Crooks are using 'human-like' digital features to thwart fraud guards
Cybercrime has become harder to fight as it becomes more sophisticated. Criminals have deployed technology that can infiltrate a consumer's personal computer, copy parts of the underlying hardware, and mimic the typing speed, style and other computer habits of the user.
The holiday shopping season brings high awareness of fraud potential, especially with the growth of online and mobile transactions.
But the holidays represent an easy mark for fraudsters, a time in which they can accomplish what they need to through fairly basic attack methods with stolen accounts and payment credentials.
Of increasing concern are accelerated attacks that can bypass many machine-learning and artificial intelligence defenses, and also increase the speed at which stolen payment credentials can be tested and quickly sold on the Dark Web, according to new research from Mastercard's NuData Security.
In the past year alone, attacks that could be defined as highly sophisticated rose to 62% of all attacks by October, after starting 2019 in a range of about 20%.
This goes hand-in-hand with a drop-off in spoofing, or the basic practice of changing device information to try to fool security measures. Spoofing has declined from 60% in 2018 to 2% in 2019. Nearly every fraud defense platform has anti-spoofing tools, so fraudsters have moved on to something more insidious.
"Fraudsters are trying to get past AI or machine learning and in order to get past those protections, they have to look more human," said Robert Capps, vice president of market innovation at NuData. "This is just the beginning of this new attack, and we are starting to see cyber criminals realizing they have to emulate real humans and get more precise with their attacks."
The fraudsters deploying sophisticated attacks are looking for quality rather than quantity. "The more advanced techniques are made to use against large organizations with the most value to be derived," Capps said. "That tends to be financial institutions and large retailers who have products that can be shipped and resold."
Because more banks and large businesses have bot detection and machine-learning technologies in place to thwart basic fraud attacks, the fraudsters are finding ways to bypass those challenges. In some cases, they have created human-like algorithms; in others, they simply create "human farms" in which they pay workers to type out the required information on a device. Those workers are paid per completed task, whether it is a login, a posted review or creation of a new account, the NuData research noted.
The NuData research covered 2019 through October, highlighting Valentine's Day and other times on the calendar when fraud activity was high. September was cited as a month in which fraudsters target banks.
"While I have heard about some of these replay attacks, I think they are still few and far between," Julie Conroy, research director and fraud expert with Boston-based Aite Group, said. "Fraudsters look for profitable outcomes, and there is so much low-hanging fruit out there for them to go after that we still aren't seeing a ton of these attack vectors."
However, awareness of the sophistication trend "reinforces the common wisdom and best practice that any single-point solution can be bypassed," Conroy added. "So, a layered approach to detection and authentication is essential."
NuData's Capps agrees. "We have to be proactive and need to look at emerging issues and understand them before they affect a majority of consumers," he said. "We have to be prepared for the next generation of fraud problems, not the thing that got us last year."
There is some good news. Capps said sophisticated attacks are "very high tech and very movie-plot worthy," but are not easy for a fraudster to pull off.
"Consumers are not going to see this as a big issue now, but it is the way things are headed," he added. "It is the thing that companies like ours are focusing on and asking how we can up our game to deal with these trends that are becoming urgent."
The call for this sort of diligence and risk assessment at financial institutions and businesses is likely to increase, especially after the current holiday shopping season, which got off to a fairly rugged start in terms of fraudulent transactions and attacks.
TransUnion's Iovation company reported earlier this month that suspected online retail fraud rose 29% compared to last year in the days between Thanksgiving and Cyber Monday. When comparing over a two-year period, the e-commerce fraud spike is 60%.
The percentage of suspected fraudulent e-commerce transactions spiked to 26% on Black Friday, and 22% on Cyber Monday. Approximately 57% of those transactions originated from China.