Cross-Border Payment Fraud: The Battle of the Bots Goes Global
Posted May 29, 2018
The fact that a new report finds the first quarter of 2018 saw 210 million cyberattacks worldwide—a 62% jump from the same period last year—may not be that surprising.
The fact that there was a record 1 billion bot attacks on top of that is, and it may signal the digital economy has entered a troubling new phase. For one sector in particular, the surge in bot attacks combined with other trends may be enough to set off alarm bells.
According to the Q1 2018 Cybercrime Report from ThreatMetrix, global cyberattack rates saw a predictable lull following the 2017 holiday shopping season. Yet while the average rate of attacks across industries drifted down by roughly 1.7 percent from Q4 highs, attacks against payment processors have actually gone up.
In fact, attack rates on this sector were nearly twice that of the cross-industry average for the quarter. So, what’s going on? Well, let’s just say you can blame it on Rio. Or Hanoi. Or maybe Kiev.
The truth is, advances in digital technology and shifting consumer behavior continue to transform the nature of anytime, anywhere digital commerce for people around the globe.
In particular, the proliferating use of smartphones and an expanding universe of payment options are providing faster, more convenient ways to pay for goods and services.
More than 51 percent of all transactions are now made via mobile devices—a 170 percent increase from Q1 2015. And with consumers looking for goods and services across a global pool of options, roughly half of all payment transactions are cross-border. Unfortunately, all this growth comes with a downside.
Today, fraudsters are capitalizing on the borderless nature of the Internet to monetize an endless stream of stolen identity credentials making its way to every corner of the planet.
While the US and UK continue to generate most of the world’s cyberattacks, new and emerging economies are quickly becoming hotbeds for fraudsters. In fact, Brazil, Vietnam and Russia currently rank among the top 5 originators for new attacks.
The largest attackers tend to target businesses within their own country. But they’re also making incursions into other countries within their region. Collectively, these and other cyberattacks are expected to generate more than $600 billion in losses worldwide this year.
While device spoofing remains the biggest threat for payment processors worldwide, massive armies of bots are clearly gaining traction.
One Billion Strong and Growing
As stolen identity data becomes more readily available, fraudsters are increasingly launching large-scale bot attacks to validate and test list data—and payments processors are prime targets.
The goal: hijack existing accounts with stolen credentials or create new ones. And because so many consumers have started to store card-on-file information in online accounts, one successful attack can lead to many more.
The record level of bot attacks in Q1 offer just one among many reasons overall cross-border payment attacks are nearly 30 percent higher than they are for domestic transactions. Indeed, 820 million of those bot attacks were perpetrated against online retailers both foreign and domestic to the cybercrooks behind them, pointing to perceived weaknesses in that particular industry.
But there’s little doubt bots are increasingly seen as an effective tool in cross-border attacks—including those focused on payment transactions.
Targeted, Tailored and Treacherous
Beyond the sheer scale of global attacks, Q1 saw other worrisome developments in the evolution of bots, including:
- Geographic Tailoring
Cybercriminals are getting more adept at tailoring attacks for different regions, with bot attacks found to have strong geographic biases, even those launched from new and emerging economies such as Vietnam, South Korea and Ukraine. The focus of cyberattacks of all kinds, including those involving bots, tends to be new account origination in South America, and account takeover in the Philippines.
In Q1, roughly 10 percent of all bot traffic came from mobile bots. Often, criminals reverse engineer mobile apps in order to emulate requests sent by the app to an online merchant. This can look like genuine app traffic, but a closer look often reveals its really bot traffic attempting to access customer accounts. With the rapid rise in mobile payments fueled in part by consumers in emerging economies, mobile bots are likely to be among the weapons with which criminals in-region or globally attack these mobile-centric growth markets.
Bots’ ability to quietly compromise nearly any online authentication system (including 2-factor) means attacks are increasingly reserved for operations with large payouts. In Q1, bot attacks on one global merchant reached as high as 90 percent of all daily site traffic.
The Bottom Line
For payment processors, mitigating the ever-evolving threat from bots and other cyberattacks will be tough going.
Deploy anti-fraud systems that are too cautious, and consumer friction and false declines could drive merchants to competitors. Opt for solutions that are unable to tap global sources of dynamic, digital identity data, and you may fail to get the visibility required to fend off these attacks successfully.
Indeed, finding the sweet spot that helps merchants accept more orders, reduce false declines and curtail chargebacks will be quite the balancing act. But with an estimated $2.3 trillion in digital and mobile transaction revenue in play, merchants and other businesses at the forefront of the digital economy had better hope their payment processors can find it.
To learn more about the threat from bot attacks and other forms of cross-border payments fraud, download a FREE copy of the ThreatMetrix Cybercrime Report for Payment Processors.