Page 22 - Cyber Warnings
Fighting Fraud After the Data Breach Dust Settles
By: Ryan Wilk, vice president of customer success, NuData Security
As data breaches have become a part of modern life, seemingly as inevitable as death and
taxes, interesting shifts in both the tactics and goals of fraudsters are emerging. Last year, cyber
criminals were less interested in credit card data and more focused on obtaining the kind of
personally identifiable information on file with government entities, healthcare companies and
other such firms.
Banking and ecommerce organizations are the primary targets of fraudulent attacks using data
stolen in these breaches. A 2015 study by Javelin Strategy & Research on the impact of data
breaches on consumers found that account takeover and new account fraud will increase by 60
percent in the next three years.
That makes for an increase from the estimated $5 billion lost last year to $8 billion in 2018.
As merchants and financial institutions become better at thwarting traditional fraud techniques,
criminals are forced to adapt. They continue to innovate in their quest for ill-gotten gain. The
onus is on the financial institutions and merchants to stay ahead.
The Two Biggest Fraud Threats Today
By accessing an existing user’s credentials (personally identifiable information), a fraudster can
perform account takeover (ATO). Using an existing consumer’s account allows a criminal to
masquerade as a genuine customer to transfer funds, use the payment method on file to make
a high-value purchase or simply mask fraudulent transactions.
Accessing these accounts has become easy through one of three common practices:
• Testing low-security passwords, like “Password123,” or words such as a child’s name, street
name, birth dates or other data socially engineered from public profiles
• Trying combinations of usernames and/or passwords obtained through data breaches
• Using automated “brute force” attacks, which are systematic assaults (also referred to as
“bots”) that use a script to continually “guess” a user’s password
ATO is popular and will increase for two reasons. First, passwords can no longer be relied upon
to keep a user’s account secure. Second, traditional fraud prevention systems that rely primarily on
rules-based analysis of payment and personally identifiable information (PII) do not
have the ability to determine if a user accessing an account is in fact the real user of that
account.
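The two automated practices in the list above (replaying breached username/password combinations and brute-force guessing) leave different traces in authentication logs. The following is an added example, not part of the original article: it labels each source address by its failed-login pattern, using constructed events and illustrative thresholds (`min_failures`, `distinct_ratio`) that are assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample authentication events: (source_ip, username, success).
# Addresses are from documentation ranges; usernames are made up.
EVENTS = (
    [("198.51.100.7", "alice", False)] * 8                       # repeated guesses at one account
    + [("203.0.113.9", f"user{i}", False) for i in range(9)]     # one try per username
    + [("203.0.113.9", "carol", True)]                           # a replayed pair that worked
    + [("192.0.2.4", "bob", False), ("192.0.2.4", "bob", True)]  # ordinary typo, then success
)

def classify_sources(events, min_failures=5, distinct_ratio=0.8):
    """Return {ip: (label, accounts_to_review)} from failed-login patterns."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> username -> failed attempts
    successes = defaultdict(set)                      # ip -> usernames that logged in
    for ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip][user] += 1

    verdicts = {}
    for ip in set(failures) | set(successes):
        total = sum(failures[ip].values())
        if total < min_failures:
            verdicts[ip] = ("normal", [])
            continue
        # Nearly one username per failure: a list of breached pairs being replayed.
        # Failures piled onto a few usernames: password guessing against those accounts.
        spread = len(failures[ip]) / total
        label = "credential_stuffing" if spread >= distinct_ratio else "brute_force"
        # Any account this source did get into needs review for takeover.
        verdicts[ip] = (label, sorted(successes[ip]))
    return verdicts

if __name__ == "__main__":
    for ip, (label, accounts) in sorted(classify_sources(EVENTS).items()):
        print(ip, label, accounts)
```

A successful login from a flagged source is the case to review first, since a correct password by itself does not show that the real account holder is the one logging in.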
22 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide