Visa is rolling out an innovative AI solution to assess risk levels of transactions in real-time, aiming to thwart enumeration attacks facilitated by automated scripts and botnets.
Enumeration attacks, commonly known as brute force attacks, involve hackers repeatedly attempting card-not-present transactions using automated scripts. By trying various combinations of payment details like PAN, CVV2, expiration date, and postal code, attackers seek approval responses to identify valid payment account information. These attacks result in significant financial losses, estimated at $1.1 billion annually.
Perpetrators increasingly rely on advanced technologies such as automated scripts and botnets to amplify enumeration attacks, posing substantial threats and financial burdens. To counter this menace, Visa is enhancing its Visa Account Attack Intelligence (VAAI) with the VAAI Score. This new tool, leveraging generative AI, swiftly identifies and scores enumeration attacks. Initially available to U.S. issuers and set to launch in Europe in April 2025, the VAAI Score assigns real-time risk scores to detect and prevent enumeration attacks in card-not-present (CNP) transactions.
According to Visa, 33% of enumerated accounts fall victim to fraud within five days of attackers gaining access to their payment details.
By utilizing generative AI to comprehend typical and unusual transaction patterns, Visa's VAAI Score evaluates the likelihood of intricate enumeration attacks in real-time. Paul Fabara, Visa's chief risk and client services officer, highlights that the VAAI Score significantly reduces false positives compared to other risk models, thanks to its focused approach on specific enumeration signals, leading to enhanced performance.
Fabara emphasizes the urgency for effective tools to detect and deter enumeration attacks promptly. He underscores the significance of the VAAI Score, providing real-time risk scoring to enable issuers to make informed decisions regarding transaction blocking, thereby safeguarding clients from potential financial repercussions caused by enumeration attacks.