Payment Fraud Detection Growing Tougher as Fraudsters Shift Tactics

Posted May 8, 2019

Payment Fraud Detection Growing Tougher as Fraudsters Shift Tactics

Call it a case of good news masking bad. According to the 2019 Identity Study from Javelin Strategy & Research, credit card fraud dropped by nearly 25% in 2018, or $6.4 billion, compared to $8.1 billion in 2017. The bad news reflects rapidly changing tactics among cybercriminals—and threatens to make payment fraud detection harder than ever before.

That’s because as defenses against card-not-present have hardened, fraudsters have begun shifting their focus to account takeover (ATO) and new account fraud, which are far more threatening—and much harder to detect. These shifts aren’t wholesale, nor are they happening at the flip of a switch. CNP losses remain unacceptably high. And ATO losses are actually down, from $5.2 billion to $4 billion.

But that’s still three times higher than 2016. And when you factor in a $400 million increase in new account fraud in just 12 months’ time, to at least $3.4 billion, you’re talking about total fraud losses approaching $15 billion annually in the US alone. And it’s getting worse. But what’s driving these shifts? And what can merchants, issuing banks, and other payment processors do to protect themselves and their customers? Here’s a look at what you need to know now.

ATO and New Account Fraud Pay Big

According to Javelin, existing account takeover fraud, in which a criminal hacks into a victim’s account to place purchases and change contact information so thefts go unnoticed, tripled in 2018 to 1.5% of all US-based consumers.

Instead of merely placing purchases until a credit card is maxed out, ATOs enable thieves to drain checking, savings, or retirement accounts. Thanks to beefed up bank security controls, merchant cards and pre-paid credit cards accounts are increasingly popular alternatives for fraudsters. After cutting their teeth on bank rewards programs, fraudsters have also branched out into travel rewards programs.

Also lucrative: mobile phone account takeovers, which doubled to nearly 680,000 in 2018. With a hijacked mobile account, fraudsters can intercept alerts and one-time passwords sent by text message, one of the most common forms of two-factor authentication. Cybercriminal organizations have found ways to intercept 2FA codes using phishing website ploys, as well.

In new account fraud, cybercriminals use manufactured, “synthetic identities” to take out mortgages, car or student loans, merchant lines of credit, new credit cards and more—with no intention of repaying them. Javelin estimates fraudsters get away with an average of $15,000 per attack. But one fraud ring successfully stole $200 million by acquiring 25,000 credit cards using 7,000 false identities.

Crimes perpetrated from compromised or fraudulently-created accounts are enormously difficult to detect, primarily because for all intents and purposes, their transactions are trusted, the motivation behind them assumed legit.

Stolen Data Makes it All Too Easy

Three and a half billion personal identity files were stolen from hotels, retailers, social media networks and other businesses during just the first half of last year. The total number of records is expected to increase 22.5% per year through 2023, to 146 billion stolen records in all, according to Juniper Research. The fraudsters behind data breaches monetize identity credentials by using them to pull off crimes directly, or to sell online.

A single ATO can spark a chain reaction in so-called Cross-Account Takeovers (CATOs), where a victim’s mobile phone account and bank account are hijacked, for instance. Sometimes this is facilitated with “fullz,” a slang term used by credit card hackers meaning complete dossiers of stolen personal identity information for sale online. But the fact that so many consumers use the same password across numerous accounts doesn’t help the situation. CATOs were up 32% last year.

In terms of new account fraud, synthetic identities are used to sign up for utilities, social media, and mail drops to add the veneer of authenticity to these fictitious people and to establish a credit record before taking out credit cards and loans that will likewise be seasoned before they’re suddenly maxed out, never to be repaid. It’s estimated synthetic fraud may account for 5% of all uncollected debt and up to 20% of all credit card losses.

Fraudsters are Joining Forces

ATOs and new account fraud are no longer just the purview of lone wolves and a loose knit groups of hooligans, either. Professionally run and sporting the technological firepower of any modern enterprise, these groups grow more sophisticated by the day. According to our own data, fraudsters launched 3 billion automated bot attacks last year, for example. That included 2.1 billion bot attacks targeting merchants. A staggering 189 million of those were mobile-based automated attacks.

Cybercriminals are also teaming up. It’s estimated that up to 30% of ATOs are actually perpetrated by networked crime rings. Account opening fraud could be worse, given the complex web of fraudulent or complicit businesses needed to establish credit for and season a synthetic identity. As Payments Journal points out, this enables these groups to maximize the number of successful scams they’re able to pull off.

They might share vulnerabilities they’ve found in the defenses of target businesses and payment providers, divvy up jobs among themselves to utilize different kinds of expertise or databases, or to leverage regional assets such as money mules for cashing out funds stolen a world away. It may also be a primary factor in the increase in CATOs over the past year.

Fighting Back is a Group Effort

All of this creates tension with those other goals of merchants and payment providers alike: onboarding and authenticating customers as easily and quickly as possible, preventing false declines that can see them defect to competitors, while protecting them, and the business, from theft and exploitation.

Payment fraud detection systems must look beyond static identity data in order to make better informed risk decisions. In Al Pascual’s view, that means “it’s paramount that they incorporate tools like document scanning, behavioral risk assessment and digital identity.” Look for more adroit issuers and merchants to turn to solutions that enable them to connect the dots between users, their historical behaviors, their devices, and their accounts in order to detect anomalies that may signal fraudulent identities and risky transactions.

Some organizations will gravitate toward region or industry-specific consortiums and other options that grant them shared, global, and anonymized identity intelligence combined with behavioral and device biometrics so they can instantly recognize legitimate customers while blocking out those wielding stolen identity information, whether it’s been associated with verified fraud elsewhere, or the first time it’s being leveraged in a crime. This concept of consortium is particularly helpful in pinpointing and stopping money mule activity. Traditional approaches often fail to create the linkages between separate accounts and identities, which may be part of a complex network of mules.

The Bottom Line

In a constantly evolving, hyper-competitive environment where growing transaction volumes could easily top $520 billion in sales in just the US this year, and up to $3 trillion worldwide, it’s imperative for payment providers to find ways to help their merchants accept more orders, reduce chargebacks, and attract loyal customers. It’s a tall order, but the online payment fraud detection systems they deploy had better be up to the challenge.

Download this solution brief “Increase Payment Processing Confidence & Efficiency” to learn more about implementing a digital identity-based approach to payment fraud detection.

ThreatMetrix Team

ThreatMetrix Team

close btn