
Gett fights evolving payment fraud attacks

Thursday 25 March 2021 07:24 CET | Editor: Simona Negru | Voice of the industry

Mark Freeman, SecuredTouch, illustrates how Gett caught, in real time, payment fraud attacks that employed multiple sophisticated evasive techniques

Corporate transportation company Gett connects private and corporate riders with ground travel and delivery services. Operating in Israel, the UK, and Russia, the SaaS solution consolidates multiple vendors on a single booking platform while clients access this service using an app. 

Gett reached out to SecuredTouch because they had a problem with payment fraud attacks that were evading their fraud controls. Thus, they were looking for a solution that could adapt and flag unknown attacks in real-time before transactions could be completed – a solution that needed to be implemented and up-and-running as soon as possible. Once the initial attack flow of the payment fraud was addressed, fraudsters pivoted to alternative sophisticated evasive tactics.

Exploiting new account creation to execute payment fraud

Emulator-based new account fraud

Gett had been experiencing increasingly damaging payment fraud. Almost immediately following the implementation, SecuredTouch identified emulators as the attack vector.

The emulators were being utilised to mimic devices and create new accounts easily at scale without any large investments in devices. The analysis looked at correlations between device attributes such as battery, gyroscope, and storage that indicated the use of an emulator. Rides were being paid for using stolen credit cards acquired from the dark web.

Once detected, attacks evolved 

With the emulator attacks blocked, fraudsters leveled up their assaults. Three alternative methods were used:

  • creation of new accounts that they aged and/or used to build up account reputation;

  • shadow apps using messaging services to collect payment from real users and pay Gett with stolen credit cards;

  • manipulation of device attributes to circumvent typical security hurdles. 

New account fraud using manual tactics and real devices

At this next stage, fraudsters availed themselves of real devices and adopted manual evasive techniques to avoid tripping any alerts – as technology evolves, so too do the attack strategies. Behavioural anomalies within the user journey of the Gett app were identified by SecuredTouch to determine user intent – in this case, suspicious behavioural and usage patterns indicative of fraud. The solution analysed the correlation between the anomalies and shared device identifiers and, despite the fraudsters’ move to real devices, the sessions were flagged.

New accounts were created and ‘aged’ – by letting them sit or by taking real rides using legitimate credit cards to build account reputation. Only then would the fraudsters add stolen credit cards to the accounts or use the accounts to make further small purchases to validate the cards. These tactics allowed fraudsters to hide their activities from detection algorithms that weigh actions taking place when an account is first created more heavily than those that occur in more established accounts.

Shadow apps and automated messaging services

In the following iteration of attacks, fraudsters took advantage of an advanced monetisation scheme that manipulated user and session data to evade detection using a shadow app that mimicked Gett’s UI. SecuredTouch uncovered gaps in the data that lacked standard attributes found on a normal mobile device. Correlations between user, device, and session data also showed large amounts of taxi orders that allegedly came from various users and locations that all had the same device.

The shadow app advertised low prices to legitimate users, taking a below-market-rate payment from the customer while Gett was being paid utilising stolen credit cards. Ride requests were automated to Gett using Telegram – a messaging service – with a legitimate Android package. In some cases, even the driver was in on the scam. When the chargebacks were claimed on the stolen credit cards, Gett had to deal with the fallout. 

Manipulating device attributes within real devices 

SecuredTouch then started to receive alerts that indicated device manipulation. A closer look at the data exposed another attack that used specialised apps on real devices to manipulate device data. Yet the fraudsters were unable to manipulate the device footprint, which was easily picked up by SecuredTouch. This data was also intended to optimise Gett’s custom machine learning models so that these instances could be flagged more readily.

The application used for this attack alters device data on Android gadgets (e.g. device ID, device type, etc.) to make it look like different users on different devices were performing transactions. Fraudsters are well versed in the typical actions that trip alerts, as they know that using the same device to create an account, to use different accounts or to add multiple credit cards, sometimes in rapid succession, are strong indicators of fraud. After all, no good user would do this.
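The correlation described in the shadow-app and device-manipulation sections above can be sketched as follows. This is an added example, not SecuredTouch's or Gett's code: the event fields, the `footprint` fingerprint, the sample events and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events, not Gett or SecuredTouch data. "footprint" is a
# hypothetical stable fingerprint that attribute-spoofing apps cannot change;
# "device_id" is the client-reported value that such apps can alter.
def ev(account, device_id, footprint, card, city):
    return {"account": account, "device_id": device_id,
            "footprint": footprint, "card": card, "city": city}

EVENTS = [
    ev("u1", "id-101", "fp-A", "card-1", "London"),
    ev("u2", "id-102", "fp-A", "card-2", "Manchester"),
    ev("u3", "id-103", "fp-A", "card-3", "Moscow"),
    ev("u4", "id-104", "fp-A", "card-4", "London"),
    ev("u5", "id-200", "fp-B", "card-5", "Tel Aviv"),   # ordinary single user
    ev("u5", "id-200", "fp-B", "card-5", "Tel Aviv"),
    ev("u6", "id-300", "fp-C", "card-6", "London"),     # shared family phone
    ev("u7", "id-300", "fp-C", "card-7", "London"),
]

FIELDS = ("account", "device_id", "card", "city")

def correlate(events):
    """Collect the distinct accounts, IDs, cards and cities seen per footprint."""
    groups = defaultdict(lambda: {f: set() for f in FIELDS})
    for e in events:
        for f in FIELDS:
            groups[e["footprint"]][f].add(e[f])
    return groups

def flag(events, max_accounts=2, max_cards=2):
    """Return {footprint: [reasons]}; thresholds are illustrative assumptions."""
    findings = {}
    for fp, seen in correlate(events).items():
        reasons = []
        if len(seen["device_id"]) > 1:       # reported ID changes, footprint does not
            reasons.append("device_id_changed")
        if len(seen["account"]) > max_accounts:
            reasons.append("many_accounts")
            if len(seen["city"]) > 1:        # many users and locations, one device
                reasons.append("many_locations")
        if len(seen["card"]) > max_cards:
            reasons.append("many_cards")
        if reasons:
            findings[fp] = reasons
    return findings

if __name__ == "__main__":
    for fp, reasons in flag(EVENTS).items():
        print(fp, reasons)
```

Grouping on the stable footprint rather than the reported device ID is what keeps the two-account family phone (`fp-C`) below the thresholds while the spoofed device (`fp-A`) trips every rule.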

Outcome: dramatically increased fraud detection and reduced payment fraud

With each new evolution of attacks, SecuredTouch captured increasing numbers of suspicious events. After the initial detection of emulators, fraud detection rose by 62%. As fraudsters became more sophisticated, executing progressively intricate evasive tactics, SecuredTouch doubled that recall to 120%.

To find out more on how to break down the fraud flows of the most pervasive attacks, download SecuredTouch’s eBook here.

About Mark Freeman

A veteran sales professional, Mark leads an international team of fraud experts to deliver solutions to customers worldwide. He is also responsible for developing new and existing business initiatives. Mark holds a BSc in Optometry from Glasgow Caledonian University and a MSc in Disaster Management from Tel Aviv University.

About SecuredTouch

SecuredTouch provides real-time, adaptive fraud detection throughout the customer journey to detect fraud early, with proven ROI from day 1. Solutions ensure accurate risk-based prevention for multiple use cases including account takeover, bots, credit card fraud, and no-transaction fraud such as loyalty programme and referral fraud. SecuredTouch customers benefit from reduced overall fraud losses while maintaining a smooth customer experience.
