Fraud trends from the latest ThreatMetrix cybercrime report

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec, the weekly podcast where industry thought leaders share their knowledge and experiences in order to help us all stay one step ahead of the bad guys. Rebekah Moody is a Director of Fraud and Identity at LexisNexis Risk Solutions. She is also the coauthor of ThreatMetrix's H2 2018 cybercrime report. For today's episode we're going to take a deep dive into the findings of the report and lay out some of the practical takeaways that your company or personal network and implement based on this report.

Rebekah Moody has been part of the ThreatMetrix Fraud and Identity team for nearly four years, helping to develop product strategy and market positioning to better understand and solve for the complex fraud, identity and authentication challenges of the company's varied customer base. Rebekah works with the sales team, prospects, customers and analysts to better understand the current and emerging threat landscape developing thought leadership articles as well as showcasing customer success stories. Rebekah has been involved with the development of the ThreatMetrix cybercrime report for over three years, tracking the ever evolving cybercrime landscape by looking at transaction and attack patterns and trends across industries and global geographies. Rebekah brings over 12 years of marketing and strategy expertise to ThreatMetrix following time at two large London agencies. Rebekah, thank you for taking time today for us.

Rebekah Moody: Thanks very much for having me. I'm really pleased to be here.

Chris: That's fantastic. So let's start right at the very beginning. Tell us about your security journey. How and when did you first get started in cybersecurity, cybercrime? How did you get interested in it? And were computers kind of always part of your life or did that happen later in life?

Rebekah: I came to it a sort of probably relatively later than some say. My background was actually kind of product strategy and planning, and I kind of fell into the security business via the fraud channel. I've been at ThreatMetrix now for four and a half years and have kind of relished the challenge of learning a new area of expertise. I have been involved in the cybercrime report now for sort of most of its lifetime. So I sort of fully immerse myself in everything fraud and cybercrime related now. So yeah, it was a slightly later in life start to fraud from a kind of planning and strategy background.

Chris: Okay. So how long has the ThreatMetrix cybercrime report been going out and you said you've been doing it for three years, is that right?

Rebekah: Yeah, so it's, our first report I think was 2015, so about three and a half years. When we first started the report, obviously we were much younger company, we were analyzing sort of millions of transactions as opposed to billions of transactions. I think one of the really interesting trends for me is that when I first started working on the report, about 20% of all network traffic came from a mobile device. Actually now, in the report that we've just read the East 61% of our traffic is now coming from a mobile device. So I find it really kind of intriguing to follow those kind of customer trends and to understand how and why consumer behavior is changing and to see how that has an influence on kind of the [inaudible 00:03:27] cybercrime.

Chris: To sort of give a top down view of the cybercrime report. How is the data compiled? Where do the numbers come from? What are you looking for and what are you sort of like sifting from the big data?

Rebekah: So we analyze all of the transactions in our global network. So to give you an idea of scale, that's about 35 billion transactions a year. We're looking at transactions from our global customer base and those customers span most industries. So financial services, e-commerce, media, gaming and gambling, insurance, government. We're looking at transactions across the customer journey. So from new account creation. So when someone's setting up a new account, either with an e-commerce merchant or a bank, or a media site, for example, through to logins. So authenticating identities at logins, through to payments and understanding whether a payment is trusted or high risk.

Likewise, we will say looking at transactions such as change of details or any other kind of high risk points in the customer journey, and in terms of how we analyze those transactions, we're using digital identity intelligence. Say by that, I mean intelligence relating to someone's device, their location, their behavior, their identity, and any threat intelligence that we might have on that transaction to really understand the legitimacy of an online transaction, and we're looking at that across our kind of global network. So when we're talking about attacks in the cybercrime report that I write, that's based on high risk transactions as scored by our customers.

Chris: Now, let's start with where you mentioned before 61% of all transactions now take place on a mobile device but constitute only 42% of overall volume attacks, according to the infographic that I was sent. Also mobile payment transaction saw 24% year-on-year growth. Can this uptake be explained by things like interpersonal payment systems like Venmo or is this just sort of where things are going? People are going towards sort of mobile payment processing for all kinds of things?

Rebekah: Yeah, I think it's a bit of both. I think your point about kind of new mobile payment platforms is a good one. Particularly in some of the growth and emerging economies and in parts of APAC for example, we see a big proliferation of kind of different methods of mobile payments, and obviously a lot of those are being facilitated by digital transactions. I also think that there is a kind of a wholesale shift in transacting of consumers onto the mobile channel. So it's really interesting because when I was working on the report sort of a couple of years ago, mobile tended to be the domain as a kind of login transactions. So someone would just use mobile to kind of do the checking functions of a kind of an online journey, whereas now-

Chris: Checking a bank statement or whatever?

