Viewpoint: Don’t Fear the Breacher

By Ryan Wilk, NuData Security

It’s little wonder that any organization that touches sensitive customer data is suffering a serious case of breach phobia these days. After all, we’re constantly being bombarded with information about the latest data breach, be it a bank, a retailer or even a health care company. In fact, while credit card numbers used to always be on fraudsters’ “most wanted” lists, in the past year, data from leading health care companies, government agencies and similar firms is an increasingly hot commodity.

The Gemalto Data Breach Level Index found that more than 700 million consumer records were exposed to fraudsters in 2015 alone. Data stolen in breaches are typically used in fraudulent attacks on banking and e-commerce organizations. Account takeover and new account fraud are expected to increase by 60 percent in the next three years, resulting in a loss of some $8 billion.

Payments professionals cannot be blasé about the importance of good security. As fraud technology advances, so do the bad guys’ tactics. Criminals are evolving their methodology all the time, and the onus is on financial institutions and merchants to stay ahead.

Account Takeover and New Account Fraud: The New Black

Fraudsters can—and will—use stolen credentials to log onto an online account and then masquerade as the legitimate user. The bad actor then can transfer funds, use the payment method on file to make a high-value purchase or simply cover up fraudulent transactions. This is what’s known as account takeover fraud, and it’s become relatively easy through a number of common practices, including cycling through easily remembered passwords like “Password123,” or words like a victim’s child’s name, street name, birth dates or other data socially engineered from public profiles.

This type of fraud shows no sign of stopping anytime soon for two primary reasons. For one thing, passwords aren’t sufficient to keep a user’s account secure. The second reason has to do with how traditional fraud-prevention systems work. These tools primarily use rules-based systems to analyze payment and personal identification information—they lack the ability to determine if a user accessing an account is in fact the real user of that account.

These systems do help apprehend some forms of fraud, but they aren’t enough.

Similarly, new account fraud also is growing, and in fact, analysts estimate it comprises 20 percent of all fraud losses. With new account fraud, the information obtained is often enough to apply for new financial accounts, many times without the victims being aware for months.

Neither of these methods is typically attempted by a human. Hackers write scripts that can be run by bots en masse to attack systems using that data. Scripted attacks can be tricky to detect, as the perpetrators have studied the account creation and login pages of their target companies to ensure that each field is completed correctly and appears legitimate. Standalone fraud-prevention systems merely look at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.

This poses something of a Catch-22 for businesses: How, as a company, do you apply excess caution when reviewing orders or account applications without ruining the experience for the legitimate customers, or worse, accidentally flagging a good user as a bad one? When this occurs, the merchant or financial services provider is not only losing the immediate sale, but also in most cases the lifetime value of that customer.

Don’t Throw out the Baby with the Bathwater

It’s abundantly clear that financial institutions and online companies need to implement new detection methods. Fraudsters have become too sophisticated for the old fraud prevention tools.

There is an answer to this conundrum, however: behavioral biometrics.

With observable behavioral biometrics, evaluation of users accessing an account or application begins from the moment they start interacting with an online property and throughout the entire interaction. The amount of time it takes to log in, place an item in a cart or get to the application is continuously tracked, from the moment they begin interacting with an online property. Device information such as whether a mobile, PC or tablet is being used, along with device identification information, browser language, screen size, location and more also is collected. All of this information is compared with an existing user profile. The way a user interacts with a Website is also analyzed, including the way a person types, how they hold their mobile phone, etc. Through this aggregation of characteristics and data, behavioral biometrics can create a unique profile for each user. For new users, there is a wealth of information to draw from on our platform. For example, even if someone is new to one site, there’s a good chance their behavior has been captured and analyzed by another site.

Verifying the good users makes the anomalous or bad users stand out in comparison. This enables the program to easily highlight when a different person or bot is attempting account takeover and also enables businesses to prevent bots and systems from running scripts to access or create new accounts. The uniqueness of the data gathered and the aggregation and application of all collected data creates a full 360-degree view of each user.

What’s more, this all can be accomplished in a way that’s non-intrusive and doesn’t affect the customer experience. What it comes down to is that there’s no reason for merchants or financial institutions to live in constant fear of data breaches when there are solutions that will identify and prevent fraud attempts while also protecting the customer experience.

Ryan Wilk is the vice president of customer success for 2016 Pay Awards-winning NuData Security. Previously, he was manager of trust and safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles. NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. Ryan can be reached at [email protected].

In Viewpoints, payments professionals share their perspectives on the industry. Paybefore’s goal is to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.