Shoppers made from Binary

Devalue the Data

It can be tempting to point fingers when you see a security breach headline, like when Neiman Marcus hit the news cycle for yet another breach. But unlike the 2014 breach, when Neiman Marcus was one of many large retailers hit with card-skimming attacks that stole customer data, this time the company was hit by a tactic that is becoming increasingly familiar to e-commerce companies, and one that companies can do little to prevent: the use of stolen credentials against legitimate accounts.

Neiman Marcus didn’t do anything wrong. When the breach was discovered they acted swiftly, identifying that 5,200 customer accounts had been breached on December 26, 2015. Hackers used automated attacks to try username and password combinations they had obtained elsewhere on the web. Because passwords are often reused from site to site, these brute-force attacks can work. In the case of Neiman Marcus, these attacks resulted in unauthorized purchases from about seventy account holders. Hackers who successfully logged in were also able to see some contact information, purchase history and the last four digits of credit card numbers attached to the account. None of the login credentials came from a breach of Neiman Marcus’ own data; had they, more accounts would have been accessed.
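The defensive counterpart to the attack pattern described above is to notice it in the authentication logs: one source trying many different usernames in a short window, most of them failing, with the occasional success that is exactly the account a defender needs to review and reset. The detector below is an added example, not part of the original post or of any vendor product; the log format, the thresholds and the addresses (from the RFC 5737 documentation ranges) are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format per line:
#   <ISO timestamp> <source address> <username> <OK|FAIL>
# 192.0.2.x are ordinary customers; 198.51.100.7 is a single source
# replaying leaked username/password pairs against many accounts.
SAMPLE_LOG = """\
2015-12-26T02:58:40 192.0.2.10 alice FAIL
2015-12-26T02:58:55 192.0.2.10 alice OK
2015-12-26T03:00:01 198.51.100.7 u1 FAIL
2015-12-26T03:00:03 198.51.100.7 u2 FAIL
2015-12-26T03:00:05 198.51.100.7 bob OK
2015-12-26T03:00:07 198.51.100.7 u3 FAIL
2015-12-26T03:00:09 198.51.100.7 u4 FAIL
2015-12-26T03:00:11 198.51.100.7 u5 FAIL
2015-12-26T03:00:13 198.51.100.7 carol OK
2015-12-26T03:00:15 198.51.100.7 u6 FAIL
2015-12-26T03:00:17 198.51.100.7 u7 FAIL
2015-12-26T03:00:19 198.51.100.7 u8 FAIL
2015-12-26T03:02:30 192.0.2.11 dave OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    source: str
    username: str
    success: bool


def parse_log_line(line: str) -> LoginEvent:
    """Parse one line of the constructed log format into a LoginEvent."""
    ts, source, username, outcome = line.split()
    return LoginEvent(datetime.fromisoformat(ts), source, username, outcome == "OK")


def load_events(text: str) -> list:
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_attempts=8, min_distinct_users=5,
                               min_fail_ratio=0.6) -> dict:
    """Flag sources whose login traffic looks like credential replay.

    A source is flagged when, inside any sliding time window, it makes at
    least `min_attempts` attempts against at least `min_distinct_users`
    different usernames with a failure ratio of `min_fail_ratio` or more.
    Thresholds are illustrative; tune them against your own baseline.
    Returns {source: {"attempts", "distinct_users", "accounts_accessed"}}.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    findings = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        end = 0
        for start in range(len(evs)):
            # Advance `end` so evs[start:end] is every event within `window`.
            while end < len(evs) and evs[end].ts - evs[start].ts <= window:
                end += 1
            win = evs[start:end]
            if len(win) < min_attempts:
                continue
            users = {e.username for e in win}
            fail_ratio = sum(not e.success for e in win) / len(win)
            if len(users) < min_distinct_users or fail_ratio < min_fail_ratio:
                continue
            hit = findings.setdefault(source, {"attempts": 0, "distinct_users": 0,
                                               "accounts_accessed": set()})
            hit["attempts"] = max(hit["attempts"], len(win))
            hit["distinct_users"] = max(hit["distinct_users"], len(users))
            # Successes from a stuffing source are the accounts to act on.
            hit["accounts_accessed"].update(e.username for e in win if e.success)

    for hit in findings.values():
        hit["accounts_accessed"] = sorted(hit["accounts_accessed"])
    return findings


if __name__ == "__main__":
    for source, hit in detect_credential_stuffing(load_events(SAMPLE_LOG)).items():
        print(f"{source}: {hit['attempts']} attempts over {hit['distinct_users']} "
              f"usernames; accounts accessed: {', '.join(hit['accounts_accessed'])}")
```

Grouping by source address is the simplest key and catches the single-source case shown here; distributed campaigns spread attempts across many addresses, so in practice the same windowed logic is also keyed on device fingerprint, network owner or the target account itself. Either way, the successes from a flagged source (here `bob` and `carol`) are the findings worth acting on first, because they are the logins that exposed contact details and order history even though the site itself was never breached.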

Neiman Marcus did everything right: kept track of accounts, recognized the breach after it occurred, contacted customers and canceled the fraudulent orders. With the great tide of stolen credentials available on the web and social media offering up most of the answers to knowledge-based questions, these kinds of attacks are not going away and will only get worse.

So the question really is: what could Neiman Marcus, and other e-commerce merchants in the same position, do better? They can devalue that stolen data.

It’s not just fraudsters that have access to this data. Everyone knows your password. What happens in simple economics when there is too much of something? Its value decreases. Supply and demand work the same way for data: when data is abundant, its value bottoms out. Knowledge-based authentication measures still have some value because, until recently, they were the only tool we had to tell whether the person entering a password was in fact the user.

With passive biometrics and behavioral analytics, that’s no longer the case. Banks and retailers are coming on board with new authentication technologies that reduce customer friction and can predict and stop fraud before it happens. Customers still input usernames and passwords, but authentication comes from aggregated, observed, non-PII information. By devaluing data, you change how you authenticate, which lets you provide a better customer experience (on both desktop and mobile) and gives you an unparalleled ability not only to detect fraud but to predict it before it happens.