A New Weapon in the Fight Against Identity Theft

by Ryan Wilk

Our society may have hit the saturation point when it comes to ongoing news about data breaches. Large organizations seem to lose a lot of money, but the average consumer just changes their passwords and gets issued a new credit card. Many end up with a year or two of free credit monitoring, so all seems well. Back to life as usual.

If only that were the whole story. The missing piece is that all the data from all those breaches can add up to a mighty weapon that’s impossible to trace and potentially devastating to individuals. It’s a relatively new phenomenon that’s forcing the industry to rethink Internet security.

The millions of data records that were compromised just last year contain incredibly detailed personal data such as a person’s Social Security number, name, address, phone number, credit card number, name of local bank branch and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

Malicious actors use this compiled data to take out loans, file tax returns or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could hinder her for the rest of her life, because her Social Security number was stolen.

The effect of compromised personal data doesn’t stop when an individual gets a replacement credit card. Instead, data from multiple breaches can build and build like an avalanche that may demolish a person’s financial future and cannot be restrained.

Fraud’s New Darling: Account Takeover (ATO)

There is a hierarchy of value on the dark Web for stolen data. Stolen credit cards can cost mere cents and are labor-intensive and low return for fraudsters. It takes many attempts for a fraud scheme to work as cards are tested and cycled through. With so many data breaches last year, credit card numbers flooded the black market, lowering their value.

Fullz would, at first consideration, seem like the best option, as they offer a full identity profile for only $5 each. However, they require a more in-depth and risky scam to be fully worthwhile. Working user accounts with a payment method attached, an easy-grab scam with lucrative results, go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

Welcome to the era of account takeover. In this type of fraud, cyber criminals attempt to hijack valid user accounts instead of creating new accounts with stolen credit cards. ATOs can be automated, including scripted attacks, or can be done with small teams of human operators posing as account holders. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.

On average, there are three high-risk logins for every high-risk checkout. The first login is to verify that the account works. The second is to gain intelligence, and the third is when the fraudster attempts to commit actual fraud. The transaction is no longer the point of focus for fraud – it is the login. This shift creates an imperative to look at the login and account creation – rather than the transaction – in order to stop fraud before it happens.

Consequently, organizations must not only secure their own data but also be ever vigilant against people using stolen data on their websites. By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

Behavioral Analytics: Protection From Login Through Checkout

So, then, the new goal is to protect your login pages from data thieves. This is the forte of behavioral analytics. Let’s take a look at what user behavioral analytics means.

The typical way of addressing online fraud is to look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And as we’ve seen, full packages of user information—full identities—are prevalent and cheap.

Being able to distinguish between legitimate users and fraudsters is essential; if you don’t feel confident about your ability to do this, you need to consider whether you understand your user in enough detail. Rather than a simple checklist, behavioral analytics focuses on observed characteristics of who the user is, not just who they tell you they are. User behavior analytics are aimed at observing and understanding how the user behaves, in an effort to answer bigger questions, such as: