The Paypers, paypers, Insight in payments, News, Reports, Events

Fraudsters change tack – is online accounts data the new gold?

Wednesday 19 September 2018 | 09:30 AM CET

Justin Lie, CashShield: On top of account takeovers, another popular form of fraud attacks on accounts involves the creation of multiple new accounts using stolen genuine user credentials

Could you provide an overview on account takeover status at a global level?

Fraudsters are no longer attacking just merchants on the payments front; as fraudsters become increasingly sophisticated and creative, we see one trend occurring: the rise of fraud attacks on accounts. As noted in the 2018 Identity Fraud Study, account takeover fraud has tripled over the past year, reaching the highest level in the past four years, and resulting in a total loss of USD 5.1 billion for businesses globally.

This is evident as well from the recent increase in data breaches, from the most high-profile Equifax breach, to other breaches involving Panera Bread and MyFitnessPal, where the user’s personal information was leaked, rather than credit card information. Accounts are becoming increasingly valuable, whereby a stolen Uber account can sell for up to USD 30 on the dark web, compared to a stolen credit card number that costs between USD 0.50 and USD 1.

Stolen passwords and account logins may be used for hostile account takeovers on the breached website, where genuine credit cards on file may be used for purchases undetected, or in the cases of e-wallets and loyalty wallets, cash credits or loyalty points can be used or transferred into shell accounts. Even competing websites and organisations may be vulnerable to attacks, as users often share similar passwords and login information across multiple platforms and fraudsters may use the stolen login credentials on multiple websites to maximise the monetisation of the stolen data.

On top of account takeovers, another popular form of fraud attacks on accounts involves the creation of multiple new accounts using stolen genuine user credentials to abuse promotional codes and discounts. Many merchants use promotional codes to attract new users to sign up and make a first purchase, but fraudsters have found these promotional codes as a new way to monetise with the stolen personal information.

Why have credit card details become less valuable to cybercriminals and how do you explain the significant shift of fraudsters to online accounts?

An increasing number of enterprises are building online ecosystems, as well as branching into different services beyond their initial product offering. With the growing connectivity of data, fraudsters can have unparalleled access to multiple services with just one single account, making stolen accounts more valuable than stolen credit card numbers.

A case in point: one Amazon account may be used to access multiple services including Amazon Prime, Alexa, cloud storage, music streaming and more. With one stolen Amazon account login and password, the fraudster would have access to the card-on-file to make purchases, or have access to the user’s information, or worse, in the case of Alexa, spy on the users in their homes. Once a single account is compromised, it would be difficult to have damage control on all possible endpoints that could benefit the fraudster. Fraudsters are becoming creative in their attacks and are no longer simply making unauthorised payments with stolen credit cards, but are also carrying out promo abuse with the creation of multiple accounts, making unauthorised transfer of funds and top-up of credits.

In addition, current methods of fraud protection for accounts are still far behind, especially compared to the systems designed to secure payments. Most enterprises rely on static verification measures such as two-factor authentication (2FA) or multi-factor authentication (MFA). However, such methods are easily bypassed by fraudsters (e.g. via SIM hacks, SIM swaps or advanced phishing techniques) and create unnecessary friction for users. Therefore, fraudsters can carry out their attacks more successfully with a lower chance of getting caught.

What industries are more affected by account takeover and why?

The digital goods industry generally faces the highest risk of fraud, including account takeover, as compared to the physical goods industry. This industry, which comprises products such as game credits, e-gift cards, e-tickets, prepaid services and subscriptions among many others, is especially prone to fraud due to the nature of the goods. As compared to physical goods, digital goods are more vulnerable to fraud, including both payment fraud and account takeover. Gaming accounts, in particular, are especially valuable because they include everything: from attached payment details to in-game virtual assets that the player has invested maybe months or years to amass.

The ridesharing industry has been known to be hit by fraudsters frequently as well, with many Uber users receiving notifications on unauthorised rides in foreign countries. Another interesting phenomenon, as mentioned previously, is that many businesses are now building online ecosystems. This is true for ride-sharing companies Grab and Go-Jek, which have developed their own e-wallet systems that allow users to pay not only for the ride, but also at stores, for food delivery and even P2P transfers. Such ecosystems will be heavily targeted by fraudsters who can profit via different modes of fraud attacks.

On the other hand, the risk of account takeover is lower for subscription-based services. While fraudsters can use stolen credentials to acquire products and services, this is often not as lucrative. Fraudsters want to get in and out fast, with the focus on making quick profits. Taking over accounts and waiting to receive subscription boxes takes too much time, and the risk of getting caught or having the purchases called back before shipping is much higher.

How does CashShield address the issue of stolen accounts?

CashShield takes the approach of preventing stolen accounts from being monetised so as to mitigate the damage done. The system uses real-time active surveillance to assess logins in the background, constantly monitoring accounts for unusual or conspicuous behaviour and filtering out potential threats. This happens passively so the user experience remains frictionless, unlike static verification measures. By detecting if the login behaviour is genuine or part of a coordinated fraud attack, fraudsters are instantly blocked from gaining unauthorised access to stolen accounts.

This is done by deploying a multidisciplinary approach combining passive biometric analytics, real-time pattern recognition and high frequency trading algorithms. CashShield’s fully-automated system analyses millions of data points in real-time, including the user’s typing speed, mouse clicks and swiping patterns, which are then run through our in-house pattern recognition system to identify if the user matches a genuine or fraudulent pattern. Fraudsters often trick systems by making micro-changes in between each login attempt to pose as unique users, which is why it is important to analyse more data to detect and prevent such fraudulent behaviour.

With the multiple points of entry possible for fraud, CashShield provides enterprises with an end-to-end solution to cover all bases – monitoring logins and transactions across multiple channels and devices in real time, at every stage of the process. From front-end filters detecting fraudulent logins to machine automation preventing fraudulent purchases and chargebacks through illegitimate account takeovers, the system defends against fraudsters as comprehensively as possible.

About Justin Lie

Born to be an entrepreneur, Justin started his first venture during the advent of ecommerce and online payments, setting up a cross border ecommerce business whilst still in his teens. When his sites were attacked by the first wave of online fraudsters, Justin devised his own system of rules on whether or not to accept a transaction, which would develop into the more sophisticated CashShield system today. Over several years of R&D, Justin successfully integrated various disciplines from the latest machine learning technologies and financial principles, creating the world’s first full-machine automated fraud management system that functions without any human involvement.

About CashShield

CashShield is a global online fraud management company that helps enterprises manage their risk from fraudulent payments and accounts. Uniquely powered by high-frequency trading algorithms combined with real-time pattern recognition and passive behavioural biometrics, CashShield’s award-winning solution functions without the need for any data scientists or fraud analysts. To date, CashShield has global operations in the US, Europe, China and Southeast Asia.