First Data charts the rise of FaaS

A new First Data Corp. white paper reports that cybercriminals have adopted their own form of software as a service (SaaS). It's called fraud as a service (FaaS), which uses the same online infrastructure as SaaS to more efficiently perpetrate fraud schemes.

In Fraud Trends in 2010: Top Threats From a Growing Underground Economy, Rick Van Luvender, Director of the First Data InfoSec Incident Response Center, wrote that fraudsters have exploited business tools – the Internet chief among them – to "gain access to a wide range of applications while offloading the need to have knowledge of, expertise in or control over the technology infrastructure that supports them."

Central to FaaS are online fraud forums through which individuals and organizations exchange information and buy and sell stolen wares, such as card numbers. To increase online traffic, forums often "offer tutorials, how-to guides or even specialized venues for goods from specific countries or regions," Van Luvender wrote.

The forums provide access to fraudsters who specialize in designing software applications for Trojan and phishing scams, for example. Furthermore, the forums facilitate the "cash-out" process after data has been stolen.

On a commission basis, contractors known as cashiers and money mules utilize electronic money transfers to drain the accounts and convert the funds into legitimate currency, the white paper said. These contractors also help validate customer verification value numbers against corresponding credit card numbers, for a fee.

Into the cyber underground

Fraud continues to grow, according to the white paper. Citing the 2009 Verizon Business Data Breach Investigations Report, First Data's InfoSec said 285 million consumer records were compromised in 2008, more than the previous four years combined.

Credit card numbers remain the most popular stolen item, according to the white paper. Stolen card numbers sell for between 10 cents and $25 per card, with discounts offered for bulk purchases. The average stolen credit card has a credit limit of $4,000, the report stated.

The report listed the top 10 fraud trends. They are:

1. Malware attacks 2. Phishing and other types of social engineering scams 3. ATM skimming 4. Structured Query Language (SQL) injections 5. Counterfeiting outside the Europay/Mastercard/Visa security standard zone 6. Insider fraud 7. Money mules 8. Avatar/virtual criminal markets (online role playing games, social networking) 9. Supply-and-demand black markets 10. Creative money laundering schemes

Navigating the threat landscape

InfoSec advised payments industry constituents, as well as merchants and consumers, to more fully understand how fraudsters operate, specifically in new media environments like social networking site Facebook, in order to mitigate risks and recognize attacks before they inflict severe damage on businesses and individuals.

"Understanding the nature of both data theft and the conversion of stolen data into cash can help organizations of all types better anticipate where criminals may exploit the system, so they can put appropriate preventive measures in place," the whiter paper said.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.