Online crooks are getting more sophisticated by the second. Nowadays, fraudsters have the ability to conduct “clean fraud,” obtaining legitimate identities of users from the black market or data breaches to compromise a victim’s card account. Malware, too, is becoming more sophisticated in both the mobile and non-mobile space. But how can organizations fight such high-level tactics in such a broad, complex space? John Sarreal, Senior Director of Product Management at 41st Parameter, an online fraud prevention player, sat down with PYMNTS after the recent release of the white paper “Surveillance, Staging, and the Fraud Lifecycle” to reveal the inner workings of a cyber criminal’s mind, what should be done before and after data is snatched, and which aspects of account takeover are the most overlooked and dangerous.
Take us through the mind of a cyber-criminal. What are the most sophisticated tactics used today to capture account information from corporate systems?
JS: The amount of clean fraud that we see with our customers is unprecedented. By focusing on obtaining legitimate credentials and identities, fraudsters are more easily able to bypass traditional controls. This means that fraud tools need to adapt and gather additional attributes to augment their fraud screening. Although the techniques they’re using now to obtain these credentials are increasingly sophisticated, the MOs are still rooted in basic phishing and social engineering attacks.
Fraudsters will use identity information obtained from the black market or data breaches to conduct very convincing phishing attacks that reveal everything needed to compromise a victim’s card account. There’s also increasing sophistication in the use of malware to steal sensitive credentials in both the mobile and non-mobile arenas. In Android, for example, Google recently patched a vulnerability that allows sophisticated malware to impersonate digital certificate signing authorities. This vulnerability allowed the malware to install itself on a mobile device without any user notification or intervention – obviously, a very dangerous attack.
By the time it is discovered that credential information has been stolen, cyber criminals already have the information they need. What can be done then?
JS: What’s most alarming about compromised credentials is that without proper detection mechanisms, a victim will not know that they’ve been compromised. A fraudster can strike at the most opportune time. We’ve written extensively about the dangers of account takeover, and have modeled the lifecycle of an attack, which, after the credentials have been stolen, involves broad reconnaissance on the part of the fraudster, where they do fraud staging. They then set up the compromised account for eventual theft. So essentially, once compromised credentials have been obtained, the fraudster has free rein within that account.
In your opinion, what are the most dangerous and most overlooked aspects of account takeover fraud?
JS: The most dangerous aspect is the over-reliance on relatively simple authentication credentials such as username and password. Although institutions are getting more sophisticated and are starting to adopt authentication methods, most companies still assume that once you get past the front gate, you’re good. You’re given free rein to do whatever you need to within an account. This is dangerous, of course, because we know that authentication systems can be compromised, no matter how strong. And over-relying on login controls without having risk-based authentication measures for additional account activities exposes your account to more fraud.
The most overlooked aspect of account takeover is the tendency to over-correct and install so many controls that authenticating to your systems becomes a nightmare for the customer. By not considering the customer experience trade-offs, an institution can potentially give up its repeat customers or lose business by not making that customer experience as frictionless as it can be.
The best solutions provide appropriate measures of protection without sacrificing customer experience and don’t require onerous user interventions to successfully authenticate.
With so many available solutions in the market designed to make the internet a safer place to conduct business, what makes 41st Parameter different?
JS: We are one of the first fraud prevention solutions to secure commerce online, and we continue to bring innovations to the market to help make the internet a safer place to shop. We pioneered device fingerprinting and offer the first solution to integrate device attributes into our risk engine – and our customers see great fraud results from the approach. In addition, we have visibility into fraud that spans multiple vertical markets and offer fraud solutions that cover the entire customer life cycle, starting with account originations, through logins into those accounts, and finally customer transactions. This fraud screening is offered not only to online merchants but also to the airline industry and financial institutions. This visibility gives us great insights into the various fraud vectors that are exploiting the online channel, and allows us to build rules and methodologies to stop a wide variety of attacks.
How does surveillance actually work and what risk prevention strategies do you recommend to financial institutions, merchants and government agencies trying to keep their accounts from being drained?
JS: Awareness is key to turning the tide against account takeover fraud. Again, surveillance is so insidious because it often goes undetected, yet it is a critical part of a fraudster’s scheme that allows him to conduct the clean fraud that’s so prevalent today. For example, surveillance activities allow a fraudster to know a user’s deposit and withdrawal habits so that they can bucket that account with similar ones to optimize their extraction of funds. Surveillance also provides the fraudster with examples of transaction amounts that represent good behavior that they can model or proxy for the eventual money movement into their own accounts. This could include the time of day or transaction amount factors that let them know how to slip past an institution’s existing controls.
But the best fraud prevention strategy acknowledges account takeover as the threat that it is and puts protection sensors at various places in its online estate. Login monitoring with device intelligence is a great start because it provides visibility into all site traffic, both good and bad. False positives, however, can be difficult to control if your security approach is only focused on the login page. Monitoring the other pages that are typically associated with fraud surveillance and staging is a very effective technique for homing in on the riskiest accounts.
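As an added illustration of the monitoring approach described in this answer (example code, not 41st Parameter's own), the script below scores a session on what it does after login rather than on the login alone, so a new device that only checks a balance stays below the alert threshold while reconnaissance followed by staging changes is flagged. The page paths, device fingerprints, weights and threshold are constructed assumptions.

```python
"""Added example (not 41st Parameter's code): score what a session does after
login, not just the login, so a new device that only checks a balance stays
below threshold while recon followed by staging changes is flagged. Data is constructed."""
# Pages read during surveillance (learning balances/habits) and touched during
# staging (preparing the account for money movement).
SURVEILLANCE_PAGES = {"/account/balance", "/account/history", "/account/limits"}
STAGING_PAGES = {"/settings/email", "/settings/phone", "/payees/add"}
# Hypothetical device store: account id -> device fingerprints seen before.
KNOWN_DEVICES = {"acct-1001": {"fp-aaa111"}, "acct-2002": {"fp-bbb222"}}

def score_session(account, device_fp, pages):
    """Return (risk score 0-100, reasons); additive so each signal stays visible."""
    score, reasons = 0, []
    if device_fp not in KNOWN_DEVICES.get(account, set()):
        score += 40
        reasons.append("login from unseen device")
    recon = [p for p in pages if p in SURVEILLANCE_PAGES]
    staging = [p for p in pages if p in STAGING_PAGES]
    if len(recon) >= 2:  # one balance check is routine; sweeping several pages is not
        score += 20
        reasons.append(f"surveillance pages x{len(recon)}")
    for page in staging:
        score += 20
        reasons.append(f"staging action {page}")
    if staging and "login from unseen device" in reasons:
        score += 20  # unseen device plus staging is the takeover pattern itself
        reasons.append("unseen device followed by staging")
    return min(score, 100), reasons

def triage(sessions, threshold=60):
    """Return [(account, score)] for sessions at or above the threshold."""
    flagged = []
    for s in sessions:
        score, _ = score_session(s["account"], s["device"], s["pages"])
        if score >= threshold:
            flagged.append((s["account"], score))
    return flagged

# Constructed sessions: routine visit, takeover, legitimate phone update, travel login.
SESSIONS = [
    {"account": "acct-1001", "device": "fp-aaa111", "pages": ["/account/balance", "/payments/send"]},
    {"account": "acct-1001", "device": "fp-zzz999", "pages": ["/account/balance",
        "/account/history", "/account/limits", "/settings/email", "/payees/add"]},
    {"account": "acct-2002", "device": "fp-bbb222", "pages": ["/settings/phone"]},
    {"account": "acct-2002", "device": "fp-ccc333", "pages": ["/account/balance"]},
]

if __name__ == "__main__":
    for account, score in triage(SESSIONS):
        print(account, score)  # acct-1001 100
```

Only the second session crosses the threshold; the new-device login that merely checks a balance scores 40 and is not alerted on, which is the false-positive control the answer attributes to looking beyond the login page.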
Download the complimentary white paper to learn more about how risk professionals can protect their businesses and customers from online account takeover attacks. You’ll walk away with three actions that should be considered to help avoid the potential damage that fraudulent acts can cause to your valuable reputation, customer experience and the company’s bottom line.