Using Sophisticated WAF Technology to Put the Stop to Card Fraudsters: Part I

Posted by Aaron Fosdick on Apr 19, 2018 11:55:00 AM

In part I of this two-part series, we will discuss the growing issue of credit card fraud for card issuers, card holders, and merchants, including how card data is being obtained and used by today's advanced attackers.

Credit Card Fraud

Who bears the cost?

Credit card fraud has been an ongoing problem for online merchants for many years now. When ordinary users shop online, credit card purchases are indemnified by the card issuer, meaning the individual card users are not responsible for fraudulent charges made on their card as long as the user reports those charges in a timely manner, typically within one billing period. In fact, US law limits cardholders’ liability to $50.

Due to the popularity of online shopping, card issuers have well-established programs to communicate card holder liability. What is less commonly known is that when a criminal completes a successful online purchase, and the card issuer later reverses the charge, the merchant is often responsible for the loss. Most merchants have resigned themselves to writing off this fraud as a cost of doing business online. However, loss from stolen cards can place a significant financial drain on merchants who may only make a small markup on goods. In particular, fraud loss is especially high for goods that are easily fenced or resold on Craigslist/eBay.

The cat and mouse game.

Cyber gangs and independent hackers obtain credit, debit and gift cards using various methods such as breached POS systems or identity theft. Those cards are then sold on the Dark Web (accessible via the Tor network), including on several established and highly developed marketplaces for such information. Until just recently, there was even a marketplace on Facebook!

To maintain demand, criminals sell with a guarantee that a certain percentage of cards are valid. The available data includes PANs (Primary Account Numbers), CVVs (Card Verification Values), names, addresses, and even answers to verification questions.

Over time, card issuers have developed more sophisticated anti-fraud programs, which quickly inactivate most cards once they make it onto the dark web. Unfortunately, enough remain active to make this crime viable. As anti-fraud efforts identify and close marketplaces, card sellers simply find other locations. This causes a cat and mouse game between the fraudsters and card issuers, leaving the merchants stuck in the middle.

Note: Your Credit Card Was Declined

With their block of purchased cards and a full online shopping cart, fraudsters enter one PAN after another, receiving decline after decline, until one succeeds, even if it takes 20 tries. Today, merchants simply pass the payment processing logic onto the processor and can only deduce if a transaction succeeds or fails. This lack of visibility, plus the current limitations of traditional web application firewall technology, leaves merchants essentially helpless.
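
The success/fail signal a merchant does see is still enough to spot the card-cycling pattern described above. The following is an added example, not code from the original post or from any vendor: the log format, session and token names, the 10-minute window and the threshold of three distinct declined cards are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DECLINED_CARDS = 3          # assumed limit on distinct declined cards

# Constructed sample: "timestamp session card_token outcome". The card field
# is a processor token, so the merchant never logs a raw PAN.
SAMPLE_LOG = [
    "2018-04-19T10:00:05 sessA tok_1 declined",
    "2018-04-19T10:00:40 sessA tok_2 declined",
    "2018-04-19T10:01:10 sessA tok_3 declined",
    "2018-04-19T10:01:45 sessA tok_4 approved",
    "2018-04-19T10:02:00 sessB tok_9 declined",  # shopper mistyping one card
    "2018-04-19T10:02:30 sessB tok_9 declined",
    "2018-04-19T10:03:00 sessB tok_9 approved",
]

def parse(line):
    """Split one constructed log line into (time, session, card, outcome)."""
    ts, session, card, outcome = line.split()
    return datetime.fromisoformat(ts), session, card, outcome

def detect_card_testing(lines, window=WINDOW, limit=MAX_DECLINED_CARDS):
    """Return {session: alert} for sessions cycling through many cards.

    'blocked-candidate': distinct declined cards in the window hit the limit.
    'approved-after-cycling': a new card was approved right after such a run.
    """
    declines = defaultdict(deque)  # session -> deque of (time, card_token)
    alerts = {}
    for ts, session, card, outcome in sorted(map(parse, lines)):
        recent = declines[session]
        while recent and ts - recent[0][0] > window:
            recent.popleft()       # forget declines older than the window
        distinct = {c for _, c in recent}
        if outcome == "declined":
            recent.append((ts, card))
            distinct.add(card)
            if len(distinct) >= limit:
                alerts.setdefault(session, "blocked-candidate")
        elif outcome == "approved" and len(distinct) >= limit and card not in distinct:
            alerts[session] = "approved-after-cycling"
    return alerts

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE_LOG))
```

Counting distinct cards rather than raw declines keeps a shopper who retries the same card several times from being flagged.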

In part II of this series, we will explore the application of traditional web application firewall technology to this use case and how that differs from next-generation contextual behavioral analysis approaches in successfully detecting and neutralizing malicious card fraudsters.
Topics: Threat Intelligence