Concerns raised over holiday cybercrime attacks.(Source: Shutterstock)

Two cybersecurity reports paint a dreadful end-of-the yearpicture: one forecasts major data breaches fueling a holiday retailcybercrime spree; the other suggests financial institutions on thehook for any incidents.

Fraud increased 30% overall in the third quarter 2019 andbot-driven account registration fraud is up 70% as cybercriminalstest stolen credentials in advance of the holiday retail season,according to "The Q4 Fraud and Abuse" by San Francisco based ArkoseLabs, which provides a platform combining telemetry with anadaptive step-up challenge to identify bad actors. The studyprovided insights into the cybercrime ecosystem and how criminals are preparing for large-scale digitalcommerce attacks in this year's last quarter.

The report analyzed over 1.3 billion transactions spanningaccount registrations, logins and payments, in the financialservices, e-commerce, travel, social media, gaming andentertainment industries, from July 1, 2019 to Sept. 30, 2019.

Arkose Labs found one in five account openings were fraudulentand an elevated attack rate on retail payment transactionsforecasts a record-high holiday fraud season. Account takeoverattacks are a precursor to payment fraud. Eighty-one percent of allretail attacks were fraudulent payments transactions.

Kevin Gosschalk, CEO of Arkose Labs, said, "One thing is clear:the way fraudsters are weaponizing compromised data from recenthigh-profile breaches highlights the deep connectivity of theglobal cybercrime ecosystem that goes way beyond selling stolendata or knowledge sharing. One attack is a precursor to anotherattack, and they can be in two different industries, across twodifferent geographies."

Among the other findings:

• Digital account registration on social, tech and gamingcompanies has become the identity testing mechanism for fraudsters.Even when an account creation attack fails, it can provide valuableinsight into an account's existence. Within the tech industry, fakeaccount creations, nine times more likely attacked compared tologin attempts, increased five-fold from the second quarter.
• Attacks from malicious humans – both lone perpetrators andorganized fraud sweatshops — increased 33% over the previousquarter; and nearly one in every five attacks (every third attackon financial services) is human-driven.

"Our report exposes the monetization roadmap criminals take tocommit an attack," Vanita Pandey, vice president of Strategy atArkose Labs, said. "First, fraudsters test credentials – which weare witnessing in profusion across all industries. Next, they takeover accounts. Payment fraud is usually the last step in the attackcycle and the overwhelming volume of fraudulent retail paymenttransactions in quarter 3 forecasts a very ominous holiday shoppingseason."

Gosschalk noted, "Digital commerce has made it easy to launch aglobal business but at the same time, it has never been easier fora fraudster to target businesses across the globe." He added, withaccess to sophisticated tools, complete identities harvestedthrough breaches and phishing attacks, anyone can launchsophisticated attacks.

"How Fraud Stole Christmas," a study from Baltimore-basedTerbium Labs, which provides a digital risk protection platform,suggested fears of data loss, identity theft and fraud are leavingAmerican consumers on edge this holiday season, and they areprepared to hold their financial institution responsible for thedamages.

Terbium Labs surveyed over 1,000 consumers in October 2019 inthe U.S. to better understand their shopping behaviors andpreferred payment strategies during the 2019 holiday shoppingseason.

They discovered American consumers on high alert heading intothe busy holiday season, as 66% believe they could easily become avictim of fraud, while another 65% believe they are at a higherrisk of having their financial information exposed as a result oftheir holiday shopping. Sixty-eight percent would hold theirfinancial institution at least partly responsible for fraudulentactivity, regardless of how the compromise occurred.

"Financial institutions are under heavy scrutiny by consumersduring the holiday season, and should be taking customer trust andloyalty very seriously," Emily Wilson, vice president of researchat Terbium Labs, said. "Cybercriminals thrive during peak holidayshopping – the hustle and bustle of transactions and unusualshopping patterns create countless opportunities to capture paymentdata and attempt fraudulent transactions." Wilson pointed out nothelping the situation are distracted consumers, who prefer reactivemeasures to account for fraud, while holding financial institutionsto a high standard in keeping their data safe.

Consumers made it clear they expect their financial institutionto be accountable, even if it was not the original source of thedata breach. Fifty-one percent said they would blame both theoriginal source of the data compromise, such as a retailer, and thefinancial institution issuing the card, while another 17% said theywould only hold their financial institution responsible regardlessof how the compromise occurred.

According to the data, this will directly impact the bottom lineas financial institutions stand to lose 45% of their customer baseif a holiday data breach occurs. Nineteen percent said they wouldleave the financial institution and close their account following adata breach; and another 26% indicated they would only keep theiraccounts if their financial institution improved security.

Consumers are most concerned over the compromise of SocialSecurity numbers (23%). Following closely, compromised debit card(22%) and credit card numbers (21%).

Meanwhile, consumers do not seem proactive in limiting their potentialexposure. More than a third (35%) plan on using a mix of bothdebit and credit cards, while nearly half (49%) said that they willuse between two and three cards. This creates far more opportunityfor cybercriminals to capture payment data. Additionally, only 7%plan on using two-factor authentication when shopping online.Instead, more than a third (38%) plan to prioritize monitoringtheir transaction history, even though 14% indicated frustrationwhen too many unsuspicious purchases get flagged.

Wilson said, "The wave of massive breaches exposing personaldata in recent years has left consumers more worried than everabout protecting their identity information – making the stakeseven higher for financial institutions who need to secure thatdata."