Fraudsters, anticipating the U.S. shift to EMV security at the point of sale, are busy looking for ways to hack into the e-commerce sites and consumer bank accounts that will be unaffected by the change in payment card security.
Time is of the essence; on Oct. 1, the card networks will enforce a liability shift for almost any company not able to handle EMV-chip card payments (gas stations have an extra two years).
Since many merchants will not be EMV-compliant at the exact time the deadline hits, there may not be an avalanche of e-commerce fraud right away, but criminals are already testing the ways in which they can use the Web to steal card data and cash out, said John Canfield, vice president of risk for e-commerce payment technology provider WePay.
"One direct way to monetize is to buy something on Amazon with a counterfeit card and then resell that product," Canfield said. "But they are taking it a step farther in setting themselves up as fake sellers."
WePay serves crowdfunding sites, e-commerce marketplaces and small merchants, giving it a close-up view of fraudsters' activities.
In the "fake seller" scheme, the fraudster behaves like any other online merchant and may establish accounts with multiple e-commerce sites. After becoming a "seller," the fraudster will pay for the fake items on the site with stolen cards, essentially paying himself, Canfield said.
"They get that money onto a prepaid debit card, go to the ATM and withdraw the cash," Canfield added.
It's a growing problem because so many marketplaces are catering to people who established themselves as online merchants after losing their office jobs during the recession, and thus are making it harder to spot the fraudsters among the many new sellers with little business history.
Other fraud tricks include trying to overpay for a product with stolen credentials, and then getting cash back as a partial refund, Canfield said.
As EMV security makes it harder to skim card details at the point of sale, fraudsters will increasingly target any type of account created online, Canfield said
"There is a lot of risk associated with the transition from the physical world to online when filling out an account application," Canfield said.
Much of the supposed "secret information" such as Social Security numbers, phone numbers and e-mail addresses are readily available to hackers finding a way onto networks where applications are filled out, Canfield added.
Complicating things dramatically are findings this week from security vendor and researcher Trustwave, which discovered a malware operation affecting up to 27,000 computers daily. An estimated 1.3 million computers are already infected with the malware known as RIG 3.0, which attaches itself to e-commerce advertisements. As computer users click on those ads, it gives fraudsters a chance to take control of their computers.
Once in, fraudsters can discover personal information and passwords that could give them access to financial accounts.
Experienced hackers will target business accounts, Arseny Levin, the leader researcher for Trustwave's Spider Labs, stated in a blog post about the finding.
The malware finding exposes the bad state of Internet security, said Lane Thames, security research and software development engineer for cyber security vendor Tripwire.
Security vendors have been warning e-commerce merchants for the past few months of the need to change secure socket Web protocols as part of Payment Card Industry security standards compliance.
"Malvertising campaigns exploit a number of systematic weaknesses within the Web's ecosystem," Thames stated in an e-mail. "Scale is an issue here because one successful penetration of an ad system leads to a huge payoff in terms of the total number of victims who can be attacked via malicious ads."
Security vendors are encouraging merchants and consumers to be vigilant when clicking advertising links, while keeping software patched and updated.
At the detection level, WePay's Canfield said his company focuses on the social media profile of a fake seller or fraudster attempting any type of scam, as well as the details of the invoice in fraudulent purchases.
"We are able to track many of these illegal purchases by the way the invoices were worded," Canfield said. "There are a lot of clues in those invoices and we are able to differentiate a good scenario from a bad one."
A fraudster setting up a fake fundraising effort on Facebook may have established the profile only a day ago, with very few or no friends on the site. "Most people who use Facebook have hundreds of friends, and that's hard for a fraudster to duplicate," Canfield added.
Also, if the fraudster is able to get a large payout on a fake site, WePay looks for links on that Facebook site to the actual cause or charity for which the funds are being raised. A site without that link is a red flag.
"We can do a lot with a digital footprint, sometimes just an e-mail address, to determine what else that address is associated with," Canfield said.
Ultimately, the payments industry has plenty of case studies and a clear understanding that the pace of fraudulent online activity picks up when EMV halts counterfeit transactions at the physical point of sale.