Speaking of Security – The RSA Blog and Podcast

One of the common criticisms of the evolution theory by those who side with intelligence creation is that it is improbable for natural selection to create structures as complex as those that are observed in nature. However, science has proven over and over that these claims aren’t true – and evolution is in fact a viable process of creating complex structures. It isn’t just life that continuously evolves, but fraud as well.

Everyone who follows this blog probably knows that. Over time, fraud has become more and more sophisticated, reaching levels that make it extremely hard to suppress – from drive-by-downloads and man-in-the-browser attacks to rootkits. However, evolution isn’t just about making things better but to adjust living creatures to their ever changing surroundings. The giraffe’s long neck doesn’t make it better or more sophisticated in general (although giraffes are generally awesome), it just makes it more adaptable to theSavannah. Fraud in that sense is also adapting, but instead of searching for food, it adapts to obtaining as much money as possible. If money from one fraud chain depletes, it would adapt and create a different one.

As I’ve mentioned in the past, in order to discover these new fraud-chains (part of fraud’s natural selection process), fraudsters use trial-and-error. This is why from time to time we would see phishing attack campaigns on surprising targets, which will never appear again once taken offline. Fraudsters attempt something new, fail, and move to try other things. In some cases, however, they do succeed. This is where it all comes back to the same false criticism of natural selection – this process can be responsible for creating very complex fraud chains, or alternatively reveal very hard to find vulnerabilities at organizations that can be exploited.

This is how fraudsters used to discover specific BIN numbers (first six digits of a credit card’s number, identifying the issuer) that had the CVV loophole. Other fraud chains span multiple channels. One of the fraud chains that I found interesting used premium numbers (numbers the caller pays for every minute, such as sex lines). The country was using EMV technology yet some payphones accepted mag-stripe cards. So, in order to cash out credit cards, fraudsters would set up these premium lines, go to the phone booth and start calling using cloned cards. When money from in-store carding has been depleted thanks to EMV technology, fraudsters simply evolved to using premium lines and phone booths. As I mentioned in previous posts, other means of adapting to EMV included the cashout of cloned cards in countries that are yet to support this technology.

The underground economy, in that regards, is a catalyst of change. On one hand, it allows the quick distribution of knowledge about newly discovered fraud chains. Since fraudsters aren’t exactly ready and willing to give away their trade secrets, even if the knowledge isn’t shared – it allows an entire community to benefit from one’s personal discovery. Thus, allowing fraudsters as a community to much rapidly benefit from advancements thanks to fraud’s version of natural selection.

•