Big data and artificial intelligence (AI) are proving to be beneficial to businesses of all kinds and in many ways. However, there’s a downside: Cybercriminals are taking advantage of both big data and AI to find and exploit new vulnerabilities. According to a recent bulletin from Visa, “Through scalable and programmatic automated testing of common payment fields, also known as account enumeration…cybercriminals are able to successfully monetize e-commerce transactions, resulting in hundreds of millions of dollars in fraud losses across the payments ecosystem.”
What’s more, in another bulletin issued in mid-August 2021, Visa noted that it had “observed a sustained increase in enumeration attacks and account testing” attacks. The bulletin included a reminder of the need for merchants (and other entities) to “maintain appropriate controls to block such fraud attacks as part of their obligation to safeguard payment information and payment system participants.”
Let’s delve into this issue.
The Facts Behind the Attacks
Enumeration and account testing attacks happen when fraudsters obtain or validate payment account information using automated scripts or software. They occur most often on e-commerce-enabled websites, where criminals submit automated transaction attempts.
Criminals’ aim in committing enumeration attacks and account testing attacks has remained consistent over the past few years, according to Visa. However, they’re becoming increasingly sophisticated in their tactics and targets, making it more important than ever for merchants to put safeguards against both types of attacks in place.
Not surprisingly, Visa advocates a “prudent approach” to mitigate account enumeration and account testing schemes. This approach involves a “layered method” that includes:
- Protecting the payment system from unauthorized access. Reducing entry point vulnerabilities is a start. For example, fraudsters’ first line of attack often involves using bots for the automated injection of payment account information into legitimate merchants’ checkout pages. Merchants should implement stronger fraud controls—and insist that their service providers do the same—to prevent attackers from “getting through” at this level.
Safeguarding the payment system from unauthorized access also means stopping account takeovers by resisting phishing schemes (and training employees to recognize them). Using stronger customer validation and identification to prevent fraudsters from successfully targeting payment gateways is equally important. So, too, is using technology to minimize the chance that perpetrators can execute merchant account takeovers by obtaining merchants’ credentials through phishing or other schemes.
- Monitoring for, detecting, and blocking attacks. Visa names merchants in its list of entities that are obligated to “maintain adequate controls to detect and block fraudulent transactions, enumeration, and account testing attacks from entering the payment system.”
Other best practices merchants should adopt in the fight against enumeration attacks and account testing attacks include:
- Using CAPTCHA controls on checkout/payment pages to prevent automated transaction initiation by bots or scripts.
- Monitoring host and network traffic for unauthorized or suspicious connections and probing activity.
- Using point-to-point encryption (P2PE) or PCI-validated cryptographic keys for all host and transaction session activity.
- Employing periodic password changes, avoiding the use of default login credentials, and educating staff on the risks of phishing scams and social engineering.
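The monitoring and blocking controls above come down to spotting the signature of automated account testing: one source submitting many authorization attempts against many different cards in a short window, most of them declined. The following is an added example, not code from the article or from Visa, of a sliding-window velocity and decline-ratio check run over constructed checkout log lines; the log format, the tokenized card identifiers, the IP addresses and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of checkout-authorization log lines (hypothetical format):
# <ISO timestamp> <client_ip> <tokenized_card_id> <auth_result>
SAMPLE_LOG = """\
2021-08-15T10:00:01Z 203.0.113.7 tok_a1 DECLINED
2021-08-15T10:00:02Z 203.0.113.7 tok_a2 DECLINED
2021-08-15T10:00:03Z 203.0.113.7 tok_a3 DECLINED
2021-08-15T10:00:04Z 203.0.113.7 tok_a4 APPROVED
2021-08-15T10:00:05Z 203.0.113.7 tok_a5 DECLINED
2021-08-15T10:00:06Z 203.0.113.7 tok_a6 DECLINED
2021-08-15T10:03:00Z 198.51.100.4 tok_b1 APPROVED
2021-08-15T10:03:40Z 198.51.100.4 tok_b1 DECLINED
2021-08-15T10:04:00Z 198.51.100.4 tok_b1 APPROVED
"""


def parse_line(line):
    ts, ip, token, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, token, result


def detect_card_testing(log_text, window=timedelta(minutes=5), min_attempts=5,
                        min_distinct_cards=4, min_decline_ratio=0.6):
    """Return {client_ip: summary} for sources whose recent authorization
    attempts look like automated account testing (assumed thresholds)."""
    events = defaultdict(list)  # ip -> [(ts, token, result)] within the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, token, result = parse_line(line)
        hist = events[ip]
        hist.append((ts, token, result))
        while hist and ts - hist[0][0] > window:  # age out old attempts
            hist.pop(0)
        attempts = len(hist)
        distinct = len({t for _, t, _ in hist})
        ratio = sum(1 for _, _, r in hist if r == "DECLINED") / attempts
        if (attempts >= min_attempts and distinct >= min_distinct_cards
                and ratio >= min_decline_ratio):
            alerts[ip] = {"attempts": attempts, "distinct_cards": distinct,
                          "decline_ratio": round(ratio, 2)}
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_card_testing(SAMPLE_LOG).items():
        print(f"challenge or block {ip}: {summary}")
```

The legitimate shopper at 198.51.100.4 retrying a single card is never flagged, while the source cycling through six cards with five declines is, which is the point at which a CAPTCHA challenge or a block at the gateway is appropriate.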