As fraudsters continue to evolve their tactics and become more sophisticated in their use of stolen data, fighting fraud is a focus for many organizations who aim to protect their customers, bottom line, and brand. SpyCloud fraud experts Pattie Dillon, Anti-Fraud Solutions Product Manager, and Pete Barker, Director of Fraud & Identity, sat down with Trace Fooshee, Analyst, from Aite-Novarica to discuss:
Here are some highlights from their conversation:
What is Driving Fraud Today?
Trace: We’re seeing new fraudsters in the game as a result of the pandemic, and while they might be unsophisticated in their tactics, they are still able to gain a critical mass of data. I know SpyCloud is constantly analyzing the stolen data you recapture from the criminal underground — what do you see driving fraud these days?
Pete: PII exposures are really driving online fraud. SpyCloud recaptured 15.5 billion credentials and PII assets from the criminal underground last year alone, and these are all pieces of data used to create synthetic identities, open up new accounts, and perpetrate account takeover and online fraud. We also saw that password reuse continues to be a major problem, and unfortunately people’s password habits aren’t getting better. We found 130 million users with the same email address exposed across breaches in 2021 and prior years, as well as a 70% password reuse rate. On average, a user is exposed in 8-10 breaches, so if they’re not taking action, they could continue to get exposed.
Pattie: It really doesn’t even stop with passwords. There’s also a growing threat of malware infections, and malware is one of the most overlooked and hardest to detect types of fraud. It creates a backdoor into systems that logs keystrokes – so when a user is infected, a criminal is able to collect everything they need to steal identities or create identities. It’s a perfect playground for fraud.
Criminals can also buy malware-as-a-service now, and in our own research, we’ve seen a surge in information-stealing malware (or infostealers) like RedLine Stealer, which accounted for 50% of all malware we observed last year. Organizations need to be able to arm themselves with data like malware-infected user records so they negate stolen web sessions, reset passwords, and do the customer outreach that helps level the playing field with criminals for their consumers and themselves.
What is Fueling ATO and Fraud Attacks?
Trace: Are there any specific data assets a criminal needs to perpetrate an ATO or construct an identity?
Pattie: Knowing who your consumers are is foundational to establishing accounts at financial institutions, and being able to detect and predict what a criminal is going to use to bypass your fraud prevention solutions is really important data to understand.
Let’s focus on ATO first. The sooner you’re able to detect the signs of account takeover, the more likely you are to prevent it. The more recent the exposure, the more targeted the attacks and the higher the losses. The older the data is, the more likely it is to be on a combolist that would be used for credential stuffing, so still valuable to a criminal. Criminals need stolen credentials (passwords, email addresses, usernames) to be able to take over accounts. They also use a proxy to hide their IP address and location, and then they can bypass fraud solutions with their device.
Another method is malware and leveraging web session cookies. Most often criminals will use an anti-detect browser that will hide their fingerprint – the criminal appears as the legitimate user and can bypass fraud solutions, even multi-factor authentication (MFA).
From a synthetic identity perspective, assembling both stolen credentials as well as PII and some forms of fabricated information, criminals construct identities to make fraudulent purchases and build credit profiles. Those identities can be used for a single transaction, or to establish a long-term relationship with an org to build trust and credit lines, and then abandon the account after leaving the merchant or credit issuer with losses.
Why is Loyalty Fraud Top of Mind for Fraud Teams?
Trace: Fraudsters will target anything that is even remotely of tangible value, and loyalty points can easily be converted to monetary value. What are your thoughts on loyalty fraud?
Pete: Loyalty fraud was a big opportunity at my past (retail) company, and most of it was tied to an ATO from previous data breaches that customers were involved in. Poor password hygiene drove this as most customers reuse their passwords across multiple accounts, which I think we’re all guilty of. At the end of the day, this drove many customer service calls and also caused issues with margin erosion due to price adjustments to make the customer happy. And, the challenge is about protecting the brand. From a customer’s perspective, they actually thought the company was involved in a breach, but after further investigation, the customer was always tied back to a previous breach (from an unrelated site) and a reused password. I’m confident that these customers also could have had malware or hijacked sessions, but we didn’t have the tools to identify or detect these types of issues.
How Does Recaptured Data Enhance Fraud Prevention Frameworks?
Trace: We all know there is no silver bullet when it comes to protecting your organization and your consumers from fraud. What are your thoughts on the layers of defense for fraud teams looking to enhance their control framework?
Pete: You’re spot on – there’s no silver bullet out there, and we know that traditional identity verification is not enough. There are definitely unidentified gaps. Identity verification solutions do not account for a consumer’s risk of ATO, nor do they account for potential malware infections on their devices, and they don’t provide the confidence that people interacting with your site are legitimate consumers and not criminals leveraging stolen data.
Underground data wasn’t even on the radar of the big fraud platforms until recently, and still today many aren’t using underground data in an actionable way. But SpyCloud does.
Recapturing data from the criminal underground and transforming it into actionable insights and solutions that give enterprises an upper hand is our area of expertise.
Trace: I love that concept of underground data and adding additional data points to your intelligence file of who this persona is that you’re doing business with. We’re having to infer some degree of confidence as to who the identity is we’re having to deal with on the other side of the account or transaction. It’s been my experience that the more layers you’ve got and the better you are at orchestrating all of those signals together and putting them into this meaningful picture of the identity you’re working with, the better off you’ll be.
The interesting direction that fraud prevention is taking is moving from making inferences about identities that we’re working with to where we can almost predict the WHY a consumer is doing what they’re doing. And it’s a really key destination because it’s one of the most important emerging methods available to fraud executives in terms of combatting and mitigating social engineering or scams. You can discern all day long what consumers are doing, but it’s very difficult to infer why they are doing what they’re doing. And it’s difficult to do that unless you have layer upon layer of context around who that persona is and what their patterns of behavior are. So it sounds like this underground data concept is a great way to add contextual information about that persona, specifically in support of the objective of identifying legitimate users, isolating those folks, and giving them a more frictionless path through the experience.
Pattie: When we talked about identity verification not being enough, recaptured data is a complement to the existing layers organizations already have to bring that added dimension and added context to answer the question of why. Especially with malware we see that as it helps criminals bypass traditional authentication measures, wouldn’t it be nice to know that your customer has malware on their device before allowing them to transfer funds or make a significant purchase? There’s so much to add to what you already have with recaptured data.
About Aite-Novarica Group:
Aite-Novarica Group is an advisory firm providing mission-critical insights on technology, regulations, strategy, and operations to hundreds of banks, insurers, payments providers, and investment firms—as well as the technology and service providers that support them. Comprising former senior technology, strategy, and operations executives as well as experienced researchers and consultants, our experts provide actionable advice to our client base, leveraging deep insights developed via our extensive network of clients and other industry contacts.