Cybercrime Report Q3 2016: The Good, The Bad, The (Very) Ugly

Posted December 8, 2016

Another day, another data breach.

LinkedIn. Dropbox. Yahoo. On any given day this year, the world learned of yet another successful cyber attack on a high-profile organization—often long after the damage has been done.

In just the last few weeks, these and other organizations were joined by still more, including the US Navy, Michigan State University and adult dating network Friend Finder.

Though not necessarily the case with any of these organizations, it’s not uncommon for organizations impacted by data breaches to issue reassuring (yet wholly ridiculous) statements aimed at assuaging the anxieties of customers and users.

Stop us if you’ve heard any of these before: “No credit card details were stolen,” “password data was encrypted,” or in the worst scenarios, “users will be given free monitoring services for a year.”

While it all sounds comforting, these notions are beside the point. Today, identity data can be easily stitched together using a patchwork of stolen credentials harvested from separate, unrelated breaches and made available on the Dark Web. Once assembled, these stolen or composite identities are used to log in to victims’ existing accounts or create fraudulent new ones.

Our Cybercrime Report Q3 2016, based on actual cybercrime attacks from July through September, offers a state-of-the-state look at cyber-security today—and the dangers we face this holiday season and beyond.

The Good

Among the bright spots in our report: Predictions of the biggest holiday shopping season ever, with up to 10 times more online traffic on key shopping days.

Released in early November, our Q3 report forecasts a surge in online shopping that will come at the expense of in-store sales, which is exactly what we’re now seeing on the heels of a record-shattering Thanksgiving weekend.

Of course, dynamics are always a bit different in the third quarter, which is traditionally the slowest of the year.

Overall, we noted encouraging signs, such as the fact that 43% of all online transactions (including not just payments, but logins and account creations) now come through mobile devices.

That’s a 50% increase on the same period last year, providing fresh evidence of a mobile revolution in ramp-up mode. Indeed, mobile transactions now exceed those made through the desktop web in financial services, fueled by digital transformation efforts in that sector.

In total, we analyzed around 5 million total transactions, and stopped 130 million attacks in real time.

The not-so-good news: That marks a 40% increase in cybercrime attacks compared to Q3 2015.

The Bad

So what’s behind the spike? For starters, the transition in the US to EMV chips in credit cards has reached full throttle. Aside from making it far more difficult for crooks to make fraudulent purchases in physical stores, it has forced them to shift their attention online.

This is borne out by third-party data as well. According to ACI Worldwide, the costs associated with in-store credit card fraud have plummeted 15%, while those associated with card-not-present transactions made through digital channels have soared by roughly the same amount.

This poses a significant risk to online merchants in the fourth quarter, with so much shopping (and criminal) activity moving online.

The (Very) Ugly

If this weren’t troubling enough, other threats are on the upswing.

Rejected payment transactions are up dramatically across all industries, but especially for financial institutions. New account originations continue to be the riskiest transaction type, with nearly 1 in 10 attempts now rejected due to possible fraud. And sophisticated, multi-faceted attacks from organized crime rings are on the rise.

Far more perilous: As the complexities of conducting business in a global economy grow, businesses are confronted with the emergence of automated botnets targeting cross-border transactions. Already, cross-border attacks are outpacing similar attacks within domestic traffic.

Indeed, cybercrime in general has now reached a level where identifying the rare legitimate customer among a sea of fraudsters and letting them transact with as little friction as possible has become job #1.

To learn more about best practices for achieving that, along with details on emerging attack vectors and how to defend against them, download the full Cybercrime Report Q3 2016.

It could help your efforts to secure more of the good in 2017—along with a whole lot less bad and ugly.

ThreatMetrix Team
