The latest online fraud figures are in and they make for pretty concerning reading. Total card-not-present (CNP) fraud losses rose 24 percent between 2017 and 2018 to exceed £506 million, according to UK Finance. They accounted for over two million recorded cases, a 47 percent year-on-year increase.
The question is: are banks, payment providers, retailers, and other industry stakeholders giving the problem the urgent attention it deserves?
For the companies that still view card fraud as an inevitable cost of doing business, it’s worth remembering the increasingly nefarious uses to which stolen funds are being put. Only by acting with greater purpose to combat the rising tide of fraud can we hope to disrupt the drug smugglers, people traffickers, terrorists, and state agitators that pose a growing threat to society.
A perfect storm
It’s easier than ever to commit payment card fraud. Digital transformation initiatives have made personal data the new currency of a vast online economy. If organisations aren’t storing and processing financial details directly, they’re handling huge volumes of customer data — something the EU has sought to regulate and secure via the GDPR.
Inevitably, breaches occur. But they’re doing so on an epic scale thanks to a perfect storm of ineffective corporate security, a growing enterprise attack surface, and the simple supply-and-demand economics of the cybercrime underground.
The problem comes when organisations are breached but don’t discover it until weeks or months later. This provides a lengthy window of opportunity for card data or personally identifiable information (PII) to make its way onto the dark web and be exploited by fraudsters, before customers or their banks even find out.
In EMEA, this "dwell time" stood at an average of 177 days in 2018, with the vast majority of incidents requiring notification by an external party.
Although stolen card data has flooded the dark web, fraudsters can also choose to stitch together PII to open new accounts in the victim’s name or even combine this with fake data to create synthetic identities.
All of this activity helps explain why UK card fraud is soaring. E-commerce scams alone hit nearly £400 million in 2018, a sizeable part of a European problem costing an estimated €1.8 billion (£1.5 billion) back in 2016.
So, are we doing enough as an industry to prevent it? Most people today have experienced card fraud. It’s certainly annoying, but once we’ve spotted the suspect transactions, informed our bank, changed our cards and been refunded, few of us really care. We simply update our online accounts and carry on as usual.
Financial institutions obviously pay greater heed to fraud and invest significant sums in detecting it. But unless fraud losses reach extreme levels, they are more often than not written off as a cost of doing business. Certainly, tackling the problem is not funded or prioritised in the same way as other initiatives.
A platform crime
This is a dangerous trend. In many ways, card fraud can be described as a "platform crime" — one used to fund more destructive criminal attacks without leaving any kind of audit trail tracing back to the perpetrators. It has now become "the crime of choice for terrorists", according to Dr Nicholas Ryder, Professor of Financial Crime at the University of the West of England.
A US Treasury report from last year warned that members and supporters of Hezbollah and other terror groups "continue to raise funds from small-scale criminal activity, such as bank or credit card fraud".
In the UK, fraud has been used as a financing tool by terrorists as far back as the IRA, which used tax and VAT fraud to fund its crimes. It’s just easier now, thanks to online commerce and the ready availability of stolen card and PII details.
The link between card fraud and terrorists is so strong that even the UK government’s National Counter Terrorism Security Office lists it as a key indicator of suspicious behaviour. Most worryingly, the bad guys don’t need much in the way of stolen funds: one report claimed the 2015 ISIS attacks in Paris cost less than US$30,000.
It’s not all about terrorism, though. UK Finance also mentions that drug trafficking and people smuggling -- "illicit acts that damage our society" -- were facilitated by card fraud. Two individuals were arrested in Germany and Sweden last year on suspicion of using stolen payment card data to book hundreds of airline and train tickets in a major people smuggling operation.
State actors are at it too. State-linked operatives at the infamous Internet Research Agency in Russia are said to have paid for Facebook ads used to spread disinformation via fraud and identity theft.
Law enforcers are doing their best to catch cyber-fraud groups when they can. But their efforts are just a drop in the ocean when viewed against a cybercrime economy that could be worth over US$1 trillion annually. They also fail to address the problem of terrorists and organised criminals simply buying and using stolen card data and PII off the dark web. So what can be done?
As an industry, we need to get more proactive in tackling card fraud. Real-time, contextual and dynamic fraud prevention solutions can help businesses block transactions with more accuracy.
But we can do even better than this, by focusing on narrowing that window of opportunity between the initial breach and the moment stolen details appear on dark web sites. Improved visibility via intelligent dark web scanning services is key here. Banks can also go further by being more proactive about shutting down compromised accounts.
We might be waiting a while for the financial institutions to take these steps unless there is a clear competitive advantage to be gained from it. In the end, it may come down to customers, the media, and lawmakers to shine a light on the problem and drive change. No matter how innocuous card fraud seems, it can actually be a platform for something far more destructive to society.
Contributed by Danny Rogers, founder at Terbium Labs.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.