The phenomenon of payments fraud is not a modern one — far from it.
But as RL Prasad, SVP of payment system risk at Visa, told Karen Webster in a recent conversation, what is new today is the who and the how of fraud, particularly in a digital world.
As for the who, Prasad told Webster that there are still plenty of attacks perpetrated by the more professional organized crime-modeled hacker gangs that are behind massive breaches that capture the headlines. But these fraudsters aren’t the only players in the game — and by and large, they aren’t the best at being the worst when it comes to efforts to infiltrate global payments systems.
The frequency of state-sponsored attacks has intensified in recent years — with a level of sophistication and technical and financial backing to their operations that has never before been seen. Cash-out scams, he noted, used to be about harvesting thousands and perhaps even hundreds of thousands of gift and prepaid cards in a heist. Today, when they are the product of state-sponsored rings, those attacks can mean millions of dollars leaving ATMS in minutes in a coordinated worldwide assault.
That leads to the second big change in the world of fraud, Prasad said – the expanded scope and reach of its targets. What was once limited to defrauding retailers at the physical point of sale with counterfeit cards is now digital, and accomplished by a variety of methods.
“There is skimming, account enumeration, combination attacks — the goal [of the fraudster] is to find any vulnerability they can find in the system, any tiny logic error that lets them slip in unnoticed,” Prasad told Webster.
It’s why, he said, Visa introduced three new tools last week to help merchants and issuers fight back: Visa Vital Signs, Visa Account Attack Intelligence and Visa Payment Threat Lab and eCommerce Threat Disruption
Hackers, he noted, are only getting smarter about leveraging data tools to improve the subtlety and reach of their attacks, and these new tools give Visa customers the ability to see, isolate and stop fraud before it has a chance to scale across issuers and retailers.
“We still have the edge,” Prasad remarked, referring to this new breed of cyber attacker, “because we have better access to data, at scale, than they do.”
Seeing the Attack Before it Happens
To say that VisaNet processes a lot of transactions every second over its network is like saying that the Earth is just a little far away from the Sun. So because Visa sees something on the order of 150 million transactions on an average day, it becomes possible to really see them differently — and over time, it becomes more efficient to draw a baseline for each of its merchants and issuers of what is normal and what is not. Importantly, this makes it possible to act quickly on a threat as it emerges — instead of after it has already escalated to a fraud incident, Prasad explained.
That sort of early detection and warning, he told Webster, is what Visa Account Attack Intelligence is all about. Using AI and deep learning across Visa’s vast transactional records identifies anomalies that indicate that hackers may have gained access to a merchant or financial institution’s systems and are gearing up to use them for malicious purposes.
Visa Vital Signs helps blunt the cash-out attacks emptying ATMs in a timed worldwide grab. These multiple step combination attacks start with a piece of malware that partially quarantines the ATM from the bank’s core systems, and makes it possible for fraudsters to hit specific ATMs on a time signal and all at once with a series of dummy plastic cards that the malware primes the ATMs to accept. End-to-end, an operation that could take weeks or even months to plan can be carried out in minutes.
“Visa Vital Signs observes volumes over and above set issuer thresholds and allows us to alert them that they could be under attack,” Prasad said.
Building Bespoke Solutions
One of the more confounding facts of modern cyberattack methodology is the ways in which it is becoming more pervasive and subtle. Enumeration attacks, he noted are a good example of this. Hackers could try to break into a merchant and steal valid card numbers, but fraud tools are making that harder to do. Fraudsters, themselves sophisticated technology players with the latest technology tools, are instead using that processing power and a sophisticated number generator to create “arbitrary card numbers” to see which ones might eventually attach to a legitimate card.
“All of a sudden, a lot of bad transactions start coming in — and all the processors see is that the common element between them is a coffee shop in downtown Chicago,” Prasad explained.
In this case, even if processors are bouncing most of those fraudulent verification attempts, every time a bad one gets through, another piece of card data goes up for sale on the dark web.
What Visa’s Payment Threats Lab is designed to do is offer a bespoke testing solution that evaluates the clients client's processing, business logic and configuration settings to identify errors leading to potential vulnerabilities. What that means in practical terms is stress-testing and “ethically hacking” client systems to find the weaker spots that a less altruistically-motivated hacker might look to exploit.
That process, he notes, is a mutually beneficial one. The client is able to identify and fix the weaker points of its systems. Visa can feed back the data it learns to its network to better identify common and recurring weak points to check in the future. Because what the continuing theme of cybersecurity is shaping up to be, he noted, is really about seeing the path to the threats before they erupt, and then designing preventively around them.
Fighting The Infection
Fraud is persistent, which is why Visa has spent the last six decades fighting it and why it’ll spend the next six doing the same. When EMV made card skimming in the physical world hard, fraudsters didn’t quit the business. They figured out how to insert card skimming malware into eCommerce sites to lift card number data that way.
Visa eCommerce Threat Disruption was built for that, taking advantage of the fact that anyone can see a site’s java script with a simple look.
What eCommerce merchants often need is simply the push, the information that they could be infected, to take steps to remediate that situation. And to realize that this is never going to be a one-and-done process. Merchants, he noted, will be alerted to a problem and close the holes in their system that made it possible— and when Visa next scans, they don’t appear on a list of potentially infected sites.
A few months later, after a new scan, the same merchant is back on the list and getting another alert. It isn’t that they’ve incorrectly solved the old problem. It is that new malware has come to the market and is a new issue to solve.
But fraud prevention doesn’t needs to be a silver bullet to be an effective tool — it needs to be an evolving series of responses capable of doing one thing: stop fraud before it starts.
“The best way to fight fraud is to get ahead of it and cut it off upstream before it can start and begin doing damage in earnest,” Prasad said.