Fraud and security experts offer a sampling of today’s biggest credit and payment card fraud tactics and tips on how to prevent them.
Online account takeovers, where hackers steal passwords instead of credit cards, and then log onto other more lucrative sites where even more money is at stake, cost consumers $2.3 billion in 2016, a 61 percent increase from 2015, according to Javelin.
“They log in and instead of stealing one card they steal 10 cards in your eWallet,” says Andras Cser, VP and principal analyst in risk and compliance at research firm Forrester. Account takeovers tend to be complex, with vulnerabilities traced back to lax passwords and authentication, Cser says. Preventing account takeovers requires solutions such as longer passwords, two-factor authentication or authentication that takes into consideration the device being used, the user’s country of origin and time of day. “If you’re logging in from your own desktop at your normal place of work on a Tuesday morning local business time, it’s a much lower risk event than someone logging in on a new device in the middle of the night from Eastern Europe and masquerading as a U.S. user,” Cser says.
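The contextual check Cser describes can be expressed as a small risk-scoring step in front of the login decision. This is an added sketch, not code from the article or from Forrester; the weights, thresholds, profile fields and sample logins are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Profile:              # what the service has learned about one account
    known_devices: set
    usual_countries: set
    usual_hours: range      # hours (account's home time zone) of normal logins

@dataclass
class Login:
    device_id: str
    country: str
    home_time: datetime     # login time converted to the account's home time zone

# Hypothetical weights and thresholds; a real deployment tunes these on its own data.
WEIGHTS = {"new_device": 40, "unusual_country": 40, "unusual_hour": 20}
STEP_UP_AT, DENY_AT = 40, 100

def risk_signals(profile, login):
    """Return the contextual signals that deviate from the account's history."""
    signals = []
    if login.device_id not in profile.known_devices:
        signals.append("new_device")
    if login.country not in profile.usual_countries:
        signals.append("unusual_country")
    if login.home_time.hour not in profile.usual_hours:
        signals.append("unusual_hour")
    return signals

def decide(profile, login):
    """Map the summed signal weights to allow / step_up (second factor) / deny."""
    signals = risk_signals(profile, login)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        action = "deny"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return action, score, signals

# Constructed sample data: a U.S. user who normally logs in from one desktop, 08:00-18:59.
PROFILE = Profile({"desktop-01"}, {"US"}, range(8, 19))
USUAL = Login("desktop-01", "US", datetime(2017, 6, 13, 9, 30))   # Tuesday morning
NEW_PHONE = Login("phone-77", "US", datetime(2017, 6, 13, 14, 0))  # new device only
ANOMALOUS = Login("unknown-9", "RO", datetime(2017, 6, 14, 3, 0))  # all three signals

if __name__ == "__main__":
    for name, login in [("usual", USUAL), ("new phone", NEW_PHONE), ("anomalous", ANOMALOUS)]:
        print(name, decide(PROFILE, login))
```

Returning the list of signals alongside the action lets the decision be logged and reviewed, which matters when tuning thresholds against false step-ups for legitimate travellers.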
Magecart Part 2
The fraudsters who created the Magecart shopping cart software exploit in 2016 are at it again. Digital threat management firm RiskIQ tracked activity in the first half of 2017 showing how the actors behind it are cashing in by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S. that foreign entities hire through online job postings for “transport agents.”
“Reshipping is a form of money laundering that enables those actors to go to online stores and purchase high value items like electronics worth several hundred to a thousand dollars per transaction” and have it shipped back to them through the mules for resale, says Darren Spruell, threat researcher at RiskIQ. Spruell believes that the tangible money trail the fraudsters are creating will help financial services firms and law enforcement identify and stop the fraudsters.
Third-party vulnerabilities grow
Magecart appeared in unpatched versions of off-the-shelf shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, Magecart captured large quantities of payment card information from unsuspecting shoppers. This should serve as a warning that other third-party providers to ecommerce sites, such as WordPress or Joomla content management software, are equally vulnerable and should also be scrutinized carefully, Spruell says.