August 19, 2016
Crashing Waves: Security Breaches, Fraud Detection and What’s Next for CNP
CardNotPresent.com presents a three-part series stemming from a conversation with industry executives about the recent spate of massive security breaches that have exposed the payment-card information of more than 40 million U.S. consumers. The breach did not occur in a vacuum—there were warning signs. And the story is not over. While news from Target, Neiman Marcus and Michaels is devastating, the next 18 months could be worse. And beyond that are even more waves that will rock the CNP industry. Part I of the series will examine the increase in fraudulent activity in advance of the breach disclosures—what some knew, when they knew it and how they came by the information.
Part I – The Storm before the Calm
By D.J. Murphy, Editor-in-Chief, CardNotPresent.com
When news of the Target security breach first reached the ears of the public, it confirmed rumors that many in the security community were hearing and what Boise, Idaho-based antifraud technology provider Kount had been seeing for months. There had been a huge uptick in e-commerce transactions that the company was able to identify as fraud, but that were utilizing very high-quality information that would confound most fraud filters and rules-based engines. As they moved into the holiday season, what Kount was seeing made it apparent that a huge breach had occurred. They weren’t, however, able to identify where the tsunami of data causing these fraudulent transactions was coming from, just that their merchant clients were at risk.
“The analogy that I used to explain it to our customers was: we’ve walked into the kitchen and there’s an inch of water,” says Don Bush, vice president of marketing at Kount. “We don’t know where the leak’s coming from, but we know that there’s a problem and we have to protect our customers from it. The fact that the leak turned out to originate with Target, well, we really don’t care. It doesn’t matter where the bad actors come from, we just know it’s fraud.”
Kount was able to identify the fraudulent transactions despite the fact that the data fraudsters had lifted from Target was of very high quality. What they knew to be fraudulent purchases were getting approved by issuing banks at a very high rate. But, if the quality of the information being used was good, how could Kount ascertain that the transactions they were seeing—transactions that were growing more numerous by the hour in the days leading up to Christmas—weren’t legitimate?
“If you’re a merchant acting by yourself it’s near impossible to catch because the data’s good,” says Bush. “One of the things that’s unique about these recent breaches is they’re selling this data now in custom packs. And those custom packs are distributed by geography, quality of credit based on the card and things like that. The banks don’t know they’re compromised, the clients don’t know they’re compromised, the cardholders don’t know they’re compromised. So if you’re a merchant, it would be next to impossible to figure this out by yourself.”
As part of its comprehensive fraud prevention solution, Kount had introduced a feature called Persona Technology. To create a persona, Kount looks for indirect deep linkages between transactions that seem fine and others that are known to be fraudulent across its entire network of thousands of merchants. As Kount’s overall system collects information about individual transactions, it compiles and assesses hundreds of variables to create a persona.
“Say one transaction uses a particular credit card and we find another transaction that uses the same card,” explains Rich Stuppy, vice president of operations at Kount. “But, the second transaction that used that same credit card is related to three transactions that used the same device. And of those three transactions that used the same device, they relate to many other transactions in some other way. The end result is end-to-end, indirect linking in real-time. This is a very challenging computational task.”
Then, no matter how many transactions Kount has linked the original transaction to through the persona, the system analyzes all of them in real time, giving the original merchant a data profile that is hundreds or thousands of times larger than what they could have done on their own, Stuppy says. And, when the data from Target, Neiman Marcus and Michaels started hitting the street, the personas Kount was seeing exploded.
“Normally, these personas are indicative of people working together to commit fraud,” Stuppy says. “They can contain twenty transactions, a thousand transactions, or, a hundred thousand transactions. The bigger the persona gets, the more indicative of rapid and organized fraud. So if I’ve got a hundred thousand transactions and new ones are rolling in every second across multiple merchants, that’s fraud happening with tremendous size and tremendous speed. And over the past several months we saw the personas grow immensely in number of transactions and velocity.”
Combined with the fact that the quality of data being used by the personas was so good, it made detection difficult and it was an incredibly dangerous environment for merchants. For Kount, though, it was obvious there was a huge problem brewing.
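The indirect linking described above can be illustrated as a connected-components problem. The following is an added example, not Kount's code or algorithm: it assumes only two link attributes (card and device), uses a union-find structure, and runs on constructed sample transactions.

```python
from collections import defaultdict

# Constructed sample data (not real transactions). "fraud" marks known fraud.
TRANSACTIONS = [
    {"id": "t1", "merchant": "m1", "card": "card-A", "device": "dev-1", "fraud": False},
    {"id": "t2", "merchant": "m2", "card": "card-A", "device": "dev-2", "fraud": False},
    {"id": "t3", "merchant": "m3", "card": "card-B", "device": "dev-2", "fraud": False},
    {"id": "t4", "merchant": "m3", "card": "card-C", "device": "dev-2", "fraud": True},
    {"id": "t5", "merchant": "m1", "card": "card-D", "device": "dev-9", "fraud": False},
]
LINK_FIELDS = ("card", "device")  # assumption: the article mentions hundreds of variables


def build_personas(transactions, link_fields=LINK_FIELDS):
    """Group transactions connected, directly or indirectly, by a shared attribute."""
    parent = {t["id"]: t["id"] for t in transactions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first transaction id carrying that value
    for t in transactions:
        for field in link_fields:
            key = (field, t[field])
            if key in first_seen:
                parent[find(t["id"])] = find(first_seen[key])  # merge the two groups
            else:
                first_seen[key] = t["id"]

    groups = defaultdict(list)
    for t in transactions:
        groups[find(t["id"])].append(t)
    return [{
        "ids": sorted(t["id"] for t in members),
        "size": len(members),
        "merchants": len({t["merchant"] for t in members}),
        "touches_known_fraud": any(t["fraud"] for t in members),
    } for members in groups.values()]


def flagged_ids(transactions):
    """Ids of every transaction whose persona contains at least one known fraud."""
    return sorted(i for p in build_personas(transactions)
                  if p["touches_known_fraud"] for i in p["ids"])
```

In the sample, `t1` shares neither card nor device with the known-fraud `t4`, yet lands in the same persona through `t2`; merchant `m1`, seeing only `t1` and `t5`, has no local signal to tell them apart.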
“When you distill it down and you’re able to see the linkages, the fraud just kind of jumps out at you,” Stuppy says. “That’s what we really started to see when these breaches started happening, and we’ve been tracking them for quite a while, but it really started to get big when the Target stuff started weaponizing.”
For a merchant community hoping for relief, however, what Kount is seeing in the near-to-medium term is not reassuring. Stuppy says Kount watched the activity emanate from Eastern Europe where it has been reported that not only the individual credit-card numbers scraped from Target and Neiman Marcus were being sold and used, but copies of the malicious code were being sold as well. And, it’s not slowing down. The storm may have broken for now, but Bush says wave after wave of chaos is still waiting to unfold.
One of the ways Kount can determine this is by “disintegrating” the personas. When they break the links between the transactions, if the persona isn’t reestablishing the linkages with new fraudulent transactions, the problem has passed its peak. Unfortunately, according to Bush, the opposite is happening now.
“Once a persona gets to a certain size—we’re talking over 100,000 connections—we disintegrate it to measure the rebuild rate,” he says. “In this case we’ve watched them rebuild in a matter of about 48 hours almost back to their full size. What that means is there’s still lots of activity. They’re still doing bad things.”
In Part II of the series, as our conversation with Kount continues, see what’s in store for the next year and a half. A recent FBI report distributed to retailers estimated up to 20 undisclosed breaches may still be out there waiting for discovery. See if Kount agrees and hear what’s driving the increase in illicit activity.