CnP Fraud impact on industry and how to prevent it.

Do you worry about CNP-attacks?

Then it is for good reason! “Card Not Present” attacks have been on a steady climb for years!

CnP  fraud is still rising

With a boost in online banking services,  CnP fraud has grown to be the largest fraudulent threat in banking industry. A report from Juniper Research states that retailers are to loose $130 BN to CnP fraud in 2018-2023 (increase from previous years).  The reason behind the increase being that

1) Fraudsters are getting more sophisticated

2) Businesses slacking in updating their security

Hackers are being more sophisticated by improving their methods , ex. in their ways of eSkimming through 3-party distributors, a campaign that targeted 800+ retailers in 2019 – the biggest incident begin the attack on British Airways that costed them a £183M fine, 380.000 stolen credit-cards and ~50% market value. This graph made by Statista shows the rise of CnP fraud , while Counterfeit is decreasing.

The top 5 industries being hit by CnP fraud is Airlines, Retail, Entertainment, Gambling and Gaming

eSkimming – the spy in your browser:

Diving into the CnP fraud, in many cases the sensitive information is stolen with eSkimming. Criminals places a trojan in the browser, and from there the trojan can view and sometimes edit everything in the browser – that also includes logging in to banking services and do online payment on retailer websites.  The attack exploits javascript and is hard to detect because  of javascript’s ability to occur beyond the corporate network. Therefore new security strategies are needed to face the threat of the new-world CnP fraud.

How can you counter attacks without changing your website significantly (and expensively)?

CodeSealer Connect is a cloud-based security service for your website, that works for you out-of-the-box.

You let your customers connect seamlessly on to your site via CodeSealer Connect and a secured tunnel. Nettiher your customers nor you will see or feel any difference, while CodeSealer Connect adds security to your existing website.

Among other things, CodeSealer Connect protects your site and JavaScript from tampering, and it runs real-time diagnostics as well.

CNP-fraud is leveraged in three ways:

Local injection:

Malware operates within the customer local browser and injects code (HTML and JavaScript) into your site, f.i. replacing your card fields. This way the customer believes she is entering card details to you and/or your card data provider, but the data is stolen and sent to the attacker for CNP-attack use.

CodeSealer Connect protects your JavaScript from tampering and detects whenever unprotected JavaScript attempts to run – depending on your preferred configuration, it will then warn against or simply block the attack.

Server injection/infection:

Hackers manage to take over (part of) the web server and injects code, that will run from the server itself, and stealing card details in much the same way as above.

CodeSealer Connect scans your website for indications of tampering on several parameters, e.g. unexpected changes, unwanted URLs present, minified/obfuscated JavaScript, etc. and can report back to you to let you inspect your site and determine, if it was indeed breached.

Phishing Site:

Your customer may be lured to a completely different site that looks like yours and be prompted for card information there.

CodeSealer Connect will not be able to do anything about that. For this you should go to a reputation protection service.

However, this is rarely seen, as this attack type require much more effort from the attacker with significantly less probability of success with somewhat more ease of spotting it – and also due to the existence of reputation protection services.

CodeSealer Connect can mitigate the majority of these attack vectors on an OPEX-like value proposition, likely well within your fraud budget range, not to mention the less measurable effects to your image.



Get in touch            Read more