Sophisticated Data Breaches Threaten the U.S.
NuData Security, a passive biometrics and Mastercard company, announced that it has found that 40% of all account access attempts online are high risk. It also found that account takeovers increased ten times in 2017 as compared to 2016. Robert Capps examines such data breaches.
Across the globe, data breaches continue to increase each year, making it even easier for fraudsters to take over accounts. This is because each time a breach occurs, more personally identifiable information (PII) becomes available to criminals. We are already near ten billion exposed records since 2013 – 9.7 billion – according to the Breach Level Index.
This exposed information is not just outdated information like your teenage years’ email password; we are talking about full names, addresses, social security numbers, and more. By buying this information for a few bucks, even the least sophisticated of actors can gain access to personal accounts or steal identities.
Private credentials being stolen and sold on the dark web is not new; what is new is the information currently at stake. Where it was once common for single pieces of information to hit the dark web (a name and a password, for example), criminals are now able to gain access to complete identities (including names, passwords, physical mailing addresses, and social security numbers). When a fraudster has this much information, it becomes a near cakewalk to take over not just a user’s account, but their whole identity.
Account takeover has also been on the rise, partially as a side effect of the U.S. adoption of EMV cards. These new cards with chips are turning the card-present environment into a more secure place. On the flip side, fraudsters who used to make a profit using the cards’ magnetic stripe are trying to mitigate their losses by moving their activity to the card-not-present space.
Growing Pains
NuData Security’s latest statistics show a sharp increase in the number of purchases made with flagged credit cards, which doubled in the last year. Similarly, the number of account takeover attempts increased tenfold in the same period of time.
Bad actors are becoming more sophisticated, and they are also mastering automation by developing mass-scale attacks in the blink of an eye. Today, a bad actor can use a simple algorithm to crack a password with billions of possible combinations in ten seconds and use a company’s login interface millions of times in a day to find those working combinations. They can do all of this while remaining unnoticed by companies that don’t have visibility into these attacks.
Combating Mass-Scale Automated Attacks
Combating account takeover poses a huge challenge because the attacks that pave the way for account takeover happen at the login stage, where many companies don’t have the tools to look at what’s happening. The attacks at login use millions of stolen credentials to find the working combinations and, once they find them, they can take over the accounts they’ve been trying to open and make a profit.
Cutting Through the Noise
Being able to see what’s happening at login allows companies to know which accounts are being targeted and to protect them before there is any fraud loss.
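The kind of login-stage visibility described above, as an added example that is not from the article or from NuData: it scans login events for sources that try many distinct accounts with mostly failures, and lists the accounts those sources did get into so they can be protected. The log format, field names, thresholds and sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login events (format and values are assumptions for illustration).
SAMPLE_LOG = """\
2018-03-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2018-03-01T10:00:01Z ip=203.0.113.7 user=bob result=fail
2018-03-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2018-03-01T10:00:02Z ip=203.0.113.7 user=dave result=fail
2018-03-01T10:00:03Z ip=203.0.113.7 user=erin result=ok
2018-03-01T10:00:03Z ip=203.0.113.7 user=frank result=fail
2018-03-01T10:05:10Z ip=198.51.100.20 user=grace result=fail
2018-03-01T10:05:25Z ip=198.51.100.20 user=grace result=fail
2018-03-01T10:05:40Z ip=198.51.100.20 user=grace result=ok
garbage line without fields
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (ip, user, ok) tuples; skip lines that do not match the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "ok"

def find_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag sources trying many distinct accounts with mostly failures.

    Returns {ip: sorted accounts that source logged in to successfully}.
    """
    users, hits = defaultdict(set), defaultdict(set)
    fails, total = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        total[ip] += 1
        if ok:
            hits[ip].add(user)  # account to protect if the source is flagged
        else:
            fails[ip] += 1
    flagged = {}
    for ip in total:
        # One user retyping a password has few distinct accounts; stuffing has many.
        if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio:
            flagged[ip] = sorted(hits[ip])
    return flagged
```

Grouping by source address is a simplification; attacks spread across many addresses need additional signals such as the behavioral ones the article goes on to describe.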
Multi-layered technologies that include behavioral analytics and passive biometrics are providing deeper insight into what’s happening at login and are blocking most of the automated threats beforehand, at the pre-login stage. By blocking automated mass-scale attacks at login, companies are mitigating account takeover losses before they happen.
At a time when we can’t trust users’ PII, it is increasingly important to find tools that can discern between human and non-human behavior and verify legitimate users before they set foot into the session – all without relying on the user’s static data (password, one-time code…).
Using these layers of technology, companies can gain visibility into what’s happening in their environment and thwart fraudulent attempts without adding any unnecessary friction for their good users.