All You Have to Do Is Look—Cybercrime in Social Media
Peter Reville
Global Insights research has consistently indicated that given a choice between rock-solid security (the “turn-off-the-faucet” of risk management) and convenience, consumers will choose convenience.
That predilection leaves a gaping hole in security, one that consumers’ current eCommerce behaviors do little to mitigate. Prior to the advent of card-number tokenization, those consumers who do not have security at the center of their focus were likely to use Card on File as their default position when venturing out on the Web. Time was when merchant sites were the major repositories of Card on File, and mighty attractive to fraudsters. Merchants have now been joined by social media, and that leaves an even wider hole, one that only tokenization can plug.
Thereby hangs a tale.
Back in the spring of 2012 MasterCard unveiled a social media monitoring tool that had all the bells and whistles. You could see sentiment, reach, influencers and all the rest of those cool social media measures. While all that stuff is cool and important, what caught my eye was what people were actually saying. When I had an extra few minutes, I would read actual Tweets and Facebook comments and the like from around the world. I was fascinated by how much noise the payments business could kick up.
Not too long into my obsession du jour, I began to find the more nefarious side of social media. I started to see actual Facebook posts advertising stolen credit card data. I am not just talking account numbers. I am talking about name, address, account number, CVV2 codes, date of birth and sometimes even Social Security number.
After a while I got pretty good at creating searches that would guarantee finding access to stolen data. Our Fraud team here at MasterCard assured me that if this information was so easy to get, it was probably already too old—stale if you will. So much for my crime fighting days.
Fast forward to the present and RSA has published a fascinating report entitled “Hiding in Plain Sight – the Growth of Cybercrime in Social Media, Part 1”. In this paper the security token gurus explore the seamier side of social media. In the report they describe how they have found over 500 fraud-dedicated social media groups with over 220,000 members.
These groups are openly sharing credit card information like that described above, as well as malware and malware tools, and cybercrime tutorials. And the bulk of this (approximately 60 percent) is going on in Facebook of all places, and they are doing it with relative impunity. What’s more, once you join one of these Facebook groups, Facebook actually suggests similar groups for you to join.
While reading the report, the passage below stood out to me:
While one would assume that fraud dedicated groups might logically set their privacy settings to “secret” in an attempt to operate stealthily, we found that most groups operate under public or closed setting. Even in the closed groups, a simple join request is all that is required to gain access, without the vouching process or references typically needed to join a fraud forum in the deep web.
I find the relative openness of these groups to be dumbfounding and very scary. What other types of crimes are so “out in the open” on social media?
There is so much more content in the report I could write about—like the geographic differences—but time and my editor will not allow it. Take a look: it is worth a read.
Social media is only one area where card information is available to fraudsters. Tokenization largely puts that problem to rest, and it’s the way the industry has to go if it doesn’t want to remain stuck. EMV at the point of sale and tokens on the website plug the biggest holes in the system.