Credit card fraud: What you need to know now

Stacy Collett | Aug. 31, 2017
Credit and payment card thieves are getting more sophisticated as chipped cards drive them to account takeover and card-not-present schemes.

Fraud and security experts offer a sampling of today’s biggest credit and payment card fraud tactics and tips on how to prevent them.

Account takeovers

Online account takeovers, in which hackers steal passwords instead of credit cards and then log on to other, more lucrative sites where even more money is at stake, cost consumers $2.3 billion in 2016, a 61 percent increase from 2015, according to Javelin.

“They log in and instead of stealing one card they steal 10 cards in your eWallet,” says Andras Cser, VP and principal analyst in risk and compliance at research firm Forrester. Account takeovers tend to be complex, with vulnerabilities traced back to lax passwords and authentication, Cser says. Preventing account takeovers requires solutions such as longer passwords, two-factor authentication or authentication that takes into consideration the device being used, the user’s country of origin and time of day. “If you’re logging in from your own desktop at your normal place of work on a Tuesday morning local business time, it’s a much lower risk event than someone logging in on a new device in the middle of the night from Eastern Europe and masquerading as a U.S. user,” Cser says.
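
The context-aware authentication described above can be sketched as a small rules-based scorer. This is an added example, not code from the article or from any vendor it names; the `Profile` and `Login` types, the weights, the thresholds and the sample logins are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Profile:
    """Hypothetical per-user baseline learned from earlier successful logins."""
    known_devices: set
    home_country: str
    usual_hours: range     # hours of the day, in the user's home time zone
    usual_weekdays: set    # 0 = Monday ... 6 = Sunday

@dataclass
class Login:
    device_id: str         # assumed to come from a device fingerprint or cookie
    country: str           # assumed to come from IP geolocation
    when: datetime         # assumed already converted to the user's home time zone

# Constructed weights and thresholds; a real deployment tunes them on its own data.
WEIGHTS = {"new_device": 40, "unusual_country": 40, "unusual_hour": 15, "unusual_day": 5}
STEP_UP, DENY = 40, 80

def assess(profile: Profile, login: Login):
    """Return (action, score, reasons) for one login attempt."""
    reasons = []
    if login.device_id not in profile.known_devices:
        reasons.append("new_device")
    if login.country != profile.home_country:
        reasons.append("unusual_country")
    if login.when.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    if login.when.weekday() not in profile.usual_weekdays:
        reasons.append("unusual_day")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= DENY:
        action = "deny"        # block and alert the account owner
    elif score >= STEP_UP:
        action = "step_up"     # password alone is not enough: ask for a second factor
    else:
        action = "allow"
    return action, score, reasons

# Constructed sample data mirroring the two logins contrasted above, plus a traveller.
alice = Profile({"desktop-01"}, "US", range(8, 19), {0, 1, 2, 3, 4})
tuesday_morning = Login("desktop-01", "US", datetime(2017, 8, 29, 9, 30))
night_new_device = Login("unknown-77", "ZZ", datetime(2017, 8, 30, 3, 0))
travelling = Login("desktop-01", "ZZ", datetime(2017, 8, 29, 10, 0))

if __name__ == "__main__":
    for attempt in (tuesday_morning, night_new_device, travelling):
        print(assess(alice, attempt))
```

Returning the reasons alongside the score lets a fraud analyst see why a login was challenged and gives later tuning something to measure against.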

Machine-learning tools have shown promise in detecting anomalies in user behavior that can help detect payment fraud. In addition to a rules-based approach to detection, “you should also be collecting data points in terms of user behavior… to go from a defensive position to an offensive position where you learn from behavior patterns of both good and bad users,” says Kevin Lee, trust and safety architect at Sift Science, a fraud detection provider. Small and mid-size firms could benefit from third-party providers to handle this type of fraud detection for them, he adds.

Magecart Part 2

The fraudsters who created the Magecart shopping cart software exploit in 2016 are at it again. Digital threat management firm RiskIQ tracked activity in the first half of 2017 showing how the actors behind it are cashing in by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S. that foreign entities hire through online job postings for “transport agents.”

“Reshipping is a form of money laundering that enables those actors to go to online stores and purchase high value items like electronics worth several hundred to a thousand dollars per transaction” and have them shipped back to them through the mules for resale, says Darren Spruell, threat researcher at RiskIQ. Spruell believes that the tangible money trail the fraudsters are creating will help financial services firms and law enforcement identify and stop the fraudsters.

Third-party vulnerabilities grow

Magecart appeared in unpatched versions of off-the-shelf shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, Magecart captured large quantities of payment card information from unsuspecting shoppers. This should serve as a warning that other third-party providers to ecommerce sites, such as WordPress or Joomla content management software, are equally vulnerable and should also be scrutinized carefully, Spruell says.
