Page 15 - Cyber Warnings
P. 15
Once in possession of stolen profile data, hackers will package it for sale on the Dark Web.
They will advertise aspects of the data like credit card numbers, Social Security Numbers
(SSN), phone numbers, and emails. Sometimes they even offer volume discounts. The
nefarious characters that acquire this data – which they often do incognito, via Bitcoin payments
– will usually age it, meaning let it sit for a period of time, as the unsuspecting true persons
associated with the data go about their daily lives. This improves the quality of the stolen data
and increases its potency, which was what happened in the Yahoo! breach.
The most common way to effectively use the stolen data is to create synthetic IDs. This means
using part of a real identity associated with a valid credit card or SSN while changing other parts
of the data, usually the email address and sensitive phone information. The reason a cyber thief
changes these components is to intercept “out-of-band” (OOB) communications, the text
messages and emails confirming that a change has been made. This renders two-factor
authentication (2FA), for years a trusted cybersecurity measure, increasingly patchy. In fact, in
July the National Institute of Standards and Technology (NIST) updated to its Digital
Authentication Guidelines (DAG) to state that 2FA over SMS is no longer secure. If FIs want to
ensure customer security, they will have to be on the front lines of evolving cybersecurity
standards.
Understanding Exposures
The recent transition to EMV chip-card technology in the US has made it difficult for hackers to
clone credit cards, so instead hackers have been initiating fraud via account takeover and
account creation. One study saw account takeover fraud increase by 112 percent from August
2014 to August 2015. To stay ahead of the criminals, smart organizations have started taking
steps to improve their chances of catching this type of activity through the use Social
Biometrics, device fingerprinting, and geodesic IP location tracking.
Social Biometrics is the process of leveraging social media data alongside trusted online and
offline information to correlate data in the application process. This allows for vastly improved
fraud prediction and authenticity validation, as new email, phone or address information
introduced by fraudsters will have a low correlation and therefore high fraud indication. This
method is particularly useful for fraud mitigation. Replicating a human-like network for a
fraudulent (or synthetic) identity would be incredibly difficult, and would show low social proof of
authenticity.
Device fingerprinting seeks to understand known good or bad devices – e.g. devices that have
been used to commit fraud in the past – and determine if they are connected to the identity
presented at the time of application. These systems have been around for years, and the quality
of their fraud mitigation is reliant upon the expanse of their network. Of course, when individuals
regularly change the devices that they use to connect to the internet and apply for new
accounts, like phones and laptops, device fingerprinting becomes difficult.
15 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
