Tagged: fraud

03
Aug
2020

Credit Card Fraud: It’s a Thing

Brian Krebs has a great piece over at his Krebs on Security blog about “…Why Credit Card Fraud is Still a Thing.” The answer is can be summed up is just a few words. Because the United States lags behind the adoption of security standards the rest of the world has long since adopted.

The article is an analysis of the recent paper issued by Maxwell Aliapoulios, Cameron Ballard, Rasika Bhalerao, Tobias Lauinger, and Damon McCoyover at New York University that delves into the seedy underground of dark web data markets. Based on the data analyzed, the researchers found that

Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

Source: NYU

The authors then go further to state

Even multiple years into the U.S. EMV chip deployment, the supply of stolen magnetic stripe data continued to increase sharply.

Source: NYU

This suggests that in the US, there are still far too many merchants either not requiring the use of chip and PIN or simply have not bothered to implement the capability to use it at all.

As the paper goes on, it is clear that the buyers value magnetic stripe data significantly more so long as the data is fresh. However, after the first six weeks of the data being available, its value drops well below that of chip and PIN card data. In contrast, the chip and PIN card data does not fetch a premium early on as magnetic stripe data does, but retains a more consistent value for the long term. International account data are also valued more highly than US account data, especially from Spain, Germany, and France. This suggests that the illicit data buyers see issuing financial institutions in these countries as less likely to disable the cards in the short term than FIs in other countries.

Further on on the analysis, the crucial conclusion is reached about US card issuers by the authors:

From 2016 to 2018, however, the median remaining lifespan of non-EMV accounts increased by about 100 days; the non-EMV population was getting younger, whereas EMV accounts aged by the same amount. This suggests that new non-EMV cards continued to be issued after the liability shift.

Source: NYU

Which then leads me to believe that there is a major issue with how the card networks, like VISA, MasterCard, and others have structured their penalties for non-compliance. there have been too many exemptions and extensions for merchants that don’t need to comply with the EMV mandates. This then disincentivizes financial institutions to disallow fall back to mag stripe for transactions. This then makes more mag stripe data available via skimmers, where if people were using chip and PIN they would not have been compromised.

It’s a vicious cycle and we need to put an end to it. The industry needs to enforce compliance across all merchant categories, and financial institutions need to disable fallback to mag stripe. If this doesn’t happen soon, there is no end in sight for these types of data black markets.

If you want to read the article you can download a copy here.

10
Nov
2019

The Best Defense is a Good Offense

Krebs on Security has an article published on October 16th from this year (I know I am behind) detailing the attack of a known black market card fraud site BriansClub. What is interesting about this whole hack is that it is not some vigilante group going after the site to save consumers, but rather it is a rival black market operation trying to sabotage the operations of one of their competitors. In essence, this was a business decision made by one of BriansClub’s competitors to try and take them out of business. It’s similar two warring cartels attacking each other until the other doesn’t have the resources or the people to continue operations.

This does beg the question though, why not make offensive operations against these kinds of sites the norm, not the outlier? In the financial services industry we have a number of cybersecurity information sharing organizations, maybe it is time to establish an offensive cyber operations organization that doesn’t just share information about known threats but actively seeks them out and attempts to disrupt illegal operations. Of course there are potential pitfalls with this type of setup. The efforts of this type of group would have to be carefully watched by both the industry and law enforcement to ensure the operations were focused solely against illegal operations in the dark web. The last thing you would want would be to have a group that was supposed to protect consumers decide to go rogue.

Risks aside, it seems like it is time to open up and publicly establish more direct industry operations against these criminal elements. Sharing information will never prevent fraud, these sites have to be shown it isn’t worth operating because they will be taken down before they can ever make any money.