While one could reasonably infer that digital fraud is on the rise due to pandemic conditions, a new report from fraud detection firm DataVisor looks at current trends and finds a confluence of causes. Massive moves to remote work and online shopping due to security and movement restrictions are certainly part of the picture, but criminals are also rapidly developing sophisticated new techniques to take advantage of a more general, long-term shift toward handling both personal and business finance online.
Digital fraud increases on social media, jailbroken mobile devices
The report observes three main factors driving the current jump in digital fraud attempts: a significant shift from offline transactions to online transactions in retail sales (4% in the first two quarters of 2020), a widespread shift toward remote work (and education) that happened so quickly that security holes inevitably developed, and a long-term shift towards the use of mobile devices for shopping and banking that continued during this period.
Financial services, e-commerce, and travel platforms experienced huge spikes in digital fraud activity during various parts of 2020, and there was consistent growth across all of these verticals in terms of event volume. However, the most consistent growth in digital fraud rates in 2020 was seen on social media platforms.
Digital fraud on financial platforms follows a unique pattern. This is the only vertical where fraud rates started high in March 2020 but then declined substantially for the rest of the year. Additionally, the vast majority (79-90%) of this activity consists of account takeover attempts. New account fraud and transaction fraud had some spikes throughout the year, but overall they have been substantially lower than attempts to obtain bank credentials or find some other back door to an existing account.
Although social media is under heavy attack and mobile devices play an increasingly important role in digital fraud attempts, most of these attempts (just over 50%) still come from Windows computers. The fraud rate among all desktop computer users is 7.4%, while it remains at just 0.5% for users of mobile operating systems. This is logical, as computers provide criminals with more powerful tools to perpetrate schemes. However, the report estimates that the rates of fraudulent user accounts operating on the web are more balanced: 34% for computer web browsers versus 26% for mobile browsers.
That explains the main social and economic trends contributing to the current jump in digital fraud, but it is not the complete picture of fraud risk. Criminals have also been developing (and making use of) more sophisticated identity fraud techniques lately. These new attacks are overwhelmingly targeting “rooted” or “jailbroken” mobile devices; one of these devices is 22 times more likely to be a source of attempted fraud than any other category. For criminals, the main attraction of this attack is being able to “spoof” a physical device to obtain all the permissions and personally identifiable information that it would normally have if it were held in hand (such as passing the device’s fingerprint checks and being able to intercept calls and messages). 10% of the initial wave of financial fraud in March 2020 came from devices like these. When criminals compromise one of these unlocked devices, they can run a special emulator that essentially creates a virtual clone of the device that can be used in almost all the same ways.
Fight against digital fraud
What can organizations do to stop these emerging digital fraud techniques and prevent data breaches? The report finds that “reputation scoring” fraud detection systems, or those that assign a value to accounts based on previous indicators of questionable activity, have limited usefulness in modern environments and only detect about 4% to 6% of financial fraud. A more useful tool for e-commerce fraud prevention is software that looks for “profile reuse” elements, given that around 40% of accounts that commit digital fraud reuse some contact information, such as an email address or phone number.
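One way to implement the “profile reuse” check described above, as an added example (not code from DataVisor or the report): it normalizes email addresses and phone numbers, then clusters accounts that share any of them, directly or through a chain of shared elements. The sample records, field names, normalization rules and default country code are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample signups (not data from the report).
SIGNUPS = [
    {"id": "a1", "email": "Jane.Doe@example.com", "phone": "+1 (555) 010-0001"},
    {"id": "a2", "email": "jane.doe+promo@example.com", "phone": "555-010-0444"},
    {"id": "a3", "email": "sam@example.org", "phone": "1-555-010-0444"},
    {"id": "a4", "email": "lee@example.net", "phone": "555 010 0999"},
    {"id": "a5", "email": "kim@example.net", "phone": ""},
]

def norm_email(email):
    """Lowercase and drop a '+tag' suffix so trivial variants collide."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain if local and domain else None

def norm_phone(phone, default_cc="1"):
    """Keep digits only; assume a default country code for 10-digit numbers."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = default_cc + digits
    return digits if len(digits) >= 11 else None

def reuse_clusters(signups):
    """Group accounts linked, directly or transitively, by a shared contact element."""
    parent = {s["id"]: s["id"] for s in signups}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # normalized contact element -> first account that used it
    for s in signups:
        keys = [("email", norm_email(s["email"])), ("phone", norm_phone(s["phone"]))]
        for key in keys:
            if key[1] is None:
                continue  # missing or unparseable value links nothing
            if key in first_seen:
                parent[find(s["id"])] = find(first_seen[key])
            else:
                first_seen[key] = s["id"]

    groups = defaultdict(set)
    for s in signups:
        groups[find(s["id"])].add(s["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

In the sample, a1 and a2 share an email after normalization and a2 and a3 share a phone number, so all three land in one cluster even though a1 and a3 have nothing in common directly.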
The report also finds that 100% of fraudulent accounts are making use of automation or machine learning at some point in the execution of financial crimes. Most of the time, it involves using bots to do things like automate multiple attempts to create new accounts or coordinate attacks that involve multiple devices. The report finds that between 55% and 90% of new accounts created for the purpose of digital fraud were made with some form of automated scripting. At financial institutions with stronger than usual identity verification for new account creation (such as banks and investment brokers), 10% of fraudulent accounts were created by a counterfeit or emulated device. CAPTCHAs still provide strong protection against these scripting elements, but they are not perfect; 2% of fraudulent accounts were found to have passed a CAPTCHA, and systems tend to have an 8% false positive rate, increasing to 29% when case sensitive.