Security Lessons From a Payment Fraud Attack

Companies need to detect and counteract brute-force and enumeration attacks before fraudsters run away with their customers’ funds.

On April 10, 2020, Atlanta-based fintech firm Brightwell was navigating more than the deadly COVID-19 pandemic.

It all started with a series of customer phone calls. That morning, sometime between 7 a.m. and 8 a.m., Brightwell received word from the customer service team that customers had called to complain about missing funds, says Ernie Moran, at the time Brightwell’s senior vice president of risk. Under normal circumstances, if users noticed a discrepancy upon logging into their app, the company typically would look into the problem to determine whether the customer mistakenly overspent or fraud had occurred. Unfortunately for Brightwell, it was the latter.

“I would say the next 24 hours was the most insane 24 hours I think we’ve ever had at Brightwell,” Moran says. “From that point forward, we started hearing from more and more customers. And you start the research process, and you start going into the platform, the processor platform, and looking at the data.”

Brightwell spent the following weeks dissecting the damage of an attack that resulted in $2.5 million stolen in the span of four hours, Moran says. With the pandemic pushing more transactions online, more online fraudsters are targeting e-commerce platforms and payments companies. Sources advise payments providers to implement multiple measures prior to and during the transaction process to detect brute-force and enumeration attacks before fraudsters run away with customers’ funds.

During the first five days of Brightwell’s investigation, the company assessed how widespread the fraud was. First, it reviewed the authorization reports generated by its payments processor and the reports generated by its card brand. Then it cross-checked its internal data with the external reports, Moran says. The threat actor used the stolen credentials to buy cryptocurrency at an exchange, he says.

Over the course of its investigation, Brightwell discovered that a fraudster deployed a bot to guess the prepaid debit card numbers, expiration dates, and CVV numbers for 41,000 cards; the guesses succeeded after 100,000,000 authorizations, Moran says. The bot guessed the credentials across seven merchants; one merchant, in particular, was used to steal “a large dollar amount,” he says. Brightwell didn’t name the sellers affected by the attack, nor did it disclose the general amount stolen per customer.

The ordeal led the company to create its fraud alert system, Arden, which stands for “AI risk detection engine.” Despite all the data collected, Moran, now senior vice president of Arden, says the company couldn’t figure out who was responsible for the attack.
