Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/9/2020
02:00 PM
John Briar
John Briar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Holiday Shopping Season: A Prime Opportunity for Triangulation Fraud

As e-commerce sales increase, so does the risk of hard-to-detect online fraud.

As with everything else in 2020, this year's holiday season will be unlike any other. Public health authorities are warning that crowded malls and shopping centers pose a high risk for exposure to COVID-19 and are advising caution. We experienced a swift shift to digital channels in every sphere this year, and nowhere has that been more impactful than e-commerce. Demonstrating this point, Deloitte forecasts that holiday e-commerce sales will grow by 25% to 35%, or between $182 billion and $196 billion, over 2019's figures.

While online shopping reduces consumers' risk of contracting COVID-19, it introduces another danger: the increased risk of falling victim to online fraud. If predictions ring true, the volume of transactions will grow, making it easier for cybercriminals to hide and perpetuate fraud.

Related Content:

How Retailers Can Fight Fraud and Abuse This Holiday Season

The Changing Face of Threat Intelligence

New on The Edge: 5 Signs Someone Might be Taking Advantage of Your Security Goodness

The risk of e-commerce-related fraud stems from several problems:

  • Companies often do not know the entirety of their attack surface.
  • Each entry point may require a different type of protection, which can be challenging from a resource perspective.
  • Users' cyber hygiene remains a problem (e.g., reusing username and password combinations).
  • Fraud is becoming more and more sophisticated.

The last point is notable. Even if companies know every entry point into their infrastructure and have airtight security and perfectly secure users, the evolving sophistication of fraud remains a fundamental issue. Predicting the next iteration of attacks is "often too little too late" — where the threat is found only after accounts are hijacked, money is withdrawn from bank accounts, and gift card values are stripped. This is because too many security vendors rely on detection-first technology.

How Triangulation Fraud Escapes Cyber Defenses
In the retail industry, triangulation fraud is a prime example of cybercriminals escaping detection despite robust cybersecurity measures in place.

A triangulation fraud scheme begins when a fraudulent seller posts an enticing below-market-price item, often on an online auction or marketplace. An unsuspecting customer places an order for the item and pays for it using a legitimate credit/debit card or other online payment tender. The fraudulent seller then uses stolen credit card credentials to purchase the product through a legitimate e-commerce website and ships it to the customer.

In the end, the customer receives the product, the fraudulent seller collects the payment, and the victimized credit card holder gets stuck with the bill. This makes the scheme hard to detect until the credit card holder disputes the charges as a fraudulent transaction. Because humans with legitimate credentials and payment details are involved in every step of the three-way transaction, defense measures can't stop the fraud because they don't detect it. 

How to Stop Triangulation Fraud
If retailers want to reduce and mitigate triangulation fraud, they should start at the login page since the common denominator in these attacks is stolen credentials. While bots are not the main perpetrator of triangulation fraud, bots do allow criminals to complete transactions at a scale that makes them highly profitable. 

Credential cracking and related attacks are simplistic bot attacks that act as a springboard to more sophisticated fraud, including triangulation. Conventional security wisdom would suggest adding CAPTCHA or multifactor authentication to the login page to deter bots, but we know that fraudulent credentials are widely available on the Dark Web, and bots can easily bypass CAPTCHAs using tools like DeathbyCaptcha. 

To mitigate these sophisticated schemes, retailers must be able to judge user legitimacy in real-time. For example, on a computer, does the user type too quickly to be human? Is the mobile device real or a device emulator? 

These kinds of biometrics, along with hundreds of additional network signals and device profiles, provide the data needed to determine who or what is behind a transaction. And this insight enables businesses to fingerprint users and track their behavior once inside accounts. If the same fingerprinted user begins logging into dozens, hundreds, or even more legitimate accounts but then drops off, there is a high likelihood there's a bot behind the logins. The company must freeze the accounts before the bot can hand the scheme off to a human to complete a manual attack. Only then can we cut off inroads before these schemes proliferate.

John Briar is a proven leader with a strong track record of building new revenue streams for emerging software and hardware solutions. John has been in a leadership role in eight startup companies, and three of them have gone on to successful IPOs. He has more than 10 years ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.