Rebekah: Exactly. Checking your bank statement, going into your mobile app and seeing what your bank balance is. Whereas now we're actually starting to see really strong growth in other areas of the customer journeys. So people are actually opening new accounts on their mobile device, for example. Or they're making mobile payments on a mobile phone for example. So I think this kind of shift is sort of happening now across everything. It's not just across the kind of easier to manage transactions and the facilitation of mobile payments is obviously making that easier because we're designing and developing technology that sits really nice seal mobile devices.

But then of course the converse, kind of how that influences attack patterns is also kind of a point that we've been watching really carefully. So you make the point that mobile transaction is a safer because they make up a larger proportion of our volume, but the attacks make up less than half of our volume. So they all still definitely safer than desktop and obviously a large part of that is down to kind of the security of mobile apps and that sort of thing.

But we all starting to see a bit of a kind of shift in the way that fraudsters are attacking the mobile channel. So we're starting to see a growth, for example, in mobile account takeovers, in financial services. We're also seeing a growth in some mobile attacks in certain regions, for example, in kind of growth economies and that sort of thing. So I think yes, mobile is still safer, but for us it feels like there is a perceptible shift of fraudsters moving across to the mobile channel because they understand that that's where the customer transaction volume is going and obviously they have to follow seat.

Chris: Right. There's a quantity game.

Rebekah: Yeah. Exactly.

Chris: So I mean were you surprised by just what a jump there was in mobile financial transactions like this? I mean it's obviously a number, but it seemed, based on the sort of findings of the report that it was more than you were expecting?

Rebekah: Yeah. I am surprised by the fact that we're seeing growth in mobile attacks. I suppose it does feel like that's the way that the attack patterns are going. I suppose probably what we found more surprising was the fact that a lot of the attack patterns that we've historically seen on desktop transactions are now starting to migrate over to mobile.

So for example, we used to see a lot of remote access attacks on desktop and we're now picking up remote access attacks on the mobile channel, and likewise bot volume, although we see a relatively small mobile bot volume is there and it is a perceptible shift that we're starting to see mobile bot volumes.

So I think for me it's probably less of a surprise on the numbers and more of a surprise in the kind of modus operandi, if you like, of mobile attacks and the fact that the mobile channel is not a mean tour if the attacks that we've seen on desktop in the past.

Chris: So of the many changes that happened in the second half of 2018, what findings in your report did you find the most troubling and why?

Rebekah: I think for me, one of the things I was surprised by is, the really high bot traffic volume. So interestingly-

Chris: 3 billion transactions was it?

Rebekah: That's right. So interestingly, we've seen a slight downturn in the number, the upstate number of human initiated attacks. By that I mean anything that isn't an automated bot attack. But conversely, we've seen a growth in automated bot attacks and I think when you look at some of the regions where those bots are originating, we're seeing bots coming from places like Malaysia, Vietnam, Brazil, some of the kind of growth economies. It almost feels to me like stolen identity data that is kind of feeding these bots attacks is giving these countries almost like a growth economy of cybercrime. It's actually fueling a kind of an industry and it's own right, if you like, of cybercrime.

So I think for me, that huge growth in volume of automated traffic was quite a worrying one, and obviously something that we want to kind of monitor over time. But it definitely feels like that bot traffic is almost like the lowest common denominator and the easiest option, cyber criminals are using that information to kind of slice down lesser stolen identity data and then launch these kind of fast automated attacks on say, an eCommerce merchant's login process, to try and kind of hack into good user accounts. So I think yeah, that kind of growth in bot traffic is definitely one to watch for us.

Chris: Yeah. You were saying also that the number of human initiated attacks has gone down as bot traffic has exponentially risen. So is there like a sudden like ease of being able to sort of set bots like, like a change in the technology that makes it easier for you to sort of just like initiate these things and have done with it whereas before you'd have to-

Rebekah: Yeah, I don't know whether I would make a direct correlation between the fact that human initiated attacks have fallen and bots have grown. I think the fact of life now is that stolen identity data is out there. Most of us have probably had some item or some element of our identity credentials stolen at some point and it is available and it's fairly cheap to buy on the dark web. So that stolen identity data that is being fed by data breaches is becoming a kind of part and parcels of these automated bot attacks. So they represent a kind of a quick and easy, well relatively easy, way to sort of monetize that data. So yeah, I don't know that I'd make a direct correlation. I think for me, I want to see what happens to the trends in our next half year report to see how these trends are kind of playing out to see whether it's something that we continue to see.

Chris: Right. We don't have enough points on the line yet. So explain to me the concept of cross network activity. You noted that the cross organizational fraud is particularly strong within banking, gaming, gambling, lending and retail, and at the same bots are targeting multiple organizations often outside the country where the bot originated. How does that change what we understand about addressing cybercrime?

