Data Breaches: Why the Battle Is Just Beginning for Online Businesses
By Joe Vignolo /
12 Sep 2019
If you are one of the 147 million Americans affected by the 2017 data breach of the credit reporting agency Equifax, and by the subsequent record-setting $700 million settlement with the Federal Trade Commission (FTC) announced recently, it may feel like this years-long ordeal is approaching its conclusion.
But it is only a matter of time before it happens again. With high-profile breaches at Capital One, Facebook, Quest Diagnostics, and many (many) others, 2019 is on track to be the worst year ever for data breaches.
That is bad news not only for individual consumers and the breached businesses but for every business that operates online, big and small. They will all find themselves dealing with the fallout in one way or another.
The far-reaching fallout of data breaches
Data breaches like the 2017 Equifax incident flood the web with users’ personal information, such as name, Social Security number, address, credit card numbers, passwords, and the like. For bad actors, that’s a treasure trove of data to be weaponized and used to commit fraud across the internet.
Put bluntly, every business has to deal with the repercussions of breaches, whether directly involved or not, because most people practice poor password hygiene. According to Dashlane, a password management app, nearly half of U.S. workers reuse their personal passwords for their work accounts, and a poll conducted by LogMeIn found that nearly 60% of those surveyed use the same password everywhere. That doesn’t just put consumers at risk; it puts every business those consumers interact with squarely in fraudsters’ crosshairs, because a password stolen from one site will be tried against all the others.
And here’s a scary statistic: according to Google’s Password Checkup extension for Chrome, 1.5% of all website logins use compromised credentials, meaning a username and password pair that has already been exposed in a hack or breach.
So what can businesses expect to deal with following the recent breaches and how can they protect themselves from future data breaches?
Defending against account takeover
Given the dismal state of password hygiene, it is only a matter of time before some of your users’ login credentials are compromised elsewhere and replayed against your site, leaving your business exposed. That means you need to be prepared for account takeover attempts. So how do you protect your business and your users from this eventuality?
Consider implementing two-factor authentication (2FA), an additional security layer used to confirm the identity of your users. It works by requiring users both to know something (a password or PIN) and to have something (typically a mobile phone running an authenticator app, or a physical security key). The username is the identifier being claimed, not a secret, so it does not count as a factor.
Fraudsters may obtain your users’ email addresses, usernames, or passwords from the breach of another business, but it is unlikely they will get hold of that information and the phones or hardware keys your users carry with them. One caveat: one-time codes delivered by SMS can be intercepted through SIM swapping or phone-number porting, so app-generated codes or hardware keys are the stronger choice where your users will accept them.
Implementing 2FA is particularly important for online banks, healthcare portals, or any site that stores credit card or financial information. To be clear, 2FA does not help when these institutions are themselves breached through other vulnerabilities, but it does block the fraudulent logins that follow when stolen passwords are replayed.
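As an added example (not code from Sift or from the original article), here is the server side of the most common "have something" factor, an authenticator-app code, implemented from RFC 4226 (HOTP) and RFC 6238 (TOTP) with only the Python standard library. The time step, digit count, and drift window are the RFC defaults; the secret used in the demo is the published RFC test secret, not a real key. The verifier accepts a code from one step either side of the current time to tolerate clock drift, compares in constant time, and takes a last-used counter so that a code which has already been accepted cannot be replayed within its validity window.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

TIME_STEP = 30   # seconds per code (RFC 6238 default)
DIGITS = 6       # code length shown by most authenticator apps
WINDOW = 1       # accept codes from +/- one step to tolerate clock drift


def generate_secret(nbytes: int = 20) -> str:
    """Create a random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                step: int = TIME_STEP, window: int = WINDOW,
                last_used_counter: int = -1) -> Tuple[bool, int]:
    """Check a submitted code against the current step and +/- window steps.

    Returns (ok, counter). The caller must persist the returned counter and pass it
    back as last_used_counter on the next attempt, so each code is accepted once;
    without that, a code sniffed in transit stays valid for the whole window.
    """
    now = int(time.time()) if at is None else at
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue                                   # already consumed or older than a used code
        expected = hotp(secret_b32, counter)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # The RFC 6238 test secret ("12345678901234567890" in ASCII), used here for a demo only.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code = totp(rfc_secret, at=59)
    ok, used = verify_totp(rfc_secret, code, at=59)
    print("first use:", ok, used)                               # True 1
    ok, used = verify_totp(rfc_secret, code, at=59, last_used_counter=used)
    print("replay:", ok, used)                                  # False 1
```

The enrollment step is not shown: `generate_secret()` produces the value you would place in an `otpauth://` URI for the user to scan, and it must be stored server-side with the same care as a password hash, since anyone who reads it can mint valid codes.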
Fighting synthetic identity fraud
Synthetic identity fraud is committed using a combination of real information associated with a legitimate person (Social Security number, a shippable address, etc.) and false personally identifiable information (PII). According to Sift Trust & Safety Architect Kevin Lee, synthetic identity fraud is “fake accounts on steroids,” because it combines real information with fabricated PII to create, in effect, a new identity. That makes synthetic identity fraud much harder to catch: the real pieces pass the checks that would reject a wholly invented identity.
To make matters worse, children are frequent targets of synthetic fraud, with more than 1 million children falling victim to identity theft in 2018 alone. A child’s PII is extremely valuable to fraudsters because it has never been used to open any type of account, so it carries no history that would contradict the fabricated identity: a clean slate for a bad actor to use as they please.
To combat this, businesses need to look beyond the PII used to create an account and start looking at the behavior that takes place once the account exists. Is this person acting like a normal user of your platform?
This type of analysis is difficult with a traditional rules-based fraud detection solution because of the large number of signals and interactions needed to make an accurate determination. A machine learning (ML) model that examines your users’ actions, combined with a global network of data, can aggregate and analyze the myriad signals on your site. Device fingerprinting, combined with ML and user behavior, can also help identify fraudulent accounts, e.g. has this device been associated with other accounts?
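To make the device and behavior signals concrete, here is an added example (not Sift’s code or model) of the feature-extraction step that would feed such a model: it clusters accounts that share a device fingerprint with a union-find over the account/device graph, measures how quickly each account went from signup to checkout, and flags accounts on thresholds. The event log is constructed for the example, and the thresholds are illustrative assumptions rather than tuned values; in production these features would be inputs to a trained model rather than hard rules.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events (not real data): (timestamp_s, account_id, device_fp, action).
# Three accounts created seconds apart from the same device fingerprint that rush to
# checkout, and one ordinary account on its own device over several days.
EVENTS: List[Tuple[int, str, str, str]] = [
    (0,      "acct_01", "dev_A", "signup"),
    (40,     "acct_01", "dev_A", "add_payment_method"),
    (60,     "acct_01", "dev_A", "checkout"),
    (5,      "acct_02", "dev_A", "signup"),
    (50,     "acct_02", "dev_A", "add_payment_method"),
    (70,     "acct_02", "dev_A", "checkout"),
    (9,      "acct_03", "dev_A", "signup"),
    (55,     "acct_03", "dev_B", "add_payment_method"),   # second device, still linked via dev_A
    (80,     "acct_03", "dev_B", "checkout"),
    (100,    "acct_04", "dev_C", "signup"),
    (86400,  "acct_04", "dev_C", "browse"),
    (172800, "acct_04", "dev_C", "add_payment_method"),
    (259200, "acct_04", "dev_C", "checkout"),
]


class UnionFind:
    """Minimal disjoint-set forest used to cluster accounts that share a device."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts_by_device(events) -> Dict[str, int]:
    """Map each account to the size of its device-linked cluster (1 = stands alone)."""
    uf = UnionFind()
    first_account_on_device: Dict[str, str] = {}
    for _, account, device, _ in events:
        uf.find(account)                                   # register singleton accounts too
        if device in first_account_on_device:
            uf.union(first_account_on_device[device], account)
        else:
            first_account_on_device[device] = account
    sizes: Dict[str, int] = defaultdict(int)
    for account in uf.parent:
        sizes[uf.find(account)] += 1
    return {account: sizes[uf.find(account)] for account in uf.parent}


def account_features(events) -> Dict[str, dict]:
    """Per-account signals: distinct devices, linked accounts, seconds from signup to checkout."""
    by_account: Dict[str, list] = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)
    cluster = link_accounts_by_device(events)
    feats: Dict[str, dict] = {}
    for account, evs in by_account.items():
        evs.sort()
        signup = next((t for t, _, _, a in evs if a == "signup"), evs[0][0])
        checkout = next((t for t, _, _, a in evs if a == "checkout"), None)
        feats[account] = {
            "devices": len({d for _, _, d, _ in evs}),
            "linked_accounts": cluster[account] - 1,
            "secs_to_checkout": None if checkout is None else checkout - signup,
        }
    return feats


def risk_flags(features: dict) -> List[str]:
    """Assumed illustrative thresholds: the kind of signals a model would weigh, not a real policy."""
    flags: List[str] = []
    if features["linked_accounts"] >= 2:
        flags.append("device shared with %d other accounts" % features["linked_accounts"])
    secs = features["secs_to_checkout"]
    if secs is not None and secs < 300:
        flags.append("checkout %ds after signup" % secs)
    return flags


def flagged_accounts(events) -> Dict[str, List[str]]:
    """Accounts that tripped at least one flag, with the reasons, for analyst review."""
    return {a: f for a, feats in account_features(events).items() if (f := risk_flags(feats))}


if __name__ == "__main__":
    for account, reasons in flagged_accounts(EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

Note that `acct_03` is caught even though it checked out from a device nobody else used: the signup from `dev_A` is enough to place it in the same cluster, which is exactly the linkage a per-account rule on the checkout event alone would miss.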
Preventing punitive action following data breaches
As we’ve seen with the Equifax breach, beyond a massive hit to a company’s brand and customer trust, fines, remediation costs, and class-action lawsuits are often levied against businesses that are breached. Many businesses are pushed to the brink of bankruptcy (or beyond) following a breach.
To protect themselves, many businesses look into cyber-risk insurance to cover the costs associated with the fallout of a data breach. Capital One, for example, has a $400 million insurance policy that will be used to cover credit monitoring and legal support for affected users.
But insurance policies don’t cover everything, and they do nothing to mitigate the hit to a company’s bottom line following a breach. For public companies, data breaches depress stock prices. For private companies, the costs associated with breaches can be astronomical: can you really afford a breach if you are pouring all your money into growing your business? It pays to be proactive and put the policies and protocols mentioned in the previous sections in place so that you have a better chance of avoiding one.
How to protect your business
If your company conducts business online (allowing users to create accounts, taking payments, etc.), it will at some point have to deal with the fallout of another company’s breach. To protect your livelihood (and the livelihoods of your users), you need to be ready. You can implement the precautions mentioned in this article yourself or look for a platform that automates much of the work.
When looking for a provider to help protect your business, make sure it has robust technology, an engaged community whose insights can help you in your fight against fraud, and a willingness to partner with you.
Traditional rules-based fraud detection solutions do catch some fraud, but not all of it: their static rules are inherently reactive, catching only patterns someone has already seen and written down, and they treat every user the same way, as a potential fraudster. That is where machine learning comes in. Machine learning models tailored to the unique requirements of your business and fine-tuned to spot anomalies that other solutions miss are the better way to go.
Combine a custom ML model with the learnings from a global network of businesses fighting fraud, and you can be confident your bases are covered. You benefit from the shared knowledge of the other businesses in that community, usually in the form of fraud signals and trends your own business hasn’t seen yet.
The third requirement, partnership, is often overlooked. Look for a fraud prevention platform that will partner with you at every step of the journey to serve your unique needs and forge a trusted long-term relationship. Your business is unique; there isn’t a one-size-fits-all fraud solution. You need a partner that can act as a consultant as you implement any fraud-fighting platform; otherwise, when you eventually hit a roadblock or start seeing a new type of attack, you may be on your own.
If you’re interested in fighting fraud without hindering business growth but are unsure where to start, request a Digital Trust & Safety Assessment. The simple assessment will help you understand your unique challenges, the benefit of adopting Digital Trust & Safety, and where you are on the journey.
Joe Vignolo is the Director of Content Marketing at Sift, specializing in authentic storytelling that connects and converts. Before joining Sift, he ran content at Outreach and Datanyze and was an award-winning broadcast journalist in the San Francisco Bay Area. He also believes Point Break (the original) is a shining example of American cinema.