Stolen Data's Speed Threatens Unaware Merchants


Data breaches happen so frequently these days that many consumers have “breach fatigue.” However, the threat does not die when public interest does. Stolen data moves faster than breaches can be detected, heightening the risk for merchants.

All of the stolen data from all of those breaches ends up in the hands of bad actors. Data thieves sell this information to aggregators, who cross-reference and compile full identities, called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

And that data moves quickly. A “Where’s Your Data?” experiment recently discovered that it took only 12 days for the account information of 1,500 fake “employees” to travel from California to 22 countries and five continents. In that time, it was viewed over 200 times, and in another 12 days, over 1,100 times. This is especially disturbing when you consider that it takes an average of 200 days for most corporations to detect that a breach has taken place.

Smaller data breaches like the fake one referenced above may seem to be minor losses of data, but they expand out in a ripple effect across the digital waters faster than ever before, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

There is a hierarchy of value for stolen data. Stolen credit cards can cost mere cents and are labor-intensive and low return for fraudsters. It takes many attempts for a fraud scheme to work as cards are tested and cycled through. With so many data breaches last year, credit card numbers flooded the black market, lowering their value.

The “fullz” mentioned earlier—full identity profiles—go for $5 each, but they require a more in-depth and risky scam to be really worthwhile. Working user accounts with a payment method attached, an easy-grab scam with lucrative results, command a higher rate of $27 each but can translate into hundreds to thousands of dollars in stolen money and merchandise.

Understandably, fraudsters are turning their attention to account takeovers (ATOs). In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts with stolen credit cards. ATOs can be automated, including scripted attacks, or can be done with small teams of human operators posing as account holders. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.

On average, there are three high-risk logins for every high-risk checkout. The first login verifies that the account works, the second gathers intelligence, and the third is when the fraudster attempts to commit actual fraud. The login, not the transaction, is now the focal point of fraud. This shift creates an imperative to look at the login and account creation, rather than the transaction, in order to stop fraud before it happens.

Organizations must not only secure their own data but also be ever vigilant against people using stolen data on their websites. By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

Merchants clearly need to protect login pages from cyber criminals, and this is the forte of behavioral analytics. To prevent fraud, merchants typically look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And as we’ve seen, full packages of user information are prevalent and cheap.

This means that it can be incredibly difficult to differentiate between account testers and fraudsters as opposed to legitimate users. If that is true, then the real question you need to ask yourself is, “Do I understand my user in enough detail?”

In contrast to standard, traditional methods of fraud detection, behavioral analytics focus on observed characteristics of who the user is, not just who they tell you they are. User behavior analytics are aimed at observing and understanding how the user behaves in an effort to answer bigger questions, such as: When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it suddenly completely different? How did the user behave before when they logged in? Are they behaving the same now?

Repeated behavior can tell us a lot. Is the user’s behavior repeated? If the behavior is the same every time they visit, perhaps we can say it’s a good user, acting the same as always. But if 1,000 users are all repeating the same behavior, it could indicate that the behavior is part of a crime ring running a distributed, low-velocity attack, the kind of attack that exposes a merchant to massive amounts of loss.
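The two checks described above (a login that departs from the account's own history, and one behavior repeated across many accounts) can be sketched as follows. This is an added example, not code from the article or from NuData Security; the event fields, bucket sizes and thresholds are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

def ev(account, ip, pasted, ms_per_key, secs_to_submit):
    return {"account": account, "ip": ip, "pasted": pasted,
            "ms_per_key": ms_per_key, "secs_to_submit": secs_to_submit}

# Constructed login telemetry in time order (hypothetical fields, documentation IPs).
SAMPLE = [
    ev("alice", "198.51.100.10", False, 180, 6.2),
    ev("alice", "198.51.100.10", False, 172, 5.8),
    ev("bob",   "203.0.113.5",   True,  4,   1.1),
    ev("carol", "203.0.113.6",   True,  2,   0.9),
    ev("alice", "203.0.113.7",   True,  3,   1.2),
    ev("dave",  "203.0.113.8",   True,  5,   1.0),
]

def signature(e):
    """Coarse behavioral fingerprint: input method plus bucketed timings."""
    return (e["pasted"],
            round(e["ms_per_key"] / 25) * 25,   # typing cadence, 25 ms buckets
            round(e["secs_to_submit"]))         # time on the login form, 1 s buckets

def analyze(events, min_accounts=3, max_per_ip=2):
    history = defaultdict(set)    # account -> signatures seen in earlier sessions
    by_sig = defaultdict(list)    # signature -> every login that produced it
    deviations = []
    for e in events:
        sig = signature(e)
        by_sig[sig].append(e)
        # Correct credentials, but behavior unlike this account's past sessions.
        if history[e["account"]] and sig not in history[e["account"]]:
            deviations.append((e["account"], e["ip"]))
        history[e["account"]].add(sig)
    rings = {}
    for sig, evs in by_sig.items():
        accounts = {e["account"] for e in evs}
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e["ip"]] += 1
        # Same behavior across many accounts while every source IP stays quiet:
        # per-IP rate limits miss this pattern, the shared signature exposes it.
        if len(accounts) >= min_accounts and max(per_ip.values()) <= max_per_ip:
            rings[sig] = sorted(accounts)
    return deviations, rings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

In the sample, every login presents valid credentials and no IP address appears more than twice, so only the behavioral comparison separates the four suspicious sessions from alice's normal ones.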

The best chance of beating fraud these days is to observe user behavior in detail.

In the past, basic data validation methods like verifying that usernames and passwords match were enough. But not anymore. When it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in, legitimate user or imposter.

When you can look at a user’s behavior from the time they log in through to checkout, you can go beyond verified usernames and passwords to determine if the user’s current behavior itself is in line with previous sessions. Fraudsters just can’t fake behavior that is specific to each individual.

Ryan Wilk is director of customer success for NuData Security.
