2019 could be the worst year ever for holiday retail cybercrime
Online fraud increased 30 percent overall in the third quarter of this year and bot-driven account registration fraud is up 70 percent as cybercriminals test stolen credentials in advance of the peak holiday retail season.
These are among the findings of the latest Fraud and Abuse report from Arkose Labs. Its analysis of over 1.3 billion transactions, spanning account registrations, logins and payments, reveals that one in five account openings were fraudulent.
Digital account registration has become the identity testing mechanism for fraudsters, as evidenced in the sharp increase in account creation attacks. Even when an account creation attack fails, it can provide valuable insight into the existence of an account with the business. This information is then used for more sophisticated account takeover attacks.
"Our report shows the evolving nature of the global cybercrime ecosystem. The monetization channels of fraud have become increasingly complex, which means the incentive and victim is not always immediately obvious," says Kevin Gosschalk, CEO of Arkose Labs. "One thing is clear: the way fraudsters are weaponizing compromised data from recent high-profile breaches highlights the deep connectivity of the global cybercrime ecosystem that goes way beyond selling stolen data or knowledge sharing. One attack is a precursor to another attack, and they can be in two different industries, across two different geographies."
The report observed a 30 percent increase in account takeover attacks in the retail industry compared to the previous quarter. Account takeover attacks are a precursor to payment fraud, as most ecommerce companies encourage consumers to create accounts and store payment details to remove friction in the path-to-purchase. 81 percent of all retail attacks were fraudulent payment transactions, with fraudsters targeting this sector to monetize identity and payment credentials that have been breached.
Interestingly, attacks from malicious humans -- both lone perpetrators and organized fraud sweatshops -- increased 33 percent over the previous quarter, and nearly one in every five attacks is now human-driven rather than automated. Every third attack on financial services is human-driven, with the most sophisticated attacks coming from lone fraudsters with access to stolen identity information and the latest tools.
"The increase in human-driven fraud highlights why businesses need to rethink the role of friction within their authentication strategy. We have spent so much time focusing on acceptance rates, but a little friction is not bad if it allows organizations to properly protect their attack surfaces while giving consumers a simple way to prove they are legitimate," says Vanita Pandey, VP of strategy at Arkose.
The full report is available from the Arkose site.