The dark web.
It deserves its name as it conjures images of illegal services, illegal goods and fraudsters lurking behind every Tor browser’s URL. In fact, one company has even posted a warning to consumers about the amount of fraudulent activity on the dark web complete with a price menu. For example, online banking credentials with login name and address of the account holder, as well as specific details on how to access the account, can be had for a mere $40.
How to deal with the dark web? Kevin Lee, head trust and safety architect at Sift, told PYMNTS that a proactive, collaborative approach is critical in spotting and stopping fraud. To illustrate the potential pitfalls, Sift uncovered a network of fraud marketplaces on the Telegram messaging app that allowed fraudsters to exploit stolen user data — with the dark web as the source — in plain sight. It was one of the more visible hacks that exposed data tied to millions of users on the darknet.
With the increasing popularity of messaging apps like Telegram, accessing that data no longer means you need to be super tech savvy, he said.
“You can get this information and create these different exploits with that info,” he said. “Even from platforms like Reddit and Telegram.”
The lure of platforms is that they exist as places where pretty much anyone can get together in a relatively anonymous fashion to trade, buy or sell different goods and services, and in particular, to traffic in information. Dig a bit, and you’ll find “bibles” for hackers, said Lee — essentially, “how-to” guides that show how to exploit a business.
The vulnerabilities are certainly there — as Lee told PYMNTS, roughly two-thirds of online users re-use passwords and other data when logging into any of the myriad apps and platforms they use on a daily basis. Gain access to one, and it’s more than likely the fraudsters will gain entry somewhere else. And, fraudsters love to share their findings with other criminals.
“All of this stuff is being presented on apps like Telegram, and then essentially being bought and sold via bitcoin,” said Lee.
Welcome, then, to the flourishing fraud economy, where everything from credit cards to account takeovers and abuse of loyalty points are the hallmarks.
Although fraud by and large is industry agnostic, recent verticals targeted by the bad actors have included online sports betting and food delivery, he said. Sift has found that fraud rates among restaurants apps and food delivery services were up 14 percent from the third quarter to the fourth quarter of 2020.
Food Delivery Stokes Fraudsters’ Appetites
“What we found was many food delivery companies were being targeted by bad behavior,” said Lee.
Bad guys get the munchies, too, and sometimes, they pivot to mobile apps to satisfy their cravings. Food and delivery apps are becoming savory fraud targets simply because they are the easiest to infiltrate when it comes to instant gratification, said Lee.
As Lee described it, here’s how the dark web process can unfold. Suppose a dark web user goes on a Telegram forum looking for a fraudster “selling” food from a popular app at a cheap price (30 cents on the dollar, for example). He finds one. That person would then go to the legitimate food app and take a screenshot of their desired meal, send it to the dark web fraudster and pay 30 percent of the total true bill in bitcoin. The fraudster collects the bitcoin, places the full price food order with a stolen credit card and sets the delivery address as the original shopper’s.
No matter the vertical, merchants lose out because they are being hit — and will be hit — by chargebacks. There is other damage accruing to those merchants as well, said Lee. The consumer who sees his or her loyalty points drained away will feel cheated and may vote with their feet.
Big Tech and Big Questions
For the Big Tech firms themselves, and specifically their platforms, questions arise over liability, noted Lee. At present, it’s uncertain what will happen with Section 230, part of the Communications Decency Act of 1996, which in effect provides tech firms immunity from third-party content.
Then there’s the question of ethics.
“If you ask the question, ‘What is misinformation? What is fake news? What is objectionable content? Who watches the watcher?’ It is very, very gray when it comes to figuring out what is right and what is wrong,” Lee said. “Ultimately, I do believe that it’s in the best interest of the company to both protect their users and their platform against this type of abuse. Trust is earned in drops and lost in buckets here.”
He added that “it’s incredibly difficult to get that trust back once it’s broken.”
Sift, he noted, offers products called Content Integrity and Account Defense, in addition to its Payment Protection offering, which can be leveraged to reduce those incidences of fraud.
“We approach [fraud prevention] with machine learning, so businesses can go from a reactive stance that depends on deploying a rules-based system to stop this abuse,” he said.
A machine learning and high-tech approach promotes a proactive stance, where an ecosystem can be created that’s difficult for fraudsters to penetrate, he said. Merchants within the Sift network collaborate and essentially share a “big brain” that alerts all merchants to attacks. Collaboration within firms is also important, he said. Gone are the days when the risk team might be one or two people in a corner of a firm, detached from other operations.
“These people need to collaborate internally with their own teams and develop some really strong cross-functional relations,” he said.
A strong fraud prevention ecosystem and cross-functional teams within enterprises can help build a “trust and safety” mindset that ultimately leads to a better customer experience, he said.
It’s a mindset that is not only involved at the end when a chargeback does come in, but also at beginning of a specific journey, when an enterprise is launching a product or introducing a new feature.
“It’s trust and safety by design,” he told PYMNTS.