In this exclusive opinion piece, Shahnawaz Backer, Principal Security Advisor at F5 elaborates on ihe art of gaming the system with complicity.
Companies like Uber, Airbnb, PayPal and others with platform business models have flourished over the past few years by matching up service providers such as restaurants and drivers with consumers while hiding the complexity of the underlying processes.
The rapid adoption of this business model has brought it into the crosshairs of fraudsters, who are always scheming to game the system and illegally monetize legitimate business processes. Recently, F5 Labs has found that attackers are occasionally defrauding digital systems by colluding with other participants who play different roles on the platform.
What is going on?
Collusion fraud occurs when two or more participants conspire to defraud another participant during a digital business transaction that involves multiple participant groups. It is growing in prominence as more businesses embrace digital platforms that serve multiple purposes.
For example, an online e-commerce provider’s digital platform allows a consumer to select items from a seller of their choice and have it delivered. A single business transaction on that platform provides online processing, payment, preparation of goods, logistics, and delivery. Completing these activities involves services from multiple providers specializing in different areas, which at times takes the processing out of the platform’s control. The collaborative act of completing these multistep business transactions provides an avenue for malicious players.
Fraudsters design hacks so they can quickly make money and target returns that are generated as by-products of the main transaction, such as a cashback or gratuity. These by-products are usually managed separately from the main transaction and are often hard to reclaim post fraud detection if the consumer or other participant has already used them.
Case one: leading food and beverage company
As part of our research, F5 Labs zoomed in on a leading food and beverage (F&B) company, where collusion fraud manifested as gratuity, or tip, abuse. The company’s digital platform provides a convenient service to customers by bringing together the restaurant outlet, logistics requirements, and online payments. Figure 1 explains the legitimate process of completing an online transaction that includes a tip.
In this case, the consumer-fraudster and a delivery person colluded to monetize stolen credit cards. They achieved the collusion fraud through the following steps:
• Using a stolen card, a fraudster places an expensive order (more than $300) that includes a generous tip (usually more than 30%).
• The order goes through the standard, legitimate lifecycle, as described in Figure 1.
• The credit card owner detects the transactions and disputes the charges with the bank. This leads to a chargeback—a transaction reversal by a bank for a disputed fraudulent transaction—on the F&B platform for the full amount of the order, including the tip.
• The tip amount that was paid out for the delivery service cannot be recalled.
Shape’s security data revealed that in a period of three months this particular F&B online platform received almost 3,000 collusion fraud orders with a cumulative value of USD $1.5 million and gratuities/tips amounting to about USD $350,000.
Case two: leading online payment wallet
The second case involved a leading online payment wallet that was defrauded of cashback rewards due to collusion. Figure 2 documents the legitimate flow of a transaction initiated by a consumer.
In this case, the consumer and Merchant X conspired to defraud the payment wallet platform of rewards points in the following manner:
• Consumer purchases goods from Merchant X using a payment wallet platform.
• As shown in Figure 2, the consumer earns rewards points, which are then used to purchase goods from Merchant B. After the cashback reward has been used, Merchant X refunds the original sum to the consumer, citing reasons such as unavailability of stock.
• The payment wallet platform refunds the original sum to the consumer, but the cashback rewards are not recoverable.
Conclusion
As the adoption rate of digital services and platforms increases, consumers will be enticed by various incentives beyond cashback rewards. Fraudsters will find a way to collude to steal these incentives, resulting in a greater variety of collusion fraud.
It is important to note that detecting collusion is difficult and will require artificial intelligence to weed out such transactions at scale. This should include using artificial intelligence-powered analytical models, clustering groups and transactions to detect collusion fraud. Organisations will need to train and retrain the AI models as fraud techniques evolve.