Visa applies generative AI to clamp down on brute force attacks
Visa is introducing a generative AI tool to assign real time risk scores to transactions in a bid to stop enumeration attacks that use automated scripts and botnets to test for vulnerabilities.
Better known as brute force attack, an enumeration attack occurs when a hacker attempts repeatedly — using automated scripts or software — to submit card-not-present transactions through a combination of payment values, such as a primary account number (PAN), a card’s verification value (CVV2), expiration date and postal code.
When they get an approval response, they know they have legitimate payment account details, which they can use to drain bank accounts or rack up a credit card bill. Visa says such attacks are responsible for $1.1 billion annually in fraud losses.
Threat actors are leveraging sophisticated technologies, like automated scripts and botnets, to amplify their card testing attacks, allowing them to exploit vulnerabilities at an unprecedented scale and speed. These attacks, known as enumeration attacks, inflict operational expenses and $1.1B annually in fraud losses accounting for a significant portion of global fraud[1].
To combat this threat, The card scheme is updating its Visa Account Attack Intelligence (VAAI) offering with the addition of the VAAI Score, a new tool that uses generative AI components to identify and score enumeration attacks. The VAAI Score, which will be available to U.S. issuers first and will go live in Europe in April 2025 for both issuers and acquirers, assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card not present (CNP) transactions.
Thirty three percent of enumerated accounts experienced fraud within five days of a fraudster obtaining access to their payment information says Visa
By using generative AI components to learn normal and abnormal transaction patterns, Visa’s VAAI Score identifies the likelihood of complex enumeration attacks in real-time.
Paul Fabara, chief risk and client services officer at Visa says the tool has been able to reduce the false positive rate by 85% compared to other risk models, as the VAAI Score focuses on specific signals for enumeration allowing for a stronger performance.
“Enumeration can have lasting impacts on our clients and there’s an immediate need for tools that can better detect and prevent these attacks in real-time,” he says. “With the VAAI Score, our clients now have access to real-time risk scoring that can help detect the likelihood of an enumeration attack so issuers can make more informed decisions on when to block a transaction.”