Payment fraudsters are becoming increasingly brazen and collaborative in their efforts, leveraging the dark web to access financial data and identify fraud opportunities.
Growth in e-commerce since the pandemic has upended traditional fraud models. Previously, criminals stole consumer data to produce counterfeit cards and purchase goods at the physical point of sale. Now, they take advantage of social platforms to communicate, connect and share resources with one another.
“Our fraud team is constantly analyzing data to identify shifts in old patterns, or the emergence of new patterns.”
Russell Brown, Senior Manager of Fraud Operations Strategy at PULSE®
“During the pandemic, fraudsters had to stay home, so they had to find new pathways to remain lucrative,” said Russell Brown, Senior Manager of Fraud Operations Strategy at PULSE. “As a result, collaboration among thieves is on the rise.”
Collaboration and attacks grow in sophistication
The most prominent example of how fraudsters help one another through social media and the dark web is the “Fraud Bible.” This 35-gigabyte how-to file contains more than 14,000 instructional PDFs, lists of vulnerable websites to exploit, ways to confirm the legitimacy of card data and more.
Fraudsters can access programs that let them enter large swaths of stolen card data and whittle it down to identify active, exploitable cards. At the same time, fraudsters collaborate to identify gaps in issuer or merchant processes that create vulnerabilities. When they find one, they share it with other fraudsters, enabling them to also exploit those vulnerabilities.
Among the most common attacks is enumeration, also known as brute force or BIN attacks. This process entails the use of software to identify valid card data, including associated information (expiration date, CVV2, postal code, etc.) to use in fraudulent, online transactions. Once a card is identified as exploitable, the software generates additional card numbers and associated data, often by increasing the card number by a constant number such as seven. Fraudsters then attempt small online transactions to verify the data generated.
“These attacks are generally targeted at large e-commerce merchants. Their assumption is that it is easier to pass a fraudulent transaction amid a high volume of transactions,” Brown explained. “They often target sites that have micro-merchants behind bigger dotcoms,” he said.
Another approach is to create a fictitious merchant, which has no real products or services, but has a website created specifically to run fraudulent transactions.
How PULSE is fighting back
Because fraud constantly evolves, PULSE recognizes it must “move at the speed of fraud,” Brown said.
The standard fraud protocol, he explained, has historically consisted of aggregating data by merchant and looking for decline code reason patterns, then blocking activity once a certain threshold is reached. While this approach works, it is time-consuming, and dollars are lost while the pattern is being identified.
“Last year we set about finding a better way to detect this activity,” said Brown. “We can now go from identifying an event to blocking and mitigating it in five to 10 minutes, which is monumentally faster than monitoring excessive decline code reasons.”
To identify BIN attacks, PULSE runs automated processes every 15 minutes to monitor all card-not-present (CNP) transactions by BIN and Merchant ID combinations. Once PULSE identifies an active fraud transaction, it goes onto a hotlist in the network’s DebitProtect® fraud-detection and risk-mitigation system.
Among the patterns PULSE monitors are:
- A significant uptick in transaction velocity or volume at merchants with low settlement rates, or at merchants that are historically inactive
- Large volumes of authentication attempts at CNP merchants
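The monitoring described above can be sketched as a windowed aggregation. The following is an added example, not PULSE or DebitProtect code: it groups card-not-present transactions by BIN and Merchant ID in 15-minute windows and flags groups with many distinct card numbers and a high decline ratio, also reporting a constant step between card numbers when one exists. The record fields, the 6-digit BIN, the thresholds and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DISTINCT_PANS = 5    # assumed threshold, tune per portfolio
MIN_DECLINE_RATIO = 0.8  # assumed threshold, tune per portfolio

def window_start(ts):
    """Floor a timestamp to its 15-minute window (the interval the page cites)."""
    return ts - timedelta(minutes=ts.minute % 15, seconds=ts.second,
                          microseconds=ts.microsecond)

def constant_stride(pans):
    """Return the step if sorted distinct card numbers rise by one constant, else None."""
    diffs = {b - a for a, b in zip(pans, pans[1:])}
    return diffs.pop() if len(diffs) == 1 else None

def find_bin_attacks(txns):
    """Flag (window, BIN, merchant) groups of CNP traffic that look like enumeration."""
    groups = defaultdict(list)
    for t in txns:
        if t["cnp"]:  # card-present traffic is out of scope here
            groups[(window_start(t["ts"]), t["pan"][:6], t["merchant_id"])].append(t)
    alerts = []
    for (start, bin_, mid), rows in sorted(groups.items()):
        pans = sorted({int(r["pan"]) for r in rows})
        ratio = sum(not r["approved"] for r in rows) / len(rows)
        if len(pans) >= MIN_DISTINCT_PANS and ratio >= MIN_DECLINE_RATIO:
            alerts.append({"window": start, "bin": bin_, "merchant_id": mid,
                           "attempts": len(rows), "distinct_pans": len(pans),
                           "decline_ratio": round(ratio, 2),
                           "stride": constant_stride(pans)})
    return alerts

# Constructed sample data: fake BINs, merchant IDs and card numbers.
T0 = datetime(2024, 1, 1, 12, 1)
SAMPLE = [
    {"ts": T0 + timedelta(seconds=10 * i), "pan": str(9999990000000010 + 7 * i),
     "merchant_id": "M-TEST-1", "cnp": True, "approved": i == 5}
    for i in range(6)
] + [
    {"ts": T0, "pan": "9999980000000001", "merchant_id": "M-TEST-2", "cnp": True, "approved": True},
    {"ts": T0, "pan": "9999980000000002", "merchant_id": "M-TEST-2", "cnp": True, "approved": True},
    {"ts": T0, "pan": "9999990000000010", "merchant_id": "M-TEST-1", "cnp": False, "approved": False},
]

if __name__ == "__main__":
    for alert in find_bin_attacks(SAMPLE):
        print(alert)
```

Each alert names the BIN and Merchant ID pair an issuer would review or block, and the alert records themselves can be kept as the archive of account-testing attacks.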
“Issuers often ask us what they can do to prevent fraud. Our best advice is to participate in DebitProtect. We are here to help you,” said Brown.
Seven best practices to fight BIN attacks
Following these seven best practices is key to combatting BIN-attack risk:
- Continuously monitor transaction activity on active and inactive BINs to recognize potential fraud patterns
- Validate unsupported transaction types, for example, a CNP transaction without a CVV2
- Avoid issuing card numbers in sequential order
- Stagger expiration dates on newly issued cards
- Check that expiration dates on authorizations are valid
- Identify, flag and action account numbers that have an excessive number of authorization declines
- Archive account-testing attacks, including merchant names, targeted account numbers, dollar amounts and times of attacks
The fraud landscape is constantly shifting, and debit issuers are dealing with more threats than ever. What worked two years ago may no longer suffice. PULSE is here to help you identify attacks and mitigate them quickly.