Combatting Account Takeover

By TechZone360 Special Guest
Ryan Wilk, Director of Customer Success, NuData Security
June 17, 2015

The Ponemon Institute’s 2015 Cost of Data Breach Study showed a 23 percent increase in the total cost of a breach from 2013 to 2014. In other terms, companies paid an average of $154 per lost or stolen record. Multiply that by the hundreds of millions of records that were compromised last year, and it’s clear that we have a security crisis on our hands.

These records include incredibly personal data such as a person’s Social Security number, name, address, phone number, credit card number, name of local bank branch, etc. Data thieves sell this information to aggregators, who cross-reference and compile full identities—called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

A full identity allows a cyber criminal to file a tax return or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could dog her for the rest of her life, because her Social Security number was stolen.

Stolen data has repercussions for the victims, sometimes for years to come; this is the ripple effect of cybercrime. Small data breaches appear on the surface to be minor losses of data, but they can quickly expand out across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

There is a hierarchy of value on the dark Web for stolen data. Fullz sell for $5 apiece, but require a more in-depth and risky scam to realize value. Working user accounts with a payment method attached go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

It only makes practical sense, then, that account takeover (ATO) has become a new favorite fraud tactic. In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts. ATOs can be automated or can be done with small human teams. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.


The current industry average is three high-risk logins for every high-risk checkout. The first login is to verify if the account works. The second time is to gain intelligence, and the third time is the actual fraud attempt. The transaction is no longer the point of focus for fraud—it is the login. By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

This leads to the question of how to protect login pages. This is where behavioral analytics comes into play. Why? Most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And, as detailed above, full identities are prevalent and cheap.

If it seems too difficult to distinguish between legitimate users and fraudsters, it’s time to ask yourself the question, “Do I understand my user in enough detail?”

This is what behavioral analytics does for you. User behavior analytics observes and understands how the user behaves, in an effort to answer bigger questions. For instance, how did the user behave previously when they logged in? Are they behaving the same now? When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it completely different?

Is their behavior repeated? If the behavior is the same every time they visit, perhaps we can say it’s a good user. But if it’s the same behavior that 1,000 users are all repeating, it could indicate the activity of a crime ring executing a distributed, low-velocity attack. For these reasons, observing user behavior in detail enables the best chance of beating fraud.
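To make the two questions above concrete, here is an added sketch (not from the original article or from any vendor's product) that checks a login against the account's own history and looks for one behavior pattern repeated across many accounts. The event fields (`key_ms`, `pasted`, `secs`), the bucket sizes and the sample events are all constructed assumptions.

```python
from collections import defaultdict

def signature(ev):
    """Coarse behavioral fingerprint: typing rhythm, paste flag, time on page."""
    return (ev["key_ms"] // 25, ev["pasted"], int(ev["secs"] // 2))

def shared_signatures(events, min_accounts=5):
    """Signatures repeated across many distinct accounts (possible crime ring)."""
    accounts = defaultdict(set)
    for ev in events:
        accounts[signature(ev)].add(ev["account"])
    return {sig: accts for sig, accts in accounts.items() if len(accts) >= min_accounts}

def deviates_from_history(history, ev):
    """True when this login's signature was never seen before on the account."""
    return bool(history) and signature(ev) not in {signature(h) for h in history}

def logins_per_ip(events):
    """What a plain velocity rule sees: login count per source address."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ip"]] += 1
    return dict(counts)

def sample_events():
    """Constructed data: three ordinary users plus eight accounts hit by one script."""
    events = []
    users = [("alice", 180, 9.0), ("bob", 240, 14.5), ("carol", 130, 6.5)]
    for i, (acct, key_ms, secs) in enumerate(users, 1):
        for n in range(3):  # each user logs in three times in their own rhythm
            events.append({"account": acct, "ip": f"192.0.2.{i}", "key_ms": key_ms + n,
                           "pasted": False, "secs": secs + 0.1 * n})
    for n in range(8):  # one login per account, each from a different address
        events.append({"account": f"victim{n}", "ip": f"198.51.100.{n + 1}",
                       "key_ms": 12, "pasted": True, "secs": 1.2})
    return events

if __name__ == "__main__":
    evs = sample_events()
    for sig, accts in shared_signatures(evs).items():
        print(f"signature {sig} repeated on {len(accts)} accounts: {sorted(accts)}")
```

In the sample data every scripted login comes from its own address exactly once, so a per-address velocity rule sees nothing unusual, while the shared signature stands out.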

Merchants are beginning to realize they can no longer rely on basic data validation measures, because when it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in. As ATO gains steam, fraud detection and prevention efforts need to be focused on behavior. Behavioral analytics looks beneath the surface of matching usernames and passwords to truly understand user behavior. These behavior patterns reveal details that fraudsters can’t fake despite their best efforts.

About the Author: Ryan Wilk is the director of customer success for NuData Security. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles. 

Edited by Dominick Sorrentino
