Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:00 PM
John Briar
John Briar
Connect Directly
E-Mail vvv

The Holiday Shopping Season: A Prime Opportunity for Triangulation Fraud

As e-commerce sales increase, so does the risk of hard-to-detect online fraud.

As with everything else in 2020, this year's holiday season will be unlike any other. Public health authorities are warning that crowded malls and shopping centers pose a high risk for exposure to COVID-19 and are advising caution. We experienced a swift shift to digital channels in every sphere this year, and nowhere has that been more impactful than e-commerce. Demonstrating this point, Deloitte forecasts that holiday e-commerce sales will grow by 25% to 35%, or between $182 billion and $196 billion, over 2019's figures.

While online shopping reduces consumers' risk of contracting COVID-19, it introduces another danger: the increased risk of falling victim to online fraud. If predictions ring true, the volume of transactions will grow, making it easier for cybercriminals to hide and perpetuate fraud.

Related Content:

How Retailers Can Fight Fraud and Abuse This Holiday Season

The Changing Face of Threat Intelligence

New on The Edge: 5 Signs Someone Might be Taking Advantage of Your Security Goodness

The risk of e-commerce-related fraud stems from several problems:

  • Companies often do not know the entirety of their attack surface.
  • Each entry point may require a different type of protection, which can be challenging from a resource perspective.
  • Users' cyber hygiene remains a problem (e.g., reusing username and password combinations).
  • Fraud is becoming more and more sophisticated.

The last point is notable. Even if companies know every entry point into their infrastructure and have airtight security and perfectly secure users, the evolving sophistication of fraud remains a fundamental issue. Predicting the next iteration of attacks is "often too little too late" — where the threat is found only after accounts are hijacked, money is withdrawn from bank accounts, and gift card values are stripped. This is because too many security vendors rely on detection-first technology.

How Triangulation Fraud Escapes Cyber Defenses
In the retail industry, triangulation fraud is a prime example of cybercriminals escaping detection despite robust cybersecurity measures in place.

A triangulation fraud scheme begins when a fraudulent seller posts an enticing below-market-price item, often on an online auction or marketplace. An unsuspecting customer places an order for the item and pays for it using a legitimate credit/debit card or other online payment tender. The fraudulent seller then uses stolen credit card credentials to purchase the product through a legitimate e-commerce website and ships it to the customer.

In the end, the customer receives the product, the fraudulent seller collects the payment, and the victimized credit card holder gets stuck with the bill. This makes the scheme hard to detect until the credit card holder disputes the charges as a fraudulent transaction. Because humans with legitimate credentials and payment details are involved in every step of the three-way transaction, defense measures can't stop the fraud because they don't detect it. 

How to Stop Triangulation Fraud
If retailers want to reduce and mitigate triangulation fraud, they should start at the login page since the common denominator in these attacks is stolen credentials. While bots are not the main perpetrator of triangulation fraud, bots do allow criminals to complete transactions at a scale that makes them highly profitable. 

Credential cracking and related attacks are simplistic bot attacks that act as a springboard to more sophisticated fraud, including triangulation. Conventional security wisdom would suggest adding CAPTCHA or multifactor authentication to the login page to deter bots, but we know that fraudulent credentials are widely available on the Dark Web, and bots can easily bypass CAPTCHAs using tools like DeathbyCaptcha. 

To mitigate these sophisticated schemes, retailers must be able to judge user legitimacy in real-time. For example, on a computer, does the user type too quickly to be human? Is the mobile device real or a device emulator? 

These kinds of biometrics, along with hundreds of additional network signals and device profiles, provide the data needed to determine who or what is behind a transaction. And this insight enables businesses to fingerprint users and track their behavior once inside accounts. If the same fingerprinted user begins logging into dozens, hundreds, or even more legitimate accounts but then drops off, there is a high likelihood there's a bot behind the logins. The company must freeze the accounts before the bot can hand the scheme off to a human to complete a manual attack. Only then can we cut off inroads before these schemes proliferate.

John Briar is a proven leader with a strong track record of building new revenue streams for emerging software and hardware solutions. John has been in a leadership role in eight startup companies, and three of them have gone on to successful IPOs. He has more than 10 years ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...