Keeping yourself protected from criminals can often seem a daunting task. Even the most eagle-eyed person — for instance, a veteran tourist in a crowded plaza thick with professional pickpocket artists — probably lacks the laser focus, determination and experience of those bent on theft and other illegal activities.
That holds true in the digital world, where software, computer and fraud experts operate globally, as part of global networks, using their expertise not only to steal from consumers, financial institutions and other businesses but also to work out how and where to sell payment and consumer ID data without attracting the attention of their targets or law enforcement.
But those illegal marketplaces — often called the “Dark Web” — also present a juicy opportunity for those fighting fraud to detect and even preempt criminal activities that cost businesses revenue and, often, parts of their brand reputation.
In short, financial institutions that set up what amounts to an early warning system for Dark Web activity can find value in that.
To learn more about that opportunity, and that value, and what it all means specifically for issuers, PYMNTS recently caught up with Danny Rogers, CEO of Terbium Labs, a dark web data intelligence company. He talked about how monitoring those relatively underground parts of the web can save banks money and hassle, and why a measured approach to those marketplaces is more pragmatic than hitting them with what amounts to digital artillery.
Dark Web Terms
First, let’s get some terms straight, at least for use among the payments and commerce communities. “‘Dark Web’ doesn’t mean anything,” Rogers told PYMNTS. “It’s a marketing term used to describe unknown or uncharacterized parts of the Internet, and no two definitions are the same.”
For purposes of payments and commerce, it’s best to think of those parts of the web as, in Rogers’ words, “anywhere our enterprise clients wouldn’t want to see elements of their data posted.” Those parts of the web, basically functioning as digital black markets, often involve people using such tools as Tor — software that masks IP addresses to enable anonymous communication over the web — to further protect themselves from the prying eyes of the legitimate world.
Another term to know is “carding” — that’s the catch-all word criminals use for crimes that involve stolen payment card data, Rogers explained. And “fullz” — yes, it does look like a word written by a grade-schooler on the back of a notebook — refers to the “full ID” package sold by criminals, an illicit product that might contain sets of data from payment and ID cards (more about fullz in just a bit).
Early Warning Value
Enough of the basics. The main message Rogers offered PYMNTS during his interview was that banks need to do a better job of monitoring activity on the Dark Web (or whatever term you prefer), and do so more proactively than is generally the case now.
What Rogers called “large bank inertia,” along with other factors that include lack of awareness, funding and technical know-how, can work to create a situation where issuers continue to view payment card fraud as a “mundane cost of doing business.”
But that goes only so far.
An issuer that waits for customer complaints before tackling a specific issue of fraud is already behind in the game — which, itself, can lead to other dangers that go beyond the potentially negative PR, the costs of reissuance and the risk that the affected customers simply start using another payment card.
Stolen data, even when attached to a card that is closed in the wake of fraud, can still be sold to criminals who might then try account takeover — or who could use composite IDs from various victims to build a false ID, gain access to credit and then steal money through there.
A more proactive strategy on fraud prevention — an early warning system — offers value for issuers and other payments players, as well as their customers. By monitoring the Dark Web, technology and experts can determine, for instance, that a batch of stolen card numbers came from a particular issuer. That knowledge, in turn, can help fraud experts and the technology to figure out where the data was stolen from — maybe a specific merchant.
“We can flag (the data) before the cards are put up for sale or even used” by criminals, Rogers said of consumer data protection. “We can do this before anyone takes a loss.”
There is also another danger from too much cost-of-business response — though, to be both fair and brutally honest, this danger won’t show up in balance sheets, and will often be seen as someone else’s problem. Payment card fraud, Rogers said, is often “tied to other crimes, including funding terrorism and human trafficking.” As he sees it, “credit card fraud is the slush fund for much worse stuff.”
Still, he said he doubts that the prospect of credit card fraud keeps many bankers up at night. So the right cybersecurity move is to view such fraud as a step toward bigger fraud attempts. “Banks naively think that when you close an account, you mitigate the risk,” he said. But criminals can “commit follow-on fraud with the rest of the ID information, like tax fraud and account takeover.” And that danger, he said, stands as a reason to proactively monitor those parts of the web where criminals sell their stolen information.
In fact, one of the main recent trends in the world of those illicit online marketplaces is the sale of “fullz” to facilitate such fraud — or, more specifically, “dead fullz,” which refers to cancelled credit cards, not the cards of deceased individuals. According to data from Terbium Labs, dark web vendors are openly advertising listings for dead fullz for as little as $1 per fullz on major dark web marketplaces.
No matter the scale and the ultimate destination of those ill-gotten gains — no matter the use of those slush funds — the fraud problem “is only getting worse,” Rogers said.
One big reason?
The spread of EMV chip cards is “pushing card fraud to card-not-present situations” — a trend fueled by criminals’ use of digital and web technology to scale their operations. “It’s become a much more prevalent, pernicious thing because you are taking the physical portion out and it’s becoming digital.”
So how to fight back, assuming a financial institution and its security vendors want to do more than just consider fraud a cost of business?
It’s human nature to want to hit back hard. In the context of the Dark Web, that mainly means hacking counterattacks directed at those illicit marketplaces — essentially, a massive frontal attack.
That’s the wrong move, at least according to Rogers. “I am not a fan of what they call the hackback,” he said. Such a response can end up harming innocents and create even more chaos. “I don’t think anarchy is the answer.”
A smarter response, he said, is to “use the power of automated intelligence on these dark web marketplaces to gradually get ahead of this stuff.” The idea is to shut down enough activity — and spot fraud attempts early enough so that stolen data is identified and neutralized — to have a “chilling effect” on those marketplaces. After all, a marketplace selling data or dead fullz that don’t end up bringing in a positive ROI will eventually become unattractive to criminals. “You can effectively shut them down without having to resort to hackback activities,” he said.
The fight against fraud will never end, but history does offer this optimistic lesson: the more intelligence you have against your foes, the better you will be able to protect yourself.