If fraud attacks are the flu, then the Equifax data breach was a raging fever: a symptom (albeit a dramatic one) of a larger illness that will almost inevitably infect any organization that hasn’t had its shots.
And yet, despite headlines featuring Equifax, Sonic, Deloitte and Whole Foods – and cybersecurity companies consistently preaching that attacks are not a matter of “if” but “when” – many organizations are still not taking fraud prevention seriously. Instead, they’re simply crossing their fingers and hoping they won’t get hit, while at the same time surrendering to the notion that if it will happen eventually, why fight it?
That’s how Bern Ersell, CFO of an international fraud syndicate, sees it – and frankly, the lack of inoculations is making his job very easy.
“Companies treat cybersecurity like it’s a flu shot: They keep delaying it, and hope they won’t get hit,” Ersell told Karen Webster in a recent interview. “Getting hacked is a lot worse than getting the flu. When you get the flu, you don’t lose personal data for millions of individuals; you don’t lose your job and your team’s jobs and you don’t put your company and your career back 10 years. When you get hacked, that’s what happens.”
The Security Love Triangle
Security, Ersell said, is an old business, and it’s still ruled by the same love triangle of warring priorities: security, convenience and resources. He is shocked that organizations have not learned from past mistakes, and how they continue to choose convenience and resources (i.e. saving money) over security.
Ersell suspects they would choose differently if their lives depended on it. People accept the inconvenient and costly screenings they must endure before boarding an airplane because they know those measures are in place to protect them.
“There, you take it seriously,” said Ersell – so why not in the protection of personal data? If people can accept long lines at the TSA and the occasional sore arm at the Minute Clinic, why can’t they accept an extra layer of authentication when using their credit cards online or the need to update their passwords more frequently?
Webster noted that she always gets her flu shot, but sometimes she still gets the flu. She also changes her passwords regularly. Can fraudsters still take over her accounts?
“Of course we can,” Ersell claimed with an eerie confidence, “but you’ve made yourself a more difficult target, which reduces your chances of being hit and the severity of potential loss.” Ersell explained that fraudsters come in different strains: They don’t all do the same thing, so they may get snared in one security net while sliding through another. Ersell’s organization specializes in credit card and eCommerce fraud (including account takeover), which calls for different skills and strategies than, say, hacking into merchants’ websites.
Beyond better initial defenses, Ersell claimed that organizations that take cybersecurity seriously will also have rapid response and recovery plans in place. They are aware of the risks and the potentially devastating effects to their businesses, so they prepare more than one backup plan, with safety nets and fail-safes to help them recover quickly and minimize the damage of any potential hit.
Having worked his way up through the ranks of his organization, Ersell shared some of the methods he’s honed over the years, which merchants and online shoppers would do well to bear in mind as retail’s flu season, or holiday rush, approaches.
Even at the highest levels of the corporate ecosystem, executives are making the same mistakes as first-time online buyers. They’re using weak passwords – oftentimes, the same weak password for all of their online accounts. Account takeover is a process, Ersell admitted, but it’s far less difficult when consumers insist on using the same password everywhere. It’s almost like they’re asking to be hacked.
Plain text is easy to hack, said Ersell. If he’s got a database of usernames or email addresses and he can access it offline, he can fire millions of algorithms at the password field to recreate and simulate the key using hash information. This method limits the number of times he’s trying to log in on the live website, since most sites will shut users out after three or so failed login attempts.
It’s important to modulate velocity, Ersell said. Bots are very efficient, and can be both a blessing and a curse – crack the code too efficiently, and it raises alarms. Patience is a virtue in the business of fraud. Ersell said he spreads his bot activity across time and geographies to blend in with regular consumers.
Once he becomes, say, Karen Webster (for example), he can access her email account as well as her favorite shoe website. From the shoe website, he requests a password reset, gets the link in an email, changes the password and deletes that email – changing the password there as well, so Webster can’t initiate a password reset of her own.
Then, Ersell is free to order whatever he wants and ship it. Even if Webster gets an alert of some kind, she won’t be able to get into the account or email to find out what’s going on. If Ersell has been really thorough (which he typically is, for customers with the most purchasing power), he may have even gained access to her phone account. So, if she calls the merchant, there will be no way to confirm her identity, since most verification codes are sent by SMS and would thus go straight to Ersell.
It is worth noting that to successfully compromise an online shopping account and order goods delivered to a drop site, Ersell doesn’t even need to change the user’s password, as his order would simply blend in with what looks like another order from a trusted, loyal customer.
Account takeover is a job to which Ersell promotes only his most trusted team members – ones with proven performance who not only have the requisite skills, but also the patience and discipline to maximize returns from every account.
One $800 shoe purchase can get an account flagged, forcing fraudsters to work as fast as they can before machine learning systems identify their behavior pattern with one or more accounts. Instead, a savvy fraudster can pull in several pairs of shoes at a lower price point over a few transactions before the cardholder, issuer or merchant notices.
Account takeover is not entry-level fraud. It takes a certain amount of finesse, said Ersell, while stolen financials require only brute force. With account takeover, fraudsters need to move fast and move smart once they’re in, to make it seem like the merchant isn’t being hacked. They must be masters of social engineering, not just data literate.
That’s why this method of fraud has recently gained momentum. The success rate still isn’t very high, said Ersell – which is scary when you think about just how much success fraudsters have found. To turn a profit, Ersell said, he and his company must work hard, just like employees at any other company. But the tools and methodology are becoming more readily available … and so is leaked data, as organizations continue to pinch pennies on cybersecurity.
According to Ersell, account takeover was on the rise before the Equifax breach – that was just the moment of public knowledge. The demand for personal data is up and has been for a while, so the supply naturally follows.
Account takeover isn’t about cash, Ersell said. He doesn’t want people’s money. He’s a mover of goods. The important thing for him is getting goods delivered to his drop site as quickly as possible, so he can turn them around and sell them on the gray market – often at only a slight discount, since he doesn’t want to set off any alarms by pricing them suspiciously low.
“What we’re doing is changing how people buy and sell online, how they shop and where they get the things they want,” Ersell said. “I’m sharing this because I want people to know what’s really going on. I’m not a terrorist. I’m not in other kinds of crime. I move goods from eCommerce sites, and this is happening in a big way, on a global scale. But the people doing it, people like me, we’re not walking around with guns in our hands – that’s not who we are.”
Likewise, “Bern Ersell” is not who Webster really interviewed this month. This fraud syndicate CFO is actually Sourabh Kothari, director of merchant advocacy at eCommerce fraud protection firm Signifyd. The San Jose, California company uses real-time machine learning to protect online merchants (and their customers) from fraud and chargebacks.
Signifyd and PYMNTS jointly produce the Global Fraud Index, which includes detailed data and insights about stolen financials, friendly fraud, account takeover and what’s changing in the rapidly evolving world of eCommerce fraud.