Data breaches have been a hot topic this year, as the Covid-19 pandemic has seen an increase in fraud and other cyber attacks across the board, for both consumers and businesses.
Tonia Luykx is VP of EMEA Sales at Sift, a provider of solutions to help combat payment fraud. Having previously held roles at Amazon, Dropbox and Google, Tonia is currently focused on building Sift's strategic partnerships across the EMEA region.
Here she shares her thoughts on data breaches and the fraud supply chain.
2020 broke sales records for e-commerce and, unsurprisingly, fraudsters went to work as well. According to Sift's Q4 2020 Digital Trust & Safety Index, between March and August, physical e-commerce (businesses that sell physical goods online) saw a 378% jump in account takeover (ATO) fraud. ATO attacks, where fraudsters acquire legitimate user data to take over online accounts, simply don't happen overnight and can usually be traced to information stolen from a data breach. But how does a data breach fuel ATO? It's all possible because of the fraud supply chain.
Fraud Supply Chain
First, it's important to understand that data breaches are a means to an end. Information like usernames or passwords arms bad actors with enough details to execute more sophisticated attacks, which together create a fraud supply chain. These attacks are interconnected and self-supporting: they are powered by breaches and pave the way for more complex attacks such as phishing scams and ATO.
While a data breach on its own might not be enough for cybercriminals to execute immediate attacks, simple credentials, such as an email address, can help fraudsters create phishing schemes. The additional pieces of information taken from small breaches allow fraudsters to personalise content, which makes their scams more believable and ultimately convinces the target audience to share even more details about themselves or their account.
Coordinating Account Takeovers With Compromised Credentials
Once fraudsters have enough information, they can leverage stolen credentials to break into one or multiple accounts. After all, despite warnings, most individuals' account credentials are not differentiated. A password for one account potentially grants access to many. This opens the door to a variety of opportunities, including exposure to payment information, the ability to open new accounts with similar credentials, and access to post fake or malicious content to victims' personal networks.
Siphoning Money and Assets Through Payment Fraud
Payment information is the holy grail for fraudsters. Payment fraud typically begins with card testing through the purchase of low-value, low-effort items. If successful, criminals know the payment information is valid and usable to purchase goods to keep or resell, or to buy more data on the Dark Web. Sift recently discovered a notably sophisticated fraud ring in Russia that tested dozens of credit cards and digital wallets by posting fraudulent content listings on an e-commerce marketplace.
Breaking the Chain
The extent of the fraud supply chain is overwhelming, but not insurmountable. With a playbook of internal and external controls, fraud prevention teams can identify and stop many of these scams.
For security teams, email protection is critical and must lean on a layered approach. Standards like email authentication and Domain-based Message Authentication, Reporting and Conformance (DMARC) are imperative to protect employees, stakeholders, and customers from unauthorised usage.
Secure email gateways (SEGs) and phishing awareness training also help avoid external threats. For example, fraudsters often play to consumer emotions and fears, a reason why we’ve seen phishing attacks accelerate amid the pandemic. Recent phishing schemes include cybercriminals impersonating health officials and agencies seeking consumer information to facilitate fake virus testing or contact-tracing initiatives.
There is no solution for managing what users click on, believe and fall for outside of your platform. But when these bad actors show up, you can take control back. Two-factor authentication (2FA) adds friction when someone is trying to gain unauthorised access into an account and notifies users when suspicious account access has been detected.
Businesses dealing with payments can leverage a holding period before funds can be transferred, and review transactions that seem anomalous, like amounts outside of the user’s normal activity or transfers into a new account.
Finally, advanced velocity checks can detect changes in typical user behaviour, whether in purchase volume, device or payment method. These checks account for natural changes in customer behaviour, providing a seamless shopping experience while preventing fraud.
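The holding-period review and velocity checks from the last two paragraphs, sketched as an added example (not Sift's code or product logic). The thresholds, field names and the sample events are assumptions constructed for illustration; `replay(SAMPLE)` returns one `(action, signals)` pair per event.

```python
from collections import deque
from statistics import median

WINDOW_S = 600      # assumed velocity window (seconds)
MAX_IN_WINDOW = 3   # assumed number of attempts tolerated inside the window
AMOUNT_FACTOR = 5   # assumed: amounts above 5x the account median are unusual

# Constructed sample events for one account: (ts, amount, device, method, dest)
SAMPLE = [
    (0,      20.0,  "d1", "card_A",   "shop"),
    (86400,  35.0,  "d1", "card_A",   "shop"),
    (172800, 25.0,  "d1", "card_A",   "shop"),
    (300000, 28.0,  "d2", "card_A",   "shop"),      # customer's new phone
    (400000, 900.0, "d9", "wallet_X", "acct_new"),  # takeover-style transfer
    (500000, 1.0,   "d1", "card_A",   "shop"),      # burst of small purchases
    (500060, 1.0,   "d1", "card_A",   "shop"),
    (500120, 1.0,   "d1", "card_A",   "shop"),
    (500180, 1.0,   "d1", "card_A",   "shop"),
]

def new_profile():
    return {"amounts": [], "device": set(), "method": set(), "dest": set(),
            "recent": deque()}

def decide(profile, event):
    """Return (action, signals) for one event and update the account baseline."""
    ts, amount, device, method, dest = event
    attrs = (("device", device), ("method", method), ("dest", dest))
    recent = profile["recent"]
    while recent and ts - recent[0] > WINDOW_S:   # drop attempts outside window
        recent.popleft()
    signals = ["velocity"] if len(recent) >= MAX_IN_WINDOW else []
    if profile["amounts"] and amount > AMOUNT_FACTOR * median(profile["amounts"]):
        signals.append("amount")
    for name, value in attrs:
        if profile[name] and value not in profile[name]:
            signals.append("new_" + name)
    # One changed attribute is treated as natural drift; a burst, or two or
    # more signals together, puts the funds on hold for manual review.
    action = "hold" if "velocity" in signals or len(signals) >= 2 else "allow"
    recent.append(ts)                  # every attempt counts toward velocity
    if action == "allow":              # held events never train the baseline
        profile["amounts"].append(amount)
        for name, value in attrs:
            profile[name].add(value)
    return action, signals

def replay(events):
    profile = new_profile()
    return [decide(profile, e) for e in events]
```

The new phone alone passes without friction, while the large transfer from an unseen device, payment method and destination is held, as is the fourth low-value purchase inside ten minutes.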
As data breaches multiply, giving more ammunition to cybercriminals, organisations must adapt their security procedures accordingly. It is only then that companies will stand a chance of breaking the chain and thwarting the vicious cycle.