Fraudster is Just a Nice Word for Cybercriminal
If you think web fraud is the red-headed stepchild of cybercrime, think again. Get ready, CSOs and IT security pros, because the new black hat is here and you won’t see him wearing a black hat—he’s disguised as anyone using stolen or synthetic identities to rob banks, rip off internet retailers with stolen credit cards, and deface your Facebook wall—just for sport. Yes, the new new cybercriminal you better start worrying about is the fraudster, aka scammer. These soft labels that sound almost quaint belie the serious and growing threat they pose to every private organization and government on the Internet.
The multi-billion-dollar IT security industry was spawned by attacks against computers or networks: malware, viruses, denial-of-service attacks—all the deep dark hacker stuff that keeps the big IT security vendors cranking out products and updates to help organizations and consumers keep bad guys out of their networks and off their computers. The security faithful gather annually at conferences by RSA, Gartner, and Black Hat to stay up on the technologies and techniques used on the dark side of cybersecurity—but they don’t talk a lot about fraud—yet.
Is web fraud so different than traditional IT security that it requires a different set of technologies and people to defend against it? Hackers analyze systems to find backdoors that you didn’t know were there, while fraudsters use the front door in ways that you never intended. The challenge is to secure the front door better without inconveniencing good customers.
Determining who in an organization owns fraud prevention today largely depends on the industry and/or the individual company. Large internet retailers, for example, are fairly sophisticated in their anti-fraud measures. Most have a department devoted to controlling web fraud, with a budget, analysts and tools assigned to deciding whether to accept, reject or review a web transaction—typically a credit card purchase (card-not-present, or CNP). Online payment facilitators like payment gateways and payment processors like CyberSource know more than a thing or two about fraud, offering their internet retailer customers technology solutions to help prevent fraud. Newer web businesses that facilitate social connections online, like dating and casual gaming, are quickly getting up to speed on fraud as it rears its ugly head in their business, putting their customers and their brands at risk.
Banks are pushing hard for consumers and businesses to do their banking online—thereby creating more risk for all parties and opening more doors for cybercriminals to break in with stolen or synthetic credentials. Why waste your time using brute force to break into the back-office bank systems when you can create new accounts or use the automated clearing house (ACH) to score? But with more consumers and businesses relying on banks to keep them safe comes more responsibility on the part of banks to do more to prevent online fraud. Mainstream businesses and industries aren’t the only targets for fraudsters, who leave no stone unturned or online business untouched when it comes to practicing their trade.
How about not-for-profits? If you want to test stolen credit cards you can donate a buck to your favorite charity using a stolen credit card—then repeat and rinse for hundreds or thousands of stolen credit cards and you’ve got serious costs to charities racked up in chargebacks. Here’s one you probably hadn’t thought of: online surveys. A friend of mine who does research for clients to help them in their product designs uses online surveys as a method to gather data. Last week she was surprised to see survey takers claiming to be in one place using IP addresses that reported them in locations hundreds or thousands of miles away from where they claimed to be—and those are the fake survey takers who aren’t using a hidden proxy to try to mask their true location. Yes, fraudsters are signing up to take surveys to collect the fees. The losses are measured in wasted fee payouts and, even worse, misleading product design inputs from unqualified survey takers that can derail a study. These crimes are largely being committed offshore by unsophisticated fraudsters creating bogus accounts—not technically sophisticated hackers trying to penetrate a firewall. They don’t account for the growing number of sophisticated criminals on- and offshore using botnets to siphon bank accounts, but they reveal a very different and more frightening picture of global fraud and its negative consequences.
Web fraud is the downstream effect of stolen or lost data and identity cybercrimes. When a couple of college friends in the UK stole personal identities, the alleged teen cyber crooks profited by selling the stolen identities online. Their efforts resulted in losses estimated at $12 million before they were caught. Stolen identities and credentials let anyone be anyone online. If someone has enough of your personal data (date of birth, passwords, social security number, mother’s maiden name, etc.) they can use your identity to open new accounts anywhere they want: banks, insurance companies, almost anywhere. How do the bad guys get your identity? They take over your computer (malware), steal personal data in bulk by penetrating IT security systems, look over your shoulder at Starbucks while you’re typing, and even go through your trash.
There’s a multiplier effect from online fraud that should raise the alarm for any organization doing business online. The multiplier effect results from the mushrooming population of globally connected fraudsters armed with mainframe capabilities hitting you at new account origination, logins and/or online purchases from all over the globe all the time. The web fraud problem scales much faster than hacker-centered security risk because it offers unique advantages that make it more appealing to more people.
Which is a bigger threat to organizations: hackers or fraudsters? Fraud, the new face of cybercrime, would prefer to remain anonymous on the question.