Maritza Dominguez has seen some impressive attempts at payment fraud in her 18 months as trust and security lead at Patreon, a site that allows online artists and web content creators to get paid by running membership businesses for their fans. The scheme she uncovered this summer proved to be one of the most impressive to date, not only for its innovation but for its sheer complexity.
In a multi-account takeover scheme, fraudsters would take over a content creator’s account, then take over dozens of patrons’ accounts, which they would use to make fraudulent pledges using stolen credit card data. The fraudsters would then create a PayPal account, change the artist’s payment method to the account and then cash out. “It takes a lot of skill” to pull off a fraud like this one, Dominguez says.
She was tipped off when a patron noticed his account showed a pledge that he didn’t make. A day or two later, a creator notified Patreon that his account information had been changed. “We realized the patron had made a pledge to that creator’s account, and then noticed that all the IPs were the same between these two and a bunch of other accounts,” Dominguez says. “It took a lot of investigative work.”
E-commerce fraud attack rates spiked more than 30 percent in 2016 over the prior year, according to Experian. The credit reporting agency attributes the rise in part to the switch to EMV (Europay, Mastercard and Visa) chips in credit cards, which reduced counterfeit card fraud at the point of sale but has driven fraudsters online, to account takeover and card-not-present schemes. Account takeovers similar to the one experienced at Patreon rose 31 percent in 2016, according to a report by Javelin Strategy & Research.
“Fraudsters never rest, and when one area is closed, they adapt and find new approaches,” said Al Pascual, senior VP, research director and head of fraud and security at Javelin, in a statement.