In 2017, a record-breaking 16.7 million consumers experienced fraud or identity theft. And fraud rates are only continuing to rise, according to the latest Javelin report, 2018 Identity Fraud: Fraud Enters a New Era of Complexity. In particular, account takeover attacks, one of the biggest sources of fraud for businesses, saw exponential upward growth. Last year, instances of account takeover fraud hit a record high, nearly tripling over 12 months.
Total losses to account takeover fraud? $5.1 billion. In 2016, losses added up to a mere $2.3 billion.
It’s crystal clear that tackling fraud demands a new approach—one that’s even savvier than the cybercriminals themselves.
Identity Theft: the Gateway to Even More Fraud
It’s scary to think, but identity theft is only the start. It’s a gateway to other forms of cybercrime that are costing companies severely and hurting consumers. It’s a snowball effect, where cybercriminals use leaked data to open false accounts that then enable an explosion of even more nefarious forms of fraud. Identity theft, driven by data breaches, leads to payment fraud, account takeover fraud, false insurance claims, fraudulent credit card openings, drained bank accounts and more.
The steps that fraudsters take after a data breach demonstrates this alarming reality. In the past year, we’ve seen several large data breaches where consumers lost credit card information to fraudsters. Once cybercriminals have hold of the data, they rapidly get to work to sell or use the stolen account data for fraud. With stolen credentials, cybercriminals can initiate transactions through fraudulent merchant and bank accounts and ATMs to drain funds. Card issuers and consumers have difficulty keeping up with the speed at which fraudsters exploit stolen payment data, opening up consumers to even more fraud.
One way that cybercriminals capitalize on stolen identities is through follow-up social engineering attacks, even after a compromised card has been disabled. With a synthetic identity and a stolen credit history, a fraudster can use social engineering to scam users into adding authorized users to their account. The fraudster steals the card owner’s good credit, applies for several new credit cards, maxes them out and disappears without a trace.
Identity theft and account takeovers are driving the rise of fraud. Once hackers are inside an account, they engage in follow-on forms of crime, whether it’s credit card fraud, a business email compromise attack or payment hijacking in the insurance industry. Stopping new account fraud means adding stronger identity proofing measures during the application stage that unearth fraudsters and block them from initiating false openings.
The Lifecycle of a Data Breach
Once your personal data is stolen, it doesn’t stop there. In fact, that’s just the beginning. When they get their hands on your info, fraudsters have a tried-and-true method for figuring out how to make the most of it. Here’s a look at the breakdown:
- Dump checking: this is when fraudsters test the stolen info to make sure it will still be valid for payment purposes
- Determine which cards can purchase inventory based on certain issuers and geographic locales
- Sell stolen account data in large batches
- Determine whether they need to steal or further assemble any additional info, like CVV numbers
- Encode stolen numbers on counterfeit cards, or make card-not-present transactions
So in the time it takes for a bank to notify you that your information may have been compromised, a fraudster is likely well on their way to making illicit purchases based on your information. Check out more about the lifecycle of a card data breach in this infographic.
Identity Proofing with Behavioral Biometrics – Stop Fraud at the Source
Fraudsters know how to exploit the weaknesses in the online application process. By using stolen information to hack into accounts, they can initiate transactions, drain bank accounts and ultimately damage a company’s bottom line and reputation with consumers.
If we can’t rely on the information entered into an online application to verify identity, what can we observe instead? The answer is to ground identity proofing on the one thing cybercriminals can’t change: their behavior.
Fraudsters interact with online applications differently than legitimate users. That means account takeover attacks can be detected based on how information is being entered into a form, not just on the accuracy of the information entered. Here are a few examples of how user behavior differs
- Application Fluency: Most fraudsters use compromised or synthetic identities to repeatedly attack a site. These actions show a fluency with the site and the process used to open a new account.
- Navigational Fluency: Fraudsters often use advanced computer skills that are rarely seen among real users. Common examples include keyboard shortcuts and function keys.
- Data Familiarity: Fraudsters exhibit several behavioral traits when they enter in unfamiliar data compared to a legitimate user with intimate knowledge of their personal information
By mapping these behaviors in real-time throughout the initiation process, behavioral biometrics pick up on suspicious behaviors, alert the company that possible fraud is in the works and provide an immediate recourse to prevent a potentially fraudulent application from going through.
Stopping fraud means shutting cybercriminals down at the application stage. Identity proofing with behavioral biometrics eliminates our overreliance on easily-acquired personal credentials. Ultimately, the problem of fraud won’t go away until businesses actively take steps to up their cybersecurity and foil fraudsters’ proven techniques.
Learn how a top 5 global credit card issuer detected more new account fraud while reducing false declines in our case study.