Features: October 9th, 2015

Theft of data is becoming more prevalent and sophisticated. A worrying development is taking over the user account rather than creating a new account with stolen data. Data verification checks have no value, because all data is correct. In this article Ryan Wilk argues that the most effective defence is detailed observation of user behaviour.

The Ponemon Institute’s 2015 Cost of Data Breach Study showed a 23 percent increase in the total cost of a breach from 2013 to 2014. In other terms, companies paid an average of $154 per lost or stolen record. Multiply that by the hundreds of millions of records that were compromised last year, and it’s clear to see that we have a security crisis on our hands.

These records include incredibly personal data such as a person’s Social Security number, name, address, phone number, credit card number, name of local bank branch, etc. Data thieves sell this information to aggregators, who cross-reference and compile full identities—called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

A full identity allows a cyber criminal to file a tax return or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could dog her for the rest of her life, because her Social Security number was stolen.

Stolen data has repercussions for the victims, sometimes for years to come; this is the ripple effect of cybercrime. Small data breaches appear on the surface to be minor losses of data, but they can quickly expand out across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

There is a hierarchy of value on the dark Web for stolen data. Fullz sell for $5 apiece, but require a more in-depth and risky scam to realize value. Working user accounts with a payment method attached go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

It only makes practical sense, then, that account takeover (ATO) has become a new favourite fraud tactic. In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts. ATOs can be automated or can be done with small human teams. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.

The current industry average is three high-risk logins for every high-risk checkout. The first login is to verify if the account works. The second time is to gain intelligence, and the third time is the actual fraud attempt. The transaction is no longer the point of focus for fraud—it is the login. By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

This leads to the question of how to protect login pages. This is where behavioural analytics comes into play. Why? Most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms. And, as detailed above, full identities are prevalent and cheap.

If it seems too difficult to distinguish between legitimate users and fraudsters, it’s time to ask yourself the question, “Do I understand my user in enough detail?”

This is what behavioural analytics does for you. User behaviour analytics observe and understand how the user behaves, in an effort to answer bigger questions. For instance, how did the user behave previously when they logged in? Are they behaving the same now? When the user is inputting data, is it similar to how they’ve interacted on the same device before, or is it completely different? Is their behaviour repeated? If the behaviour is the same every time they visit, perhaps we can say it’s a good user. But if it’s the same behaviour that 1,000 users are all repeating, it could indicate the activity of a crime ring executing a distributed, low velocity attack.

For these reasons, observing user behaviour in detail enables the best chance of beating fraud. Merchants are beginning to realise they can no longer rely on basic data validation measures any more, because when it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in. As ATO gains steam, fraud detection and prevention efforts need to be focused on behaviour. Behavioural analytics looks beneath the surface of matching usernames and passwords to truly understand user behaviour. These behaviour patterns reveal details that fraudsters can’t fake despite their best efforts.

Ryan Wilk is director, NuData Security