Overcoming breach fear: Combine data, biometrics for better account security

Ryan Wilk, VP, Customer Success, NuData Security

There is little room for doubt that online fraud defenses must be beefed up. Over 700 million consumer records were exposed to fraudsters in 2015 alone, according to the Gemalto Data Breach Level Index. And fraudsters can make use of all kinds of personally identifiable information (PII).

While credit card details may have been the most wanted information in past years, 2015 was the year when data from leading healthcare companies, government agencies, and similar organizations became the hottest commodity on the Dark Web. Data stolen in these breaches is typically used in fraudulent attacks on banking and e-commerce companies. A 2015 study by Javelin Strategy & Research on the impact of data breaches on consumers found that account takeover and new-account fraud will increase by 60 percent in the next three years. That means that the estimated $5 billion lost last year would grow to $8 billion in 2018.

Unfortunately, as fraud prevention technology advances, so do fraudsters’ tactics. It is a cat-and-mouse game: as merchants and financial institutions become better at thwarting traditional fraud techniques, criminals are forced to adapt. The onus is now on the financial institutions and merchants to stay ahead.

Bankers and e-commerce sites need new ways to combat online fraud. One promising possibility involves analyzing user behavior so that potential fraudsters can be more readily flagged.

Understanding account takeover and new-account fraud

Account takeover (ATO) fraud occurs when a fraudster accesses the credentials, or PII, that consumers use to log onto online banks, retailers, gaming sites, or social media. Using an existing consumer’s account allows a criminal to masquerade as a genuine customer to transfer funds, use the payment method on file to make a high-value purchase, or simply mask fraudulent transactions. Accessing these accounts has become easy through one of three common practices:

  • Attempting combinations of usernames and passwords obtained through data breaches, both large and small
  • Cycling through easily remembered passwords, such as “Password123,” or passwords based on things such as a child’s name, street name, birth dates, or other data socially engineered from public profiles
  • Using automated brute-force attacks, in which scripts (often run by “bots”) systematically and continuously guess a user’s password

Account takeover attempts will continue to grow for two main reasons. First, passwords can no longer be relied upon to keep a user’s account secure. Second, traditional fraud-prevention systems, which rely primarily on rules to analyze payment and PII data, cannot determine whether the person accessing an account is in fact that account’s real user.
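The first and third practices listed above (credential stuffing from breach dumps and scripted brute-force guessing) leave a recognisable footprint in the login log even before any behavioral data is collected. The following Python example, added here and not part of the original article or any NuData product, shows the kind of source-level check a defender can run over login attempts: a source trying many distinct usernames with a high failure rate looks like credential stuffing, while one hammering a single username looks like password guessing, and any successes coming from an abusive source are the accounts to lock or step up. The log lines and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed sample login log (not real data):
# "<ts_seconds> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
0 203.0.113.10 alice FAIL
1 203.0.113.10 bob FAIL
2 203.0.113.10 carol FAIL
3 203.0.113.10 dave FAIL
4 203.0.113.10 erin FAIL
5 203.0.113.10 frank FAIL
6 203.0.113.10 grace OK
10 198.51.100.7 alice FAIL
11 198.51.100.7 alice FAIL
12 198.51.100.7 alice FAIL
13 198.51.100.7 alice FAIL
14 198.51.100.7 alice FAIL
15 198.51.100.7 alice FAIL
16 198.51.100.7 alice FAIL
17 198.51.100.7 alice FAIL
30 192.0.2.5 heidi FAIL
45 192.0.2.5 heidi OK
"""


@dataclass
class Attempt:
    ts: float
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    verdict: str                 # benign | credential_stuffing | password_brute_force
    attempts: int
    distinct_users: int
    failure_rate: float
    median_gap_s: Optional[float]  # machine-speed sources have tiny gaps
    successful_users: list       # accounts that an abusive source got into


def parse_log(text: str) -> list:
    """Parse the constructed log format into Attempt records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        out.append(Attempt(float(ts), ip, user, outcome == "OK"))
    return out


def classify_sources(attempts, min_attempts=5, min_distinct_users=4,
                     min_failure_rate=0.8) -> dict:
    """Group attempts by source IP and classify each source (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        n = len(evs)
        users = {a.user for a in evs}
        fail_rate = sum(not a.ok for a in evs) / n
        gaps = [b.ts - a.ts for a, b in zip(evs, evs[1:])]
        gap = median(gaps) if gaps else None

        verdict = "benign"
        if n >= min_attempts and fail_rate >= min_failure_rate:
            if len(users) >= min_distinct_users:
                verdict = "credential_stuffing"      # one source, many accounts
            elif len(users) == 1:
                verdict = "password_brute_force"     # one source, one account
        # A success from an abusive source is the signal to lock or step up that account.
        hits = [a.user for a in evs if a.ok] if verdict != "benign" else []
        findings[ip] = Finding(verdict, n, len(users), round(fail_rate, 2), gap, hits)
    return findings


if __name__ == "__main__":
    for ip, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The point of `successful_users` is that a rules-only system sees the `grace` login as a valid credential check, whereas in the context of the surrounding failures it is the one credential-stuffing hit that matters.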

Failing to stop a fraudulent order or bank transfer at any point can have immense economic ramifications. Rules-based systems remain relevant for catching other forms of fraud and some instances of ATO fraud, but they can examine only payment and some device information, not the user’s behavior at the time of login.

New-account fraud is also growing. According to a 2016 report by Javelin Strategy & Research titled “2016 Identity Fraud: Fraud Hits an Inflection Point,” there has been a 113 percent increase in incidence of new-account fraud, which now accounts for 20 percent of all fraud losses. In most cases, the information obtained is enough to apply for new financial accounts, many times without the victims being aware for months.

Neither of these methods is typically attempted by a human. Hackers write scripts that can be run by bots en masse to attack systems using that data. Scripted attacks can be tricky to detect, since the perpetrators have studied the account creation and login pages of their target company to ensure that each field is completed correctly and appears to be legitimate. Stand-alone fraud-prevention systems look merely at the information provided in the order or application, not the behavior displayed when logging in to or creating an account.

Whenever these new fraud methods start to become costly for businesses, an expensive side effect develops: Companies apply excess caution when reviewing orders, sometimes mistaking good orders for bad. When this occurs, the merchant is not only losing the immediate sale, but also in most cases the lifetime value of that customer. Javelin Strategy & Research evaluated this issue in a sponsored study titled “Overcoming False Positives.”

Transactions were denied to roughly 33 million cardholders in the past year because of suspected fraud—that's 15 percent of all cardholders. That resulted in a nearly $118 billion loss. In contrast, actual e-commerce fraud in the US only reached $9 billion. Merchants need a better way to save these legitimate sales while still preventing the potential dollar loss due to sophisticated fraud tactics. 

New detection systems needed

With these fraud attacks growing at a rate of 60 percent over three years, it is high time that financial institutions and online companies consider new detection methods. With many traditional fraud-prevention tools, only the data entered into a shopping cart or account creation form is analyzed. Some also look at the device or connection, both of which can be spoofed. With the data available from recent breaches, all of these details can match the genuine consumer perfectly and still be fraudulent or spoofed. Additionally, fraud decisioning only begins once the order or application form has been submitted, at which point it consumes payment-authorization and fraud or credit-review resources.

With observable behavioral biometrics, users accessing an account or application are continually evaluated from the moment they begin interacting with an online property. The amount of time it takes to log in, place an item in a cart, or get to the application page is all captured. Device identification information (whether a phone, PC, or tablet is being used), browser language, screen size, location, and whether the IP or geolocation has been faked are all compared to an existing user profile. The way a user interacts with a website is also analyzed, including the way a person types, holds the mobile phone, etc. By absorbing all of these characteristics and aggregating the data, behavioral biometrics create a unique profile for each user.

By passively identifying the good users, the anomalous or bad users become obvious in comparison. This lets the system easily highlight when a different person or a bot is attempting account takeover, and it also allows businesses to stop bots and scripts from accessing or creating accounts. The uniqueness of the data gathered, together with the aggregation and application of everything collected, creates a full 360-degree view of each user.
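The two paragraphs above describe behavioral biometrics in the abstract: capture timing and device signals from the start of the interaction, aggregate them into a per-user profile, and treat departures from that profile, or machine-speed input, as a signal of a different person or a bot. The same idea applies to the scripted account-creation attacks described earlier in the article. The Python below is an added illustration, not NuData's or the author's code, of the minimal version of that pipeline: a profile of means and spreads for numeric features and seen-values for categorical ones, and a scoring function that maps a new session to allow, step-up or block. The feature names, the four historic sessions, the candidate sessions, the z-score cap, the mismatch penalty and the decision thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Feature groups (assumed; a real deployment captures far more signals)
NUMERIC = ("time_to_login_s", "key_interval_ms")
CATEGORICAL = ("device", "screen", "lang", "country")


@dataclass
class Session:
    time_to_login_s: float   # seconds from page load to submitting the login form
    key_interval_ms: float   # mean interval between keystrokes in the form
    device: str              # phone | pc | tablet
    screen: str              # e.g. "1440x900"
    lang: str                # browser language
    country: str             # geolocation of the connection


@dataclass
class Profile:
    stats: dict   # numeric feature -> (mean, std)
    seen: dict    # categorical feature -> set of values observed for this user


def build_profile(history) -> Profile:
    """Aggregate a user's past genuine sessions into a behavioral profile."""
    stats, seen = {}, {}
    for f in NUMERIC:
        vals = [getattr(s, f) for s in history]
        mu = mean(vals)
        # floor the spread so a very consistent history does not flag tiny variations
        stats[f] = (mu, max(pstdev(vals), 0.05 * abs(mu)))
    for f in CATEGORICAL:
        seen[f] = {getattr(s, f) for s in history}
    return Profile(stats, seen)


def score_session(profile: Profile, s: Session, z_cap=4.0, mismatch_penalty=2.0):
    """Return (decision, score, reasons) for a new session against the profile."""
    score, reasons = 0.0, []
    for f in NUMERIC:
        mu, sd = profile.stats[f]
        z = abs(getattr(s, f) - mu) / sd
        if z > 2:
            reasons.append(f"{f} deviates {z:.1f} sd from profile")
        score += min(z, z_cap)                      # cap so one feature cannot dominate
    for f in CATEGORICAL:
        if getattr(s, f) not in profile.seen[f]:
            reasons.append(f"{f}={getattr(s, f)!r} never seen for this user")
            score += mismatch_penalty
    # Machine-speed input is a bot indicator regardless of whose profile it is scored against.
    if s.key_interval_ms < 30 or s.time_to_login_s < 1.0:
        reasons.append("machine-speed input")
        score += 5
    decision = "allow" if score < 2 else "step_up" if score < 10 else "block"
    return decision, round(score, 2), reasons


# Constructed history of one user's genuine sessions (not real data)
ALICE_HISTORY = [
    Session(6.2, 180, "pc", "1440x900", "en-US", "US"),
    Session(5.8, 195, "pc", "1440x900", "en-US", "US"),
    Session(7.1, 170, "pc", "1440x900", "en-US", "US"),
    Session(6.5, 188, "pc", "1440x900", "en-US", "US"),
]
# Constructed candidate sessions
GENUINE = Session(6.0, 182, "pc", "1440x900", "en-US", "US")      # same person, same habits
HUMAN_ATO = Session(7.5, 205, "pc", "1920x1080", "en-US", "BR")    # a person, but not alice
SCRIPTED = Session(0.4, 5, "pc", "800x600", "ru", "NL")            # bot replaying credentials

if __name__ == "__main__":
    prof = build_profile(ALICE_HISTORY)
    for name, s in [("genuine", GENUINE), ("human_ato", HUMAN_ATO), ("scripted", SCRIPTED)]:
        print(name, score_session(prof, s))
```

Note that the scripted session is blocked on the machine-speed rule alone, before its profile mismatches are counted; a profile-only model would still catch it, but the speed check is what lets the same logic work on a brand-new account that has no history yet.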

Combining data to defeat fraud

Financial institutions and merchants must implement solutions that identify and prevent fraud attempts, while also protecting the customer experience. The way to do this is by combining data obtained from device and observable behavioral biometrics from the time of login or account creation and throughout the user’s account lifespan.
