By Doriel Abrahams, Head of Risk, U.S.
When I started working in the fraud space, I spent a lot of time diving into different types of attacks. The differences between credit card fraud, ATO, card testing, credential stuffing, etc., enthralled me. Between theoretical training, on-the-job training, and occasional on-the-crisis training, I learned a lot fast and started building up my picture of how the different attacks work.
That knowledge has served me well over the years and has become the foundation for all my learning since then. As fraud fighters know, learning never stops. I realize now that although the structure of neat divisions is helpful when you’re starting out, it’s not really how fraud works in the real world. One type of attack morphs into another, supports another or is just one step in a broader scheme.
In a spate of recent attacks, this has become clearer than ever. And so has something else: To get what’s going on and stop the risks before they start, you need to see fraud attacks in 3D.
“Checkout Protection Can Wait; We Need Login Protection”
Recently, I’ve seen something in new Forter customers that I’ve never seen before.
Forter’s customers typically take advantage of a range of the protections offered by the Forter platform. Depending on the nature of the business and its challenges, they’re likely to want some combination of checkout fraud prevention, login protection, policy protection, chargeback management, or intelligent PSD2/3DS assistance. So far, so typical.
I’m used to talking to merchants equally focused on checkout protection and policy protection or checkout and chargeback management. Sometimes they’ll be passionate about the whole stack.
I’ve never seen customers red-hot focused on login protection, with everything else — including checkout protection — taking second place. But now that’s just what’s happening. “We need the login protection integration rushed through ASAP! Can it be live next week? Checkout can wait until next month.”
Which leads to the fraud fighter’s favorite question: What’s going on, and why?
The Tentacles of ATO Are Expanding
Account takeover used to be primarily a way for fraudsters to succeed more effectively at checkout. They knew their fraudulent order was more likely to be approved if they were using the account and, in some cases, the payment method of a known customer.
That’s still true, but fraudsters are increasingly creative. As more apps and sites offer competitive loyalty programs and compelling reasons to store credit or other value in accounts, those accounts become more valuable — and more of a target for ATO. I’ve seen this a lot in the food delivery/QSR and beauty industries, though I’ve also seen it in other verticals.
Forter’s analysis shows that accounts with funds loaded — prepaid top-ups or loyalty points — are 6-7x more likely to attract fraud.
Fraudsters might use the points or prepaid top-ups to make purchases, often skipping some checks that normal payments go through. Sometimes points can be converted into gift cards. Or, they might add to the funds with a stolen payment method and resell the account for a nice profit.
Fraudsters get into the accounts through phishing, using information from data breaches, or leveraging credential stuffing and/or password sniffing techniques. All of these methods lead to unhappy customers with broken trust — and it’s happening more often.
Some of these stories have made it into the news, with upset customers driving the story. Others have not, although it’s clear from conversations with merchants that this is always a concern. Either way, the uptick in these attacks appears to be a trend.
What’s challenging for merchants is that the attack stages often play out across different sites. By the time the fraudster gets to the site or app they’re targeting for their payoff, they’re already confident about all the pieces of their attack (username, password, payment method, etc.) because they’ve tried them all out in stages on other sites.
So that’s what’s happening. Next question: Why? I think there are several factors (at least) in play:
- The seesaw has swung to ATO. Checkout protection and ATO are always on something of a seesaw together. Stringent login protection? Fraudsters target checkout with guest accounts. In recent years, fraud prevention teams have become confident of their checkout protections thanks to advances in technology and collaboration, and in the UK/EU, perhaps thanks to the additional use of 3DS2, which leads… to ATO.
- SIM swapping has become a standard technique. SIM swapping has been around for years, but it was most often associated with targeted attacks, such as when a criminal wanted to gain access to sensitive systems via employee accounts or when they were targeting a bank account. Since SIM swapping has become easy for anyone, it’s also a factor in digital commerce fraud attacks — even with fraudsters who aren’t particularly sophisticated or expert.
- Data breaches continue. The more data breaches there are, the easier it is for clever fraudsters to “Frankenstein together” pieces of information from different breaches to better understand a customer’s preferred email addresses, passwords, sites, etc. Paired with credential stuffing, this inevitably increases the scale of ATO attempts.
- Merchants invest in loyalty and similar programs. One piece of this puzzle is benign in origin; merchants are creating fantastic loyalty programs and app advantages that entice customers to return and become loyal followers of the brand. This is, of course, a good thing, but extra protection efforts are also essential.
“Dog in the Night-time”
Gregory (Scotland Yard detective): Is there any other point to which you would wish to draw my attention?
Holmes: To the curious incident of the dog in the night-time.
Gregory: The dog did nothing in the night-time.
Holmes: That was the curious incident.
In the Sherlock Holmes story “The Adventure of Silver Blaze,” the crucial clue is the dog in the night-time – because it didn’t bark. In the story, that’s because the detectives looking for an outside attacker are mistaken; it must have been an insider already known to the dog.
The exact opposite is true with expanded ATO attacks. The reason so many merchants are having trouble with these attacks, and the loss of trust and revenue they cause, is that they think the fraudster is already an insider — a good user — because they don’t trigger any of the normal red flags that show up in credential stuffing, password sniffing, and so on. When they arrive on their target site, they’re perfectly primed with the right information.
Seeing Fraud Attacks in 3D
I’ve been greatly intrigued while investigating this trend because I’m fortunate to have a unique perspective on the fraudster journey. A feature of Forter’s extremely extensive network of identities — one of the things that makes it so interesting as an analyst — is that the same core understanding of user identities is leveraged to protect any part of the customer journey. And we look at the whole picture — not only at individual sites, apps, or users.
So from my vantage point, I can often see all the pieces of the attack before me. I’ve traced an attempt at credential stuffing, to attempts at logins, to attempts at checkout (in companies that don’t block malicious activity until checkout). Some fraud rings even have preferences about which sites, or which types of sites, they’ll use for each stage in their evolving attack. That’s a pattern you can trace across the network.
It’s fascinating on a purely intellectual level, and the analyst in me can lose hours to this kind of work. But it’s also practical because it means that from Forter’s perspective, by the time the attacker reaches their target site, the “dog” is barking its head off. It’s clear that’s an intruder — we saw them start the early pieces of this attack somewhere else days ago.
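The cross-site correlation described above, as an added illustration that is not Forter’s code and does not reflect how the Forter platform actually works: constructed events from three sites share one device identifier; the target site’s local view sees only a clean login, while the network view finds the earlier credential-stuffing and card-testing stages. The event format, the device identifier and the stage thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one device identifier seen on
# three unrelated sites over a few days. Fields: timestamp, site, device, event, user
EVENTS = [
    # Day 1, site A: many failed logins across many usernames = credential stuffing
    *[("2024-03-01T02:%02d:00" % i, "siteA", "dev-7f3a", "login_fail", f"user{i}@example.com")
      for i in range(12)],
    # Day 2, site B: one login, then a run of declined checkouts = card testing
    ("2024-03-02T11:00:00", "siteB", "dev-7f3a", "login_ok", "victim1@example.com"),
    *[("2024-03-02T11:%02d:00" % (5 + i), "siteB", "dev-7f3a", "checkout_declined", "victim1@example.com")
      for i in range(6)],
    # Day 4, target site: a single clean login with the right password (no local red flag)
    ("2024-03-04T09:30:00", "target", "dev-7f3a", "login_ok", "victim2@example.com"),
    # Unrelated benign device on the target site
    ("2024-03-04T09:31:00", "target", "dev-c001", "login_ok", "shopper@example.com"),
]

def _parse(e):
    ts, site, dev, kind, user = e
    return datetime.fromisoformat(ts), site, dev, kind, user

def stage_flags(events):
    """Classify the events of one device on one site into attack-stage flags (assumed thresholds)."""
    flags = []
    fails = {u for _, _, _, k, u in events if k == "login_fail"}
    if len(fails) >= 10:                      # many distinct usernames failing
        flags.append("credential_stuffing")
    declines = sum(1 for e in events if e[3] == "checkout_declined")
    if declines >= 5:                         # a run of declined payments
        flags.append("card_testing")
    return flags

def local_risk(site, device):
    """What a single site sees: only its own events for this device."""
    mine = [_parse(e) for e in EVENTS if e[1] == site and e[2] == device]
    return stage_flags(mine)

def network_risk(site, device, window=timedelta(days=7)):
    """Network view: earlier stages by the same device on other sites within the window."""
    here = [_parse(e) for e in EVENTS if e[1] == site and e[2] == device]
    if not here:
        return []
    latest = max(ts for ts, *_ in here)
    by_site = defaultdict(list)
    for ev in (_parse(e) for e in EVENTS if e[2] == device and e[1] != site):
        if latest - window <= ev[0] <= latest:
            by_site[ev[1]].append(ev)
    return sorted({f for evs in by_site.values() for f in stage_flags(evs)})
```

The target site alone returns no flags for the attacker’s device, while the network view returns the stages it ran elsewhere first.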
As an industry, we need to shift from looking at isolated attacks or types of attacks, as I used to do when I was learning at the start, to seeing the bigger picture. Fraudsters are already using that big picture to attack, and if you’re only focused on your slice, you’re giving them an advantage.
Forter is the Trust Platform for digital commerce. We make accurate, instant assessments of trustworthiness across every step of the buying journey. Our ability to isolate fraud and protect consumers is why Nordstrom, Sephora, Instacart, Adobe, Priceline, and other leaders across industries have trusted us to process more than $500 billion in transactions.