Page 18 - GS190702
Views
The very point of sale

Things that go bump on your screen

By Dale S. Laszig
DSL Direct LLC

Have you ever been redirected to a checkout page when you shop online? Transitions are not always smooth, and the bad guys know it. Criminals know we're accustomed to seeing pop-up screens at checkout, and their man-in-the-middle attacks exploit this vulnerability. These attack vectors are hard to detect, look legitimate and can shape-shift in seconds, security experts warn.

David Ellis, vice president, investigations at SecurityMetrics, said checkout shopping cart environments are fertile territory for emerging fraud schemes. Popular methods involve third-party hosted content providers and content support services. A recent investigation of a scrolling ad network showed payment card data was lost each time one of the ads appeared on a screen.

"A criminal could exploit an SQL vulnerability and inject a website with malicious Java scripts," Ellis said. "Content security policy tools are costly and require a high level of expertise to configure and use. They do an adequate job of filtering content, but alerts are based on documented vulnerabilities and are no match for emerging fraud schemes."

Let the old ways die

Like Jason Isbell's song, "Maybe it's time," in the 2018 movie A Star is Born, maybe it's time to let the old ways die and find new ways to safely transact on the Internet. Let's look beyond the security lock icon or IP address at the top of a web page. They hardly tell the whole story. Tim Bedard, director of security and product marketing at OneSpan said, "IP addresses are nice, but in this day and age, they can be easily spoofed and bounced around the world several times."

Bedard has seen cases where criminals intercept text messages from banks and spoof mobile phone addresses to respond on behalf of end-users and redirect their funds. Citing Javelin's 2019 Identity Fraud Study, he noted mobile phone account takeovers rose from 380,000 in 2017 to 679,000 in 2018. Additional targets include mortgage accounts, student loans, car loans, and demand deposit and credit card accounts. Across this broad attack surface, cybercrime is accelerating, with year-over-year growth in credit card fraud, he stated.

"We need to look at transactions in real time across digital channels and challenge or provide the precise level of security at the right time," Bedard added. "Ten years ago, credit bureaus provided adequate protections, but their technology is based on static data. If the forms are not updated at the credit bureaus, criminals can easily defeat knowledge-based authentication."

Just add water

Like the 1984 comedy horror movie, Gremlins, identity theft and online attacks can appear to be playful furry creatures but be devious monsters underneath. With WarnerMedia planning to release an animated Gremlin series this year, it's clear the film's underlying message still resonates with audiences. What do we really know about our ever-present digital assistants and smartphones? If they start to talk back or give questionable driving directions, it may be time for a software update and dynamic security tools.

"Malicious scripts can morph inside a CSP [content security policy] database, and the smallest of changes will defeat the CSP," Ellis said. "This is prompting some companies to implement subresource integrity validation. These tools check content served by third parties and provide a hash of a clean version. Before content is loaded on a site, it is checked against the hash."

The past 18 months of EMV adoption have made it harder for criminals to access card-present environments, Ellis continued. In 2017, 80 percent of ecommerce payment pages were modified, reflecting efforts to address a massive uptick in CNP fraud. Describing payment pages as dynamic environments, Ellis said final integrity monitoring tools can deter criminal activities.

"Fraudsters are getting into ad networks and mounting sophisticated attacks," Ellis said. "They create an entire ad or fictitious call center where you can't reach anyone, while injecting malicious code into JavaScript. They build tools and get networks to take their ads. As investigators, we see these attacks firsthand."

Web skimmers

Jérôme Segura, head of threat intelligence at Malwarebytes, mentioned criminals use iFrame attacks to inject content in payment forms. Consumers can sometimes spot the attackers if they insert content that doesn't fit into the form.
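
The subresource integrity check Ellis describes earlier (a hash of a clean version, compared before third-party content is loaded) can be sketched as follows. This is an added example, not code from the article or from SecurityMetrics; it assumes Node.js, and the function names and the sample script are constructed for illustration. It goes slightly beyond the quote by handling an integrity value that lists several hashes, where only the strongest algorithm counts.

```javascript
// Added example: SRI-style verification in Node.js (not from the article).
const crypto = require('node:crypto');

// Algorithms permitted by the SRI specification, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Build an integrity value ("sha384-<base64 digest>") from a known-clean copy.
function computeIntegrity(body, algo = 'sha384') {
  const digest = crypto.createHash(algo).update(body).digest('base64');
  return `${algo}-${digest}`;
}

// Parse an integrity attribute: whitespace-separated "<algo>-<base64>" tokens
// with an optional "?options" suffix. Unknown algorithms are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((token) => {
    const [hashExpr] = token.split('?');
    const dash = hashExpr.indexOf('-');
    return {
      algo: hashExpr.slice(0, dash).toLowerCase(),
      digest: hashExpr.slice(dash + 1),
    };
  }).filter((e) => STRENGTH.includes(e.algo) && e.digest.length > 0);
}

// Verify a fetched body the way a browser does: only the strongest algorithm
// present is considered, and any digest listed for it may match.
function verifyIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable metadata: nothing enforced
  const best = entries.reduce(
    (a, e) => (STRENGTH.indexOf(e.algo) > STRENGTH.indexOf(a) ? e.algo : a),
    entries[0].algo
  );
  const actual = crypto.createHash(best).update(body).digest('base64');
  return entries.some((e) => e.algo === best && e.digest === actual);
}

// Constructed sample: a clean third-party script and a copy changed by one byte.
const cleanScript = 'function renderAd(el){el.textContent="Sale";}';
const changedScript = cleanScript + ' ';
const pinned = computeIntegrity(cleanScript); // value for integrity="..."
```

An integrity value whose algorithm name is mistyped or unsupported enforces nothing, so it is worth validating the attribute at build time as well.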