5 Things CISOs Need to Know About Card Fraud
Payment and credit card fraud are constant concerns for security leaders, holding major financial and reputational consequences for card-issuing financial institutions. For threat actors, card fraud schemes are often low-hanging fruit as prices for stolen card data continue to rise, increasing by more than 228% since 2018
The Market for Stolen Credit Cards Is Alive and Well in 2021
Payment and credit card fraud are constant concerns for security leaders, holding major financial and reputational consequences for card-issuing financial institutions. For threat actors, card fraud schemes are often low-hanging fruit as prices for stolen card data continue to rise, increasing by more than 228% since 2018.
Dark Web Marketplaces Drive the Supply and the Demand for Card Fraud
Even for the novice cybercriminal, there are few barriers to entry and near-infinite resources in illicit forums and marketplaces to learn new tactics and guide their campaigns.
This low barrier to entry and the increasingly-high prices for stolen cards make it abundantly clear that card fraud threats aren’t going away anytime soon. In fact, the threat is likely to get worse, as even when a top carding marketplace shuts down—like the notorious, now-defunct Joker’s Stash—multiple alternative shops arise to take its place.
Five Things CISOs Must Know About Card Fraud Today
In order to keep pace with the card fraud threat landscape, financial institution CISOs must continually refresh their awareness and understanding of card fraud tactics, techniques, and procedures (TTPs). To support our card fraud customers achieve their missions and mitigate card fraud rapidly and comprehensively, we unveiled our new, dedicated Flashpoint Card Fraud solution. In addition to Flashpoint intelligence and capabilities, there are five major factors that CISOs must account for as they face today’s fraud threat environment.
1) It’s Not “If” But “How Much” Card Fraud Impacts Your Organization
First, CISOs and their teams should get their hands around the size of the potential problem for their own organization: On the business side, what card products and offerings do we have as an organization? How much of a target is my organization for card fraud, and how much of our card data has likely been compromised? And (roughly) what is it costing us on an annual basis?”
A snapshot inventory of the problem is another crucial early step that, when done well, will effectively push forward all additional actions that follow. It may be necessary to attach nominal dollar values to compromised cards for your organization in this process, and that’s fine. The point of this quantification step is not to obtain exact numbers, but rather to produce relational, ballpark ranges to develop a more accurate and holistic portrayal of the size and scale of the card fraud problem facing your organization.
2) Card Fraud TTPs Evolve Faster Than Your Prevention Systems and Controls
Leaders and their teams also need to develop a solid understanding of the evolving TTPs and shifting landscape related to underground carding activity. While this is most crucial for working-level practitioners with hands-on-keyboards, it is also critical that CISOs have a basic and current understanding of these trends, as they must provide planning and direction to the teams charged with detecting and mitigating card fraud. To support this effort, CISOs should engage a reputable and experienced threat intelligence vendor to provide the needed visibility.
3) Card Fraud TTPs Adapt Alongside Payment Technology Innovation
CISOs also need to track and keep abreast of developments on the payment technology front, as threat actor TTPs will often mirror and evolve based on new technology innovations. Chip-and-pin was obviously a major technological advancement in this area and, while compliance-related concerns were important, the most important aspects once implemented were enhancements in terms of organizational security, processing security, and consumer security. CISO’s must be aware of planned organizational / industry innovation around payment cards, and consider both the security and budgetary implications to their area of responsibility.
4) Fraud-Loss Tolerance Levels Improve Cross-Functional Coordination
CISOs and their security and fraud teams also need to arrive at a decision on what an “acceptable” level or amount of fraud loss might be for their organization and must be prepared to modify and adjust this amount when counterbalanced with potential consequences for consumer confidence and brand trustworthiness. With the sheer number and variety of media outlets consumers now have at their fingertips, every organization is potentially just one tweet away from unwelcome scrutiny. It’s crucial to maintain open lines of communication with consumer confidence and brand trust elements within your organization, as what CISOs oversee and action can often directly impact how a company is viewed in the broader marketplace.
5) Early Identification of Compliance Issues Beats Later Regulator Scrutiny
CISOs and other security leaders may at times have disdain for the more monotonous legal, compliance, and regulatory components of their work, but it is an important and part of the card fraud security environment. Is your organization compliant or not? How important is your compliance? Those that never have had an issue might perhaps grow complacent, while those that have been stung by the compliance gap might well view this area as a top priority.
Discussions are often held as hushed internal huddles, but shining the bright light of transparency on potential compliance-related issues can often provide additional budget, technology, and organizational support. Moreover, these scenarios are far preferable to their alternatives of answering questions after-the-fact, which often begin with: “Did we know this beforehand?” or “Why didn’t we do something to rectify at that time?”
Try Flashpoint’s New-Improved Card Fraud Solution!
For over a decade now, Flashpoint has been helping financial institutions of all sizes address card fraud threats—including many of the top global banks and FIs worldwide. Earlier this week, we unveiled our new, dedicated Flashpoint Card Fraud solution that further equips teams with the tools, dashboards, and actionable intelligence they need to address the pain-points outlined above and further reduce the costs associated with card fraud today.
Sign up for your demo today! Experience firsthand the power of Flashpoint’s best-in-class threat intelligence and learn how many ways we can help you solve all your critical missions.