Move over traditional card fraud, there’s a new kind of attack in town: nuanced authorization fraud.
This new form of attack has emerged in recent weeks, and it’s sophisticated and strategically executed to thwart standard protocols.
A new fraud scenario
Picture this: You see a transaction for $14.99 come through, and it’s not flagging as a velocity transaction because it’s a single transaction that moved through 3D Secure (3DS). To your systems, it looks and feels like a legitimate transaction.
Fraudsters then are taking that initial authentication, and they are reusing it, pushing through trailing transactions for hundreds of dollars to a completely different merchant. As the issuer, we're blind to it, because we're writing our rules within 3DS, and it's not triggering the transactions that are coming through on the back end.
By the time we see these new transactions in our authorization systems and wonder why they aren’t also replicated in 3DS, it’s too late to stop them. Essentially, in this scenario, fraudsters figured out how to hit 3DS and double-down on the damage.
We discovered it when our fraud strategist realized the new transactions weren’t in 3DS. Anything that comes through as secure will show in 3DS; if it’s not there, something is amiss. Data doesn’t lie, and the information should match apples to apples. When it doesn’t, well, that’s our newest red flag.
Protecting your bank
Unfortunately, scenarios like this are becoming far too common, and community banks need to take steps to level up their fraud prevention programs. The following tips will help your bank navigate not just this type of attack, but other forthcoming scenarios that will leverage increasingly complex approaches to avoid standard detection.
-
Once you have identified an occurrence of authorization fraud, block the specific acquiring BIN. In diving deeper into these attacks, we’ve discovered that the acquiring BIN is the common link between fraudulent transactions. Once you get it and block it, you’re able to stop the hemorrhage. Of course, they will likely move on to a new BIN, but you will be on the lookout now.
-
Alert your peers. As new attacks emerge, our best resource remains one another. Make sure the different departments within your bank are watching out for minute anomalies like systems not matching up. If the transaction doesn’t match in 3DS, escalate it to your supervisor or analyst. Flag unusual behavior for one another. Also, utilize ICBA Community and relevant industry forums to share your experiences and offer a heads up to your community bank peers. In short, if you see something, say something within your bank, to your peers, and to ICBA. Because working together, we are more likely to stave off emerging attacks.
-
Learn from the scenario. If this had happened to you, when would you have noticed? What steps can you put in place to double-check anomalies or when systems don’t align? What other similar scenarios can you imagine emerging, and how do you protect against them? Having a strategic discussion with your fraud team can lead to stronger protocols and safeguards.
-
Submit merchant complaint forms to Mastercard and Visa. It’s relatively easy for a merchant to be set up with 3DS, and the networks know that. When these new fraud scenarios arise, make sure to report the merchant involved. The more people who report it, the more data the networks have, and the more likely the fraud will be shut down. Also, please don’t rely solely on your processor. Community banks need to take matters into their own hands in these scenarios and submit the complaint.
-
Take advantage of ICBA Payments’ Fraud Loss Protection Plan (FLPP). In today’s environment, it’s not if you will suffer a fraud loss but when. One of the best ways to mitigate that risk is to have some protection in place to lessen your potential for losses when they occur. FLPP helps banks recuperate losses on credit and debit card fraud, including lost, stolen, or counterfeit cards, as well as account takeovers and eCommerce fraud.
The moral of the story: Attacks are no longer just transactional fraud. This form of fraud is complex and nuanced, and by the time the analyst figures out what happened, the money is already gone. Community banks have to be quicker and better at raising red flags early to ensure we protect our banks and customers against this new type of strategic, operational attack. Working together, we can make strides toward protecting our banks and our customers.
For more information or to discuss fraud prevention measures, contact the ICBA Payments Team.