Examining 1 billion transactions for fraud

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

ThreatMetrix analyzed nearly one billion transactions and is able to provide a representative summary of activity including account creation, payment and login fraud across industries.

The identified card-not-present, account takeover and fraudulent account registration attacks are in no small way associated with the countless high profile data breaches in the past year and will no doubt accelerate during the upcoming $600 billion holiday shopping season.

“In addition to payment fraud this holiday shopping season, our biggest concern is the spike in the number of account takeovers we are seeing on retail websites. Data shows an upswing in account takeover activity in the wake of recent massive data breaches – and most retailers will be caught unprepared,” said Alisdair Faulkner, chief products officer, ThreatMetrix.

“Previously, guest checkouts represented the highest risk, but due to the prevalence of data breaches and the convenience of storing credit cards to make mobile purchases easier, fraudsters have found it just as easy to use a stolen username and password as it is to use compromised credit card information that has a shorter life span before being shut down. Even strong PCI compliance and encryption means little when cybercriminals utilize stolen password and email combinations to compromise customer accounts. Retailers need to leverage a shared global network of trust intelligence to differentiate between trusted and suspicious transactions.”

In comparison to other industries, e-commerce falls in the middle when it comes to high-risk transactions, with four percent of all transactions being labeled as high-risk. E-commerce transactions broken down consist of the following percentages and risks:

  • Seven percent of transactions were account creation, with 5.2 percent high risk
  • 14 percent of transactions were account logins, with 5.5 percent high risk
  • 79 percent of transactions were payments, with 3.4 percent high risk.

While only one percent of transactions and logins are labeled as high-risk, financial services tolerate a higher threshold of risk at point of login and instead intercept attempted money transfers or rely on intrusive step-up authentication solutions to provide extra assurances. Financial services transactions broken down consist of the following percentages and risks:

  • Two percent of transactions were account creation, with 1.7 percent high risk
  • 83 percent of transactions were account logins, with 0.7 percent high risk
  • 15 percent of transactions were payments, with 0.5 percent high risk.

“Attacks aimed at financial services are more targeted and result in much higher losses and possible brand damage than e-commerce “spray-and-pay’ attacks – meaning randomly targeting as many victims as possible,” said Faulkner. “Financial services businesses are dominated by higher authentication requirements, making it more difficult for fraudsters to attack. As a result, attacks leveraging malware are much more common and the challenge for most financial institutions has shifted from the detection of anomalous account access to stopping valid customers from being caught in the fraud net.”

One trend both the e-commerce and financial services industries must keep in mind is new in-store technologies such as Europay-MasterCard-Visa (EMV) and Apple Pay. While such technologies will cut down on point-of-sale fraud caused by recent data breaches, more secure in-store payments will increasingly push fraud online and e-commerce and financial services executives must be prepared to protect against such risks.

The media industry, consisting of social media, content streaming and online dating websites, consists of nine percent high-risk transactions, the highest percentage of all industries examined. Broken down, media consist of the following percentages and risks:

  • Six percent of transactions were account creation, with 4.6 percent high risk
  • 66 percent of transactions were account logins, with 6.2 percent high risk
  • 28 percent of transactions were payments, with 3.7 percent high risk.

“The media industry has the highest incidence rate of high-risk transactions due to the low authentication threshold – often only consisting of a username and password combination,” said Faulkner. “Such identities can easily be compromised due to using the same login credentials across websites and a significant number of data breaches exposing these login combinations.”

While Android represents much higher percentage in terms of market and browser share, iOS (a combination of iPhone and iPad) generates nearly twice the number of payments, logins and authentications of all mobile operating systems combined. Specifically, 64 percent of mobile transactions are either iPhone or iPod transactions. Additionally, 48 percent of mobile attacks target iOS devices.