Combatting Account Takeover

By TechZone360 Special Guest
Ryan Wilk, Director of Customer Success, NuData Security
June 17, 2015

The Ponemon Institute’s 2015 Cost of Data Breach Study showed a 23 percent increase in the total cost of a breach from 2013 to 2014. In other terms, companies paid an average of $154 per lost or stolen record. Multiply that by the hundreds of millions of records that were compromised last year, and it’s clear to see that we have a security crisis on our hands.

These records include incredibly personal data such as a person’s Social Security number, name, address, phone number, credit card number, name of local bank branch, etc. Data thieves sell this information to aggregators, who cross-reference and compile full identities—called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

A full identity allows a cyber criminal to file a tax return or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could dog her for the rest of her life, because her Social Security number was stolen.

Stolen data has repercussions for the victims, sometimes for years to come; this is the ripple effect of cybercrime.  Small data breaches appear on the surface to be minor losses of data, but they can quickly expand out across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

There is a hierarchy of value on the dark Web for stolen data. Fullz sell for $5 a piece, but require a more in-depth and risky scam to realize value. Working user accounts with a payment method attached go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

It only makes practical sense, then, that account takeover (ATO) has become a new favorite fraud tactic. In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts. ATOs can be automated or can be done with small human teams. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.

Image via Shutterstock

The current industry average is three high-risk logins for every high-risk checkout. The first login is to verify if the account works. The second time is to gain intelligence, and the third time is the actual fraud attempt. The transaction is no longer the point of focus for fraud—it is the login. By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

This leads to the question of how to protect login pages. This is where behavioral analytics comes into play. Why? Most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And, as detailed above, full identities are prevalent and cheap.

If it seems too difficult to distinguish between legitimate users and fraudsters, it’s time to ask yourself the question, “Do I understand my user in enough detail?”

This is what behavioral analytics does for you. User behavior analytics observe and understand how the user behaves, in an effort to answer bigger questions. For instance, how did the user behave previously when they logged in? Are they behaving the same now? When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it completely different?

Is their behavior repeated? If the behavior is the same every time they visit, perhaps we can say it’s a good user. But if it’s the same behavior that 1,000 users are all repeating, it could indicate the activity of a crime ring executing a distributed, low velocity attack. For these reasons, observing user behavior in detail enables the best chance of beating fraud.

Merchants are beginning to realize they can no longer rely on basic data validation measures anymore, because when it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in. As ATO gains steam, fraud detection and prevention efforts need to be focused on behavior. Behavioral analytics looks beneath the surface of matching usernames and passwords to truly understand user behavior. These behavior patterns reveal details that fraudsters can’t fake despite their best efforts.

About the Author: Ryan Wilk is the director of customer success for NuData Security. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles. 

Edited by Dominick Sorrentino

Related Articles

10 Benefits of Drone-Based Asset Inspections

By: Frank Segarra    1/15/2018

Although a new and emerging technology, (which is still evolving), in early 2018, most companies are not aware of the possible benefits they can achie…

Read More

VR Could Change Entertainment Forever

By: Special Guest    1/11/2018

VR could change everything from how we play video games to how we interact with our friends and family. VR has the power to change how we consume all …

Read More

Making Connections - The Value of Data Correlation

By: Special Guest    1/5/2018

The app economy is upon us, and businesses of all stripes are moving to address it. In this age of digital transformation, businesses rely on applicat…

Read More

3 Ways to Improve Your VR Projects

By: Ellie Martin    1/4/2018

There is no denying that VR is here and will most likely only increase in velocity as a terminal speed is yet to be even hypothesized. That is why it …

Read More

Alphabet to See Schmidt Step Down

By: Maurice Nagle    12/21/2017

In 2001, Google brought Eric Schmidt on board as CEO. To 10 years later become executive chairman, and continue to serve in this capacity through rest…

Read More