RSA E-Commerce Fraud Trends 2013

Global e-commerce sales are growing at a steady clip – and to no one’s surprise, fraud is growing, too. E-commerce fraud affects all parties in the payment card value chain – from the major card brands that sit at the top of the industry to the billions of credit and debit cardholders worldwide who shop online.

View session via http://www.emc.com/events/rsa/02-20-13-FraudTrends.htm

  1. E-Commerce Fraud Trends 2013. Wednesday, Feb. 20th, 9:00 AM EST. Speakers: Limor S Kessem, Technical Lead, FraudAction Knowledge Delivery; Richard Booth, Senior Fraud Technology Consultant. Dial-in: U.S./Canada toll-free 1-866-289-3291, PIN: 8272; international toll: dial 001-503-295-8000, then enter 866-289-3291 and PIN: 8272; or listen via your computer speakers (under the Voice & Video tab select “Join Audio”). © Copyright 2012 EMC Corporation. All rights reserved.
  2. Agenda: Statistics; Where does it all stem from?; How is fraud committed?; How can we protect ourselves?
  3. Global e-commerce 2013: expected to total almost $1 trillion worldwide in 2013.
  4. Europeans shopping online: Top 10 (bar chart, percentages by country; source: EuroStat).
  5. E-commerce is everywhere… Consumers are using their smartphones to bridge the gap between brick-and-mortar stores and e-commerce. eBay Mobile: 13,161,000 unique shoppers in 1 month (1:04:02 hrs). PayPal: +5m active new accounts in 4Q2012, the fastest rate in 8 years!
  6. Losses to e-commerce fraud: Cybercrime costs UK retailers over £200 million a year (British Retail Consortium). Total fraud losses on UK cards totaled £185 million between January and June 2012; payment fraud losses are only 0.5% of all fraud losses in the UK (The UK Cards Association). Losses incurred on Irish-issued payment cards: €25.7 million recorded in 2011.
  7. Intelligence = Power
  8. Intelligence = Power
  9. The Underground? The Underground World of Fraud
  10. (image slide, no text)
  11. The Fraud Underground
  12. Fraudsters; Botmasters; Blackhats; Hacktivists
  13. Malware programmers; Infrastructure services; Data vendors; Stolen data vendors; Con artists and thieves
  14. E-commerce fraud, the supply chain: Con artists devise ploys: they create and deploy social engineering schemes, including e-commerce phishing and spam tactics designed to harvest credentials. Data trafficking: buy, sell and trade in credentials, account information, card numbers, victim contact details, PII and credit reports.
  15. E-commerce fraud, the supply chain: Mule herders recruit and command money mules, and recruit and command item drop mules. Cashout services offer a variety of options to fraudsters looking for exchange possibilities and monetization schemes.
  16. E-commerce fraud, the supply chain: Forgery service providers create fake documentation, from statements to ID cards, driving licenses and passports, and provide cloned cards that are a replica of the real plastic card. Dark shoppers offer purchasing services, in-store pick-up and e-commerce fraud tutorials.
  17. The flow of events
  18. The planning phase. Step #1: Plan, buy a card… or 100. This happens in deep-web venues.
  19. E-commerce fraud, flow of events (timeline): Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize.
  20. A market… Deep (web) conversations. Before: IRC. Today: organized boards.
  21. The planning phase
  22. Where are these details purchased?
  23. What feeds the stolen data supply? Phishing attacks (classic phishing aimed at e-commerce merchants; SMShing); Trojan logs; Trojan injections that ask the victim for card details; Trojan plugins designed to grab and parse CC data; hacked payment processors; hacked online retailers; big breaches that expose financial data; data traffickers who have “warehouses” of information.
  24. Verify card validity (CC checking): check via phone merchants; check via online merchants; check via adapted checking services; check inside the CC shops; check via rogue merchant infrastructures.
  25. Obtain additional details: get online access to the card’s account; attempt to guess/reset the VBV/MSC password if need be; call the bank as needed.
  26. Get an item-drop mule (reshipping). The fraud underground has a number of options to offer thieves: accomplices; dark shopper services; in-store pick up of ordered goods; pick your own item drop mule; a full-service turnkey solution, from buy to monetize.
  27. Reshipping mules: pick one. The herder recruits people to work; each new “employee” is added to the list; the mule can be picked out online; each mule is available for a number of shipments according to the herder’s rules.
  28. E-commerce fraud, flow of events (timeline): Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize.
  29. The COB (Change of Billing). Goal: change the billing address on the account. “Enrolls”: attempt to access the card online. Add a shipping address/mailing address. Look for details on the victim. Add a mobile number and email address. Non-native speakers contract underground services to help them achieve the goal.
  30. What is ‘Carding’? The fraudulent use of payment cards is dubbed ‘Carding’. Fraudsters are after easy-to-card merchants; they usually avoid secure, large merchants, prey on smaller shops and tell their friends about them, and usually card high-value electronics and popular goods.
  31. The action phase: go shopping. Step #2: Theft. Happens in e-commerce sites.
  32. Dark shopper services
  33. E-commerce fraud, flow of events (timeline): Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize.
  34. Item drop and reship. Step #3: Ship the goods. Happens at item drop addresses.
  35. The mule… The mule receives the goods at home, prints and re-tickets the item, and reships the item(s). The fraudster receives it, or the mule herder receives and sells the item, then shares the loot. In-store pick up mules go to the shop and then reship…
  36. E-commerce fraud, flow of events (timeline): Buy data → Verify validity → COB → Shop → Reship → Resell → Monetize.
  37. Monetize. Step #4: Monetize. Happens between accomplices online/on the streets.
  38. Fighting Fraud
  39. Protecting cardholders: prevention. Banks can tighten security around COBs. Fraudsters fail when VBV/MSC codes cannot be reset or bypassed; blacklisting BINs. Fraudsters will steer clear of secure platforms that provide them no added information (enrollment phase security). Identity verification over the phone. Card-cloning criminals fail when the last 4 digits of the card must match their plastic.
  40. Fighting back!
  41. Cardholder education is key. Fraudsters will try to enroll cards, and they can be stopped: encourage customers to register their cards to the online service and be sure to review them regularly. Fraudsters dread the premature discovery of a pending fraudulent delivery/transaction: encourage customers to use the alerting services you offer (email, SMS).
  42. Informed customers help prevent fraud. Inform customers about phishing for card information. Inform customers about shopping via mobile devices and through apps: mobile devices can be just as easily targeted by phishing and rogue shopping apps as the PC; warn customers about downloading shopping and banking apps from third party websites.
  43. Cardholders have the power… to avoid phishing scams by never divulging financial information online; to call their bank when they are unsure of the source of a suspicious email; to control the shipping process of orders they placed.
  44. Cardholders have the power… to monitor their card when they hand it to a shop attendant; to only buy from well-known, reputable merchants; to choose to receive alerts when purchases are processed on their cards; to regularly review their accounts, especially during the holidays.
  45. Deception is only deception
  46. Managing Fraud Risk
  47. Threats occur across the entire user session, from the beginning of the web session, through login, to transaction and logout: InfoSec (pre-authentication) threats and fraud (post-authentication) threats. Threats listed: account takeover; parameter injection; site scraping; man in the browser; high risk checkout; vulnerability probing; password guessing; unauthorized account activity; new account registration fraud; DDOS attacks; fraudulent money movement; phishing attacks; access from high risk country; man in the middle; promotion abuse.
  48. RSA FraudAction Services: Anti-Phishing Service (detect and shut down phishing sites); Anti-Trojan Service (detect and shut down malware targeting customers); Anti Rogue App Service (detect and shut down rogue mobile apps); FraudAction Intelligence (reports about fraud activities and trends in the underground).
  49. SilverTail Web Session Intelligence: criminals behave differently than customers. Anomalous behavior detection based on velocity, page sequence, origin and contextual information.
  50. RSA Adaptive Authentication: transparent real-time fraud detection and authentication without sacrificing user experience; monitor and authenticate both login and post-login activities; risk-based self-learning engine which rapidly adjusts policies and controls to predict and protect against future attacks; collaborative real-time cross-institution fraud intelligence sharing.
  51. RSA Adaptive Authentication (architecture diagram): Behavior, Device and Fraud inputs feed the Risk Engine (scores 937 and 271 shown); the Policy Manager decides to Authenticate or Continue; step-up authentication via Knowledge challenge, Out-of-band or Others; Activity details, Feedback and Case Mgmt close the loop.
  52. RSA Adaptive Authentication for eCommerce: balance risk, cost and convenience with no enrollment; transparent real-time fraud detection with minimal impact on the cardholder’s user experience; risk-based system that learns from past behavior and rapidly adjusts to predict and protect against future attacks; collaborative real-time cross-institution sharing of fraud-connected data via RSA eFraudNetwork; worldwide availability to issuing banks as a centrally hosted service.
  53. RSA Adaptive Authentication for eCommerce. Transparent Auth: low-risk transactions are transparently authenticated, with no cardholder engagement. Mandatory Auth: risky transactions are challenged via KBA, OTP SMS or data elements. Decline: the highest-risk transactions are declined.
  54. RSA’s Layered Protection for Fraud Prevention
  55. Q&A
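The three-tier decision on slide 53 (transparent, challenge, decline), driven by the signals the deck names in its COB and prevention slides (recent change of billing, shipping address that differs from billing, fresh online enrollment, order velocity, origin country). This is an added illustration, not RSA's code or scoring model; the signal weights and tier thresholds are assumptions chosen for the example, and the two transactions are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    """Risk signals available at checkout for one card-not-present order."""
    amount: float
    hours_since_billing_change: Optional[float]   # None = billing never changed
    ship_to_matches_billing: bool
    days_since_online_enrollment: Optional[float]  # None = card not enrolled online
    orders_last_24h: int                           # velocity for this card
    high_risk_country: bool


def risk_score(t: Txn) -> Tuple[int, List[str]]:
    """Sum assumed signal weights and return the reasons that fired (for a case file)."""
    score, reasons = 0, []
    if t.hours_since_billing_change is not None and t.hours_since_billing_change < 72:
        score += 40; reasons.append("billing address changed <72h ago (COB)")
    if not t.ship_to_matches_billing:
        score += 20; reasons.append("shipping address differs from billing")
    if t.days_since_online_enrollment is not None and t.days_since_online_enrollment < 7:
        score += 25; reasons.append("online account enrolled <7 days ago")
    if t.orders_last_24h >= 3:
        score += 15; reasons.append(f"velocity: {t.orders_last_24h} orders in 24h")
    if t.high_risk_country:
        score += 20; reasons.append("access from high-risk country")
    if t.amount >= 500:
        score += 10; reasons.append("high-value order")
    return score, reasons


def decide(t: Txn) -> str:
    """Map the score onto the deck's tiers; thresholds are assumptions."""
    score, _ = risk_score(t)
    if score < 30:
        return "transparent"   # authenticate silently, no cardholder engagement
    if score < 70:
        return "challenge"     # step-up via KBA or OTP SMS
    return "decline"


# Constructed samples: a routine repeat purchase, and the COB pattern from slide 29
# (fresh enrollment, billing just changed, goods shipped elsewhere, several orders).
NORMAL = Txn(60.0, None, True, 400, 1, False)
COB_PATTERN = Txn(1200.0, 6, False, 2, 3, False)

if __name__ == "__main__":
    for name, txn in (("normal", NORMAL), ("cob_pattern", COB_PATTERN)):
        print(name, decide(txn), risk_score(txn)[1])
```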