Customer Resource Centre

News and insights

Card brand changes: Visa Fraud Awareness

Visa - Best practices to mitigate risk of account takeover fraud

Visa is providing information about common account takeover fraud techniques, along with best practices to mitigate the risk of such fraud.

Account takeover (ATO) fraud is a type of identity theft where fraudsters gain access to their victims’ accounts, then make non-monetary changes that may include modifying personally identifiable information (PII), requesting a new card or adding an authorised user. This can allow criminals with stolen credentials open access to victims’ accounts. ATO fraud has rapidly accelerated, with fraud losses growing from $4 billion in 2018 to $6.8 billion in 2019.

Below is an overview of different types of account takeover fraud techniques.

Digital Attacks

Digital attacks continue to pose challenges to the payments ecosystem. The proliferation of payment platforms / channels and the growing list of Internet of Things (IoT) devices provide fraudsters with an easily available and rapidly increasing range of targets. Two-factor authentication protocols requiring either email or text authentication for login have increased the criminal’s need for diversion or interception of messages.

How does a digital attack work?

• A fraudster gains access to an individual’s email account and trolls for banking information.
• The fraudster accesses the target’s online banking site and initiates a password change.
• The bank sends a one-time passcode (OTP) to the email account as part of the two-factor authentication protocol.
• The fraudster uses the OTP to complete a password change, enabling access to the individual’s bank account

Phishing, Vishing and Smishing

Phishing is the fraudulent attempt to obtain sensitive information or data such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Vishing uses phone calls and smishing campaigns use text or SMS messages to achieve the same end. Email, phone calls, social media and text messages are all solicitation methods by which criminals persuade individuals to divulge sensitive personal information.

Digital campaigns targeting public anxiety

The global health crisis has opened up new opportunities and avenues for fraudsters to take advantage of individuals by leveraging public anxiety. In April of 2020, Microsoft intercepted and stopped a phishing campaign appearing to offer information related to the United States government’s COVID-19 stimulus programs. The campaign generated approximately 2,300 unique HTML attachments over the course of a single day. In the same month, the UK’s National Fraud Intelligence Bureau (NFIB) unearthed another phishing campaign directing consumers to a fraudulent site to make donations in support of the UK’s National Health Service. A third campaign uncovered in Germany was more successful, diverting up to €100 million in stimulus funds into accounts controlled by fraudsters. That phishing campaign pointed consumers toward registration at a fraudulent replica of the official government stimulus registration website. Applicants who registered had their personal information stolen. Fraudsters used the harvested information to register at the legitimate government site but modified the registration information to include alternative banking information, directing stimulus funds to be wired into bank accounts controlled by the fraudsters.

Digital campaigns targeting corporations

“Spear phishing” campaigns target employees of companies with access to sensitive or valuable information and can lead to business email compromise. This type of opportunistic fraud often involves criminals impersonating high-level executives distributing instructions to subordinates. These types of scams can include instructions for payments to known suppliers or transfers of funds to bank accounts controlled by fraudsters. Business email compromises involving individuals in the human resources function of an enterprise can serve as the first step for more damaging attacks when the hacked account is used to send batch requests to employees for PII. Hacked email accounts of company CEOs and presidents have resulted in the theft of employee W-2 and tax information including names, addresses, and Social Security numbers.

What you need to do:

• Educate clients and employees on maintaining device and software security, with emphasis on Phishing, Smishing and Vishing campaigns.
• Do not click on hyperlinks found in emails or text messages from unknown or suspicious sources.
• Always keep a lookout for email addresses that do not match or reflect the name of the organisation or institution, and check for spelling or grammar errors as well as altered logos or images.
• When in doubt about a phone call, SMS text or email received, contact the financial institution directly by calling back using the number on the back of the card or their website, and encourage customers (where applicable) to do the same.

Device Cloning

Devices are now a significant vulnerability in the battle against ATO fraud. Device cloning, or porting, refers to the unauthorised transfer of a phone number or merchant ID number to a device controlled by a fraudster (also known as SIM swap fraud). With merchants now commonly using mobile devices to facilitate transaction processing, the number of device takeovers reported has doubled every year since 2014.

Cloning consumer devices

Devices such as mobile phones are inexpensive and easily available, and identity verification requirements for new account setup can be satisfied with compromised information available to fraudsters. This allows criminals to use stolen identities to open new accounts or port over existing legitimate phone numbers. This grants threat actors access to OTPs sent out as part of two-factor authentication. Digital wallets stored on devices now store large amounts of valuable information, including account numbers, passwords, phone numbers and email addresses. Furthermore, phone hacking software is now easily available online, eliminating or reducing technical expertise as an impediment to fraud.

How does device cloning work?

• A fraudster obtains an individual’s PII data from the dark web.
• The fraudster calls into a telecommunications provider, claiming the mobile phone is lost.
• The fraudster provides the stolen PII data to verify their identity, and requests a new SIM card for the phone.
• The telecommunications provider sends out a new SIM card and disables the one in the victim’s phone.
• The fraudster uses the newly issued SIM card to gain access to login information protected by two-factor authentication.

