2016 felt like the breakout year for awareness of online fraud. High-profile cases like Tesco Bank, Instagram, Yahoo! and more led to sensationalist headlines. But what many headline writers miss is the reality of dealing with the consequences of these breaches. For online businesses, dealing with the deluge of small-time criminals possessed of bogus credit cards and stolen identities is a constant battle. Take this chilling offer, one of thousands anyone can find with a few seconds' browsing:
So how do we see it evolving? Here are some predictions:
1. Police will need new legislation in order to make prosecution viable
The longer that crimes committed with card details purchased on the dark web go unpunished, the more incentive there is for people to participate. It’s already the most common crime in the UK, with 2.3M estimated incidents in 2015-2016. There needs to be a way for businesses to report these crimes to police and have offenders face the consequences of what is, unambiguously, the crime of theft. This will require not just legislation but determination on the part of the legal authorities to act.
2. Account Takeover is going to rival card fraud for frequency
Credit card details bought on the dark web with Bitcoins are the typical source of cybercrime and will continue to be so. However, we are now seeing the emergence of widespread account takeovers focused on the weak points of security - often user passwords. Details are cheap to buy, the takeover is relatively simple to execute, and the rewards can be rich.
3. Data breaches will target passwords as much as credit cards
While credit card details will remain the top target for breaches, login details for popular services and username and password combinations that can be tried in multiple environments are increasingly valuable, especially as credit card checks toughen up.
4. The growth in payment options will increase the fraud opportunity
Android Pay, Apple Pay, PayPal; while no individual payment scheme launches without thinking seriously about security, for a merchant and its payment processing the plethora of payment choices means complexity. And complexity inevitably means an opportunity for something to go wrong, an opportunity rarely missed by a fraudster. While no-one wants to slow the emergence of alternative ways to pay, they do need to be considered in the aggregate rather than as discrete services.
5. Declined good payments will increase as systems struggle to cope with fraud volumes
Most of the world’s transactions are still being screened for fraud by a combination of rules and manual review. These processes are struggling to cope with the volume and the sophistication of the fraud threat that is out there. 2017 will see the continued transition to more scalable methods of managing fraud, but the cost while that happens is the frustration (for everyone) of increased declines of good transactions.
6. We’ll see companies fail specifically due to fraud threat
Some companies in high risk industries will cease trading specifically due to their inability to manage the volume of fraud that they are seeing. This will either be because of losses to fraud or because their merchant accounts are suspended.
7. Manual review of transactions will rapidly decline
It’s a surprising fact that the majority of high risk transaction reviews at the merchant level are undertaken by human analysts. Human insight is a vital tool in the battle with crime, but the actual review of transactions at anything approaching a scaled-up business is difficult to support. 2017 will see the transition of that activity into the creation, correction and maintenance of algorithms that will automate the approval process.
8. Fraud detection algorithms will need to broaden their horizons
Algorithms, or more likely combinations of algorithms, will need to cope with the threats that merchants face. Customers and orders will need to be assessed not just for a single threat vector (e.g. card crime) but also for whether there is a risk of account takeover or a breach of some policy that the business has in place. An analyst’s instinctive feel that something is ‘wrong’ with an order is a challenge to replicate, but one that data science needs to work hard to meet.
9. Social media will become an increased focus of criminals and detection
Both cybercriminals and fraud detection tools will increase their usage of social media. Fraudsters will use social media for reconnaissance and identity theft. Fraud detection tools will leverage social media to prove your online identity. Following BYOD, bring your own identity will grow as people use their private accounts across multiple sites, making social media attacks even more popular.
10. The rise of AI fraud attacks
As criminals become more organised we will start to see the rise of services whose purpose is to trawl the web in search of vulnerabilities. The level of technical skill required and the relative cost of computing power have limited the extent to which AI has been used by criminals. But bot attacks will evolve and become hard to distinguish from ‘normal’ human activity, which in turn will require more sophisticated approaches to detect and prevent these attacks.
A version of this article first appeared at Information Age.