When “BidenCash” fraudsters released the details of 1.9 million Visa credit and debit cards in December, about a third of them were put at risk, according to the card network giant's biannual “threats” report released last week.
That financial data for Visa’s customers was exposed when the underground cybercrime ring BidenCash posted its fourth free dataset of stolen credit card and debit card information online last December, Visa’s said in the report, citing an article from the online publication Bleeping Computer regarding the criminal activity.
The criminal organization, which emerged in 2022, has previously released payment account data and sold the verified data to bad actors. Visa’s payment fraud disruption department found that the most recent data set contained CVV numbers, card numbers and expiration dates.
BidenCash “is known to release vast amounts of free payment account data to gain recognition in the cybercrime community, and in turn, bring in paying customers for their shop of verified stolen payment account information,” Visa said in its report.
Of the Visa accounts exposed, the card network giant’s payments fraud disruption department identified about 556,000 Visa accounts that were put at risk, according to the report. It’s possible that some of them had been previously disclosed.
Visa “found the majority of payment accounts in the previous free releases were recycled from other stolen data sets, so it is probable the December 2023 release contains mostly recycled data as well,” the report said.
About half of the tainted accounts had been identified as problematic by Visa in the three months prior to the December incident due to what the company suspected were “enumeration” incursions. In enumeration, fraudsters attempt to hack into accounts by using automatic programmatic methods to guess account details by using e-commerce transaction information. In the report, Visa said that enumeration remains one of the “top threats to the payment ecosystem.”
The card network can detect “digital skimming malware” on e-commerce sites and can sometimes alert merchants to such trouble before fraudsters obtain data through such enumeration.
Once Visa spotted those card accounts had been targeted by enumeration, it put merchants on notice so to try to prevent fraudulent use of the cards, the report said. Separately, Visa also notified bank card issuers of the at-risk BidenCash-attacked accounts.
The company didn’t see a strong correlation between the BidenCash data and Visa’s compromised account management system notifications, suggesting that the stolen data wasn’t used, or didn’t trigger the notices.
Crime rings like BidenCash aren’t the only fraud headaches for card companies. Such incursions are part of a growing list of threats putting consumers and businesses at risk, Visa noted in a statement regarding its 2024 report. The biannual report provided a laundry list of fraud types threatening accounts and provided an update on trends in that area.
“With the use of Generative AI and other emerging technologies, scams are more convincing than ever, leading to unprecedented losses for consumers,” Paul Fabara, Visa’s chief risk and client services officer, said in a March 20 statement that accompanied the release of Visa’s report.
Visa stopped $40 billion in fraud during fiscal year 2023, up from $23 billion in 2022, according to a summary of the report. As part of its payment fraud prevention efforts, Visa’s risk operations center has blocked 49.8 million transactions between June through December 2023 valued at more than $5.6 billion. The company has also hired some 1,000 cybersecurity professionals, per its report summary.
In another type of fraud, the company spotted about 327,000 primary account numbers and connected nearly 5,000 businesses with high-risk purchase return authorizations, which amounted to $58.6 million worth of transactions, the company said in its report summary.
Though the company pointed to generative AI usage as a contributing factor in the rise of payment fraud, the company has been using its own tools to recognize suspicious activity. During an RBC Capital Markets investor conference earlier this month, Visa CEO Ryan McInerney said the company has developed synthetic datasets, scoring algorithms and fraud mitigation tools that can function in “entirely different payment ecosystems.” “We’re doing this with large at-scale, real-time payment networks and banks all around the world,” he said.
Similarly, Mastercard has also been identifying new forms of payment fraud. This month, the card network detailed the emergence of “friendly fraud,” which encompasses customers seeking credit for purchases they approved, but ultimately regret or want to receive for free, Mastercard said. It also includes customers mistakenly forgetting about a purchase, companies billing customers under an unfamiliar name or a child using their card without their permission, the company noted in a blog post.
To prevent such fraud, Mastercard said it has launched a program that enables businesses to share data on first-party misuse transactions. The company is introducing the service to U.S. companies later this year and expanding the service to international markets, according to Mastercard’s statement.