BREACH FEAR AND WHAT TO DO ABOUT IT

Understanding Account Takeover and New Account Fraud in the Era of Prolific Data Breaches

The Impact of Prolific Data Breaches

At a recent global conference, I interviewed dozens of leading CISOs, heads of fraud, payments, and security professionals. Their answer to my question around what keeps them up at night, still remains, “a big data breach”. As online banking and commerce continues to grow, so does the incentive to criminally defraud financial institutions and e- and m-commerce organizations.
Data breaches have become an almost daily occurrence, with over 700 million consumer records exposed to fraudsters in 2015 alone according to the Gemalto Data Breach Level Index. The type of data being targeted in the largest of such breaches has changed in the last year. While credit card details may have been the most hunted information in past years, 2015 was the year when data from leading healthcare companies, government agencies, and similar firms were pilfered and sold on the dark web.
This trend is expected to become the new normal, as criminal methods and intentions continue to evolve. Passwords, social security numbers, and all of the other information contained in an account profile are now more popular among criminals than credit card numbers. The opportunity to monetize account information to go for a bigger win for the fraudsters, and for use over a longer time period, is much greater than with a 16-digit credit card number that can be cancelled or updated at any time. Hackers have turned their attention towards this rich data to monetize this information in newer and more lucrative ways.

The Impact: The data accessed in these breaches is most often monetized through subsequent fraudulent attacks on banking and online e- and m-commerce. Because the type of data obtained is different than in previous years, the methods being used to defraud financial institutions and merchants are

2015: Cybercrime’s Epic Year: These figures are a snapshot of the large scale impact that cybercrime, breaches, and malicious attacks had in 2015. Source: 2015 Cost of Data Breach Study

also evolving. A 2015 study by Javelin Strategy & Research analyzed the impact of data breaches on consumer victims. Their report estimated that due to the prolific nature of these compromises, account takeover and new account fraud will increase by 60% in the next three years, jumping from an estimated $5 billion lost last year to $8 billion in 2018.
In 2015, NuData Security identified 45.95% of accounts created across their FI and e-commerce clients (some of the largest banks and merchants globally) as fraudulent attempts. This was a 66% increase in account creation fraud since 2014, when the rate was 27% of all accounts. They also reported that just over 3% of all logins in 2015 were ATO attempts, up by 17% from 2014. These figures strongly imply that the breached data from the hacks of 2015 were being used to perpetrate account takeover and new account fraud, which is more widespread than ever. Although the fraud prevention industry continues to develop, “Fraud will never be overcome: Fraudsters move faster than the industry.”1 It’s become a virtual

“In 2015, NuData Security recorded an average of ~46% of all accounts created across all of their financial institutions and e-commerce clients as fraudulent attempts.”

cat-and-mouse game. Merchants and financial institutions have become better at thwarting traditional fraud techniques, forcing criminals to deviate from their previous tactics and adapt their strategy.
The onus is now on the financial institutions and merchants to continue to improve their techniques in order to stop the latest fraud methods plaguing their business.

A Shift In Risk: 46% of accounts created are fraudulent attempts (new account fraud); 5.9% of all logins are high risk / fraudulent ATO login attempts; 4.7% of above fraudulent login attempts are bot/ scripted while only 3.3% of purchases are deemed fraudulent / risk.

Understanding ATO and New Account Fraud

Account takeover (ATO) fraud occurs when a fraudster accesses an existing user’s credentials (personally identifiable information) that allows consumers to log onto online banks, retailers, gaming sites, or social media. Utilizing an existing consumer’s account allows a criminal to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high value purchase, or simply use their legitimate history to mask fraudulent transactions. Accessing these accounts have become easy through one of three common practices: • Attempting combinations of usernames and/or passwords obtained through data breaches, both large and small, sold on the Dark Web. Because most consumers use the same or similar login information for their various online accounts, fraudsters use this to their advantage, accessing financial and e-commerce accounts with compromised password details. • Cycling through easily remembered passwords, like “Password123”, or words like their child’s name, street name, birth dates, or other data socially engineered from public profiles. • Using brute force automated attacks for account takeover, which are systematic assaults (also referred to as “bots”) that use a script to continually “guess” a user’s password until the correct password is used. All of these methods allow fraudsters to access legitimate accounts to defraud companies and their consumers, often undetected. Account takeover attempts have multiplied exponentially in the last three years and per the previously measured prediction, it will continue to grow for two main reasons. The first is that passwords can no longer be relied upon to keep
a user’s account secure. With the rampant data breaches occurring daily, and the additional tactics we have highlighted in which criminals can easily access consumer accounts, the risk posed by businesses relying on passwords alone is too high. Second, traditional fraud prevention systems that primarily use rules-based systems to analyze payment and personal identification information (PII) do not have the ability to determine if a user accessing an account is in fact the real user of that account. To compound the problem, customers are also negatively affected by this method of fraud. No matter whether their card on file was used, or just their account, in addition to chargebacks, it can cause consumers to feel frustrated and distrustful of a company’s security when they learn their account was accessed fraudulently. Alternatively, the economic ramifications of failing to prevent these orders or bank transfers at any point can be immense. While these systems are still relevant in terms of apprehending other forms of fraud and some instances of account takeover fraud, they can only examine payment and some device information, not the user’s behavior at the time of login.
New account fraud (sometimes referred to as account creation fraud) is also growing due to the data being accessed in recent data breaches. According to a 2016 report by Javelin Strategy & Research titled “2016 Identity Fraud: Fraud Hits an Inflection Point,” there has been a 113% increase in incidence of new account fraud, which now accounts for 20% of all fraud losses. The report calls new account fraud “the most expensive and highest-impact” type of fraud. The information being obtained from healthcare providers and government agencies is extensive. Full names, social security numbers, healthcare ID numbers, medical history, and birthdates are just some of the data points gained in these attacks. In most cases, the information obtained is enough to apply for new financial accounts, many times without the victims being aware for months.

