(Don’t Fear) the Breacher

(Don’t Fear) the Breacher.
hackerWith all the news of data breaches we’re continually exposed to, it’s no wonder the ecommerce and financial industries have a serious fear of the breacher.
In fact, more than 700 million consumer records were exposed to fraudsters in 2015 alone, according to the Gemalto Data Breach Level Index. That’s a huge number. That stolen data is then being used to perpetrate more crime, and it can often feel like a never-ending cycle. Account takeover and new account fraud are currently gaining traction as the fraud trends du jour, and they show no sign of stopping. You can say a lot of things about fraudsters, but you can’t say they aren’t tenacious. As soon as fraud prevention technology evolves, so do these hackers’ tactics. Remember the old “Tom and Jerry” cartoons? Online fraud is like a constant game of cat-and-mouse, albeit one with potentially detrimental financial and reputational consequences. A 2015 study by Javelin Strategy & Research on the impact of data breaches on consumers found that the growth of these fraud tactics could lead to an estimated loss of $8 billion in 2018. That’s up from $5 billion in 2015. It’s going to take some pretty expensive cheese to feed these mice. Fortunately, there is a solution out there for merchants and financial institutions. And no, it doesn’t involve brain scans or iris tattoos or any sort of other crazy physical indicator.  Nope, the solution lies in something that can’t be replicated so easily. The thing is with account takeover and new account fraud is that it essentially requires a fraudster (or the bot they build) to impersonate an actual good user. With access to an existing user’s credentials — for sites like online banking, retailers, etc. – bad actors can then masquerade as a genuine customer to transfer funds, use the payment method on file to make high-end purchases or simply mask fraudulent transactions. This is accomplished through a few different ways, including:

  • Attempting combinations of usernames and/or passwords obtained through data breaches, both large and small
  • Cycling through easily remembered passwords, like “Password123,” or words like their child’s name, street name, birth dates or other data socially engineered from public profiles
  • Using brute force automated attacks for account takeover, which are systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password

Account takeover attempts will continue to grow for two main reasons. First, passwords can’t be relied on to keep a user’s account secure. Second, traditional fraud prevention systems lack the ability to determine if a user accessing an account is actually the real user. This is where behavioral biometrics and analysis enter the picture to “unmask” these posers. NuData Security’s NuDetect platform collects and analyzes data from online users the moment they begin interacting with an online property. Data collected includes how long the user takes to log in, how they interact with a website, what kind of device is being used, where is it being used, how fast are they typing, etc. All of these types of details are collected and analyzed to essentially put together a unique and multifaceted profile for each user. It’s relatively easy to replicate someone’s username and password, but it’s pretty much impossible to match their every behavior, not to mention geographic location, specific device and all of those other attributes. By passively identifying the good users, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts. Interested in learning more? Check out our latest white paper. Those bad actors might have gotten away with it, if it weren’t for those meddling behavior biometrics! — Want to read more posts like this? See our full blog here.