Automated Enumeration Attacks: A Rising Threat in Digital Fraud
Attackers increasingly utilize automation to conduct card testing attacks, weaponizing botnets and scripts to facilitate fraudulent card-not-present (CNP) transactions. This alarming trend resulted in $1.1 billion in fraud losses last year alone.
The Speed and Scale of Enumeration Attacks
Enumeration attacks are not only fast but also operate on a massive scale. Attackers leverage advanced automation technologies, often launching thousands of automated botnet attacks in mere seconds. This capability outpaces traditional cyber defenses, making detection and prevention exceedingly challenging.
The Evolution of Cyber Tactics
Cybercriminals continuously refine their techniques, incorporating cutting-edge automation methods that evade simple detection. They utilize every new technology at their disposal, including generative AI and large language models (LLMs), alongside legacy automation tools.
Christophe Van de Weyer, CEO of Telesign, emphasized the growing sophistication of these fraudsters. "They are early adopters of technologies such as generative AI, enhancing the quality and scale of their attacks," he remarked. He added that fraudsters have improved their social engineering tactics, often impersonating employees to manipulate IT departments into resetting passwords and MFA devices. As a result, global fraud has ballooned into a $6 trillion industry, exceeding the GDP of many nations.
Michael Jabbara, Senior Vice President at VISA, noted the rapid increase in enumeration attacks, particularly due to the digitization of commerce and the proliferation of online retail. VISA data reveals that 33% of accounts enumerated experienced fraud within just five days of an attacker gaining access to payment information.
The Mechanics Behind Enumeration Attacks
What makes enumeration attacks particularly dangerous is their ability to rapidly submit unique combinations of payment values—such as primary account numbers (PAN), card verification values (CVV2), expiration dates, and postal codes—effectively cracking CNP transactions. These attacks typically target systems that provide user feedback, allowing attackers to know when generated guesses are correct.
VISA's research shows that enumeration attacks often exploit weaknesses in e-commerce platforms, particularly those lacking robust rate limiting or verification measures. The company advises merchants to implement CAPTCHA, monitor transactions for unusual activity, and adopt strong encryption and multi-factor authentication to mitigate risks.
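The monitoring VISA recommends can start as a velocity check over authorization attempts. The sketch below is an added example, not code from VISA or Telesign. The field names, thresholds and sample log are assumptions constructed for illustration. It flags two enumeration patterns: one source cycling through many cards, and one card guessed repeatedly from many sources.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    ts: float        # seconds
    source: str      # client IP or device fingerprint (assumed field name)
    pan_token: str   # tokenized PAN; raw card numbers never belong in logs
    approved: bool

# Assumed thresholds; tune against your own baseline traffic.
WINDOW_S = 60.0
MAX_PANS_PER_SOURCE = 5
MIN_DECLINE_RATIO = 0.8
MAX_DECLINES_PER_PAN = 3

def detect_enumeration(attempts):
    """Return {(kind, key): reason} for enumeration-like velocity in a sliding window."""
    by_source, by_pan = defaultdict(deque), defaultdict(deque)
    flagged = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        for q in (by_source[a.source], by_pan[a.pan_token]):
            q.append(a)
            while a.ts - q[0].ts > WINDOW_S:   # evict attempts older than the window
                q.popleft()
        src = by_source[a.source]
        pans = {x.pan_token for x in src}
        declined = sum(not x.approved for x in src)
        # Pattern 1: one source cycling through many cards, nearly all declined.
        if len(pans) > MAX_PANS_PER_SOURCE and declined / len(src) >= MIN_DECLINE_RATIO:
            flagged.setdefault(("source", a.source), "many distinct PANs, mostly declined")
        # Pattern 2: one card guessed repeatedly (CVV2/expiry), possibly from many sources.
        if sum(not x.approved for x in by_pan[a.pan_token]) > MAX_DECLINES_PER_PAN:
            flagged.setdefault(("pan", a.pan_token), "repeated declines on one PAN")
    return flagged

# Constructed sample log (documentation IP ranges, made-up tokens).
SAMPLE = (
    [Attempt(float(i), "203.0.113.7", f"tok-{i:04d}", False) for i in range(8)]
    + [Attempt(100.0 + 5 * i, f"198.51.100.{i}", "tok-9000", False) for i in range(5)]
    + [Attempt(200.0, "192.0.2.10", "tok-5555", False),   # typo in CVV2, then success
       Attempt(230.0, "192.0.2.10", "tok-5555", True)]
)

if __name__ == "__main__":
    for key, reason in detect_enumeration(SAMPLE).items():
        print(key, reason)
```

Keying the second check on the card token rather than the source is what catches botnet traffic, where each node submits only one or two guesses.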
The Role of AI in Combatting Fraud
In response to the increasing sophistication of fraud tactics, VISA launched the Visa Account Attack Intelligence (VAAI) in 2019 to combat the surge of payment fraud attacks. This solution focuses on identifying CNP transactions using a unified defense approach that integrates breach, cyber, and payment intelligence insights.
Today, VISA enhances its capabilities with the new genAI-powered VAAI Score, which evaluates enumeration attacks in real-time. Each transaction receives a risk score, empowering issuers to make informed decisions quickly and safeguard legitimate customer transactions while minimizing financial losses. The VAAI Score is shared via VisaNet, providing merchants and partners with immediate insights into fraudulent transaction probabilities.
The VAAI Score can generate a risk assessment within 20 milliseconds of a transaction being processed, analyzing over 182 risk attributes to gauge fraud likelihood. Developed from analyzing over 15 billion VisaNet transactions, the score boasts six times more features than its predecessors, significantly bolstering its fraud detection capabilities and potentially reducing false positives by 85%. By integrating generative AI and machine learning, the VAAI Score continuously adapts to identify attempts by attackers to bypass CNP security measures.
VISA has invested over $10 billion in AI and machine learning technologies to enhance fraud prevention and network security, successfully blocking $40 billion in fraudulent transactions in a single year.
The Challenge of Real-Time Accuracy and Speed
Jabbara emphasized the importance of real-time risk assessments, stating that VisaNet relies on ISO standards for seamless integration with partners and merchants to disseminate VAAI Scores. “We provide the VAAI Score within the transaction message itself,” he explained, allowing clients to tailor their risk management strategies based on their specific operational needs.
The field of fraud detection is rapidly evolving, with Jabbara highlighting the necessity for companies to assess fraud risk throughout the entire customer journey. Telesign is leveraging AI and machine learning for similar purposes.
“At Telesign, our Intelligence API provides insights into risks and underlying patterns,” said Van de Weyer. “We identify red flags by analyzing phone number activity, email usage, IP addresses, and call patterns to help flag risky numbers, informing our risk recommendations and scores for enhanced authentication processes.”