GRADUATION: JUST ANOTHER OPPORTUNITY FOR TRIANGULATION FRAUD

Share This Post

2020 has been full of disappointments. But that hasn’t stifled the will to find silver linings and make the best of a crummy situation. For families and friends of graduates—from college to preschool—that has meant shopping online for decorations to adorn homes and vehicles, gifts, and gift cards. And according to the National Retail Federation’s annual survey conducted by Prosper Insights and Analytics, 30% of respondents will buy a gift for a graduate in their life this year. Total spending is expected to reach $5.1B with an average spending of $112.30. While 2017 topped the graduation spending charts at $5.59B, it’s far more likely that consumers and companies will be impacted by fraud in 2020.  

Effects of COVID-19 are still in full swing. Even as retailers begin to reopen, stay-at-home mandates and social distancing measures have moved lives online—including shopping. Now even baby boomers are buying mostly or entirely online as a direct result of the pandemic. But it’s not just online shopping that has grown, its other avenues for these transactions like buy online and pickup in stores, too.  

When More Transactions Breed Bad Behavior  

One thing we know for sure is that when the volume of transactions increases and technologies to support those transactions expand, it is far easier for cyber criminals to hide and perpetuate fraud. This stems from several problems: 

  1. Often companies do not know the entirety of their attack surface 
  2. Each entry point may require a different type of protection, which can be challenging to achieve from a resources perspective 
  3. User cyber hygiene remains a problem (e.g. reusing username/password combinations) 
  4. Fraud is becoming more and more sophisticated

The last point is one to note. Even if companies knew every entry point into their infrastructure, had tight security, and had perfectly secure users, the evolution of sophisticated fraud remains an outstanding issue. Predicting the next iteration of attacks is often too little too late—only finding the once unknown threat after money is withdrawn from bank accounts, gift card values stripped, and accounts hijacked—and this is because so many security vendors rely on detection-first technology. For the retail industry, Triangulation Fraud is a prime example of escaping detection despite cybersecurity measures in place. 

What is Triangulation Fraud? 

Triangulation Fraud begins with an all too common denominator in attacks—stolen credentials. Do we bemoan credential stuffing attacks here? Perhaps. But for good reason. The simplistic bot attack is a springboard to a variety of sophisticated attacks. 

During Triangulation Fraud, a fraudster uses stolen credentials to gain access to a legitimate retailer account—let’s use Amazon as an example. Once inside the Amazon account, the criminal then has access to a bounty of personal and financial information. Now if this were any old fraud, an illegitimate purchase could be made at this point in the attack, but there would be a trail. And as we said, fraud is getting more sophisticated. So instead, the fraudster creates a listing for an in-demand item on another site—let’s use eBay in this example—but the item is marked at a bargain price to entice deal seekers. 

Once the unsuspecting shopper stumbles across the product and purchases on eBay, the fraudster then buys the Amazon product with the original credit card on file, but changes the shipping address to the eBay buyer. 

In the end, the eBay buyer receives the product, the Amazon account holder’s credit card is charged, and the fraudster gets away with the value of the payment from eBay. All without a trace. 

How to Mitigate Triangulation Fraud 

During prime graduation shopping time, if retailers want to reduce and mitigate Triangulation Fraud, they should start at the login page. This doesn’t mean adding CAPTCHA or multi-factor authentication. Instead, it’s less about verifying the credentials or testing humanness. We already know usernames and password combinations are widely available on the Dark Web and bots can easily bypass CAPTCHAs using tools like DeathbyCaptcha. In this case, to mitigate sophisticated schemes, retailers need the ability to judge user legitimacy in real time. On a computer, does the user type too quickly to be human? Is the mobile device real or just a device emulator? These kinds of passive biometrics along with hundreds of additional network signals provide the data needed to determine who or what is behind the transaction. Only then can we cut off inroads before schemes proliferate. 

For more on this, be sure to read our blog, Why MFA Defeat Shouldn’t Be Ignored.

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore