July 15, 2021
Changing the Narrative: How to Use Data Breaches for User Verification
by Liam Machin, SEON
Data breaches are becoming a more frequent occurrence with criminals continuously adapting their techniques to access potentially harmful data.
More accounts are at risk of being exploited than ever before, with over 6bn fake emails sent worldwide every day, and as countries globally continue to become digital - the number of breaches is only going to increase.
From hacks that have affected universities to breaches that have compromised information at hospitals, the list truly is limitless.
Yet, despite the warranted cause for concern from the public, merchants can in fact use data breaches to support user verification and fight back against fraudsters...
What is a Data Breach?
A data breach consists of a company or person's data exposed to an untrusted environment, often due to some form of intentional or unintentional activity that had no authorisation to release said data.
According to Verizon’s annual data breach report, 86% of data breaches are motivated by money with 55% committed by organized criminal / cybercrime groups.
By exploiting out-of-date software, system vulnerabilities and weak passwords, fraudsters are able to access account information and leak it through the dark web.
This information is often be sold in huge ‘data humps’ to other criminals and then used for a host of malicious reasons including:
As a product on the dark web
As mentioned above, information is often sold in data humps to other criminals to use for other means.
The fraudster can sometimes acquire enough information to ultimately take over your identity to obtain credit, goods or other beneficial services.
Account takeover / Credential stuffing
Criminals can access both username and passwords to take unauthorized ownership of an account.
Credential stuffing sees fraudsters attempt a combination of the email and password on numerous services to gain access.
Phishing attacks consist of sending fraudulent communications that appear to come from a reputable source, often via email.
Company / organisational issues
Not only can reputation be damaged but criminals further impact companies through techniques such as ransomware.
If you are not already, companies should look to ensure that their software is constantly updated and educate employees on cyber safety practises to help mitigate internal risk.
What happens if there is a data breach?
If a data breach occurs, the company that has lost the data is forced to investigate the situation as well as inform its users, especially in Europe following the implementation of GDPR in 2018.
Often when a leak happens, users look to change their passwords as a preventive measure however the email address often remains in use, therefore this can be used for user verification purposes.
Sadly for merchants there is no foolproof method of protecting your company or your customers from data breaches however for user verification purposes, the work of cybercriminals can actually be used against them.
Check if your email address has been involved with a data breach with a search on HaveIBeenPwnd.
How can a breach be used within risk management?
Given that many people will often remain on the same email address despite being involved with a data breach, an effective fraud prevention solution will be able to trace the amount of breaches it has been involved in and use it for user verification purposes.
For example, at the login or sign up stage of the customer journey, the use of email analysis and device fingerprinting can provide you with an insight into the person on the other end.
At sign up, if a customer's data has been exposed due to a data breach not only can it be used as a timestamp but it also can show signs that the email address has been active for some time and not just made specifically for fraudulent purposes.
When a customer logs in, certain factors and data points can reveal a potential account takeover scenario.
As an example, if the email in question has been exposed by a recent data breach and is coming from an entirely new device, you can deduce that the account might be being used by a bad actor and authorise further actions.
More sophisticated systems can make use of complementary products such as velocity rules, device fingerprinting as well other analysis tools to establish a holistic view of the customer.
Leveraging every data point for user verification
Tamas Kadar, CEO of SEON, highlighted the importance of leveraging as many data points as possible to help customer checks and unlock a merchant's full potential.
“Data breaches are happening more often which leads to more personal data, especially passwords, being compromised and unfortunately there is no end in sight,” he said.
“Online platforms are taking steps to inform users about leaked passwords being used (Chrome, Github) it’s highly recommended to not allow customers to use leaked passwords, or in case they do, apply 2FA for login attempts, which would eliminate most of the account takeover attacks.
“At the same time, leaked data points are incredibly useful to validate customer profiles, if an email address or phone number happens to be in a breach, it gives more credibility of the validity of the real identity behind these data points.”
The most effective fraud defenses see merchants, customers and the entire payment ecosystem work together seamlessly to out smart the fraudsters.
Criminals and fraudsters are always experimenting with other advanced technologies in order to harvest information and ultimately cause harm.
Merchants need to ensure their rules are not lagging behind and, whilst on its own this information is not going to completely remove risk, using data breaches as an indicator for potential fraud will increase the precision of your risk management processes.
As technology continues to drive businesses to digitalize, so will it drive cybercrime towards new methods of finding vulnerabilities. In order to mitigate the risk of data breach and avoid becoming a victim of fraud, cyber safety measures should become a priority for every organization.
Although a lot of online businesses haven’t developed a breach response plan yet, just implementing several basic risk management practices can help avoid cybersecurity incidents. The key takeaway is to establish the right actions and responsibilities for people tasked with managing a breach.
Following university Liam began his working career at iGaming B2B organization SBC in 2019. He supported the launch of news portal PaymentExpert and was promoted to news editor that same summer.
After a stint in sales and launching a live music startup, Liam re-engaged with his interests of high-risk industries and joined SEON as a copywriter to help the company with its fraud-fighting efforts.