Account Takeover: The Fraudsters' EdgeAnti-Fraud Investments at Banks, Retailers Lagging
The United States should be prepared for a dramatic increase in card-not-present fraud as cards using the Europay, MasterCard, Visa standard are widely deployed, says Julie Conroy, an analyst with consultancy Aite.
"I think merchants around the world, and banks for that matter, should prepare for a very sharp increase in card-not-present fraud," she says during this interview with Information Security Media Group [transcript below]. "As the last country migrates to EMV ... it's all going to focus on the online environment, and we're going to see pretty dramatic increases in card-not-present fraud."
The tough task now is protecting the mobile and online environments, Conroy explains.
"That's where consumers are increasingly transacting," she says. "But the bad guys also recognize the profit opportunity."
And e-commerce retailers are increasingly being targeted by fraudsters, Conroy says, which has made authentication and layered security more of a priority.
"I have talked to a number of e-commerce companies that are starting to put some of those extra steps in front of their customers to stymie this account takeover trend that's been so damaging," she says
During this interview, Conroy discusses:
- The positive impact the FFIEC's updated authentication guidance has had on fraud prevention;
- Emerging cross-channel fraud risks affecting mobile and online banking; and
- How card fraud will increase within the next two years.
Conroy has more than a decade of product management experience, working with financial institutions, payments processors and risk management companies. Before joining Aite, she was the senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Previously, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Conroy also formerly led operational process improvements for NextCard, where she identified points of compromise and implemented solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering.
Account Takeover Fraud
TRACY KITTEN: How have losses linked to account takeover fraud increased in the last year?
JULIE CONROY: The report doesn't actually have substantial numbers on the e-commerce side, but we do have firm numbers on the financial institution side, and there we're seeing a steady uptick in account takeover fraud. In 2012, global corporate account takeover losses were right around $455 million and jumped to $523 million in 2013; and the growth rate is continuing to be pretty robust there. We'll see those numbers reach nearly $800 million by the end of 2016. As I spoke with e-commerce retailers for this report, which looks at the cyberthreats and how they're impacting financial institutions and merchants, many said they saw account takeover really kind of hit a tipping point in 2012 and 2013, relative to stolen card fraud. Stolen card fraud - those credit card numbers that have been captured through skimming attacks, attacks through database breaches - traditionally have represented the greatest form of fraud losses for e-commerce retailers. But in 2012 and 2013, many saw account takeover take the top spot and eclipse stolen card fraud, in terms of their greatest cause for losses.
KITTEN: How does account takeover occur from the e-commerce perspective?
CONROY: This is why we've seen it be so damaging. Those database breaches that we see, where the username and password are compromised, are how account takeover takes place in the e-commerce space. The bad guys then take those compromised credentials, load them into their automated box and direct them against as many online properties as they can, cognizant of the fact that about 55 percent of consumers use the same set of credentials across all of their online relationships. When those credentials do successfully get the bad guys into an e-commerce site where the consumer has their card data stored on file, the bad guys then go in and buy as much as they possibly can and sell their goods on the black market. It's very damaging to the merchant, because the merchant, at the end of the day, is the one that's left holding the bag for those losses.
Fraud Impact to E-Commerce Retailers
KITTEN: Are e-commerce retailers suffering greater losses than banking institutions?
CONROY: It's hard to tell, because it's such a different type of fraud. The individual losses do tend to be smaller; but we have greater opportunity, because you have so many of these credentials that are getting compromised and they're being used against multiple e-commerce retailers. The other thing that we see s that the bad guys are starting to figure out that B-to-B [business-to-business] types of losses with e-commerce retailers can be extremely profitable, very similar to what we see on the banking side. You have greater exposure on your B-to-B. When I say B-to-B, picture an office supply company that has an online presence and services a lot of businesses and is used to much bigger orders - computers and the type of equipment that has a very healthy resale value on the black market. I'm not sure that you can say that one industry or the other is taking greater losses. The pain those are feeling are pretty great, and the exposure going forward is also great, because the bad guys just keep innovating and keep working their way around the defenses.
