Visa as gumshoe: How the card network tracks fraud to its source
There’s an adage in business and war that goes, “The best defense is a good offense.” This is the philosophy that Visa is deploying against online fraud.
When an incident occurs, Visa, along with the affected merchants and banks, will examine how it happened, the extent of the damage and what can be learned from it. However, Visa has decided to take it one step further by pursuing the online criminals to prevent future fraud. Visa also works with law enforcement agencies to quantify potential losses and, where possible, assist in the threat mitigation.
In one instance, Visa was able to locate the actual buildings where the fraudsters were operating, according to Penny Lane, vice president of payment fraud disruption in the global risk group at Visa.
“We look for digital fingerprints and follow the attackers," she said. "I want to make it tougher for the criminals. It’s more than just not being the low-hanging fruit."
Lane spoke during SourceMedia's PayThink conference in Austin last week.
The idea of following cybercriminals is not necessarily new, but it is unique in that this is not a one-time exercise for the company. Rather, Visa has decided that if it is to effectively mitigate online fraud, it needs to identify the parties before they find more victims.
However, others may question if the pursuit of criminals is a worthwhile endeavor. It might be best to devote those resources to identifying — and blocking — fraud during actual e-commerce transactions.
“The efforts need to be focused on stopping fraud before it happens by intercepting fraudulent transactions when a merchant unknowingly submits it for approval. That’s the biggest help that the card networks can provide," said Tim Sloane, vice president of payments innovation at Mercator Advisory Group. "While chasing down fraudsters sounds good, the networks need to remember their role in the transaction and improve their ability to spot fraud as it’s happening.”
While transactional fraud can occur in milliseconds, the fraudsters behind those schemes are less nimble.
“It requires many steps and involves numerous individuals," Lane said. "For example, it can take four to six weeks to pull off a cash scam.”
When the Equifax data breach occurred, exposing the credentials of at least 143 million consumers, authorities noted that the breach spanned a three-month period between May and July 2017. The details of a recent breach at British Airways, which exposed payment details on 380,000 transactions, went on for days: between 10:58 p.m. London time on Aug. 21 and 9:45 p.m. on Sept. 5.
In the process of battling online fraud, the results are not always straightforward and don’t always lead to criminal prosecution. Lane commented that sometimes you know who is behind the fraud but you just can’t pursue them, particularly if they live in countries that won't facilitate prosecution.
But that doesn't mean the investigation is fruitless. By identifying the fraudsters and any malware they use, Visa can examine other consumer-facing e-commerce sites for signs of compromise.
“When we look at who conducts online fraud, we see three different sets of actors, each with different motivations," Lane said. "First, you have organized cybercriminals who are in it just for the money. Second, you have the ‘hacktivists’ who are only in it for the attention. They are often responsible for disruption activities such as DDoS [distributed denial of service] attacks. They also steal information and leak it. Finally, you have the nation-states."
The last group is potentially the most dangerous.
"This is state-sponsored cybercrime and they are in it for the long haul," Lane said. "They want to establish a presence. It’s political and often it involves stealing money, but other things as well. The challenge with nation-states is that they have the most money and are harder to disrupt. Everything is more sophisticated and bigger.”