Testing your loyalty
Andy Mills, VP of EMEA, Cequence Security, looks at how gift and loyalty cards are being targeted for fraud and how to combat it
Gift card and loyalty programmes can be attacked in a number of ways, from phishing attacks against customers to physical cloning of cards but often these attacks are carried out completely online by bots. Such fraud is targeted at relevant web applications and the Application Programming Interfaces (APIs) they connect with to perform login, card processing and balance checking and typically leads to carding attacks that test stolen card details, account takeover (ATO) or balance theft.
The attacker’s main modus operandi is to use business logic abuse to subvert the applications and APIs, using their functionality to do things they weren’t designed for, or they can choose a brute force attack that floods those applications and APIs with traffic. Both these types of attack are often multi-faceted, involving several tactics and techniques, which makes identifying and preventing them difficult. For example, the assault may be indirect, with an attacker using a nurtured or fake account that they have created over a period of time, which ensures they can always log in successfully before then carrying out ATO.
The aim of the attack can also vary. A ‘scrape and sell’ attack will see the attacker log in to compromised accounts and request a gift card balance from the profile API, information that can then be sold on, whereas a ‘steal and purchase’ attack sees those details used to purchase goods or, in the case of a loyalty scheme, to purchase gift cards. Or the attacker could simply enumerate through possible gift card combinations to commit ‘shopping cart fraud’, applying any valid numbers at checkout.
Where retailers are failing
Recently, a large fashion retailer found its systems were being used to validate stolen credit cards, purchase gift cards, and then purchase products with the fraudulent gift cards, directly costing the company money and eroding customer confidence. It discovered that its existing Web Application Firewall (WAF) was unable to scale to meet attack volumes; it’s not uncommon for WAFs to become overwhelmed as attackers switch from one server to another.
The retailer then had to look at how it could detect the attack, still allow legitimate traffic to get through and block the malicious activity. At the same time, it is important that the solution is transparent and frictionless for both the application and the user, and it should ideally avoid the need to modify the application. Most solutions typically require some sort of CAPTCHA or other method to prove you are human, which requires changes to application code, doesn’t support APIs (which can be attacked directly) and, perhaps most importantly, causes customer friction.
Preventing gift card attacks therefore isn’t just about spotting bursty traffic, although that is of course a factor with bot-driven attacks. Determining where the traffic originates from is valuable, as it can enable the IP addresses to be blocked by looking at the proxy server being used. But even then, attackers can quickly rotate IP addresses, rendering this approach ineffective.
Moving away from legacy web defence
A more detailed form of analysis is needed that looks for patterns of activity. For instance, data in the return traffic will show if the attacker is cycling through numeric identifiers such as gift card numbers, shipping tracking numbers or IDs, and this can indicate the value they are looking for when checking gift card balances.
Identifying the tools, infrastructure, and credentials used by the attacker can then be used to monitor their actions as the attack progresses, even as they change tactics to avoid detection. It’s for this reason that it’s necessary to tackle the problem through a network-based approach that provides native mitigation. Adopting this approach then provides the retailer with various options when it comes to mitigation such as log analysis, rate limiting to detect volumetric attacks, deception to exhaust the resources of the attacker which sees the assault peter out, and/or the blocking of traffic that has been determined as malicious.
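The enumeration pattern described above, and the point that per-IP blocking fails once attackers rotate addresses, can be shown with a small log-analysis example. This is an added illustration, not Cequence code or any product’s logic: the access-log format, the `/api/v1/giftcard/<number>/balance` endpoint, the `sess=` field and the sample lines are all constructed assumptions. It parses balance-check requests, groups them by a chosen client key, and flags any client that walks card numbers in small steps within a short window. Grouping by session token (or user agent) still catches the enumerating client even though every request comes from a different IP, while grouping by IP finds nothing.

```python
"""Detect sequential gift-card enumeration against a balance-check API.

Added example (not Cequence code). Log format, endpoint path and the
sess= field are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one client walks consecutive card numbers while
# rotating its source IP on every request; a second, legitimate client checks
# two unrelated cards a couple of minutes apart.
SAMPLE_LOG = """\
203.0.113.10 - [12/Mar/2024:10:00:01 +0000] "GET /api/v1/giftcard/6011000100000101/balance HTTP/1.1" 404 "bot-ua/1.0" sess=abc123
203.0.113.11 - [12/Mar/2024:10:00:01 +0000] "GET /api/v1/giftcard/6011000100000102/balance HTTP/1.1" 404 "bot-ua/1.0" sess=abc123
203.0.113.12 - [12/Mar/2024:10:00:02 +0000] "GET /api/v1/giftcard/6011000100000103/balance HTTP/1.1" 404 "bot-ua/1.0" sess=abc123
203.0.113.13 - [12/Mar/2024:10:00:02 +0000] "GET /api/v1/giftcard/6011000100000104/balance HTTP/1.1" 200 "bot-ua/1.0" sess=abc123
203.0.113.14 - [12/Mar/2024:10:00:03 +0000] "GET /api/v1/giftcard/6011000100000105/balance HTTP/1.1" 404 "bot-ua/1.0" sess=abc123
203.0.113.15 - [12/Mar/2024:10:00:03 +0000] "GET /api/v1/giftcard/6011000100000106/balance HTTP/1.1" 404 "bot-ua/1.0" sess=abc123
198.51.100.7 - [12/Mar/2024:10:00:05 +0000] "GET /api/v1/giftcard/6011000198765432/balance HTTP/1.1" 200 "Mozilla/5.0" sess=zzz999
198.51.100.7 - [12/Mar/2024:10:02:40 +0000] "GET /api/v1/giftcard/6011000133445566/balance HTTP/1.1" 200 "Mozilla/5.0" sess=zzz999
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" sess=(?P<sess>\S+)$'
)
BALANCE_RE = re.compile(r"^/api/v1/giftcard/(?P<card>\d+)/balance$")


def parse_log(text):
    """Parse the constructed log format, keeping balance-check events only."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        p = BALANCE_RE.match(m["path"])
        if not p:
            continue  # only the balance-check endpoint is of interest here
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "card": int(p["card"]),
            "status": int(m["status"]),
            "ua": m["ua"],
            "sess": m["sess"],
        })
    return events


def detect_enumeration(events, key="sess", min_requests=5,
                       window_seconds=60, max_step=10, min_sequential=0.8):
    """Flag clients that walk numeric card IDs in small steps within a window.

    `key` decides what counts as one client. Grouping by session token or
    user agent survives per-request IP rotation; grouping by IP does not.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e[key]].append(e)

    findings = {}
    for client, evs in by_client.items():
        if len(evs) < min_requests:
            continue  # too few requests to judge
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if span > window_seconds:
            continue  # spread out over time, not a burst
        cards = [e["card"] for e in evs]
        steps = [abs(b - a) for a, b in zip(cards, cards[1:])]
        sequential = sum(1 for s in steps if 0 < s <= max_step) / len(steps)
        if sequential < min_sequential:
            continue  # card numbers are not being walked in order
        not_found = sum(1 for e in evs if e["status"] == 404)
        findings[client] = {
            "requests": len(evs),
            "distinct_ips": len({e["ip"] for e in evs}),
            "sequential_ratio": round(sequential, 2),
            "not_found_ratio": round(not_found / len(evs), 2),
            "window_seconds": span,
        }
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("by session:", detect_enumeration(evs, key="sess"))
    print("by ip:", detect_enumeration(evs, key="ip"))
```

The thresholds (`min_requests`, `window_seconds`, `max_step`) are the tuning knobs a retailer would set from its own baseline of legitimate balance checks; the `not_found_ratio` in each finding is the signal the article alludes to, since a client guessing card numbers sees far more misses than a customer checking a card it actually holds.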
What’s clear is that legacy defences are increasingly powerless against modern bot-based attacks. Since business logic abuse is based on exploiting APIs rather than breaking into these systems, it’s much harder to detect, and the ability of attackers to pivot and change their tactics further complicates matters. Basic automated tools are no longer sufficient, and so the retail sector must now consider how it can detect and block these attacks using behaviour-based threat detection and flexible, customisable mitigation techniques.