How data predicts a breach
There is a visible shift in attack patterns immediately following a breach, from initial attacks focusing on high-value loan applications at online lenders to low-value identity testing on charities and social media sites to determine if a stolen credential will work.
Daily attack rates hit their highest mark in three years in July of 2017 at close to nine percent of all transactions, according to ThreatMetrix. This could be in line with the breach at Equifax, which took place from mid-May through July — or it could be something that has yet to be disclosed.
ThreatMetrix says its fraud network detected and stopped 171 million cyberattacks during the third quarter of 2017, nearly doubling the amount it detected two years earlier. The network also stopped 450 million bot attacks, predominantly originating from developed economies and focusing on identity tests and automated attacks.
"The attack patterns are more intense than ever," said Vanita Pandey, vice president of product marketing at ThreatMetrix. "And it's not because people are making data available too easily; the attackers already have that data. This is a 'refresh,' seeking to get new data and it results in the peaks of attacks."
ThreatMetrix estimates it analyzes up to 2 billion transactions a month, with most being consumer logins, loan applications or e-commerce payment transactions. About 51% of these transactions came from mobile devices in the third quarter, the first time mobile use was higher than desktop computers for initiation, ThreatMetrix said in its third quarter e-commerce cybercrime report.
The sort of spike reported in July should set off alarms for the entire financial services and payments industries, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"I remember being skeptical when they showed me the report in Q2 and tried to attribute the big spike in attacks at the end of May to WannaCry," a malware attack, Conroy said.
"Now it’s obvious that spike was due to Equifax, which begs the question—is there a breach we don’t know about yet that’s responsible for the spike that the chart shows at the end of July?" she asked.
The increase in transactions over mobile devices has caught the attention of fraudsters.
"Mobile has more engagement and is an easier way for banks to engage with customers, thus we are seeing two to three times the number of logins off mobile compared to desktop with banks," Pandey said. "Fraudsters are realizing this is a good place for account creations."
Once a new account is created through stolen credentials, the criminal can download new apps on the phone and test if they same login will work for other accounts a consumer holds, Pandey added.
"They can call a customer and confirm a phone number for an account, then steal the credentials and then call the bank to put a new number on the account," Pandey said.
The payments industry can no longer point to the presence of EMV chip cards at the physical point of sale as a key factor in an onslaught of e-commerce fraud. The fraud trend has as much, or even more, to do with the advancements fraudsters are making in their own technology to deliver attacks at scale.
"We call it cybercrime in a box," Pandey said. "It is so easy for anyone now to try to become a criminal. You can go on the dark web and learn how to steal a card or identity, and it's not just fraudsters sitting in a basement. They are everywhere and they can look just like anybody else."
The key categories of attack remain device spoofing, in which fraudsters are deleting browser settings or clearing cookies when placing fraudulent malware on an app on a device that will duplicate a consumer's device settings. Any action made with the phony device settings appears to be coming from the owner of the original device.
Another technique is called ID spoofing, in which an identity such as a credit card or account password is stolen, and the fraudster simply pretends to be that person.
With Internet Protocol spoofing, the fraudster is looking to hide his location, making it look like their attacks are coming from somewhere else less likely to be considered suspicious.
All three of those vectors saw increases in the number of attacks during the third quarter. The use of bots fluctuated, depending on the bot size and frequency of attacks and any correlation to a recent data breach.
For every transaction type in every industry, fraudsters will find something of value, she said. They can use fake IDs to seek loans, or get onto a social media or email account and pretend to be somebody they are not, Pandey added.
It is not unusual for a fraudster to take over the email account of a mortgage lender or real estate broker, and send a fake email to a customer requesting a $15,000 check be sent to a certain address as a downpayment, Pandey explained.
In that scenario, the excited would-be homeowner might be inclined to send the money without double-checking with their lender or agent.
"The fraud network is more connected than we realize, and you never know where it will show up," Pandey said. "They determine your most likely most-used words and use them to try random passwords to get into accounts."
And that's the defense layer that needs the most work, if data security vendors and their clients can ever expect to stem this growing trend of cyberattacks, Aite's Conroy said.
"I’ve been feeling for some time that we keep falling farther behind in this war," Conroy said. "I think we can win, but it will require a paradigm shift away from passwords and static identity data—we’re still a ways away from that, unfortunately, especially in the U.S. market."