We all fear the mere thought of criminals breaking into our homes or cars, rifling through our personal belongings, and potentially putting our lives at risk in the process. However, we tend to pull a one-eighty when it comes to cyber threats and see them as almost unreal; 1s and 0s with a shallow bite.
Still, rather than breaking through windows or snatching handbags, cybercriminals target sensitive, personal information with real damaging consequences. In fact, this is becoming such a widespread problem that the amount of stolen credentials detected in botnets has shot up exponentially by an eye-popping 141%, according to Blueliv. If that number wasn’t enough, keep in mind it only represents North America, according to a recent report.
Credentials: Hot Commodities
How hot is hot? The cascade of records breached is in the billions. Here are some of this year’s most famous breaches: MyHeritage, 92 million records; Under Armour, 150 million records; Exactis, 340 million records; Cathay Airways Pacific, 9.4 million records, Panera Bread, 37 million records. And the list goes on and on. Between 2018 and 2023 criminal data breaches will expose 146 billion records, growing at a rate of 22.5% per year according to a Juniper Research.
These credentials, once stolen, are often listed on the dark web for the low, low price of a few bucks. Prices range, depending on the value of the information. For example, U.S. credit card numbers sell for anywhere between $10 to $12, some top off at roughly $18. Of course, prices can go much lower than this depending on the value of the data in question. The price depends on the piece of information and the value of it. For example, Uber login information after their data breach a few years back was sold at $1 on the dark web. Market saturation is also an important factor; the more credentials available on the dark web, the lower the price tag. As breaches continue to expose data, the prices are bound to go down.
Transforming Stolen Data into Profit
When hackers get their hands on credentials, end users don’t normally find out until it’s too late and they, for example, receive a bill for a trip to Patagonia they never purchased. Because the attack uses legitimate credentials, it is also hard for companies to realize until the damage is done. Unlike a thief who snatches a woman’s purse on the street, cybercriminals can use sophisticated software (aka bots) to do the job for them. Bot-driven attacks are based on a script that develops an action, for example, testing credentials at login.
Today, using layered security that includes behavioral biometrics, companies can detect these mass-scale attacks when the correct credentials are presented. Looking at other aspects of the behavior such as where they come from, what type of device they use or what operative system, companies can build a dynamic picture of their traffic.
Layered security provides a multi-angle view that highlights the source of the anomalies. For example, the chart below shows where the activity spikes happen, making it easy to spot fraud attempts.
Mitigating the Mayhem
When companies can look at their traffic beyond the credentials, they build a more accurate picture of their good and bad traffic. We are seeing more businesses adopt new authentication frameworks that incorporate a layered security to identify customers by their online behavior. A multi-faceted security approach not only negates the idea of total reliance on credentials, but also looks at the traffic from different angles.
These smart tools verify customers through behavioral patterns like how hard someone presses down the keys or how quickly they swipe. Thousands of identifiers are used to verify a user in real time so that if a cybercriminal steals a device, credential or password, her behavior would give her away.
Risk Management
Incorporating a multi-layered security solution with passive biometrics and behavioral analytics allows companies to identify customers online with a high level of confidence. Additionally, it can lower false declines (where real customers are declined based on a particular anomaly). False declines are a substantial problem; the Aite Group estimates that the U.S. lost over $300 billion to false declines in 2017 alone.
Positively identifying customers online gives digital businesses the foundation to build the relationship with customers through special rewards, gift points, and shopping specials. Knowing your users is paramount to a successful relationship to increase the lifetime value of your customers.
About the author:
Ryan Wilk is Vice President, Customer Success for NuData Security, a Mastercard company. Previously, he was the manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various eCommerce roles.