The Equifax data breach has been making headlines, and it’s no surprise. As our CEO Michael Reitblat discussed with Retail TouchPoints, 143 million Americans have had their data stolen, as well as some consumers from Canada and the UK. Many of them won’t even have been aware that Equifax was storing their data in the first place, which sets this breach apart from the other high-profile breaches of recent years.
Equifax holds a lot of data: its business, as one of the largest credit bureaus, is collecting and maintaining people’s personal financial information. Unfortunately, that means that if they’re hacked, there’s a lot of personal, confidential and sensitive data made available to criminals. That’s just what happened.
A New Era of Identity Theft
The Equifax breach isn’t the largest. The Yahoo one, affecting 3 billion customers, takes that medal. Nonetheless, it’s probably the most serious. It isn’t a simple matter of names and email addresses having been stolen, though those are bad enough. It’s names, birthdates, Social Security numbers and home addresses, and in some cases more as well.
This is the kind of information used to access bank accounts, employee accounts, medical records. A creative criminal who doesn’t care about the damage he causes can do a lot with that level of data.
Identity theft is when a crook pretends to be a different, specific individual. This can be done with full identity details belonging to a real person, or by combining various details from a variety of people (a “synthetic” identity). Anyone whose details are used can be affected negatively by whatever the criminal does when pretending to be them - because it’s often so hard to prove that it wasn’t really you.
Identity Theft and Online Retail
This has a clear knock-on effect for online retailers and the danger that they're in from fraud attacks. Identity theft being easier means that fraudsters will easily be able to set up fake but very convincing accounts on your website, or take over existing legitimate accounts.
Consumers reuse passwords and security questions all the time. If the answers are stolen once, they’ll be easy to reuse, and the login will look very much like the original customer. The more the fraudster knows about the victim, the easier it is to break into their accounts, or set up new accounts which really do look legit.
The Fraud Attack Index published in November 2017 found that 38.4% of attacks carried out against the online retailers that were analyzed made use of either account takeover or payment instrument account takeover.
For the merchant, what this means is that you need to have highly effective fraud detection and prevention in place not just at the point of checkout, but earlier as well. You need to be able to detect account takeover attempts when they’re happening, and stop them. You need to understand your customers well enough, and deeply enough, that you’re not fooled by a fraudster who has access to a lot of their data.
Stop Relying on Static Data
This leads to another important point. This data breach has shown that the time when you could expect static data to be reliable is over. Knowing someone’s unchanging information - their Social Security number, their CVV number, etc. - isn’t going to help you in a time when that information could be bought on any criminal marketplace.
In fact, a reliance on this kind of data is actually counter-productive. You’ll think you’ve successfully determined that a customer is who they say they are, when really you’re giving a fraudster the keys to the candy shop. And that will happen more and more often, as breaches like this have their cumulative effect.
Breaches are a fact of life now. It’s not pleasant, but it’s not something a retailer can ignore. You have to assume that your customers’ data is vulnerable. If their static data hasn’t been stolen yet, it may well be soon. You need a whole different mindset about how you can trust your customers in this new era.
Dynamic Data is Your Friend
If static data won’t help, it seems obvious to turn to dynamic data instead. To some extent this is beginning to happen in the wider payments ecosystem, such as the experiment with CVVs which change every hour, or attempts to incorporate multi-factor authentication into the process. Largely, though, these are nascent efforts, and retailers need technology they can rely on right now.
Behavioral analytics is the most obvious kind of dynamic data that is also intuitive in terms of building customer trust. Each customer behaves in distinctive ways. If you can identify those, and identify when there’s a change, then you’re obviously in a far better position to stop account takeover attempts. If the customer isn’t behaving like themselves, there’s a good chance it’s not them at all.
Device intelligence is also valuable. It’s possible to tell a lot about the device or devices typically associated with an account. If the device doesn’t match the usual patterns, both in type of device and in characteristics of the device and of how it’s being used, then that should raise a red flag for your system.
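To make the static-versus-dynamic distinction concrete, here is an added sketch (not Forter’s code or method) that scores a session against an account’s own device and behavior history. The field names, weights and thresholds are assumptions and the sessions are constructed; note that all three sessions present correct static data, and a single deviation triggers a step-up check rather than a rejection.

```python
from statistics import mean, pstdev

# Constructed history of one customer's past sessions (illustrative values).
HISTORY = [
    {"device": "iPhone/Safari", "tz": "America/Chicago", "secs_to_checkout": 310},
    {"device": "iPhone/Safari", "tz": "America/Chicago", "secs_to_checkout": 280},
    {"device": "Mac/Chrome", "tz": "America/Chicago", "secs_to_checkout": 345},
    {"device": "iPhone/Safari", "tz": "America/Chicago", "secs_to_checkout": 295},
]

def risk_score(history, session):
    """Score a session 0-100 from dynamic signals only; weights are assumptions."""
    score, reasons = 0, []
    if session["device"] not in {h["device"] for h in history}:
        score += 40
        reasons.append("device not seen on this account")
    if session["tz"] not in {h["tz"] for h in history}:
        score += 20
        reasons.append("timezone not seen on this account")
    times = [h["secs_to_checkout"] for h in history]
    sigma = pstdev(times)
    z = abs(session["secs_to_checkout"] - mean(times)) / sigma if sigma else 0.0
    if z > 3:  # behavior far outside this customer's own baseline
        score += 40
        reasons.append(f"checkout pace {z:.1f} sigma from baseline")
    return score, reasons

def decide(history, session):
    """A static match is necessary but not sufficient; one deviation only steps up."""
    if not session["static_ok"]:  # password / security answer / CVV mismatch
        return "reject"
    score, _ = risk_score(history, session)
    if score >= 80:
        return "reject"
    return "step_up" if score >= 40 else "approve"

# Constructed sessions: every one of them passes the static checks.
GENUINE = {"static_ok": True, "device": "iPhone/Safari",
           "tz": "America/Chicago", "secs_to_checkout": 300}
NEW_PHONE = {"static_ok": True, "device": "Pixel/Chrome",
             "tz": "America/Chicago", "secs_to_checkout": 300}
STOLEN = {"static_ok": True, "device": "Windows/Firefox",
          "tz": "Etc/UTC", "secs_to_checkout": 25}

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE), ("new phone", NEW_PHONE), ("stolen", STOLEN)]:
        print(name, decide(HISTORY, s), risk_score(HISTORY, s))
```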
Leveraging dynamic data like this is a vital part of how Forter’s system is able to be so accurate, both at transaction level and at the account level for preventing account takeovers and account abuses such as coupon abuse or referral abuse. If you’re not using similar data points, you should be.
Don’t Over-React. React Right.
It’s very tempting, when things like a major breach occur, to react in fear by ensuring that your system becomes very conservative about which customers it will trust and approve. That way, you can’t lose money to fraudsters.
That might work, but it won’t stop you losing money from good customers who are either turned off by extra security steps and questions, or turned away by a system that mistakenly identifies them as fraud.
Don’t fall into this trap - it’s just as bad for your business as an increase in chargebacks from successful fraud attacks. In fact a Javelin study found that losses to false positives outweigh losses to chargebacks by as much as 5:1. You don’t want your customers or your business to suffer from over-caution, even when there’s reasonable cause for alarm.
Instead, react by investing in accuracy. What’s important is not that your system reject every fraudster (even if that means rejecting lots of good customers too) but rather that your system be able to distinguish accurately between the fraudulent and the genuine.
Innovation is Imperative
A key part of accuracy, when it comes to fraud prevention, is innovation. Fraudsters don’t stand still, and neither does their ecosystem. They’re continually developing new ways to trick your protections, and new tools to make doing so easier, faster and more scalable.
To beat them, you need to benefit from that same agile, creative mindset and process. Is your site already seeing the impact of the Equifax breach? Have fraud attacks been affected? You’ll be able to tell by analyzing the data. The more familiar you are with customer buying patterns, and the more time you spend analyzing your data on a daily basis, the more quickly you’ll know when something changes. Then you can act on that.
Forter’s exceptional accuracy in detecting fraud and ability to provide a consistently frictionless experience for good users is due to a culture of innovation. Using both machine learning and human research, we analyze all our clients’ data, all the time, looking for shifts in patterns, new trends, and ways we can improve the system even further.
Our team of experts turn up on average sixteen new leads for enhancements every single day - and that’s enhancements to a system that’s already very good at its job. We update the system multiple times a day. That’s not just impressive, it’s necessary - it’s the only way to keep ahead of the criminals who have access to the stolen data of 143 million Americans.
Don’t panic. Start innovating.
Interested in what Forter could do to protect your business from the account takeovers and other attacks that will result from the Equifax breach? Get in touch.
This article was first published on September 13, 2017 and has been revised to reflect additional or updated information.