Combatting Account Takeover

By

The Ponemon Institute’s 2015 Cost of Data Breach Study showed a 23 percent increase in the total cost of a breach from 2013 to 2014. In other terms, companies paid an average of $154 per lost or stolen record. Multiply that by the hundreds of millions of records that were compromised last year, and it’s clear to see that we have a security crisis on our hands.

These records include incredibly personal data such as a person’s Social Security number, name, address, phone number, credit card number, name of local bank branch, etc. Data thieves sell this information to aggregators, who cross-reference and compile full identities—called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

A full identity allows a cyber criminal to file a tax return or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could dog her for the rest of her life, because her Social Security number was stolen.

Stolen data has repercussions for the victims, sometimes for years to come; this is the ripple effect of cybercrime.  Small data breaches appear on the surface to be minor losses of data, but they can quickly expand out across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

There is a hierarchy of value on the dark Web for stolen data. Fullz sell for $5 a piece, but require a more in-depth and risky scam to realize value. Working user accounts with a payment method attached go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

It only makes practical sense, then, that account takeover (ATO) has become a new favorite fraud tactic. In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts. ATOs can be automated or can be done with small human teams. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.

Image via Shutterstock

The current industry average is three high-risk logins for every high-risk checkout. The first login is to verify if the account works. The second time is to gain intelligence, and the third time is the actual fraud attempt. The transaction is no longer the point of focus for fraud—it is the login. By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

This leads to the question of how to protect login pages. This is where behavioral analytics comes into play. Why? Most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And, as detailed above, full identities are prevalent and cheap.

If it seems too difficult to distinguish between legitimate users and fraudsters, it’s time to ask yourself the question, “Do I understand my user in enough detail?”

This is what behavioral analytics does for you. User behavior analytics observe and understand how the user behaves, in an effort to answer bigger questions. For instance, how did the user behave previously when they logged in? Are they behaving the same now? When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it completely different?

Is their behavior repeated? If the behavior is the same every time they visit, perhaps we can say it’s a good user. But if it’s the same behavior that 1,000 users are all repeating, it could indicate the activity of a crime ring executing a distributed, low velocity attack. For these reasons, observing user behavior in detail enables the best chance of beating fraud.

Merchants are beginning to realize they can no longer rely on basic data validation measures anymore, because when it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in. As ATO gains steam, fraud detection and prevention efforts need to be focused on behavior. Behavioral analytics looks beneath the surface of matching usernames and passwords to truly understand user behavior. These behavior patterns reveal details that fraudsters can’t fake despite their best efforts.

About the Author: Ryan Wilk is the director of customer success for NuData Security. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles. 




Edited by Dominick Sorrentino
Get stories like this delivered straight to your inbox. [Free eNews Subscription]


SHARE THIS ARTICLE
Related Articles

Can Science Outsmart Deepfake Deceivers? Klick Labs Proposes an Emerging Solution

By: Alex Passett    3/25/2024

Researchers at Klick Labs were able to identify audio deepfakes from authentic audio recordings via new vocal biomarker technology (alongside AI model…

Read More

Top 5 Best Ways to Integrate Technology for Successful Project-Based Learning

By: Contributing Writer    3/19/2024

Project-based learning, also popularly known as the PBL curriculum, emphasizes using and integrating technology with classroom teaching. This approach…

Read More

How to Protect Your Website From LDAP Injection Attacks

By: Contributing Writer    3/12/2024

Prevent LDAP injection attacks with regular testing, limiting access privileges, sanitizing user input, and applying the proper encoding functions.

Read More

Azure Cost Optimization: 5 Things You Can Do to Save on Azure

By: Contributing Writer    3/7/2024

Azure cost optimization is the process of managing and reducing the overall cost of using Azure. It involves understanding the resources you're using,…

Read More

Massive Meta Apps and Services Outage Impacts Users Worldwide

By: Alex Passett    3/5/2024

Meta's suite of apps and services are experiencing major global outages on Super Tuesday 2024.

Read More