Credit card fraud: What you need to know now

Credit and payment card thieves are getting more sophisticated as chipped cards drive them to account takeover and card-not-present schemes.

Maritza Dominguez has seen some impressive attempts at payment fraud in her 18 months as trust and security lead at Patreon, a site that allows online artists and web content creators to get paid by running membership businesses for their fans. The scheme she uncovered this summer proved to be one of the most impressive to date, not only for its innovation but for its sheer complexity.

In a multi-account takeover scheme, fraudsters would take over a content creator’s account, then take over dozens of patrons’ accounts, which they would use to make fraudulent pledges using stolen credit card data. The fraudsters would then create a PayPal account, change the artist’s payment method to the account and then cash out. “It takes a lot of skill” to pull off a fraud like this one, Dominguez says.

She was tipped off when a patron noticed his account showed a pledge that he didn’t make. A day or two later, a creator notified Patreon that his account information had been changed. “We realized the patron had made a pledge to that creator’s account, and then noticed that all the IPs were the same between these two and a bunch of other accounts,” Dominguez says. “It took a lot of investigative work.”

Patreon has since moved to a machine learning platform that helps them root out malicious behavior, but the reality of today’s credit and payment card fraud is clear. It’s hard to stay ahead of the constant barrage of new and innovative fraud tactics being pumping out by bad actors worldwide, security experts say. While hacking tactics have evolved, such as last year’s Magecart, which injected JavaScript code into ecommerce sites running exploiting older, un-updated shopping cart software, the latest version of fraudster capitalizes on false identities and deception to commit elaborate money laundering schemes or establish online resale shops for stolen credit cards.

E-commerce fraud attack rates spiked more than 30 percent in 2016 over the prior year, according to Experian. The credit reporting agency attributes the rise in part to the switch to EMV (Europay, Mastercard and Visa) chips in credit cards, which reduced counterfeit card fraud at the point of sale, but has driven fraudsters online with account takeover and card-not-present schemes. Account takeovers similar to the one experienced at Patreon rose 31 percent in 2016, according to a report by Javelin Strategy & Research.

“Fraudsters never rest, and when one area is closed, they adapt and find new approaches,” said Al Pascual, senior VP, research director and head of fraud and security at Javelin, in a statement.

Fraud and security experts offer a sampling of today’s biggest credit and payment card fraud tactics and tips on how to prevent them.

Account takeovers

Online account takeovers, where hackers steal passwords instead of credit cards, and then log onto other more lucrative sites where even more money is at stake, cost consumers $2.3 billion in 2016, a 61 percent increase from 2015, according to Javelin.

To continue reading this article register now

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!