How VISA uses generative AI to combat account fraud attacks

Attackers rely on automation in brute force attacks on card testing, including the use of botnets and scripts to force fraudulent card-not-present (CNP) transactions, resulting in $1.1 billion in fraud losses last year -Dollar caused.

Enumeration attacks are deadly in their speed and scale, as attackers rely on every automation technology available to defraud victims faster than traditional cyber defenses can track and keep up with them. Attackers’ arsenals now include large networks of hacked systems that can launch thousands of automated botnet attacks in a matter of seconds.

This is how enumeration attacks work

Attackers are constantly honing their craft with new automation techniques that evade easy detection. The attackers’ goal is to weaponize every new technology available, including rapid experiments with generative AI and weaponized LLMs combined with tried-and-tested automation technologies, including botnets and scripts.

“With each passing year, digital fraudsters become more and more sophisticated. They are the early adopters of technologies such as generative AI to improve the quality and scale of their attacks on companies large and small,” Christophe Van de Weyer, CEO of Telesign, told VentureBeat. “They have also become better at social engineering by calling corporate IT departments pretending to be employees based on information they have collected online and then asking to reset passwords and MFA devices.” , explained Van de Weyer. “This is one reason why global fraud has become a $6 trillion annual business – larger than the GDP of most countries.”

Michael Jabbara, senior vice president at VISA, told VentureBeat: “Enumeration attacks have been increasing quite rapidly. With the digitalization of retail in recent years, more and more businesses are going online. So there are more entry points for these threat actors to launch their attacks from, and I think that will continue to increase.” VISA found that 33% of enumerated accounts were within five days of an attacker gaining access After receiving their payment information, fraud occurred.

What makes enumeration attacks so deadly is the fact that they transmit a unique combination of payment values, including primary account numbers (PAN), card verification values ​​(CVV2), expiration dates and zip codes, within seconds to crack CNP transactions and e-commerce Platforms to defraud merchants. Attacks often prioritize systems that provide user feedback that indicates when automatically generated guesses are correct.

VISA Security has found that enumeration attacks are most often successful by exploiting vulnerabilities in e-commerce platforms, particularly those with inadequate rate limiting or verification processes. VISA recommends its merchants implement at least CAPTCHA controls, monitor transactions for unusual activity, and use encryption and hardened multi-factor authentication to reduce the risk of an attack. More and more banking, e-commerce and retailer platforms are also introducing strict tariff limitation thresholds. The goal is to limit the number of attempts a user can make to authenticate or use recovery features within a given time period.

The craft of enumeration attacks has matured so quickly that a recent VISA report found that attackers have become so advanced that they are exploiting negligent onboarding policies within large merchant ecosystems and are actively exploiting vulnerabilities in digital payment systems. Banking systems are also under attack. By leveraging large networks of infected devices, attackers find accounts most vulnerable to CNP transactions and other forms of fraud.

VISA has created a compelling use case for combating fraud with genetic AI

VISA first introduced Visa Account Attack Intelligence (VAAI) in 2019 to combat and prevent the increasing variety of payment fraud attacks targeting its operations and partners. Identifying CNP transactions has become a key focus of VAAI, Jabarra told VentureBeat. The VAAI solution integrates breach, cyber and payment intelligence insights to provide a unified fraud defense solution.

Today, VISA expands its arsenal of intrusion detection tools with a new genAI-based VAAI score. At the heart of the new score’s architecture are generative AI components that identify and evaluate enumeration attacks. Each transaction is assigned a risk score in real time to achieve the goal of detecting and preventing enumeration attacks in CNP transactions. The aim is to enable issuers to make faster and more accurate decisions about accepting or rejecting a transaction, ensuring the security of legitimate customer transactions while reducing financial losses. Jaberra told VentureBeat that the new VAAI score will be communicated via VisaNet to help merchants and partners determine the likelihood of fraudulent transactions in real time.

VISA has found a perfect use case for combating fraud with genAI in its new score. The VAAI score can provide a risk assessment within 20 milliseconds of processing a transaction and analyze over 182 risk attributes to determine the likelihood of fraud. Developed based on an analysis of over 15 billion VisaNet transactions, the score has six times more features than previous models, significantly improving its ability to identify suspicious activity. It also shows the potential to reduce false positives by 85%.. By combining genetic AI and machine learning techniques, the VAAI score continually learns and helps VISA Security detect when attackers are attempting to bypass CNP security measures.

In total, VISA has invested over $10 billion in AI, machine learning and related technologies to improve fraud prevention and network security. Investments in VAAI and its associated tools have helped VISA block $40 billion worth of fraudulent activity in a single year.

The challenge is to increase accuracy and speed in real time to prevent fraud

Jabbara said VisaNet relies on ISO standards to integrate with its many partners and vendors at scale to share VAAI results to eliminate attackers launching enumeration attacks. “We provide the VAAI score in the transaction message itself,” Jabbara told VentureBeat. “There is a specific area where we bring that score and then the customers themselves can build rules based on that score depending on their risk appetite and the operational policies that they have internally,” he explained.

Providing real-time risk assessment results is a rapidly evolving area of ​​fraud detection. “Companies need to assess the risk of fraud throughout the entire customer journey,” Van de Weyer told VentureBeat. To meet this challenge, Telesign relies fully on AI and machine learning.

“At Telesign, our Intelligence API makes it easier to understand the risks and why. We identify red flags using patterns from phone number activity, email, IP addresses, and more. Intelligence looks for anomalous behavior by analyzing call speed, duration, patterns and usage to detect risky numbers,” Van de Weyer said. “This process feeds into the risk recommendations and assessments we provide, which can be used by a customer to better understand when they should strengthen their authentication processes.”