July 13, 2015
This is a guest post by Ryan Wilk, director of Customer Success, NuData Security.
According to the “2014 Data Breach Stats” report, there were 761 data breaches last year, with more than 83 million records exposed. Most people grouse about having to change their username and password or cancel a credit card and then move on with their day. Little thought is given to what happens to that data once it’s been stolen.
What happens is that the data is collected and combined into a weapon of mass destruction by today’s fraudsters – one that’s so difficult to overcome that our society now has to rethink how we do Internet security.
These stolen records include incredibly personal data such as an individual’s Social Security number, name, address, phone number, credit card number, name of local bank branch and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.
Having this aggregated information enables cybercriminals to apply for loans or open bank accounts under a real person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could hinder her for the rest of her life, because her Social Security number was stolen.
This is the insidious nature of cyber crime. Small data breaches look on the surface to be minor losses of data, but they expand out rapidly across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.
What Happens to All That Stolen Data
There is a hierarchy of value on the dark web for stolen data. Stolen credit card numbers can cost mere cents, but they are labor-intensive and low-return for fraudsters: it takes many attempts for a fraud scheme to work as cards are tested and cycled through. With so many data breaches last year, credit card numbers flooded the black market, lowering their value.
The “fullz” mentioned above have a market rate of $5 each—quite a reasonable price—but they require a more in-depth and risky scam to be fully made use of. Working user accounts with a payment method attached, an easy-grab scam with lucrative results, go for $27 each but can translate into hundreds to thousands of dollars in stolen money and merchandise. It makes sense, then, that account takeover (ATO) is spreading like wildfire in the fraud world. In fact, there has been a 112 percent year-over-year increase in account takeover attacks.
In this scenario, cyber criminals try to take over legitimate user accounts instead of creating new accounts with stolen credit cards. ATOs can be automated, including scripted attacks, or can be done with small teams of human operators posing as account holders. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.
Fraudsters generally perform three high-risk logins for every high-risk checkout. The first login verifies that the account works. The second gathers intelligence, and the third is when the fraudster attempts the actual fraud. The transaction is no longer the point of focus for fraud – it is the login. This shift creates an imperative to look at the login and account creation – rather than the transaction – in order to stop fraud before it happens.
With so much data available on the black market, fraudsters can pick and choose among the digital credentials. Organizations must not only secure their own data but also be ever vigilant against people using stolen data on their websites.
Behavioral Biometric Analysis Provides Advantages
You can cut fraudsters off from the get-go by protecting the login pages of your sites. In this way, you stop them from being able to take control of the account in the first place. How can you protect login pages from data thieves? This is where behavioral analytics shines. Let’s take a look at what user behavioral analytics means.
In the constant battle against fraud, most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And as we’ve seen, full packages of user information—full identities—are prevalent and cheap.
Now, here comes the tricky part: can you tell the difference between account testers or fraudsters and legitimate users? If not, the real question you need to ask yourself is, “Do I understand my user in enough detail?”
Instead of relying on who a “user” tells you they are, behavioral analytics focuses on observed characteristics of the user. User behavior analytics aims to observe and understand how the user behaves, in an effort to answer bigger questions, such as:
• How did the user behave during previous logins? Are they behaving the same now?
• Is their behavior unique to them, or is it being repeated? Repeated behavior can reveal a lot. If the behavior is the same every time they visit, perhaps we can say it’s a legitimate user, acting the same as always. But if it’s the same behavior that 1,000 users are all repeating, it could indicate that this behavior is part of a crime ring that could be a distributed, low-velocity attack – the kind of attack that exposes you to massive amounts of loss.
• When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it completely different?
If you are able to observe user behavior in detail, you have the best chance of detecting and defeating fraud.
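As an added example that is not part of the original post and not NuData’s product code, the following Python scores a login against the two questions above: does the typing cadence match this account’s own earlier logins on the same device, and how many other accounts have logged in with that exact same cadence? The feature vectors, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample login events (not real data): (account, device, features),
# features = (mean key-hold ms, mean inter-key ms, seconds spent on the form).
EVENTS = [
    ("alice", "dev-a1", (95.0, 140.0, 6.2)),
    ("alice", "dev-a1", (98.0, 135.0, 5.9)),
    ("alice", "dev-a1", (92.0, 144.0, 6.5)),
]
# Twelve accounts all logging in with one machine-like cadence: the post's
# "1,000 users repeating the same behavior" pattern, scaled down.
EVENTS += [(f"acct{i:02d}", f"dev-x{i}", (40.0, 30.0, 0.8)) for i in range(12)]

Z_LIMIT = 3.0    # max z-score vs the account's own history before flagging
RING_LIMIT = 5   # distinct accounts sharing one fingerprint before flagging
EPS = 1.0        # stdev floor so a very consistent user is not over-penalised

def deviation(history, current):
    """Largest per-feature z-score of current vs history; None if < 2 priors."""
    if len(history) < 2:
        return None
    zs = []
    for i, x in enumerate(current):
        col = [h[i] for h in history]
        zs.append(abs(x - mean(col)) / max(pstdev(col), EPS))
    return max(zs)

def fingerprint(features):
    return tuple(round(x) for x in features)  # coarse key: near-equal collide

def accounts_sharing(events, current):
    """Distinct accounts that have logged in with this same fingerprint."""
    seen = defaultdict(set)
    for account, _, f in events:
        seen[fingerprint(f)].add(account)
    return len(seen[fingerprint(current)])

def assess_login(events, account, device, current):
    """Same as this user's past logins on this device? Shared by many others?"""
    history = [f for a, d, f in events if a == account and d == device]
    z = deviation(history, current)
    shared = accounts_sharing(events, current)
    if shared >= RING_LIMIT:
        verdict = "ring-like"          # distributed, low-velocity pattern
    elif z is not None and z > Z_LIMIT:
        verdict = "baseline-mismatch"  # not how this user behaved before
    else:
        verdict = "ok"
    return {"z": z, "shared_accounts": shared, "verdict": verdict}
```

A first login from an unseen account or device yields no baseline (z is None), so only the shared-fingerprint check can flag it; that is exactly the case where the cross-account view matters.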
Fraud Detection in a World of ATO
When it comes to account takeover, all of the account data may already be compromised, so it will validate correctly regardless of who logs in – legitimate user or imposter. Merchants are beginning to realize they can no longer rely on basic data validation measures.
The new fraud detection paradigm, in light of ATO, is to observe user behavior starting from login all the way through to checkout. Simply making sure usernames and passwords match just won’t cut it anymore. This is where behavioral biometrics and analytics prove so valuable: they let merchants see the user behavior patterns that help determine whether a user is the real deal or a fraudster.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.