PayThink

The breach wave has created a crisis of trust


The biggest threat to consumers’ digital identities is the ever-growing volume of personal information available through data breaches.

Since 2013, attackers have exposed 14 billion records that are often used for account takeover or new-account fraud. Additionally, creative fraudsters can leverage legitimate account information to generate fake or synthetic accounts that blend in with legitimate users.

These attacks constitute a major threat to both consumers and organizations that rely on the internet to do business. The attackers bypass many traditional security barriers that, ironically, organizations use to mitigate risk. This year has seen an increase in targeted intrusions for financial gain. Attackers focus on testing the resilience of organizations by layering attacks, updating techniques with additional sophistication, establishing relationships with other attackers, and sharing tools to better disguise their individual identities. Bad actors are invisible to traditional security tools, and consumers turn out to be the ones impacted by those tools, experiencing friction.

Consumer trust is at the core of delivering a service over the internet. That trust is hard to win and easy to lose — eroding daily as attackers achieve success with fraudulent transactions.

Static authentication is broken, which is pushing regulations and standards toward improved controls.

Fraudulent transactions cost both businesses and consumers a pretty penny. For every 100,000 login attempts against a merchant login, an attacker will successfully log into an average of 0.05% of accounts, a total of 500 accounts. Out of those, a merchant’s current security tools would stop, on average, half of the fraudulent purchase attempts, letting a total of 250 fraudulent purchases through.

If the average cost of fraudulently purchased goods is $100, this merchant would have lost $25,000. Now, to put this into perspective, a regular mass-scale attack has millions of login attempts per day, exposing the merchant to million-dollar losses from a single attack.

For issuers, the story is similar, but the fraudulent transactions normally have a higher dollar value.

These attacks leverage fresh data from constant data breaches. This makes the attacks invisible to traditional security solutions that rely on a correct username and a password, until a consumer is impacted.

Consumers have a role to play in fighting fraudulent activity in their accounts. This involves good account hygiene (e.g., using a different password for every website or application) and insurance against identity theft.

It can be challenging to detect these threats with legacy security tools. There are two major attack types that feed off stolen records to target companies and end users:

Account takeover: This attack type can be broken into subcategories such as account testing, credential stuffing and account harvesting, all focused attacks that target online login, registration and password reset functionality.

New-account fraud: These attacks are sophisticated. Attackers will commit trial fraud, coupon abuse or rewards abuse, complete credit card applications, or create other types of financial accounts with the final goal of making money.

Both account takeover and new-account fraud are becoming increasingly complex, mimicking human behavior by, for example, faking mouse movements, and using information from legitimate users.
