E-Skimming to Crypto Fraud, the Modern Ways Fraudsters Steal Money

Posted: 25th August 2022
By: Sam Langrock

Part 2 in a 3-part interview series with former Gemini Advisory CEO and current Recorded Future VP of Fraud Solutions, Andrei Barysevich

On March 16th, 2021, revolutionary fraud analytics provider Gemini Advisory was acquired by Recorded Future, and recently rebranded as Recorded Future Payment Fraud Intelligence. I sat down with Andrei Barysevich, the former Gemini Advisory CEO and current Recorded Future VP of Fraud Solutions, to discuss the early trials and tribulations of Gemini, the transition to Recorded Future Payment Fraud Intelligence, and his thoughts on the future of payment fraud for an exclusive three-part interview series.

This interview has been lightly edited for clarity and brevity.

There are many solutions out there (passive biometrics, contextual fraud analytics, etc.) that promise to help reduce fraud. What makes Recorded Future different?

To begin, none of the tech described is truly prevalent in the market. We do see some early adoption across different geographies, but then again, every market is different. For example, the chip-and-pin has been a staple of the in-person payment card industry in Europe for many, many years. However, it wasn't truly deployed across the US until a couple of years ago. We're now seeing some legislative efforts made in the UK and Europe to at least attempt to limit fraud in online transactions. It has been years in the making, and it's still going to be some time before both merchants and their customers accept it.

Looking more specifically at the United States, we've always been lagging in terms of any sort of fraud prevention measures when compared with other countries, despite being a dominant player in the market and having a buying power that is significantly higher than anywhere else in the world. The levels of fraud in the US are extremely high, while the technology used is, in some respects, incredibly rudimentary when compared to other countries.

To answer the heart of the question, what Recorded Future has shouldn't be viewed as a standalone product where you have to choose if I'm going to use passive biometrics or I'm going to use Recorded Future. It's one of those cases where the combined power of several tools increases significantly when you layer them together. For example, we know our solution helps improve fraud detection tools, such as FICO Falcon, which has been around for 20 years and is used by pretty much every second bank in the US, maybe even globally. We've seen from our client success stories that the tool's effectiveness has increased significantly once they added intelligence on compromised payment cards for sale on the dark web. A customer even lowered their false positive rate for declines by 5x. We're not just another tool to collect dust in the shed; our intelligence is purpose-built to fit in with what our clients are already using and help them understand what cards are in danger of seeing fraudulent transactions.

One of the solutions under the Payment Fraud Intelligence umbrella is geared towards finding Magecart infections on e-commerce sites. Why do you think it's important that both financial institutions and merchants have a solution to detect these infections?

If you want to solve the problem of payment fraud, you need to cut the head off the snake, and the head of the snake comes in the form of Magecart attacks. (Magecart refers to cyberattacks in which hackers implant malicious code into websites and third-party suppliers to steal credit card info.) The leading cause of stolen payment card data now comes from Magecart infections.

If you've noticed, very rarely nowadays do you hear about attacks against large multinational corporations. Probably the biggest one we've heard of was the attack on British Airways, but that was about four or five years ago. The results of our intelligence show that the level and the quality of attacks have increased year over year, and correspondingly the number of victims has increased year over year. Yet, the size profile of the companies that are victims remains very small, especially compared to some of the larger institutions out there.

Hackers know the big companies have resources to protect their website and their e-commerce businesses, to the point where it would be very difficult and take a long time for an attacker to manage to break in. However, many mid-sized businesses don't have the resources, and looking further down the ladder, small family businesses have zero resources. They have no idea what a Magecart infection is, and the vast majority of stolen card data we find on the dark web these days comes from these smaller data breaches. On top of that, in the past, it was much easier for banks to identify the source of compromise when all the cards came from a single log data breach. It was very easy for them to analyze the data, to see where all the cards were coming from. Now, when you're dealing with thousands of smaller websites – exposed on a monthly basis – it's almost impossible for a single bank to identify the source of a compromise.

This is where our Magecart Overwatch solution comes into play. It allows us to identify data breaches almost in real-time and monitor them so we can alert our clients not only when a data breach has occurred but also when it has been fixed. There's no more data exfiltration on the exposed website, enabling the bank to be more accurate and prescriptive in their fraud mitigation efforts.

Given the privacy laws that have been rolled out over the past few years, such as GDPR and CCPA, do you foresee these payment breaches leading to more lawsuits?

Certainly, I think we've already seen several examples of online businesses being fined for data breaches. The amount of the fines was significantly smaller compared to some other types of data breaches where highly sensitive Personally Identifiable Information (PII) data got compromised; for example, Equifax comes to mind. Yet, if we start seeing government agencies going after smaller businesses for data breaches, then most likely, it will ring the alarm bell, and they'll have to start looking into the problem and examine solutions that can provide visibility into their own assets. I think it's only a matter of months – not years – before we start seeing the first evidence of lawsuits happening on a more prevalent basis.

Fraudsters are using a number of methods to skim payment data. What method are they using that's most surprising to you?

When the criminals are using legitimate, trusted infrastructure, like for example Google Tag Manager. Even though it's a legitimate service offered by Google, the bad guys have found an ingenious way to leverage it for their Magecart attacks. They have been putting it to use very successfully.

We see a lot of criminal and fraudulent activity in the crypto space. What kind of companies need to be wary of this activity, and what kind of solutions do they need to combat malicious crypto activity?

We all know crypto is a highly decentralized asset and has been enjoying a pretty loose compliance environment. However, we are now starting to see more and more regulation coming from governments across the globe, especially where companies are willing to deal with crypto. For example, Fidelity announced a few months ago that they plan on using crypto to support their retirement funds. They're investing in hiring hundreds of people, and I would say the foremost thing the business needs to be aware of is the compliance issue. They need to make sure they're not facilitating criminal activity, and are not getting caught up in money laundering -- this is what Bitcoin and some other cryptocurrencies are well known for. Nobody associates decentralized payment systems with a halo and angel wings. Everybody talks about criminals, bad guys bypassing traditional financial systems and easily transacting millions of dollars without any fear of repercussions or any fear of law enforcement action. But now, as we see more and more legitimate businesses investing in crypto and more and more established financial organizations exploring crypto as the next frontier, my opinion for them is that their highest priority needs to be compliance and making sure that they're not facilitating criminal activity.

To do that, they need to understand their customers. They need to understand the whole chain of a single transaction. This is the beauty of a blockchain world. We were always talking about blockchain as something nefarious, at least a lot of times, we're talking about blockchain being nefarious. However, we forget that blockchain has a positive aspect to it, which is full transparency. You can always check the full cycle of transactions. Only because you get in money now doesn't mean the trail stops with the sender; you can actually track twenty transactions behind to see the full flow of funds. Being able to track the full cycle and having visibility on if the funds have ever been linked to criminal activity in the past is incredibly powerful. This is where Recorded Future's cryptocurrency monitoring offering comes into play. We're building on the experience we've accumulated when gathering compromised card data from the cyber underground – and are now delivering the same quality of intelligence for the crypto industry.