Enhanced Security not Effective?
KITTEN: What about the enhanced security layers and authentication methods that banks have invested in? Are they just not effective?
CONROY: Those populations continue to invest in additional layers. The challenge is that the banks and e-commerce retailers have to make a business case every time they want to deploy another layer of technology. They have to work through their own internal software development lifecycle. It tends to be a little bit longer at the banks than the e-commerce retailers; but at the end of the day, both of these groups do have to have some sort of cost justification and they have an implementation process to go through, whereas the bad guys don't have to make a business case to develop their latest innovation. You witness that with the current trend line, where we have 150,000 unique strains of malware being deployed every single day. They just have a lot more resources, and those resources are permitted to be a bit more nimble than their targets, unfortunately.
FFIEC's Impact on Account Takeover
KITTEN: It's been two years since the FFIEC issued its updated authentication guidance. What difference, if any, have some of these changes related to conforming to the updated guidance made, where account takeover losses are concerned?
CONROY: Some of the good news with the guidance is that it did force institutions to institutionalize some of their processes. It enforced periodic risk assessments, which I think was one of the best elements of the guidance. It also gave institutions that had behavioral analytics on their wish lists a compliance excuse to prioritize the investment, relative to some of the other things on the roadmap. There have certainly been some positives that came out of the guidance; that said, we continue to see the loss rates rise. Again, it just goes back to the fact that the bad guys have the luxury of moving more quickly. They're smart; they're well-funded; and they're very well-resourced. They aren't constrained with some of the same business processes that their targets are, and so institutions do continue to feel the pain.
One thing I'll say is the guidance came in 2011, and true to these processes I just described, where banks have to do their research, do their business case, go through the implementation processes, some of the technologies like behavioral analytics haven't even been implemented yet at banks. I think that we will continue to see banks make incremental progress, but at the same time, they're up against a fast and formidable foe. As quickly as they progress, the bad guys keep evolving and innovating on their side as well.
Are E-Retailers the Weak Point?
KITTEN: Are e-commerce retailers the weak point? Are they not investing in the same types of authentication and layered security that banking institutions are?
CONROY: It really depends on who you're talking about and what business they're in. Unfortunately, for these e-commerce retailers, it's a little bit of a different equation for them, because they're very sensitive to putting too much friction in front of the customer. At the end of the day, they would rather take a little extra risk, rather than risk losing a customer because the process is too clunky.
That said, I have talked to a number of e-commerce companies that are starting to put some of those extra steps in front of their customers to stymie this account takeover trend that's been so damaging. ... In the digital space, we're seeing a number of folks that are selling software downloads, or in the online gaming space, starting to introduce out-of-band authentication as a stepped-up process. If their first line of defense, which is usually device fingerprinting, shows some anomalies, then they'll have the stepped-up capability and do an out-of-band authentication prompt.
In some of the more traditional e-commerce, B-to-C [business-to-consumer] types of endeavors, I'm also seeing folks do things like not completely relying on all that stored credit card data in the wallet. One of the merchants I spoke with has started requiring CVV for every single online purchase, and is not relying on stored data; they're asking the consumer to input it. The interesting thing in this case was that the merchant really was braced to have attrition and a loss in sales because of this; but they actually saw an increase in their completed sales. Because they were sending CVV2 with every transaction, they were seeing a higher approval rate coming from the issuers on those transactions. It's very interesting to see how merchants are braced and they're very leery of putting consumers through any extra steps. But sometimes there can be some unforeseen positive consequences as well.
Gaps in the Industry
KITTEN: Is there some place where the industry is failing to address a core problem or vulnerability?
