Data Scraping Is on the Rise: Here’s How to Mitigate the Damage

Social media is a gold mine of information, filled with enough personal data to make any fraudster happy. It’s why there has been an uptick in data breaches and cyberattacks hitting major social media platforms. In this piece, Justine Fox of NuData Security explains how social media platforms can mitigate damage from these types of attacks without impacting the user experience.

May 26, 2021

The internet is teeming with data scrapers — automated scripts that pull large amounts of publicly available information from websites and apps. Not all scrapers are bad. For example, the bots that index the web for Google are scrapers of a sort. 

But scraping is against the terms of service for most social media platforms. That’s because when scraping creates vast, well-organized databases of personal information, it can aid and abet fraud and social engineering attacks by helping attackers link together names, emails, phone numbers and other data for particular users.

That’s what happened to the social networking app Clubhouse in April, when 1.3 million of its users saw their scraped personal information posted online, including their full names and social media handles. The sheer scale of scraping operations makes them a growing privacy and security threat — and a sign that companies need to step up their security protections.

With so much neatly organized personal information widely available on the internet, attackers will likely accelerate their efforts to use it for fraud in the coming months. Whether they trick users into sharing their credentials through social engineering or simply set up their own fake accounts online, these efforts can be devastating and difficult to stop. Identity fraud cost Americans $56 billion in 2021, according to one estimate.

To mitigate the damage from account takeover attacks and identity theft, social media platforms need alternative ways to validate users that don’t rely exclusively on easily stolen credentials — without sacrificing the frictionless user experience social media platforms are known for.

The Real Social Dilemma: Friction Vs. Security

Reducing friction to a minimum is key to social media business models. By making it effortless to like, share, subscribe or buy on their platforms, social media companies achieve massive scale for creators, advertisers and users. This model generates enormous amounts of revenue for the platforms themselves. Add too much friction to any of these steps and users engage less, which means less revenue for social media companies.

Unfortunately, many traditional cybersecurity measures create the type of friction social media companies try to avoid. For example, multi-factor authentication (MFA) increases security by requiring a user to input a one-time-use code as well as their password at login, but enabling it also increases friction by adding an extra step to login. 

In addition, MFA alone won’t always be enough to protect a social media account. There’s a thriving black market for stolen social media accounts with high-value usernames, known as OG (“original gangster”) accounts. Attackers intent on stealing a particular OG account will use tactics like SIM swapping to intercept MFA codes sent to a user’s phone, then take over that user’s account. Even if a social media company required all accounts to enable MFA, they would still need other transparent layers of defense.

Mitigating the Damage With Low-Friction Security Solutions

While tools to prevent data scraping exist, they likely won’t be enough to protect your users’ publicly shared information from being aggregated. The data brokers and other actors who scrape social media sites are constantly innovating new ways to circumvent anti-scraping protections. 

And it’s likely attackers will use the resulting data to compromise a significant number of user accounts or impersonate those individuals while accessing other services. Some attackers might combine data from multiple sources and test out different combinations to see which ones work. For example, combining names scraped off a social media platform with stolen credit card numbers could eventually produce a “match” that will let the attacker carry out a fraudulent transaction. Bad actors can even blend real personal information with fake data, like a fake name, to create so-called synthetic identities that they can then use to open all-new fraudulent accounts.

Luckily, that’s not the end of the story. You can mitigate the damage from compromised accounts by using low-friction methods to detect bad users quickly, even if they possess legitimate user credentials. 

For example, with passive biometrics you can build a profile of each user based on their inherent behavior, such as the way they hold their device. These behaviors are largely innate and extremely difficult for an unauthorized user to replicate, which makes it possible to identify when an attacker is accessing an account. 

You can then shut them out of the account automatically or send them a security challenge to confirm their identity. Behavioral analytics, which look at a user’s habits like when they usually log on and from where, can make it even easier to identify bad actors before it’s too late.

Because capabilities like passive biometrics and behavioral analytics work continuously in the background, they improve security without adding any friction for the trusted user. By enabling you to stop fraudsters before they do more damage — for example, by spamming the hacked user’s friends list with phishing links so they can compromise more accounts — these strategies mitigate the damage stemming from all types of cyberattacks, including those with roots in data scraping.
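
The behavioral-analytics check described above (when a user usually logs on and from where, followed by a challenge or lockout), as an added example that is not from the article or from any NuData product. It builds a per-user baseline from a constructed login history, scores a new login, and maps the score to allow, challenge or block; the weights, thresholds and function names are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed login history for one user: (UTC timestamp, country code).
HISTORY = [
    ("2021-05-03T08:12:00", "CA"), ("2021-05-04T08:40:00", "CA"),
    ("2021-05-05T19:05:00", "CA"), ("2021-05-06T09:01:00", "CA"),
    ("2021-05-07T20:30:00", "CA"), ("2021-05-10T08:55:00", "US"),
    ("2021-05-11T08:20:00", "CA"), ("2021-05-12T19:45:00", "CA"),
]
MIN_HISTORY = 5  # assumption: below this, the baseline is too thin to trust

def build_profile(history):
    """Summarise when and from where this user normally logs in."""
    hours = Counter(datetime.fromisoformat(ts).hour for ts, _ in history)
    countries = Counter(country for _, country in history)
    return {"hours": hours, "countries": countries, "n": len(history)}

def hour_rarity(profile, hour):
    """1.0 if no past login fell within +/-1 hour of this one, lower when common."""
    near = sum(profile["hours"][(hour + d) % 24] for d in (-1, 0, 1))
    return 1.0 - near / profile["n"]

def risk_score(profile, ts, country):
    """Blend time-of-day and location rarity into a 0..1 score (weights assumed)."""
    if profile["n"] < MIN_HISTORY:
        return 0.5  # not enough history to judge: land on the challenge threshold
    hour = datetime.fromisoformat(ts).hour
    loc_rarity = 1.0 - profile["countries"][country] / profile["n"]
    return round(0.4 * hour_rarity(profile, hour) + 0.6 * loc_rarity, 3)

def decide(score, challenge_at=0.5, block_at=0.9):
    """Map the score to the responses the article names: allow, challenge, shut out."""
    if score >= block_at:
        return "block"
    return "challenge" if score >= challenge_at else "allow"

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed new logins: usual pattern, new country at a usual hour, both unusual.
    for ts, country in [("2021-05-13T08:30:00", "CA"),
                        ("2021-05-13T19:20:00", "BR"),
                        ("2021-05-13T03:10:00", "RO")]:
        score = risk_score(profile, ts, country)
        print(ts, country, score, decide(score))
```
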

A More Secure Online Experience

While data scraping incidents involving social media platforms have been in the news recently, this problem can affect almost any company with an online presence. Many websites and apps display personal information that can be useful to attackers — and all companies are vulnerable to social engineering, account takeovers and other attacks that leverage scraped data.  

Low-friction solutions like passive biometrics and behavioral analytics mitigate the damage from compromised accounts by making stolen or exposed personal data worthless to attackers. And they do so without bogging users down in extra authentication steps. At a time when more and more personal information is available online for free, strategies like these are increasingly important for keeping your user experience secure — and maintaining consumers’ trust.

Justine Fox

Director of Software Engineering, NuData Security

Justine Fox is a Director of Software Engineering at Mastercard working in the NuData Security group. In addition to their role at Mastercard, they work as an AWS Academy Accredited Instructor for BCIT and UBC.