SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

Collusion Fraud: The Art of Gaming the System with Complicity

By Shahnawaz Backer, F5

April 16, 2021

Companies like Uber, Airbnb, PayPal, and others with platform business models have flourished in the past few years by matching up service providers (such as restaurants and drivers) to consumers and hiding the complex, behind-the-scenes processing (like payments) from users The rapid adoption of this business model has brought it into the cross hairs for fraudsters, who are always scheming to game the system and illegally monetize legitimate business processes. F5 Labs has found that attackers are defrauding digital systems by colluding with other participants who serve different roles on the platform. This article discusses this phenomenon, which we call collusion fraud.

What Is Collusion Fraud?

Collusion fraud occurs when two or more participants conspire to defraud another participant in a digital business transaction that involves multiple participant groups. This type of fraud is growing in prominence as more digital businesses pivot to become platforms that serve more than just one purpose. For example, an online e-commerce provider’s digital platform allows a consumer to select items from a seller of their choice and have it delivered. A single business transaction on that platform provides online processing, payment, preparing goods, logistics, and delivery. Completing these activities require services from multiple providers specializing in different areas, which at times takes the processing out the platform’s control. The collaborative act to complete these multistep business transactions provides an avenue for malicious players. Fraudsters design these hacks so they can quickly make money and target returns that are generated as by-products of the main transaction, such as a cashback rewardAn incentive given to a consumer for using a system, such as applying for or using a credit card. or gratuity. These by-products are usually managed separately from the main transaction and are often hard to reclaim post–fraud detection if the consumer or other participant has already used them.

Collusion Fraud in Action

Collusion fraud can happen in any industry vertical. F5 Labs and Shape Security researchers followed two cases of fraud that revealed collusion in action. Fraudsters made gains in these cases in the form of gratuities and cashback rewards points.

Case One: Leading Food and Beverage Company

The first case involved a leading food and beverage (F&B) company in which collusion fraud manifested as gratuity, or tip, abuse. The company’s digital platform provides a convenient service to its customers by bringing together the restaurant outlet, logistics requirements, and online payments. Figure 1 explains the legitimate process in completing an online transaction that includes a tip.

Figure 1. Order flow on a food and beverage provider platform.

Terms of Use | Copyright © 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement