So-called sophisticated attacks monitored by Mastercard Inc. subsidiary NuData Security jumped 430% in late 2019, with fraudsters deploying more human-aided online attacks rather than fully automated ones in order to fool the defenders.
Those findings come from NuData’s “2019: Fraud Risk at a Glance” report released Thursday. NuData, a Vancouver, British Columbia-based antifraud specialist that Mastercard bought in 2017, uses behavioral biometrics to spot attempts at account takeovers, e-commerce fraud, or other suspicious activity. Behavioral biometrics is a science that tries to detect imposters’ fraudulent activity in real time by comparing their online behavior with the known patterns of a genuine user, such as the speed and rhythms of the way a person types on a keyboard, the way the legitimate account holder uses a smartphone, and numerous other related metrics.
The report, which tracks attacks on NuData’s network of clients from January to October, says human-driven attacks jumped from about 1,000 in July to nearly 28,000 in September before falling off in October. In all, human-driven attacks remained steady for more than half the year before increasing by 330% in the last four months of the study period.
In many such attacks, fraudsters pay workers in developing countries to complete logins and enter other information manually in order to bypass a bank’s or e-commerce site’s defenses against bad bots—malicious software applications designed to run repeated code on their own. Bots can unleash massive attacks on the login pages of retailers, banks, and credit unions, or any organization with personal or financial data accessible through the Internet.
NuData also says “sophisticated attacks, those focused on quality rather than volume, have grown 430% since July, compared to the previous seven months.” One sign of a sophisticated automated attack is a software script that is forced to type account information, such as usernames and passwords, on a keyboard even when it doesn’t need to, in order to seem human.
Other signs, according to NuData, include the use of irregular pauses and keystroke patterns that indicate a person rather than a bot is entering the data, and the pairing of Internet Protocol (IP) and location data so that all signs point to one location for the user. Such pairings are more costly than the commonly used randomized IP and location data, which is more likely to trigger a fraud alert.
“Bot-detection tools, improved CAPTCHAS, and other technologies that mitigate automation are starting to affect bad actors,” NuData’s report says. “As expected, fraudsters look for alternatives to bypass these bot challenges, especially when targeting high-value accounts, such as financial accounts or merchant accounts with stored value.”