A human touch to fraud

The rapid growth and evolution of human farms calls for an evolving solution

When many hear the term “human farm” they think of The Matrix’s human power plant, where, as anyone with a sci-fi-loving bone in their body knows, the machines grow humans as batteries to provide a source of power. Human (or click) farms are indeed a real thing but they are not quite what is portrayed in the 1999 science fiction film, we can be thankful. Though, like the movie, human farms are seen as a very real threat in the real-world online fraud and risk community. According to Europol’s 2016 Internet Organised Crime Threat Assessment, the threat of human farms and crime-as-a-service rings are growing substantially. And this is something that we should all pay attention to.

Human farms are comprised of low-cost, typically low-skilled workers and have a low barrier to entry. Rather than a sole hacker or a bot that controls tens of thousands of machines, a human farm is a group of real people who are hired, often by larger criminal crime-as-a-service organizations, to bypass security barriers because they will not trigger warnings that are set to detect machine based attacks.

Human farm workers can have a wide range of tasks, including creating fake social media accounts used to boost follower counts, clicking online ads to push false revenues, and creating accounts that seem to be legitimate. Fake account creation fuels the engine of many fraud problems, including credit card testing, false reviews, account takeover, and application fraud where a human fraudster may pose as a legitimate online applicant with stolen credentials.

And the problem is growing. According to nudata’s intelligence, 60% of account creations in 2016 were illegitimate (compared to 40% the year prior). While this data point spans multiple verticals, fraudulent new account creation is rising rapidly and is a direct result of the surge in personally identifiable data and legitimate user credentials so cheap and readily available from numerous hacks to crime rings and fraudsters willing to pay for it on the dark web.

Frequently called low velocity attacks, malicious human farm activities are often difficult to pinpoint, even with healthy fraud protection systems in place because they are set to trigger at the sign of machine automation, not human activity. In addition, fake accounts created might be used tested for valuable content immediately, or they may remain dormant for a special occasion, especially during high volume periods like the holidays where they plan carefully planned strike that can be hidden within the increased volume.

Maybe we do need Neo to save us, but until he shows up in real life we live in a world where human farms exist and they are a genuine problem for our online security that we must contend with. One way to protect against account takeover and account creation fraud is by implementing the power of user behavioral analytics and passive biometrics. Until recently, human farm attacks have been difficult to detect due to their slow speed and small scale, whereas passive biometrics can detect such activity because it uses behavioral biometric intelligence to detect whether the user is behaving in a way that correlates to fraudulent activity and whether that behavior is human or machine. In this way NuDetect literally knows who is a bad human or machine, and who is a good human or machine by what they are doing. In this way behavior biometrics undermines the power of human farms to conduct much of their fraudulent business by taking away the usefulness of what they value most — stolen data.

nudata’s FinovateSpring 2016 seven-minute live demo to learn more about how your company can be protected from human farms and crime-as-a-service.   — Want to read more posts like this? See our full blog here.