If the payments industry is expecting a sharp rise in online fraud, it can stop holding its breath. It’s already happening, and with the official holiday-shopping season getting under way, it’s going to get a lot worse. Yet, just as attacks are growing more numerous, funding for firms that combat online fraud is slowing down.
Fraudsters are attacking online merchants and financial-services firms at ever-rising rates both to steal goods and services and to test stolen identity data for future attacks. Increasingly, criminals are flooding their targets with sophisticated bot attacks to place illicit orders or to complete stolen identities.
ThreatMetrix Inc., a San Jose, Calif.-based identity and access-management firm, shut down 130 million such online attacks in the July-through-September period, up 40% from the same quarter in 2015, according to the company’s third-quarter report, released Tuesday. This follows a 90% year over year increase in attacks stopped by the firm in the second quarter.
That works out to between 10 million and 11 million attacks per week at the current rate. But ThreatMetrix says the fourth quarter will see an even more stepped-up barrage, with weekly attacks on so-called key retailers reaching 50 million at the peak of the shopping frenzy.
Observers have been expecting an increase in online fraud since the conversion of the nation’s point-of-sale system to the more-secure EMV chip card standard started in earnest more than a year ago. But that increase has clearly been in progress for some time, and with a sophistication and frequency perhaps few foresaw. "Attacks have evolved from being one-dimensional with a singular purpose to being a Frankenstein's monster of attack vectors, using bots, social engineering, and remote access stealth in various combinations," Vanita Pandey, vice president of strategy and product marketing at ThreatMetrix, said in a statement.
Along with the rise in fraud comes a dramatic shift among consumers away from desktop shopping to mobile usage. Mobile accounted for 43% of all transactions analyzed by ThreatMetrix in the third quarter, up from 29% in the year-ago period. In financial services alone, mobile accounted for more than half of all transactions. More than half of all new accounts were started through mobile devices, according to the report.
Fraudsters have taken note. ThreatMetrix reports “bot attacks on e-commerce merchants were pervasive and widespread” in the third quarter, at times outnumbering legitimate traffic. In the hands of online criminals, bots are scripts that act automatically to access accounts with stolen user names and passwords or create wholly new accounts with fake credentials. Much of the bot barrage, indeed, is aimed at confirming stolen identities for future use, the report says.
Yet, while fraudsters are stepping up their attacks, investors are pulling back on funding firms, especially startups, that specialize in technology to detect and defeat stolen and faked identities. Financing for such companies peaked in 2014 at $667 million on 56 deals in 2014, according to data from CBInsights, a New York City-based firm that tracks technology investment. Funding was more or less flat at $659 million on 40 deals last year, but has slid to $362 million so far in 2016 on 34 deals. CBInsights forecasts that number will hit $452 million by the end of the year, below the level seen in 2012.
Meanwhile, funding for cybersecurity generally has also declined. “The trend in [identity and access] funding parallels the funding contractions we’ve been seeing across the cybersecurity industry as a whole this year, amid investor worries that the cybersecurity space has been overfunded,” CBInsights notes.