“…there has been a 113 % increase in incidence of new account fraud, which now accounts for 20% of all fraud losses.”

Because the data provided by fraudsters is accurate, and can be validated with premier verification services, it can be difficult to determine if the person applying for a new loan or credit card is indeed the consumer that the data belongs to, especially with traditional information verification tools and services. Asking out-of-wallet questions and utilizing information validation services that verify addresses, e-mail addresses, phone numbers, etc. can be ineffective when fraudsters have obtained full records from employers, government agencies or health insurance companies.
Both account takeover and new account fraud are typically not attempted by a human. Due to the multitudes of accessible data and the potential for monetization based on the number of successful attacks, hackers write scripts that can be run by bots en masse to attack systems using that data in order to commit account takeovers and new account fraud. Scripted attacks can be very difficult to detect, as the perpetrators have studied the account creation and login pages of their target company to ensure that each field is completed correctly and appears legitimate, in order to blend in with all other orders or applications. As in the example of account takeover, standalone fraud prevention systems are merely looking at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.

“…estimating that 33 million cardholders, or 15% of all cardholders, had a transaction denied because of suspected fraud in the past year, resulting in a loss of nearly $118 billion.”

Whenever these new fraud methods start to become costly for businesses, an expensive side effect develops; companies apply excess caution when reviewing orders, sometimes mistaking good orders for bad orders. When this occurs, the merchant is not only losing the immediate sale, but also in most cases the lifetime value of that customer. In a separate study, Javelin Strategy & Research evaluated this issue in a sponsored study entitled “Overcoming False Positives,” estimating that 33 million or 15% of all cardholders had a transaction denied because of suspected fraud in the past year, resulting in a loss of nearly $118 billion, while actual e-commerce fraud in the U.S. only reached $9 billion. By these figures, only 1 in 13 transactions canceled due to fraud is actual fraud. Merchants need a better way to save these legitimate sales while still preventing the potential dollar loss due to sophisticated fraud tactics.

There Must be a Better System

With these fraud attacks growing at a rate of 60% over three years, it is high time that financial institutions and online companies consider new detection methods. With many traditional fraud prevention tools, only the data entered into a shopping cart or account creation form is analyzed. Some will look at device or connection, which can be spoofable. With all of the information being extracted in recent data breaches, all these details can be a perfect match with the genuine consumer and still be fraudulent and/or spoofed. Additionally once the order and application form is completed, it initiates payment authorizations, fraud and/or credit reviews, which entail high costs and human resources associated with the fraud decision-making process.
With observable behavioral biometrics, users accessing an account or application are continually evaluated from the moment they begin interacting with an online property. The amount of time it takes to log in, place an item in a cart, or get to the application page, is all captured. Device information such as whether a mobile, PC, or tablet is being used, along with device identification information, browser language, screen size, location, and whether the IP or geo-location has been faked are all compared to an existing user profile. Additionally, and most uniquely, observable behavioral biometrics analyze the way in which a user interacts with a website. As an example, each person has
a unique method and rhythm of typing. Factors analyzed include whether an accessor uses two fingers or predominantly types with their right or left hand, and how they hold their mobile phone while typing on it. By absorbing all of these characteristics and aggregating the data, behavioral biometrics create a unique profile for each user. By passively identifying the good users, the anomalous or bad users become obvious in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also allows businesses to prevent bots and systems from running scripts to access or create new accounts. The uniqueness of the data gathered and the aggregation and application of all collected data creates a full 360 degree view of each user, providing a unique and cost-saving benefit to client companies.

“Additionally, and most uniquely, observable behavioral biometrics analyze the way in which a user interacts with a website.”

