Identity fraud is growing rapidly, propelled by the massive quantity of private consumer data available to the criminal underworld and driven largely by the engine of automation. With consumer data prevalent on the dark web, on social media, in databases and elsewhere on the internet, identity theft was at a record high in 2016, impacting two million more people than in 2015 according to Javelin Research*, and that trend is continuing. Complete consumer profiles assembled from breaches, social media and other sources are sold on the Dark Web for hackers to leverage in a variety of online fraud and to take over accounts for money, products or services.
Automated Attacks: Bots, Brute Force and More
Automation technology that enables account takeovers has become increasingly sophisticated and is now what credit card fraud was a couple of years ago. NuData's threat intelligence for May 2017 shows that Account Takeover (ATO) attacks on both mobile and web logins have risen 630% since February 2017, much of that increase coming from hackers using brute-force automated scripting. Application fraud and ATOs against financial institutions can have serious consequences, such as money-movement or fund-transfer schemes.
Banking and financial customers who use the same password across multiple accounts can assume hackers have that password. Brute force attacks use automated scripts to run through thousands of possible username/password combinations to test account access and obtain passwords, credit card details, purchase data or other personally identifiable information (PII). Using information derived from a brute force attack, cybercriminals pose as genuine customers to gain control of an account and then make unauthorized transactions. Since 2013, nine billion data records have been lost or stolen.
Cyber criminals use automated tools to discern which stolen information is usable and which is not. Account compromises can lead to loss of funds and long-lasting financial damage for customers, who in some cases can be held financially responsible. For banks and financial institutions, the result is a loss of customer trust, increased customer attrition and indelible brand damage. It is a stealth attack that packs a real punch.*
Battling bad bots is another challenge for both financial institutions and customers. Recent research from NuData Security found a 600% spike in botnet activity alone in the month of April 2017. Bots are also used for ATOs and a variety of other nefarious activities.
Approximately a third of websites containing forms were hit by spam bots, according to Distil's 2017 Bad Bot Report. It also reveals that on nine out of ten websites infiltrated by bots, the bots got behind the login page, which means they could have accessed sensitive data.*
Malicious bots can be programmed to steal content, overwhelm websites, or even attempt to access a user account without permission. A prime example is the use of automated bots by scalpers to purchase vast numbers of tickets for high-demand events and then resell them at greatly increased prices. In January 2016, the IRS was hacked using stolen social security details in conjunction with an automated bot to set up fraudulent accounts.
Automation systems such as GUI scripts do more than mimic human users: they can drive web browsers to replay what appears, at face value, to be human input. This is where the criminals leave a telltale calling card. In mimicking human users for cover, they expose a weakness that passive biometrics can detect. Machine learning has made bots more sophisticated, but they are unable to replicate the subtle, unique variations that humans show in every instance of data input.
The Flip Side: Automating a Solution for Online Fraud
In the identification industry, automation has the potential to bring improved efficiency and cost savings across the board, from due diligence in identity proofing and compliance to automated fraud detection and more. In the cybercrime world, automation can reap millions of dollars.
It is that challenge that pushes banks and financial institutions to find innovative, futuristic approaches to fighting the plague of automated attacks. Layered security that incorporates passive biometrics and behavioral analytics differentiates real customers and payments from impostors using stolen credentials.
Passive biometrics tracks and analyzes hundreds of behavioral aspects, such as the angle at which a handheld device is held while in use, the pressure applied to the keys or screen, and the length of the gaps between typing and swiping, all of which can separate good users from bad. These factors are virtually impossible for a non-human interface to replicate. Anomalous behavior is identified by comparing an interaction both with the patterns of known human users in general and with the established patterns of that particular known good user.
This combination focuses on observed characteristics and specific behaviors to identify true customers and add context to the authentication of users. For example, when the behaviors that recur every time a particular customer interacts with the bank's technology are similar to what that customer typically does, they would be considered a good user. However, if exactly the same behavior occurs across 1,000 users and keeps repeating, it could indicate that this behavior is part of a distributed, low-velocity cyber-attack, the kind of attack that exposes banks to large losses.
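As an added illustration of the two checks described above (not part of the original article or NuData's product), the following Python compares a login's keystroke timing against the same user's own history and then looks for one behavioral signature recurring across many accounts; the event fields, thresholds and sample sessions are constructed assumptions.

```python
"""Added illustration, not NuData's code: the per-user and cross-user checks
the article describes, run on constructed login events. Field names and
thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

def signature(event):
    # Quantize the behavioral features so measurement jitter lands in one
    # bucket. A replayed GUI script reproduces timing almost exactly, so its
    # events collapse to a single signature; human input never does.
    gaps = event["key_gaps_ms"]
    return (round(mean(gaps)), round(pstdev(gaps)),
            round(event["tilt_deg"]), round(event["pressure"], 2))

def deviates_from_baseline(history, event, z=3.0, min_history=3):
    # Per-user check: is this event's mean keystroke gap far outside the
    # distribution of the same user's own past sessions?
    past = [mean(e["key_gaps_ms"]) for e in history]
    if len(past) < min_history:
        return False  # not enough history to judge
    mu, sd = mean(past), max(pstdev(past), 5.0)  # floor sd at 5 ms
    return abs(mean(event["key_gaps_ms"]) - mu) / sd > z

def shared_signatures(events, min_accounts=3):
    # Cross-user check: one behavioral signature showing up under many
    # distinct accounts is the distributed, low-velocity pattern in the text.
    seen = defaultdict(set)
    for e in events:
        seen[signature(e)].add(e["user"])
    return {sig: users for sig, users in seen.items() if len(users) >= min_accounts}

def ev(user, gaps, tilt, pressure):
    return {"user": user, "key_gaps_ms": gaps, "tilt_deg": tilt, "pressure": pressure}

# Constructed sample data: three sessions of alice's own history, ...
ALICE_HISTORY = [ev("alice", [95, 130, 112, 148], 32.4, 0.42),
                 ev("alice", [101, 128, 118, 125], 30.9, 0.44),
                 ev("alice", [118, 133, 120, 131], 33.1, 0.41)]
ALICE_NORMAL = ev("alice", [110, 125, 119, 131], 31.7, 0.43)
ALICE_REPLAYED = ev("alice", [40, 40, 40, 40], 0.0, 0.50)  # script, no jitter

# ...plus a login stream: real users with their own rhythms, and one script
# replaying an identical input trace against four different accounts.
LOGIN_STREAM = [ev("bob", [140, 160, 155, 170], 18.2, 0.37),
                ev("carol", [80, 100, 90, 95], 45.0, 0.55)] + \
               [ev(u, [120] * 5, 0.0, 0.50) for u in ("u1", "u2", "u3", "u4")]

if __name__ == "__main__":
    print(deviates_from_baseline(ALICE_HISTORY, ALICE_NORMAL))    # False
    print(deviates_from_baseline(ALICE_HISTORY, ALICE_REPLAYED))  # True
    print(shared_signatures(LOGIN_STREAM))  # the four scripted accounts
```

In production the per-user baseline would cover many more features than keystroke gaps, but the shape of both checks stays the same.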
Layering behavioral biometrics with other solutions such as ID Check or fingerprint sensors is a good example of how passive and active biometrics work in tandem to balance security and user experience: an integrated step-up authentication (facial recognition, fingerprint, etc.) provides a seamless experience for good users while remaining available when additional assurance of authentication is required.
Other important benefits of this approach include cost savings, online fraud prevention, reduced loss of customers and improved security. Adding behavioral biometrics to behavioral analytics, two-factor authentication and physical biometrics is a solid approach that reduces risk while also enhancing the customer experience.
About the Author:
Ryan Wilk is Vice President, Customer Success for NuData Security, now a MasterCard company. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various e-commerce roles. NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest e-commerce and web properties around the globe.
* https://www.javelinstrategy.com/coverage-area/2017-identity-fraud
* From Automation Success Story
* https://resources.distilnetworks.com/white-paper-reports/2017-bad-bot-report