Information Security Today Home

Top 5 Predictions for Online Fraud in 2016

By Yinglian Xie, CEO and Co-Founder, DataVisor

As 2015 comes to a close, all of us fighting fraud may start preparing for the upcoming fraud battle in 2016. As mobile apps and web services continue to increase in number and functionality, they remain an attractive target for fraudsters. Meanwhile, cyber attackers have continued to adapt to evade traditional security defenses, using the latest mobile hacker tools and cloud technology to impersonate legitimate users. If you run a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends we anticipate encountering in 2016.

Prediction #1: Social sites become bigger targets as lines between social and e-commerce blur.

In 2015, many traditional social networking sites such as Pinterest, Facebook and Twitter announced plans [1,2,3] to add "Buy" buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. Adding e-commerce functionality is a continuing social media trend. However, this will attract more fraudsters looking to conduct fraudulent transactions on these platforms.

In 2016, we expect to see a spike in the overall amount of commerce online for social sites, making it easier for malicious campaigns to hide amongst the billions of legitimate social users. If you have a social property with e-commerce features, you should consider adding security that has the ability to detect both social fraud (fake likes & reviews, spam) and financial fraud (fraudulent transactions, identity theft and promotion abuse).

Prediction #2: EMV cards and digital wallets to shift more fraudulent credit card attacks online.

2016 stands to be a record year for Card-Not-Present fraud. According to Javelin Research, CNP fraud is expected to grow from $10B in 2014 to over $19B in 2018 [4]. The increasing adoption of the new EuroCard, Mastercard, and Visa (EMV) cards and new digital wallet solutions, such as Apple Pay and Google Wallet, will have the unfortunate consequence of moving fraudsters online to monetize fake and stolen credit cards. While these new technologies are expected to reduce the amount of point-of-sale system fraud and counterfeit credit cards, they will have little to no effect in helping prevent fraudulent transactions online in card-not-present attacks.

In 2016, we expect to see a perfect storm that is bound to result in a high level of fraudulent transactions, powered by the following three trends: a significant increase in e-commerce websites and mobile apps [1,2,3]; growing comfort amongst consumers with transacting online, given that 45% of the world’s three billion online users now buy things online [14]; and the adoption of EMV cards and digital wallets. You can tip the scales back in your favor with new advanced online security analytics technologies to keep up with the increased credit card attacks.

Prediction #3: Global O2O wars will increase the rate of user acquisition promotion fraud.

In 2015, we saw the war between online-to-offline (O2O) companies heat up as these services made huge investments to expand their footprint across the US, China, India and other countries. For example, in an effort to gain market share, Uber has invested more than $2B to expand in China [6] and India [5]. Not to be outdone, rival car share service Didi invested over $2B in China and is also funding Lyft in the US and Ola in India [7].

Much of this money is intended for promotions to attract new drivers and users. Unfortunately, we have seen reports of a huge volume of user acquisition fraud, where drivers make hundreds to thousands of dollars per month in subsidies by registering multiple driver accounts and conducting fake rides [9]. The combination of strong financial incentive and the wide availability of mobile hacking tools such as mobile emulators and GPS location fakers creates an ideal environment for fraud to continue to grow in 2016. As O2O companies consider their global expansion strategies, they need to incorporate online fraud detection into their plans, so they can grow fast without being fleeced in the process.

Prediction #4: Account takeovers will rise as a result of continued large data breaches.

We are now operating in the era of "peak data breach." Whether it is your healthcare provider, your university, your favorite retail store or the government, your personal data has probably been stolen by now as a result of one or more of these high-profile breaches. According to a recent study, the 600+ reported data breaches this year, including major attacks against Anthem, T-Mobile, and the Office of Personnel Management, have resulted in the theft of more than 175 million records [10].

