A long time ago (almost 15 years!), on a fraud mitigations team far, far away (a team that has since ceased to exist), we determined:
• “Honeypotting” could be one of our best defenses against card fraud.
• Test transactions ($1 or less, so as to be unidentifiable by detection engines) would allow us to stop higher-risk fraudulent transactions later on.
We learned more about how bad actors purchased compromised card details and worked out how to embed our detection controls in the Dark Economy ecosystem. It was a game-changer and immediately created a shift from reactive to proactive strategies.
Ultimately, we came away with a lesson that would save consumers tens of millions of dollars a year: If test transactions worked for criminals to ensure a card had “open to buy” (available credit), then we could use the same test transactions to determine whether the card would go fraud shortly thereafter.
These micro charges became a trigger (we were clear on it and had confidence that our predictive logic ensured a 100% fraud rate). We let them go through to encourage the bad actor to use the card for larger fraudulent transactions in the future, which we could then stop – a full policy shift, and one we could evangelize to our peers.
A New Hope (alternatively: It’s a trap!)
Once the fraudster set foot in their brick-and-mortar merchant of choice with our card – tested and, they thought, ready to buy whatever they liked – the trap was set. The bad actor would select the good(s) or service(s) they wished to purchase and then hand over their card for swiping. The card would be declined at this point of sale, and the fraudster would leave either empty-handed or, worse, in handcuffs.
It was a spectacular moment for us card fraud rebels, flyboys of the rebellion, signaling A New Hope in the fight against an expanding empire of fraudsters. No longer did we rely on primitive defenses like blocking merchants or entire geographies. We could find sophisticated new strategies and build logic around how the bad guys executed their MO. We didn’t know it at the time, but this was threat hunting: the activity of finding precursors to illicit activity to be used in downstream deterrence.
Rebellions – then and now – are built on hope, and as the Empire (of new fraudsters) Strikes Back, with a near fully operational arsenal of GenAI-enabled battle stations, it pays to be armed with what we have at the ready today against online banking fraud.
The Empire Strikes Back (or: That’s no moon)
Now, a lot has transpired over the last decade and a half. The intellectual rights to our favorite furry nerf herders were transferred, and we now have new tangents of the canon, which we can stream at our leisure. Our hard-fought advancements in fraud prevention technology – like EMV chip cards – have made life harder for bad guys. Still, bad actors continue to find new ways to engage authorized users to participate in their fraud schemes for more reliable economic outcomes. If online/mobile banking is the new battlefield, GenAI appears to be the superweapon of the future.
But as with any Death Star, there is always a weakness to exploit.
Bad actors are always going to find it challenging to accomplish much without leaving a trail of breadcrumbs. We saw this in the threats of yesteryear, we see it in the threats of the present, and we’ll see it in the threats of the future. These breadcrumbs, like the test transactions we used as our honeypot so many years ago, are the points of access for an online banking account takeover, money mule activity, and all things in between: any time an online account is accessed by someone who is not the authorized owner of the account. This leads us to the breadcrumbs we can leverage in today’s world.
The Return of the Jedi
As an industry, we have historically used visual link analytics as graphical showcases to demonstrate network activity between account-to-account payments. We have not yet leveraged behavioral biometrics to power this imagery feature set, however, and doing so could make all the difference.
Consider the power of being able to connect illicit activity between access points, individuals, and accounts – well beyond just payments. Essentially, this allows the investigator to proactively identify relationships and intercept activity well before any money movement takes place. They can inventory the accounts that are most at risk and quarantine them before they experience any illicit or unauthorized activity. These are the Death Star plans that our finest men gave their (work) lives for. This is what BioCatch Scout makes possible.
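The linking step described above, as an added example (not BioCatch Scout code and not from the original post): starting from accounts known to be compromised, it walks shared access points to inventory connected accounts for review. The session records, the `max_hops` and `max_degree` parameters, and the rule that widely shared access points are ignored are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed session records: (account, access point). Not real data.
SESSIONS = [
    ("acct-100", "dev:a1"), ("acct-100", "ip:203.0.113.7"),
    ("acct-200", "dev:a1"),
    ("acct-300", "ip:203.0.113.7"), ("acct-300", "dev:c3"),
    ("acct-400", "dev:c3"),
    ("acct-500", "ip:198.51.100.1"), ("acct-600", "ip:198.51.100.1"),
    ("acct-700", "ip:198.51.100.1"), ("acct-100", "ip:198.51.100.1"),
]

def at_risk_accounts(sessions, seeds, max_hops=2, max_degree=3):
    """Breadth-first walk account -> access point -> account from seeds.

    Access points shared by more than max_degree accounts (carrier NAT,
    public Wi-Fi) are ignored so they do not link unrelated customers.
    Returns {account: (hops, linking_access_point)} excluding the seeds.
    """
    by_account, by_point = defaultdict(set), defaultdict(set)
    for account, point in sessions:
        by_account[account].add(point)
        by_point[point].add(account)

    found = {}
    seen = set(seeds)
    queue = deque((s, 0) for s in sorted(seeds))
    while queue:
        account, hops = queue.popleft()
        if hops == max_hops:
            continue  # do not expand beyond the hop limit
        for point in sorted(by_account[account]):
            linked = by_point[point]
            if len(linked) > max_degree:
                continue  # too widely shared to count as evidence
            for other in sorted(linked - seen):
                seen.add(other)
                found[other] = (hops + 1, point)
                queue.append((other, hops + 1))
    return found

if __name__ == "__main__":
    hits = at_risk_accounts(SESSIONS, {"acct-100"})
    for acct, (hops, via) in sorted(hits.items()):
        print(f"{acct}: {hops} hop(s) from a compromised account via {via}")
```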
It’s not all that dissimilar to the old school honeypotting exercises we used to engage in, especially once you identify the accounts and use the knowledge of their compromise to understand the bad actor’s next move. So threat hunting takes a new turn: we can use these new tools to understand the new networks, and efficiently prioritize operational resources and the newly acquired threat intelligence to mitigate these risks.
Very Rogue One of us.
Do or do not. There is no try.
Essentially, what we have today is a new compounded threat. This one is payment-preferential but ultimately agnostic, cross-channel, and seeking to obfuscate its patterns to maximize the economic returns of its illicit activity. But the commonalities between these dissimilar eras are quite revealing: We can go threat hunting, acquire intelligence, and leverage it to go on the offensive, deterring bad actors from future attacks by toxifying a brand in their eyes and interdicting their illicit activity.
The more times bad actors get burned by a financial institution that succeeds in outmaneuvering those attackers and/or putting them on a course for apprehension, the less of a preferred target that institution becomes. Better yet, these banks are often avoided or ignored by bad actors, freeing up resources that were previously overcommitted to detection activities and creating more opportunities for threat hunting.
This is the virtuous cycle. The Jedi are now able to seek balance in the force and focus on sustaining their order, training, and further enlightenment. You might call it a hokey religion with ancient weapons when all you want is a good blaster at your side and a full stack of defensive solutions at your disposal, but gaining access to insights into threats before they’re exercised—well, the force is strong with that approach.