January 24, 2015

Evolution of fraud over the last years: Industrialization and professionalization

The retail trade figures show that the share of e-commerce in the retail trade rose from 0.8 % in 2000 to 6.4 % in the first quarter of 2014 (est.) in the United States [1].

E-commerce revenue has therefore grown exponentially, at about 17% per year. Over the same period, fraud has grown by only about 10% per year, that is 70% slower.

This gap reflects the gains made in fraud prevention over the period. In particular, whereas in 2001 there was one dollar of fraud for every twenty dollars of revenue (5%), by 2012 this ratio had fallen to a five to sixty ratio (1.5%, i.e. three times less).

Nevertheless, in 2014 global fraud losses are estimated at 14 billion dollars, the equivalent of 140,000 jobs at $100,000/year. These figures show the scale of the losses and the constant need for technological advances to prevent fraud.

However, it is also worth remembering that one party's losses are another's income. Such an annual volume of fraud is not the work of a few isolated groups of fraudsters but a real, relatively efficient (black) market, which includes, among others:

  1. Miners, who exfiltrate the raw material (credit cards, demographic data),
  2. Refiners, who test the cards (e.g. with micro-payments),
  3. Fraudsters, who try to use these pieces of information on the real market.

Industrialization and professionalization. Players in the financial world and in e-commerce now agree that fraud is becoming more and more professional and industrial [2].

To see this, consider the case of Redbox Instant by Verizon, which shut down in October 2014 [3], probably because of bots registering accounts on the online video service with real customer data and stolen lists of credit card numbers.

We can also mention the impressive series of exfiltrations of financial data from US retailers in just one year...

  1. Staples, 1.16 million credit card numbers, summer 2014 [5].
  2. Sears, number of exfiltrated cards undisclosed, October 2014 [6].
  3. Neiman Marcus, 350,000 exposed cards [7].
  4. Supervalu, number of exfiltrated cards undisclosed, summer 2014 [8].
  5. Dairy Queen, 395 stores summer 2014 [9].
  6. Target, 70 million numbers, in December 2013 [10].

Finally, in August 2014, JP Morgan Chase, the largest US bank, whose size is bigger than the GDP of France, also announced that it had suffered a massive exfiltration of (non-financial) data [11]:

  • 76 million private clients,
  • 7 Million companies.

In summary. Fraudsters now have access to astronomical amounts of real customer data, obtained through repeated massive exfiltrations from retailers and financial institutions and through phishing campaigns.

These data are available on the black market and can include name, address, phone numbers and, possibly, card numbers, CVC and, in some cases, the 3D Secure password.

The data available on the black market is a time bomb, because fraudsters can now move to an industrial scale and create user accounts that are increasingly difficult to distinguish from those of real customers, since all the data is real...

In our next post we will discuss the solutions available on the market to prevent fraud in e-commerce.

References

Illustration by Marina Jolivet

  1. Global Online Fraud Losses = 140,000 Jobs,
  2. Livre Blanc, Fraude à la Carte Bancaire, Certisim, 2013
  3. Why the writing may be on the wall for Redbox Instant, Sep 30, 2014
  4. World's Biggest Data Breaches. Selected losses greater than 30,000 records,
  5. Staples data breach unlikely to dampen holiday shopping
  6. Sears Owned Kmart Discloses Data Breach
  7. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data
  8. Data Breach Bulletin: Supervalu, Jimmy John's, Shellshock, American Family Care
  9. Dairy Queen lists stores hit by nationwide data breach
  10. Target Data Breach Spilled Info On As Many As 70 Million Customers
  11. Neglected Server Provided Entry for JPMorgan Hackers