Profiling the future fraudster
Subject: A warning about your online security
Dear chief executive,
You don’t know me, but I know you. You run a business that’s vulnerable to online fraud and it’s going to cost you dearly. How can I be sure? Because sooner or later I or one of my fellow fraudsters will target you.
We’ll use phished or pharmed credit card details to purchase high-value items from your ecommerce site. Perhaps we’ll carry out a spot of charge-back fraud or simply take over some of your customer accounts. Who knows? Maybe we’ll even exploit your loyalty programme. After all, it’s usually one of the weakest links in the security chain.
Naturally, there will be repercussions, for you, I mean. I know how to evade the long arm of the law. You’ll have to cover the charge-back fees and you may be in line for a fine if it turns out you’re not payment card industry data security standard compliant. And let’s not forget the reputational damage, which could equate to millions of pounds in lost business.
Maybe you think I’m talking to the wrong chief executive. Maybe you’re muttering: “But I’ve invested in fraud prevention software. I did so years ago.” Well, sorry to be the bearer of bad news, but online security isn’t something you can just do once and then forget about. Security threats evolve. Fraudsters change their tactics. So if you’re relying on legacy systems, we’ll catch you out sooner or later.
For instance, did you know some fraudsters use location spoofing to make it seem like the device they’re using is in the same location as the cardholder whose details they’ve stolen? And while some cybercriminals used to make huge orders on compromised cards soon after acquiring them, many of us are savvier now. We wait, add and delete things from online baskets, to make it seem as if we’re a legitimate customer, and place small orders before buying something more expensive.
Security threats evolve. Fraudsters change their tactics. So if you’re relying on legacy systems, we’ll catch you out sooner or later
Man-in-the-middle attacks are increasingly sophisticated too and often target mobile devices. These see us intercepting communications between customers and ecommerce merchants or banks. We eavesdrop on the content or modify traffic travelling between the two parties to access passwords and other sensitive information. Once we’ve got it, we can impersonate the victim with ease.
In future, more fraudsters will use deep-fake tools to impersonate everything from someone’s voice to their mannerisms to carry out sophisticated social engineering attacks. In fact, it’s already happening. Last year one enterprising criminal used readily available deep-fake tools to impersonate the voice of the chief executive of a German energy firm and trick a UK executive into handing over £200,000.
Unfortunately for us fraudsters, there are numerous tools and technologies that can stop us in our tracks. Payment gateways, for instance, allow ecommerce merchants to block or flag transactions that may be fraudulent, for example when the billing address doesn’t match the one the credit card has on file. Smart businesses also use multi-factor authentication for high-value transactions or when certain rules are triggered. And no one in my line of “work” is looking forward to the rollout of strong customer authentication and 3D Secure 2, which will make customer transactions even more secure.
Likewise, single sign-on effectively closes off one of the easiest entry points for fraudsters who want to impersonate customers or employees: poor password hygiene. When people have to login multiple times to access the apps and services they need, they’re more likely to reuse the same password or use a less complex one. But by giving people access to all these apps and systems with a single sign-on, businesses can make life that much harder for cybercriminals.
Behavioural biometrics, meanwhile, are some of the most advanced tools you can deploy against fraudsters. By analysing how someone holds their device, how hard they type, how they navigate your site and many other signals, you can be sure they are who they say they are.
Banks and big tech firms such as Apple have also tapped into physical biometric authentication (fingerprints, facial scans and so on) to validate people’s identity. And machine-learning and adaptive behavioural analytics tools create a highly detailed profile of a customer’s behaviour and flag up anomalies, such as a sudden switch to high-value items and expedited shipping.
By now you’re probably wondering why I’m sharing all this advice with you. After all, isn’t it in my interests for businesses to have weak security systems? Well, that was certainly true until last week. But you see, it turns out one of my fellow fraudsters has gained access to my online accounts. I’ve no idea how much data they’ve stolen or what they plan to do with it, so I have a request to make: could you please improve your online security before they defraud me too?
As threats rapidly evolve, identity and access management are more vital than ever. Download the Unlocking digital identity management report to find out and how businesses can achieve watertight security without compromising on a seamless user experience.