Attackers rely on automation to brute-force card-testing attacks, weaponizing botnets and scripts to push through fraudulent card-not-present (CNP) transactions, which inflicted $1.1 billion in fraud losses last year.
Enumeration attacks are lethal in their speed and scale: attackers use any available automation technology to defraud victims faster than legacy cyber defenses can track them. Attackers’ arsenals now include large-scale networks of hacked systems that can launch thousands of automated botnet attacks in seconds.
How enumeration attacks work
Attackers are always sharpening their tradecraft with new automation techniques that defy easy detection. Their goal is to weaponize every new technology available, including fast-tracked experiments with generative AI and weaponized LLMs, and to combine it with long-standing automation technologies such as botnets and scripts.
“As each year passes, the sophistication of digital fraudsters increases. They are early adopters of technologies such as generative AI to improve the quality and scale of their attacks on organizations large and small,” Christophe Van de Weyer, Telesign CEO, told VentureBeat. “They’ve also gotten better at social engineering, calling company IT desks pretending to be employees, based on information they’ve gleaned online, and then asking for password and MFA device resets,” Van de Weyer explained. “These are among the reasons why global fraud has become a $6 trillion business annually – bigger than the GDPs of most countries.”
Michael Jabbara, senior vice president at VISA, told VentureBeat, “Enumeration attacks have been growing quite rapidly. With the digitization that we’ve had of commerce over the last few years, many more stores are going online. So there are more entry points for these threat actors to launch their attacks from, and I think that’s going to continue to grow.” VISA found that 33% of enumerated accounts experienced fraud within five days of an attacker obtaining access to their payment information.
What makes enumeration attacks so lethal is the way they submit unique combinations of payment values, including primary account numbers (PAN), card verification values (CVV2), expiration dates and postal codes, within seconds to crack CNP transactions and defraud e-commerce platforms and merchants. Attacks often prioritize systems whose responses reveal when an automatically generated guess is correct, because that feedback lets the attacker narrow the search with every attempt.
VISA Security found that enumeration attacks most often succeed by exploiting vulnerabilities in e-commerce platforms, particularly those with inadequate rate limiting or verification processes. VISA advises its merchants to implement CAPTCHA controls at a minimum, monitor transactions for unusual activities, and use encryption and hardened multi-factor authentication to reduce the risk of an attack. More banking, e-commerce and merchant platforms are also adopting strong rate-limiting thresholds. The goal is to restrict the number of attempts a user can make to authenticate or use recovery features within a certain time frame.
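The two controls described above, a per-source rate limit and a watch for one card being tried with many CVV2/expiry/postal variants, as an added illustration that is not VISA's or any merchant's code. The thresholds, the reason codes and the sample attempts are all constructed for the example; real PANs are never stored, only a token or hash.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float      # seconds since start of the sample
    src: str       # client IP or device id
    pan_hash: str  # tokenized/hashed PAN, never the raw card number
    cvv2: str
    expiry: str
    postal: str


class EnumerationDetector:
    """Sliding-window counters over CNP authorization attempts (hypothetical thresholds)."""

    def __init__(self, window_s=60, max_per_src=10, max_variants_per_card=3):
        self.window_s = window_s
        self.max_per_src = max_per_src                  # rate limit per source
        self.max_variants_per_card = max_variants_per_card
        self.src_events = defaultdict(deque)            # src -> recent timestamps
        self.card_variants = defaultdict(dict)          # pan_hash -> {(cvv2, expiry, postal): ts}

    def observe(self, a: Attempt) -> list:
        """Record one attempt and return the reason codes it triggers (empty if clean)."""
        reasons = []
        q = self.src_events[a.src]
        q.append(a.ts)
        while q and a.ts - q[0] > self.window_s:        # expire old events
            q.popleft()
        if len(q) > self.max_per_src:
            reasons.append("RATE_LIMIT_SRC")
        variants = self.card_variants[a.pan_hash]
        variants[(a.cvv2, a.expiry, a.postal)] = a.ts
        for k in [k for k, t in variants.items() if a.ts - t > self.window_s]:
            del variants[k]                              # drop stale variants
        if len(variants) > self.max_variants_per_card:   # same card, many guessed values
            reasons.append("CARD_VALUE_ENUMERATION")
        return reasons


# Constructed sample: a legitimate retry, a CVV2-cycling attacker, and a botnet node testing cards.
SAMPLE = (
    [Attempt(0, "192.0.2.10", "tok_A", "123", "0927", "94105"),
     Attempt(5, "192.0.2.10", "tok_A", "123", "0927", "94107")]
    + [Attempt(100 + i * 2, "203.0.113.7", "tok_B", f"{100 + i:03d}", "0926", "10001") for i in range(5)]
    + [Attempt(200 + i * 2.5, "198.51.100.9", f"tok_{i}", "999", "1128", "30301") for i in range(12)]
)


def flag_sources(attempts):
    """Return {src: set(reason codes)} for every source that tripped a control."""
    det, flagged = EnumerationDetector(), {}
    for a in attempts:
        for r in det.observe(a):
            flagged.setdefault(a.src, set()).add(r)
    return flagged
```

Whatever the rule raises, the response returned to the client should stay identical to an ordinary decline so the attacker gets no extra feedback from being throttled.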
Enumeration attack tradecraft has matured so quickly that a recent VISA report found attackers have progressed to the point of exploiting negligent onboarding policies within large merchant ecosystems and are actively exploiting vulnerabilities in digital payment systems. Banking systems are also under attack. By leveraging large-scale networks of infected devices, attackers are finding accounts that are the most vulnerable to CNP transactions and other forms of fraud.
VISA has created a strong use case for fighting fraud with gen AI
VISA first introduced Visa Account Attack Intelligence (VAAI) in 2019 to combat and prevent the proliferating variety of payment fraud attacks aimed at its operations and partners. Identifying fraudulent CNP transactions has become a core focus of VAAI, Jabbara told VentureBeat. The VAAI solution integrates breach, cyber and payment intelligence insights into a unified defense against fraud.
Today, VISA is adding to its arsenal of attack intelligence tools with the addition of a new genAI-powered VAAI Score. At the center of the new score’s architecture are generative AI components that identify and score enumeration attacks. Each transaction gets assigned a risk score in real time to achieve the goal of detecting and preventing enumeration attacks in CNP transactions. The goal is to enable issuers to make faster, more accurate decisions on whether to accept or deny a transaction, ensuring the safety of legitimate customer transactions while reducing financial losses. Jabbara told VentureBeat that the new VAAI Score would be communicated via VisaNet to help merchants and partners determine the likelihood of fraudulent transactions in real time.
The new score is VISA’s showcase use case for genAI in fighting fraud. The VAAI Score can provide a risk assessment within 20 milliseconds of a transaction being processed, analyzing over 182 risk attributes to determine the likelihood of fraud. Developed from an analysis of over 15 billion VisaNet transactions, the score uses six times more features than previous models, significantly enhancing its capability to identify suspicious activity. It is also showing the potential to reduce false positives by 85%. By combining gen AI and machine learning techniques, the VAAI Score will continually learn and help VISA Security identify when attackers attempt to bypass CNP security safeguards.
In total, VISA has invested over $10 billion in AI, machine learning, and related technologies to enhance fraud prevention and network security. Investments in VAAI and its related tools have helped VISA block $40 billion in fraudulent activity in a single year.
The challenge is scaling up real-time accuracy and speed to defeat fraud
Jabbara says VisaNet relies on ISO standards for integrating with its many partners and merchants at scale to share VAAI Scores in an attempt to shut down attackers launching enumeration attacks. “We provide the VAAI Score within the transaction message itself,” Jabbara told VentureBeat. “There’s a specific field where we inject that score, and then clients themselves can build rules on that score, depending on their risk appetite and the operational playbooks that they have in-house,” he explained.
Providing real-time risk assessment scores is a rapidly innovating area of fraud detection. “Companies need to evaluate fraud risk throughout the entire customer journey,” Van de Weyer told VentureBeat. Telesign is going all-in on AI and machine learning to also take on this challenge.
“At Telesign, our Intelligence API makes it easy to understand the risks and the reasons behind it. We identify red flags based on patterns from phone number activity, email, IP addresses, and more. Intelligence looks for anomalous behavior by analyzing call velocity, duration, call patterns, and usage to help flag risky numbers,” Van de Weyer said. “This process informs the risk recommendation and score that we provide, which can be used by a customer to better understand when to step up their authentication processes.”