What does this mean for 2016? The bad actors will look to monetize the stolen user credentials and credit cards over the next year via fraudulent credit card attacks. More seriously, they could launch account takeover (ATO) campaigns leading to identity theft that could drain bank accounts and buy fake goods on your dime. As a result, online merchants and consumers alike need to be on high alert for anomalous purchases and ATO activity in 2016, and take measures to detect these attacks before they do any major damage. Given the wealth of personal data that has already been stolen, the industry needs to pay more attention to preventing bad actors from using these stolen credentials, as opposed to just trying to stop the breach from occurring in the first place.

Prediction #5: Cyber attackers will move to the Cloud.

Businesses and consumers are not the only ones moving to the cloud. In 2016, we expect to see the continued migration of cyber attack infrastructure to the cloud, as cloud services become more pervasive and cost-effective. Cloud services such as AWS, Azure and Google Cloud are already victims, as fraudsters register a massive number of free trial accounts and use their computation infrastructure to conduct attacks. Other popular cloud services, including dedicated/virtual hosting (e.g., OVH, Quadranet, Ubiquity Hosting, etc.) and anonymous proxies (e.g., PureVPN, ZenMate), will also become increasingly common among online criminals. Thanks to the elasticity and compute capacity of these services, the cloud allows cyber attackers to significantly increase the number of attack campaigns they can conduct, and allows them to easily hide behind legitimate network sources and thus remain anonymous [12,13].

In order to protect yourself from attacks launched from the cloud, you need to go beyond simple IP reputation databases and rules/models-based systems to detect these well-organized attack campaigns, since one cannot naively block traffic from the cloud infrastructure. In fact, in our observation, the traffic from cloud infrastructure is a heavy mix of both good-user and bad-user activity. The industry needs to move to more advanced solutions that can precisely distinguish the malicious traffic emitted from cloud infrastructure.

About the Author

Yinglian Xie has over 10 years of experience in security. Her work has focused on fighting large-scale attacks, where she combines parallel-computing techniques, algorithms for mining large datasets, and security-domain knowledge into a new theme of solutions in "big data for security." In the past, Yinglian worked at Microsoft Research and collaborated with many product groups to improve the security of hundreds of millions of online users. She received her Ph.D. degree from the Computer Science Department of Carnegie Mellon University.


[1] Karissa Bell, "Twitter's 'Buy' Buttons: Now Open to Anyone." Mashable, September 14, 2015.
[2] Matthew Lynley, "Pinterest's Tim Kendall Talks Monetization and Commerce." TechCrunch, August 13, 2015.
[3] Lucas Matney, "Facebook Adds Buy Button Integration as It Continues to Reinvent Pages." TechCrunch, July 15, 2015.
[4] Javelin Strategy & Research, "Point-of-Sale Card Fraud Predicted to Decrease as Card Not Present and New Account Fraud Increases." Business Wire, June 11, 2015.
[5] Jon Russell, "Uber Is Investing $1B to Grow Its Business in India to 1M Rides Per Day." TechCrunch, July 31, 2015.
[6] Jon Russell, "Uber Is Raising $1B to Crack China, Soon to Be Its Largest Market Worldwide." TechCrunch, June 11, 2015.
[7] Liyan Chen, "Meet Uber's Mortal Enemy: How Didi Kuaidi Defends China's Home Turf." Forbes, September 23, 2015.
[8] Liyan Chen, "Uber Wants to Conquer The World, But These Companies Are Fighting Back (Map)." Forbes, September 9, 2015.
[9] Josh Horwitz, "Fake Drivers and Passengers Are Boosting Uber's Growth in China." Quartz, June 9, 2015.
[10] Identity Theft Resource Center, "2015 Data Breach Category Summary." November 3, 2015.
[11] Information is Beautiful, "World's Biggest Data Breaches." October 2, 2015.
[12] Eduard Kovacs, "Amazon Web Services Increasingly Used to Host Malware." Security Week, July 16, 2014.
[13] Robert Sheldon, "Cybercrime - the Dark Edge of the Internet." Simple Talk, May 12, 2015.
[14] Statista, "Digital Buyer Penetration Worldwide from 2011 to 2018."

© Copyright 2015 Auerbach Publications