Mar 26

Understanding Gift Card Fraud Part 2: Fraudsters love gift cards, too!


In part one, we spoke about what an amazing deal gift cards (GCs) are and why they are so popular with consumers. Today we dive deeper into why fraudsters love gift cards and how they take advantage of them.

We previously mentioned that it’s unlikely a fraudster is the actual person that redeems a gift card for merchandise. Although it is true that some fraudsters may occasionally enjoy a latte or new pair of shoes on us, it is much more lucrative for them to turn these forms of currency into cold hard cash. Doing this also shifts the risk onto an unsuspecting victim and off of the fraudster.

For the record, it’s also incredibly easy to do.

All of the innovation used to streamline the customer experience has also streamlined the fraudster experience. The websites used to trade unredeemed cards for other cards or cash are the same websites fraudsters use to cash out. Although trading sites offer the buyer some protection, the site operator is usually left holding the bag once it has paid out for a GC that the merchant later revokes because it was bought with stolen credit card information.

Other sites, like Craigslist and social media yard sale groups, offer no consumer protection, so the purchaser has no recourse. What looks like a great deal, a GC bought at a discount, can turn out to be a card with no balance because the merchant caught on to the original scheme and devalued it.

There are ten states in the US that have passed laws on cashing out gift cards. * These laws let consumers go to a physical store and receive the remaining balance of a gift card in cash. Most states cap this at $5, but California is a little more generous and extends the limit to $10. For a consumer it is a real benefit to get a small remaining balance in cash, a balance you would likely forget about and never use, and the laws were passed with that in mind.

Unfortunately, fraudsters have zeroed in on this benefit and are taking full advantage of it. We have seen a host of merchants with fraudulently obtained GCs being cashed out at California locations specifically because of the higher threshold. Five dollars here and ten dollars there does not sound like much, but it adds up when you realize this can be someone's full-time job. Cashing out three ten-dollar cards takes on average 15 minutes: that is $30 per quarter hour, or $120 an hour, and over a 40-hour workweek about $4,800, which works out to a six-figure income over a year.

At this point you might be asking how fraudsters obtain these GCs in the first place. That part is also fairly easy. User credentials and account information are widely available for purchase on underground forums, due in part to the recent increase in large-scale data breaches. Once a fraudster has this data, they can do one of several things:

  • Put card data onto a dummy card and use it in a physical store
  • Use credit card data to purchase on any website
  • Use existing credentials to log in to a site and purchase with stored payment information
  • Use existing credentials to log in to an app and trigger auto-reloading of accounts, then transfer to a GC


With all of these daunting threats, what can a merchant do to protect their business?

First, make sure your online business screens both the purchase and the redemption of gift cards, electronic and physical alike. When screening GC purchases, look at the quantity of cards per order, the velocity of orders going to a specific shipping address or email, and the velocity of devices used to place multiple orders.
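The screening rules just listed, worked through over a constructed batch of orders. This is an added example and not code from the original post or from 41st Parameter; the Order fields, the 24-hour window, the quantity and velocity thresholds and the sample orders are all assumptions chosen for illustration.

```python
"""Velocity screening of gift-card orders.

Added example, not code from the original post. The Order fields, the
thresholds and the sample orders are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: datetime
    email: str
    ship_to: str
    device_id: str
    card_count: int  # gift cards in this order


# Assumed thresholds; tune them to your own attack rate and false-positive budget.
MAX_CARDS_PER_ORDER = 5
WINDOW = timedelta(hours=24)
MAX_PRIOR_ORDERS = {"email": 2, "ship_to": 2, "device_id": 3}


class VelocityScreener:
    """Keeps a sliding 24-hour history per email, shipping address and device."""

    def __init__(self) -> None:
        self._history = {key: defaultdict(deque) for key in MAX_PRIOR_ORDERS}

    def screen(self, order: Order) -> list[str]:
        """Return the reasons to hold the order; an empty list means it passes."""
        reasons = []
        if order.card_count > MAX_CARDS_PER_ORDER:
            reasons.append(f"quantity: {order.card_count} cards in one order")
        for key, limit in MAX_PRIOR_ORDERS.items():
            value = getattr(order, key)
            seen = self._history[key][value]
            while seen and order.ts - seen[0] > WINDOW:  # drop orders outside the window
                seen.popleft()
            if len(seen) >= limit:
                reasons.append(f"velocity: {key}={value!r} already has {len(seen)} orders in 24h")
            seen.append(order.ts)
        return reasons


def screen_batch(orders: list[Order]) -> dict[str, list[str]]:
    """Replay orders in time order and return {order_id: reasons} for held orders."""
    screener = VelocityScreener()
    held = {}
    for order in sorted(orders, key=lambda o: o.ts):
        reasons = screener.screen(order)
        if reasons:
            held[order.order_id] = reasons
    return held


# Constructed sample: one bulk order, three orders shipping to the same address,
# four orders from the same device, and a late order outside the window.
T0 = datetime(2015, 3, 20, 9, 0)
SAMPLE_ORDERS = [
    Order("o1", T0, "a@example.com", "1 Main St", "dev-1", 1),
    Order("o2", T0 + timedelta(minutes=10), "b@example.com", "2 Oak Ave", "dev-2", 8),
    Order("o3", T0 + timedelta(minutes=20), "c@example.com", "9 Elm Rd", "dev-3", 2),
    Order("o4", T0 + timedelta(minutes=25), "d@example.com", "9 Elm Rd", "dev-4", 2),
    Order("o5", T0 + timedelta(minutes=30), "e@example.com", "9 Elm Rd", "dev-5", 2),
    Order("o6", T0 + timedelta(minutes=40), "f@example.com", "5 Pine St", "dev-3", 1),
    Order("o7", T0 + timedelta(minutes=45), "g@example.com", "6 Pine St", "dev-3", 1),
    Order("o8", T0 + timedelta(minutes=50), "h@example.com", "7 Pine St", "dev-3", 1),
    Order("o9", T0 + timedelta(days=2), "i@example.com", "9 Elm Rd", "dev-9", 1),
]

if __name__ == "__main__":
    for order_id, reasons in screen_batch(SAMPLE_ORDERS).items():
        print(order_id, reasons)
```

Running it holds o2 (bulk quantity), o5 (third order to the same address within a day) and o8 (fourth order from one device), while o9, which ships to the same address two days later, passes because the window has expired. In production the device key would come from a device fingerprint rather than a self-reported id, and the history would live in a shared store rather than in process memory.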

You also want to monitor the redemption of loyalty rewards and any traffic into those accounts. Loyalty fraud is a newer type of fraud that has exploded because these channels are not normally monitored: points are not booked as a financial loss, so priority has gone elsewhere in the business. However, loyalty points can be redeemed for gift cards or sold on the black market, and the downstream effect is inconvenience for your customer and harm to your brand's image.

Additionally, if you offer physical GCs, put a scratch-off PIN on the back of the card. If a GC has no PIN, fraudsters can walk into a store, photograph the card numbers on the rack, and redeem them online once the cards have been activated. Fraudsters will also tumble card numbers (enumerate the numbers around a known one) once they have figured out the numerical sequence of the cards. A PIN that is only revealed by scratching defeats both: a photographed number is useless without the PIN, and an enumerated number cannot be checked or redeemed without guessing it, provided the PIN is random rather than derived from the card number and balance or redemption attempts are rate limited.
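The two card-number attacks above, and what the PIN and rate limit change, as an added example that is not code from the original post or from any real gift-card issuer. The issuer prefix, the Luhn check digit, the six-digit PIN and the five-attempt lockout are assumptions; the weak service is deliberately PIN-less to show the tumbling attack succeed.

```python
"""Card-number tumbling against a PIN-less balance check, and the hardened form.

Added example, not code from the original post. The issuer prefix, the Luhn
check digit, the PIN length and the lockout threshold are assumptions.
"""
from __future__ import annotations

import hmac
import secrets
from collections import defaultdict


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body+digit pass the Luhn test (as real card numbers do)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # rightmost body digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def issue_sequential(prefix: str, start: int, count: int) -> list[str]:
    """Weak scheme: consecutive 10-digit bodies, so one number reveals its neighbours."""
    numbers = []
    for seq in range(start, start + count):
        body = prefix + f"{seq:010d}"
        numbers.append(body + luhn_check_digit(body))
    return numbers


def tumble(known: str, span: int) -> list[str]:
    """Attacker: from one valid number, derive the Luhn-valid numbers around it."""
    prefix, seq = known[:-11], int(known[-11:-1])
    candidates = []
    for delta in range(-span, span + 1):
        if delta != 0 and seq + delta >= 0:
            body = prefix + f"{seq + delta:010d}"
            candidates.append(body + luhn_check_digit(body))
    return candidates


class WeakService:
    """No PIN: anyone holding a number can query its balance, with no limit."""

    def __init__(self, numbers: list[str], balance: float = 25.0) -> None:
        self.cards = {n: balance for n in numbers}

    def balance(self, number: str) -> float | None:
        return self.cards.get(number)  # None means "not a live card"


MAX_FAILED = 5  # assumed per-source lockout threshold


class HardenedService:
    """Random bodies, a scratch-off PIN, and lockout after repeated failures."""

    def __init__(self) -> None:
        self.cards: dict[str, tuple[str, float]] = {}
        self.failed: dict[str, int] = defaultdict(int)

    def issue(self, prefix: str, balance: float = 25.0) -> tuple[str, str]:
        body = prefix + f"{secrets.randbelow(10**10):010d}"  # unpredictable, not sequential
        number = body + luhn_check_digit(body)
        pin = f"{secrets.randbelow(10**6):06d}"
        self.cards[number] = (pin, balance)
        return number, pin

    def balance(self, number: str, pin: str, source: str) -> tuple[str, float | None]:
        if self.failed[source] >= MAX_FAILED:
            return "locked", None
        card = self.cards.get(number)
        # Unknown number and wrong PIN are indistinguishable; comparison is constant-time.
        if card is None or not hmac.compare_digest(card[0], pin):
            self.failed[source] += 1
            return "denied", None
        return "ok", card[1]


def attack_weak(service: WeakService, leaked: str, span: int = 50) -> list[str]:
    """Tumble around one leaked number and keep every number that has a balance."""
    return [n for n in tumble(leaked, span) if service.balance(n) is not None]


def attack_hardened(service: HardenedService, leaked: str, guesses: list[str]) -> list[str]:
    """Same attack with a handful of PIN guesses per number; stops once locked out."""
    hits = []
    for n in tumble(leaked, 50):
        for pin in guesses:
            status, _ = service.balance(n, pin, source="attacker-ip")
            if status == "ok":
                hits.append(n)
            if status == "locked":
                return hits
    return hits
```

Against the weak service, one leaked number from a batch of ten sequential cards is enough to find the other nine with fifty balance queries each way. Against the hardened service the same attacker finds nothing: the bodies are random so the neighbours are not cards, every query needs a PIN, and after five failures the source is locked out even if it later presents the correct PIN. A real deployment would also store the PIN hashed rather than in clear, and key the lockout on more than a source IP.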

The use of GCs is going to continue to increase in the coming years— this is no surprise. Mobile will continue to be incorporated with these offerings, and answering security challenges will be paramount to their success. Although we are in the age of the data breach, there is no reason that the experience of purchasing or redeeming a gift card should be hampered by overly cautious fraud checks. It’s possible to strike the right balance— grow your business securely by implementing a fraud solution that is fraud minded AND customer centric.

*GC and eGC are used interchangeably.

Mar 05

Understanding Gift Card Fraud Part 1: Their prevalence in modern society



Gift cards have risen in popularity over the last few years— National Retail Federation anticipated more than $31B in gift card sales during the 2014 holiday season alone. Gift cards are the most requested gift item, and they have been for eight years in a row. Total gift card sales for 2014 were anticipated to top $100 Billion.

Gift cards are a practical gift – the purchaser can let the recipient pick exactly what they want, eliminating the worry of picking something that doesn’t fit right, that is a duplicate, or something that the recipient just might not want. They are also incredibly convenient, quick, and easy to purchase. The stigma behind gift cards is starting to fade, and it no longer seems as though they are an impersonal gifting option.

Additionally, the range of gift cards available has expanded greatly in the last few years. If you are of the procrastinating nature, there are eGift Cards or eCertificates, which can be emailed to the recipient in a matter of minutes. If you are truly unsure what to purchase, you can give an open-loop card; these are usually branded by Visa, MasterCard or American Express and can be used anywhere their logo appears.

It also seems like a quick win for merchants to carry gift cards. The overhead cost to store them is extremely low because a small box of gift cards takes up very little space. When customers come in to redeem their GC, they usually spend more than the original value of the card itself, thus allowing for additional revenue capture.

Something else that merchants have started doing in this big data world we live in is tying gift cards to consumer loyalty programs. Reloadable cards are now linked to a specific customer, who can also tie a credit card to the account so that it is automatically charged whenever the balance drops below a pre-defined threshold. These new consumer loyalty accounts can be used to track spending history, tailor offers to the specific customer, and continue to expand the immersive brand experience.

Recently, a certain Mexican-themed fast food establishment launched their new mobile app; in the app, you could pre-order food, send and redeem eGCs, and find the nearest location. I don’t even eat at this establishment, but the innovation of their app was so enticing that I installed it the morning it came out, purchased an eGC for my husband, and pre-ordered breakfast. It was extremely easy and convenient, and I got a free taco! Now they have my soul. Okay, maybe not my soul, but they have my credit card data, purchasing preferences, device information, and location, which is almost the same thing at this point. After the experience I found myself asking why other merchants haven’t already done this or why it hasn’t taken off yet. This is a great example of how gift cards and emerging technology are being used as a marketing tool to entice consumers to build up a customer base.

In the rare instance that a gift recipient does not actually find value in their gift card (the horror!) there is a multitude of options for trading it in or redeeming it for cash. Well-known trade-in websites include Giftcard Granny and Card Hub; it is also common to find discounted GCs for sale on eBay, Craigslist and Facebook groups. A couple of familiar names that have recently entered the mix are Wal-Mart and CoinStar. You can now exchange a physical gift card for cash at certain CoinStar machines, and if you don't feel like leaving home, you can exchange your card online with Wal-Mart, which will give you a Wal-Mart gift card redeemable online or in stores. The practice is so common that you can find articles on it on local, national and 24-hour news websites.

This tremendous revenue booster does not come free of risk, however. We know that fraudsters are clever and opportunistic. They will probe every weakness they can find and take advantage of programs that are meant to enhance the consumer experience. But are they really stealing all these gift cards for personal gain and taking their friends out to the local coffee shop for free drinks? Stay tuned for the second part of this blog, which covers the fraud risks associated with gift cards and what you can do to mitigate them.

Please note: GC and eGC are used interchangeably.

Feb 11

After A Breach … Now What?



The news of the latest breach last week reported that tens of millions of customer and employee records were stolen by a sophisticated hacker incursion. The data lost is reported to include names, birth dates, Social Security numbers, and addresses.

The nature of the stolen data has the potential to create long-term headaches for the organization and tens of millions of individuals. Unlike a retailer or financial breach, where stolen payment cards can be deactivated and new ones issued, the theft of permanent identity information is, well, not easily corrected. You can’t simply reissue Social Security numbers, birth dates, names and addresses. What’s more, the data likely includes identity data on millions of dependent minors, who are prime targets for identity thieves and whose credit goes frequently unmonitored.

According to the Identity Theft Resource Center’s 2014 Data Breach Report, a record 783 breaches, representing 85 million records, occurred from January through September 2014 alone. The breaches have ranged across virtually every industry segment and data type.

So where does all this breached data go?

It goes into the massive, global underground marketplace for stolen data, where it’s bought and sold, and then used by cybercriminals and fraudsters to defraud organizations and individuals. Like any market, supply and demand determines price, and the massive quantity of recent breaches has made stolen identities more affordable to more fraudsters, exacerbating the overall problem. In fact, stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company.[1]

The big question: So what now?

The answer: Assume that all data has been breached, and act accordingly.

Such a statement sounds a bit trivial, but it’s a significant paradigm shift. It’s a clear-headed recognition of the implications of the ongoing, escalating covert war between cybercriminals and fraudsters, on one side, and organizations and consumers on the other.

For individuals, we need to internalize this fact: our data has likely been breached, and we need to become vigilant and defend ourselves. Sign up for a credit monitoring service that covers all three credit bureaus to be alerted if your data or ID is being used in ways that indicate fraud. Include your children, as well. A child’s identity is far more valuable to a fraudster as they know it can be several years before their stolen identity is detected. Many parents do not check their child’s credit regularly, if at all.

For organizations, it’s a war on two fronts: data protection and fraud prevention. And the stakes are huge, bigger than many of us recognize. We’re not just fighting to prevent financial theft, we’re fighting to preserve trust — trust between organizations and consumers, at the first level, and ultimately widespread consumer trust in the institutions of finance, commerce, and government.

We must collectively strive to win the war on data protection, no doubt, and prevent future data breaches. But what breaches illustrate is that, when fundamental identity data is breached, a terrible burden is placed on the second line of defense — fraud prevention.

Simply put, organizations must continually evolve their fraud prevention control and skills, and minimize the damage caused by stolen identity data. And we must do it in ways that reinforce the trust between consumers and organizations, enhance the customer experience, and frustrate the criminals.

At 41st Parameter, we are at the front lines of fraud prevention every day, and what we see are risks throughout the ecosystem. Account opening is a particular vulnerability, as consumer identity data obtained in the underground will undoubtedly be used to open lines of credit, submit fraudulent tax returns, etc. unbeknownst to the consumer. Since so much data has been breached, many of these new accounts will look “clean,” presenting a major challenge for traditional identity-based fraud and compliance solutions. But it’s more than new accounts — account takeover, transactions, loyalty, every stage is in jeopardy now that so much identity data is on the loose. Even the call center is vulnerable, as the very basis for caller authentication often relies on components of identity.

At 41st Parameter and Experian Fraud & Identity solutions, we advocate a comprehensive layered approach that leverages multiple solutions such as FraudNet, Precise ID, KIQ, and credit data to protect all aspects of the customer journey while ensuring a seamless, positive user experience across channels and lines of business. Read our fraud perspective paper to learn more.

Now is the time to take action.


Oct 09

#FraudLifecycle Series: The Right Amount of Authentication


Our #fraudlifecycle series of blog posts intends to inform our audience about trends, challenges and strategies of addressing fraud. Make sure to follow the #fraudlifecycle conversation here and on Twitter at @41stParameter

In last week’s post we explored the topic of authentication’s role in a world of emerging technologies. This week, we chose to delve into the evergreen question: what is the best balance of authentication in fraud prevention?

Today’s Landscape

Today’s multi-device landscape offers a number of different ways to complete online transactions. While this has driven rapid growth in the number of online transactions, it has also opened up more opportunities for fraud. The key to top-notch fraud prevention as fraud events escalate is to strike the proper balance of authentication. Here are some key points of view on the subject from our most recent webinar.

The Answer Is In The Data

There are many factors to consider when determining this balance. Michelle Brisby, senior fraud manager with Sephora Direct, said that the amount of authentication really depends on the business that it supports. She notes the differences between shipped goods merchants and digital merchants. Shipped goods allow for more time for verification prior to actual shipment, whereas in the digital realm the authentication process needs to happen immediately. But business categories aside, Brisby noted that knowing the data and understanding how to leverage the fraud tools in the transaction process is a sure-fire way to reduce false positive rates and ensure a good and memorable client-customer experience.

Dave Britton, from 41st Parameter, a part of Experian, agreed with Brisby’s point that the amount of authentication should track the business category. “At 41st Parameter we often discuss the attack rate against a business. Every business has a different attack rate. Part of that’s driven by the types of goods being sold and part of that’s driven by the methods of sale. It can even be shaped based on geography,” said Britton. He explained that this rate is worth measuring and can be calculated by comparing the fraud that was blocked with the fraud that was actually lost. Britton maintains that this data-centric method is a sound way to balance authentication with the customer experience.

Food For Thought

While data is clearly central to finding the right amount of authentication, customers’ growing expectation of instant gratification is beginning to challenge that balance. Cherian Abraham from the Experian Decision Analytics team homed in on this potential rift. “There is a lot of data at your disposal to be able to knock out fraud. However, at the same time, the bar is set very high as it relates to customer experience in terms of how they expect the brand to behave with them as a consumer and to provide consumer fulfillment.” Abraham discussed how newer technologies and the modern consumer mindset are creating a gap in the authentication balance. “Brands have to be very cognizant of the fact that they have the fraud prevention toolset today, but at the same time customer expectations around what brands need to be doing is slipping and further widening this gap,” said Abraham.

For more information and access to the full webinar – please click here. Stay tuned for additional #fraudlifecycle posts.

Sep 29

#Fraudlifecycle; turning the tables on cyber criminals


Fraud is not a point-in-time problem and data breaches should not be considered isolated attacks, which break through network defenses to abscond with credentials. In fact, data breaches are just the first stage of a rather complex lifecycle that begins with a vulnerability, advances through several stages of validation and surveillance, and culminates with a fraudulent transaction or monetary theft.

Cyber criminals are sophisticated and have a growing arsenal of weapons at their disposal to infect individual and corporate systems and capture account information: phishing, SMiShing and vishing attacks, malware and the like are all attempts to defeat security controls and reach protected information. Criminal tactics have even evolved to include physical-world approaches, such as infiltrating call centers through social engineering attacks aimed at unsuspecting representatives. These and similar efforts are all part of the constant quest to identify and exploit weaknesses in order to stage and commit financial crimes.

Some companies claim malware detection is the silver bullet for preventing fraud. This is simply not the case. Malware is only one of the ways fraudsters obtain credentials. Given the seemingly endless supply of pristine identity and account data in the criminal underground, detecting that a user’s system has been compromised is akin to closing the barn door after the horse has bolted. That is, malware can be an indicator that an account has been compromised, but it does not help identify the subsequent use of the stolen credentials by the criminals, however those credentials were compromised.

Compromised data is first validated by the seller as one of their “value adds” to the criminal underground and typically again by the buyer. Validation usually involves logging into an account to ensure that the credentials work as expected, and allows for a much higher “validated” price point. Once the credentials and/or account have been validated, cyber criminals can turn their attention to surveillance.

Remember, by the time one realizes that credential information has been exposed, cyber criminal rings have already captured the information they need, such as usernames, passwords, challenge responses and even token or session IDs, and have added it to their underground data repositories. With traditional online authentication controls it is nearly impossible to detect the initial fraudulent login that uses ill-gotten credentials, because from the application’s point of view the correct password was presented. That is why it is critical to operate from the assumption that all account credentials have been compromised when designing an online authentication control scheme.
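Two controls that do see the first use of stolen credentials even though the password check passes, worked over a constructed login log. This is an added example, not code from the original post or from 41st Parameter; the event fields, the device identifier, the 30-minute window and the three-account threshold are assumptions. The first check flags a successful login from a device the account has never used; the second flags the validation stage described above, where one device logs in to account after account from a purchased list.

```python
"""Two checks that catch the first use of stolen credentials.

Added example, not code from the original post. Event fields, the window and
the threshold are assumptions; the login log below is constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    device_id: str  # device fingerprint or cookie id; an assumption of this example
    success: bool


VALIDATION_WINDOW = timedelta(minutes=30)
MAX_ACCOUNTS_PER_DEVICE = 3  # assumed: a third distinct account from one device in 30 min


def detect(events: list[LoginEvent]) -> list[tuple[str, str, str]]:
    """Replay successful logins and return (account, device_id, alert) tuples.

    new-device: the account has a login history and this device is not in it.
    credential-validation: one device has now logged in to several distinct
    accounts within the window, the pattern of a seller or buyer testing a list.
    """
    known_devices: dict[str, set[str]] = defaultdict(set)
    recent: dict[str, deque] = defaultdict(deque)  # device -> (ts, account)
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue  # failures are noise here; a correct password is what we worry about
        if e.device_id not in known_devices[e.account]:
            if known_devices[e.account]:  # skip the account's very first login
                alerts.append((e.account, e.device_id, "new-device"))
            known_devices[e.account].add(e.device_id)
        window = recent[e.device_id]
        while window and e.ts - window[0][0] > VALIDATION_WINDOW:
            window.popleft()
        window.append((e.ts, e.account))
        if len({acct for _, acct in window}) >= MAX_ACCOUNTS_PER_DEVICE:
            alerts.append((e.account, e.device_id, "credential-validation"))
    return alerts


# Constructed login log: three established customers, then one unknown device
# walking a purchased list of credentials, then a genuinely new customer.
T0 = datetime(2014, 9, 29, 8, 0)
SAMPLE_LOG = [
    LoginEvent(T0, "alice", "dev-A", True),
    LoginEvent(T0 + timedelta(days=1), "alice", "dev-A", True),
    LoginEvent(T0, "bob", "dev-B", True),
    LoginEvent(T0, "carol", "dev-C", True),
    LoginEvent(T0 + timedelta(days=2), "alice", "dev-X", True),
    LoginEvent(T0 + timedelta(days=2, minutes=5), "bob", "dev-X", False),
    LoginEvent(T0 + timedelta(days=2, minutes=6), "bob", "dev-X", True),
    LoginEvent(T0 + timedelta(days=2, minutes=12), "carol", "dev-X", True),
    LoginEvent(T0 + timedelta(days=2, minutes=15), "dave", "dev-D", True),
]

if __name__ == "__main__":
    for account, device, alert in detect(SAMPLE_LOG):
        print(f"{alert:22} account={account} device={device}")
```

On the sample log, dev-X raises a new-device alert on alice, bob and carol and a credential-validation alert once it reaches its third account inside the window; dave's first-ever login from dev-D raises nothing, and the failed attempt on bob is ignored. Neither check needs to know how the credentials were stolen, which is the point of the paragraph above.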

Sep 25

#FraudLifecycle Series: Managing the Integrated Omnichannel Experience


Our #fraudlifecycle series of blog posts intends to inform our audience on trends, challenges and strategies of addressing fraud. Make sure to follow the #fraudlifecycle conversation here and on Twitter at @41stParameter

Our latest webinar explored the problems that businesses face in balancing fraud prevention with the frictionless customer experience in today’s omnichannel environment. Today, we’re taking a hard look at managing that all-important integrated omnichannel experience.

According to a 2013 Experian Marketing Services study, 36 percent of organizations interact with their customers in five or more channels. Matthew Ehrlich, director of product management with Experian Decision Analytics, predicts that number will hit 45 percent as we move into the fourth quarter of 2014, given the growth of mobile and tablet usage. “We have some strong forces working against today’s businesses. Retailers strive for a well-balanced and consistent customer friendly experience across all of the channels they offer sales through,” he explained before turning it over to Michelle Brisby, senior fraud manager with Sephora Direct, for her insight on what makes Sephora a leader in the customer omnichannel experience.

First, Brisby noted that the Sephora mobile app has more than 4 million downloads. “In addition, we offer store-to-web purchase. If it’s not on our shelf you can purchase it at the store and then ship it to your location. In the past we’ve also offered a concierge-type service where you can purchase online and then the order would be fulfilled and someone would show up at your door to deliver the goods. And then lastly we also have the call center where you can receive a beauty consultation, then place an order by phone. Plus, we have different channels that are geared towards client support,” she explained.

Managing various channels is no easy task, particularly web versus mobile. There is a challenge in separating traffic that comes in from various websites, whether a reseller, a referral or an ad. Before the mobile explosion, Brisby said, fraud managers only had to concern themselves with two channels, phone and web. With mobile thrown into the mix, they scrambled to find a way to separate the additional channels, since different devices require different screening, software and rules.

Many companies don’t have in-house resources or experts in mobile. David Britton, an expert on mobile and its associated risks, said “In new channel environments marketing realizes that to stay relevant they have to have a slick and convenient way for customers to interact. So they very quickly put forth great ideas of new products and services that can be deployed in the mobile space and it’s common to outsource that development. Where the breakdown occurs is risk. In many cases, what we find is that all of the strategies built up by businesses over the last decade to combat the online channel and all of the philosophies and strategies that have been put in place are not making their way into that third party development process.”

Cherian Abraham, a senior business consultant with Experian Decision Analytics, says that balancing your approach to satisfying risk mitigation requirements is a challenge for the channel that’s at arm’s length for consumers: mobile. “With the ultimate customer experience on the front end, that’s a challenge regardless of what you know, whether you are a retail brand or a bank. Omnichannel discussions are almost always distilled down to mobile. When you have the limitations that are channel imposed, coupled with the element of fraud, fraudsters are going to leverage it as much as they can.”

Another factor to consider with managing a smooth customer experience across channels is authentication – there is a fine line between protecting customers with the appropriate level of security and turning customers away due to frustrations with authentication. We’ll review what the experts had to say about authentication in our next #fraudlifecycle post. At the end of the day, balance is key. But it’s also a challenge for most of the organization regardless of whether you’re a retailer or a financial institution.

Sep 05

#FraudLifecycle Series: Q&A with Michelle Brisby, Senior Fraud Manager of Sephora Direct


We’re launching a series of #fraudlifecycle blog posts to help inform people on the trends, challenges and strategies associated with addressing fraud. Make sure to follow the #fraudlifecycle conversation on Twitter!

During a recent webinar on balancing customer experience and fraud prevention, we had the opportunity to hear from an expert panel including Michelle Brisby, the senior fraud manager of Sephora Direct. Here’s a Q&A with Michelle:

Fraud Lifecycle: Have recent compromises of personally identifiable information (i.e. name, full address, phone number, social security number, etc.) caused any shifts in your fraud prevention tactics and are you seeing any reluctance on the part of customers to provide this type of information?

Michelle Brisby: In the wrong hands, what is considered good personally identifiable information for our business can be the theft of an identity. This reality requires a shift in fraud prevention tactics. There are things that we do today that are different from what we did in the past. For example, there is new, less obvious data that can be used behind the scenes to validate a client.

As for our customers, I don’t believe it has stopped them from shopping; it just has made them more aware. Customers are watching their credit cards and bank statements more closely and then disputing suspect transactions much faster. They understand that PII is essential to online commerce because it actually links back to the source: the bank. Banks have email addresses, phone numbers, and billing and shipping addresses on file. So not only are we validating the information as the merchant, but we’re also getting additional validation from the banks and other third party sources.

FLC: Sephora is known for a very elegant and integrated omni-channel experience for its customers. What makes Sephora a leader in this space and what are the challenges of managing the different channels?

MB: Thank you. As a fraud manager, you used to have two sources: your call center and the web. Now you have mobile thrown in to the equation. At a certain point, you’ve got everything – the stores, online, the call center, apps – all flowing through one source: your dedicated website. You need to find a way to separate these channels since different devices require a different set of slot screening and rules, as well as software. There is now a need to separate the channels so that from a fraud manager or fraud analyst perspective you can identify your traffic and determine next steps.

FLC: What are some of the challenges in establishing a mobile presence?

MB: For me the biggest challenge is timing. All of the new software and the preventative measures require involvement from IT in terms of development time. You just can’t add new software without knowing the impact to your website and the requirements for implementation. All of these require the fraud manager to work on coordinating dates, times, testing, and mapping. Then there is also the knowledge piece of it. There is so much information out there in the space that you need to make sure that it’s right for your brand and your business.

FLC: What is the right amount of authentication in fraud prevention?

MB: The right amount of fraud prevention depends on your business: are you shipping goods? A digital merchant? A subscription-type merchant?

Being that I am a shipped goods merchant, I actually have a little more time than a digital merchant, meaning I can hold that order and do the right type of verification to validate the customer before the package is shipped. If an error is made, I can recall that package—whereas in the digital and subscription space it works a little different.

You also need to know your data, because tuning your fraud tool directly correlates with knowing how you should tune in and what orders need to come into queue to reduce that false positive rate. I would generally look to use the reporting that’s offered through fraud tools and have someone dig through those reports on a daily basis to determine if my rules are firing correctly. Am I seeing the right number of orders? Are my false positives too high? Those are the questions that you have to ask yourself when you’re looking to implement a good client-customer experience.

FLC: Thanks very much for your time Michelle.

MB: Thank you, it’s been a pleasure.

Listen to the complete webinar here and stay tuned for more #fraudlifecycle posts.

Aug 28

#FraudLifecycle Series: Balancing Fraud Prevention – Managing Cyber Risks without Sacrificing the Customer Experience


We are launching a #fraudlifecycle series of blog posts to inform our audience on trends, challenges and strategies of addressing fraud. Make sure to follow the #fraudlifecycle conversation online!

Our latest webinar explored the problems that businesses face in balancing fraud prevention in today’s omnichannel environment. The panel of experts—including Michelle Brisby, senior fraud manager with Sephora Direct, Cherian Abraham, a senior business consultant with Experian Decision Analytics and Dave Britton, vice president of industry solutions with 41st Parameter, a part of Experian—provided insights on the challenges they face in managing cyber risk without sacrificing customer experience.

In this post, we will examine the key problems faced today with the unprecedented level of personal customer information available for exposure to fraudsters. Here’s a look at what our panelists had to say on the subject:



Q1: Do you need to consider every transaction as potentially compromised?

The short answer is yes. David Britton pointed out, “It’s one thing to understand that usernames and passwords may be compromised, but equally important to understand that other data—email addresses, phone numbers and all of the other elements that make-up personally identifiable information—can be used by the fraudsters to build-up very good profiles in terms of impersonating legitimate users.”

Q2: Has this caused any shift in fraud prevention tactics?

Cherian Abraham is an advocate for a layered approach. “Use [of] a layered approach is a smarter approach in terms of decoupling from just using usernames and passwords, but also looking at a variety of other inspirations before…authorizing the customer to do certain things,” he explains.

Michelle Brisby pointed to “other data points that you can use behind the scenes. So I do strongly feel that with these breaches it has changed the way we look at things. However, there are more data points available for us to actually validate a client.”

Q3: Is there reluctance on the part of the customer to provide personal information?

Michelle Brisby noted, “I don’t believe it’s stopped consumers from shopping. I just think it’s made them more aware. They’re now watching their credit cards and their bank statements more closely and then disputing those transactions much faster.”

Q4: Is it still standard practice to collect this personal information?

“It is essential to continue to collect that information and the reason being that information actually links back to the source: the bank,” Brisby explained. “Banks have phone numbers, billing, shipping addresses [on file], so not only are you validating it, you’re also getting an additional validation from the banks and other third party sources. So it’s still important to collect the data, but you also need to take it one step further.”

Click here to listen to the complete webinar. Stay tuned for more #fraudlifecycle posts.
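The layered approach the panel describes, treating a correct username and password as only the first layer and checking the device, phone and addresses against what the merchant and the bank already have on file, can be shown as a small decision function. The code below is an added example written for this post, not code from any of the panelists or their companies. The known-device table and the "bank on file" record are constructed stand-ins for a merchant's device history and a bank or third-party verification response; the weights and thresholds are assumptions chosen to illustrate the idea.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    password_ok: bool   # layer 1: result of the credential check
    device_id: str      # merchant-side identifier for the device on this session
    phone: str          # phone number supplied with the order
    billing_zip: str
    ship_zip: str


# Constructed stand-ins (not a real API): devices already seen for each customer, and the
# phone / address data a bank or third-party service reports as on file.
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"dev-a1"}}
BANK_ON_FILE = {
    "alice": {"phone": "+15551230000", "billing_zip": "94105", "ship_zips": {"94105", "94110"}},
}

# Assumed risk weight per mismatch; billing address weighs most because the bank's
# billing record is the most authoritative of the four.
RISK_WEIGHTS = {"new_device": 2, "phone_mismatch": 2, "billing_zip_mismatch": 3, "ship_zip_unknown": 2}
STEP_UP_MAX = 3  # total score 1..3 -> extra verification; higher -> manual review


def risk_signals(a: LoginAttempt) -> Dict[str, bool]:
    """Layer 2: compare what the session presents with what the merchant and bank know."""
    on_file = BANK_ON_FILE.get(a.username)
    return {
        "new_device": a.device_id not in KNOWN_DEVICES.get(a.username, set()),
        "phone_mismatch": on_file is None or a.phone != on_file["phone"],
        "billing_zip_mismatch": on_file is None or a.billing_zip != on_file["billing_zip"],
        "ship_zip_unknown": on_file is None or a.ship_zip not in on_file["ship_zips"],
    }


def risk_score(a: LoginAttempt) -> int:
    """Sum the weights of every signal that fired."""
    return sum(RISK_WEIGHTS[name] for name, hit in risk_signals(a).items() if hit)


def decide(a: LoginAttempt) -> str:
    """Return 'deny', 'approve', 'step_up' (e.g. a one-time code to the phone on file) or 'review'."""
    if not a.password_ok:
        return "deny"
    score = risk_score(a)
    if score == 0:
        return "approve"
    if score <= STEP_UP_MAX:
        return "step_up"
    return "review"


# Constructed scenarios: a returning customer, the same customer on a new phone shipping to
# a second address the bank knows, and a session with the right password but nothing else matching.
RETURNING = LoginAttempt("alice", True, "dev-a1", "+15551230000", "94105", "94105")
NEW_PHONE_LEGIT = LoginAttempt("alice", True, "dev-b7", "+15551230000", "94105", "94110")
STOLEN_CREDENTIALS = LoginAttempt("alice", True, "dev-x9", "+15559990000", "94105", "30301")
WRONG_PASSWORD = LoginAttempt("alice", False, "dev-a1", "+15551230000", "94105", "94105")

if __name__ == "__main__":
    for label, attempt in [("returning", RETURNING), ("new phone", NEW_PHONE_LEGIT),
                           ("stolen credentials", STOLEN_CREDENTIALS), ("wrong password", WRONG_PASSWORD)]:
        print(f"{label:20s} score={risk_score(attempt)} decision={decide(attempt)}")
```

The point of the example is the third scenario: the password is correct, yet the new device, unknown phone and unfamiliar shipping address push the score past the step-up range, so the order goes to review instead of being approved on credentials alone. A legitimate customer on a new phone only triggers the lighter step-up check, which is the customer-experience trade-off the panel was discussing.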

Aug 06

Inside the mind of today’s cyber criminal


Online crooks are getting more sophisticated by the second. Nowadays, fraudsters have the ability to conduct “clean fraud,” obtaining legitimate identities of users from the black market or data breaches to compromise a victim’s card account. Malware, too, is becoming more sophisticated both in the mobile and non-mobile space. But how can organizations fight such high-level tactics in such a broad, complex space? John Sarreal, Senior Director of Product Management at 41st Parameter, an online fraud prevention player, sat down with PYMNTS after the recent release of the white paper “Surveillance, Staging, and the Fraud Lifecycle” to reveal the inner workings of a cyber criminal’s mind, what should be done before and after data is snatched, and which aspects of account takeover are the most overlooked and dangerous.

Interview excerpts

Take us through the mind of a cyber-criminal. What are the most sophisticated tactics used today to capture account information from corporate systems?

JS: The amount of clean fraud that we see with our customers is unprecedented. By focusing on obtaining legitimate credentials and identities, fraudsters are more easily able to bypass traditional controls. This means that fraud tools need to adapt and gather additional attributes to augment their fraud screening. Although the techniques they’re using now to obtain these credentials are increasingly sophisticated, the MOs are still rooted in basic phishing and social engineering attacks.

Fraudsters will use identity information obtained from the black market or data breaches to conduct very convincing phishing attacks to reveal everything that is needed to compromise a victim’s card account. There’s also increasing sophistication in the use of malware to steal sensitive credentials in both the mobile and non-mobile arena. In Android, for example, Google recently patched a vulnerability that allows sophisticated malware to impersonate digital certificate signing authorities. This vulnerability allowed the malware to install itself on a mobile device without any user notification or intervention – obviously, a very dangerous attack.

Link to the podcast and transcript here.
