Consumers are more aware than ever when it comes to protecting their credit card accounts and online payments. But even as there are new solutions, fraudsters are always evolving their techniques.
The rise of social media posts has, for example, created a goldmine for fraudsters looking to break down secure payment systems by homing in on certain emotions, according to Christopher Novak, director of investigative response at Verizon Enterprise Solutions.
Hackers are “more crafty in ways that involve more social interaction. By looking at social media posts, they can find like-minded consumers, gain trust, and then approach (targets) in ways that are easy, by asking them certain questions.”
It’s about building a profile of habits, opinions and schedules and then identifying what vulnerabilities, such as fear or excitement, might spark an action that could yield compromising information.
Fraudsters piggyback on companies as they reach out to customers via an increasing array of platforms such as texting and messaging apps.
“You might get a message from your bank or your travel agent, saying that you need to call right away, and that your account has been compromised or that your vacation plans have changed,” said Novak.
Other scenarios include phishing messages such as ones to loyal brand followers about a limited-time offer or “flash sale” that exploit a rushed sense of passing opportunity. Busy, multi-tasking executives might get a phishing message just as they are making several flight connections or hurrying to be on time for a meeting.
These are deliberate attempts to tap emotional lapses “when someone is less likely to think” carefully before passing on personal information, said Novak.
Another tactic growing in use involves ransomware. It is also spread through phishing emails, texts and messages, and involves encrypting files, information or accounts and holding access to them hostage until a payment is made.
“The only option is to pay in Bitcoin,” said Novak. “In the old days, it would be payment via Western Union,” the cash transferring company.
Novak spoke on the sidelines of a conference presented this week in Vancouver by PCI Security Standards Council. Cybersecurity experts from around the world gathered to discuss new “threat trends.”
On Wednesday, PCI’s council announced a partnership with the Women’s Network in Electronic Transactions to create greater diversity in leadership within the payment security industry.
“A team of people with different backgrounds and perspectives is better equipped to identify solutions than a team made up of people with common backgrounds and experiences. Hackers and cybercriminals also come from all types of background, and having a variety of perspectives and experience is good,” said Emma Sutcliffe, the council’s newly appointed Global Head of Standards. She is based in Vancouver and is the first woman to hold the position, which focuses on setting security guidelines for the North American payment industry.
Novak said technology can play an important role in mitigating payment fraud. Multi-factor authentication, which requires an additional password or a code sent to a different device, is helpful. Many people use it for certain transactions, but don’t know it can be set as an option on a wider range of apps and accounts.
There have been suggestions that using personal fingerprints or iris recognition could provide the ultimate level of personal verification when it comes to making credit card or online payment transactions, but Novak isn’t convinced.
“It’s not a silver bullet,” said Novak. While passwords can be changed and changed, “you can’t change your palm or your eyes. What happens if that information gets hacked?”