This is the first in a three-part series diving into how fraudsters, scammers, and identity thieves have an unfair advantage, and what can be done to level the playing field.
Global cybercrime proceeds from fraud, identity theft, and scams are estimated in the hundreds of billions of USD. If these cybercriminals formed their own country, their GDP would be in the top 50. There’s a rich economy of people assembling stolen identities, distributing impersonation software, and building global-scale networks from which to launch attacks.
The attacks themselves are actually the easiest part. Security and testing tools like Sentry MBA have made launching multi-step credential stuffing attacks as simple as filling out a form. If you get stuck, there’s no shortage of YouTube tutorials on how to correctly configure the tool.
Checkout bots, and their source code, are free to download on the open internet -- no dark web required. Some bots enable users to rent access to clean IPs in specific locations with a few clicks. This is especially useful if the attacker has bought a list of stolen credit cards, called “fullz,” and wants to appear to be coming from the location of the actual cardholder.
Attackers aren’t concerned with Captchas and other bot detection mechanisms. The challenges that can’t be solved automatically are routed to challenge-solving platforms staffed gig-economy-style by people working around the world and around the clock. These people break through hundreds of challenges an hour for small (sub-cent) rewards per challenge defeated.
What’s telling is that a remarkable number of attackers are teens and twentysomethings with no formal programming training or experience. While their focus is usually on sneakers, fashion items, gift cards, and digital goods, they use the same tools and techniques needed for any fraud and identity abuse attack.
A person doesn’t need training, software development skills, high-cost tools, or specialty infrastructure to become an effective cybercriminal. They just have to commit to it.
In contrast, protecting a modern application requires teams of specialized engineers and careful planning. Losses take weeks, sometimes months, to detect. Afterwards, software development lifecycles take months to isolate a problem, develop a solution, and put it into operation. The net result is that it takes a few days for an unsophisticated attacker to launch an attack that will require months of effort from enterprise teams to shut down.
What drives this asymmetry? Modern applications offer rich interactions and focused customer experiences that lead them to fracture into a distributed set of product areas. These vary from application to application, but the setup generally looks something like this:
The segmentation of applications causes user data to sprawl across multiple product areas, making it difficult or impossible to effectively protect the user experience in any one product area by using data beyond its borders. To combat this, businesses need to develop defenses that cut across the entire customer journey, but constantly changing business needs, customer experiences, and attack patterns make this incredibly challenging.
The gold standard is a practice called continuous adaptive risk and trust assessment, or CARTA for short. In this practice, each interaction serves to build trust (or suspicion) of a user’s true identity and intent so that applications can provide a differentiated customer experience.
Capturing each interaction and data point and performing continuous risk assessments is a heavy task that requires buy-in and prioritization from the entire organization. In our observations, the time and cost of running a CARTA practice are beyond the reach of most businesses.
In the face of a losing battle against cybercriminal activity, many businesses are forced to reduce the scope of their offerings in order to avoid the attention of attackers and to give their teams a chance at keeping up. With an effective risk strategy, online businesses could:
Achieving this can be a radical shift. Business leaders need broad alignment across operations and technology teams, and they need this work prioritized over traditional growth initiatives. It can be hard to reframe the view: the outcome isn’t an incremental improvement in fraud detection, but a fundamental change in how the business ensures customer trust online and isolates malicious users while providing a better good-user experience than ever before.
At SpecTrust, we believe the future of cybercrime defense is code-free. Our no-code platform unifies teams, data, and technology in the fight against fraudsters, scammers, and identity thieves without requiring engineering teams to lift a finger. By instantly unlocking the capability to perform continuous adaptive risk and trust assessments across the entire customer journey, we empower businesses to outmaneuver cybercriminals and deliver world-class experiences to their customers.