
Sifting the haystack: what are the must-have datasets for fraud teams?

(Image credit: Gustavo Frazao / Shutterstock)

It’s hard to overstate the impact of financial fraud. It is pervasive, destructive, and distressing for victims. It erodes trust in business and society, and exposes organisations to high levels of regulatory, reputational, and financial risk. According to UK Finance, in 2018, £1.2 billion was stolen through fraud and scams. That stolen money may be used to fund illegal activity that further damages society.

The problem is large and growing. Payment card-related fraud has seen a huge surge in the UK in the past year. Incidents of card-not-present (CNP) fraud grew 49 per cent between 2017 and 2018, while card ID theft rose by an incredible 119 per cent. This isn’t just a problem for card issuers and banks. Much of the data stolen to carry out this fraud has been taken via breaches of third parties. We’ve seen high-profile examples at retailers, transport, and utility companies.  

Fraud teams face a herculean task to identify fraud risk, track incidents, and predict where future risk will emerge. Big data gleaned from internal systems offers a vast hunting ground in which to detect evidence of fraud that has already taken place, but its sheer volume adds to the “needle-in-a-haystack” challenge. It’s tough for teams to know where to direct their efforts. External datasets provide crucial context about where threats are emerging, and help teams understand how these vectors will be used by the criminal community. Let’s look at what we consider to be the must-have external datasets for fraud teams.

Visibility of card shop data

Given the huge scale of payment card-related fraud it’s not surprising that there is a sophisticated underground industry fuelling the surge. In fact, in the case of CNP fraud, the illicit economy has matured to a degree that stolen data has become a commodity that can simply be sold and bought in a deep & dark web (DDW) marketplace.

Card shops are platforms where previously stolen card data is offered for sale. One of the most (in)famous is Joker’s Stash, but that’s just one of many underground platforms with links to stolen payment card data providers. This data includes sets of payment card numbers that are often packaged together with the information needed to validate transactions such as CVV codes, expiry dates, cardholder names and addresses. Buying stolen data means the fraudster doesn’t need the skills and risk appetite required to steal it, so the barriers to entry for this type of crime are lowered. Selling the data also means the actor who originally stole it can extract maximum profit from their theft.

Stolen card data is typically listed on card shops by its Bank Identification Number (BIN). This specifies the bank that issued the payment card. Fraudsters use this information to refine their tactics by analysing the security measures in place at that institution and adopting strategies to work around them.

Visibility of the data for sale in card shops can alert bank fraud teams to the compromised cards associated with their institution that are in the wild. However, further intelligence and context is needed to fully understand the threat immediacy and severity.

For example, some card shops are more reputable than others. Some are well-respected among the criminal community, with direct links to data thieves and confident enough in their product to even offer money-back guarantees if it doesn’t do the job. Finding compromised card data here is likely to indicate a recent breach and immediate risk. Less reputable card shops simply copy data from other marketplaces, with no regard to how recent or valid it is - they just want to make a quick buck. Finding data here does not necessarily mean a new breach has occurred. If fraud teams are not aware of this, they could waste time investigating a slew of cards that have already been cancelled.
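To make that triage concrete, here is an added Python example (not Flashpoint's tooling and not code from the article) that matches card-shop listings against an issuer's own BINs, ranks them by a hypothetical shop-reputation tier and listing age, and drops cards the issuer has already cancelled. The BINs, shop names, reputation tiers and feed records are all constructed for the illustration.

```python
"""Triage card-shop listings against an issuer's own BINs (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Hypothetical: BINs (first six digits of the card number) issued by our institution.
OUR_BINS = {"453201", "453202", "540321"}

# Hypothetical reputation tiers: "high" shops have direct links to data thieves,
# so a listing there points to a recent breach; "low" shops resell copied data.
SHOP_TIER = {"shop-alpha": "high", "shop-beta": "high", "recycler-x": "low"}

# Hypothetical: masked numbers of cards we have already cancelled.
ALREADY_CANCELLED = {"453201******1234"}


@dataclass
class Listing:
    shop: str
    masked_pan: str   # "BIN******last4", as a feed would mask it
    listed_on: date


def bin_of(masked_pan: str) -> str:
    return masked_pan[:6]


def triage(listings, today, stale_days=90):
    """Return (priority, listing) pairs for our BINs, most urgent first.

    2: high-tier shop, fresh listing  -> probable new breach, act now
    1: high-tier shop, stale listing  -> breach, but likely already known
    0: low-tier shop                  -> likely recycled data, review last
    Cancelled cards are dropped so analysts do not re-investigate them.
    """
    ranked = []
    for item in listings:
        if bin_of(item.masked_pan) not in OUR_BINS:
            continue                                  # another issuer's card
        if item.masked_pan in ALREADY_CANCELLED:
            continue                                  # no live risk
        tier = SHOP_TIER.get(item.shop, "low")        # unknown shops treated as low
        fresh = (today - item.listed_on).days <= stale_days
        priority = (2 if fresh else 1) if tier == "high" else 0
        ranked.append((priority, item))
    ranked.sort(key=lambda p: (p[0], p[1].listed_on), reverse=True)
    return ranked


FEED = [  # constructed feed records
    Listing("shop-alpha", "453201******4411", date(2019, 3, 2)),
    Listing("recycler-x", "453201******4411", date(2019, 3, 5)),  # copied listing
    Listing("shop-beta", "540321******9876", date(2018, 10, 1)),  # stale
    Listing("shop-alpha", "411111******0000", date(2019, 3, 4)),  # not our BIN
    Listing("shop-alpha", "453201******1234", date(2019, 3, 6)),  # already cancelled
]
```

Running `triage(FEED, date(2019, 3, 10))` surfaces the fresh shop-alpha listing first, the stale shop-beta listing second, and the recycler-x copy last; the foreign-BIN and cancelled cards never reach an analyst.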

Deep and dark web intelligence

While card shops are the go-to source for buying stolen payment card data, they’re not the only source for datasets that should interest fraud teams. DDW forums are also a mine of valuable information – if you know where to look.

These types of illicit forums are where cybercriminals share tips and discuss tactics on how to evade security protocols, as well as rate the various card shops. Analysing the chatter here can allow fraud teams to identify the card shops they need to prioritise, spot new tactics, and adjust their fraud prevention measures accordingly.

Intelligence from DDW forums can also be linked to internal data to uncover chains of activity associated with fraud. For example, in the case of account takeover activity, chatter might indicate that a mass phishing campaign is underway by a particular group. If this can be linked to the discovery of customer addresses for sale on a dark web marketplace, that raises the risk and teams should look for evidence of unusual activity patterns around the accounts related to those email addresses.

Encrypted chat platforms

With the takedown of various Dark Web sites, threat actors are moving illicit activities to other online venues that facilitate cybercrime. Encrypted chat platforms, such as Telegram and Discord, are one such venue. Threat actors are using these platforms to communicate more securely and to share mirrors, which are sites that contain nearly identical information to a DDW site but are hosted on different platforms.

In the case of card shops, DDW forums, and encrypted chat platforms, fraud teams are cautioned against attempting to access them first-hand. Doing this safely requires in-depth experience in navigating cybercrime communities. Many are invite-only and password protected, meaning only an intelligence agent with a trusted persona in the community will be able to gain access. Retrieving compromised data from card shops also usually requires a purchase, meaning the agent must procure cryptocurrency and engage directly with threat actors. This is a high-risk activity that is outside the scope of most fraud teams. At this point we recommend that teams seek the guidance and assistance of trusted experts.

Information-sharing communities

Another key resource for fraud teams is cyber threat intelligence information-sharing communities. These are the defensive counterpart of DDW forums. They aim to alter the balance of power, which currently favours cybercriminals, by enabling a safe environment for information exchange on the latest attack types, vectors, and tactics experienced by targeted organisations.

Intelligence-sharing communities have taken some time to gain traction, due to companies’ reluctance to admit that they have been attacked and to reveal the attack methods that exposed their weaknesses. However, realisation of the sheer scale of the threat is leading more businesses to engage with information-sharing communities, and they should be a pillar of fraud team activity.

The right datasets deliver

With any intelligence programme, the value of the analysis is only as good as the data from which it is derived. Business risk intelligence (BRI) provides fraud teams across all industry sectors visibility into must-have external datasets that provide essential context around the indicators of compromise that may be uncovered in internal data analysis. While internal data provides visibility into current and past activity, external data derived from card shops, DDW forums, encrypted chat platforms, and information-sharing communities can shine a spotlight on emerging risks and help teams sift the “haystack” more effectively to proactively identify and prevent fraud.

Josh Lefkowitz, Flashpoint