CONROY: I don't think that you can say that there's any one gap. The reality is that many of the larger merchants are pretty savvy about this stuff. They have taken to heart the need to deploy layered defenses; financial institutions have as well, for that matter. But the bad guys study the target and they evolve around those defenses. The unfortunate reality is the consumer, the end-user, who is our weakest link and always will be. As much as the [industry] wants to harp on the need for consumer education, it can only go so far. Consumers continue to fall for the tricks that the bad guys use to get the malware on the computers to capture credentials. Phishing is still going strong, even after all these years of consumer education. We need to continue to view fraud as a journey, not as a destination. The effort is to be the institution or e-commerce company that makes it harder for the bad guy to get through your defenses, or at least harder to get through your defenses than it is to get through the defenses of the guy down the street.
Account Takeover's Impact in Different Markets
KITTEN: Are fraud losses impacting some markets more than others?
CONROY: We're definitely seeing that, like all types of fraud, there's a cyclical nature is. I'm seeing an uptick in Asia-Pacific, particularly in corporate account takeover fraud. But these are global organizations. They go where the money is, and they also go where the softest targets are. I think that there's no economy that's immune. E-commerce companies in Latin America are certainly seeing that they're under pressure as well.
The other thing you could look to as a global trend is anywhere that EMV is being deployed will see a corresponding uptick in all other types of fraud. As EMV comes to the market, you will see increases in account takeover. You will see sharp increases in CNP fraud. The unfortunate reality is that as the U.S. migrates to EMV in just a couple years, I think merchants around the world and banks, for that matter, should prepare for a very sharp increase in CNP fraud. As all of these other geographies have gone [to EMV], we have been an easy outlet for all of that still-in-card data at the point-of-sale, because of our reliance on mag-stripes. As we, the last country, migrates to EMV, there's not going to be any other really easy target out there for the stolen card data. It's all going to focus on the online environment, and we're going to see some pretty dramatic increases in CNP fraud.
KITTEN: Is mobile somehow linked to account takeover?
CONROY: There's a linkage to account takeover. We actually see a lot of cross-channel fraud that takes place with mobile. One of the bankers I spoke with said that it never ceases to amaze him how willing consumers are to click on a link that's been texted to them by somebody they don't know and then input their credentials. It's a little flabbergasting, actually.
But mobile, from the e-commerce perspective, is actually a bit of a canary in the coal mine for the financial services industry, and particularly for the banks and credit unions. Banks and credit unions have had their mobile channels pretty tied down from a transactional standpoint; not a lot in the way of high-risk transactions could take place on mobile. But that's very rapidly changing. E-commerce folks, on the other hand, haven't had the luxury of tying down. They want to execute the sale, so they create a very similar experience in the mobile environment to what they have in the online environment. The app environment, in particular, I'm hearing has been particularly painful. As those apps get pushed out, the bad guys find the loopholes first. Many of the e-commerce retailers I spoke with said they're seeing loss rates that are higher in mobile than what they're seeing online right now, and I think that's a lesson for the banks as well, because as they push additional functionality to the mobile environment, we will see the bad guys catch on and follow.
The case with mobile malware, I think, is an early indicator of that. As of 2011, there really weren't many strains of mobile malware out there. I think the number of unique strains produced in 2011 totaled something like 792. We've seen that lengthened by the end of this year. If we continue on the current growth pace, we'll have close to 100,000 unique strains of malware produced for the mobile environment this year. It pales in comparison to what we're seeing online, but it's a pretty robust growth rate, and it shows that the bad guys are starting to focus their efforts on that environment.
KITTEN: Are there any final thoughts you'd like to share?
CONROY: It continues to be a really tough job protecting your bank or your e-commerce company's mobile and online environments. The reality is that's where consumers are increasingly transacting. That's where banks and merchants are increasingly encouraging consumers to transact, because those consumers tend to be very profitable. But the bad guys also recognize the profit opportunity; they're focusing intensively. There's not a lot in the way of deterrents of this, because it's so difficult for law enforcement to crack down on this issue. One interesting bit of positive news I got as I was speaking with some of the e-commerce merchants was that there are a few that are actually finding successful ways to prosecute. The hope is that as they do go out and actually start getting successful prosecution, that will start having a bit of a deterrent effect. It's early yet, but I think we just need to continue to iterate what we do as an industry: Be creative. We're not going to get a step ahead at this point, but at least we can start keeping pace.