Equifax Attack Underscores Dangers in Post-Breach World

Posted September 13, 2017

News of a massive cyberattack on one of the three major U.S. credit bureaus is adding urgency to a long-running crisis that’s shaping up into a perfect storm for fraud.

According to Equifax, the hack it disclosed last week includes personal data on an estimated 143 million Americans — including social security numbers, birthdays, addresses and more.

“This isn’t just 143 million credit card numbers,” reports USA Today. “This is vast amounts of personal information about you.”

Packaged together, this information could fetch as much as $30 per identity on the dark web — the results of which could be harrowing. Think fraudulent loans, bank account takeovers, illegal credit card purchases, and (much) more.

But, as shocking as this attack may seem, the truth is even worse.

Today, billions of personal identity files are on the loose, thanks to a continuous stream of corporate data breaches in recent years. The resulting tsunami of stolen identity data is fueling a cybercrime crisis that has led to $3 trillion in losses worldwide.

We’re All Victims Now

The fact is, we’ve been living in a post-breach world for years.

Sure, Equifax is getting all the attention. But Experian and thousands of other companies in virtually every industry have also been hacked. In the past 12 months alone, more than 4 billion personal identity files have been compromised worldwide.

Check out this new interactive quiz from the New York Times to get a sense of just how often your own identity information may have been compromised through hacks in recent years.

Indeed, in a matter of minutes, cybercriminals can harvest all sorts of personal identity information online: names, addresses, social security numbers, bank and retail accounts, PIN codes, challenge questions and more.

They can then impersonate victims easily, hijacking existing user accounts or creating new ones. Unfortunately, traditional identity verification systems cannot differentiate between a legitimate customer and a fraudster using valid credentials.

According to our Q2 2017 Cybercrime Report, attacks using these kinds of credentials hit an all-time high earlier this year — up 100 percent from 2015.

While it’s nothing new, the Equifax breach does serve to highlight the fact that an already existing crisis stands to get a whole lot worse.

Doubling Down on Outdated Solutions

Faced with a storm surge of costly fraud, many organizations add two-factor authentication (2FA) to their identity verification systems. This typically involves sending a one-time passcode (OTP) to the user’s mobile phone.

While that certainly does add an extra layer of protection, it puts the onus on trusted users and customers to jump through additional hoops to prove their own identity. For highly suspicious transactions, this makes sense, but using 2FA too broadly is delivering an alienating experience to customers. Do this and you’re treating customers like cybercriminals. Besides, cyberthieves have already crafted tactics to circumvent such measures.

All of which means this latest incident isn’t an isolated event, and the problem isn’t going away. Breaches will continue, supporting fraud for years to come as cybercriminals take advantage of the anonymity of the web to plunder businesses and consumers. As the supply chain of cybercrime continues to advance, the threats to business will no doubt become more voracious and faster-moving. You don’t want to be the slowest gazelle in this herd.

Meanwhile, customers are getting more fed up with each new headline. They expect much stronger security than 2FA without any of the friction. And here’s the thing: They can have it.

Smarten Up — or Fall Behind

The fact is, consumers are already getting what they want from first movers in banking, eCommerce, media, lending, insurance and other industries that have transitioned to today’s smart authentication systems.

These technologies verify identities using hundreds of dynamic data elements and global, crowdsourced threat intelligence that can’t be faked. Trust is established instantly, streamlining the digital experience for legitimate customers, while blocking out fraudsters — even if they’re using valid credentials.

It won’t be long before consumers en masse demand this kind of fraud-free, friction-free digital experience, and start voting with their dollars. In fact, some are doing it already.

As a result, businesses will need to ponder: Why fall victim to complacency? Why project an old, alienating brand image with your digital experience? The drag on consumer trust will only grow with time, putting the brand at risk of being indelibly scarred by even a single security incident.

This week’s headlines should be a wake-up call.

The time to regain control, establish invulnerable trust — and get ahead of the fraudsters — is now.

Originally published at www.threatmetrix.com on September 13, 2017.




ThreatMetrix®, A LexisNexis® Risk Solutions Company, provides an end-to-end platform for digital identity intelligence and trust decisioning.