A post-Equifax world: What online businesses need to know
By Jason Tan /
12 Oct 2017
This article was first published on Entrepreneur.com in a slightly different format.
Has your business felt the impact of the recent Equifax breach yet? If not, you may soon. The well-publicized breach compromised the personal information of over 143 million Americans. And the reality is that breaches of this magnitude have a huge effect on other businesses too. Even companies that have never been breached have a huge challenge on their hands. Equifax is just the latest in a long string of data breaches that end up causing ripples for all online businesses for months – or even years – to come.
Here’s what you need to know:
Data breaches affect all companies that do business online
When another company is breached, you may not think it affects your own. But the downstream consequences can be extremely damaging to you and your users. When personal information gets hacked or leaked onto the dark web, fraudsters get busy scouring the internet for sites where they can use this valuable data to their advantage. One of those sites could easily be yours.
Fraudsters are flocking to account takeovers and identity theft
Gone are the days when criminals focused on credit card fraud. Fraudsters are monetizing different types of data easily available on the dark web. For example, TrendMicro found that Uber, Facebook, Netflix, and Paypal accounts are worth more on the black market than credit card details. And personally identifiable information (like social security numbers and birth dates) was selling for $1-$3.30, compared with $0.22 for a bundle of credit card data.
Any time the dark web is flooded with a new batch of names, addresses, Social Security numbers, and other personal information, account takeovers (ATOs) go up. And the huge breaches of the past few years (Yahoo, Dropbox, etc.) have been taking their toll. Nearly half of online businesses saw an increase in ATO in 2016, according to the Sift Science Fraud-Fighting Trends report.
Keep an eye out for signs of ATO
So, how do you know if an account has been compromised? You can start by looking out for clues, like a user who logs in from different devices and locations, suddenly changes to an older browser or operating system, or has many failed login attempts. A fraudster may also update their settings, shipping address, or password all at once. And suspicious users are known to use proxies or VPN setups.
It’s important to know that each of these signals, taken on its own, may not indicate that an account’s been compromised. There are plenty of legitimate reasons for updating settings, or logging in from a new device. Maybe they just bought the new iPhone! It’s important to look at a range of data points holistically to identify account takeover.
Watch out for fraudulent new accounts
Another way that fraudsters wreak havoc with compromised data from the Equifax breach is by stealing someone’s identity and creating new accounts. Or they might piece together different bits of information (think birth dates, names, and Social Security numbers) from a variety of accounts to create an entirely new identity (also known as “synthetic identity theft”).
Patterns that could potentially point to fraudulent accounts on your site include multiple new signups originating from the same IP address or device, or a sudden increase in new account openings that aren’t related to any promotions or seasonal trends. Also, you can monitor the average length of time it takes someone to sign up on your site. If that length of time suddenly gets faster, it could mean fraudsters are using scripts to quickly open accounts.
Encourage your users to practice good online security hygiene
Unfortunately, one of the reasons ATO is on the rise is due to users’ poor online security habits. As many as 59% of people reuse passwords across multiple sites, which makes it easy for fraudsters with leaked credentials to gain access to their other online accounts.
Some steps that users can take to protect themselves include using a password manager and setting up two-factor authentication across all of their key accounts. People can enter their email address on the website haveibeenpwned to see whether it has already been part of a known data breach.
Be cautious – but don’t overreact
Although you need to take precautions to safeguard your users, make sure these measures aren’t getting in the way of legitimate customers. You can’t ask every visitor to your site to enter a security code, fill out a Captcha form, or otherwise try to prove their identity. Fighting fraud is a balancing act, and you don’t want to spoil your customers’ experience by creating too many security roadblocks. And you definitely don’t want to accidentally turn good users away.
At the heart of every healthy customer relationship is trust. You don’t want the side effects of another company’s security nightmare to become your own, eroding your users’ trust in your company. Although massive data breaches have become a fact of life, you can proactively protect your users from the disastrous effects of ATO, identity theft, and fraud. It’s in their best interest – and yours.
Jason Tan is the co-founder and CEO of Sift. Fueled by a passion for building great products and amazing teams, he's also held leadership and engineering roles at BuzzLabs, Optify, and Zillow.