Ambitious Cybercriminals are Going Big with FaaS: Fraud as a Service
Table of Contents
- What is fraud as a service?
- What makes FaaS different from ordinary fraud?
- How can merchants protect themselves from FaaS?
- What you need to know about FaaS
- What is the dark web?
As tempting as it can be to imagine online fraudsters as maladjusted basement-dwellers who resort to a life of cyber crime due to a lack of any other marketable skills, this is simply not the case.
The fraudsters who are consistently finding hidden vulnerabilities, devising new scams, and stealing billions per year are smart, sophisticated, and organized. In fact, online fraud has become a thriving business model—“Fraud as a Service,” or FaaS. How does FaaS work in practice, and what can merchants do to defend themselves when fraudsters join forces to launch organized attacks?
Fraud remains one of the most persistent and damaging problems for eCommerce merchants, and the cost keeps going up: for every fraudulent dollar spent, the true cost to the merchant is more than three times as much, and for many merchants that ratio increased by an average of 7% in 2020. Meanwhile, fraud attempts and success rates are increasing as well.
One reason fraud is so costly is because it almost always results in chargebacks. When a fraudulent purchase is disputed and granted a chargeback, the merchant loses the cost of the goods, the transaction amount, the chargeback fees, and the time and labor they spent making the sale and dealing with the dispute. Worst of all, every chargeback counts against the merchant’s chargeback ratio. An excessive chargeback ratio can lead payment processors and acquirers to sever ties with the merchant, leaving them unable to accept card payments without agreeing to the exorbitant fees charged by “high-risk” payment processors.
Knowing that fraudsters are organizing and optimizing their schemes may make the problem seem even more daunting, but remember that knowledge is power. When you understand how fraudsters operate, you can strategize against them more effectively.
What is fraud as a service?
What a FaaS operation offers is essentially a fraudster-for-hire service. If a cyber-criminal wants to take over an online account, access stolen credit card numbers, or launch a botnet attack, they don’t have to learn how to phish, hack, and program bots on their own. They can just contact a FaaS provider who will handle all the messy details for them.
Buying bots and stolen payment credentials from other cyber-criminals is nothing new, but what makes FaaS different is that it's designed to run just like a legitimate business would.
FaaS organizations offer customer service and support, provide free trials and money-back guarantees, and engage in research, development, and training in new and more effective forms of fraud. FaaS providers are typically found on the dark web, operating out of countries and jurisdictions that are less likely to shut them down and prosecute them. Wherever the individuals behind them happen to reside, their reach is global, and they often cooperate with each other to make it easier to convert stolen digital data into cold hard cash.
While this type of business is relatively new to the realm of payments, you may already be familiar with some of its predecessors. The most common one is fake social media followers. A motivated individual can create thousands of fake accounts run by bots on any social media platform. For the right price, those fake accounts can follow you or share your posts.
There are also hackers with access to botnets: large numbers of computers infected by malware that's designed to go unnoticed by the user. These botnets can be hired to conduct a DDoS attack on a particular website, shutting it down temporarily. FaaS is the logical next step, combining these dark web business models with the already-common buying and selling of stolen payment information.
What makes FaaS different from ordinary fraud?
Merchants on the receiving end of fraud won’t always be able to tell whether they’ve been victimized by a lone wolf or a sophisticated FaaS organization. The methods and attacks they use aren’t different or unique—although FaaS groups are more likely to have access to the latest and most insidious methods and software.
The real danger of FaaS is that by providing organization, consistency, and accessibility to anyone unethical enough to hire them, it creates an infrastructure and culture that allows fraud to grow and become even more profitable.
It’s not hard to imagine a scenario where a small merchant with a unique, highly sought-after product suddenly becomes overwhelmed by FaaS attacks on a large scale. We've already seen similar crises take place with video game consoles and computer graphics cards, where individuals and teams used sophisticated programs to buy up all the available stock of these products. While these people were scalpers rather than fraudsters, it's not hard to imagine a FaaS organization doing basically the same thing, but this time with stolen payment information.
Due to their more long-term outlook on fraud as a business, FaaS providers are usually clever and high-tech enough to choose their clients and targets carefully and cover their tracks well. In the vast majority of incidents, merchants will never have a good way to find out whether or not a FaaS group was behind any given instance of fraud.
How can merchants protect themselves from FaaS?
Because FaaS uses the same methods, tools, and tactics as ordinary fraud—albeit usually in a more efficient and organized manner—there aren’t any special tricks for fighting it. What merchants must do in the face of this new threat is use the same best practices for fraud prevention that have always been recommended, supplemented with anti-fraud tools chosen and calibrated to fit their business.
Here are some of the easy steps merchants can take to reduce fraud:
- Protect customer accounts by requiring strong passwords.
- Don’t authorize payments without an AVS/CVV match.
- Watch out for common fraud indicators (or use a tool that does this automatically) and manually review flagged orders before processing.
- Keep your shopping cart software (and other programs that handle sensitive processes) updated and patched regularly.
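As an added illustration of the second and third items above (not code from the original article or from any particular gateway), here is a merchant-side gate that decides what to do with an authorization once the processor's AVS and CVV results are known. The single-letter result codes are the ones many card processors return (Y/A/Z/N for AVS, M/N/P/U for CVV); treat that mapping, the `AuthResponse` shape and the `flags` list as assumptions to be confirmed against your own gateway's documentation.

```python
# Added example: apply "no sale without an AVS/CVV match" and "review flagged
# orders before processing" to an authorization response. Because AVS/CVV
# results only arrive with the issuer's response, the practical control is to
# void (never capture) an approved authorization that fails the check.
from dataclasses import dataclass, field

AVS_FULL_MATCH = {"Y"}           # street address and postal code both match (assumed code)
AVS_PARTIAL_MATCH = {"A", "Z"}   # only the address (A) or only the postal code (Z) matched
CVV_MATCH = {"M"}                # card verification value matched


@dataclass
class AuthResponse:
    approved: bool      # issuer approved the amount
    avs_code: str       # AVS result code as returned by the processor
    cvv_code: str       # CVV/CVC result code as returned by the processor
    flags: list = field(default_factory=list)  # fraud indicators raised by upstream screening


def decide(auth: AuthResponse) -> str:
    """Return 'capture', 'review' or 'void' for an authorization response."""
    if not auth.approved:
        return "void"
    # Hard rule: no CVV match, or no AVS match at all, means the sale does not
    # go through. Voiding releases the hold on the cardholder's account.
    if auth.cvv_code not in CVV_MATCH:
        return "void"
    if auth.avs_code not in AVS_FULL_MATCH | AVS_PARTIAL_MATCH:
        return "void"
    # A partial AVS match or any upstream fraud indicator goes to a human first.
    if auth.avs_code in AVS_PARTIAL_MATCH or auth.flags:
        return "review"
    return "capture"
```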
When it comes to protecting customer accounts, typical password requirements are insufficient. While many online businesses are getting more and more specific about the kinds of characters that must be included, the most important factor for password security is length. Setting a 10 or 12 character minimum for passwords will help prevent cracking and discourage password re-use. In fact, directly telling customers during account creation not to re-use a password they use for another service is probably a good idea, even if many customers will ignore that warning.
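To show in numbers why the paragraph above puts length ahead of character-class rules, here is an added example (not from the original article) of an account-creation check that makes length the only hard rule and always shows the re-use warning. The 12-character minimum is an assumed policy value, and the guess-space estimate is a deliberately rough upper bound on attacker effort, not a measure of true entropy.

```python
# Added example: length-first password policy for account creation, with a
# brute-force guess-space estimate that shows an 8-character "complex" password
# is weaker than a 12-character all-lowercase one.
import math
import string

MIN_LENGTH = 12  # assumed policy value; the article suggests 10 or 12
REUSE_WARNING = "Do not reuse a password you already use for another service."

# Character classes an attacker would have to include once any member appears.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def guess_space_bits(password: str) -> float:
    """log2 of the brute-force search space: (alphabet size) ** (length).

    Only the character classes actually present count toward the alphabet.
    Dictionary words and patterns are ignored, so this overestimates strength
    for predictable passwords; it is an effort estimate, not true entropy.
    """
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def evaluate_new_password(password: str, min_length: int = MIN_LENGTH):
    """Return (accepted, messages) for a password submitted at account creation.

    Length is the only hard rule, as the article advises. The re-use warning is
    shown to every customer because re-use across services cannot be detected here.
    """
    messages = [REUSE_WARNING]
    accepted = len(password) >= min_length
    if not accepted:
        messages.insert(0, f"Password must be at least {min_length} characters long.")
    return accepted, messages
```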
Two-factor authentication is another important way to protect customer accounts, and new authentication methods are popping up all the time. Merchants can now offer customers the ability to authenticate themselves using a text message, the Google Authenticator app, or biometric information such as a fingerprint or selfie.
If anti-fraud measures fail, as they inevitably will from time to time, and a fraudulent transaction is processed, the real cardholder is sure to file a chargeback once they realize what has happened. When true fraud has occurred, the merchant has no standing to fight the chargeback and represent the transaction. The only way to avoid the chargeback and prevent the increase to your chargeback ratio is to prevent fraud from happening in the first place.
What you need to know about FaaS
FaaS is yet another evolution in the ever-growing problem of eCommerce fraud. Every time merchants and cybersecurity firms learn how to patch up a vulnerability or identify a new fraud scheme, the fraudsters set to work figuring out how to circumvent the most up-to-date defenses or trip up consumers who have caught wise to the latest phishing scheme.
Fraud prevention is one of the cornerstones of any strong chargeback defense strategy. While many chargebacks are themselves fraudulent in nature and can be fought and beaten with the right evidence, true fraud chargebacks have a legitimate basis and merchants have to take a proactive stance toward warding them off. Reputable chargeback management firms will always work with merchants to evaluate their fraud risk profile and come up with recommendations for tools, prevention practices, and other solutions that can help them avoid becoming victims of run-of-the-mill fraudsters, sophisticated FaaS syndicates, and everything in between.
What is the dark web?