The ability to capture hundreds of data points that combine environmental aspects such as device information with behavior signals empowers businesses to prevent order and application attempts before the miscreant can even make the attempt at a fraudulent purchase, bank transfer, or credit application. The cost savings from analyzing these orders post-transaction are delivered immediately.
The accuracy of the biometric analysis of these types of fraud, which so often go undetected, is unique to this solution.
A demonstration of a legitimate user entering login information may show a biometric match of over 90%, giving a high confidence score that it is the genuine user behind the device. Even if another human accessed the user’s device and account login information, the biometric match and confidence score would be low, simply because the keys weren’t struck in the same way as the true user would. The use of behavioral biometrics is completely invisible to the consumer, with zero friction added to the sign-in or sign-up process. To further prove its accuracy, should a legitimate user ever attempt to access their account at the same time as a brute force attack is mounted on it, behavioral biometrics has the ability to “Additionally, and most uniquely, observable behavioral biometrics analyze the way in which a user interacts with a website.” “
allow the authenticated user access to their account, while blocking the fraudster effectively eliminating any potential customer friction. NuData Security’s NuDetect solution enables merchants and financial institutions to confidently prevent account takeover and new account fraud attempts with their behavioral biometrics solution before an account is even accessed. Through this pre-authentication ability, NuDetect allows organizations to authenticate and verify users before any transactional information is entered, eliminating the financial cost of remediation of said transaction as well as those of the human resources used to manually review troublesome orders and applications. User profiles, which we call Digital Identities, are continually updated in real time with every interaction, allowing the user to access their account on different devices, assuming their behavior is relatively consistent with their digital identity. For new applications without an existing digital identity, NuDetect utilizes its network of millions of profiles to compare the behavior of legitimate applicants to the current user completing a new application. If a new trend or attack method suddenly comes into play, NuDetect is predictive, and can react appropriately in real-time. With pinpoint precision, NuData allows organizations to be facilitators of services or sales, letting more more legitimate transactions that may have displayed risky traits be completed because the data can demonstrate that it was a human placing the order, not a hacker.
Organizations that use NuDetect have seen their ability to detect fraudulent activity prior to a transaction attempt dramatically increase. One digital goods

In a recent implementation of NuDetect in a top-10 National retail and commercial bank with the objective to positively identify valid customers. After 30 days, it was reported that NuDetect was able to positively identify 91% of the User traffic with a high (87%) confidence factor, clearly illustrating the value of layered detection.

marketplace organization experienced a +99% accuracy in account hijacking detection, despite fraudsters using 940 IP addresses across 68 countries in one large scale attack. Another enterprise level e-commerce travel company attributed to NuDetect the prevention of upwards of 5,000 account hijacking attempts per day while being able to accommodate their trusted users in a scalable manner. This merchant also realized a 30% decrease in manual reviews, a reduction in false positive decisions by over 60% and was able to verify that 99% of their users behave non-fraudulently. The confidence provided by NuDetect also allowed this company to expand their business in markets and additional offerings that may have been seen as “too risky” prior to understanding their users and identifying bad actors earlier in the process. With industry estimates that account takeover and account creation fraud will increase by 60% in the next three years, it is more important than ever for financial institutions and merchants to have solutions that identify and prevent these attempts, ensuring that a company’s losses don’t double while also limiting the impact to legitimate consumers. Organizations that transact online need to adapt to keep up with the changes in data available to fraudsters and the methods in which they are using them. The proven way to do this is through combining data obtained from device and observable behavioral biometrics from the time of log-in or account creation and throughout the user’s account lifespan.
NuData harnesses the power of behavioral and biometric analysis, enabling its clients to accurately identify the human behind the device.

About NuData Security

Verifying the Good User Behind the Device NuData Security is differentiated by its focus on user behavior and highly accurate user identification tools as opposed to a focus on individual financial transactions. This is achieved through four distinct capabilities that work closely together to build a complete, nuanced picture of the user.

Device & Connection

Is the device really an iPhone or a server pretending to be? Has the device been used in fraud before? Are the users trying to make their browsing anonymous or fake their Country of origin? Or is this a trusted location (home, work or VPN)?

Behavioral Biometric Verification

How does the user interact with their device? Is their typing speed and pattern consistent with how they behave with this device at this location? If they are on mobile, how are they holding the device?

Behavioral Analytics

What is the user trying to do and how do they do it? When logging in for example, did they browse directly to the general domain name, a specific link, or click a button? Did they type their password with a consistent word per minute (unusual) or were there small deviations in their typing speed (normal)?

Realtime Entity Linking

Can you link this user profile across tens of billions of behavioral events to uncover bad or good behavior patterns? Predicting emerging threats through identifying risk and fraud through collective behavior. www.nudatasecurity.com NuDetect is underpinned by Machine Learning, which analyzes minute patterns of behavior across billions of user interactions in real-time, giving unparalleled accuracy knowing who the user truly is behind the login. Further, NuDetect is the only solution that operates from the moment of account creation all the way to the transaction, so it can detect whether a change is a potentially fraudulent or just part of natural behavior changes over time.

Subscribe to Industry Era




More Stories