informa

Cybersecurity In-Depth

6 min read
article

Security Lessons From a Payment Fraud Attack

Companies need to detect and counteract brute-force and enumeration attacks before fraudsters run away with their customers' funds.

On April 10, 2020, Atlanta-based fintech firm Brightwell was navigating more than the deadly COVID-19 pandemic.

It all started with a series of customer phone calls. That morning sometime between 7 a.m. and 8 a.m., Brightwell received word from the customer service team that customers called to complain about missing funds, says Ernie Moran, at the time Brightwell's senior vice president of risk. Under normal circumstances, if users noticed a discrepancy upon logging into their app, the company typically would look into the problem to determine whether the customer mistakenly overspent or a fraud had occurred. Unfortunately for Brightwell, it was the latter.

"I would say the next 24 hours was the most insane 24 hours I think we've ever had at Brightwell," Moran says. "From that point forward, we started hearing from more and more customers. And you start the research process, and you start going into the platform, the processor platform, and looking at the data."

Brightwell spent the following weeks dissecting the damage of an attack that resulted in $2.5 million stolen in the span of four hours, Moran says. With the pandemic pushing more transactions online, more online fraudsters are targeting e-commerce platforms and payments companies. Sources advise payments providers to implement multiple measures prior to and during the transaction process to detect brute-force and enumeration attacks before fraudsters run away with customers' funds.

During the first five days of Brightwell's investigation, the company assessed how widespread the fraud was. First, they reviewed its authorization reports generated by its payments processor and the reports generated by its card brand. Then it cross-checked its internal data with the external reports, Moran says. The threat actor used the stolen credentials to buy cryptocurrency at an exchange, he said.

Over the course of its investigation, Brightwell discovered that a fraudster deployed a bot to guess the prepaid debit card numbers, expiration dates, and CVV numbers for 41,000 cards, which were guessed after 100,000,000 authorizations, Moran says. The bot guessed the credentials across seven merchants; one merchant, in particular, was used to steal "a large dollar amount," he says. Brightwell didn't name the sellers affected by the attack, nor did it disclose the general amount stolen per customer.

The ordeal led the company to create its fraud alert system, Arden, which stands for "AI risk detection engine." Despite all the data collected, Moran, now senior vice president of Arden, says the company couldn't figure out who was responsible for the attack.

Watching for Red Flags
As e-commerce transactions skyrocketed during the coronavirus pandemic, online fraud appears to have increased also. A LexisNexis Risk Solutions Analysis of data from July 2021 to December 2021 found that bot attacks against companies have risen 32% from 2020, and human-initiated attacks have grown 46% compared with 2019. From March 2020 to February 2022, U.S. consumers spent about $1.7 trillion online, up $609 billion compared with the prior two years, according to research from Adobe.

Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions, advises cybersecurity teams to look for a high volume of transactions coming from a device within a short period of time. Seeing the same device return to transact isn't a red flag because it could be a repeat customer. However, if one device is attempting a transaction multiple times, perhaps thousands of times per second, it's likely an attack, she says.

In addition to paying attention to the device that managed to circumvent a company's defenses, Sutherland also advises companies to mitigate suspicious activity during the authorization process. They must, for example, pay attention to whether the device has malware on it, she adds.

"We talk consistently about having a layered approach to prevent unauthorized access, so that means ensuring that they have fortified their new account opening processes to prevent any application fraud, to prevent account takeover fraud as well — everything from not just that payment but that login," Sutherland says. "There's all types of avenues that a fraudster will try to be able to have a successful fraud attack, and an attack is just one of many things that concerns us in the payment ecosystem."

Another step payments providers must take is issuing their card numbers randomly rather than sequentially, says Curtis Franklin, senior analyst at Omdia and a former editor at Dark Reading. Issuing card numbers randomly prevents online fraudsters from easily route-forcing accounts. (Moran clarified that Brightwell does not issue cards sequentially.)

If the card issuer sees hundreds of guesses of card credentials in rapid succession, cybersecurity teams must alert the vendor and monitor the reasons for rejection. The card issuer could, for example, check to see whether the card number has not yet been issued. If an online fraudster guesses a card number that hasn't been issued yet, it's a good indicator that they are sequentially guessing the credentials using an algorithm, Franklin says.

Besides monitoring for rejections of sequential numbers, rejections of unissued card accounts, and rapid-fire rejections from a single merchant, companies should also determine ahead of time how high their risk tolerance is. There's a chance that companies could reject legitimate customers who are inputting the wrong card information while screening for fraudulent activity.

Managing the Risks
In 2021, cybercriminals used cryptocurrency to launder $8.6 billion, a 30% increase from 2020, according to a report from the blockchain data firm Chainalysis. The cryptocurrencies, particularly Monero, have attracted cybercriminals seeking to transact anonymously; however, their fluctuating speculative value complicates criminals' ability to monetize the crime.

"Criminals hate losing money," Franklin says, but "they like the idea of making it harder for national governments to find them."

"In this case, the vast majority of the fraud losses and risk ended up being on Brightwell for a number of reasons that [were] outside of our control in many cases," Moran says. "We had a small portion of the losses that were actually not our responsibility ... and then we had a larger portion that was our responsibility. However, in the end there was enough risk and fall to go around that we ended up being made whole for the losses."

As merchants and payment providers face these attacks, card providers such as Visa and Mastercard will usually bear the liability, but customers can suffer the inconvenience when their card is frozen. Thus, the vendor and member bank can lose income, as well as the trust of their customers.

"The thing that keeps all of this rolling along so well is the understanding among consumers and merchants and everyone else that this is, in fact, a secure way to do business. If that confidence is shaken, then that can have a more profound impact," Franklin says. "That's the cost that they really want to solve."