The Q1 Cybercrime Report from ThreatMetrix, published today, reveals that attackers are paying particular attention to the 'cross-border' transactions of payment processors.
That ecommerce transactions should be riskier than financial services transactions is no great surprise; that, with 820 million bot attacks in the first quarter of 2018 alone, attack rates were ten times higher is perhaps more surprising.
Across some 9.3 billion transactions this quarter, analysed for legitimacy based on attributes including behavioural analytics, the risk landscape has broadened: attack growth out-paced transaction growth by some 83 percent compared to just two years ago.
Ecommerce payment processors are certainly in the cross hairs for threat actors, according to data from this real-time analysis of cyber-crime attacks detected by the ThreatMetrix Digital Identity Network. The 150 million rejected ecommerce transactions in Q1 represent an 88 percent increase in attacks over the same period last year.
Organised bot attacks, hitting a billion for the first time this quarter, were predominantly aimed at ecommerce merchants. Ten percent, or 100 million if you prefer, of those bot attacks came from mobile devices. Transaction volumes among payment processors hit 360 million in Q1, and 43 percent of them were from mobile devices, making this a particular target for the bad guys.
That payment processors are firmly in the cross hairs is perhaps best illustrated by the fact that 'cross-border' transactions between processors, which comprise around 50 percent of all transactions, are subject to attack rates some 30 percent higher than domestic transactions.
Alisdair Faulkner, chief products officer at ThreatMetrix, told SC Media UK that "vast lists of stolen identity data are available for purchase on the dark web following numerous global data breaches. This data is increasingly filtering down to countries across the globe, prompting large networks to operate with ease across country borders, using location spoofing tools and techniques to hide their true whereabouts."
Dr Guy Bunker, SVP of products at data security company Clearswift, suspects that it may well just be the natural attraction of low-hanging fruit to the criminal mindset. "Processors in the US and Europe have spent a lot of time and money improving security," he says, "whereas other parts of the world have yet to catch up."
According to Vikrant Sant, payments product manager at Volante Technologies, what makes cross-border transactions much more attractive to attackers is the slim chance of recovery banks have once the money is out of the bank. "The lack of transparency for the path the transaction traverses to reach the beneficiary is exploited by these hackers," he said, in conversation with SC Media UK, adding: "bank technology teams have been focusing more and more on the channels through which payments are initiated by customers." Sant suggests the back-end systems by which payments are being distributed to correspondent banks, via bilaterally agreed transfer mechanisms such as FTP or networks like SWIFT, are given less priority when it comes to tightening the security and access mechanisms.
So are the measures payment processors have in place to combat cross-border attacks working well enough? Remember that the numbers quoted in the report are attack rates, not successful breaches. "Given that payment processors service a global customer base, and fraud patterns are constantly changing," Alisdair Faulkner says, "company fraud policies need to be constantly enhanced and maintained using global shared intelligence for optimal fraud detection."
Rachna Ahlawat, co-founder of Ondot, however, says the solutions that are most effective at combatting cross-border attacks are those that bring more control to consumers themselves to "leverage mobile and online apps and allow consumers to personalise and control when, where and how their cards are used."