Data breaches are big business, with many high-profile companies and government agencies including Target, Sony, Ashley Madison and the US government falling victim over the past few years. If current trends are anything to go by, 2016 will be no different. Details of breaches have already been reported from the international food chain Wendy’s and HSBC, one of the largest global banking and financial services organisations. Login details, passwords, payment information and personally identifiable information are the core details that hackers desire. These data breaches are a stark reminder that personal data continues to be a desirable target, no matter how diligent a company’s efforts are in data protection.
Masking the truth
One result of the growing number of data breaches is the rising trend of Account Takeovers (ATO). Because hackers use ATO to impersonate genuine customers, it is harder for retailers and financial institutions to both detect and safeguard against, making it a near-foolproof way for attackers to gain information such as logins and passwords.
The Internet has become awash with such stolen details, and fraudsters have realised that consumers are notoriously bad at managing their online security, often reusing the same login data across many websites. The use of stolen credentials to log into high-value websites, coupled with the fact that traditional fraud solutions are set up to focus on the kind of suspicious, new-account transactions that are the hallmark of large credit card data breaches, creates a perfect storm for fraud. Once data thieves steal this customer information, they are able to create new bank accounts and even take out loans with legitimate customer PII (Personally Identifiable Information).
Having the correct credentials for an account is only the beginning for adjudicating identity. Knowing if the correct person is logging on is the next big challenge facing organisations as they attempt to curb the amount of stolen personal data that is currently being leaked. With consumer data now so easily available to the average cyber criminal, companies must re-evaluate their traditional reliance on easy-to-bypass Knowledge Based Authentication (KBA) and add hard-to-replicate user behavioural biometrics. Continued reliance on traditional identity signals and authentication techniques will ultimately result in a foreseeable outcome: inconvenience and friction in a good customer’s experience and financial losses to organisations and consumers.
By harnessing the power of continuous behavioural analytics and passive biometrics, it is possible to authenticate users in a more secure manner while providing a friction-free customer experience. By understanding the underlying traits that make users unique, stolen data becomes much less useful to bad actors, in turn making it far less valuable on the black market. Reducing the value of stolen information is a key control for reducing the number of network intrusions and resulting data breaches.
In the meantime, stolen credentials are out there, with more every day. That is why it is imperative for companies to change how they authenticate users to preserve the trust and safety of their brand in the eyes of their customers.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views of The Economist Intelligence Unit Limited (EIU) or any other member of The Economist Group. The Economist Group (including the EIU) cannot accept any responsibility or liability for reliance by any person on this article or any of the information, opinions or conclusions set out in the article.