Visa is launching a generative AI tool designed to assign real-time risk scores to transactions in an effort to combat enumeration attacks. These attacks, commonly referred to as brute force attacks, occur when hackers use automated scripts to submit multiple card-not-present transactions by combining payment details such as the primary account number (PAN), card verification value (CVV2), expiration date, and postal code.
When a transaction receives an approval response, the hacker gains access to valid payment information, which can then be exploited to withdraw funds or accumulate charges. According to Visa, these attacks contribute to annual fraud losses of $1.1 billion.
Malicious actors employ advanced technologies, including automated scripts and botnets, to enhance their card testing efforts, allowing them to exploit vulnerabilities rapidly and on a large scale. These enumeration attacks not only lead to significant financial losses but also incur operational costs for the affected entities.
In response to this growing threat, Visa is enhancing its Visa Account Attack Intelligence (VAAI) offering with the introduction of the VAAI Score. This new tool, which integrates generative AI components, will first be available to U.S. issuers and is slated to launch in Europe in April 2025 for both issuers and acquirers. The VAAI Score evaluates each transaction and assigns a risk score in real time, specifically aimed at detecting and preventing enumeration attacks in card-not-present (CNP) transactions.
Visa reports that 33% of accounts subjected to enumeration experienced fraud within five days of the hacker gaining access to their payment details. By leveraging generative AI to analyze both normal and abnormal transaction patterns, the VAAI Score assesses the likelihood of complex enumeration attacks in real time.
Paul Fabara, Chief Risk and Client Services Officer at Visa, noted that the tool has reduced the false positive rate by 85% compared to other risk models, focusing on specific signals related to enumeration to enhance its effectiveness. “Enumeration can have lasting impacts on our clients, and there’s an immediate need for tools that can better detect and prevent these attacks in real-time,” he emphasized. “With the VAAI Score, our clients have access to real-time risk scoring that can help identify the likelihood of an enumeration attack, enabling issuers to make more informed decisions about when to block a transaction.”