VISA, a global digital payments company, shared an updated look at how fraud had evolved since the height of the pandemic, with criminals simultaneously targeting online and offline vulnerabilities as our daily lives return to a blend of in-person and e-commerce experiences.
Paul D Fabara, Chief Risk Officer at Visa said that as in-person commerce returned to pre-pandemic levels, crooks were back to exploiting the physical points of vulnerability in retail stores, while continuing to capitalise on e-commerce through malware, ransomware and phishing attacks, amongst others.
“In fact, we are continuing to see high rates of skimming, growing over the already elevated levels of the winter of 2021, where fraudsters are jumping on the rise of in-person activity,” Fabara said.
Two new pieces of research – the latest Visa Biannual Threats Report and MIT’s Technology Review Insights study “Moving Money in a Digital World,” were released on this week in partnership with Visa – highlighting new and returning threats to the post-pandemic economy.
While fraud early on during the Covid-19 pandemic was concentrated on online scams, the firm said in-person attacks were now trending higher as criminals widened their scope to once again capture physical targets.
The past year experienced an increase in card-present threats such as physical skimming on ATMs and point-of-sale terminals – a trend that would likely persist. For instance, from June – November last year, Visa saw a 176% increase in physical skimming devices over the previous 12-month period.
Still, the digital commerce environment–vastly accelerated by the pandemic–remained the richest target for cybercriminals. Nearly three-fourths of fraud and data breach cases investigated by Visa’s Global Risk team involved e-commerce merchants–often social engineering and ransomware attacks. Digital skimming attacks targeting e-commerce platforms and third-party code integrations were common.
These were said to shine a light on the urgent need for stringent security controls on merchant websites and checkout pages, ensuring external code was not enabled in sensitive card holder environments. In fact, 42% of respondents in the MIT report said security measures were important for their customers, with 59% acknowledging that cybersecurity threats were the biggest challenge to expanding digital payments. Many were prioritising advanced security capabilities like digital tokens (32%), artificial intelligence and enhanced authorisation (43%).
Beyond attacks on traditional currency, threat actors were employing new tactics to defraud cryptocurrency users, including new malware focused on browser extension wallets for crypto users as well as innovation in phishing and social engineering schemes. Crypto bridge services were also a target.
From January through February this year, three sizeable thefts exploiting vulnerabilities in various bridge services were said to have netted cyber thieves over $400 million.
While cybercrime persists, Visa said it had increased its efforts to mitigate fraud. Over the past five years, the firm said it has invested more than $9 billion on network security.
“Visa employs more than a thousand dedicated specialists protecting Visa’s network from malware, zero-day attacks and insider threats 24x7x365. Visa also deploys AI-enabled capabilities and always-on experts to protect its ecosystem, pro-actively detecting and preventing billions of dollars of attempted fraud. In fact, Visa’s real-time monitoring with AI blocked over $4.2 billion in fraudulent payments volume in the last 12 months, preventing many from ever knowing they were at risk of a potential fraudulent transaction,” the company said.
Last month, Martin Potgieter, CIO at Nclose, a South African cybersecurity specialist, warned about the zero-day exploit a cyber-attack that exploits a previously unknown vulnerability to gain access to a system, platform, business and data, which were the tastiest treats known to hackers. Last year, the 0-Day Tracking Project found nearly double the number of vulnerabilities that were discovered in 2020, and this year, half of the zero-days found have been variants of previous ones. Furthermore, Google’s Project Zero, a team that was dedicated to hunting for zero-day attacks and vulnerabilities, declared in April this year that, it turned out that “the more you know, the more you know you don’t know”, and that, in a nutshell, that was why everyone should be worried.
BUSINESS REPORT