May 25, 2016 -
This is a guest post by Ryan Wilk, vice president of customer success at NuData Security.
With all the news of data breaches we’re continually exposed to, it’s no wonder that ecommerce and financial industries have a serious fear of the breacher.
In fact, more than 700 million consumer records were exposed to fraudsters in 2015 alone, according to the Gemalto Data Breach Level Index. That’s a huge number.
That stolen data is then being used to perpetrate more crime, and it can often feel like a never-ending cycle. Account takeover and new account fraud are currently gaining traction as the fraud trends du jour, and they show no sign of stopping. You can say a lot of things about fraudsters, but you can’t say they aren’t tenacious.
As soon as fraud prevention technology evolves, so do these hackers’ tactics. Remember the old “Tom and Jerry” cartoons? Online fraud is like a constant game of cat-and-mouse, albeit one with potentially detrimental financial and reputational consequences.
A 2015 study by Javelin Strategy & Research on the impact of data breaches on consumers found that the growth of these fraud tactics could lead to an estimated loss of $8 billion in 2018. That’s up from $5 billion in 2015. It’s going to take some pretty expensive cheese to feed these mice.
Fortunately, there is a solution out there for merchants and financial institutions. And no, it doesn’t involve brain scans or iris tattoos or any sort of other crazy physical indicator. Nope, the solution lies in something that can’t be replicated so easily.
The thing is with account takeover and new account fraud is that it essentially requires a fraudster (or the bot they build) to impersonate an actual good user. With access to an existing user’s credentials – for sites like online banking, retailers, etc. – bad actors can then masquerade as a genuine customer to transfer funds, use the payment method on file to make high-end purchases or simply mask fraudulent transactions.
This is accomplished through a few different ways, including:
• Attempting combinations of usernames and/or passwords obtained through data breaches, both large and small
• Cycling through easily remembered passwords, like “Password123,” or words like their child’s name, street name, birth dates or other data socially engineered from public profiles
• Using brute force automated attacks for account takeover, which are systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password
Account takeover attempts will continue to grow for two main reasons. First, passwords can’t be relied on to keep a user’s account secure. Second, traditional fraud prevention systems lack the ability to determine if a user accessing an account is actually the real user.
Those bad actors might have gotten away with it, if it weren’t for those meddling behavior biometrics!
This is where behavioral biometrics and analysis enter the picture to “unmask” these posers. Data from online users can, and should be, collected and analyzed from the very beginning – as soon as that user begins interacting with an online property. That data includes information such as how long the user takes to log in, how they interact with a website, what kind of device is being used, where is it being used, how fast are they typing, etc. All of these types of details cab be collected and analyzed to essentially put together a unique and multifaceted profile for each user.
It’s relatively easy to replicate someone’s username and password, but it’s pretty much impossible to match their every behavior, not to mention geographic location, specific device and all of those other attributes.
By passively identifying the good users, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.