Risk & Fraud

E-skimming: The New Never-Ending War on Online Fraud

By: Jack Lynch, SVP, Chief Risk Officer, PSCU

Names like Ticketmaster, Best Buy, Delta Airlines and the Atlanta Hawks might conjure images of fun and entertainment, but they all have something more unfortunate in common – all have been victims of digital fraud.

Like the physical skimmers that criminals hide in compromised POS terminals, gas pumps and ATMs, digital card skimmers have stolen payment card data from unwitting customers through the websites of the businesses named above. And those businesses are not alone. “E-skimmers,” as they are commonly known, have grown in frequency, sophistication and impact over the past several years, resulting in millions of dollars in losses for many well-known businesses and organizations.

How Does E-skimming Occur?
E-skimming occurs when attackers plant malicious code in the checkout pages of a merchant’s website. More precisely, they inject scripts (typically JavaScript) into e-commerce sites that capture the card data entered into payment forms. While the cardholder completes the order and submits payment details, the script siphons the credit/debit card number, expiration date, CVV2/CVC2, name and address to a server the attacker controls. The legitimate transaction still completes normally, so neither the cardholder nor the merchant sees anything wrong at the time. Hackers also target third-party vendors, whose scripts are loaded by every merchant site that uses them, and the chat widgets merchants embed on their pages, as additional ways to get skimming code onto a checkout page. Nor does it stop there. Mobile devices are used for fraud more than ever, and consumers are becoming more susceptible to the social engineering attacks they receive. The reason is distraction: everyday tasks hinder consumers’ ability to pay careful attention to the personal information being requested of them.

Once collected, the information is either sold on underground carding websites or used immediately by the highest bidder in the fraud world. Unfortunately, once cardholder information has been compromised along with personally identifiable information, fraudsters deploy social engineering tactics that lead to further schemes such as phishing, vishing (voice phishing) and smishing (SMS phishing). The net result is an increase in card-not-present (CNP) fraud.

Best Practices from a Financial Institution Perspective
As fraud evolves and affects member security, it is more important than ever that your financial institution take responsibility for monitoring member accounts. Watch for excessive or rising volumes of card-not-present activity. Once a fraud trend has been identified, review and adjust your current authorization parameters: daily limits, velocity, dollar amounts and merchant category code (MCC) blocks. Combined with system-based fraud controls such as authorization name match and expiration-date validation, Address Verification Service (AVS) and 3-D Secure, this strategy will help combat this type of fraud.
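As an added example of what adjusting authorization parameters means in practice (this is not the article’s or PSCU’s code), the Python below encodes the controls listed above as a decision function over a stream of authorizations: an MCC block, expiration-date and AVS validation, a rolling 24-hour count and dollar limit on card-not-present activity, and a short-window velocity rule aimed at card-testing bursts. The authorizations, limits, the MCC on the block list and the AVS codes treated as a match are constructed for the example; real parameter values are a policy decision.

```python
"""Authorization-parameter checks for a card-not-present fraud trend (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Params:
    """Parameters a fraud team tightens once a CNP trend is confirmed (values assumed)."""
    cnp_max_count_24h: int = 6                 # CNP attempts per card per rolling 24h
    cnp_max_amount_24h: float = 1500.0         # approved CNP dollars per card per rolling 24h
    burst_max_count: int = 3                   # CNP attempts within burst_window (card testing)
    burst_window: timedelta = timedelta(minutes=10)
    blocked_mccs: frozenset = frozenset({"7995"})   # merchant category codes to decline outright
    avs_accept: frozenset = frozenset({"Y", "A"})   # AVS results treated as a match
    require_exp_match: bool = True


@dataclass
class Authorization:
    """One authorization request as the issuer processor sees it (constructed)."""
    card: str
    ts: datetime
    amount: float
    mcc: str
    cnp: bool                 # card-not-present
    avs: str = "Y"            # AVS response: Y full match, A address only, N no match, U unavailable
    exp_match: bool = True    # expiration date supplied matches the card on file


class Authorizer:
    """Applies Params to a stream of authorizations, keeping a rolling 24h CNP history per card."""

    def __init__(self, params):
        self.p = params
        self.history = defaultdict(deque)     # card -> deque of [ts, approved_amount]

    def _window(self, card, now):
        q = self.history[card]
        while q and now - q[0][0] > timedelta(hours=24):
            q.popleft()
        return q

    def decide(self, a):
        """Return (decision, reason). Card-present traffic is only subject to the MCC block."""
        if a.mcc in self.p.blocked_mccs:
            return ("decline", f"mcc_block:{a.mcc}")
        if not a.cnp:
            return ("approve", "card_present")
        q = self._window(a.card, a.ts)
        q.append([a.ts, 0.0])                 # every CNP attempt counts toward velocity
        attempts = len(q)
        burst = sum(1 for t, _ in q if a.ts - t <= self.p.burst_window)
        spend = sum(amt for _, amt in q) + a.amount
        if self.p.require_exp_match and not a.exp_match:
            return ("decline", "exp_mismatch")
        if a.avs not in self.p.avs_accept:
            return ("decline", f"avs:{a.avs}")
        if attempts > self.p.cnp_max_count_24h:
            return ("decline", "cnp_count_24h")
        if burst > self.p.burst_max_count:
            return ("decline", "cnp_burst")
        if spend > self.p.cnp_max_amount_24h:
            return ("decline", "cnp_amount_24h")
        q[-1][1] = a.amount                   # only approved amounts count toward the dollar limit
        return ("approve", "ok")


def run(auths, params=None):
    """Apply the parameters to an authorization stream in order; returns [(decision, reason)]."""
    authorizer = Authorizer(params or Params())
    return [authorizer.decide(a) for a in auths]


T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_AUTHS = [                                                                  # constructed
    Authorization("card-A", T0, 42.00, "5411", cnp=False),                        # grocery, card present
    Authorization("card-A", T0 + timedelta(minutes=1), 9.99, "5734", cnp=True),
    Authorization("card-A", T0 + timedelta(minutes=2), 9.99, "5734", cnp=True, avs="N"),
    Authorization("card-A", T0 + timedelta(minutes=3), 9.99, "5734", cnp=True),
    Authorization("card-A", T0 + timedelta(minutes=4), 9.99, "5734", cnp=True),   # 4th attempt in 10 min
    Authorization("card-A", T0 + timedelta(hours=2), 899.00, "5732", cnp=True),
    Authorization("card-A", T0 + timedelta(hours=3), 700.00, "5732", cnp=True),   # 24h CNP spend over limit
    Authorization("card-B", T0, 50.00, "7995", cnp=True),                         # blocked MCC
    Authorization("card-B", T0 + timedelta(minutes=5), 50.00, "5999", cnp=True, exp_match=False),
]

if __name__ == "__main__":
    for a, (decision, reason) in zip(SAMPLE_AUTHS, run(SAMPLE_AUTHS)):
        print(f"{a.card} {a.ts:%H:%M} {a.amount:8.2f} {decision:7s} {reason}")
```

Declined attempts still count toward the velocity rules, because a fraudster testing a stolen card produces a string of small declines before the first approval; only approved amounts count toward the dollar limit. Tightening a single field of Params, for example lowering cnp_max_count_24h for the BINs affected by a trend, is the kind of adjustment the paragraph above describes.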

The next step is to identify the number of impacted accounts. This can be done through channels such as daily fraud report monitoring, daily authorization reports, fraud detection alerts, and any recent compromise event reported via Visa CAMS (Compromised Account Management System) and/or Mastercard ADC (Account Data Compromise) alerts. Accounts that are not associated with a known compromise event should go through a common point of purchase (CPP) analysis, which looks for the one merchant that all of the accounts affected by the fraud trend have in common before the fraud began. All confirmed CPP results should be reported to both Visa and Mastercard through the CPP reporting tools on their respective websites. If law enforcement is involved in the case, compile all fraud transaction data as financial evidence.
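A common point of purchase analysis, as an added example (not the article’s or PSCU’s code): given the cards confirmed as fraud victims, the cards already explained by a network compromise alert, and each card’s purchase history, the Python below finds the merchant shared by the unexplained cards in the window before their fraud began, and compares that merchant’s prevalence among them to its prevalence in the rest of the portfolio, so that a merchant everyone uses is not mistaken for the breach point. Cards, merchants, dates and thresholds are all constructed.

```python
"""Common point of purchase (CPP) analysis over authorization history (added example)."""
from collections import defaultdict
from datetime import date, timedelta


def cpp_analysis(history, fraud_cards, excluded_cards, fraud_dates,
                 lookback_days=90, min_coverage=0.6, min_lift=3.0):
    """Rank merchants as CPP candidates for the fraud cards not explained by a known compromise.

    history:        iterable of (card, merchant, purchase_date)
    fraud_cards:    cards with confirmed fraud
    excluded_cards: fraud cards already tied to a network compromise alert; dropped from review
    fraud_dates:    card -> date of the card's first fraudulent transaction
    Returns [(merchant, coverage, baseline_rate, lift)] for merchants seen on at least
    min_coverage of the reviewed cards and at least min_lift times more often than in the
    rest of the portfolio, best candidate first.
    """
    review = set(fraud_cards) - set(excluded_cards)
    baseline = {card for card, _, _ in history if card not in fraud_cards}
    if not review or not baseline:
        return []
    lookback = timedelta(days=lookback_days)
    fraud_visits = defaultdict(set)       # merchant -> reviewed cards seen there before their fraud
    base_visits = defaultdict(set)        # merchant -> baseline cards seen there
    for card, merchant, day in history:
        if card in review:
            end = fraud_dates[card]
            if end - lookback <= day < end:   # only purchases that could have leaked the card
                fraud_visits[merchant].add(card)
        elif card in baseline:
            base_visits[merchant].add(card)
    candidates = []
    for merchant, cards in fraud_visits.items():
        coverage = len(cards) / len(review)
        base_rate = len(base_visits[merchant]) / len(baseline)
        lift = coverage / base_rate if base_rate else float("inf")
        if coverage >= min_coverage and lift >= min_lift:
            candidates.append((merchant, round(coverage, 2), round(base_rate, 2),
                               round(lift, 2) if base_rate else lift))
    candidates.sort(key=lambda c: (c[1], c[3]), reverse=True)
    return candidates


# Constructed portfolio: six fraud cards, one of them (f6) already on a compromise alert,
# ten clean baseline cards, and three merchants of which only one is the real CPP.
D = date(2024, 3, 1)                      # date the fraud on these cards was confirmed
FRAUD_CARDS = {"f1", "f2", "f3", "f4", "f5", "f6"}
EXCLUDED_CARDS = {"f6"}                   # explained by a CAMS/ADC-style alert, not by this trend
FRAUD_DATES = {card: D for card in FRAUD_CARDS}
HISTORY = [
    *((card, "MegaMart", D - timedelta(days=5)) for card in FRAUD_CARDS),     # everyone shops here
    *((f"b{i}", "MegaMart", D - timedelta(days=4)) for i in range(1, 11)),
    ("f1", "Bistro-17", D - timedelta(days=12)),     # the unexplained cards share a small restaurant
    ("f2", "Bistro-17", D - timedelta(days=30)),
    ("f3", "Bistro-17", D - timedelta(days=45)),
    ("f4", "Bistro-17", D - timedelta(days=61)),
    ("f5", "Bistro-17", D - timedelta(days=120)),    # outside the 90-day lookback window
    ("b3", "Bistro-17", D - timedelta(days=20)),     # one baseline card ate there too
    ("f1", "GasStop-9", D - timedelta(days=2)),      # shared by too few cards to qualify
    ("f2", "GasStop-9", D - timedelta(days=2)),
    ("f6", "GasStop-9", D - timedelta(days=3)),
]

if __name__ == "__main__":
    for merchant, coverage, base_rate, lift in cpp_analysis(HISTORY, FRAUD_CARDS, EXCLUDED_CARDS, FRAUD_DATES):
        print(f"{merchant}: on {coverage:.0%} of reviewed fraud cards, {base_rate:.0%} of baseline, lift {lift}")
```

MegaMart is on every fraud card and would top a naive “most common merchant” count, but it is on every clean card as well, so its lift is 1 and it is discarded; Bistro-17 is on most of the reviewed cards and almost none of the baseline. Widening the lookback window pulls f5 in and raises Bistro-17’s coverage to 100%, which is the parameter to revisit when a candidate’s coverage is high but not complete. The merchant that survives this filter is what gets reported through the Visa and Mastercard CPP tools.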

Hopefully your organization already has a good fraud prevention and investigative strategy in place. Below are a few suggestions for those who are new to the fraud arena or need a refresher:

• Know the different fraud types that can occur in the plastic card industry.
• Deploy authorization parameter settings as needed to help combat fraud trends.
• Have a plan of action in the event of a fraud incident.
• Create a fraud toolbox.
• Manage your Visa CAMS and Mastercard ADC alerts. We suggest creating a severity rating system based on the data elements considered “at risk” in each alert (for example, whether the CVV2/CVC2 was among the data exposed) to help decide whether to block and reissue an account or to monitor it for fraud trends.

It’s no surprise that fraud is ever-changing, regardless of industry. Factors such as criminal motivations, methodology and victim error all play a part in the vicious cycle of financial crime. Unfortunately, there is no silver bullet when it comes to fighting fraud, but the next best solution is education and preparation. Being aware of the latest fraud trends and schemes, in addition to a robust fraud prevention and investigative strategy, will help your organization in the event of fraud.

Additional Resources:
Discover more in-depth information on e-skimming and the newest financial crimes in the white papers below. Both provide a range of information shared across the law enforcement community and the financial industry.

The Verizon Data Breach Investigations Report
The United States Secret Service Electronic Crimes Task Force Bulletin