Data Breaches: Why the Battle Is Just Beginning for Online Businesses

By Joe Vignolo / 12 Sep 2019

If you are one of the 147 million Americans affected by the 2017 data breach of credit reporting agency Equifax and the subsequent record-setting $700 million settlement with the Federal Trade Commission (FTC) announced recently, it may feel like this years-long ordeal is approaching its conclusion.

But like most things, it’s only a matter of time before it happens again. In fact, with high-profile breaches like Capital One, Facebook, Quest Diagnostics, and many (many) others, 2019 is on track to be the worst year ever for data breaches.

That is bad news not only for individual consumers and the breached businesses but also for all businesses that operate online – big and small. They will find themselves dealing with the fallout in a variety of ways.

Data breaches don’t just affect the hacked company, but all online businesses where compromised credentials are used.

The far-reaching fallout of data breaches

Data breaches like the 2017 Equifax incident flood the web with users’ personal information, such as name, Social Security number, address, credit card numbers, passwords, and the like. For bad actors, that’s a treasure trove of data to be weaponized and used to commit fraud across the internet. 

Put bluntly, every business has to deal with the repercussions of breaches whether directly involved or not. Why? Because most people practice poor password hygiene. According to Dashlane, a password management app, nearly half of U.S. workers use their personal passwords for their work accounts. And a poll conducted by LogMeIn found nearly 60% of those surveyed use the same password everywhere. That doesn’t just put consumers at risk, it puts every business those consumers interact with squarely in fraudsters’ crosshairs.

And here’s a scary statistic: According to Google’s Password Checkup extension for Chrome, 1.5% of all website logins use compromised credentials, meaning those credentials have been exposed via a hack or breach.

So what can businesses expect to deal with following the recent breaches and how can they protect themselves from future data breaches?

Defending against account takeover

Considering the dismal state that password hygiene is in, it is only a matter of time before your users’ login credentials are compromised, leaving your business vulnerable. That means you need to be prepared for account takeover attempts. So how do you protect your business and your users from this eventuality? 

Consider implementing two-factor authentication (2FA) – an additional security layer that is used to confirm the identity of your users. It works by requiring users to know something (passwords, PINs, usernames) and have something (typically a mobile phone or a physical dongle).

Fraudsters may gain access to your users’ email addresses, usernames, or passwords via the breach of another business, but it’s unlikely they will be able to get their hands on both that information and the cell phones or tiny USB fobs that your users carry with them everywhere.

Implementing 2FA is particularly important for online banks, medical accounts, or any site where credit card or financial information is stored. To be clear, 2FA does not help when these institutions themselves are breached through other vulnerabilities, but it can prevent the subsequent fraudulent login attempts.

Fighting synthetic identity fraud

Synthetic identity fraud is committed using a combination of real information associated with a legitimate user (Social Security number, shippable address, etc.) and false personally identifiable information (PII). According to Sift Trust & Safety Architect Kevin Lee, synthetic identity fraud is “fake accounts on steroids,” because it’s using real information combined with fraudulent PII to, essentially, create a new identity. And that makes synthetic identity fraud much harder to catch.

To make matters worse, children are often targets of synthetic fraud, with more than 1 million children falling victim to identity theft in 2018 alone. A child’s PII is extremely valuable to fraudsters because it has never been used to open any type of account – a clean slate for a bad actor to do with as he pleases. 

To combat this, businesses need to look beyond the PII being used to create accounts and start looking at the behavior that takes place once the account is created. Is the person acting like a normal user of your platform? 

This type of analysis is difficult to do with a traditional rules-based fraud detection solution due to the large number of signals and interactions needed to make an accurate determination. A machine learning (ML) model that examines your users’ actions, combined with a global network of data, can help aggregate and analyze the myriad signals on your site. Device fingerprinting, when combined with ML and user behavior, can also aid in identifying fraudulent accounts, e.g. has this device been associated with other accounts? 
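The device question above ("has this device been associated with other accounts?") can be answered with simple link analysis. The following is an added example, not Sift's code or part of the original article: it clusters accounts that share a device fingerprint, directly or through a chain of shared devices. The event format, the sample data, and the `min_accounts` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (account_id, device_fingerprint). Not real data.
SAMPLE_EVENTS = [
    ("acct_1", "fp_aaa"),
    ("acct_2", "fp_aaa"),   # shares a device with acct_1
    ("acct_2", "fp_bbb"),
    ("acct_3", "fp_bbb"),   # linked to acct_1 only through acct_2
    ("acct_4", "fp_ccc"),
    ("acct_5", "fp_ddd"),
    ("acct_5", "fp_ddd"),   # repeat login, same account and device
    ("acct_6", "fp_eee"),
    ("acct_7", "fp_eee"),
]


def link_accounts_by_device(events):
    """Group accounts connected, directly or transitively, by a shared device."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups fast
            x = parent[x]
        return x

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    first_account_on_device = {}
    for account, fingerprint in events:
        find(account)  # register the account even if it never shares a device
        owner = first_account_on_device.setdefault(fingerprint, account)
        union(owner, account)

    clusters = defaultdict(set)
    for account in parent:
        clusters[find(account)].add(account)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def review_queue(events, min_accounts=3):
    """Clusters large enough to warrant review (threshold is an assumption)."""
    return [c for c in link_accounts_by_device(events) if len(c) >= min_accounts]
```

Households and shared computers produce benign clusters too, so the cluster size is one signal to weigh alongside account behavior rather than a verdict on its own.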

Preventing punitive action following data breaches

As we’ve seen with the Equifax breach, beyond a massive hit to a company’s brand and customer trust, fines, remediation costs, and class-action lawsuits are often levied against businesses that are breached. In fact, many businesses are pushed to the brink of bankruptcy (or beyond) following an incursion.

To protect themselves, many businesses look into cyber-risk insurance to cover costs that are associated with the fallout of a data breach. In the case of Capital One, they have a $400 million insurance policy that will be used to cover credit monitoring and legal support for affected users.

But insurance policies don’t cover everything, and they do nothing to mitigate the potential hit to a company’s bottom line following a breach. For public companies, data breaches negatively affect stock prices. For private companies, the costs associated with breaches can be astronomical – can you really afford a breach if you are pouring all your money into growing your business? It pays to be proactive and put the policies and protocols mentioned in previous sections in place so that you have a decreased chance of experiencing a breach.

How to protect your business

If your company conducts business online (allowing users to create accounts, taking payments, etc.), it will at some point have to deal with the fallout of another company’s breach. To protect your livelihood (and the livelihoods of your users), you need to be ready. You can implement the precautions mentioned in this article yourself or look for a platform that can automate a lot of the processes.

When looking for a provider to help protect your business, be sure they have robust technology, an engaged community with insights that can help you in your fight against fraud, and the willingness to partner with you. 

Technology

While traditional rules-based fraud detection solutions do catch some fraud, they don’t catch it all because they are static and inherently reactive. They treat every user the same way – as a potential fraudster. That’s where machine learning comes in. Machine learning models tailored to the unique requirements of your business and fine-tuned to spot anomalies that other solutions miss are the best way to go.

Community

Combine a custom ML model with the learnings from a global network of businesses fighting fraud, and you can rest assured you have your bases covered. You benefit from the shared knowledge of the other businesses in that community, usually in the form of fraud signals and trends that your business hasn’t seen yet.

Partnership

This requirement is often overlooked. You should look for a fraud prevention platform that will partner with you at every step of the journey to serve your unique needs and forge trusted long-term relationships. Your business is unique; there isn’t a one-size-fits-all fraud solution. You need to find a partner that can act as a consultant as you implement any fraud-fighting platform; otherwise, when you do eventually hit a roadblock or start seeing a new type of attack, you might be on your own.


If you’re interested in fighting fraud without hindering business growth but are unsure where to start, request a Digital Trust & Safety Assessment. The simple assessment will help you understand your unique challenges, the benefit of adopting Digital Trust & Safety, and where you are on the journey.


Joe Vignolo

Joe Vignolo is the Director of Content Marketing at Sift, specializing in authentic storytelling that connects and converts. Before joining Sift, he ran content at Outreach and Datanyze and was an award-winning broadcast journalist in the San Francisco Bay Area. He also believes Point Break (the original) is a shining example of American cinema.
