
Effective antifraud: how to protect a business from online fraud

Hello! This is our first post on Habr, and it opens a series of publications about fraud and antifraud services. We are Payture: to be precise, an international processing company that specializes in services for electronic and mobile commerce and also provides antifraud services.



Fraud and phishing go hand in hand (where the data for fraud comes from)


Of course, fraudsters also use skimming (offline reading of data from the card) to obtain the personal data used in fraud operations, but in this example we are talking about phishing.
Some may remember that in 2007 Alfa-Bank customers using the Alfa-Click service were hit by several mass phishing attacks. These involved phishing links and emails. After Alfa-Bank clients entered their personal data on phishing pages, the attackers could monetize the information they obtained in various ways.

Here we are interested in the case where criminals pay for goods or services on the Internet with stolen cards. That is where the data for fraud comes from. After such a payment, the victim is not only the true holder of the compromised card but also the merchant, who will be obliged to return the funds debited from the card to its true owner.

The merchant often becomes a victim in fraud cases

Once the intruders have withdrawn funds from a stolen card as part of the fraud scheme, proceedings begin (after the cardholder's statement) that involve the issuing bank (on the cardholder side), the payment system, the acquiring bank (on the merchant side) and the merchant.

It is worth noting that cards of Russian banks are currently not very popular with fraudsters who specialize in fraud, because of their relatively high security.

Therefore, the following example, which illustrates a merchant's losses due to fraud, involves compromised cards of a foreign bank. The incident happened to our client, an online travel agency that sold tickets. The scheme described became possible because an antifraud system was temporarily absent, which allowed the attackers to make multiple payments with stolen cards of a foreign bank.

How does professional fraud work?

The scammers somehow (see above: phishing, skimming) obtained the card data of clients of one foreign bank. Then, posing as airline employees on their website and on social networks, the attackers announced that they could sell tickets at half price. Curiously, the criminals also found buyers for these tickets by making personal acquaintances among Russians in places where tourists gathered.

Next, the fraudsters contacted by email the people who wanted to take advantage of the attractive offer to buy tickets to any destination at a low price. The condition for issuing such a ticket was a transfer of funds to the fraudsters' e-wallet, which is an irreversible operation.

At that point, the fraudsters themselves bought a ticket at full price on the website of our client, the online travel agency (merchant), entering the data of the real future passenger (the person buying the ticket from the fraudster at half price) together with a stolen card of a foreign bank's client.

And then they flew

The buyers received by email from the intruders an e-ticket that was officially registered with the airline. The unsuspecting passengers then arrived at the airport, checked in with their passports and flew.

The main condition for such a purchase was a short booking depth: you buy today and fly tomorrow. In that time the real cardholder did not manage to file a dispute of the transaction with the bank, and even if he did, the chargeback system worked with some delay, which allowed the fraudsters to keep making multiple payments, receiving half of the ticket price from each buyer.

What were the consequences of fraud?

The holders of the compromised cards applied to their issuing bank, and proceedings began with the participation of the payment system, in which the acquiring bank was found at fault. Under its agreement with the merchant, the acquiring bank carried out a chargeback, which caused the travel agency to incur losses equal to the cost of the purchased tickets.

The bottom line:

  1. the air ticket buyers got their tickets for half the price
  2. the fraudsters got part of the money from the stolen cards
  3. the true owners of the compromised cards got the debited funds back
  4. while the travel agency's problems were just beginning

The injured company, which had not connected a fraud recognition system, paid an additional penalty of 5,000 euros imposed by the international payment systems. Next, an audit of the security of the payment solutions of the gateway and the acquiring bank was ordered, at a cost of 15,000 euros; these costs were also passed on to the merchant.

How to minimize losses?

As you can see, the travel agency suffered significant irrecoverable losses because it had no antifraud system. The rules and algorithms configured in an antifraud service would have made it possible to detect such fraudulent payments, for example using the following indicators:

  1. in the described case, the card's issuing bank is not typical for the client's audience (the bank that issued the card is, say, located in France, while the client's audience is mainly from Russia)
  2. the payment was made for a flight that was to take place in the near future (such operations get special attention because they are quite rare; even if the antifraud system let the payment through, the service's analysts would spot it and contact the client within a few hours to prevent fraud)
  3. there is a significant spread in the distances between the locations of the device from which the payment is made, the passenger, his address and the issuing bank (by comparing these facts we can flag the operation as suspicious and either block it or recheck it)
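
The three indicators above, sketched as a rule check (an added example, not Payture's code; the thresholds, field names and the accept/review/decline mapping are assumptions made for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

# Assumed values for illustration; a real service tunes these per merchant.
HOME_COUNTRIES = {"RU"}               # where the merchant's usual audience is
NEAR_DEPARTURE = timedelta(hours=48)  # "you buy today and fly tomorrow"
MAX_SPREAD_KM = 1500                  # tolerated distance between locations

@dataclass
class Payment:
    paid_at: datetime
    departs_at: datetime
    issuer_country: str
    points: dict  # label -> (lat, lon): device, passenger address, issuing bank

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def indicators(p):
    """Return the names of the three indicators that fire for payment p."""
    hits = []
    if p.issuer_country not in HOME_COUNTRIES:
        hits.append("issuer_outside_audience")
    if timedelta(0) <= p.departs_at - p.paid_at <= NEAR_DEPARTURE:
        hits.append("near_departure")
    spread = max((km(a, b) for a, b in combinations(p.points.values(), 2)), default=0)
    if spread > MAX_SPREAD_KM:
        hits.append("location_spread")
    return hits

def decide(p):
    """No hits: accept. Any hit: analyst review. All three: decline."""
    n = len(indicators(p))
    return "decline" if n == 3 else "review" if n else "accept"

# Constructed sample payments (not real transactions).
MOSCOW, PARIS = (55.7558, 37.6173), (48.8566, 2.3522)
NOW = datetime(2014, 9, 1, 12, 0)
local = {"device": MOSCOW, "address": MOSCOW, "issuer": MOSCOW}
SUSPECT = Payment(NOW, NOW + timedelta(days=1), "FR", {**local, "issuer": PARIS})
LAST_MINUTE = Payment(NOW, NOW + timedelta(days=1), "RU", local)
ORDINARY = Payment(NOW, NOW + timedelta(days=30), "RU", local)

if __name__ == "__main__":
    for name, p in [("suspect", SUSPECT), ("last_minute", LAST_MINUTE), ("ordinary", ORDINARY)]:
        print(name, decide(p), indicators(p))
```

A single indicator only routes the payment to review here, which mirrors the point that next-day flights are rare but not fraudulent in themselves.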

It is exactly these “holes”, where there is no protection against fraudulent operations, that IT scammers use for their attacks.

Holes in security systems go viral on scammers' social networks

As is known, the share of attempted fraudulent transactions in online trading reaches 10%. Fraudsters very often attack online shopping sites that lack an antifraud system. And if a scammer one day finds such a “hole”, the information spreads instantly among like-minded people.

One case from our practice illustrates this perfectly. For reasons that we cannot disclose, our client turned off the antifraud for just one day.

As a result, we observed an avalanche-like increase in transactions at this client involving cards from a British bank that had recently suffered a data leak. Within a few hours there were fraud attempts coming from the fraudsters themselves, from drops and from bots. Probably not all of these payments were made for purchases; many were simply trying to find out whether funds were available on a particular card, because they were choosing offers in a completely random way.

Moral

Just as the feeds of popular social networks fill up with viral posts, the social networks of fraudsters fill up with messages that this or that “hole” has been discovered. For this reason, the actions of IT fraudsters (especially in the travel segment) can sometimes have disastrous consequences, even within a single day.

A separate note on terminology disputes: some sources describe this fraud scheme as carding, but in our practice it is customary to call it fraud. The type of fraud described in the first example is considered Professional. There are also Blind, Intelligent and Friendly fraud; we will write about their features next time. Basic knowledge of terminology can be found here.

We are ready to answer practical questions on fraud, antifraud services and transaction support, since we would like to avoid excessive generality and superficiality. For obvious reasons, we are somewhat constrained in how deeply we can disclose the topic, but we will try to make communication with us interesting.

Source: https://habr.com/ru/post/237803/

