By Ryan Wilk
Those in the InfoSec world are used to grappling with the kind of numbers that might make a layperson recoil in horror, but one statistic from 2017 stands out as especially worrying.
A report from the Identity Theft Resource Center and CyberScout found that data breaches had reached a historic new high in 2017, with 1,579 reported, which left 179 million records exposed.
This, needless to say, is a problem that has already caught up with customers and businesses transacting online.
The focus for organizations tends to be on the breach itself; they encourage customers to change passwords and remind them to review their bills and credit bureau reports. However, the breach itself is just the beginning of the chain of events to which the data will then be subject.
Once the information has been stolen, criminals decide how to use this data. It is often hosted on dark web forums, where people can buy it and use it for fraudulent purposes. This can be as simple as purchasing something with a stolen credit card number or as complex as a comprehensive program of identity fraud – where fraudsters can pose as a business that the customer hired (a plumber, for example) to get the payment transferred to the fraudster’s account instead of the contractor’s.
To make matters worse, if a bad actor is missing any piece of information, they can just access a Google-like website to find it. Any type of stolen information can help: what may seem an irrelevant piece of information to a user can be the last piece of the puzzle for a bad actor. Online stolen-data aggregators are where all the stolen pieces come together, providing buyers with your entire digital information, including usernames, passwords, credit cards, social media accounts, and more.
With so much personal data available to anyone with a few bucks, companies are losing trust in their users.
So what is to be done? Much of the problem stems from the traditional authentication models that fraudsters are proficient at bypassing.
As everyone who has any accounts online will know, the temptation to recycle passwords is often greater than the threat of having these accounts hacked into.
However, when accounts share the same weak password, a data breach could allow bad actors to build a much clearer picture of you as an individual and put your finances and identity at risk.
To protect their business, some companies increase the friction levels on all their users, and although this may reduce some fraud, it also increases false declines, user frustration, and customer churn.
The alternative, as devised by a handful of innovative companies, is to find a method of user verification that meets the needs of both company and customer – one that is secure and frictionless.
Biometrics is rising to the challenge to protect accounts, which is sending shivers down the spines of fraudsters. However, the physical biometrics field is not bullet-proof – nothing is today – and to avoid any unwanted traffic, multi-layered solutions that include passive biometrics are proving to be the most efficient ones.
These technologies monitor inherent human behavior that is impossible to replicate by a third party. Passive biometrics analyze subtle signs such as how a user types, how hard they press the keys or how they hold the device.
This means that even if the bad actor has all of a user’s correct information, including security questions, credit card number, and even access to the user’s text messages, the solution will recognize the unusual behavior and block or intercept the bad actor before they log in. This way, stolen data becomes useless in the hands of fraudsters.
New innovative products are making it easier for users to access services online, but these services can only be offered if the companies have reliable security solutions in place. With multi-layered solutions that don’t rely on static data, companies can safely offer their services while providing an enhanced customer experience to their users.
These next-generation security solutions are making the 179 million stolen records look less threatening and helping bring trust back to the online space.
About Ryan Wilk
Ryan Wilk is the Vice President of Delivery for NuData Security, now a MasterCard company. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles.