Layering fraud prevention – Using dark web monitoring to protect payment card data

Cardholders are constantly targeted by fraudsters using a full arsenal of attack methods, including data theft, transactional fraud and identity fraud. From skimming at the gas pump and self-checkout kiosks to dialers with fake phone numbers and spoofed websites, account holders expect their bank or credit firm to protect their cards and personally identifiable information (PII). Financial institutions (FIs) that do it well earn the respect of cardholders with loyalty and brand affinity. For issuers that fail to keep up with ever-changing fraudsters, however, the costs can rise exponentially.

FIs often focus primarily on fraud prevention, detection and mitigation. It’s also important to consider how cardholder data is used, particularly in proactive identification and mitigation of fraud risks.

Why is dark web monitoring for fraud prevention critical?

FIs should routinely scan for their account holders’ PII and issued card numbers or payment card industry data on the dark web. Dark web monitoring is the process of continuously searching for any compromised information on the dark web and taking necessary action if such data is found.

Dark web monitoring can be used to classify risks from unknown sources. As an issuer, when you receive an alert that your cardholders' data is on the dark web, you’re better able to connect those instances to other threat detection sources and use that information to profile and mitigate threats faster. Acting quickly to identify your cardholders’ exposed data and the length of time it’s posted gives cybercriminals less time to work against you, exploiting confidential information.

Additional data and information leaks may also be avoided by searching the dark web for patterns of personal account numbers. Once compromised accounts are identified, FI fraud analysts take necessary action according to their fraud strategy: flagging accounts, reissuing cards, contacting cardholders, feeding data into fraud scoring solutions and sending fraud markings back into their fraud ecosystem.

What types of payment card data appear most on the dark web?

According to Fortra data,¹ FIs continue to be the primary focus of criminal groups and through underground channels who target more than 90% of malicious activity at either credit unions, banks, financial services or payment services. The most recent threats on the dark web include credit card data (81% of overall volume), "how to" toolkits and phishing kits (12%), customer credentials (6%) and corporate credentials (1%).

Stolen payment card information sells for an average of $10 per compromised card worldwide, with U.S. payment cards bringing between $1 and $12 per card, according to a NordVPN report.² The research also found 1.5 million sets of payment card details for sale on the dark web. Half of the total is from the U.S., led by Visa, Mastercard and American Express card data. More than half (52%) is debit card data, which is striking because fraudsters can drain money directly from debit card accounts. A little less than half constitute credit card data (48%).

Fraudsters buy and sell cardholder data on the dark web sourced from cyberattacks, phishing emails that imitate legitimate emails and similar spoofing on websites. They skim for cardholder data at gas stations and at retail point-of-sale devices, with many cases now being reported at standard self-checkout stations. Cardholder data may also be compromised when customers use insecure networks for sensitive information. Keylogging and screen scraping are also techniques used to grab information without a user knowing.³

How do fraudsters buy and exploit stolen card data?

A fraudster may spend $1,000 or more to pick up a few hundred compromised card credentials. They then may test the cards with small purchases, with most resulting in failed transactions. But, on the 5 or 10 cards for which they are able to make insignificant but successful purchases, they can quickly ramp up spending to max out the cards, raking in returns that far exceed the $1,000 originally spent.

How can issuers manage and act on exposed card credentials?

In your fraud ecosystem, you could create a list of cards (either individual or in a BIN range) to include or exclude in an evaluation of a particular rule. From rule decisioning, issuers can generate lists of exposed cards and either place an indicator to monitor such cards or reissue the set of cards altogether. Taking this to the next level, issuers may integrate dark web monitoring services within existing traditional fraud scoring systems to identify if activity looks consistent with actual cardholder spending through transaction history and scoring profiles of cardholders. Data analysis helps you determine when to take action.

Combining 3-D Secure (3DS) risk analysis for cardholder authentication for card-not-present (CNP) online purchases, as well as other cardholder authentication journeys, aids in identifying if it is the cardholder that’s attempting to make the purchase.

How can issuers keep pace with evolving dark web fraud tactics?

Monitoring helps issuers keep pace even as dark web forums share information. Dark web forum communities have grown and matured exponentially by sharing knowledge, tools and technologies that enable fraudsters to expand spoofing and other large-scale bot attacks through automated and simplified operations. Issuer fraud prevention strategies must keep pace with continually changing patterns to increase operational inefficiency.

Machine learning helps build scale to take pressure off fraud teams. By training models with large data sets, these types of fraud prevention systems spot patterns that fraud analysts may miss. Plus, models can continuously monitor transactions, which takes pressure off human resources at FIs.

What fraud prevention best practices help protect cardholders?

FIs should strive to expand their capabilities in their fraud ecosystem on three ground levels, routed in best practice:

• At the base data level, feed compromised data found on the dark web to rules and decisioning tools using transactional fraud scoring solutions.
• At a protecting level, combine this with authenticating all transactions on the front end and throughout the account holder lifecycle journey, using 3DS for CNP transactions and other authentication methods depending on purchase type.
• Finally, at a third and preventative level, manage compromised data by monitoring and stopping or blocking compromised transactions, communicating with the cardholder, and then feeding the data and fraud markings back into the fraud ecosystem.

With these three best practices, FIs have the potential to better protect themselves and their cardholders.

Disclaimers: