PII: The Impact of Exposure

digital safety concept padlock in electronic environment.

Almost 179 million records containing personal information were disclosed during 1,579 data breaches in 2017, according to the Identity Theft Resource Center and CyberScout. This represents a 45% increase over 2016. It also means that nearly everyone in the U.S. has had their personal information exposed and that it will end up in the hands of cybercriminals in the near future – if not already. What was once an infrequent occurrence has now become an epidemic.

The Identity Theft Resource Center has been tracking breaches since 2005, and each year, the number of breaches has been growing but, in 2017, it exploded. The rising number of data breaches is directly linked to the escalating fraud losses from account takeover, synthetic identities, identity theft, and other types of fraud.

Data thieves sell this personal information from breaches to aggregators, who cross-reference and compile full identities on the data black market – called “fullz” or synthetic identities. This increases the value and usefulness of the stolen data, which may have been gathered over multiple data breaches. With this level of information, fraudsters can create new bank accounts or take out loans under a real person’s name. They can even access a customer’s account and transact impersonating the legitimate user. When these actions take place, they cannot be traced back to the fraudster and can cause severe and lasting harm to the fraud victim for years down the road.

When it comes to social media, consumers need to be careful about what is posted on social network profiles. Status updates – upcoming travel plans, going out to a game, etc. – allows criminals to take advantage of every situation. If personal information like a phone number, birthday, your pet’s name, or school information is provided, cybercriminals can take this private information and use it for fraudulent transactions because banks and other agencies use precisely this information to verify customers.

A Closer Look

NuData Security data from its consortium shows that on average 40% of monthly logins are fraudulent. Account takeovers – accessing accounts with stolen credentials – increased from 12% to 77% of total logins in the first half of 2017 alone. Thirty-five percent of all new accounts were created with stolen identities.

It is now incumbent on online businesses, as well as consumers, to incorporate as many best practices as possible to secure individual identity and to fight fraudulent transactions. Consumers should use unique, strong passwords on all sites, and change them periodically. They should also keep close tabs on their credit card statements and bank account transactions. Most institutions now allow customers to set account alerts that will provide timely notification of large dollar transactions, as soon as they are attempted. This puts the control into the customer’s hands: Monitor their accounts in real time, rather than waiting for their monthly statement to arrive in the mail – after the damage is done.

Alerting consumers about breaches and getting them to change passwords right away, however, is a losing proposition and, in the end, consumers themselves pay the consequences. Password management services help customers adhere to best password practices, but at the end, companies are the ones who can make a difference by choosing stronger authentication solutions.

Change is Hard to Do

The gauntlet has been laid, and now online companies have to reassess their fraud and authentication strategies continuously. The latest numbers on identity theft and fraud prove that online enterprises, banks, and retailers need to develop a new way to authenticate their customers online.

To fight fraudster’s growing sophistication, online businesses need to take an entirely different approach to digitally identify and verify legitimate customers. New technologies that combine layers of passive and physical biometrics into their mix are proving to be the most reliable.

This multi-layered approach can leverage the user’s natural actions combined with behavioral analytics and passive biometrics to give companies control over who their users are. While hackers will continue to steal passwords and credentials to access accounts, commit fraud or steal money, they are not able to replicate a person’s inherent behavior. It is equally important for companies to continually monitor the traffic in an environment and to adjust the rules when anomalous trends are detected.

Cyberattacks are growing in sophistication and businesses need to be ready for that. While it is increasingly hard to stay ahead of bad actors when it comes to breach protection, companies can take a different approach to customer and digital security by using these stronger authentication methods. This unique approach to authentication that looks at the user’s behavior devalues stolen PII data and protects companies from post-breach damage.

About the Author

Robert Capps is a recognized technologist, thought leader, and advisor with over twenty years of experience in the design, management, and protection of complex information systems – leveraging people, process, and technology to counter cyber risks. In his previous role at RedSeal as a Senior Director, Robert was responsible for technical, security, and customer operations. Before RedSeal, Robert was Senior Manager, Global Trust, and Safety at StubHub.

Listen to the PaymentsJournal Podcast with Robert Capps here