other crimes.

"The challenge for businesses is that if fraudsters behave more and more like genuine customers, and automated bot attacks are testing identity credentials on a mass scale, what hope is there of detecting the genuine good transactions from the sea of bad ones?" wrote Alisdair Faulkner, Chief Products Officer at ThreatMetrix, The Digital Identity Company. The ThreatMetrix Cybercrime Report: Q3 2016, published Nov. 1, 2016, found a 40 percent increase in card-not-present (CNP) crime between July and September 2016, compared with the same period in 2015. The analysis was based on close to 5 billion transactions and 130 million blocked intrusions, the company noted.

Cybercriminals have graduated from brute attacks to more advanced, nuanced methodologies, according to Vanita Pandey, Vice President of Strategy and Product Marketing at ThreatMetrix. "Attacks have evolved from being one-dimensional with a singular purpose to being a Frankenstein's monster of attack vectors, using bots, social engineering and remote access stealth in various combinations," she said.

Physical, virtual fraud

"True fraud exponentially rises during the holiday season," said Srii Srinivasan, co-founder and Chief Executive Officer of ChargebackGurus. "Many criminals hack into retail networks earlier in the year, planning attacks well in advance of peak retail season. Some of their most insidious strategies involve mimicking legitimate customers."

Pandey and Srinivasan urged retailers to plan ahead for high-volume transactions and implement real-time detection strategies to protect against ever-changing threats. "Fraud prevention is no longer simply about timely detection but about getting under the skin of evolving attack patterns to better thwart the rise of cybercrime," Pandey said.

Srinivasan cited a number of reasons for increased chargebacks around the holidays. "Fulfillment centers may ship the wrong product, or duplicate an order, and there is more physical theft during holiday season, because thieves know high ticket items are being ordered," she said.

Top industries, retailers targeted

Security experts are especially concerned for big-box retailers, which they claim will be primary targets throughout the holiday shopping season and immediately thereafter. There could be as many as 50 million attacks to ecommerce sites in the peak shopping week alone, experts have warned. ThreatMetrix has been stopping an average of one fraudulent new account creation every ten seconds and sees a widespread use of stolen identity credentials. Pandey called these attacks "multifaceted, global and ever-evolving," as criminals strive to steal, validate and sell stolen identities. Increasing crime levels necessitate staying a step ahead "with innovative approaches that derail fraudsters and strike the right balance between protecting businesses and minimizing friction for users."

Srinivasan additionally noted that many retailers hire temporary workers to help manage shipments, returns and inquiries. Merchants need to combine preventive tools and strategies with human oversight to protect against fraud, and information technology departments need to plan for excessive network traffic, she stated.

Following are at-risk categories cited in the ThreatMetrix report:

• E-commerce: Bot attacks are growing in direct proportion to digital ecommerce transactions. Attacks on logins and payment transactions grew 30 percent and 70 percent, respectively, in 2016.

• Financial services: Online financial services transactions continue to be driven by mobile usage. Login attacks in fintech increased due to a large bot attack on an e-lender.

• Digital media/social networks: Fraudsters are testing stolen credentials on sites with modest signup and authentication requirements. Attacks on new account creations increased by almost 400 percent compared with the third quarter of 2015.

• Cross-border transactions: Representing one in five transactions in the digital network, these transactions are considered riskier than domestic transactions and rejected twice as often.

Changing consumer, fraudster behavior

Mobile and in-app payments have created a new frontier for fraudsters, according to the ThreatMetrix study. "As digital transactions have grown, so have the attacks," the authors wrote. "This quarter saw the highest number of attacks on ecommerce with more than 76 million blocked transactions, a 60 percent increase over 2015."

Fraudsters are targeting mobile and online accounts where consumer credentials are stored, the authors noted. They expect these login attacks to continue through the 2016 holiday season as cybercriminals use a combination of techniques to break into ecommerce sites and steal identity and payment card data. This will place inordinate pressure on merchants to validate customer identity while protecting against fraud and theft, they stated.

ChargebackGurus has seen an increase in "friendly fraud"; its analysts are working with payment card brands to evaluate this trend. Some consumers have bragged about friendly fraud on social media, claiming to have received free goods by disputing charges, according to recent reports. Overall chargeback volumes in 2015 were 30 percent friendly fraud and 70 percent true fraud; these numbers have been reversed in 2016 with 70 percent friendly fraud and 30 percent true fraud, the company stated.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.