Rebekah: Yeah, this is a really kind of key point for us. So this was the first time since we've been doing the cybercrime report where we've actually been able to prove existence of cross organizational, cross industry fraud. So our assumption is, as you would expect, that there is an element of kind of networked fraud that you would naturally see fraudsters operating in networks across industries as cross organizations.

But actually this was the first time that we were able to prove with digital identity data that we could see the same fraudster operating across a number of different organizations, both within the same industry. So the highest correlation that we see is like you say between one bank and another bank, but also between different industries. So between a bank and a crypto currency, for example. So what really interests me is, what path is that fraudster taking across those organizations, which bank or crypto currency are they going to first, what are they doing when they get to those organizations and how are they perpetrating that fraud?

So that's almost like the next story that I wanted to kind of delve into is to really understand that the kind of critical path of the fraudster. But for us, it was a really key way of showing the importance of looking fraud risk on a global level. I think we have quite a unique vantage point because we have this label network of shared intelligence across our customers to be able to say, "Let's look globally at the intelligence that we have and let's really understand the kind of global footprint of fraud."

Chris: Are there any ... Again, I know we're sort of like in the middle of it now and more data might be needed, but are there any security policy changes that these industries in particular need to implement to address these new challenges?

Rebekah: No. I think for us it goes back to having a kind of layered defense. So looking beyond the single point solutions and actually kind of layering in different kind of pieces of intelligence and different capabilities so that you're not just pointing to kind of one isolated solution.

I think that's the way that we've tended to always focus on our product development is kind of building this layered defense of intelligence. It's looking holistically at kind of a person's digital identity intelligence and really using everything we know about how that is a transaction, how, where, why, what, what their behavior is like so that you can accurately detect any unusual or high risk anomalies to that behavior.

Chris: Okay. You noted that Latin America in particular has emerged as a hotbed of new account creation fraud in the past several years with a payment attack rate that's increased from 18% from 2017, and that the greatest risk is associated with mobile payments with the tax increasing 52% than just one years before. So what factors have caused Latin America to rise in prominence as a hotbed of cybercrime in the past few years? Are there tech changes? Social changes?

Rebekah: Yeah, I think it's a combination of lots of things. I mean we can surmise that as a lot of those countries in South America are kind of growing in technological capability so to is the kind of capability to commit fraud. So I think in a lot of growth and emerging economies, not just South America, but you're looking at India and some APAC countries where you have a high percentage of unbanked and under-banked customers digital, particularly mobile is really facilitating access to new financial services products that customers might not have had access to in the past. So I think that creates a kind of an interesting melting pot of kind of customers who are new to digital transacting, who might also not be kind of as technologically savvy as say some customers who've been transacting online for a long time. So I think sometimes that can create an environment of heightened risk.

I think as well. It's just an interesting point that we're assuming that stolen identity data from data breaches that we're seeing globally is also trickling down to some of these growth and emerging economies. So we see this kind of dissemination of stolen identity data, which I think specifically points to the fueling of new account creation attacks because that's where the stolen identity data is really being used, at that kind of point of creating a new account. So I think that those kind of emerging economies are obviously a kind of key target, almost like a key test bed for some of that stolen identity data.

Chris: Well that leads into my next question, also I just wanted to sort of get a clarification on, what is it about like new account creation that is especially like a hot point for fraudsters to kind of like take over? Is it just that you haven't set a reasonable password? Or I mean, there seems to be like older accounts, maybe you don't have the same sort of vulnerability that new accounts do? How does that explain?

Rebekah: Yeah, I mean, I suppose creating a fraudulent new account, if you managed to do it, is often kind of opens up a pathway to future fraud. So you're creating a kind of a trusted identity online via a fraudulent new account, which can potentially give you opportunity to do various other fraudulent activities. So I'm thinking things like for example, if I set up a fraudulent account for a travel platform and then I'm able to either create fake reviews or create a fake listing maybe for a holiday home, which might then allow me to monetize a stolen credit card because I'm creating a fake new host account, that sort of thing. So I think it almost feels like it's the start of a potential further fraud. So yeah, I think that that's probably what I'd say with new account creations.

Chris: Sort of eventual means testing if an account's been around for a while and it hasn't done anything terrible than you're probably likely ... Okay. So another interesting finding of the report was that the media industry in particular still sees the highest penetration of new account creation attacks, of all industries, and you speculated that fraudsters likely see media companies with their lower barriers to entry as ideal testbeds for stolen credentials and that one out of every six new account creations is fraudulent. Why do you think this is? What is it specifically about the media industry that makes it such a free for all of fraudulent account creation?

Rebekah: I think it's a couple of things. I think it's the fact that generally there's less stringent security measures when you're opening a new account for a media company because often there is a lower perceived risk and I think the likes of financial services companies and banks obviously have very stringent security measures and are very highly regulated. So I think that's the first thing. I also think that media companies say maybe social networks, dating sites, that sort of thing, they're often the kind of entry point for a person's digital journey.

