Fraud stories, part 2: digital identity and new account openings

Account takeover attacks are among the fastest growing cybersecurity threats that we face today.


An elderly man gets a phone call from his account manager at the wealth management division of the bank. “Sir, there has been a compromise of your account. Please allow me to verify some information with you and then we can get started on resolving the problem.” The account manager supplies various personal details that the man confirms, and upon validation, the man is asked to download TeamViewer on his machine so the account manager, along with tech support, can dial in and assist him without him having to come into the branch. The man logs into his bank account, tech support accesses his machine remotely and, after several keystrokes, tells the man that he will reset the machine. The screen turns black, everything goes back to normal and the man logs out. What the man did not know is that while the screen was black, multiple transfers were set up to be made out of his account.

This is Fraud Stories, a monthly blog focused on digital identity and online fraud, one of the most defining issues of our day.

Account takeover is up nearly 300%

According to Auriemma Group, account takeover attacks such as the one above are among the fastest growing cybersecurity threats that we face today, up 280% last year. In the last few weeks, we have been hit with pretty damning news of the Equifax breach, which affected 143 million consumers; lost in that news cycle were several other breaches, including one at the Children’s Hospital of Colorado. The public is more aware than ever that their personal information is exposed, and that information used to ascertain identity can easily be obtained by crooks for nefarious purposes. But the cycle did not start with Equifax and, unfortunately, it will likely not end with this episode either. Another truth lost in the news hype following the announcement is that there is as much danger in fraudsters using this stolen data to refine and update their databases for use in social engineering and phishing attacks as there is in using the data to apply for loans and credit cards.

What to do now?

The first step is admitting that there is a problem. Actually, it is admitting there are two problems. There is a cybersecurity problem, but there is also a related problem of how we as a society define identity and provision people based on that identity. Static forms of information and physical identification cards may have once been reliable proof that someone was who they claimed to be, but when it is so easy to adopt other personas and mask footprints in the process, those definitions must change.

Most of us would agree that a device is not a person, so authenticating a device is not the equivalent of authenticating a user. Biometrics – specifically behavioral biometrics – and other techniques like behavioral analytics provide dynamic ways to ascertain and validate identity. A layered approach is required, one that takes into account the omnichannel user experience – web, mobile, in-store, call centers – so that there is no single fixed target for the fraudsters to work on circumventing. Oftentimes, fraudsters exploit the fact that the left hand does not have access to the information the right hand has. For example, if a user called the call center and asked to change their phone number (a common method for fraudsters to obtain the SMS code that is commonly required for two-factor authentication when logging on to a bank account), the risk profile for online transactions should be raised.
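The cross-channel rule in the example above can be sketched in a few lines. This is an added illustration, not code from the article or from any bank's system: the event names, the decision labels, the 7-day window and the 1,000 review threshold are all assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, chosen only for illustration.
PHONE_CHANGE_WINDOW = timedelta(days=7)
REVIEW_THRESHOLD = 1000  # transfers at or above this are held for manual review

@dataclass(frozen=True)
class Event:
    user: str
    channel: str   # "web", "mobile", "in_store" or "call_center"
    kind: str      # hypothetical event name, e.g. "phone_number_change"
    at: datetime

def recent_phone_changes(events, user, now, window=PHONE_CHANGE_WINDOW):
    """Phone-number changes for this user from ANY channel inside the window."""
    return [e for e in events
            if e.user == user and e.kind == "phone_number_change"
            and timedelta(0) <= now - e.at <= window]

def assess_online_transfer(events, user, amount, now):
    """Return (decision, reasons) for an online transfer request."""
    changes = recent_phone_changes(events, user, now)
    reasons = [f"{e.kind} via {e.channel} {(now - e.at).days}d ago" for e in changes]
    if not changes:
        return "allow_with_sms_otp", reasons
    # The SMS code would be sent to the newly registered number, so it no
    # longer ties the session to the original account holder.
    if amount >= REVIEW_THRESHOLD:
        return "hold_for_review", reasons
    return "step_up_non_sms", reasons

# Constructed sample data: one shared event feed across all channels.
NOW = datetime(2017, 10, 1, 12, 0)
SAMPLE_EVENTS = [
    Event("alice", "call_center", "phone_number_change", NOW - timedelta(days=2)),
    Event("bob", "call_center", "phone_number_change", NOW - timedelta(days=30)),
    Event("carol", "web", "login", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for user, amount in [("alice", 5000), ("alice", 50), ("bob", 5000), ("carol", 5000)]:
        print(user, amount, assess_online_transfer(SAMPLE_EVENTS, user, amount, NOW))
```

The point of the sketch is the shared event feed: the web channel can only raise the risk if the call center's change record is visible to it.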

From a cybersecurity perspective, CSOs, regulators, stakeholders and consumers need to recognize that technology and fraudster techniques are way ahead of policy. Earlier generations of information security may have involved PINs, passwords, firewalls and anti-virus software; multi-factor authentication, malware and robotic detection and IP validation; VPN and other endpoint security offerings. All of these equate to a cyber version of a fence or barrier and an endless cat-and-mouse game.

Copyright © 2017 IDG Communications, Inc.
