Combatting Digital Fraud with Security Convergence | F5 Labs



Even Strong Defenses May Contain Weaknesses

One could argue that fraudsters’ tactics are not novel and that investing in specialized products with machine learning and artificial intelligence should solve the issue of fraud. But somehow fraudsters still manage to outsmart security defenses. In a recent discussion that F5 Labs had with the head of the fraud risk and compliance team at a major bank, a question was posed: Is your product capable of blocking the malicious transactions by itself?

On the surface, this seems like a normal question that any security-minded professional would ask, but the question had a deeper meaning for an organization's fraud and compliance teams. Fraud is a complicated issue that cuts across various groups in an organization, including governance, risk, and compliance (GRC), network, security, and application teams. By the time the teams reach a consensus, fraudsters have met their objectives and have moved on to a different tactic or target.

Building on this understanding of organizational silos, the potential for gaming an ecommerce business’s security controls would look like the following:

  • Run a credential-stuffing campaign using leaked data from credential spills.
  • Take over accounts and check for stored payment information and, if needed, add a stolen credit card for payment.
  • Purchase expensive luxury items.

The fraudster wins the goods; the retailer loses in the form of inventory, chargebacks, and customer trust. Nike was hit with similar fraud.

In this potential method, the fraudster would cross paths with the information security team and the fraud and risk team and would capitalize on the gap between the two organizational functions:

  • The information security team would battle the fraudster’s bot by attempting to block credential-stuffing attacks, and it holds valuable information on the accounts being tested, the origin of the requests, and so on.
  • The fraud and risk team would get involved after a customer lodges a complaint, when the retailer is hit with a chargeback, or when a monitoring system raises an alert.

By lowering the barriers between these teams, the fraud and risk team could monitor the accounts and other identifiers flagged by the information security team. This would greatly reduce the likelihood of the fraudster’s success.
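The sketch below shows one way the fraud and risk side could consume the security team's flags, as an added example that is not from the original article. The feed schemas, the 72-hour watch window, the order-value threshold, and the decision labels are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

WATCH_WINDOW = timedelta(hours=72)  # assumed: how long a security flag stays relevant
HIGH_VALUE = 1000.0                 # assumed: order amount that triggers the check

# Constructed feed from the security team's bot defense (hypothetical schema).
SECURITY_FLAGS = [
    {"account": "alice", "ts": "2024-01-10T09:00:00", "login_ok": True},
    {"account": "bob", "ts": "2024-01-10T09:01:00", "login_ok": False},
    {"account": "carol", "ts": "2024-01-02T09:00:00", "login_ok": True},
]
# Constructed feed from the fraud team's transaction monitoring (hypothetical schema).
ACCOUNT_EVENTS = [
    {"account": "alice", "ts": "2024-01-10T09:20:00", "type": "payment_method_added", "amount": 0.0},
    {"account": "alice", "ts": "2024-01-10T09:25:00", "type": "order", "amount": 2400.0},
    {"account": "bob", "ts": "2024-01-10T10:00:00", "type": "order", "amount": 3000.0},
    {"account": "carol", "ts": "2024-01-10T11:00:00", "type": "order", "amount": 1800.0},
    {"account": "dave", "ts": "2024-01-10T11:00:00", "type": "order", "amount": 5000.0},
]

def _ts(value):
    return datetime.fromisoformat(value)

def score_orders(flags, events):
    """Return {(account, order_ts): (decision, reasons)} for high-value orders."""
    decisions = {}
    for order in events:
        if order["type"] != "order" or order["amount"] < HIGH_VALUE:
            continue
        when = _ts(order["ts"])
        # Security flags on this account raised shortly before the order.
        recent = [f for f in flags if f["account"] == order["account"]
                  and timedelta(0) <= when - _ts(f["ts"]) <= WATCH_WINDOW]
        reasons = []
        if recent:
            reasons.append("account tested in credential stuffing")
            if any(f["login_ok"] for f in recent):
                reasons.append("flagged login succeeded")
            first_flag = min(_ts(f["ts"]) for f in recent)
            if any(e["account"] == order["account"] and e["type"] == "payment_method_added"
                   and first_flag <= _ts(e["ts"]) <= when for e in events):
                reasons.append("payment method added after flag")
        # One signal means a manual review; corroborating signals hold the order.
        decision = "hold" if len(reasons) >= 2 else "review" if reasons else "allow"
        decisions[(order["account"], order["ts"])] = (decision, reasons)
    return decisions
```

Neither feed alone separates these four orders: the security data has no order values, and the transaction data has no record of which accounts were tested.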

Building an Effective Antifraud Platform


