Information Security Today Home

The Ripple Effect of Identity Theft

Ryan Wilk, Director, NuData Security

As a society, we hear about data breaches all the time, but we rarely hear about what happens to the stolen data afterwards. We may not think much of losing one username and password combo or having to cancel a credit card, but each piece of data doesn't just disappear. It gets collected and combined into the tool of choice for today's fraudsters: one that's so difficult to overcome that we've had to rebuild how we do Internet security.

Data Privacy Is Dead

Since 2005, more than 675 million data records have been involved in data breaches in the U.S. alone, according to the Identity Theft Resource Center. These records include incredibly personal data such as a person's Social Security number, name, address, phone number, credit card number, name of local bank branch and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities--called "fullz" on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.

With this level of information, fraudsters can create new bank accounts or take out loans under an actual person's name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road.

In a recent New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could hinder her for the rest of her life, because her Social Security number was stolen.

Bad News Travels Fast

A recent report found that it took just 12 days for the account information of 1,500 "employees" to travel from California to 22 countries and five continents. In that time, it was viewed over 200 times and clicked on over 1,100 times. Fortunately, in this case, the accounts were fake: they were set up for fake employees and then intentionally "breached" in order to determine the speed at which compromised data travels. This is especially disturbing when you consider that it takes an average of 200 days for most corporations to detect that a breach has taken place.

The experiment didn't just show how quickly stolen information gets circulated. It determined that the false information was being tested for validity too. Had the fake data actually been real accounts, fraud attempts would already be underway.

It's the ripple effect. Small data breaches look on the surface to be minor losses of data, but they expand out across the digital waters faster than ever before, converging into a wave of personal information so detailed that undoing the damage is next to impossible.

The Rise of Account Takeover (ATO)

What can you do with all of that stolen information? Depends on how much of it is amassed. There is a hierarchy of value on the dark web for stolen data. Stolen credit cards can cost mere cents and are labor-intensive and low return for fraudsters. It takes many attempts for a fraud scheme to work as cards are tested and cycled through. With so many data breaches last year, credit card numbers flooded the black market, lowering their value.

Fullz sell for $5 apiece, but require a more in-depth and risky scam to be fully utilized. Working user accounts with a payment method attached, an easy-grab scam with lucrative results, go for a mere $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.

As a result, account takeover is growing quickly in the fraud world. NuData Security monitors more than 18 billion user interactions across the Internet annually, and we are seeing 112 percent year-over-year increases in account takeover attacks.

In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts with stolen credit cards. ATOs can be automated, including scripted attacks, or can be done with small teams of human operators posing as account holders. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.

Based on our behavioural analysis, we are seeing that there are, on average, three high-risk logins for every high-risk checkout. The first login is to verify that the account works. The second is to gain intelligence, and the third is when the fraudster attempts to commit actual fraud. The transaction is no longer the point of focus for fraud; it is the login. This shift creates an imperative to look at the login and account creation--rather than the transaction--in order to stop fraud before it happens.

In a sea of available data, account takeover pirates have their pick of digital credentials. Organizations must not only secure their own data but also be ever vigilant against people using stolen data on their websites as well.

By protecting the login pages of your sites, you cut fraudsters off at the source. You stop them from being able to take control of the account in the first place.

The Genius of Behavioral Analytics

How can you protect login pages from data thieves? This is where behavioral analytics shines. Let's take a look at what user behavioral analytics means. Most merchants look for a username and password match. Some use device ID or check for password resets. But the newer, more sophisticated criminals are skilled at bypassing these mechanisms.

And as we've seen, full packages of user information--full identities--are prevalent and cheap. If you are not confident that you can separate account testers and fraudsters from legitimate users, then the real question you need to ask yourself is, "Do I understand my user in enough detail?"

Rather than a simple checklist, behavioral analytics focuses on observed characteristics of who the user is, not just who he tells you he is. User behavior analytics are aimed at observing and understanding how the user behaves, in an effort to answer bigger questions, such as:

  • How did the user behave previously when he logged in? Is he behaving the same now?
  • When the user is inputting data, is it similar to how he's interacted on the same device before, or is it completely different?
  • Is her behavior repeated? Repeated behaviour can tell us a lot. If the behaviour is the same every time she visits, perhaps we can say it's a good user, acting the same as always. But if it's the same behaviour that 1,000 users are all repeating, it could indicate that this behaviour is part of a crime ring running a distributed, low-velocity attack, the kind of attack that exposes you to massive amounts of loss.

Observing user behavior in detail enables the best chance of beating fraud.
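The per-user and cross-user comparisons in the questions above can be sketched as detection logic over login events. This is an added example, not NuData's implementation; the event format, the `signature` fingerprint and the `ring_threshold` value are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample login events, oldest first: (account, signature).
# "signature" is a hypothetical coarse fingerprint of how the login form was
# used (e.g. typed vs. pasted password, bucketed typing cadence, navigation).
EVENTS = [
    ("alice", "typed|slow|tab"), ("alice", "typed|slow|tab"),
    ("bob", "typed|fast|click"), ("bob", "paste|slow|tab"),
    ("carol", "typed|slow|click"), ("carol", "paste|instant|none"),
    ("dave", "paste|instant|none"), ("erin", "paste|instant|none"),
    ("frank", "paste|instant|none"), ("alice", "typed|slow|tab"),
]

def score_logins(events, ring_threshold=3):
    """Label each account's most recent login.

    shared-pattern: the signature is repeated across >= ring_threshold
                    distinct accounts (one login per account is enough,
                    so a per-account rate limit would never fire)
    changed:        the signature differs from the account's own history
    consistent:     the signature matches the account's own history
    new:            no history to compare against
    """
    accounts_by_sig = defaultdict(set)   # signature -> accounts showing it
    history = defaultdict(list)          # account -> signatures in order
    for account, sig in events:
        accounts_by_sig[sig].add(account)
        history[account].append(sig)

    verdicts = {}
    for account, sigs in history.items():
        latest, earlier = sigs[-1], sigs[:-1]
        if len(accounts_by_sig[latest]) >= ring_threshold:
            verdicts[account] = "shared-pattern"   # cross-user repetition
        elif not earlier:
            verdicts[account] = "new"
        elif latest in earlier:
            verdicts[account] = "consistent"       # same as always
        else:
            verdicts[account] = "changed"          # deviates from own past
    return verdicts

if __name__ == "__main__":
    for account, verdict in sorted(score_logins(EVENTS).items()):
        print(f"{account:6} {verdict}")
```

The coarser the fingerprint, the more legitimate users will share a signature, so the threshold has to be tuned against the normal population before a shared pattern is treated as a ring.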

A New Era in Fraud Detection

A recent research note from Gartner indicates that perimeter-focused security isn't keeping malicious actors out when it comes to enterprise security controls.

Merchants are beginning to realize they can no longer rely on basic data validation measures, because when it comes to account takeover, all of the data may be compromised and will be correct regardless of who logs in: a legitimate user or an imposter.

Instead, the key is to look at the behavior at login and connect it to checkout. Behavioral analytics digs under the surface of matching usernames and passwords to truly understand user behaviour. These behavior patterns reveal details that fraudsters can't hide despite their best efforts. As account takeover schemes gain prominence, fraud detection and prevention efforts need to be focused on behaviour. Behavioral analytics provide the intelligence needed to stop fraud before it starts.

© Copyright 2015 Auerbach Publications