Security Experts:

Why Fighting Card-Not-Present Fraud Remains an Ongoing Challenge

The recent takedown of the xDedic marketplace—where threat actors had been buying and selling access to compromised remote desktop protocol (RDP) servers since at least 2016 and that, according to authorities, had facilitated over $68 million USD in fraud—is the latest reminder that fraudulent card-not-present (CNP) transactions remain a persistent and dynamic challenge for fraud teams. 

For many fraudsters, xDedic was among the various illicit online marketplaces that helped fill a void created in recent years by payment card issuers’ migration from magnetic stripe to EMV chip-enabled cards. EMV authentication has made card counterfeiting and fraudulent card-present transactions exceedingly difficult and consequently less common in regions with high adoption of EMV. But in response, many fraudsters have since altered their targeting to CNP transactions, often via schemes such as account-takeover fraud that utilize access to the types of compromised RDP servers that were available on xDedic. 

This shift, along with the growth of ecommerce, has contributed to a substantial increase in CNP fraud—otherwise known as fraudulent transactions that occur online, via telephone, or mail. This type of fraud is typically more challenging to detect than its card-present counterpart, largely because merchants cannot access the physical cards used in CNP transactions to verify their legitimacy. As a result, many of the common verification measures for card-present transactions, such as requiring the purchaser to provide a form of identification, aren’t feasible.

While there are various largely effective verification measures for CNP transactions, some can still be circumvented by fraudsters with the right capabilities and resources. These types of transactions often require the purchaser to input the billing address associated with the card, for example, but many fraudsters are able to obtain this information fairly easily via sources ranging from public listings and social media sites, to the illicit marketplaces where stolen card data is bought and sold. Fraudsters often acquire such data long before using it to carry out a fraudulent transaction, which is why there is relatively little that merchants can do to combat the theft of payment card data aside from effectively safeguarding that which belongs to their customers.

Indeed, the abundance of compromised card data and other assets available online continues to hinder the fight against CNP fraud. Despite many gains by law enforcement in recent years, card shops and other types of illicit marketplaces similar to the now-shuttered xDedic remain facets of the underground economy and key enablers for CNP fraud. 

Card shops in particular have become the primary means through which fraudsters and cybercriminals obtain stolen payment card data. In addition to dumps—which refer to card data stolen from magnetic-stripe cards that are typically used for card-present fraud—many of these shops also offer cards, which are packages of previously stolen card numbers and other information necessary for carrying out CNP fraud and related schemes. These shops are extremely appealing in the underground because they enable fraudsters to quickly and easily obtain the stolen data they need without having to steal it themselves, thereby lowering the barriers to entry for those with less-advanced capabilities or limited resources.

It’s important to recognize that given the pervasiveness of CNP fraud and the relative ease with which many fraudsters can obtain the resources needed to carry out their schemes, this threat isn’t going away anytime soon. And although the burden of loss it causes will likely continue to fall most heavily on merchants, combating this threat needs to be a widespread, collaborative effort among organizations and defenders from across the private and public sectors. In fact, the xDedic takedown is a shining example of how collaboration and information sharing, when conducted effectively and among trusted parties, can provide immense value in the name of security—and this cooperation is something that all of us should continually seek to emulate.

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.