Sign up to save your podcasts
Or
Share The Architecture of an Attack: NuData Breaks Down Account Takeover Attacks
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
The Architecture of an Attack: NuData Breaks Down Account Takeover Attacks
Looking back at the holiday season, merchants faced a
timeless struggle: stopping fraudsters. While dealing with fraud is a challenge
year-round, the holiday season makes it even more difficult.
In November and December, people shop more to prepare for
the holidays, causing eCommerce volumes to rise. Aware of the uptick in volume,
criminals launch attacks, trying to take advantage of merchants who are
struggling to keep up with all the traffic.
A common fraud vector used by criminals year around is
account takeover. This is when the fraudster gains access to a user’s account,
often by using stolen login information or through a brute strength bot attack.
In either case, once a criminal gains access to an account, they’re able to steal
more personal information, money, and goods.
A recent estimate found that merchants sustained $13 billion
in losses due to account takeovers in 2018, said Tim Sloane, VP of Payments
Innovation at Mercator Advisory Group.
“And that’s likely to get worse as criminals become more
active and smarter in the way they operate, using sophisticated tools to
perpetrate their crimes,” he cautioned.
To learn more about the types of account takeover attacks
and how companies can fight back, PaymentsJournal sat down with Robert Capps,
VP of Market Innovation at NuData, and Mercator Advisory Group’s Tim Sloane.
During the conversation, Capps and Sloane discussed the
differences between basic and sophisticated account takeover attacks, described
the commonalities of sophisticated attacks, and reviewed some relevant use
cases.
Basic versus
sophisticated account takeover attempts
Before explaining the difference between basic and
sophisticated account takeovers, Capps provided a stark warning: It’s safe to
assume that nearly every consumer in the United State has had their data stolen
in some way, shape, or form over the past five to ten years.
Sloane noted that it’s easy for criminals to buy and sell
the personally identifiable information (PII) of consumers on the dark web, a
fact made possible by the numerous data breaches occurring each year.
With vast amounts of PII floating around on the internet,
“it’s only a matter of time before that data is used to attempt to login to any
valid account,” said Capps. Criminals will take this data and go to major
retailers, such as Target or Amazon, and attempt to log into accounts in order
to make fraudulent purchases.
The manner in which a hacker tries to gain access into the
accounts reveals if it’s a basic or sophisticated attack. In a basic attack,
the hackers will try to flood as many accounts and websites as possible with
the same data, as quickly as possible. It’s high volume, and there’s not really
an effort made to pretend to look like a human.
“They’re just sending data to the form and submitting it in
the same format that a legitimate page would, and they’re doing it as quickly
as possible,” explained Capps.
He explained that the nature of basic attacks hardly changes
from year to year. “I think that the most telling thing we’ve seen about basic
attacks is that they’re more of recycling efforts,” he said. Criminals are
taking data that’s already been used and using it again to see if there’s any
remaining valuable data.
NuData’s internal numbers reveal that the number of sophisticated
attacks has been increasing, a trend that is expected to continue.
In contrast, these sophisticated attacks tend to have lower
volume, and the attacker tries to disguise the attack as a normal login
attempt. They might try to hide their IP address, create a valid device ID, and
execute JavaScript to run and render the website pages—all in an effort to
appear like a normal user who opens a page or application.
While basic attacks used to be the most common type of
account takeover, sophisticated attacks have been on the rise. The reason is
that basic attacks are easier to detect. “Frankly, they’re really obvious if
you know what signals to look for,” said Capps. Since most companies have
deployed solutions that can identify and stop the basic attacks, they’re now
largely ineffective.
In response, fraudsters have upped their game and embraced
more sophisticated approaches. By generating a valid device ID, rendering the
pages, and masking their IP address, criminals have a greater chance of
success.
“Fraudsters are realizing these more sophisticated attacks
are now more successful against organizations that have basic protections,”
said Capps. “So, they’re starting to move those attacks around other
environments and see where else they’re effective.”
Sloane added that, often times, the criminals behind
sophisticated attacks aren’t just petty criminals. Instead, it’s not uncommon
for organized crime and even state actors to be launching these sophisticated
attacks.
A real-world example
of a basic attack: Over 4 million login attempts
Capps provided an example of how NuData helped one client fend
off a basic attack at the end of 2019.
“We saw over 4 million fraudulent login attempts to a client,
and they were trying to access almost three-quarters of a million accounts,” he
said. Since NuData detected a lot of overlap with the same accounts
experiencing attempted logins multiple times, it determined that an attack was
occurring, but a careless attack. It showed the attackers were using a messy
data set with many duplicates.
