Visa fraud expert outlines the many faces of payment ecosystem fraud

In this Help Net Security interview, Michael Jabbara, the VP and Global Head of Fraud Services at Visa, delves into digital skimming attacks, highlighting their common causes, and provides insights into what measures merchants can take to prevent them. He also covers the steps payment processors and e-commerce merchants can take to safeguard themselves against enumeration attacks, and much more.

digital skimming attacks

What are some common causes of digital skimming attacks, and what can merchants do to help prevent them?

For context, digital skimming attacks occur when threat actors deploy malicious code onto a merchant website where they target their checkout pages to scrape and harvest consumer payment account data, such as primary account number (PAN), card verification value (CVV2), expiration date and personally identifiable information (PII). We’ve seen a major uptick in skimming over the past six months. In fact, skimming cases increased 174% in the June 2022-November 2022 period when compared to December 2021 May 2022.

Successful digital skimming attacks are often the result of misconfigurations or lack of security controls within a merchant’s environment, which threat actors exploit to deploy the malicious skimming code. To prevent falling victim to this kind of attack, e-commerce merchants must prioritize updating and maintaining their security software to ensure they are properly protected.

Did the payments ecosystem experience an increase or decrease in one-time-password bypass schemes in the past six months? What is the cause of this situation?

Over the past six months, the payments ecosystem experienced an increasing trend in one-time-password (OTP) bypass schemes across nearly every global region. In fact, we recently identified a crypto-focused phishing campaign that successfully applied this tactic, where the threat actors used emails to impersonate a crypto exchange company to trick account holders into clicking on a malicious link. Once clicked, threat actors can harvest their victim’s account login data to get access to their accounts on legitimate crypto exchange sites.

As cryptocurrency and DeFi platforms continue to develop, and more virtual asserts are held in customer wallets, threat actors will continue to leverage new tactics and expand their attempts at stealing money and assets through exploring these kinds of vulnerabilities.

Luckily, eCommerce security continues to improve to protect digital payments such as card holder authentication, tokenization, secure checkout pages and merchant website implementations. Another highly effective method for reducing OTP bypass schemes and other forms of ecommerce fraud is leveraging multi-factor authentication (MFA) and behavioral analytics of consumers at the point of website logins or during the transaction process.

What is the potential impact of developing cryptocurrency and DeFi platforms on the threat landscape for virtual assets held in consumers’ digital wallets?

As cryptocurrency and DeFi platforms continue to develop, consumer adoption is expected to continue to rise with users holding more assets in their digital wallets. As a result, threat actors following the money will increasingly target these kinds of platforms, as it provides them with yet another opportunity to exploit consumers for their own financial gain.

Last year alone was a record–breaking year for cryptocurrency thefts targeting blockchain-based entities, and as of November 2022, there was over $3B stolen in on-chain thefts. Cryptocurrency bridge services were a favored target for threat actors in 2022 and from January through early October 2022, the cryptocurrency ecosystem experienced 13 separate bridge attacks totaling $2B.

What can payment processors and e-commerce merchants do to help protect themselves against enumeration attacks?

Enumeration, which is the programmatic testing of common payments data elements to predict payment credentials (i.e., account number, CVV2. etc.), continues to be one of the top threats in the payment’s ecosystem. Unfortunately, these kinds of attacks typically occur when threat actors target third-party merchant services providers who are susceptible due to insufficient security controls in their onboarding and authorization processes. In fact, over the past six months, the US region was the most heavily targeted from both the acquiring side (63.5% of total acquiring enumeration) and issuing side (38.8% of total issuer enumeration).

To prevent these kinds of attacks, acquiring banks are advised to conduct thorough due diligence during the merchant onboarding phase to ensure the validity of the merchant, as many fraudulently onboarded merchants are used for enumeration and the subsequent monetization of enumerated PANs. They should also monitor for transaction activity and velocity with enumeration characteristics and act rapidly to block it.

Does Visa have further insights as to how processors and merchants can protect themselves against enumeration attacks?

To combat enumeration, issuing and acquiring banks can take a number of actions – for example, acquiring banks can also take measure to protect merchant credentials and transactions but using Point-to-Point Encryption (P2PE), issuing strong user IDs and passwords for payment gateway portals, and more.

They can also leverage tools like CAPTCHA controls to prevent automated transactions, as well as monitor the velocity of various data elements (i.e., IP addresses, emails, etc.) used at checkout. Similarly, issuing banks can diligently monitor for common indicators of enumeration, such as repeated CVV2 failures, invalid expiration data and invalid PAN.

What changes do you anticipate in the fraud threat landscape over the next few years? What should CISOs be worried about?

We expect the threat landscape to continue to evolve and increase in complexity. In the near term, the number of applications for Unemployment Insurance (UI) and Small Business Administration (SBA) loan programs, and other government disbursement programs, will likely increase over the next six to twelve months due to the current global economic environment. With the increase in UI and SBA applications, threat actors will almost certainly attempt to take advantage of states’ government disbursement programs.

In the longer term, CISOs in particular should also watch out for how current day encryption is implemented in quantum computing. Researchers believe fault-tolerant quantum computing will be able to crack the many secure forms of cryptography, especially asymmetric algorithms, used today, including the RivestShamir-Adleman (RSA) algorithm. As fault-tolerant quantum computing becomes more commonplace, encrypted data, such as passwords or credit card details, may be at risk of compromise by threat actors.

Criminal activity conducted by threat actors via encrypted communications or money transfers are also at risk of being discovered with emerging quantum technology. We recommend staying current on news pertaining to quantum-safe encryption and be sure to transition to new encryption methods, once implemented.

Don't miss