Concerns raised over holiday cybercrime attacks.(Source: Shutterstock)

Two cybersecurity reports paint a dreadful end-of-the yearpicture: one forecasts major data breaches fueling a holiday retailcybercrime spree; the other suggests financial institutions on thehook for any incidents.

Fraud increased 30 percent overall in the third quarter2019 and bot-driven account registration fraud is up70 percent as cybercriminals test stolen credentials inadvance of the holiday retail season, according to "The Q4 Fraudand Abuse" by San Francisco based Arkose Labs, which provides aplatform combining telemetry with an adaptive step-up challenge toidentify bad actors. The study provided insights into thecybercrime ecosystem and how criminals are preparing for large-scale digitalcommerce attacks in this year's last quarter.

Related: A billion people's data left unprotected on GoogleCloud server

The report analyzed over 1.3 billion transactions spanningaccount registrations, logins and payments, in the financialservices, e-commerce, travel, social media, gaming andentertainment industries, from July 1, 2019 to Sept. 30, 2019.

Arkose Labs found one in five account openings were fraudulentand an elevated attack rate on retail payment transactionsforecasts a record-high holiday fraud season. Account takeoverattacks are a precursor to payment fraud. Eighty-one percent of allretail attacks were fraudulent payments transactions.

Kevin Gosschalk, CEO of Arkose Labs, said, "One thing is clear:the way fraudsters are weaponizing compromised data from recenthigh-profile breaches highlights the deep connectivity of theglobal cybercrime ecosystem that goes way beyond selling stolendata or knowledge sharing. One attack is a precursor to anotherattack, and they can be in two different industries, across twodifferent geographies."

Among the other findings:

• Digital account registration on social, tech and gamingcompanies has become the identity testing mechanism for fraudsters.Even when an account creation attack fails, it can provide valuableinsight into an account's existence. Within the tech industry, fakeaccount creations, nine times more likely attacked compared tologin attempts, increased five-fold from the second quarter.
• Attacks from malicious humans – both lone perpetrators andorganized fraud sweatshops — increased 33 percent over theprevious quarter; and nearly one in every five attacks (every thirdattack on financial services) is human-driven.

"Our report exposes the monetization roadmap criminals take tocommit an attack," Vanita Pandey, vice president of Strategy atArkose Labs, said. "First, fraudsters test credentials – which weare witnessing in profusion across all industries. Next, they takeover accounts. Payment fraud is usually the last step in the attackcycle and the overwhelming volume of fraudulent retail paymenttransactions in quarter 3 forecasts a very ominous holiday shoppingseason."

Gosschalk noted, "Digital commerce has made it easy to launch aglobal business but at the same time, it has never been easier fora fraudster to target businesses across the globe." He added, withaccess to sophisticated tools, complete identities harvestedthrough breaches and phishing attacks, anyone can launchsophisticated attacks.

"How Fraud Stole Christmas," a study from Baltimore-basedTerbium Labs, which provides a digital risk protection platform,suggested fears of data loss, identity theft and fraud are leavingAmerican consumers on edge this holiday season, and they areprepared to hold their financial institution responsible for thedamages.

Terbium Labs surveyed over 1,000 consumers in October 2019 inthe U.S. to better understand their shopping behaviors andpreferred payment strategies during the 2019 holiday shoppingseason.

They discovered American consumers on high alert heading intothe busy holiday season, as 66 percent believe they couldeasily become a victim of fraud, while another 65 percentbelieve they are at a higher risk of having their financialinformation exposed as a result of their holiday shopping.Sixty-eight percent would hold their financial institution at leastpartly responsible for fraudulent activity, regardless of how thecompromise occurred.

"Financial institutions are under heavy scrutiny by consumersduring the holiday season, and should be taking customer trust andloyalty very seriously," Emily Wilson, vice president of researchat Terbium Labs, said. "Cybercriminals thrive during peak holidayshopping – the hustle and bustle of transactions and unusualshopping patterns create countless opportunities to capture paymentdata and attempt fraudulent transactions." Wilson pointed out nothelping the situation are distracted consumers, who prefer reactivemeasures to account for fraud, while holding financial institutionsto a high standard in keeping their data safe.

Consumers made it clear they expect their financial institutionto be accountable, even if it was not the original source of thedata breach. Fifty-one percent said they would blame both theoriginal source of the data compromise, such as a retailer, and thefinancial institution issuing the card, while another17 percent said they would only hold their financialinstitution responsible regardless of how the compromiseoccurred.

According to the data, this will directly impact the bottom lineas financial institutions stand to lose 45 percent oftheir customer base if a holiday data breach occurs. Nineteenpercent said they would leave the financial institution and closetheir account following a data breach; and another26 percent indicated they would only keep their accountsif their financial institution improved security.

Consumers are most concerned over the compromise of Social Security numbers (23 percent).Following closely, compromised debit card (22 percent) andcredit card numbers (21 percent).

Meanwhile, consumers do not seem proactive in limiting their potentialexposure. More than a third (35 percent) plan on usinga mix of both debit and credit cards, while nearly half(49 percent) said that they will use between two and threecards. This creates far more opportunity for cybercriminals tocapture payment data. Additionally, only 7 percent plan onusing two-factor authentication when shopping online. Instead, morethan a third (38 percent) plan to prioritize monitoringtheir transaction history, even though 14 percentindicated frustration when too many unsuspicious purchases getflagged.

Wilson said, "The wave of massive breaches exposing personaldata in recent years has left consumers more worried than everabout protecting their identity information – making the stakeseven higher for financial institutions who need to secure thatdata."

Read more: 

• Cybersecurity: There's always more you cando
• Capital One security breach exposed data of 100million users
• Report: Executives likely to be targeted forcybercrime