It takes more than data validation to stop a Magecart

Posted by IdentityMind Global on Jul 27, 2017 6:00:00 AM

Many associate credit card fraud with data breaches or point of sale hardware and malware, but the recent proliferation of stolen credit card information on the dark web is largely owed to Magecart, a kind e-commerce malware that injects malicious JavaScript code directly into the platform’s website, affecting sites such as OpenCart, Magento, and Powerfront CMS. Magecart captures keystrokes as customers type in their credit card and billing information. What’s more, the code allows the attacker to add fake fields to the form, giving fradusters the opportunity to collect even more information.

The main victims of this malware appear to be smaller e-commerce sites who haven’t updated their software. As Security Intelligence and Enterprise Times reported, “This isn’t messy, quick-hitter malware. Attackers use secure HTTPS connections to exfiltrate data and then host it on remote sites, which also encrypt via HTTPS.”  

Once the credit card and other personal data is stolen, Brian Krebs, in a recent blog post, notes that it often appears on cybercrime forums such as McDumpals or Uncle Sam’s dumps shop. These types of blackmarket identity marketplaces specialize in selling identity data including credit card information in bulk. We've written about why the existence of these online marketplaces render data validation as a standalone methodology in onboarding and authentication largely inadequate, you can read more by clicking below.

Snowden & KYC: why Data Validation is not enough

Fraudsters are getting smarter and better at collecting rich identity information and bypassing identity validation. The very existence of these online identity marketplaces threatens the integrity of your digital onboarding and authentication processes, because it makes it easier for fraudsters to pose as trustworthy customers through the use of valid identity information. So, what’s the best way to onboard and authenticate customers online? While the real answer is, “it depends”, in all cases it is clear that data validation by itself is not enough, and should actually be the start of your processes and procedures. After all, in the case of stolen identity data, the data is valid, its just being used by the wrong person. We believe that a broader approach is in order – there is no time like the present to enhance your risk mitigation techniques.

 

How we can help

At IdentityMind, we have engineered our solution around digital identities, and we view them as more than just a collection of standalone data points. Because, as you can see from Magecart, the data may be valid, but the transaction and the person behind it may not be. Our approach is that, when you deal with digital identities (either individuals or businesses), you have to look at whether:

  1. The identity parameters are consistent, uncompromised, and part of a real identity
    • Based on the hundreds of millions of transactions that have gone through the IdentityMind platform, we have put together templates of what real users and their behavior look like. When we see a user, we will compare their information and their transaction information, using graph intelligence and machine learning, against these templates to determine if they are real users. We can also verify the individual data, based on our integrations with 20+ data providers.
  2. The identity belongs to the individual that is presenting it
    • Using graph intelligence and machine learning, we look at user behavior across phone, email and transactions over a period of time to determine the validity of transactions over time. We’ll even consider the type of chargeback involved, for instance to detect identity theft, or vulnerable victim fraud.
  3. You can do business with that identity from the regulatory perspective 
    • There are a variety of reasons why you can’t do business with an entity. It might be their age, their state of residence (you might not be able to do business there), their presence on a PEP list and more. We check them all.
  4. How risky it is to do business with this person
    • We create a reputation score that allows you to assess the amount of risk you are willing to take on. We also look at other factors such as known associates to provide you with other views into the risk of doing business with a specific entity.

Being able to answer these questions provides you with the best protection for your business. You can read more about how to implement these question downloading the Digital Identity Evaluation Guide below.

Get the Digital Identity Evaluation Guide

At IdentityMind we offer a SaaS platform for assembling and continuously validating digital identities to bring trust to your online transactions. Our machine learning and advanced analytics can build on data validation by analyzing each identity to create a reputation score; and by helping you create, set, and adjust the KYC tests and fraud rules necessary to safely onboard potential customers. Ultimately we help you ensure that your customers are who they say they are, and are good to work with, keeping your business safe from criminals while you focus on delivering value to your customers. 

 

Subscribe to Our Blog

Related posts