The Agency Insider with Linda McGlasson

Analysts Warn of 'Flash Attacks'

Flash or Blitz, It's Card Fraud By Any Other Name
Analysts Warn of 'Flash Attacks'

It's an ominous sign of future fraud when industry analysts describe a new method of attack.

Gartner analyst Avivah Litan recently wrote of a new kind of "flash attack" she's hearing of from banks. And last week Jasbir Anand, a fraud analyst at ACI Worldwide, described "blitz attacks," where mass data compromises of stolen card accounts are used overseas, all in a short time period, much like the card breach that led in February 2009 to $9 million being stolen from RBS WorldPay cardholders.

These attacks begin the same way, with criminals tampering with point of sale terminals to steal card data or take data from within the retailer's or business's payment network. Litan says that the twist comes when the criminals then turn and make hundreds or thousands of counterfeit debit cards and spread them among their army of accomplices, who use those counterfeit cards at the same time to withdraw as much money as they can before the issuers detect fraud and shut the cards off. In 10 minutes, the simultaneous withdrawals add up quickly -- $100,000 in stolen cash from the ATMs. Criminals repeat the same steps over a month and rack up a half-million.

These attacks are particularly worrisome because the cash transactions fly under the radar of existing fraud-detection systems -- they are typically small amounts that don't raise alarms. The only solution for institutions is to replace all of the compromised cards. Yes, it's a costly measure, but the alternative is having bank accounts drained.

FICO's senior director of global fraud solutions, Mike Urban, says debit card fraud is definitely becoming more of a concern. Compromises like the one Litan references have been taking place for many years, as have much larger-scale mass compromises of card information at merchants and processors. While the compromise of cards and PINs together is significantly less in the U.S., when compared with the compromise of the mag-stripe, criminals know they can get access to cash.

Technology to Fight Fraud

There are several effective technologies that have been developed to impact debit card fraud losses:

  • Behavior-sorted lists learn the places cardholders go and how they transact. Understanding the habits of cardholders, including preferred merchants, ATMs and recurring transaction patterns, helps issuers spot fraudulent, out-of-pattern behavior, regardless of the dollar amount.
  • Intelligent ATM profiles build on the activity at specific ATMs relative to their normal behavior. This is specifically developed to deal with flash attacks at ATMs. ATM profiles also are very useful for issuers of EMV chip cards, which can have the mag-stripe and PIN compromised in-country and used fraudulently in a non-chip-compatible country, such as the U.S.
  • Adaptive cascading models are self-learning to an issuer's real-time fraud transactions. They identify specific transaction variables, such as dollar amount, location, transaction type and merchant. These are particularly useful when it comes to identifying fast-changing fraud patterns and reducing false positives.

Criminals Lie in Wait

The stamina of the criminals doing these crimes is indefatigable. They're keeping numbers and accounts stolen from past breaches and using them months and years later. Already this year, two different institutions, a bank in Colorado, First National Bank of Durango, and a credit union in Florida, MidFlorida Federal Credit Union, have experienced losses on cards stolen during the 2009 Heartland Payment Systems breach.

One thing is for sure: The industry will continue to see these attacks, both at ATMs and retail locations. ACI's Anand says that the card fraud spree seen in Seattle's Capitol Hill section last week also shows criminals are continuing to evolve their attack methods and the technology used to commit the fraud.



About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.