July to December 2020
EXPERT COMMENTARY
Mike Nathan – Senior Director LexisNexis Risk Solutions
Banks’ ‘mobile-first’ campaigns are beginning to get significant traction in their user bases; in the LexisNexis® Digital Identity Network®, 85% of transactions now originate from a mobile device, with the majority of these transactions coming from people logging in to their accounts. This low-friction path, generally using device identification and biometrics, means that, on average, people log in to their banks 6 days in every 7.
On the fraud side, the UK remains a targeted market and reported fraud losses remain at high levels compared to the rest of Europe; this is particularly evidenced for scam fraud, which is often being targeted from fraudulent call centres in South Asia. Despite the large volume of mobile banking events, it remains the most secure channel for online banking, with a 10x lower attack rate than mobile and desktop browsers. The main point of vulnerability of the mobile app remains device registration; compromise here leads to the keys to the kingdom. In terms of how fraudsters have behaved in the UK, there has been a huge increase in the utilisation of scripts and automated bots to test people's compromised credentials. Fraudster tools have become significantly more available on the dark web and mainstream internet, as have 'how-to' videos. Fraudsters seem to have more time to automate their jobs, so when purchasing ‘dumps’ off the internet, they have quick ways to test credentials, particularly scripts targeting media organisations and eCommerce.
Rebekah Moody – Director LexisNexis Risk Solutions
Automated bot attacks offer fraudsters the opportunity to mass-test stolen credentials at scale, deploying armies of computers controlled by a general who can minimise effort while maximising gains. Validated credentials offer the chance for the fraudster to make more money, either by selling the credentials for a higher price on the dark web, or using them in a more lucrative attack elsewhere.
They could, for example, form the linchpin to a cleverly engineered financial services scam, making the fraud appear more credible to the victim by arming the fraudster with credentials that “only the bank would know”. Regardless, the UK has seen a growth in the volume of bots that are targeting eCommerce and media organisations’ login journeys, which represents potential risk for all industries. The eCommerce and media organisations being targeted have to manage a surge in transaction volume that might cripple otherwise finely-tuned online services. They risk not only the validation, but also the further leak, of sensitive customer data. And while financial organisations typically have more robust login protocols, this data leak may provide the missing link that convinces a good customer to fall victim to a carefully composed scam that compromises their bank account.
[Figure: Human-initiated attacks; Automated bot attacks; Top 5 attack destinations from the UK]
Dan Holmes – Director LexisNexis Risk Solutions
Adoption of fraud controls at UK institutions is typically different to other regions, with UK businesses often opting for layered defences rather than relying on a single point solution. This culture has been driven by the high historic and current attack rates, and puts the UK ahead of the global curve in terms of technology utilisation in fraud detection.
A consequence of bolstered controls within our region has seen UK-based attackers start to also target large overseas western economies, such as the U.S. and Australia. With attacks from their own respective nations showing no signs of slowing down, this will increase the pressure on fraud practitioners in these regions, and will demand that controls remain current and effective.
Interestingly, the UK was also responsible for the 2nd largest volume of automated attacks globally. Bots and automated attacks allow fraudsters to perform mass testing across various websites using credentials that they have managed to compromise via a variety of different methods. Automating this testing process means they can remain efficient in their operation, focusing their time on legitimate opportunities to monetise, rather than wasting effort on credentials that are either incorrect or offer very little incentive to burn a mule account or a device.
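As an added illustration (not code from the report, nor from LexisNexis Risk Solutions), the following Python sketches the kind of detection a login service can run over its own authentication log to spot the mass credential testing the commentators describe: one source trying many distinct accounts inside a short window with a high failure ratio, which is the signature of a bot replaying a purchased credential dump rather than a person mistyping a password. The log format, the 60-second window and the thresholds are assumptions chosen for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed authentication log in an assumed format (not real data).
# One line per login attempt: UTC timestamp, source device/IP id, account, outcome.
SAMPLE_LOG = """\
2020-11-02T10:00:01Z src=203.0.113.7 acct=alice result=FAIL
2020-11-02T10:00:02Z src=203.0.113.7 acct=bob result=FAIL
2020-11-02T10:00:03Z src=203.0.113.7 acct=carol result=FAIL
2020-11-02T10:00:04Z src=203.0.113.7 acct=dave result=OK
2020-11-02T10:00:05Z src=203.0.113.7 acct=erin result=FAIL
2020-11-02T10:00:06Z src=203.0.113.7 acct=frank result=FAIL
2020-11-02T10:00:07Z src=203.0.113.7 acct=grace result=FAIL
2020-11-02T10:01:10Z src=198.51.100.24 acct=alice result=FAIL
2020-11-02T10:01:25Z src=198.51.100.24 acct=alice result=FAIL
2020-11-02T10:01:40Z src=198.51.100.24 acct=alice result=OK
2020-11-02T10:02:00Z src=192.0.2.9 acct=heidi result=OK
2020-11-02T10:02:05Z src=192.0.2.9 acct=ivan result=OK
2020-11-02T10:02:09Z src=192.0.2.9 acct=judy result=OK
2020-11-02T10:02:14Z src=192.0.2.9 acct=ken result=OK
2020-11-02T10:02:20Z src=192.0.2.9 acct=leo result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) acct=(?P<acct>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "acct": m["acct"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window=timedelta(seconds=60),
                               min_accounts=5, min_fail_ratio=0.8):
    """Return {source: summary} for sources whose login pattern looks automated.

    A source is flagged if, inside some sliding window of length `window`, it
    attempts at least `min_accounts` distinct accounts and at least
    `min_fail_ratio` of those attempts fail. A human retrying one password
    touches one account; a script testing a credential dump touches many.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {e["acct"] for e in in_window}
            failures = sum(1 for e in in_window if not e["ok"])
            ratio = failures / len(in_window)
            if len(accounts) < min_accounts or ratio < min_fail_ratio:
                continue
            best = flagged.get(src)
            if best is None or len(accounts) > best["accounts"]:
                flagged[src] = {
                    "accounts": len(accounts),
                    "attempts": len(in_window),
                    "fail_ratio": round(ratio, 2),
                    # Accounts the source actually got into: the "validated"
                    # credentials that need a forced reset or step-up before reuse.
                    "validated": sorted(e["acct"] for e in in_window if e["ok"]),
                }
    return flagged


if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

Of the three constructed sources only 203.0.113.7 is flagged: the second source is one user retrying one account, and the third touches five accounts but every attempt succeeds, which is what a shared office gateway looks like rather than a bot. The "validated" list is the operationally useful output, since those are the credentials the commentators describe being resold or reused in a later scam.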
Farah Nain – Engagement Manager Fraud and Identity Professional Services LexisNexis Risk Solutions
We can see that customers are using their mobile devices more than ever to bank and shop online - so why have we seen a decline in attacks from the previous year?
With a high proportion of the world’s population being confined to their homes for most of 2020, there was less opportunity for devices to become vulnerable to attacks from the outside world, such as malicious malware on open/public wi-fi, man-in-the-middle attacks in coffee shops, and even physical theft of mobile devices. There has also been a concerted effort across industries to strengthen their mobile channels, implementing biometric authentication, for example.
The Digital Identity Network® continues to record a strong pattern of cross-organisational, cross-industry and even cross-regional fraud.
It’s likely that each network comprises several groups of fraudsters using the same lists of stolen identity data, which are being exploited across regions and industries.
Devices associated with confirmed fraud events are likely tied to the same individual or fraud ring, given that hardware is not shared in the same way as stolen data.
The analysis in this report includes:
The key links between devices and stolen identity data, including email addresses and telephone numbers.
Transaction volumes that make up the fraudulent networks to illustrate the size and scale of fraudulent behaviour.
The assigning of monetary values to the entire fraud network based on known payment transaction amounts.
The Digital Identity Network allows organisations to share intelligence related to confirmed fraud events so that an entity that is marked as high-risk or fraudulent by one organisation, can be reviewed by subsequent organisations before further transactions are processed.
Michael Brooks – Data Scientist LexisNexis Risk Solutions
It has been common for years to investigate links to known fraud. The focus now is network analysis to automate and visualise this process, both after the fact and on risky links in near real time too. The benefit is it is much easier for fraud analysts and operators to spot connections in a network rather than a table. The shape and properties of the network point towards information that is more central to the case, like a fraudster's main device or mule account.
Triggering on the riskiest links in near real time productionises this process for immediate and automatic reviewing of live fraud cases. That's an unprecedented standard of immediacy, coverage and relevancy of fraud intelligence for the UK banks now. We've seen intelligent fraudsters try to change as much of their digital identity as possible to evade detection, but it only takes one overlap of information anywhere across the Digital Identity Network to join new events to the chain of networked fraud. All that's needed is being deployed on key touchpoints in a user journey; the data unravels the story from there.
[Figure: a fraudster using 3 different devices at 3 different banks. Without the network, the 3 fraudulent transactions cannot be linked, as there is no common identifier. The Digital Identity Network links Device A and B by an email address, and Device B and C by telephone number.]
An online digital identity can be built in the Digital Identity Network by linking the 3 fraudulent transactions via the email address and telephone number. When any of these individual entities is seen in a new transaction, the history of the digital identity can be checked for fraud.
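The linking described in this section and in the network-analysis commentary above can be modelled as connected components over entities (devices, email addresses, telephone numbers) that have appeared together in a transaction. The Python below is an added example, not the Digital Identity Network's own implementation; it uses a union-find structure, and the three-bank scenario, the identifiers and the "review"/"allow" decision are constructed for the example.

```python
class UnionFind:
    """Disjoint-set forest: entities that ever appear together end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, key):
        self.parent.setdefault(key, key)
        root = key
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[key] != root:  # path compression
            self.parent[key], key = root, self.parent[key]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


class IdentityNetwork:
    """Shared, cross-organisation view of which devices, emails and phone numbers
    have appeared together, and which transactions were confirmed as fraud."""

    def __init__(self):
        self.uf = UnionFind()
        self.confirmed_fraud = {}  # txn_id -> organisation that confirmed it

    @staticmethod
    def key(kind, value):
        return f"{kind}:{value}"

    def record(self, org, txn_id, entities, confirmed_fraud=False):
        """Record a transaction seen by `org`, linking all of its entities together."""
        txn_key = self.key("txn", txn_id)
        for kind, value in entities:
            self.uf.union(txn_key, self.key(kind, value))
        if confirmed_fraud:
            self.confirmed_fraud[txn_id] = org

    def linked_fraud(self, entities):
        """Ids of confirmed-fraud transactions reachable from any given entity
        through chains of shared identifiers, across every organisation."""
        roots = {self.uf.find(self.key(kind, value))
                 for kind, value in entities
                 if self.key(kind, value) in self.uf.parent}
        return {txn_id for txn_id in self.confirmed_fraud
                if self.uf.find(self.key("txn", txn_id)) in roots}

    def assess(self, org, txn_id, entities):
        """Pre-transaction check: decision plus the linked fraud history it rests on."""
        history = self.linked_fraud(entities)
        return {"org": org, "txn": txn_id,
                "decision": "review" if history else "allow",
                "linked_fraud": sorted(history)}


def build_example_network():
    """The report's three-bank scenario with constructed identifiers."""
    net = IdentityNetwork()
    # Bank 1 sees Device A together with an email address.
    net.record("bank1", "t1", [("device", "A"), ("email", "fraudster@example.com")],
               confirmed_fraud=True)
    # Bank 2 sees Device B with the same email address and a telephone number.
    net.record("bank2", "t2", [("device", "B"), ("email", "fraudster@example.com"),
                               ("phone", "+44-0000-000000")], confirmed_fraud=True)
    # Bank 3 sees Device C with that telephone number only.
    net.record("bank3", "t3", [("device", "C"), ("phone", "+44-0000-000000")],
               confirmed_fraud=True)
    return net


if __name__ == "__main__":
    net = build_example_network()
    # A fourth organisation sees Device C again: the whole chain is returned.
    print(net.assess("bank4", "t4", [("device", "C")]))
    # Bank 1 on its own never saw the phone number, so it cannot make the link.
    solo = IdentityNetwork()
    solo.record("bank1", "t1", [("device", "A"), ("email", "fraudster@example.com")],
                confirmed_fraud=True)
    print(solo.assess("bank1", "t5", [("device", "C")]))
```

The contrast between the shared network and the single-bank instance is the point of the section: Device C alone never touches Bank 1's data, but because Device B shares the email with Device A and the phone number with Device C, one lookup on any of the entities returns all three confirmed-fraud events. The lookup scans every confirmed-fraud id, which is fine here; a deployment would keep a per-component index so that real-time checks stay constant-time as the network grows.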