The digital revolution has given rise to incredible innovation in consumer experiences, but the same innovation creates a double-edged sword, working on the dark side of commerce.
Advanced computing, open banking, the evolution of software-as-a-service (SaaS) models that lower barriers to entry, and the rise of crypto and blockchain have all opened opportunities for fraudsters. Additionally, the debut of ChatGPT and other publicly available large language model applications are creating even more access to sophisticated tools for cybercriminals.
At Visa, our researchers track and analyze top payment ecosystem threats for novel ways threat actors are innovating on long-established attack methods and seizing upon new ones. The digital commerce environment remains the richest target for cybercriminals, yet card-present threats such as physical skimming on ATM and point-of-sale terminals persist. Consider the following.
New Takes on the Tried-and-True
While in-person fraud at point-of-sale terminals is at historic lows thanks to EMV chips, there’s still wiggle room for crafty fraudsters. For example, US retailers have been targeted by threat actors presenting a counterfeit card at checkout, most likely with a defective chip forcing the transaction to be conducted using a fallback reading of the card’s magnetic stripe. The mag-stripe transaction generates a response from the issuing bank to retry the transaction, which an acquirer or processor improperly interprets as an approval. The result: The threat actor walks away with fraudulently purchased goods, reaffirming the importance of presenting and handling proper response codes within a transaction.
Amassing a Nest Egg for the Quantum Age
Artificial intelligence can be used to detect fraud in real time by analyzing large amounts of transaction data, yet fraudsters can leverage the same technology to threaten the security of modern-day encryption. As quantum computing becomes less science fiction and more accessible and scalable, threat actors are amassing vast amounts of encrypted personally identifiable information (PII) as they await the breakdown of prominently used encryption methods through quantum computing.
Even today, maximum monetization occurs almost five years from when an original data breach happens. Just last year, the National Institute of Standards and Technology (NIST) published the first set of standards for quantum-resistant cryptographic algorithms. Some 20 billion devices will face upgrades or replacement over the next 20 years to use quantum-safe encryption algorithms, according to the World Economic Forum.
PII Is the Golden Ticket for Synthetic Identity Fraud
While e-commerce security continues to improve through advances in cardholder authentication, tokenization, secure checkout pages, and more, the generation of data at increasingly high rates brings challenges with securing it in the open banking era. For example, fraudsters are purchasing stolen customer credentials on the Dark Web and opening fraudulent accounts through synthetic identity fraud, which pieces together individually legitimate data elements to create a person that doesn’t exist. Over the past six months, the payments ecosystem experienced an increasing trend in one-time-password (OTP) bypass schemes across nearly every global region.
Exploiting the Shift to SaaS
In the software-as-a-service world, every node in the ecosystem you’re interacting with is a point of vulnerability increasingly being targeted by threat actors. In just one example, a digital-only bank suffered a data breach not from its own internal servers but from a service provider it had connected to through an API. In this environment, it becomes important to have a robust third-party monitoring program in place because any provider with a weak security profile can be an entry point into your own data environment.
Crypto and Blockchain Scams
While blockchain technology can help organizations conduct business more effectively, it can also be a source for fraudsters to target users through crypto-related scams, social engineering, and ransomware attacks. In one recent crypto phishing campaign, an account holder would get an email that appeared to be from their crypto exchange. Clicking on a malicious link took the victim to a spoofed website to enter their account details, leading to theft of assets within the account. Tools like ChatGPT can heighten the sophistication of phishing email messages even more by incorporating publicly available information that can make them much more highly targeted to you.
What Innovations Put You at Risk?
As a security professional, whenever I look at the advances that are making our lives easier with new products and capabilities, my first thought is: How are the threat actors going to use that same innovation to carry out more complex, more sophisticated fraud attacks? It is a question you should be asking yourself as well. Hack your own capabilities to assess how robust and comprehensive your security controls are. Educate internal stakeholders and customers on the role that they play. Empower them with knowledge, and the tools will help them understand that they are on the front lines.