According to a 2023 Gallup survey, approximately 42 million US adults have experienced identity theft, making it the primary concern among survey respondents, surpassing even fears of violent crime. The issue of identity fraud is intensifying, partly due to the availability of sophisticated AI tools that cybercriminals can utilize. However, these same tools are also employed by financial institutions and cybersecurity firms to combat fraud.
Visa, for example, has adopted generative AI technology to enhance its ability to detect and potentially prevent one of the most prevalent types of fraud. This initiative aims not only to mitigate financial losses but also to alleviate the associated inconveniences for consumers. Unlike AI chatbots used for tasks like resume enhancement, image creation, or poetry generation, Visa’s technology is specifically trained on financial transaction data. This focus allows the tool to better understand and predict fraudulent activities within the realm of finance.
An enumeration attack, also known as a brute force attack, is one in which a perpetrator deploys automated scripts and botnets to execute hundreds of thousands of card-not-present transactions, the kind typical of online purchases where the physical card is not required at the point of sale.
The offender aims to test numerous combinations of account numbers, expiration dates, and three-digit security codes to identify valid credentials. Once a transaction is approved, it indicates that the credentials are authentic, allowing hackers to either sell these details on the dark web or use them for unauthorized transactions.
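The pattern described above leaves two visible traces in authorization logs: one card declined repeatedly with different expiry/CVV guesses, and one merchant seeing declines across many different cards in a short time. The following velocity check is an added example, not Visa's VAAI model and not code from the article; the log format, thresholds and names are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_GUESSES = 3                # assumed: declined expiry/CVV variants per card
MAX_DECLINED_CARDS = 4         # assumed: distinct declined cards per merchant

# Constructed records: time merchant card_token expiry cvv_fingerprint result
SAMPLE = """\
2024-05-01T10:00:00 M1 tok_A 0126 f1 DECLINED
2024-05-01T10:00:02 M1 tok_A 0126 f2 DECLINED
2024-05-01T10:00:04 M1 tok_A 0126 f3 DECLINED
2024-05-01T10:00:06 M1 tok_A 0126 f4 DECLINED
2024-05-01T10:01:00 M2 tok_B 0327 g1 DECLINED
2024-05-01T10:01:01 M2 tok_C 0327 g1 DECLINED
2024-05-01T10:01:02 M2 tok_D 0327 g1 DECLINED
2024-05-01T10:01:03 M2 tok_E 0327 g1 DECLINED
2024-05-01T10:01:04 M2 tok_F 0327 g1 DECLINED
2024-05-01T10:02:00 M3 tok_G 0925 h1 DECLINED
2024-05-01T10:02:30 M3 tok_G 0925 h2 APPROVED
""".splitlines()

def parse(line):
    ts, merchant, card, expiry, cvv_fp, result = line.split()
    return datetime.fromisoformat(ts), merchant, card, (expiry, cvv_fp), result

def detect_enumeration(lines):
    """Return sorted alerts: ('card', merchant, card) or ('merchant', merchant)."""
    by_card = defaultdict(list)      # (merchant, card) -> [(time, guess)]
    by_merchant = defaultdict(list)  # merchant -> [(time, card)]
    alerts = set()
    for ts, merchant, card, guess, result in sorted(parse(l) for l in lines):
        if result != "DECLINED":
            continue  # only failed attempts count as guesses
        for store, key, value in ((by_card, (merchant, card), guess),
                                  (by_merchant, merchant, card)):
            # Keep only declines inside the window, then add this one.
            store[key] = [(t, v) for t, v in store[key] if ts - t <= WINDOW]
            store[key].append((ts, value))
        if len({g for _, g in by_card[(merchant, card)]}) > MAX_GUESSES:
            alerts.add(("card", merchant, card))  # one card, many guesses
        if len({c for _, c in by_merchant[merchant]}) > MAX_DECLINED_CARDS:
            alerts.add(("merchant", merchant))    # many cards, one merchant
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE):
        print(alert)
```

A cardholder who mistypes a security code once and then succeeds (merchant M3 in the sample) stays below both thresholds.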
Michael Jabbara, senior vice president and global head of fraud services at Visa, reported that enumeration attacks have led to over $1 billion in losses on Visa’s network in the past year, highlighting them as one of the most significant fraud challenges faced by the company.
The specific role of GenAI
Introduced in 2019, the Visa Account Attack Intelligence (VAAI) tool utilizes deep learning to analyze card-not-present transactions and identify which financial institutions and merchants are being targeted by fraudsters. Visa has recently enhanced this tool with the addition of the VAAI Score, a feature designed to more accurately assess the probability of enumeration attacks by assigning a real-time risk score to each transaction. This score aids issuers in making more informed decisions about whether to block a transaction, according to Paul Fabara, Visa’s chief risk and client services officer. This development aims to minimize the inconvenience to cardholders by reducing the likelihood of legitimate purchases being declined as a security measure.
“Enumeration can have lasting impacts on our clients and there’s an immediate need for tools that can better detect and prevent these attacks in real-time,” stated Paul Fabara, Chief Risk and Client Services Officer at Visa. “With the VAAI Score, our clients now have access to real-time risk scoring that can help detect the likelihood of an enumeration attack so issuers can make more informed decisions on when to block a transaction.”
Initially, the VAAI Score will be available to U.S. issuers, although the specific rollout date has not yet been disclosed. The scoring system has been developed through the analysis of over 15 billion Visa transactions, which has trained it to distinguish between normal and unusual transaction patterns. Each card-not-present transaction is evaluated against established spending behaviors to determine its risk score.
“With access to advanced technology, fraudsters are monetizing stolen credentials faster than ever before,” stated Michael Jabbara, SVP Global Head of Fraud Services, at Visa. “Enumerated transactions impact the entire ecosystem, and with the VAAI Score, we’re giving our clients a sophisticated tool that can help prevent cardholder accounts from being compromised and stop fraudulent transactions before they happen.”
Michael Jabbara also noted that fraudsters conducting enumeration attacks, such as on online stores, are not actually interested in purchasing goods but rather in verifying stolen credit card information. This creates a significant challenge for card issuers trying to differentiate these fraudulent attempts from legitimate transactions.