itnews.com article sheds a different and interesting light on the methods now being deployed by the fraudsters. Basically these latest tactics are designed specifically to outwit the Risk Engines. Risk Engines work on the principle that if a transaction
seems “normal” the risk engine will generally approve the transaction. Of course there are other checks that the risk engine will perform, but transactions that “appear” to originate from the locality of the normal use of the card will not generally appear
unusual to the risk engine and the probability that the transaction will be approved is considerably improved.
So, the Target hackers have undertaken to selling location usage data alongside the card data, and can charge a premium for such data. Value added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything
between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That’s puts the “value” on the 40million+ payment cards stolen from Target at between $800million and $4billion! If we assume that
their ROI is a minimum of 10 times their “investment” then we are looking at a fraud value of between $8bn and $40bn. Who says that crime does not pay? The cost to the industry is substantially more and it is estimated that the absolute cost of fraud (the
$value) is only 30% of the total cost to the industry. So, now we are looking at between $27bn and $134bn for the Target breach. Ok, they won’t be 100% successful, but even if the only achieve 20% success we can expect the industry to wear costs between $5billion
and $27bn. A staggering $impact for a single data breach! No wonder that we hear that Class Actions are being prepared and knives being sharpened. The outlook for Target, an unfortunate company name to say the least, is bleak!
So, the fraudsters decision to add location data is a clever extension to the old skimming techniques (which of course will continue). The current implementation is simplistic but already proving to be successful and as we have seen, the fraud community
is quick to exploit opportunity. We should therefore expect that as their methods evolve, they will become more sophisticated. The tools to achieve this are already out there in various forms, and the ability of the fraud community to mobilise such resources
is without question.
Industry analysts seem surprised by the evolution of payment card data + location data, but we predicted this progression some time ago, and it is of course a logical progression to current skimming techniques. The solution to this type of attack requires
real-time, reliable (ie trusted), granular location data, where the information to validate a transaction within the Authorisation Step is immediately available, invisible to the consumer, and totally privacy sensitive. Such counter technology is already available
in the market today. Mind sets need to change. If your defence security mechanisms are based solely on keeping the bad guys out, then you have already lost the battle, and possibly the war!