So if you're thinking of either people who haven't translated to online before, maybe younger teenagers for example, it's often the first point that they start transacting online. So I think that also creates a kind of a potential heightened risk because they have less kind of background in kind of digital transactions. So I think it's probably both. I think it's the fact that media companies in general have a lower kind of barrier to kind of setting up a new account. Also, because of this kind of representing the first stage in a kind of new users customer journey.

Chris: Yeah, that's interesting. I mean on one hand there's that sort of push to make the internet available to all. But on the other hand, by doing that you sort of have this sort of gaping breach that is just asking for people to exploit it and so forth. So what do you think that the media industry, I mean that's obviously a big umbrella term, but what can they do to tighten up security and how can the lessons learn from these media insecurities apply to other industries?

Rebekah: I guess again, it's being able to access as much identity data on a new applicant as you can. I think that's a combination of fiscal identity data and digital identity data, to understand whether the person who is coming to your site and asking to sign up for an account is a genuine person or whether it is potentially a stolen or synthetic identity. I think that's really about kind of layering in those different solutions and looking at any kind of risk knowledge that you may have on those kinds of entities to understand whether they're a genuinely good user or a potential risk.

Chris: Yeah. So you think we should like be ramping up like two-factor things or are there other sort of barriers that we can use that still don't sort of push people away?

Rebekah: Yeah, I mean I definitely think multifactor authentication is part of the overall solution in certain scenarios. But I also think that using kind of risk based analysis is also a really key part of the solution so that you're looking at what information you can currently find out about the user as well as potentially using multifactor authentication.

Chris: Okay. So tell me a little more about the sort of risk-based testing like that. What are you looking for in a new account or whatever or I guess, how do you go about looking for this?

Rebekah: So again, going back to how we use digital identity intelligence, where at the point at which someone transacts, we're looking at everything relating to their device. So what kind of device they're using and does it have any high risk markers on it? We're looking at things relating to their location, whether that's consistent with their device behavior, anything that we might know about the identity data and whether that correlates to things that we know about their device that we might have seen elsewhere in the network, for example, any known threat intelligence on those particular entities. So really looking at kind of information that we already might know about that transacting user from elsewhere in the network to understand whether their current transaction might be high risk or not.

Chris: Right. So this type of data is pretty universally collected then with users? It's just a matter of sort of utilizing it to sort of do extra level of forensics? Or are there a lot of places that don't sort of look at the data that closely?

Rebekah: So this is part of our ThreatMetrix Digital Identity Network. Yeah so it's customers who are using our solution, our part of that network.

Chris: Okay. So based on the findings of the second half 2018 report, what recommendations are you making to reverse the course of the exponential growth about a tax crossover activity and emphasis on mobile hacking?

Rebekah: Yeah, I mean I think it's all about kind of using the layered defense that I mentioned earlier. With regard to bot attacks, it's obviously about the capability of being able to detect those kinds of high velocity attacks at the front door before they're impacting a merchant or a company's ability to accept good customer transactions. So really stopping them before they're kind of impacting business practices.

But in terms of kind of how to mitigate against other cybercrime attacks, again, I think it's going back to looking at holistically at kind of the information that you know about a transacting user, looking at everything you know about their digital identity and being able to detect potential high risk scenarios or anomalies that don't look like normal user behavior.

Chris: And are you currently working on the H1 2019 report? Do you have any sort of predictions for what you think, you know any of this is going to change? Or is it still up in the air?

Rebekah: We all working on the H1 report and I've seen a couple of interesting fraud stories that we're going to be including in the report. Again, looking at different kind of modus operandi of how fraudsters are working across the network. We don't have any kind of hard and fast numbers yet, in terms of what the trends are, but I'm kind of keen the anticipating looking at particularly the mobile story and how mobile attacks are evolving, and likewise, I'm interested to see whether that bot volume is consistent with what we saw in H2 2018.

Chris: Okay. As we wrap up today, if people want to know more about ThreatMetrix and maybe get a copy of the H2 2018 report themselves, where can they go?

Rebekah: They can go to our website threatmetrix.com. The report is available from the website. There's lots of other kind of detailed information about some of the stuff that I've spoken about today.

Chris: Okay. Rebekah, thank you very much for being here today.

Rebekah: Thank you. It's been great talking to you.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in CyberSpeak with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search CyberSpeak with InfoSec in your favorite podcast app. See the current promotional offers available for podcast listeners and to learn more about our InfoSec Pro live bootcamps, InfoSec skills, on demand training, library and InfoSec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click the link in the description. Thanks once again to Rebekah Moody and thank you all for watching and listening. We'll speak to you next week.