With an estimated 37.9% of all internet traffic attributed to bots, and bad bots accounting for more than 50% of that, retailers and financial organizations are struggling to defend against a constant barrage of account takeovers, credential stuffing, card cracking attacks and fake account creation.
A common bot-based account takeover using credential stuffing has two steps. First, attackers obtain compromised customer credentials from criminal syndicates and arm bots with them to rapidly cycle through thousands of accounts until a login succeeds. The second step is the account takeover itself, where fraudulent transactions can be initiated on behalf of an unknowing customer.
Continuously screening for suspicious behavioral patterns or real-time anomalies is key to detecting bot-initiated fraud attacks. Rules-based alerts and machine learning models can be configured to provide instant notification of:
- Excessive transactions aimed at a specific API endpoint from device fingerprints or IP addresses not seen before
- Excessive transactions from one customer ID, card, wallet or account
- A change detected in device fingerprint indicating a user changed the device
- Excessive transactions that follow the same workflow
- A high number of failed login attempts against one or more accounts
- Transactions that don’t follow the same geographical pattern
- An implausible distance between transactions (IP geolocation) for the same user
- Transactions originating from blacklisted devices, IP addresses or from a country on a negative list
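Three of the rules above (a burst of failed logins, a changed device fingerprint, and an implausible distance between logins for the same user) sketched as an added example; this is not code from the original article or from INETCO. The event fields, thresholds and sample events are constructed assumptions, and latitude/longitude are assumed to come from IP geolocation.

```python
from collections import defaultdict, deque
from math import radians, sin, cos, asin, sqrt

# Constructed sample events: (epoch_s, account, device_fp, lat, lon, success)
EVENTS = [
    (0,    "alice", "fp-a1", 49.28, -123.12, True),   # baseline login, Vancouver
    (100,  "bob",   "fp-x9", 52.52, 13.40, False),
    (102,  "bob",   "fp-x9", 52.52, 13.40, False),
    (104,  "bob",   "fp-x9", 52.52, 13.40, False),    # third failure within the window
    (1800, "alice", "fp-z7", 51.51, -0.13, True),     # London 30 min later, new device
]

MAX_FAILS, WINDOW_S, MAX_KMH = 3, 60, 900  # assumed thresholds, tune per environment

def km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(events):
    """Return (timestamp, account, rule) alerts for a stream of login events."""
    fails = defaultdict(deque)   # account -> timestamps of recent failed logins
    devices = defaultdict(set)   # account -> fingerprints seen on successful logins
    last_ok = {}                 # account -> (ts, lat, lon) of last successful login
    alerts = []
    for ts, acct, fp, lat, lon, ok in sorted(events):
        if not ok:
            q = fails[acct]
            q.append(ts)
            while q and ts - q[0] > WINDOW_S:   # drop failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                alerts.append((ts, acct, "failed_login_burst"))
            continue
        if devices[acct] and fp not in devices[acct]:
            alerts.append((ts, acct, "new_device"))
        devices[acct].add(fp)
        if acct in last_ok:
            pts, plat, plon = last_ok[acct]
            hours = max(ts - pts, 1) / 3600     # avoid division by zero
            if km(plat, plon, lat, lon) / hours > MAX_KMH:
                alerts.append((ts, acct, "implausible_travel"))
        last_ok[acct] = (ts, lat, lon)
    return alerts
```
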
With a real-time payment fraud detection and prevention solution, such as INETCO BullzAI, organizations can detect and stop bot-initiated fraud attacks by:
- Identifying a rise in hits to the login endpoint, since the botnet performing the credential stuffing works at a rapid pace
- Immediately picking up on the anomalous transaction behaviour and rate limiting the transactions based on device fingerprint
- Detecting the device fingerprint and IP address off the wire as being different from previous logins of the customer in question
By adopting a real-time approach to detecting bot-initiated fraud attacks, risk advice and action can be assigned in milliseconds, with the option to set up blocking of these transactions at the firewall or application layer. The result is faster detection and prevention, more approved transactions and increased customer trust and safety.