A zero-tolerance approach to downstream fraud from 2019 data breaches

Friday 28 February 2020 08:33 CET | Editor: Simona Negru | Voice of the industry

Kevin Gosschalk, Arkose Labs, believes that 'if there is one thing we can attribute to the hackers of 2019, it is the end of any pretense that personal information is secure online'


We have seen a steady stream of major data breaches, with Forbes estimating that 4.1 billion records were compromised in the first six months of the year alone. No industry has escaped unscathed, and your digital identity is likely to have been compromised whether you have applied for a credit card, ordered food through a delivery app, bought cosmetics online, played video games or you were born in the country of Ecuador. And the list could go on.

Arkose Labs’ customers see surges in automated bot attacks hitting digital commerce sites and apps in the wake of major data breaches, with fraudsters primarily using fake account registrations to test stolen credentials at scale. Verified credentials are then used to launch more sophisticated human-driven account takeover attacks, often targeting lucrative banking and payments transactions.

We have entered a new age, where fraudsters have the ability to mimic trusted customer behavior with unnerving accuracy – leveraging stolen credentials, spoofing digital identifiers and exploiting intel on individual transactional habits, obtained by unauthorised access to online accounts.

Detailed knowledge of the parameters used by data-driven fraud detection systems is informing fraudsters of the characteristics they need to spoof or disguise, and we are seeing a rise in single request attacks, which synthetically manipulate each request to obfuscate IP addresses and mimic legitimate consumer fingerprints.

Due to unpredictable consumer behaviour and these advanced tactics from fraudsters, there is a growing grey area in fraud detection – in between the clear cut cases that are flagged as either trusted or suspicious. Uncertainty leads to a certain tolerance of existing levels of fraud, in order to avoid interfering with too many potentially good customers using more thorough checks.

However, this means that many consumers end up with their accounts hacked, and are left with the headache of trying to reclaim their losses and ensure their digital presence is made secure once again. Additionally, tolerance of fraud actively feeds the vicious cycle of successful cybercrime, as this provides the financial incentive for fraudsters worldwide to continue and expand their operations, and gives them the opportunity to learn from past attempts and replicate attacks elsewhere.

An entire shadow ecosystem has sprung up in support of global fraud, including identity farms, which create synthetic identities and test stolen credentials, click-farms and sweatshops, which provide humans to carry out nuanced attacks, and ‘arms dealers’ selling toolkits.

These cybercrime outfits exist because there is relatively easy money to be made with little-to-no risk. The fraudsters’ business model leverages global economic disparities in income and currency strengths, which incentivise individuals to get involved in cybercrime, and provide access to cheap resources.

Fraud levels will continue to rise indefinitely unless we can disrupt fraud to the point that it ceases to be a lucrative option for cybercriminals – no matter where they are in the world.

Step one – Disrupt cybercriminals’ tools

Taking down the tools, automated programs and bots that support fraud at scale requires businesses to move beyond an arms-race mentality and focus on the steps which will increase the time, cost, and effort it takes for fraudsters to carry out attacks in the long term. Increasing the burden in these three areas will lead more bad actors to abandon the process earlier.

Businesses need sophisticated analysis of traffic from the very beginning of the customer journey to triage between legitimate customer behaviour and suspicious activity. Whereas trusted customers are provided with a seamless, friction-free journey, those sessions that raise red flags can then be sent to targeted step-up authentication that slows down attacks and drives up the investment needed to carry out fraud at scale.

Step two – Increase the strain on fraudsters’ resources

Focusing on defenses that ensure fraudsters require a real human being behind every single attack is a surefire way to undermine the financial incentive of fraud, by slashing potential ROI.

Adaptive step-up challenges targeted at suspicious traffic will wipe out attacks that rely on automated bots. Effective solutions are those that constantly update the type of challenge presented in order to keep moving the goalposts and prevent fraudsters scripting their way round your defenses to carry out duplicate attacks.

Step three – Shift the attack surface

Fraudsters rely on being able to control decision points when on a business’ digital property and deploying the appropriate tactics to evade established anti-fraud measures. To take the control away from fraudsters for good, we need to shift the attack surface by redirecting suspicious sessions to an intermediate platform which provides independent identity verification.

This provides a buffer between the fraudsters and the sites they are so practiced in attacking, rewriting the rulebook on how to successfully launch attacks. Reclaiming control of these decision points means fraudsters will quickly become frustrated when their tried and tested methods cease to work.

While many businesses have come to accept fraud as an operational cost of doing business in the digital age, we believe that the only long-term way to stop cybercrime is to adopt a zero-tolerance approach that focuses on disrupting the economic drivers leading individuals to cybercrime. Companies on the Arkose Labs platform benefit from this zero-tolerance attitude, with a 100% Service Level Agreement (SLA) guaranteeing that no inauthentic requests make it through.

To find out more on the latest insights from the Arkose Labs network, read the Q1 Fraud and Abuse Report.

This editorial was first published in the Fraud Prevention and Online Authentication Report 2019/2020. The Guide covers some of the security challenges encountered in the ecommerce, banking, and financial services ecosystems. Moreover, it provides payment, fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Kevin Gosschalk

Kevin Gosschalk is the CEO and Founder of Arkose Labs, where he leads a team focused on telling computers and humans apart on the Internet. Before Arkose Labs, Kevin developed gaming hardware for the intellectually disabled at the Endeavour Foundation and built a unique device incorporating Microsoft’s Kinect Camera technology.

About Arkose Labs

Arkose Labs is an authentication system with two key components: Telemetry and Enforcement. Telemetry refers to our decision platform that recognises the context, behaviour, and past reputation of a request using machine learning, while Enforcement refers to our proprietary challenge–response mechanism that classifies the authenticity of unrecognised requests, and provides real-time feedback to Telemetry.

Keywords: Kevin Gosschalk, Arkose Labs, bots attacks, digital commerce, fraudsters, transactions, account takeover, Spoofing, credential theft, cybercrime, financial incentive, cybercriminals, authentication, identity verification
Categories: Fraud & Financial Crime
Countries: World