NuData stopped the bulk of the attempts right away; of the over
4 million attempts, only around a thousand accounts were accessed. “And those
accounts were high enough risk that we passed them on to our customer and they
mitigated those transactions using their downstream risk engines,” explained
Capps.
An example of a
sophisticated attack: Fewer accounts and a human farm
The example of a sophisticated attack consisted of roughly
under 30,000 login events. And unlike the basic attack, which we saw
overlapping attempts to get into the same account, this attack was cleaner and
more precise. “It was very focused on this one company,” said Capps.
When NuData detected an element of automation in the login
attempts, it used CAPTCHA technology to test those users. Critically, all the CAPTCHA
challenges were solved correctly.
The team at NuData dug a little deeper and discovered that
the CAPTCHAs were being taken from the device where the page was rendered and
the login was occurring, and passed off to a second device where a human
actually solved them.
This was a great example of how humans and computers
interact to overcome countermeasures from a company, said Capps. This is a
hallmark of sophisticated attacks. The CAPTCHAs
were being solved correctly, which led NuData to conclude that the criminals
were using humans, in what is typically known as a human farm. A human or click
farm is an office somewhere, often in the developing world, where people sit
all day behind computers, creating accounts, solving CAPTCHAs, or placing fraudulent
orders.
Of the thousands of login attempts, under 300 needed further
evaluation—evidence that NuData’s approach reduces the amount of manual review
needed to stop sophisticated fraud attacks.
However, both Sloane and Capps warned that many companies
are not utilizing the technology necessary to stop such an attack.
“Without the proper techniques and tools, most organizations
will be drowning under these volumes of attack,” said Capps.
Since criminals are becoming more sophisticated, companies
looking to stop fraud need to become more sophisticated as well.
Companies can leverage existing technologies that detect suspicious activity by harnessing data from different stages of the consumer journey and connecting it together to make a probabilistic determination of whether fraud is occurring. You can learn more about this approach on the recent Mercator report “Authentication, Intelligence, and the Consumer Journey, a Multi-Layered Approach to Reduce Digital Fraud.”
The post The Architecture of an Attack: NuData Breaks Down Account Takeover Attacks appeared first on PaymentsJournal.
View all episodes
By The PaymentsJournal PodcastLooking back at the holiday season, merchants faced a
timeless struggle: stopping fraudsters. While dealing with fraud is a challenge
year-round, the holiday season makes it even more difficult.
In November and December, people shop more to prepare for
the holidays, causing eCommerce volumes to rise. Aware of the uptick in volume,
criminals launch attacks, trying to take advantage of merchants who are
struggling to keep up with all the traffic.
A common fraud vector used by criminals year around is
account takeover. This is when the fraudster gains access to a user’s account,
often by using stolen login information or through a brute strength bot attack.
In either case, once a criminal gains access to an account, they’re able to steal
more personal information, money, and goods.
A recent estimate found that merchants sustained $13 billion
in losses due to account takeovers in 2018, said Tim Sloane, VP of Payments
Innovation at Mercator Advisory Group.
“And that’s likely to get worse as criminals become more
active and smarter in the way they operate, using sophisticated tools to
perpetrate their crimes,” he cautioned.
To learn more about the types of account takeover attacks
and how companies can fight back, PaymentsJournal sat down with Robert Capps,
VP of Market Innovation at NuData, and Mercator Advisory Group’s Tim Sloane.
During the conversation, Capps and Sloane discussed the
differences between basic and sophisticated account takeover attacks, described
the commonalities of sophisticated attacks, and reviewed some relevant use
cases.
Basic versus
sophisticated account takeover attempts
Before explaining the difference between basic and
sophisticated account takeovers, Capps provided a stark warning: It’s safe to
assume that nearly every consumer in the United State has had their data stolen
in some way, shape, or form over the past five to ten years.
Sloane noted that it’s easy for criminals to buy and sell
the personally identifiable information (PII) of consumers on the dark web, a
fact made possible by the numerous data breaches occurring each year.
With vast amounts of PII floating around on the internet,
“it’s only a matter of time before that data is used to attempt to login to any
valid account,” said Capps. Criminals will take this data and go to major
retailers, such as Target or Amazon, and attempt to log into accounts in order
to make fraudulent purchases.
