Enumeration attacks, where threat actors use automated scripts or botnets to repeatedly submit card-not-present (CNP) transactions using different combinations of payment values, such as a primary account number (PAN), a card’s verification value (CVV2), expiration date and postal code, cause as much as $1.1billion annually in fraud losses.
Recognising the significance of this type of fraud, payments giant Visa has updated its Visa Account Attack Intelligence (VAAI) with a new tool that uses generative AI components to identify and score enumeration attacks: ‘VAAI Score’.
VAAI Score will be available to US issuers first and looks to help reduce fraud and operational losses by assigning each transaction with a risk score in real-time to detect and prevent enumeration attacks in card-not-present (CNP) transactions.
Paul Fabara, chief risk and client services officer at Visa, explained the impact the new tool could have: “Enumeration can have lasting impacts on our clients and there’s an immediate need for tools that can better detect and prevent these attacks in real-time. With the VAAI Score, our clients now have access to real-time risk scoring that can help detect the likelihood of an enumeration attack so issuers can make more informed decisions on when to block a transaction.
Visa explains that 33 per cent of enumerated accounts experienced fraud within five days of a fraudster obtaining access to their payment information.
By leveraging generative AI Visa’s VAAI Score identifies the likelihood of complex enumeration attacks in real-time to help reduce fraud without compromising the integrity of Visa’s performance and accuracy. The tool has reduced the false positive rate by 85 per cent compared to other risk models, as the VAAI Score focuses on specific signals for enumeration allowing for a stronger performance.
Helping issuers reduce fraud levels
VAAI Score hopes to help issuers with:
- Reduced fraud and operational losses: Helps identify complex enumeration attacks in real time which can help reduce follow-on fraud from validated accounts and operational losses due to enumeration such as customer center calls and card reissuance and help safeguard clients.
- Improved cardholder experience: Helps identify when legitimate cardholder transactions are not impacted, while giving issuers a tool to proactively decline transactions at risk for enumeration attacks.
- Real-time transaction scoring: Provides a real-time risk score in 20 milliseconds which can help clients in identifying enumeration and using it in their authorisation decisioning when used with a rules engine.
Visa has trained the VAAI Score model on over 15 billion VisaNet transactions and has six times the number of features compared to previous VAAI models to help better assess suspicious enumeration transactions.
Visa’s approach uses noisy data to train the highly accurate real-time AI model. By evaluating each CNP transaction against enumeration patterns, the new risk scoring model derives a two-digit risk score that helps predict the likelihood of enumeration to help better determine when to approve, and when to decline, a transaction.
Putting a stop to billions of dollars of fraud
Michael Jabbara, SVP global head of fraud services at Visa, also commented: “With access to advanced technology, fraudsters are monetising stolen credentials faster than ever before. Enumerated transactions impact the entire ecosystem, and with the VAAI Score, we’re giving our clients a sophisticated tool that can help prevent cardholder accounts from being compromised and stop fraudulent transactions before they happen.”
At Visa, security and reliability are top priorities year-round. Over the past five years, the company has invested more than $10billion in technology, including to reduce fraud and increase network security. More than a thousand dedicated specialists protect Visa’s network from malware, zero-day attacks and insider threats 24x7x365.
In FY23, Visa helped to proactively block $40billion in fraud, preventing many from ever knowing they were at risk of a potential fraudulent transaction using their information.
