Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.
Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.
For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.
“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.
“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”
Identity verification process issues
The study found that only up to 16 percent of U.S. and Canadian banks employ the type of fully integrated, real-time digital capture and validation tools required for consumers to securely open a financial account online.
Even when digital methods are used to verify identity, the experience still raises barriers with customers expected to use email or visit an “identity portal” to verify their identities.
Creating a frictionless process is key to meeting consumers' current expectations. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process due to an inconsistent identity verification process.
Lack of automation is a problem for banks too
The lack of automation when verifying customers' identity isn't just a pain point for customers: 53 percent of banks reported it as problematic for them too.
Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner, and this is harder to achieve for institutions relying on inconsistent manual resources.
Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.
By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.
The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.
Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.
Europol IOCTA 2020
Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.
Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.
The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.
Malware reigns supreme
Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.
Moreover, criminals have added another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on the victims to pay the ransom.
Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.
Child sexual abuse material continues to increase
The main threats related to online child abuse exploitation have remained stable in recent years; however, detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.
Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.
Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.
Livestreaming of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications with built-in payment systems are used, which becomes one of the key challenges for law enforcement as this material is not recorded.
Payment fraud: SIM swapping a new trend
SIM swapping, which allows perpetrators to take over accounts, is one of the new trends. As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.
Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.
Criminal abuse of the dark web
In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.
Tor remains the preferred infrastructure; however, criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.
OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.
VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.
“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”
EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.
Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 and Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses (those that sell physical goods online) jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.
According to Deloitte, ecommerce sales are forecast to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season.
When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.
Account hacking leads to brand abandonment
According to the research, ATO attacks also create significant and lasting brand damage. Based on a survey of 1,000 U.S. adult consumers, 28 percent of respondents would completely stop using a site or service if their accounts on that site were hacked.
And while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
- Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
- Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
- Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their ecommerce (both physical and digital goods and services) accounts were hacked.
- Other online destinations on which consumers reported experiencing ATO include:
- Social media sites: 36 percent
- Financial services sites: 35 percent
- Online dating sites: 22 percent
- Travel sites: 19 percent
ATO attacks for financial gain
Like payment fraud and content abuse, two of the other links in the fraud supply chain, account takeover is typically a means to a financial end.
Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.
While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
Customer security as customer experience
“The surge in ATO attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”
Forter released its Fraud Attack Index, delivering in-depth insight into the impact of COVID-19 on online buyer behavior and ecommerce fraud trends.
This edition revealed that:
- New customer accounts now represent 30% of transactions, five times more than they did pre-COVID-19. This is good news for retailers, but merchants using legacy fraud prevention systems could miss out on some of this revenue potential due to high false decline rates. Legacy systems lack data on new customers and cannot accurately distinguish between legitimate consumers and fraudsters.
- The growth in transactions driven by the consumer shift from brick-and-mortar stores to online purchasing is masking the fact that the number of fraud attacks has risen in real terms, leading retailers into a false sense of security.
- Omnichannel fraud is growing: Buy Online, Pick-up In Store (BOPIS) fraud rose 55% as new customer service options are subjected to significant fraud.
- With transactions falling by 97% compared with H1 2019, fraud attack rates in the travel industry more than doubled, with hotel fraud attacks rising 139% and airline fraud attacks increasing 144%.
- Account takeover (ATO) and Policy Abuse such as returns abuse, promotion abuse, and reseller abuse are set to surge during the holiday season.
Michael Reitblat, CEO of Forter, comments: “A rapid rise in new customer accounts, coupled with having to pivot quickly from brick-and-mortar to online sales channels, put unprecedented stress on merchants as they tried to perfect the ecommerce experience.
“It is clear from what we’ve seen that some retailers were more agile and prepared for this than others, quickly introducing new services such as curbside pickup and Buy Online, Pick-up In-Store, in a bid to retain new customers.
“To fully realize this new revenue potential, merchants need more accurate fraud prevention that can distinguish between these valuable new customers and fraudsters. Merchants can have a false decline rate between 5-7x higher for new customers – typical of legacy systems that do not have sufficient data on new account holders.”
Growth in transaction volumes masks increasing fraud attack numbers
There have been dramatic increases in transaction volumes across the majority of vertical sectors, but particularly those traditionally served by brick-and-mortar stores. Volumes rose 172% in home, furnishings and garden, 93% in food delivery & beverage and 119% in groceries.
Ecommerce fraud attacks decreased as a percentage of all transactions but in real terms, the number of fraud attacks has risen. This represents significant losses for retailers at a critical time.
Holiday season fraud surge expected
As retailers prepare for a critical holiday season and aim to recoup some of the year’s earlier losses, the research indicates that ATO attacks, and returns and delivery fraud will surge as fraudsters seek to exploit the increase in online shopping.
At the same time, customers will be more likely to take unfair advantage of promotions and abuse delivery and returns policies. Fraud and abuse trends that retailers need to prepare for include:
- Account takeover fraud to dramatically increase: The analysis indicates that fraudsters will seek to operationalize the data they’ve stolen and collected through data breaches and social engineering scams conducted during COVID-19 disruption. Also, new customer accounts opened by less experienced users are likely to use weaker passwords, fewer security steps, and be more vulnerable to ATO. As a result, retailers need to prepare for increasing ATO attacks during the holiday season.
- Returns and delivery fraud will continue to rise: Retailers increasingly offered omnichannel customer service options such as Buy Online, Return in Store (BORIS) and BOPIS, to satisfy new customers during COVID-19. Fraud attacks exploiting BOPIS policies increased 55% compared to H1 2019, as merchants offering frictionless experiences are less likely to ask for customer identification. It is anticipated that fraudsters will increasingly target and exploit returns and delivery services as online shopping surges over the holiday season.
- Policy abuse set to spike: Merchants courting new customers with aggressive promotions and user-friendly omnichannel options, will expose themselves to greater abuse risk, including returns, promotion and reseller abuse.
Vikrant Gandhi, Senior Industry Director at Frost & Sullivan commented: “Fraud and policy abuse issues have magnified in the recent months in the global ecommerce industry. Our research indicates a rise in sophisticated fraud attempts, including promotions abuse by using synthetic identities and friendly fraud in 2020.
“The challenge for merchants is to deliver frictionless customer experiences without letting fraud prevention come in their way of doing so. Our recommendation to merchants is if they do not prioritize working with identity-based, integrated fraud prevention platforms that leverage behavioral analytics, machine learning and the power of big data that is informed and refined by highly trained analysts, they will never be able to stay ahead of fraudsters and policy abusers.”
As the economic fallout of the COVID-19 crisis continues to unfold, research from Next Caller reveals the pervasive impact that COVID-related fraud has had on Americans, as well as emerging trends that threaten the security of contact centers, as we head towards what may be another wave of call activity.
The company’s latest report found that 55% of Americans believe they’ve been a victim of COVID-related fraud, up more than 20% from when the company conducted a similar study in April.
Perhaps even more worrisome is the fact that 59% of Americans claim they haven’t taken any additional precautions to protect themselves from these attacks.
“Even with massive amounts of PII circulating the dark web and so many new opportunities for criminals to exploit because of the pandemic, it’s still alarming that over half of the country thinks they’ve been targeted by COVID-related fraud,” said Ian Roncoroni, CEO, Next Caller.
“Compounding the problem is COVID’s unique ability to distract and disengage people from carefully monitoring their accounts. Criminals who are already well-equipped to bypass security can now operate longer without detection, worsening the impact exponentially.”
Data has shown the clear correlation between the economic fallout of the crisis – specifically stimulus related events – and the meteoric spikes in overall call volumes and the number of high-risk calls taking place inside contact centers across today’s biggest brands.
Fraudsters eager to replicate their initial success
A pending second stimulus package, combined with a clear urgency from Americans around receiving it, indicates that another wave of activity from customers and criminals is on the horizon.
In regards to the latest findings, Roncoroni said, “We have to prepare for a more sophisticated criminal strategy this time around. Rising reports of fraud activity signal not only that fraudsters are eager to replicate their initial success, but that some of those early schemes may just be getting started.
“The phony mailing address unceremoniously added to a bank account in April is likely just the trojan horse for a scheme ready to be set in motion under the cover of the next stimulus package.”
- 55% of Americans believe they’ve been targeted by COVID-related fraud
- Despite that, 59% of Americans claim that they have not taken any additional precautions to protect themselves from attacks
- Almost 1-in-3 Americans are more worried about becoming a victim of fraud than they are about contracting the virus
- 56% believe brands are equally responsible for providing flexible and accommodating customer service and protecting personal information
- When asked about their view of the next stimulus checks, 41% of Americans said “I really need another check”
- 53% of Americans say that they have already sought out information related to the next round of checks
CEO of NS8 Charged with Securities Fraud
The founder and CEO of the Internet security company NS8 has been arrested and “charged in a Complaint in Manhattan federal court with securities fraud, fraud in the offer and sale of securities, and wire fraud.”
I admit that I’ve never even heard of the company before.
It’s complicated, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN.
From a news article:
The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app.
To obtain unauthorized funds from a third-party credit card, the first mobile phone is used to scan the necessary data from the credit card and transfer it to the second phone. The second phone is then used to simultaneously debit the amount at the checkout, as many cardholders do nowadays. As the app declares that the customer is the authorized user of the credit card, the vendor does not realize that the transaction is fraudulent. The crucial factor is that the app outsmarts the card’s security system. Although the amount is over the limit and requires PIN verification, no code is requested.
The paper: “The EMV Standard: Break, Fix, Verify.”
Abstract: EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.
We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim's Visa contact-less card for high-value purchases, without knowledge of the card's PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.
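A toy model of the flaw class and of the kind of fix the abstract describes, added here as an illustration (it is not code from the paper, from the news article or from Schneier's post). It assumes the root cause is a cardholder-verification indicator that the terminal acts on but that is not covered by the card's authenticated data; the indicator is abstracted to a boolean, the card's signature to an HMAC with a constructed key, and the field names are assumptions rather than EMV data element names.

```python
"""Toy model: why an unauthenticated "PIN required" indicator lets a relayed
transaction bypass the PIN, and why covering it with the card's signature stops it.

This is an abstract model constructed for illustration; real EMV messages and
cryptograms are far more complex, and none of the names below are EMV fields.
"""
import hashlib
import hmac

# Constructed secret standing in for the card's signing key; in EMV the card
# signs with an issuer-certified key that the terminal verifies.
CARD_KEY = b"constructed-toy-card-key"

# Purchases above this amount require the cardholder's PIN (constructed limit).
PIN_LIMIT = 50


def card_mac(fields: dict, covered: tuple) -> str:
    """Stand-in for the card's signature: a MAC over only the COVERED fields."""
    msg = "|".join(f"{name}={fields[name]}" for name in covered).encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


def card_respond(amount: int, covered: tuple) -> dict:
    """The genuine card answers the terminal: amount plus a PIN-required indicator."""
    resp = {"amount": amount, "pin_required": amount > PIN_LIMIT}
    resp["mac"] = card_mac(resp, covered)
    return resp


def relay_forward(resp: dict) -> dict:
    """Models the two-phone relay from the post: the phone facing the terminal
    forwards the card's answer with the PIN indicator cleared."""
    forwarded = dict(resp)
    forwarded["pin_required"] = False
    return forwarded


def terminal_decide(resp: dict, covered: tuple, pin_entered: bool) -> str:
    """Terminal: verify the card's authentication data, then apply the PIN rule."""
    expected = card_mac(resp, covered)
    if not hmac.compare_digest(resp["mac"], expected):
        return "DECLINED: card data failed authentication"
    if resp["pin_required"] and not pin_entered:
        return "PIN REQUIRED"
    return "APPROVED"


# Which fields the card's signature covers in the two protocol variants.
UNAUTHENTICATED_INDICATOR = ("amount",)                # indicator not signed: the flaw
AUTHENTICATED_INDICATOR = ("amount", "pin_required")   # indicator signed: the fix


def transaction(amount: int, covered: tuple, relayed: bool) -> str:
    """Run one purchase with no PIN entered, optionally through the relay."""
    resp = card_respond(amount, covered)
    if relayed:
        resp = relay_forward(resp)
    return terminal_decide(resp, covered, pin_entered=False)


if __name__ == "__main__":
    for label, covered in (("unauthenticated indicator", UNAUTHENTICATED_INDICATOR),
                           ("authenticated indicator", AUTHENTICATED_INDICATOR)):
        print(label)
        print("  direct, high value :", transaction(200, covered, relayed=False))
        print("  relayed, high value:", transaction(200, covered, relayed=True))
        print("  direct, low value  :", transaction(20, covered, relayed=False))
```

With the indicator outside the signed data the relayed high-value purchase is approved without a PIN; once the indicator is covered, the same tampering fails authentication at the terminal, which is the general design lesson: every field a verifier acts on must be inside what it authenticates.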
Fraudsters are decreasing their schemes against businesses, but increasing COVID-19 focused scams against consumers online, according to TransUnion.
Fraudsters less targeting businesses
The percent of suspected fraudulent digital transactions against businesses worldwide decreased 9% from the beginning of the pandemic (“phase 1,” March 11-May 18) to when businesses began reopening (“phase 2,” May 19-July 25). In contrast, consumers targeted by digital COVID-19 schemes increased 10% from the early days of the pandemic (week of April 13) to more recently (week of July 27).
“With the rush for businesses to go digital as many were forced to go completely online almost overnight, fraudsters tried to take advantage,” said Shai Cohen, senior vice president of Global Fraud Solutions at TransUnion.
“They were most likely unsuccessful in their attempts and took their scams elsewhere as those businesses ramped up their digital fraud prevention solutions while providing a friction-right consumer experience. Conversely with consumers, fraudsters are increasingly using COVID-19 to prey on those persons who are facing mounting financial pressures.”
In contrast to the recent suspected fraud decrease against businesses, when comparing phase 1 (March 11-May 18) to right before the pandemic (Jan. 1-March 10), there was a 6% rise in suspected digital fraud against businesses.
Fraudsters shifting industries
When comparing digital transactions pre-pandemic to during the pandemic (March 11-July 25), suspected fraud against businesses remained relatively flat, increasing 1%.
“It appears fraudsters assume travel & leisure companies are scrutinizing transactions less in order to capture more revenue as the pandemic continues to severely negatively impact their business,” said Melissa Gaddis, senior director of customer success, Global Fraud Solutions at TransUnion.
“Another interesting note is that telecommunications, e-commerce and financial services companies – all industries that have fared relatively well during the pandemic – were targeted with the most digital fraud early in the pandemic but are now among the least targeted. This shows us that fraudsters initially targeted the hottest industries with the most money to be had early in the pandemic in order to hide behind the rush of transactions but have now made an obvious shift.”
Globally across industries, the countries with the highest percentage of suspected fraudulent transactions were: 1) Kazakhstan, 2) Greece and 3) Cyprus. In the U.S. overall, the cities with the highest percent of suspected fraudulent transactions were: 1) Livonia, Mich. 2) Akron, Ohio and 3) Jackson, Miss.
Consumers targeted by COVID-19 schemes
To better understand the impacts of COVID-19 on consumers, 8,265 adults in Canada, Colombia, Hong Kong, South Africa, the U.K. and the U.S. were surveyed the week of July 27.
32% of respondents said they had been targeted by digital fraud related to COVID-19, with Gen Z (age 18-25) being the most targeted at 36%. Among consumers reporting being targeted with digital COVID-19 schemes globally, the top pandemic-themed scam is phishing with 27% saying they were hit with it.
Despite the survey showing Baby Boomers were the generation least targeted with digital COVID-19 scams, among consumers reporting being targeted they were the age group saying they faced the highest percentage of COVID-19 themed phishing scams.
“Phishing shows fraudsters aren’t after a quick hit, but rather looking for the long haul,” said Gaddis. “Once a fraudster steals consumer credentials, the wave of disruption they can cause with a stolen or synthetic identity is endless from compromising multiple online accounts to significantly impacting credit scores.”
Brand impersonation is a go-to tactic for attackers, especially for credential phishing and BEC attacks
Trends in BEC and email security during Q2 2020 included a peaking and plateauing of COVID-19-themed email attacks, an increase in BEC attack volume and acceleration of payment and invoice fraud, according to an Abnormal Security report.
The report also reveals that Zoom supplanted American Express as the most impersonated brand in email attacks.
There have been surges in COVID-19-themed email security attacks, which continued in Q2, with weekly campaign volume increasing 389% between Q1 and Q2. There has also been a continued increase in BEC attacks targeting finance department employees over C-level executives, which grew by 50% quarter-over-quarter.
A spike in payment and invoice fraud attacks
Payment and invoice fraud attacks, largely driven by vendor fraud, grew by 112% over the last quarter, spiking at the end of June. For the first time, a surge in payment and invoice fraud related to the pandemic has been detected.
BEC-specific attacks also saw an acceleration of attack campaign volume, growing by 11% over Q2 as hackers took advantage of new work-from-home scenarios. As BEC attacks are highly targeted and sophisticated, designed to dupe key targets with the potential to lead to big payouts, this increase is substantial in nature.
The shift to remote work makes employees more susceptible to BEC attacks and gives threat actors the opportunity to apply tactics likely to be successful given these working conditions.
“The pandemic has ignited digital transformation efforts at a breakneck pace and cybercriminals are moving just as fast, taking advantage of a new work-from-home landscape amid great business uncertainty,” said Evan Reiser, CEO, Abnormal Security.
“Keeping pace with change is critical, as attackers have continued to exploit enterprises’ weak links – such as vendor and partner relationships – and are pushing more sophisticated and targeted BEC attacks than we’ve seen previously.”
Changing trends in brand impersonation attacks
The report also uncovered changing trends in brand impersonation attacks, a form of fraud where a bad actor assumes the identity of a trusted or known entity. These attacks tend to follow the zeitgeist, which may help explain why Zoom became the most impersonated brand in Q2 due to its instant popularity and ubiquity.
Rounding out the top three were two other brands very much associated with COVID-19 shifts toward e-commerce and delivery: Amazon and DHL. For comparison, the three most impersonated brands in Q1 2020 were American Express, Amazon and iCloud.
“Our analysis of BEC and email security trends in Q3 will certainly prove to be interesting as we expect a downward trend in COVID-19-related attacks, an uptick in attacks related to the 2020 election and a continued rise in BEC, as attackers find success with socially-engineered techniques that evade traditional email security defenses,” said Reiser.
“Business leaders need to continue to focus on reviewing email security measures, most importantly examining BEC defenses, to ensure protection against attackers who are gaining steam.”
RiskIQ released a research report revealing a large-scale digital scam advertisement campaign spread through fraudulent news sites and affiliate ad networks that cater to highly partisan audiences.
Scammers are taking advantage of COVID-19 to spread fake news
The report details how misleading, false, and inflammatory news stories about the COVID-19 pandemic are developed on a massive scale by “content farms,” which monetize through ads served by ad networks targeting highly partisan readership. Some of these ads are purpose-built to lure readers into misleading ‘subscription traps’ for products billed as remedies or cures for the virus.
How does a subscription trap work?
A subscription trap works by offering a free or deeply discounted trial of a product while hiding clauses in the terms of service that sign victims up for costly payments remitted on a repeated basis, usually monthly. These subscriptions are often difficult, if not impossible, to escape.
The report clearly defines an ecosystem between partisan content farms that monetize through ad revenue, ad networks that take a cut of the profit, and advertisers that use the generated traffic to ensnare victims in subscription traps. These fraudulent subscriptions are for products such as dietary supplements or beauty products, and more recently, supposed remedies to COVID-19 in the form of CBD oil.
“Scam ads leading to subscription traps seem to be endemic to content farm sites, but there’s a particular network of companies and individuals using the COVID-19 pandemic for financial gain,” said Jordan Herman, threat researcher, RiskIQ.
“We wanted to do a deep dive into this ecosystem to expose how these shady practices are taking advantage of people on a massive scale and making the schemers a lot of money in the process.”
Leveraging fear, anxiety, and uncertainty around COVID-19
These content farms generate traffic by creating politically charged articles leveraging the fear, anxiety, and uncertainty around COVID-19 and gearing them toward a specific audience. These articles, often misleading or patently false, target readers the creators have assessed will likely read, share, and engage with them.
The content farm operators publish these articles on their websites and use social media accounts and spam email campaigns to extend their reach and generate more traffic they can monetize.
Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.
“From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it’s clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities,” said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion.
“Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.”
To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. were surveyed between June 30 and July 6, 2020.
The survey asked consumers whether they had been targeted by digital COVID-19 fraud and, if so, which COVID-19-related digital fraud scheme(s) they were targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19, with the top types of COVID-19 fraud they faced shown below:
Top global online COVID-19 scams targeting consumers
Online COVID-19 scams targeting consumers by country
“Although the schemes may vary by country, a new approach to identity verification that supplements traditional authentication methods is needed to defend against their impact,” said Cohen. “The key is creating a friction-right experience where consumers are confident they are dealing with a legitimate organization or business.”
Online voting is likely to shape future election cycles, according to a study from OneLogin. 59% of respondents expect online voting will become a reality within five years.
Online voting demographics
Though various demographics differ in their opinions about online voting, respondents shared concerns about the possibility of fraud and compromised data security.
49% of millennial and 55% of Gen Z voters believe that online options would make them more likely to vote while only 35% of those ages 74+ felt the same. Digital voting might also assist during the pandemic as 26% of respondents indicated COVID-19 could impact their likelihood of voting in the general election this fall.
An online voting option could also boost voter turnout among minority groups: 55% of black and 54% of Hispanic voters said an online voting option would make them more likely to vote this fall, compared to 42% of whites.
By party lines, 37% of Republicans do not want online voting compared to 12% of Democrats. Additionally, 43% of self-identified Trump supporters do not want online voting, compared to 12% among non-supporters.
Online voting and cybersecurity
Regardless of these divisions, respondents came together around two issues: convenience and security. Among those in favor of moving to online voting, 68% liked the potential convenience and 61% believed it would increase voter turnout. For those against it, the opportunity for fraud (77%) and lack of security (75%) were major concerns.
“We were curious to understand the opinions around online voting and cybersecurity. The results speak to the demand and call for safe and secure identity management, today, in the 2020 election, and beyond.”
Most security experts agree that the process to cast a secure online vote would require multiple steps of authentication. Although 61% of respondents were willing to take up to three steps, 13% weren’t willing to take any security steps at all if voting online.
Similarly, 48% of voters would spend no more than five minutes logging in to vote, with only 5% willing to take more than 30 minutes, even though there are often long waits for in-person voting.
Who is the most trustworthy?
Trust will be another hurdle, as voters are uncertain which group is the most trustworthy to manage and administer online voting. Only 25% felt the government was best equipped, while 21% believed a private company could do it best and 20% would rely on a big tech company. Over 35% stated they wouldn’t trust any of the choices listed.
Other findings from the study include:
- Pandemic politics: 31% of those who disapprove of President Trump say the pandemic is influencing them towards not voting compared to only 17% among Trump supporters.
- Online turnout: 45% say that if they could vote online, they would be more likely to vote in the general election this fall while only 6% say they would be less likely to vote. 49% were the same either way.
- Disenfranchisement: Out of those who are not in favor of moving to online voting, 44% believe it would disenfranchise people who are computer illiterate. 61% of those ages 74+ have this concern.
- Voting by mail: 1 in 3 rural voters have security concerns with voting by mail, compared to 1 in 4 from urban/suburban areas. 46% of Trump supporters are worried about security and fraud with voting by mail, compared to just 16% among those who don’t support Trump.
There has been a 200 percent increase in BEC attacks focused on invoice or payment fraud from April to May 2020, according to Abnormal Security. This sharp rise continues a trend already visible earlier in the year.
Also, according to the report, invoice and payment fraud attacks increased more than 75 percent in the first three months of 2020.
Larger dollar amounts are involved
During invoice and payment fraud BEC attacks, attackers pose as vendors, suppliers or customers in order to steal money using tactics such as initiating fraudulent wire transfers or hijacking vendor conversations to redirect vendor payments. These types of attacks typically involve much larger dollar amounts compared to other types of BEC attacks since they target business to business transactions.
In one example, the Abnormal Security team detected and stopped an attempted invoice fraud targeting a telecommunications provider, preventing more than $700,000 in losses. The attacker impersonated a real vendor and methodically engaged numerous employees over the course of two months, eventually convincing the target to change banking details and redirect the payment of a legitimate invoice of over $700,000 to the attacker’s account before the transaction was prevented.
Increasing number of attacks
An increasing number of these attacks were tracked, both in the number of organizations targeted and the number of attacks received per organization. The research team observed:
- A 200% increase in the average rate of invoice and payment fraud BEC attacks each week
- A 36% increase in the number of organizations experiencing these attacks
- Out of all types of BEC attacks, invoice and payment fraud BEC attacks are increasing in popularity. In April, these types of attacks comprised 14% of all BEC attacks, increasing to 17% in May.
“While all business email compromise attacks can lead to significant financial loss, those focused on invoice and payment fraud can have an even greater financial impact,” said Evan Reiser, CEO and co-founder, Abnormal Security.
“Even when an organization has established best-in-class security, third-parties represent a weak link. As these types of attacks continue to climb, it’s more important than ever for companies to implement technology that detects and stops them.”
Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.
Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.
A new study examines how consumers respond to potentially fraudulent reviews and how review portals can leverage this information to design better fraud management policies.
“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.
“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”
Fake reviews aid decision making
A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.
Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.
“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”
Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that it is potentially fraudulent.
This study used large-scale data from Yelp to conduct experiments to measure trust and found that 80% of the users in the researchers' survey agree they trust a review platform more if it displays fake review information, because businesses are less likely to write fraudulent reviews on such platforms.
Transparency over censorship
Meanwhile, 85% of users in the survey believe they should have a choice in viewing truthful and fraudulent information, and that platforms should leave it to consumers to decide whether they use fraudulent review information in determining the quality of a business.
The study also finds that consumers tend to trust the information provided by platforms more when the platform distinguished and displayed fraudulent reviews from nonfraudulent reviews, as compared to the more common practice of censoring suspected fraudulent reviews.
“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.
When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.
A platform may admit to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews may be fraudulent and now see that something is being done to address it.
There were seven major application DDoS attacks over the previous month — two of which lasted 5-6 days, Imperva reveals.
Additionally, the team found that 47% of account takeover (ATO) attacks were aimed at loyalty programs and streaming services, where bad actors attempted to use stolen credentials to gain unauthorized access to online accounts to carry out malicious actions such as data theft, identity fraud or fraudulent e-commerce transactions.
The report also showed continued signs of site traffic recovery across various industries following the lift in shelter-in-place orders, as schools across the world reopened and employees returned to workplaces.
Increasing length of application DDoS attacks
Seven major application DDoS attacks over 150,000 requests per second (RPS) were identified. Two of the attacks lasted five and six days respectively, an unusual occurrence, as most DDoS attacks (70% of those in May) last less than 24 hours.
While the average DDoS event in April originated from 300 IPs, these two major events came from 28,000 and 3,000 unique IPs. Further findings:
- The most targeted industries overall were news (38%), business (25%) and financial services (19%).
- Top countries from which DDoS attacks originate are China (26%), US (15%) and the Philippines (7%).
ATO attacks are focused at loyalty program cards and streaming services
Out of the total ATO attacks, 47% were aimed at loyalty programs and streaming services. In one example, 13.5 million ATO attempts were registered over three days.
Across all ATO attacks, the average attack size per site was about 100,000 attempts, distributed over 2,000 IPs on average. This means that each IP sent no more than two requests per day, classifying it as a “low and slow” attack, where a botnet uses many devices, each sending only a handful of requests, to disguise its attack as legitimate traffic.
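The “low and slow” pattern described above defeats any detection that looks only at per-IP request rates, because every individual source stays under the threshold; the signal is in the aggregate. The following is an added example (not Imperva's code or methodology) that summarizes constructed login-attempt records per source IP and per day, then separates a distributed low-and-slow credential-stuffing campaign from a single-source brute force. The thresholds in `classify` and the sample data are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime


def build_low_and_slow_sample():
    """Constructed sample (not real traffic): 40 source IPs in the TEST-NET-3
    documentation range, each sending two failed logins per day for two days
    against rotating usernames, plus a few genuine successes from one home IP."""
    events = []  # (timestamp, source_ip, username, outcome)
    for day in (10, 11):
        for i in range(40):
            ip = f"203.0.113.{i + 1}"
            for attempt in range(2):
                ts = datetime(2020, 5, day, 8 + attempt * 6, (i * 7) % 60)
                user = f"user{(i * 2 + attempt) % 25:02d}@example.com"
                events.append((ts, ip, user, "fail"))
    for day in (10, 11):
        events.append((datetime(2020, 5, day, 9, 15),
                       "198.51.100.7", "alice@example.com", "success"))
    return events


def build_brute_force_sample():
    """Constructed sample: 300 failures from one IP against one account within
    an hour, the classic noisy brute force that per-IP rate limits catch."""
    return [(datetime(2020, 5, 10, 3, s // 60, s % 60),
             "192.0.2.44", "admin@example.com", "fail") for s in range(300)]


def summarize(events):
    """Aggregate failed logins site-wide and per (IP, day)."""
    failures = [e for e in events if e[3] == "fail"]
    per_ip_day = defaultdict(int)
    for ts, ip, _user, _outcome in failures:
        per_ip_day[(ip, ts.date())] += 1
    unique_ips = {ip for _ts, ip, _u, _o in failures}
    return {
        "total_failures": len(failures),
        "unique_ips": len(unique_ips),
        "max_failures_per_ip_per_day": max(per_ip_day.values(), default=0),
        "mean_failures_per_ip": (len(failures) / len(unique_ips)) if unique_ips else 0.0,
    }


def classify(summary, min_total=100, max_per_ip_day=5, min_ips=20):
    """Label the campaign shape. Thresholds are assumptions: a real deployment
    would tune them against the site's normal failed-login baseline."""
    if summary["total_failures"] < min_total:
        return "no campaign"
    distributed = summary["unique_ips"] >= min_ips
    quiet_per_ip = summary["max_failures_per_ip_per_day"] <= max_per_ip_day
    if distributed and quiet_per_ip:
        return "distributed low-and-slow"
    if not distributed and not quiet_per_ip:
        return "single-source brute force"
    return "mixed"


if __name__ == "__main__":
    for name, builder in (("low-and-slow", build_low_and_slow_sample),
                          ("brute-force", build_brute_force_sample)):
        s = summarize(builder())
        print(name, s, "->", classify(s))
```

The point of the aggregate view is that a per-IP rule such as "block after five failures per day" never fires on the first sample, while the site-wide failure count and the number of distinct sources make the campaign obvious; in practice the same summary would be computed on a sliding window rather than on whole days.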
COVID-19 affects cyber traffic and attack trends, while recovery continues
As the coronavirus crisis escalated, changes in traffic and attack trends across multiple industries and countries were previously examined. In May, as more countries reopened schools and fewer students were at home, overall traffic to education sites went down by 20%.
Additionally, with many returning to work and spending more time commuting, the use of entertainment sites — specifically radio streaming services — increased by 11% overall.
Cloud platforms and automated tools: The main source of attacks against govt sites
Cloud platforms and automated tools are the main source of attacks against government sites in the United States. A total of 65% of the attacks against law and government sites in the US originated from cloud platforms using automated tools written in the Python programming language.
Database vulnerabilities spike
Ten new database vulnerabilities were published in May, and almost half held a high severity score of greater than seven, with one reaching a critical score of greater than nine per the Common Vulnerability Scoring System (CVSS). Most of the vulnerabilities were published on May 12, 2020 as part of SAP Security Patch Day.
Overall Cyber Threat Index score remains at a ‘high’ level
Although the number of attacks declined by 28%, the Cyber Threat Index score went up by 32 points due to more high- and medium-risk vulnerabilities and an increase in high volume and longer duration DDoS attacks.
“In May, we were surprised to find two unusually long DDoS attacks lasting 5-6 days. As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact,” said Nadav Avital, head of security research at Imperva.
“For example, in Imperva’s 2019 Global DDoS Threat Landscape Report, we found that about 29% of attacks lasted 1-6 hours while 26% lasted less than 10 minutes. Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults.”
Researchers from CSIRO’s Data61 have developed a new technique to protect consumers from voice spoofing attacks.
Fraudsters can record a person’s voice for voice assistants like Amazon Alexa or Google Assistant and replay it to impersonate that individual. They can also stitch samples together to mimic a person’s voice in order to spoof, or trick third parties.
Detecting when hackers are attempting to spoof a system
The new solution, called Void (Voice liveness detection), can be embedded in a smartphone or voice assistant software and works by identifying the differences in spectral power between a live human voice and a voice replayed through a speaker, in order to detect when hackers are attempting to spoof a system.
Consumers use voice assistants to shop online, make phone calls, send messages, control smart home appliances and access banking services.
Muhammad Ejaz Ahmed, Cybersecurity Research Scientist at CSIRO’s Data61, said privacy preserving technologies are becoming increasingly important in enhancing consumer privacy and security as voice technologies become part of daily life.
“Voice spoofing attacks can be used to make purchases using a victim’s credit card details, control Internet of Things connected devices like smart appliances and give hackers unsolicited access to personal consumer data such as financial information, home addresses and more,” Mr Ahmed said.
“Although voice spoofing is known as one of the easiest attacks to perform as it simply involves a recording of the victim’s voice, it is incredibly difficult to detect because the recorded voice has similar characteristics to the victim’s live voice. Void is game-changing technology that allows for more efficient and accurate detection helping to prevent people’s voice commands from being misused”.
Relying on insights from spectrograms
Unlike existing voice spoofing detection techniques, which typically use deep learning models, Void was designed around insights from spectrograms (a visual representation of the spectrum of frequencies of a signal as it varies with time) to detect the ‘liveness’ of a voice.
This technique provides a highly accurate outcome, detecting attacks eight times faster than deep learning methods, and uses 153 times less memory, making it a viable and lightweight solution that could be incorporated into smart devices.
Void has been tested using datasets from Samsung and Automatic Speaker Verification Spoofing and Countermeasures challenges, achieving an accuracy of 99 per cent and 94 per cent for each dataset.
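To make the spectral-power idea concrete, here is an added, deliberately simplified illustration; it is not Void's feature set, classifier or code, and it is not from CSIRO's Data61. It constructs a stand-in for a live voiced frame (a fundamental plus slowly decaying harmonics), models the loudspeaker and microphone of a replay as a two-pass one-pole low-pass filter (an assumption standing in for the high-frequency roll-off of small speakers), computes the power spectrum with a plain DFT, and uses the share of power above an assumed 1 kHz band edge as the liveness feature. The threshold, band edge and signal parameters are all assumptions.

```python
import math

SAMPLE_RATE = 8000      # Hz; constructed narrowband signal
N = 512                 # samples per analysis frame
BAND_EDGE_HZ = 1000.0   # assumption: boundary between "low" and "high" band
LIVE_THRESHOLD = 0.10   # assumption: high-band power share below this => replay


def synth_live_voice():
    """Constructed stand-in for a live voiced frame: a 140 Hz fundamental plus
    harmonics up to Nyquist with amplitude 1/sqrt(k), so a substantial share
    of the power sits above BAND_EDGE_HZ."""
    f0 = 140.0
    frame = []
    for n in range(N):
        t = n / SAMPLE_RATE
        v, k = 0.0, 1
        while f0 * k < SAMPLE_RATE / 2:
            v += math.sin(2 * math.pi * f0 * k * t) / math.sqrt(k)
            k += 1
        frame.append(v)
    return frame


def simulate_replay(frame, cutoff_hz=500.0, passes=2):
    """Model the replay chain as a two-pass one-pole low-pass filter. This is
    an assumption that captures the high-frequency roll-off of small
    loudspeakers, not a measured device response."""
    a = 1.0 - math.exp(-2.0 * math.pi * cutoff_hz / SAMPLE_RATE)
    out = list(frame)
    for _ in range(passes):
        y = 0.0
        for i, x in enumerate(out):
            y = a * x + (1.0 - a) * y
            out[i] = y
    return out


def power_spectrum(frame):
    """Power per DFT bin for bins 0..N/2, Hann-windowed; plain O(N^2) DFT so
    the example needs no numpy and runs anywhere."""
    n = len(frame)
    windowed = [x * (0.5 - 0.5 * math.cos(2 * math.pi * i / n))
                for i, x in enumerate(frame)]
    spectrum = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(windowed))
        im = -sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(windowed))
        spectrum.append(re * re + im * im)
    return spectrum


def high_band_power_ratio(frame):
    """Fraction of total spectral power at or above BAND_EDGE_HZ."""
    spec = power_spectrum(frame)
    bin_hz = SAMPLE_RATE / len(frame)
    total = sum(spec)
    high = sum(p for k, p in enumerate(spec) if k * bin_hz >= BAND_EDGE_HZ)
    return high / total if total else 0.0


def classify_liveness(frame):
    return "live" if high_band_power_ratio(frame) >= LIVE_THRESHOLD else "replay"


if __name__ == "__main__":
    live = synth_live_voice()
    replay = simulate_replay(live)
    print("live   ratio=%.3f -> %s" % (high_band_power_ratio(live), classify_liveness(live)))
    print("replay ratio=%.3f -> %s" % (high_band_power_ratio(replay), classify_liveness(replay)))
```

With these parameters roughly a third of the live frame's power lies above 1 kHz, while the simulated replay retains around one percent there, so a single threshold separates them. A real liveness detector must cope with varied microphones, rooms and speakers, which is exactly why the Void work learns its decision from large labelled datasets rather than from one hand-picked cutoff.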
Research estimates that by 2023, as many as 275 million voice assistant devices will be used to control homes across the globe — a growth of 1000 percent since 2018.
How to protect data when using voice assistants
- Always change your voice assistant settings to only activate the assistant using a physical action, such as pressing a button.
- On mobile devices, make sure the voice assistant can only activate when the device is unlocked.
- Turn off all home voice assistants before you leave your house, to reduce the risk of successful voice spoofing while you are out of the house.
- Voice spoofing requires hackers to get samples of your voice. Make sure you regularly delete any voice data that Google, Apple or Amazon store.
- Try to limit the use of voice assistants to commands that do not involve online purchases or authorizations – hackers or people around you might record you issuing payment commands and replay them at a later stage.
COVID-related attacks increased 436% between the second and third weeks of March 2020, with an average 173% week-over-week increase during the quarter, according to Abnormal Security.
A trend toward payment fraud
There has also been a shift from individual to group BEC attacks, with campaigns with more than 10 recipients up 27% compared to Q4 2019. Attackers also adjusted their targets, with attacks on finance employees increasing more than 75% as attacks on C-Suite executives decreased by 37%. This illustrates a trend away from paycheck and engagement fraud and toward payment fraud, specifically invoice fraud attacks, which increased more than 75%.
“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Evan Reiser, CEO, Abnormal Security.
“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”
COVID-19-related attacks capitalizing on fear and uncertainty
COVID-19-related attacks during Q1 2020 capitalized on fear and uncertainty, leveraging trusted entities and using spoofed and compromised accounts to scam recipients, steal credentials or install malware.
Attack themes followed the pandemic news cycle, using lures such as testing and vaccines and financial relief and stimulus payments, as attackers impersonated trusted entities such as the CDC.
“With employees largely working from home and a daily inundation of information related to the pandemic, attackers saw multiple areas of vulnerability in Q1 2020 and they took swift advantage of them,” said Reiser.
“Without sophisticated BEC security measures in place, the likelihood of business and email compromise increases significantly. The good news is that technology exists to thwart these attacks before they reach their intended targets.”
Ransomware gangs targeting businesses are currently getting more public attention, but scammers trying to trick employees into performing fraudulent wire transfers are once again ramping up their efforts, US-headquartered law firm BakerHostetler has warned.
BEC scams and fraudulent wire transfers
The same tactics have been employed by BEC scammers for years, but businesses of all sizes continue to fall for them.
The scam is usually discovered when the accounting department of a company starts seeing an increase in accounts receivable for one or more customers, then follows up on the outstanding invoices.
The customer reports that they have already paid the invoices and provides proof of the wire transfer, but the document shows that the money was sent to the wrong bank account. The customer says they followed the accounting department’s instructions after receiving an email with “new” wire instructions from them.
“The email, of course, is not from the accounting department but from a fraudster,” the lawyers explained.
“Sometimes the bad actor compromised an accounting department employee’s email account to find customers, steal invoices and gain an understanding of the cadence and manner of billing emails. Sometimes the bad actor compromised the customer’s email account for the same purpose and then used an email that looked enough like the vendor’s accounting department email address to trick the customer. But whatever the method of access and communication, the two entities share the same outcome: Money has been paid to bad actors, and it is highly unlikely that it will be recouped, even with law enforcement intervention.”
The worst thing about these schemes is that they are easily thwarted by setting up certain policies and low-cost technical measures.
For example, companies should consider enabling multi-factor authentication for web-based email access so that scammers can’t use phished credentials to take over business email accounts.
Blocking access to company email accounts from IP addresses that resolve to countries where the company has no employees is also a good idea, and so is setting up alerts that trigger when an email account is accessed from two locations within a time span that would not allow travel between them, the lawyers advise.
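The two mailbox-access controls just described, a country allow-list and an “impossible travel” alert, are simple enough to show in full. The following is an added example (not BakerHostetler's advice in code form and not any product's implementation) that runs both checks over constructed sign-in events; the allowed-country set, the 900 km/h plausibility ceiling and the sample coordinates are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0     # assumption: roughly airliner cruising speed
ALLOWED_COUNTRIES = {"US", "GB"}    # assumption: where this company has staff

# Constructed mailbox sign-in events (not real log data). Coordinates are the
# approximate IP geolocation a lookup service would return for each source.
SAMPLE_LOGINS = [
    {"user": "alice", "time": "2020-05-04T09:00:00Z", "country": "US", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "time": "2020-05-04T10:30:00Z", "country": "NG", "lat": 6.5244,  "lon": 3.3792},
    {"user": "bob",   "time": "2020-05-04T08:00:00Z", "country": "GB", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob",   "time": "2020-05-04T12:00:00Z", "country": "GB", "lat": 53.4808, "lon": -2.2426},
    {"user": "carol", "time": "2020-05-04T11:00:00Z", "country": "US", "lat": 41.8781, "lon": -87.6298},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_blocked(event, allowed=ALLOWED_COUNTRIES):
    """Country allow-list: True when the sign-in should be refused outright."""
    return event["country"] not in allowed


def impossible_travel_alerts(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare each user's consecutive sign-ins; alert when the implied speed
    between them exceeds what physical travel allows."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            # Two sign-ins at the same instant from different places are also impossible.
            speed = float("inf") if hours <= 0 and km > 0 else (km / hours if hours > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["time"], "to": cur["time"],
                               "km": round(km, 1), "hours": round(hours, 2), "kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for e in SAMPLE_LOGINS:
        if geo_blocked(e):
            print("blocked by country policy:", e["user"], e["country"], e["time"])
    for a in impossible_travel_alerts(SAMPLE_LOGINS):
        print("impossible travel:", a)
```

In the sample, alice's second sign-in is caught twice: the country allow-list refuses it, and the velocity check flags New York to Lagos in 90 minutes. bob's London-to-Manchester pair implies about 65 km/h and stays quiet. In production the velocity check should tolerate VPN egress and mobile-carrier geolocation noise, typically by whitelisting known corporate egress ranges before computing the distance.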
On the other hand, scammers may choose not to compromise legitimate business email accounts but set up rogue ones that are made to look like they are owned by the business.
Employees who deal with payments should be taught about the danger presented by these emails, instructed on how to spot red flags, and regularly reminded to always verify all requests to change bank account information by calling a known telephone number for that customer, vendor or business partner (definitely not a phone number included in the email!).
Finally, a business might be wise to these tricks, but it costs them nothing to raise awareness and educate customers and business partners by sending an email delineating all this information and good advice.
You’ve been scammed, now what?
Recouping the fraudulently transferred funds once an employee falls for the scam can be a challenging endeavor.
The sooner the company discovers the incident, the better the chances of getting the money back. Notify your bank immediately and report the incident to law enforcement.
If you’re in the US and the fraudulent wire transfer has been made to a domestic bank account, the FBI’s Internet Crime Complaint Center (IC3)’s Recovery Asset Team might be able to get it back for you. “During its inaugural year, the team assisted in the recovery of over $300 million lost through on-line scams, boasting a 79% return rate of reported losses,” the FBI boasted earlier this year.
It’s also important to find out whose email account was compromised by the scammers.
Not only is this important to decide who will “eat” the loss if the money can’t be recovered, but also because companies whose email account(s) have been compromised might have more to lose than just money: the scammers might have accessed personal and business information residing in the account and might use it to perpetrate additional fraud.
Also, the lawyers noted, “the business whose email was compromised may have additional legal obligations based on state or federal data breach notification laws or contractual clauses with other business partners.”
“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity and fraud prevention, too.
The phrase always seemed more like an empty platitude, but a growing number of banks and other financial institutions now understand that optimizing convenient consumer experience with risk and safety across all their channels is a strategic differentiator.
Dealing with fraudulent transactions
Financial institutions have been on the lookout for fraudulent transactions since the dawn of the digital age, hoping to prevent customers from falling victim to illegal fund withdrawals. Usernames and passwords have become weaker proof of identity and ownership in a world of endless data breaches.
Cybercriminals today easily harvest all manner of personal identity credentials from the dark web as well as through social engineering schemes. They gain access to customer accounts and make transfers or payments with the legitimate customer none the wiser—at least until their next login or they encounter a declined transaction due to insufficient funds.
Automated bots increasingly spur fraudulent transactions by allowing fraud to occur at unprecedented speed and volume. The goal for fraudsters using bot attacks is to compromise accounts and harvest stolen data, leading to ever-greater risk in new channels and services, for newly digitized companies and experienced digital-channel operators alike.
Efforts to stop these nefarious activities have sometimes led to either a one-size fits all approach or overly aggressive policies and additional identity proofing requirements. Customers get frustrated when they need to jump through hoops to log in or complete a transaction.
The lengthy process seems especially frivolous when cybercriminals continue to find inventive new ways to bypass these same controls. Consumers do not expect a “no-friction” transaction every time. They want the incremental steps to be commensurate with the risk of the transaction (e.g., checking an account balance vs. a large balance withdrawal).
Organizations should look beyond the disruption of fraudulent financial transactions and stop viewing the consumer as a financial event or a financial risk to contain. Instead, organizations should consider the consumer across every interaction, not as a single touchpoint or a stand-alone transaction. Only then can organizations effectively protect consumers throughout their experience.
Data insight = Consumer satisfaction and safety
Data insight drives greater consumer satisfaction and safety. To a financial institution, both digital and physical data are often as valuable as a consumer’s financial worth, at least when it comes to visibility into fraud and how to stop it.
Criminals use information within a banking relationship to commit fraud at multiple points during the customer journey. Compromised consumer information exposes the consumer to wider risks outside of specific applications, increasing the risk for the consumer and the organization.
For instance, a fraudster could use compromised customer data to open additional accounts or new lines of credit. Fraudsters with access to online banking information can easily circumvent security questions that require information ostensibly known only to the customer. Criminals then often add their own phone number to the account, or use account information to re-direct the consumer’s phone calls to themselves when users respond to bogus “security” checks purportedly from the financial institution.
The mess left behind in the fraudster’s wake entangles banks who do not employ adequate risk controls. Customers do not like that kind of breach. Neither do regulators.
Banks can benefit from risk signals that can identify this kind of fraud and stop it in its tracks.
When organizations use a combination of data and customer insights (such as pinpointing the last time a device accessed a specific account) measured against transaction risk (whether an account was accessed to change personally identifiable information or merely to check a balance), they can tailor each consumer’s experience with the right risk controls.
Also critical is real-time and historical intelligence of the customer’s legitimate identity usage in other interactions on other sites or apps around the world. Organizations should shift emphasis to establishing “the good” in terms of normative devices and behaviors informed by global-scale intelligence instead of focusing on trying to ferret out “the bad.” This practice uncovers anomalies instantly. The key then is to ensure the identification of anomalies and a proactive response at every decisive moment – not just when the financial transaction is taking place.
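The risk-proportionate approach argued for above (incremental steps commensurate with the action, device familiarity measured against transaction risk, anomalies surfaced at every interaction) can be sketched as a small decision function. The following is an added example, not any vendor's or bank's scoring model; the action weights, device-familiarity penalties, anomaly flags, thresholds and the device history are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Assumption: base risk per action on a 0-100 scale. Reading a balance is cheap
# to get wrong; moving money or changing contact details is not.
ACTION_RISK = {
    "view_balance": 5,
    "small_payment": 20,
    "add_payee": 50,
    "change_contact_details": 55,
    "large_transfer": 60,
}

# Constructed device history for one account: device id -> last time seen
# on this account (stands in for the "last time a device accessed this
# account" signal mentioned in the text).
DEVICE_HISTORY = {
    "acct-1001": {
        "dev-phone-A": datetime(2020, 5, 1),
        "dev-laptop-B": datetime(2020, 2, 10),
    }
}


def device_familiarity_penalty(account, device_id, now, history=DEVICE_HISTORY, stale_days=60):
    """0 for a device seen recently on this account, a mild penalty for a
    stale one, a large penalty for a device never seen on the account."""
    seen = history.get(account, {}).get(device_id)
    if seen is None:
        return 40
    if now - seen > timedelta(days=stale_days):
        return 15
    return 0


def risk_score(account, device_id, action, now, anomaly_flags=()):
    """Combine action risk, device familiarity and behavioural anomaly flags
    (e.g. "new_country", "impossible_travel", "automation_fingerprint"),
    capped at 100. Unknown actions are treated as moderately risky."""
    score = ACTION_RISK.get(action, 50)
    score += device_familiarity_penalty(account, device_id, now)
    score += 25 * len(anomaly_flags)
    return min(score, 100)


def decide(score, allow_below=30, stepup_below=70):
    """Map a score to the friction applied: nothing, a step-up challenge
    (OTP, push confirmation), or a hold for manual review."""
    if score < allow_below:
        return "allow"
    if score < stepup_below:
        return "step_up"
    return "hold_for_review"


def evaluate(account, device_id, action, now, anomaly_flags=()):
    score = risk_score(account, device_id, action, now, anomaly_flags)
    return score, decide(score)


if __name__ == "__main__":
    now = datetime(2020, 5, 5)
    cases = [
        ("acct-1001", "dev-phone-A", "view_balance", ()),
        ("acct-1001", "dev-phone-A", "large_transfer", ()),
        ("acct-1001", "dev-laptop-B", "small_payment", ()),
        ("acct-1001", "dev-unknown", "change_contact_details", ()),
        ("acct-1001", "dev-phone-A", "view_balance", ("new_country",)),
    ]
    for account, device, action, flags in cases:
        print(action, device, flags, "->", evaluate(account, device, action, now, flags))
```

The shape matters more than the numbers: a balance check from the customer's usual phone passes silently, the same phone moving a large sum gets a step-up rather than a block, and a contact-details change from a device the account has never seen is held. That is the “friction-right” outcome the article describes, and it is only possible when device history and behavioural signals are evaluated at every interaction rather than at the payment step alone.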
For all of this, the other side of the equation is just as important. Recalling “the customer comes first,” this focus on protecting the customer also pays serious dividends for the institutions they do business with. Finally, the brand experience matches the brand marketing.
Cybersecurity and fraud risk controls enable significant differentiation for the brand through consumer loyalty and convenience. According to Forrester, less than 10% of organizations ever crack that code.
Institutions that use data insights to coordinate risk and fraud control strategies across channel and consumer journey silos inevitably deliver a faster, more consistent experience across the entire omni-channel spectrum.
Account Takeover (ATO) attacks happen when a bad actor gains access to a legitimate customer’s eCommerce store account and uses that account for fraud.
The impact of ATO attacks
A new Riskified survey shows that ATO attacks have a huge negative impact on customers and merchants, damaging brand reputation and hurting merchants’ bottom lines. Despite that, many merchants lack security measures, and 35% of merchants report that at least 10% of their accounts have been taken over in the last 12 months.
Both merchants and customers value secure store accounts. Customers cite their convenience and the opportunity to earn rewards as notable benefits. Merchants report that account holders shop more often and spend more per purchase than other customers.
But accounts can also increase risk if they are not properly secured. Sixty-six percent of merchants and 69% of customers say they are concerned about their accounts getting hacked. Purchases made using compromised store accounts are hard for merchants to detect, because they look like they are made by legitimate returning customers.
ATO attacks are also very costly for merchants. When fraudsters use compromised accounts to make fraudulent purchases, not only does the merchant lose the revenue and the value of the goods sold, but it also often suffers serious damage to its brand reputation and diminished customer lifetime value.
65% of customers say they would likely stop buying from a merchant if their account was compromised. 54% of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant.
Preventing ATOs presents unique challenges
Because ATOs require only a login and stolen password, merchants have less data with which to evaluate the action, making detection and prevention difficult. Many merchants are failing to do so:
- 27% admit that they do not have measures in place to prevent ATOs.
- 24% of merchants can’t identify an ATO during a purchase.
- 14% of merchants say they are not even aware that an ATO has occurred unless a customer contacts them.
- Only 7.5% of customers learn their accounts were compromised from the merchant. The vast majority spot changes to their accounts or learn of unauthorized purchases.
Merchants that take steps to reduce ATOs risk hurting the customer experience. The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.
Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.
This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.
Embracing advanced technology may offer a solution
Because of their potential for serious financial and reputational harm – combined with the difficulty in detection – merchants need to use as much available data as possible to avoid ATOs. For example, merchants should look at the device and network details, proxy usage and previous logins to determine if the entity attempting to access the account is the rightful owner.
If the device or network is unfamiliar or exhibiting characteristics consistent with fraudsters, merchants should exercise caution by notifying the account owner or applying two-factor authentication.
Merchants also need to recognize that the account takeover isn’t the end goal. Fraudsters use ATO attacks to then place fraudulent orders, and merchants have the advantage of seeing that whole process.
An unfamiliar login or a change of details might seem suspicious initially, but if the cart that reaches checkout is low risk, then merchants can likely safely approve the order.
Similarly, if a safe-looking account event is followed by a chargeback, then merchants should take another look at the account activity and, likely, prompt the customer to change their password. When merchants ensure that these parts of the shopping journey – and the teams and solutions that manage them – are coordinated, they can decrease risk and increase revenue.
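The risk-based approach sketched above (tailoring controls to device familiarity and action sensitivity, stepping up or notifying the owner on unfamiliar devices or proxies, approving an order when the cart itself is low risk, and forcing a password change after a chargeback) can be written down as a small decision function. The following is an added illustration, not code from Riskified or FICO; the point weights, thresholds, action names and sample account history are all constructed for the example.

```python
"""Risk-based login and order decisions for an e-commerce account.

Added example (not the page's or any vendor's code). Every weight and
threshold below is an assumption chosen for illustration; a real system
would calibrate them against its own fraud and abandonment data.
"""
from dataclasses import dataclass, field
from typing import Set


@dataclass
class AccountHistory:
    """What the merchant already knows about one customer account."""
    known_devices: Set[str] = field(default_factory=set)
    known_networks: Set[str] = field(default_factory=set)  # e.g. ASN or coarse network label
    password_reset_required: bool = False


@dataclass
class LoginEvent:
    """One authentication attempt plus the action it is about to perform."""
    device_id: str
    network: str
    via_proxy: bool
    action: str  # "check_balance", "checkout" or "change_pii"


# Sensitivity of the requested action (assumed weights): changing personal
# details is far riskier than reading a balance.
ACTION_WEIGHT = {"check_balance": 0, "checkout": 1, "change_pii": 3}


def login_risk(evt: LoginEvent, hist: AccountHistory) -> int:
    """Accumulate risk points from device, network, proxy use and action."""
    pts = 0
    if evt.device_id not in hist.known_devices:
        pts += 2  # never seen this device on the account
    if evt.network not in hist.known_networks:
        pts += 1  # unfamiliar network
    if evt.via_proxy:
        pts += 2  # anonymising proxy is a common fraudster characteristic
    pts += ACTION_WEIGHT.get(evt.action, 3)  # unknown actions treated as sensitive
    if hist.password_reset_required:
        pts += 3  # account flagged after a chargeback; credentials may be stolen
    return pts


def login_decision(evt: LoginEvent, hist: AccountHistory) -> str:
    """Map risk points to a control: allow, step-up (2FA), or notify owner + step-up."""
    pts = login_risk(evt, hist)
    if pts == 0:
        return "allow"
    if pts <= 3:
        return "step_up"
    return "notify_owner_and_step_up"


def order_decision(evt: LoginEvent, hist: AccountHistory, cart_risk: str) -> str:
    """Judge the order as a whole: a slightly unfamiliar login with a low-risk
    cart is approved; a risky cart or a very risky login goes to manual review."""
    pts = login_risk(evt, hist)
    if cart_risk == "high" or pts >= 6:
        return "review"
    if cart_risk == "low":
        return "approve"
    return "approve_with_step_up"


def on_chargeback(hist: AccountHistory, device_id: str) -> AccountHistory:
    """A chargeback after a safe-looking event: stop trusting that device and
    require a password change at the next login."""
    hist.known_devices.discard(device_id)
    hist.password_reset_required = True
    return hist


def sample_history() -> AccountHistory:
    """Constructed account: one known device, one known home network."""
    return AccountHistory(known_devices={"dev-A"}, known_networks={"net-home"})


if __name__ == "__main__":
    hist = sample_history()
    routine = LoginEvent("dev-A", "net-home", False, "check_balance")
    new_device = LoginEvent("dev-B", "net-home", False, "checkout")
    suspicious = LoginEvent("dev-C", "net-unknown", True, "change_pii")
    print(login_decision(routine, hist))            # allow
    print(order_decision(new_device, hist, "low"))  # approve
    print(login_decision(suspicious, hist))         # notify_owner_and_step_up
```

The design keeps the login decision and the order decision separate but fed by the same risk points, which is the coordination the text argues for: the login layer decides whether to add friction, the checkout layer decides whether the order is worth that friction, and a later chargeback feeds back into both.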
“Our survey shows that merchants are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, CTO at Riskified.
“Without a dynamic approach that evaluates all relevant data, merchants risk significant financial losses, frustrated customers and damaged brand reputations. Advanced machine-learning solutions can instantly recognize legitimate customers and ease their path to checkout.
“Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience.”
The importance of accounts
Accounts are an important shopping tool for customers:
- 3% of customers say they have accounts on individual sites for shopping.
- 75% do most or all of their online shopping with merchants where they have accounts.
- 42% said they shop more frequently when they have an account.
Merchants get a significant portion of their business from customers with accounts:
- More than 67% of the merchants surveyed say at least half of their orders come from customers with accounts.
- 58% of merchants report that account holders spend more per purchase than customers who use guest checkout.
- 61% say that account holders purchase more frequently than customers who use guest checkout.
“Companies can combat lateral phishing threats by adopting advanced security solutions that identify suspicious logins and take actions before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as MFA, which can limit an attacker’s chance of hijacking a corporate email address in the first place. Additionally, all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” said Anurag Kahol, CTO at Bitglass.
A large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online, FICO reveals.
As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.
Do you use a password manager?
The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two and five passwords they reuse across accounts; and 4 percent use a single password across all accounts.
Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager, which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook. If you’re a security leader and your organization is still not using a password manager, find out how to evaluate a password management solution for business purposes.
“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO.
“Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”
A forgotten password can affect online purchases
The study shows that consumers struggle with maintaining their current passwords as 28 percent reported abandoning an online purchase because they forgot login information, and 26 percent reported being unable to check an account balance.
Forgotten usernames and passwords even affect new account openings: 13 percent said that it has stopped them from opening a new account with an existing provider.
This is a notable trend as consumers are more willing than ever to do business digitally. The study found that the majority of respondents would open a checking (52 percent) or mobile phone (64 percent) account online, while an overwhelming majority of respondents (82 percent) said they would open a credit card account online.
Consumers trusting physical and behavioral biometrics
However, while there is significant room to improve how consumers protect their login credentials, the survey also found that Americans are becoming more trusting of using physical and behavioral biometrics to secure their financial accounts.
The survey found that 78 percent of respondents said they would be happy for their bank to analyze behavioral biometrics – such as how you type – for security and 65 percent are happy to provide biometrics to their bank; while 60 percent are open to using fingerprint scans to secure their accounts.
Additionally, when logging into their mobile banking apps, respondents are now considering alternative security measures beyond the traditional username and password. The five most widely used security alternatives are:
- One-time passcode via SMS (53 percent)
- One-time passcode via email (43 percent)
- Fingerprint scan (39 percent)
- Facial scan (24 percent)
- One-time passcode delivered and spoken to mobile phone (23 percent)
“Digital services are currently playing a critical role in daily life. It is a good time to evaluate how we protect ourselves and our information online,” said Lasher.
“Customers have been happy to adopt security such as one-time passcodes, and are now showing that they are willing to adopt additional options, such as biometrics, to protect their accounts.
“There are no magic bullets and the ability to layer and deploy multiple authentication methods appropriate to each occasion is key. Financial services organizations and consumers need to continue to keep security best practices top of mind to help combat fraudsters now and in the future.”