The great reopening is upon us. Life is returning to normal, in many parts of the world.
In the process, it’s reopening some lucrative channels for fraudsters and other criminals seeking to co-opt our personal and card-level data to keep their schemes chugging along.
“The fraudsters are really innovative, and very adaptive. They’ve responded to shifts in consumer behavior just as quickly as legitimate businesses do.”
So Visa’s head of fraud services, Michael Jabbara, told PYMNTS in a recent conversation. The move back to pre-pandemic ways of shopping is boosting efforts to use skimmers and other means of stealing data at the point of sale.
In-Person Commerce in the Crosshairs
The conversation came as Visa shared an update on how payments fraud has evolved over the course of the pandemic. Foot traffic has risen at stores, bars and restaurants — and at the gas pump — and criminals have started setting up shop again at those locations, too.
The payments network elaborated on those trends in the latest Visa Biannual Threats Report, as well as the MIT Technology Review Insights study “Moving Money in a Digital World,” (in partnership with Visa).
Visa, for example, has noted that from June to November 2021, the payments network giant saw a 176% increase in physical skimming devices over the previous 12-month period.
None of this is to say that the shift to in-person fraud has come at the expense of card-not-present (CNP) fraud. Far from it: The bad news continues on the digital side of the ledger, where CNP fraud still is growing, matching the growth rates of digital commerce in general.
E-Commerce, Jabbara said, is still a sticky trend, and three quarters of large scale fraud attacks and data breaches that Visa combats on a global basis are still coming from the CNP channels —online skimming of digital checkout pages, for example. Small and midsize businesses are proving especially vulnerable here, he said, as many companies have simply pivoted online in a bid to ride the great digital shift but do not have the tech, or the resources in terms of security know-how, to secure their online footprints.
The fraudsters themselves are shifting things up a bit in the very pieces of the transaction chain they’re targeting. Jabbara noted that there’s been greater attention into probing the processing logic that payment players have put in place for approving or declining the transactions in the first place. The fraudsters are getting adept at “fooling” entities that, with the right codes sent along, can release funds at the ATM (in what’s known as a cash-out attack).
“When the fraudsters see such vulnerabilities,” he said, “they go and jump on them.”
Jabbara said the scammers and criminals are also pivoting to exploit third-party vulnerabilities, where companies rely on outside providers for everything from marketing services to payments functionality to email notifications.
“Every one of those firms has an integration to your payment environment — and to cardholder information,” Jabbara said.
Traditional fraud tactics are also finding some success in the cryptocurrency realm, Jabbara said, representing avenues of ill-gotten gains well beyond the confines of traditional currency. Would-be fraudsters are targeting the bridge services that help senders and receivers convert one type of crypto into another, as those holdings make their way across the blockchain.
“There is a lot of complex infrastructure, complex coding and a lot of room for vulnerabilities to be exploited,” Jabbara remarked.
Regardless of the various means and modes of attack, Jabbara noted that the best lines of defense lie in a multitiered approach, where firms like Visa can “see” (through high-level analytics) behavior that spotlights whether a transaction is legit or not. There’s the ability to create customized, personalized profiles of users transacting on the network in order to offer a seamless, secured payment experience. Educating consumers is also critical, he said, as we move into the all-important holiday shopping season.
“The consumer can be part of the front line of defense,” he said, “and there’s the continued need for collaboration across all members of the ecosystem.”