The manner in which a hacker tries to gain access into the
accounts reveals if it’s a basic or sophisticated attack. In a basic attack,
the hackers will try to flood as many accounts and websites as possible with
the same data, as quickly as possible. It’s high volume, and there’s not really
an effort made to pretend to look like a human.
“They’re just sending data to the form and submitting it in
the same format that a legitimate page would, and they’re doing it as quickly
as possible,” explained Capps.
He explained that the nature of basic attacks hardly changes
from year to year. “I think that the most telling thing we’ve seen about basic
attacks is that they’re more of recycling efforts,” he said. Criminals are
taking data that’s already been used and using it again to see if there’s any
remaining valuable data.
NuData’s internal numbers reveal that the number of sophisticated
attacks has been increasing, a trend that is expected to continue.
In contrast, these sophisticated attacks tend to have lower
volume, and the attacker tries to disguise the attack as a normal login
attempt. They might try to hide their IP address, create a valid device ID, and
execute JavaScript to run and render the website pages—all in an effort to
appear like a normal user who opens a page or application.
While basic attacks used to be the most common type of
account takeover, sophisticated attacks have been on the rise. The reason is
that basic attacks are easier to detect. “Frankly, they’re really obvious if
you know what signals to look for,” said Capps. Since most companies have
deployed solutions that can identify and stop the basic attacks, they’re now
largely ineffective.
In response, fraudsters have upped their game and embraced
more sophisticated approaches. By generating a valid device ID, rendering the
pages, and masking their IP address, criminals have a greater chance of
success.
“Fraudsters are realizing these more sophisticated attacks
are now more successful against organizations that have basic protections,”
said Capps. “So, they’re starting to move those attacks around other
environments and see where else they’re effective.”
Sloane added that, often times, the criminals behind
sophisticated attacks aren’t just petty criminals. Instead, it’s not uncommon
for organized crime and even state actors to be launching these sophisticated
attacks.
A real-world example
of a basic attack: Over 4 million login attempts
Capps provided an example of how NuData helped one client fend
off a basic attack at the end of 2019.
“We saw over 4 million fraudulent login attempts to a client,
and they were trying to access almost three-quarters of a million accounts,” he
said. Since NuData detected a lot of overlap with the same accounts
experiencing attempted logins multiple times, it determined that an attack was
occurring, but a careless attack. It showed the attackers were using a messy
data set with many duplicates.
NuData stopped the bulk of the attempts right away; of the over
4 million attempts, only around a thousand accounts were accessed. “And those
accounts were high enough risk that we passed them on to our customer and they
mitigated those transactions using their downstream risk engines,” explained
Capps.
An example of a
sophisticated attack: Fewer accounts and a human farm
The example of a sophisticated attack consisted of roughly
under 30,000 login events. And unlike the basic attack, which we saw
overlapping attempts to get into the same account, this attack was cleaner and
more precise. “It was very focused on this one company,” said Capps.
When NuData detected an element of automation in the login
attempts, it used CAPTCHA technology to test those users. Critically, all the CAPTCHA
challenges were solved correctly.
The team at NuData dug a little deeper and discovered that
the CAPTCHAs were being taken from the device where the page was rendered and
the login was occurring, and passed off to a second device where a human
actually solved them.
This was a great example of how humans and computers
interact to overcome countermeasures from a company, said Capps. This is a
hallmark of sophisticated attacks. The CAPTCHAs
were being solved correctly, which led NuData to conclude that the criminals
were using humans, in what is typically known as a human farm. A human or click
farm is an office somewhere, often in the developing world, where people sit
all day behind computers, creating accounts, solving CAPTCHAs, or placing fraudulent
orders.
Of the thousands of login attempts, under 300 needed further
evaluation—evidence that NuData’s approach reduces the amount of manual review
needed to stop sophisticated fraud attacks.
However, both Sloane and Capps warned that many companies
are not utilizing the technology necessary to stop such an attack.
“Without the proper techniques and tools, most organizations
will be drowning under these volumes of attack,” said Capps.
Since criminals are becoming more sophisticated, companies
looking to stop fraud need to become more sophisticated as well.
Companies can leverage existing technologies that detect suspicious activity by harnessing data from different stages of the consumer journey and connecting it together to make a probabilistic determination of whether fraud is occurring. You can learn more about this approach on the recent Mercator report “Authentication, Intelligence, and the Consumer Journey, a Multi-Layered Approach to Reduce Digital Fraud.”
The post The Architecture of an Attack: NuData Breaks Down Account Takeover Attacks appeared first on PaymentsJournal.