Layering fraud prevention: Monitoring the dark web for data points
Cardholders are constantly being targeted by fraudsters using a full arsenal of attack methods: data theft, transactional fraud and identity fraud. From skimming at the gas pump and self-checkout kiosks to dialers with fake phone numbers and spoofed websites, account holders expect their bank or credit firm to protect both their cards and personally identifiable information (PII). Financial institutions (FIs) that do it well earn the respect of cardholders with loyalty and brand affinity. For issuers that fail to keep up with ever-changing fraudsters, however, the costs can become exponential.
FIs are often focused on fraud prevention, detection and mitigation. It’s also important to consider how cardholder data is used, particularly in proactive identification and mitigation of fraud risks.
Compromised account data
FIs should routinely scan for their account holders’ PII and issued card numbers — or Payment Card Industry (PCI) data — on the dark web. Dark web monitoring is the process of continuously searching for any compromised information on the dark web and taking necessary action if such data is found.
Why use dark web monitoring? Dark web monitoring can be used to classify risks from unknown sources. As an issuer, when you receive an alert that your cardholder data is on the dark web, you’ll be better able to connect those instances to other threat detection sources, and use that information to profile and mitigate threats faster. Acting quickly to identify your cardholders’ exposed data and the length of time it has been posted will give cybercriminals less time to work against you by exploiting confidential information. Additional data and information leaks may also be avoided.
How is this best performed? By searching the dark web for patterns of personal account numbers. Once compromised accounts are identified, FI fraud analysts take necessary action according to their fraud strategy — flagging accounts, reissuing cards, contacting cardholders, feeding data into fraud scoring solutions and sending fraud markings back into their fraud ecosystem.
What the numbers indicate
According to Fortra data¹, FIs as a whole continue to be the primary focus of criminal groups operating through underground channels, who target more than 90% of malicious activity at credit unions, banks, financial services or payment services. The most recent threats on the dark web include credit card data (81% of overall volume), "how to" toolkits and phishing kits (12%), customer credentials (6%) and corporate credentials (1%).
Stolen payment card information sells for an average of $10 per compromised card worldwide, with American payment cards bringing between $1 and $12 per card, according to a NordVPN report.² The research also found 1.5 million sets of payment card details for sale on the dark web. Half of the total is from the U.S., led by Visa, Mastercard and American Express card data. More than half (52%) is debit card data, which is striking because fraudsters can drain money directly from debit card accounts. A little less than half (48%) is credit card data.
Credit card data accounts for 81% of all dark web targets
Key Terms
Dark web - A hidden network of websites constituting a small portion of the deep web that you cannot source through standard search engine responses. Cybercriminals use the dark web to buy and sell stolen card and PII in primarily two forms:
- PCI card data (name, card number, expiry date, CVV and personal account numbers)
- PII data (personal information like name, address, email, Social Security number, bank account numbers, login credentials and passwords)
Dark web forums - Illicit communities that have grown and matured exponentially by sharing knowledge, tools and technologies which enable fraudsters to expand spoofing and other large-scale bot attacks through automated and simplified operations.
Fraudsters buy and sell cardholder data on the dark web sourced from cyberattacks, phishing emails that imitate legitimate emails, and similar spoofing on websites. They skim for cardholder data at gas stations and at retail point-of-sale devices — with many cases now being reported at standard self-checkout stations. Cardholder data may also be compromised when customers use insecure networks for sensitive information. Keylogging and screen scraping are also techniques used to grab information without a user knowing.³
Dark web fraud case: Selling and buying data
A fraudster may spend $1,000 or more to pick up a few hundred compromised card credentials. They then may test the cards with small purchases, with most resulting in failed transactions. But, on the 5 or 10 cards for which they are able to make insignificant, but successful purchases, they can quickly ramp up spending to max out the cards, raking in returns that far exceed the $1,000 originally spent.
Decisioning with compromised data
How does an issuer combat what fraudsters can do with access to the dark web? In your fraud ecosystem you could create a list of cards (either individual or in a BIN range) to include or exclude in an evaluation of a particular rule. From rule decisioning, issuers can generate lists of exposed cards and either place an indicator to monitor such cards or reissue the set of cards altogether. Taking this to the next level, issuers may integrate dark web monitoring services within existing traditional fraud scoring systems to identify if activity looks consistent with actual cardholder spend through transaction history and scoring profiles of cardholders. Data analysis will help you determine when to take action. Combining 3-D Secure risk analysis for cardholder authentication for card-not-present (CNP) online purchases — as well as other cardholder authentication journeys — aids in identifying if it is the cardholder that’s attempting to make the purchase.
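The account-number pattern search described under "Compromised account data" and the exposed-card list described above can be sketched together. This is an added example, not TSYS code: the BIN ranges, the sample text and all function names are constructed for illustration, and the card numbers are public test numbers.

```python
import re

# Constructed issuer BIN ranges (first six digits, inclusive); not real issuer data.
ISSUER_BIN_RANGES = [(411111, 411111), (510510, 510519)]

# 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample of monitored text; the numbers are public test card numbers.
SAMPLE_POST = """\
fresh dump | 4111111111111111 | exp 12/26
5105-1051-0510-5100|US|debit
4111 1111 1111 1112 | bad check digit
4012888888881881 | other issuer
order ref 1234567890123
"""

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def in_issuer_range(pan: str) -> bool:
    bin6 = int(pan[:6])
    return any(lo <= bin6 <= hi for lo, hi in ISSUER_BIN_RANGES)

def find_exposed_cards(text: str) -> set[str]:
    """Card numbers in text that pass Luhn and belong to this issuer's BINs."""
    hits = set()
    for match in PAN_CANDIDATE.finditer(text):
        pan = re.sub(r"[ -]", "", match.group())
        if luhn_valid(pan) and in_issuer_range(pan):
            hits.add(pan)
    return hits

def mask(pan: str) -> str:
    """Keep first six and last four digits so analyst output holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def build_watchlist(text: str) -> list[str]:
    return sorted(mask(pan) for pan in find_exposed_cards(text))

if __name__ == "__main__":
    print(build_watchlist(SAMPLE_POST))
```

The masked list is what would be handed to rule decisioning as an include list; full numbers stay inside the matching step.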
Monitoring and machine learning
Monitoring helps issuers keep pace even as dark web forums share information. Dark web forum communities have grown and matured exponentially by sharing knowledge, tools and technologies that enable fraudsters to expand spoofing and other large-scale bot attacks through automated and simplified operations. Issuer fraud prevention strategy needs to keep pace with continually changing patterns to increase operational efficiency.
Machine learning helps build scale to take pressure off of fraud teams. By training models with large data sets, these types of fraud prevention systems spot fraud patterns that fraud analysts may miss. Plus, models can continuously monitor transactions which takes pressure off of human resources at FIs.
“Protecting the end customer is best executed when you think of the outcome or result you are looking to achieve based on the continuous shifts in fraud. Back that into your rulesets for the optimal decision within the appropriate journey, and then analyze the available data points to help prevent what you can on the front end,” said Kasey Boyd, Head of Fraud, TSYS Issuer Solutions.
Takeaways: Three best practices
FIs should strive to expand their capabilities in their fraud ecosystem on three ground levels, rooted in best practice:
- At the base data level, feed compromised data found on the dark web to rules and decisioning tools using transactional fraud scoring solutions.
- At a protecting level, combine this with authenticating all transactions on the front end and throughout the account holder lifecycle journey, using 3DS for CNP transactions and other authentication methods depending on purchase type.
- Finally, at a third and preventative level, manage compromised data by monitoring and stopping or blocking compromised transactions, communicating with the cardholder and then feeding the data and fraud markings back into the fraud ecosystem.
With these three best practices, FIs have the potential to better protect themselves and their cardholders.
1. Fortra PhishLabs. “Dark Web Actors Overwhelmingly Target Card Data,” March 2024
2. NordVPN report, 2021
3. Crowdstrike, “Dark Web Monitoring,” April 2023