Fraud Prevention Against Sophisticated Attacks

By PaymentsJournal
May 13, 2021

Cybercriminals have really taken work from home to a new level. Before the pandemic, fraudsters focused their sophisticated attacks (those more complex threats that attempt to mimic humans) on financial institutions (FIs), but with nearly every vertical being forced to move online, these bad actors are truly expanding their horizons.

Retail, streaming, travel, and digital goods are all sectors that have had to up their fraud prevention game to protect against the more sophisticated methods of attacks that have expanded over this last year.

To learn more about basic and sophisticated fraud attacks across all online verticals, PaymentsJournal sat down with Michelle Hafner, SVP of Product Strategy & Execution at NuData Security, and Tim Sloane, VP of Payments Innovation and the Director of the Emerging Technologies Advisory Service at Mercator Advisory Group.

Sophisticated vs. basic attacks by industry

COVID-19 made the world more digital, and with that digitization came many positive results—customer satisfaction, on-demand services, and contactless payments, to name a few. But with more sophisticated technology came more sophisticated cyberattacks. Fraudsters started to act as “business entities,” using specific modes of attack and pooling resources together to carry out more advanced criminal activity.

These attacks are happening across all industries. Sophisticated attacks are able to mimic human behavior to fool traditional bot detection tools by running scripts that show common browser and application behavior. “While the sophisticated attacks are usually lower in volume than basic attacks, they’re much harder for common security tools to detect,” said Hafner.

The bots use techniques such as spoofing locations, pretending to type, and slowing the attack down to more closely resemble human interaction speed. The chart below shows that in the first half of 2020, sophisticated attacks were primarily targeting FIs, with 96% of FI attacks being sophisticated.

[Chart: Sophisticated attacks vs. basic attacks]

Then, the criminals changed their focus and began targeting other industries with these types of attacks, anticipating similar success across verticals. “Not only did consumer behavior shift, but that consumer behavior opened up new vectors of attack,” added Sloane. Aside from financial, the largest percentage of sophisticated attacks occurred during the second half of 2020 in the retail sector. The percentage of sophisticated attacks doubled, from 38% in H1 to 76% in H2. The highest increase from H1 to H2 happened in streaming, jumping from 4% to a shocking 63%.

“During COVID-19 lockdowns, consumers were buying goods online, and the demand for streaming services increased. The attack traffic aligned with how consumers’ purchasing patterns changed, as attackers were trying to maximize their success rates within the industries experiencing high demand, in the hopes that companies wouldn’t be ready to respond effectively,” concluded Hafner.

Sophisticated attacks are coming to town

Fraudsters certainly made their lists and checked them twice because over the 2020 holiday season, there was an increase in sophisticated attacks. Because of the pandemic and subsequent decrease in in-person shopping, the spike in online gift buying started around October instead of its usual end of November kickoff. It is interesting to review this activity to see how consumer behavior changes are reflective of what some might consider as the new normal. 

Most cybersecurity outlets prepare for these spikes, but not all have the capacity to discover sophisticated attacks. Hafner shared a NuData-specific example with the PaymentsJournal Podcast: A sophisticated automated attack at login occurred at a retailer, where a bot was using human work in real time. This attack occurred over a period of several days, with attacks happening hundreds of thousands of times.

“What was happening on these sophisticated attacks was that the fraudsters were going in and testing scripts, so they would present an attack script and attempt to log into a targeted platform like a retailer with a long list of credentials that were bought off the dark web,” explained Hafner. “And if the login attempt failed, the script recorded whether the failure was due to an incorrect credential or a technical problem that may have triggered a detection tool, such as the login attempt taking place before the page is fully loaded.” When the login inevitably fails because of a technical problem, the scripts know and repeat the attempt with the same credentials.

“That’s a simple way in which an attacker can optimize the list of credentials to get accurate results.”
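The retry pattern described above leaves a trace a defender can look for in login telemetry. The following is an added example, not NuData's method or code from the article: it groups constructed login events by a client identifier and reports clients that try many accounts with a low success rate, counting early submits and same-credential retries after a technical failure as supporting evidence. The event fields, the `client_id` fingerprint and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data):
# (client_id, username, outcome, page_loaded)
# outcome is "ok", "bad_credential", or "technical" (rejected before the
# credential check, e.g. the form was submitted before the page finished loading).
EVENTS = [
    ("c1", "alice", "ok", True),
    ("c2", "bob", "bad_credential", True),
    ("c2", "bob", "ok", True),
    ("c9", "u001", "technical", False),
    ("c9", "u001", "bad_credential", True),   # same credential retried
    ("c9", "u002", "bad_credential", True),
    ("c9", "u003", "technical", False),
    ("c9", "u003", "ok", True),               # same credential retried
    ("c9", "u004", "bad_credential", True),
    ("c9", "u005", "bad_credential", True),
]

def summarize(events):
    """Aggregate per-client counters from an ordered event stream."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0,
                                 "early": 0, "retries": 0, "pending": set()})
    for client, user, outcome, page_loaded in events:
        s = stats[client]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += outcome == "ok"
        s["early"] += not page_loaded
        if user in s["pending"]:          # previous try for this user was technical
            s["retries"] += 1
            s["pending"].discard(user)
        if outcome == "technical":
            s["pending"].add(user)
    return stats

def flag_clients(events, min_users=4, max_success=0.25):
    """Return clients that hit many accounts with a low success rate."""
    flagged = {}
    for client, s in summarize(events).items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success:
            flagged[client] = {"accounts": len(s["users"]),
                               "success_rate": round(rate, 3),
                               "early_submits": s["early"],
                               "retries_after_technical": s["retries"]}
    return flagged

if __name__ == "__main__":
    print(flag_clients(EVENTS))
```

Grouping by source IP alone would miss traffic spread across many addresses, so the grouping key here stands in for whatever device or session fingerprint the platform already collects.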

Additionally, fraudsters will hire human workers for a small fee to solve CAPTCHAs. They also harvest payment information.

Fortunately, out of all of the attempts made, 99.9% were mitigated by NuData’s solution in real time. And with behavior learned by AI, successful mitigation of these future attacks happens at an even higher rate.

Sophisticated or basic: What’s the difference?

[Figure: Example of a sophisticated attack flow]

We know that there are basic and sophisticated attacks happening, but what’s the difference between the two? “Sophisticated attacks are typically lower in volume than basic attacks, but they’re much harder for common security tools to detect,” said Hafner.

They take a layered approach, and in order to execute them effectively, bad actors must have the ability to scale complex attacks. The bots are mimicking human behavior while also using some form of human interaction. A company called 2captcha.com is making ‘work horses’ easily accessible to fraudsters. This means that someone can go to this site, create an account, and solve one CAPTCHA after another while getting paid to do so. Hafner calls this a game-changer for hackers, and expects it to make hybrid scripted human attacks grow in popularity.

In regards to login attacks, many of the login attempts have the incorrect credentials. However, in the first half of last year, 1.4% of login attempts were executed appropriately. In the second half of 2020, that number nearly doubled to 2.6%. “That’s a huge jump in what we were seeing from actual credentials that were legitimate credentials,” added Hafner. “And it’s probably a consequence of COVID scams and the data breaches that we have seen in 2020.”

The ability of fraudsters to generate losses is higher today than ever before. Fortunately, 48% more consumers are concerned about data privacy today compared to a year ago, so it’s clear they’re becoming more aware of how their data is being used and consequently expect a higher security level.

“So, together with an increasingly sophisticated breed of attacks, comes higher end-user sensitivity and an expectation and responsibility for companies to protect consumers. Companies can and should offer this security to them,” concluded Hafner.

A warning for 2021

According to the data from a report by NuData, it is clear that sophisticated attacks are no longer going steady with FIs; they’re happening across every vertical. The traffic volume is trending toward marketplaces with high-demand products, where fraudsters can steal those goods and then sell them on an open market.

“The data that we saw is really where you would expect, where retailers are getting a lot of the sophisticated attacks, digital goods were increasing, and streaming was increasing,” said Hafner.

NuData is always mindful of how it can protect its consumers, leveraging its passive biometrics and behavioral analytics technology to protect different industries across the different user touchpoints. Figuring out a company’s biggest security gap is the first step in mitigating fraud, and a layered sophisticated approach is the best way to catch the nuances of these complex attacks before it’s too late for the company and for the end user.
