experianThe need to feel safe and secure has its origins at the earliest steps of our development, which makes sense, as we most probably wouldn’t survive otherwise. The same applies for our digital world, where we have to be constantly on alert over potentially falling prey to cyber criminals. With more and more interactions and transactions taking place through anonymous online and mobile channels, cyber criminals unfortunately have a growing number of opportunities to reap financial rewards at the expense of others. Hence, the first step for those tasked with protecting their organizations and customers should make sure there has not already been a security breach or that accounts already have been compromised.


Experian, the global information services group, therefore highlights to always be aware that cyber fraud is not a point-in-time problem and data breaches should not be considered isolated attacks, which break through network defenses to abscond with credentials. Rather, data breaches are just the first stage of a more complex lifecycle that begins with a vulnerability, advances through several stages of validation and surveillance, and culminates with a fraudulent transaction or monetary theft.

“Cyber criminals are sophisticated and have a growing arsenal of weapons at their disposal to infect individual and corporate systems and capture account information: phishing, SMSishing and Vishing attacks, malware, and the like are all attempts to thwart security and to access protected information. Criminal tactics have even evolved to include physical-world approaches like infiltrating physical call centers via social engineering attacks aimed at unsuspecting representatives”, Experian explains in its whitepaper Surveillance, Staging and the Fraud Lifecycle, besides highlighting that this, and similar efforts, are all part of the constant quest to identify and exploit weaknesses in order to stage and commit financial crimes.

Malware detection is NOT the silver bullet for preventing fraud

Unfortunately, malware is only one method by which fraudsters may obtain credentials, as there is a seemingly endless supply of pristine identity and account data available in the criminal underground. Malware can indicate that an account has been compromised, but it does not really help identifying the subsequent usage of the stolen credentials by the criminals, regardless of how the credentials were compromised. By the time one realizes that credential information has been exposed, cyber criminals most probably have already captured the information they need - such as usernames, passwords, challenge responses and even token or session IDs - and have added it to their underground data repositories. With traditional online authentication controls, it is nearly impossible to detect the initial fraudulent login that uses ill-gotten credentials. This is why it is critical to operate from the assumption that all account credentials have been compromised when designing an online authentication control scheme, experts explain.

Account compromise is only one piece of the fraud lifecycle

Let’s face the truth that after accounts have been compromised, the next phase of industrialized fraud kicks into gear. Account data is packaged and sold on the underground market – for cash as well as noncash payment forms such as Bitcoin, travel reward points, prepaid cards or service trades. This highly liquid black market for stolen credentials facilitates further iniquitous activities downstream. Fact is that once an account has been compromised and the criminal has bypassed the authentication measures, there is virtually nothing that can stop them. If a threat couldn’t be previously recognized and stopped, detection is critical as attackers can start mimicking user behavior to gain even greater control over an account or to cover their tracks for the eventual theft.

Experian provides a few examples on how criminal could start the fraud lifecycle:

  • Account behavior: By monitoring an account over time, cyber criminals can determine how their intended victim uses the account so they can match their behaviors to those of their target. If a legitimate customer only does their banking in person, access from the web or a smartphone may raise a flag.

  • Check images: With a growing number of consumers using remote mobile deposit (Remote Deposit Capture), fraudsters have access to sample signatures, as well as account and routing information for other accounts.

  • Alerts and notifications: Banks, retailers and other institutions provide consumers with a wide range of control over how they receive information about their accounts. With legitimate credentials, criminals can see what amount or velocity threshold will trigger an alert and will then keep their activities within expected norms to avoid detection. They may also change the parameters of alerts or create dummy email addresses to shift alerts away from the legitimate accountholder.

  • Contact information: As with alerts and notifications, criminal organizations can change the mailing address or phone number associated with an account to further delay detection.

  • Gaming the system: Consumers are encouraged to notify banks of travel plans to decrease the possibility of unwarranted declines while on the road; but clever fraudsters - armed with an understanding of an organization’s process and procedures - can take advantage of these services.


Expect to see more disguised attempts by fraudsters in the future. We are living in a growing multichannel environment, where cyber criminals will try to blend in effortlessly, therefore it is of vital importance that you hang in there.

By Daniela La Marca