August 01, 2013

Fraudsters have proved to be creative in the ongoing security battle with banks, constantly finding new ways to circumvent banks’ defenses. Banks have been fortifying their online authentication and protections for years now in response to online fraud.

To counter those defenses, fraudsters are now devising new ways around the online protections banks have built to thwart them. Guardian Analytics has detected two such schemes that help fraudsters slip past the safeguards banks have enacted and get to their customers’ money.

Disposable Email Addresses

Everybody hates getting their email inbox overwhelmed with spam. With that in mind, some consumers have started using disposable email addresses that they can use, for example, when purchasing a product online so that any future unwanted emails from the seller are sent to the disposable address. Google and Yahoo have offered such temporary addresses for a while, says Craig Priess, Guardian Analytics' founder and vice president of products.

But Google and Yahoo aren’t the only providers, and some of the others, such as Mailinator, don’t require users to register for a disposable address at all -- the inbox is created automatically when a message arrives at it. After a period of inactivity the account is often removed from the provider’s servers.

This makes it very difficult to trace the owner of the address, and makes these email accounts a good weapon for fraudsters, Priess points out.

Over the last nine months Guardian has noticed an increase in attacks using disposable email addresses to execute fraudulent transactions that require email verification, Priess reports.

Fraudsters conducting these attacks typically begin by stealing login credentials and then changing the email address associated with the account to a disposable one, he explains. They then initiate a transaction that requires email approval, such as a wire transfer. The confirmation email goes to the disposable address, where the fraudster approves it.

Guardian estimates from its own data that nearly one in three fraud cases involving a changed email address were conducted with a disposable email address, Priess says.

“There is a growth in the popularity of these disposable email addresses for legitimate purposes, so these types of addresses should be a concern for banks,” Priess notes. “They are not conducive for banking activity though -- it won’t help the customer get alerts. These addresses aren’t a clear indicator of fraud, but they should raise a red flag.”

If a bank finds that an email address in a customer’s account has been changed to a disposable one, Priess advises the bank to look at other potential changes to the profile and be on the lookout for transactions initiated from the account that would require an email confirmation.
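One way to operationalize that advice is to correlate a profile change to a disposable address with any email-confirmed transaction that follows it on the same account. The Python below is an added example, not the article's or Guardian Analytics' own logic; the event schema, the list of disposable domains, the seven-day window and the sample event stream are all constructed for illustration.

```python
"""Correlate a profile change to a disposable email address with a later
email-confirmed transaction on the same account.

Added example, not Guardian Analytics' product logic. The Event schema, the
DISPOSABLE_DOMAINS list, WINDOW and SAMPLE_EVENTS are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample of throwaway-inbox providers. A real list is large,
# changes often, and should be maintained as reference data.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "yopmail.com"}

# An email-confirmed transaction within this window of a disposable-address
# change is escalated to an alert; the change alone is only flagged for review.
WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str                    # "email_change" or "transaction"
    detail: str                  # new address, or transaction type
    amount: float = 0.0
    email_confirmed: bool = False


def is_disposable(address: str) -> bool:
    """True if the address's domain, or any parent domain, is on the list.

    Parent-domain matching catches provider subdomains such as
    foo.mailinator.com; the comparison is case-insensitive. A string with
    no '@' is not an address and is never treated as disposable.
    """
    _, at, domain = address.rpartition("@")
    if not at:
        return False
    labels = domain.lower().strip(".").split(".")
    # Check "a.b.c", then "b.c"; never the bare TLD.
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS
               for i in range(len(labels) - 1))


def flag_suspicious(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (severity, account, message) tuples in time order.

    severity is "review" for a change to a disposable address and "alert"
    for an email-confirmed transaction within WINDOW of such a change.
    """
    findings: List[Tuple[str, str, str]] = []
    last_change: Dict[str, datetime] = {}   # account -> time of disposable change
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "email_change":
            if is_disposable(ev.detail):
                last_change[ev.account] = ev.ts
                findings.append(("review", ev.account,
                                 f"email changed to disposable address {ev.detail}"))
            else:
                # A later change to an ordinary address closes the window.
                last_change.pop(ev.account, None)
        elif ev.kind == "transaction" and ev.email_confirmed:
            changed = last_change.get(ev.account)
            if changed is not None and ev.ts - changed <= WINDOW:
                minutes = (ev.ts - changed).total_seconds() / 60
                findings.append(("alert", ev.account,
                                 f"{ev.detail} of {ev.amount:.2f} confirmed via disposable "
                                 f"address {minutes:.0f} min after change"))
    return findings


# Constructed sample stream; accounts and timestamps are synthetic.
SAMPLE_EVENTS = [
    Event("A-1001", datetime(2013, 7, 1, 10, 0), "email_change", "throwaway42@mailinator.com"),
    Event("A-1001", datetime(2013, 7, 1, 10, 35), "transaction", "wire", 8500.00, email_confirmed=True),
    Event("A-2002", datetime(2013, 7, 2, 9, 0), "email_change", "jane.doe@example.com"),
    Event("A-2002", datetime(2013, 7, 2, 9, 20), "transaction", "wire", 2000.00, email_confirmed=True),
    Event("A-3003", datetime(2013, 6, 1, 8, 0), "email_change", "temp@mail.yopmail.com"),
    Event("A-3003", datetime(2013, 7, 15, 8, 0), "transaction", "wire", 3000.00, email_confirmed=True),
]

if __name__ == "__main__":
    for severity, account, message in flag_suspicious(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {account}: {message}")
```

On the sample stream, A-1001 produces a review finding for the address change and an alert for the wire confirmed 35 minutes later; A-2002 changed to an ordinary address and is not flagged; A-3003 is flagged for review only, because its confirmed wire falls outside the window. Exact-domain matching alone would miss the yopmail subdomain, which is why the check walks parent domains.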

“Banks have worked hard to put controls in place after the authentication process has been compromised. This shows fraudsters have found ways to get around those controls and evade detection while initiating transactions once they’re inside the account,” Priess says.

Tech Support Scams

Over the last six months banks have also seen an increase in another scheme that fraudsters have used for a while to gain access to bank accounts, Priess adds.

The fraudster calls up an account holder pretending to be tech support -- usually for Microsoft Windows -- and tells the victim that they have malware on their computer. Once the fraudster has gained the victim’s trust, they ask for remote access to the computer to remove the malware. Once that remote access is gained, they change the security settings on the victim’s computer and then install malware to steal the victim’s bank credentials. The fraudster then logs into the victim’s account and initiates a fraudulent transaction -- often while the victim is watching but can’t do anything about it.

To the bank the fraudulent transaction in these cases looks legitimate, Priess points out, because it is originating from the victim’s own computer.

The fraudster sometimes also demands payment to remove the alleged malware before trying to gain remote access, Priess adds.

Fraudsters are relying more on social engineering schemes like this one because banks have fortified their online channels and customers are becoming more aware about their online security, Priess comments. Guardian has also seen increased use of social engineering attacks by fraudsters via online chat and the call center, Priess reports. “Social engineering helps [fraudsters] pick the low-hanging fruit,” Priess says.

To help prevent these attacks banks need to pay attention to unusual behavior in customer accounts. The fraudulent transactions are generally going to be out of the norm compared to the customers’ historical behavior, Priess suggests. Banks also need to help educate customers about such social engineering schemes, as preventing these attacks is often outside of the bank’s control, Priess adds.
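Because the transaction in a remote-access scam comes from the customer's own machine, device and IP checks pass; what stands out is the transaction itself measured against the account's history. The Python below is an added example, not the article's or Guardian Analytics' method: it builds a per-account baseline (payees, transaction types, devices, amount distribution) and scores a new transaction against it. The transaction schema, the sample history, the point values and the hold threshold are constructed for illustration.

```python
"""Score a transaction against the account's own historical behavior.

Added example, not Guardian Analytics' method. The Txn schema, HISTORY,
the point values and HOLD_THRESHOLD are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    account: str
    payee: str
    kind: str          # e.g. "billpay", "transfer", "wire"
    amount: float
    device_id: str


# Constructed: a score at or above this goes to out-of-band verification.
HOLD_THRESHOLD = 4


def baseline(history: List[Txn]) -> Dict:
    """Summarize what is normal for this account from its past transactions."""
    if not history:
        raise ValueError("cannot build a baseline from an empty history")
    amounts = [t.amount for t in history]
    return {
        "payees": {t.payee for t in history},
        "kinds": {t.kind for t in history},
        "devices": {t.device_id for t in history},
        "mean": mean(amounts),
        "std": pstdev(amounts),   # 0.0 for a single-transaction history
        "max": max(amounts),
    }


def score(txn: Txn, base: Dict) -> Tuple[int, List[str]]:
    """Return (points, reasons) for how far txn departs from the baseline."""
    points = 0
    reasons: List[str] = []
    if txn.payee not in base["payees"]:
        points += 2
        reasons.append(f"payee '{txn.payee}' never used before")
    if txn.kind not in base["kinds"]:
        points += 2
        reasons.append(f"transaction type '{txn.kind}' never used before")
    if txn.amount > base["max"]:
        points += 1
        reasons.append(f"amount {txn.amount:.2f} exceeds prior maximum {base['max']:.2f}")
    if txn.amount > base["mean"] + 3 * base["std"]:
        points += 2
        reasons.append("amount more than 3 standard deviations above the mean")
    # Deliberately no credit for a recognized device: in a remote-access scam
    # the transaction is typed on the victim's own machine, so the device and
    # IP look normal and must not be allowed to clear the transaction.
    if txn.device_id in base["devices"]:
        reasons.append("known device (expected in remote-access fraud; not exculpatory)")
    return points, reasons


def disposition(points: int) -> str:
    return "hold for out-of-band verification" if points >= HOLD_THRESHOLD else "allow"


# Constructed history: six months of routine bill payments from one device.
HISTORY = [
    Txn("A-1001", "City Utilities", "billpay", 120.00, "dev-home-01"),
    Txn("A-1001", "Acme Mortgage", "billpay", 1450.00, "dev-home-01"),
    Txn("A-1001", "City Utilities", "billpay", 118.50, "dev-home-01"),
    Txn("A-1001", "Acme Mortgage", "billpay", 1450.00, "dev-home-01"),
    Txn("A-1001", "City Utilities", "billpay", 121.00, "dev-home-01"),
    Txn("A-1001", "Acme Mortgage", "billpay", 1450.00, "dev-home-01"),
]

# Constructed candidates: a routine payment, and a wire initiated from the
# same trusted device during a "tech support" remote-access session.
LEGIT = Txn("A-1001", "City Utilities", "billpay", 119.00, "dev-home-01")
SCAM = Txn("A-1001", "Overseas Beneficiary", "wire", 9800.00, "dev-home-01")

if __name__ == "__main__":
    base = baseline(HISTORY)
    for txn in (LEGIT, SCAM):
        pts, why = score(txn, base)
        print(f"{txn.kind} {txn.amount:.2f} to {txn.payee}: {pts} -> {disposition(pts)}")
        for r in why:
            print("   ", r)
```

The routine payment scores zero and is allowed. The wire scores seven (new payee, new transaction type, above the prior maximum and far above the mean) and is held, even though it came from the customer's usual device. Holding it for out-of-band verification, such as a call to a number already on file, is what gives the victim a chance to say they are on the phone with "tech support" right now.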


ABOUT THE AUTHOR
Jonathan Camhi is a graduate of the City University of New York's Graduate School of Journalism, where he focused on international reporting and interned at the Hindustan Times in Delhi, ...