AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.
StubHub Turns the Table on Cybercriminals
Here’s an all-too-common story with an uncommon twist.
Six individuals were arrested last week in connection with an international cybercrime ring that hacked more than 1,600 customer accounts. What’s different in this case is that the company detected the cybercriminals first instead of receiving the news of the hack, as usually happens, and then it alerted law enforcement.
Eric Boles, senior manager of the Global eCrime Investigations Unit at StubHub, the online ticket broker that thwarted the cyberhackers, told the news site Card Not Present that StubHub worked closely with authorities throughout the entire process. “The way I see it, private industry needs to do more of this,” he said.
StubHub itself was not hacked. Instead, StubHub users were victims of account takeovers. Criminals intercepted customer logins and passwords by breaching other websites and installing keylogger malware on victims’ computers, StubHub explained in a statement.
According to Manhattan District Attorney Cyrus R. Vance, Jr., the criminals used the stolen credentials to purchase more than $1 million in electronic tickets for concerts, sporting events and Broadway shows, and then resold them within hours of the events. Proceeds were transferred to a global network of accomplices in the U.S., UK, Russia and Canada. The New York State Supreme Court has charged the defendants with money laundering, grand larceny, criminal possession of stolen property and identity theft.
“Today’s arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere,” said Vance. “The coordinated actions of law enforcement officials in New York, New Jersey, the United Kingdom, and Canada demonstrate what can be achieved through international cooperation.”
StubHub first detected the unauthorized transactions last year, notified authorities, and refunded affected customers.
Suspects were apprehended in New York, New Jersey, Spain, London and Toronto. Vadim Polyakov, a Russian national who police picked up in Spain, is believed to be the mastermind behind the operation. He is currently facing extradition to the U.S.
Robert Capps, senior director of customer success for RedSeal Networks, told Brian Krebs of Krebs On Security that many online retailers are still unprepared for the large influx of fraud that account takeovers can generate. “In the last year online retailers have come under significant attack by cybercriminals using techniques such as account takeover to commit fraud,” he said. “Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts. Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.”
SRPc Advocates Tokenization Standards
The Secure Remote Payment Council (SRPc), a national association of EFT networks, is urging the payments industry to develop tokenization standards to protect businesses and consumers from cyberattacks.
Earlier this year, EMVCo, which was formed by six major global card networks (Visa, MasterCard, American Express, Discover, JCB and UnionPay), released proposed technical specifications for a tokenization standard. The company said its standard would provide a secure and globally interoperable environment for digital payments.
However, the SRPc said it has “serious concerns” over EMVCo’s framework. The trade association said that EMVCo’s model does not meet the normal definition of a standard, and is instead a specification controlled by the major card brands. “Token granting entities are limited by global brand rules and token processing is controlled by these brand rules,” the SRPc said. “Currently, global brands require that all participants, including network competitors, utilize token-generating entities that global brands approve. This restricts competition and innovation.”
Furthermore, the SRPc stressed that the EMVCo framework does not support a complete solution; its use cases are limited to ecommerce merchants using tokens to replace cards on file, and to mobile devices obtaining tokens in face-to-face merchant transactions using NFC as the transport layer. “Standards for tokenization must be flexible enough to cover all technologies, and not be limited in scope to one or two options such as NFC,” the SRPc said. “They should support dynamic tokenization, i.e., one-time or limited use tokens, rather than static, domain specific, cryptograms as proposed by EMVCo.”
Lastly, the SRPc noted that the EMVCo standard does not address card-not-present transactions, and the payments industry should not rush to market with a solution that does not address the entire problem. “The lessons learned from the implementation of EMV in other countries have shown a shift of fraud from the physical space to the online environment,” the trade association said. “As such, the industry solution for tokenization must address both the card-not-present and the card-present environments.”