Data hijacking, card testing and identity theft are increasingly among the main cybersecurity threats facing digital finance companies and can even deliver fatal blows to emerging fintechs, which have fewer resources with which to see off scammers.
While big fintechs are turning to data and artificial intelligence (AI) to prevent and block suspicious activity, young startups are becoming easy prey for increasingly sophisticated scammers and are putting a strain on the entire ecosystem.
The situation is particularly serious in Latin America, where attacks have risen considerably.
A study carried out by the payment processor Stripe found that, between 2019 and 2022, fraud attempts using card testing — a process in which fraudsters make small purchases to determine if card numbers are valid — increased globally more than 100-fold.
Stripe, a paytech active in 47 countries, says it has succeeded in blocking more than 20 million card tests in a single day, a record it expects to break this year as this fraud modality expands, particularly in LatAm.
“With the increase in digital transactions, people are shopping online every day. Similarly, fraud attempts and fraudsters have also increased” in number, Desmond Mullarkey, the company’s head of revenue for Latin America, told iupana.
“This is a trend we’re seeing in particular in Mexico, which unfortunately has one of the highest digital fraud indicators in Latin America and in the world,” he adds.
According to Condusef, Mexico’s consumer protection agency, 59% of financial fraud reported during the first half of 2022 was carried out through digital channels. The situation led the government to propose a federal cybersecurity law, which could see the light of day this year.
After Mexico, Brazil is the Latin American country experiencing the most fraud attempts, according to cybersecurity firm Fortinet.
Digital kidnapping: Ransomware
Stripe detects and anticipates attacks using machine learning and AI to draw patterns and spot anomalies and suspicious activity, tapping into huge data lakes built on its payment ecosystems.
“That is really where Stripe, everyone, wants to be on the lookout and, using technology, seek solutions, innovate, and protect consumers and merchants. Because there’s a huge associated cost,” says Mullarkey.
The company, which is valued at around US$60 billion, is one of the world’s largest payment processors — almost 90% of card transactions in the United States go through Stripe — which gives it financial strength that can be transferred to its cybersecurity management, according to Mullarkey.
But for smaller fintechs, experts paint a more complex picture. By nature, startups are especially vulnerable to cyberattacks: They’re enterprises under development and don’t always have the personnel or technological resources to shield digital vulnerabilities.
“We have detected that 60% of small and medium-sized companies [fintechs] go bankrupt after being victims of cyberattacks,” says Cristian Torres, marketing director at Lumu Technologies, a cybersecurity company of Colombian origin that’s headquartered in the United States.
The executive highlights that ransomware (or data hijacking) is the most common form of digital attack on fintech companies.
This method of cyberattack is expected to continue to grow globally considering that 63% of the affected companies paid ransoms last year, according to a study by digital security consultancy CyberEdge, encouraging cybercriminals to continue seeking out more victims.
Torres says that this form of blackmail includes a triple extortion mechanism: The target company is asked to pay a ransom or risk having sensitive financial information made public, which can place suppliers and end users in jeopardy.
APIs and phishing in Latin America
Another route that digital criminals use to access a company’s information is integration with third-party services through APIs. It’s commonplace for open and embedded finance fintechs to use other technology firms to enhance their solutions. However, that can represent another security risk.
“When we use these third-party libraries or third-party software, we don’t audit them and we’re not able to establish whether that software is safe or not,” says Felipe Gómez, Latin America manager at Fluid Attacks, a company specialized in ethical hacking.
“Therefore, any vulnerability in this software that we’re using internally makes the organization vulnerable,” he says.
On the other hand, Gómez points out that digital fraud techniques haven’t changed for several years, but they’ve been adapted to new technologies in use.
For example, a report by Russian antivirus software provider Kaspersky describes phishing as “the great villain of LatAm.” Fraudsters use this method to exploit the weakest link in transactions —people— by tricking them into revealing their card or app credentials. They take advantage of messaging services such as WhatsApp to reach more users.
The cybersecurity company says it blocked 110 phishing messages per minute in LatAm during 2022.
Impersonation for $75
Fintechs are devising new protection methods that are less onerous than data mining, in an effort to block fraud attempts. For example, Mexican fintech Trully offers a service that uses collective intelligence to prevent fraud via impersonation.
In Mexico, identification documents can be bought on the black market for just $75, according to the company. And presenting an ID is one of the basic requirements for any digital onboarding process, says Fernando González, the fintech’s CEO and founder.
“Companies that have a higher digitalization rate are more likely to succumb to impersonation fraud,” he says.
The fintech offers companies access to a shared database where images of faces identified as fraudulent are stored, allowing users to thwart criminals looking for weak digital onboarding systems.
“If I’ve already got past a company with that fake ID, I’ll most likely go and buy 10 other IDs and go back to get more loans from the same company,” says González.
Trully’s collective intelligence acts as a cross-checking bureau to notify its customers if a face has been tagged as fake. “It’s pointless creating isolated solutions for each bank, each financial entity, if knowledge is generated in silos. If we really aspire as a technological ecosystem, a financial system, to eradicate fraud, we have to be as —or more— organized as the fraudsters,” says González.