Cloning merchant devices

Merchant device cloning and payment gateway takeover is increasingly common. This fraud vector unfolds in a two-step process, occurring through the cloning of POS devices along with the use of illegitimately acquired credentials. Fraudsters obtain POS devices or terminals through theft, online resellers or directly from acquirers by impersonating legitimate merchants. Once in possession of POS devices, threat actors connect these terminals to third-party processor hosts, fraudulently authenticating the connection between the host and the cloned POS devices. This fraud type also requires access to compromised merchant credentials including merchant descriptors, merchant identification numbers (MIDs) or terminal identification numbers (TIDs). Merchant credentials can be stolen through phishing campaigns or brute force campaigns, where fraudsters send high volumes of authentication credential variations to the host. The takeover of the payment gateway allows criminals to push through large volumes of fictitious purchase return transactions. The fraud is monetised when the proceeds are posted to gift cards or credit cards and rapidly cashed out at ATMs.

What you need to do

• Educate clients and employees on maintaining device and software security, with emphasis on Phishing, Smishing and Vishing campaigns.
• Do not click on hyperlinks found in emails or text messages from unknown or suspicious sources.
• Watch for unexpected and/or extended periods of phone silence.
• Use a layered validation approach, employing both Card Verification Value 2 (CVV2) and Address Verification Service (AVS).
• Print only required information and ensure no sensitive information is included on customer receipts.
• Insert random pauses in transaction processing to throttle accounts and slow down brute force attacks.
• Monitor accounts for excessive bandwidth consumption.
• Monitor for failed login events and login attempts with device and session data elements that differ from known user device information (IP address / geolocation, device ID, language, time zone, etc.). Multiple transactions using different cards with the same email address and device ID or multiple logins coming from many different IP addresses should trigger an alert and automatic review.

Credential Stuffing

Technological advancements in the payments industry have led to the automation of fraud attacks. New, inexpensive tools are now easily available, allowing for coordinated and multi-prong attacks. Fraudsters use bots to attack multiple servers simultaneously, running scripts using login credentials stolen during prior security breaches. The exponential growth of low-cost credentials available for purchase has led to decreasing costs and increasing pay-off potential in this fraud vector. This in turn has attracted more sophisticated, well-funded and better-organized fraud rings, increasing the difficulties associated with controlling this type of fraud.

How does credential stuffing work?

Given the common practice of consumers using a single “favourite password” across most of their accounts, credential stuffing is an attractive and successful method for fraudsters.

• A fraudster uses scripts to steal credentials from a targeted entity.
• The fraudster uses scripts to test the stolen credentials on many merchant sites simultaneously

What you need to do:

• Educate clients and employees on maintaining device and software security, with emphasis on Phishing, Smishing and Vishing campaigns.
• Do not click on hyperlinks found in emails or text messages from unknown or suspicious sources.
• Do not use the same password for multiple sites.
• Develop strong up-front identification and verification procedures.
• Use third-party tools to assess the risk of consumer session data elements such as email, IP address, phone number and device fingerprint.
• Monitor consumer session data elements for use across multiple accounts to identify atypical access patterns.
• Use behavioural biometrics to differentiate between legitimate consumer behaviour at login and fraudulent or bot-driven behaviour.
• Monitor high-risk account changes and logins, coupled with high-risk transaction or authentication activity

Social Engineering

Call Centres and Consumers Social engineering exploits human psychology rather than technology to gain access to sensitive information. It relies on persuasion, manipulation or deception to induce individuals to break normal security procedures and best practices.

Call or contact centres remain an essential component of the customer service experience, with 35% of customer contact channelled through inbound calls to contact centres.

Fraudsters use persuasion or phone spoofing to impersonate clients in order to manipulate call centre employees into divulging sensitive information. Tasked primarily with the handling of problems and disputes, and focused on customer satisfaction, call centre service representatives are not always well-trained or equipped for the detection of fraud.

Caller identification and authentication should happen before any customer call reaches a telephone agent. Criminals are increasingly going beyond call / contact centres to target consumers directly. Direct-to-consumer social engineering involves fraudsters getting sensitive information directly from consumers through phone calls in which they pose as representatives of banks or government institutions. For example, a fraudster in possession of enough information on a consumer’s account could call the consumer directly and convince them to provide the OTP received on their phone, effectively bypassing identity authentication protocols.
 

What you need to do:

• Educate clients and employees on maintaining device and software security, with emphasis on Phishing, Smishing and Vishing campaigns.
• Do not click on hyperlinks found in emails or text messages from unknown or suspicious sources.
• When in doubt about a phone call, SMS text or email received, contact the financial institution directly by calling back using the number on the back of the card or their website, and encourage customers (where applicable) to do the same.
• Organise call / contact centres into separate sections based on expertise, with regular operations separated from calls considered high risk for fraud detection.
• Monitor call centres for spikes in calls from account holders regarding unauthorised changes to their accounts.
• Be diligent with account holder verification processes. Ask less commonly-used questions or questions regarding other accounts the customer may have or transactions they may have made.
• Invest in multi-factor authentication and layered background risk assessment tools for channelling calls. Phone printing technologies to detect spoofing, synthetic voices and behaviour anomalies are available for use and encouraged in high-risk call centres. Additional available tools include natural language understanding (NLU), geolocation, voice biometrics, behavioural analysis and validation, and continuous authentication.
• Establish authentication hubs to fortify caller identity authentication processes and controls.