Cybercrime is now a war of machine vs. machine
As companies invest heavily in artificial intelligence and other high-tech defenses, it is becoming more apparent that criminals are investing in equally powerful technology.
It has morphed into a "machine vs. machine battle" as security firms turn to cloud-based networks, AI and machine learning techniques — and organized criminal networks are using the same tools to mine massive amounts of stolen data and piecing together fake accounts that are increasingly difficult to identify.
In all, there were 3 billion bot attacks and 103 million mobile attacks in the ThreatMetrix cybercrime report for the last six months of 2018. This is part of an ongoing shift from desktop attacks to mobile as a favored platform for targeting e-commerce merchants.
"Technology has evolved so much over the past year, the fraudsters have the ability to really scale up their activity and bring machine learning to the huge amounts of data out there," said Michael Yeardley, senior director of fraud and identity at LexisNexis Risk Solutions. ThreatMetrix operates as a LexisNexis Risk Solutions company.
"It means the technology now powers a lot of processes and capabilities to commit fraud at mass volume and a higher scale of activity," Yeardley said.
That can be translated to much of what merchants and consumers hear about malicious chat bots that can dupe consumers into providing personal information; machine learning algorithms generating social engineering attacks on customer data; internet of things devices being taken over to spy on human interactions; or networked fraud rings and bot armies targeting multiple industries worldwide.
Of the 17 billion e-commerce transactions ThreatMetrix processed between July and December of 2018, 61 percent originated from a mobile device. In addition to the bot and mobile attacks, the network also stopped 244 million human-initiated attacks.
"The real challenge is that the fraudsters have a set of credentials in which to provide information about a person," Yeardley said. "There is a massive amount of data, but it is not about having just one data point on each person."
The strength of fraud prevention lies in an ability to generate "tens of hundreds of data points" on a person that provide more information than the criminals can obtain, Yeardley added.
"It is information on things like how and when they log on, how long it generally takes them to do so, and what their habits are," he said. "It protects an organization by knowing more about their customer, understanding them and protecting them."
The ThreatMetrix network saw 39 percent of its e-commerce transaction volume center on payments, while 58 percent involved account logins, whether financial or social media. New account creations accounted for 3 percent of the transaction volume. Conversely, 2.6 percent of the e-commerce attack rate was on payments, 4.9 percent on account logins, and 14.4 percent on new account creations.
While bot attacks are increasing because they are a simple, automated way for fraudsters to probe weak areas in a network or a consumer's own safeguards, they don't always equate to successful theft of data. But even unsuccessful attacks can damage an e-commerce merchant.
"When that volume of bot attacks hits an e-commerce merchant website, we have seen it represent up to 90 percent of a merchant's daily transaction type," said Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions. "They may not be successful attack attempts, but it can have an impact on the merchant's ability to take and process customer orders."
As mobile transactions increase at more than 60 percent of e-commerce traffic, and fraud attempts against mobile increase as well, it is still a safer way to make a transaction than through a desktop, Moody said.
Mobile transactions generally provide more safety measures through single-use tokens, smartphone secure elements, user authentication through biometrics, and device identification.
"But fraudsters are looking at this shift as well and saying they can hide beneath a sea of large-volume transactions in mobile, and use stolen credentials to their best effect," Moody added. "It will be one of the most interesting shifts in the next year to 18 months."
And it was off to a dangerous start in the 2018 holiday season, in which ThreatMetrix reported fraudsters used 20 million stolen account credentials in bot attacks to attempt bad transactions starting on Cyber Monday and through the following week. Those bots originated from the U.S., Vietnam and China.
That same tactic came into play against banks, as one financial institution saw an increase in attacks on new loan applications from 13 percent to 60 percent on Black Friday.