Prepare for holiday cybercrime spree
A new report also shows that consumers are "prepared to hold their financial institution responsible for the damages."
Two cybersecurity reports paint a dreadful end-of-the-year picture: one forecasts major data breaches fueling a holiday retail cybercrime spree; the other suggests financial institutions will be on the hook for any incidents.
Fraud increased 30% overall in the third quarter 2019 and bot-driven account registration fraud is up 70% as cybercriminals test stolen credentials in advance of the holiday retail season, according to “The Q4 Fraud and Abuse” by San Francisco-based Arkose Labs, which provides a platform combining telemetry with an adaptive step-up challenge to identify bad actors. The study provided insights into the cybercrime ecosystem and how criminals are preparing for large-scale digital commerce attacks in this year’s last quarter.
The report analyzed over 1.3 billion transactions spanning account registrations, logins and payments in the financial services, e-commerce, travel, social media, gaming and entertainment industries from July 1, 2019, to Sept. 30, 2019.
Arkose Labs found one in five account openings were fraudulent and an elevated attack rate on retail payment transactions forecasts a record-high holiday fraud season. Account takeover attacks are a precursor to payment fraud. Eighty-one percent of all retail attacks were fraudulent payments transactions.
Kevin Gosschalk, CEO of Arkose Labs, said, “One thing is clear: The way fraudsters are weaponizing compromised data from recent high-profile breaches highlights the deep connectivity of the global cybercrime ecosystem that goes way beyond selling stolen data or knowledge sharing. One attack is a precursor to another attack, and they can be in two different industries, across two different geographies.”
Among the other findings:
- Digital account registration on social, tech and gaming companies has become the identity testing mechanism for fraudsters. Even when an account creation attack fails, it can provide valuable insight into an account’s existence. Within the tech industry, fake account creations, which are nine times more likely to be attacked compared to login attempts, increased five-fold from the second quarter.
- Attacks from malicious humans — both lone perpetrators and organized fraud sweatshops — increased 33% over the previous quarter, and nearly one in every five attacks (every third attack on financial services) is human-driven.
“Our report exposes the monetization roadmap criminals take to commit an attack,” Vanita Pandey, vice president of strategy at Arkose Labs, said. “First, fraudsters test credentials, which we are witnessing in profusion across all industries. Next, they take over accounts. Payment fraud is usually the last step in the attack cycle, and the overwhelming volume of fraudulent retail payment transactions in quarter three forecasts a very ominous holiday shopping season.”
Gosschalk noted, “Digital commerce has made it easy to launch a global business, but at the same time, it has never been easier for a fraudster to target businesses across the globe.” He added, with access to sophisticated tools, complete identities harvested through breaches and phishing attacks, anyone can launch sophisticated attacks.
“How Fraud Stole Christmas,” a study from Baltimore-based Terbium Labs, which provides a digital risk protection platform, suggested fears of data loss, identity theft and fraud are leaving American consumers on edge this holiday season, and they are prepared to hold their financial institution responsible for the damages.
Terbium Labs surveyed over 1,000 U.S. consumers in October 2019 to better understand their shopping behaviors and preferred payment strategies during the 2019 holiday shopping season.
They discovered American consumers are on high alert heading into the busy holiday season, as 66% believe they could easily become a victim of fraud, while another 65% believe they are at a higher risk of having their financial information exposed as a result of their holiday shopping. Sixty-eight percent would hold their financial institution at least partly responsible for fraudulent activity, regardless of how the compromise occurred.
“Financial institutions are under heavy scrutiny by consumers during the holiday season, and should be taking customer trust and loyalty very seriously,” Emily Wilson, vice president of research at Terbium Labs, said. “Cybercriminals thrive during peak holiday shopping — the hustle and bustle of transactions and unusual shopping patterns create countless opportunities to capture payment data and attempt fraudulent transactions.” Wilson pointed out that not helping the situation are distracted consumers, who prefer reactive measures to account for fraud while holding financial institutions to a high standard in keeping their data safe.
Consumers made it clear they expect their financial institution to be accountable, even if it was not the original source of the data breach. Fifty-one percent said they would blame both the original source of the data compromise, such as a retailer, and the financial institution issuing the card, while another 17% said they would only hold their financial institution responsible regardless of how the compromise occurred.
According to the data, this will directly impact the bottom line as financial institutions stand to lose 45% of their customer base if a holiday data breach occurs. Nineteen percent said they would leave the financial institution and close their account following a data breach, and another 26% indicated they would only keep their accounts if their financial institution improved security.
Consumers are most concerned over the compromise of Social Security numbers (23%), followed closely by compromised debit card (22%) and credit card numbers (21%).
Meanwhile, consumers do not seem proactive in limiting their potential exposure. More than a third (35%) plan on using a mix of both debit and credit cards, while nearly half (49%) said that they will use between two and three cards. This creates far more opportunities for cybercriminals to capture payment data. Additionally, only 7% plan on using two-factor authentication when shopping online. Instead, more than a third (38%) plan to prioritize monitoring their transaction history, even though 14% indicated frustration when too many unsuspicious purchases get flagged.
Wilson said, “The wave of massive breaches exposing personal data in recent years has left consumers more worried than ever about protecting their identity information — making the stakes even higher for financial institutions who need to secure that data.”
Related: