The ongoing COVID-19 pandemic has facilitated an increase in information collection among consumers and organizations, creating a prosperous climate for cybercriminals. As businesses and customers adjust to the “new normal,” hackers are homing in on their targets and finding new, more sophisticated ways to access their sensitive data. As part of our recently launched Q&A perspective series, Michael Bruemmer, Experian’s Vice President of Data Breach Resolution and Consumer Protection, provided insight on emerging fraud schemes related to the COVID-19 vaccines and how increased use of digital home technologies could lead to an upsurge in identity theft and ransomware attacks. Check out what he had to say:

Q: How did Experian determine the top data breach trends for 2021?

MB: As part of our initiative to help organizations prevent data breaches and protect their information, we release an annual Data Breach Forecast. Prior to the launch of the report, we analyze market and consumer trends. We then come up with a list of potential predictions based on the current climate and opportunities for data breaches that may arise in the coming year. Closer to publication, we pick the top five ‘trends’ and craft our supporting rationale.

Q: When it comes to data, what is the most immediate threat to organizations today?

MB: Most data breaches that we service have a root cause in employee errors – and working remotely intensifies this issue. Often, it’s through negligence: clicking on a phishing link, reusing a common password for multiple accounts, not using two-factor authentication, etc. Organizations must continue to educate their employees to be more aware of the dangers of an internal breach and the steps they can take to prevent it.

Q: How should an organization begin to put together a comprehensive threat and response review?
MB: Organizations that excel in cybersecurity often are backed by executives that make comprehensive threat and response reviews a top corporate priority. When the rest of the organization sees higher-ups emphasizing the importance of fraud prevention, it’s easier to invest time and money in threat assessments and data breach preparedness.

Q: What fraud schemes should consumers be looking out for?

MB: The two top fraud schemes that consumers should be wary of are scams related to the COVID-19 vaccine rollout and home devices being held for ransom. Fraudsters have been leveraging social media to spread harmful false rumors and misinformation about the vaccines, their effectiveness and the distribution process. These mistruths can bring harm to supply chains and delay government response efforts. And while ransomware attacks aren’t new, they are getting smarter and easier with people working, going to school and hosting gatherings entirely on their connected devices. With control over home devices, doors, windows, and security systems, cybercriminals have the potential to hold an entire house hostage in exchange for money or information.

For more insight on how to safeguard your organization and consumers from emerging fraud threats, watch our Experian Symposium Series event on-demand and download our 2021 Data Breach Industry Forecast.

About Our Expert: Michael Bruemmer, Experian VP of Data Breach Resolution and Consumer Protection, North America. Michael manages Experian’s dedicated Data Breach Resolution and Consumer Protection group, which aims to help businesses better prepare for a data breach and mitigate associated consumer risks following breach incidents. With over 25 years in the industry, he has guided organizations of all sizes and sectors through pre-breach response planning and delivery.
Preventing account takeover (ATO) fraud is paramount in today’s increasingly digital world. In this two-part series, we’ll explore the benefits and considerations of a Defense in Depth strategy for stopping ATO.

The challenges with preventing account takeover

Historically, managing fraud and identity risk in online banking has been a trade-off between customer experience and the effectiveness of fraud controls. The basic control structure relies on a lock on the front door of online banking – login – as the primary authentication control to defend against ATO. Within this structure, there are two choices. The first is tightening the lock, which means a higher rate of step-up authentication challenges and lower fraud losses. The second is loosening the lock, which results in a lower challenge rate and higher fraud losses. Businesses can layer in more controls to reduce the false positives, but that only allows marginal efficiency increases and usually represents a significant expense in both time and budget to add in new controls.

Now is the perfect time for businesses to reassess their online banking authentication strategy, for a multitude of reasons:

- ATO is on the rise: According to Javelin Strategy & Research, ATO increased 72% in 2019.[1]
- Users’ identities and credentials are at more risk than ever before: Spear phishing and data breaches are now a fact of life, reducing the effectiveness of traditional authentication controls.
- Online banking enrollments are on the rise: According to BioCatch, in the months following initial shelter-in-place orders across the country, banks saw a massive spike in first-time online banking access.
- Users expect security in online banking: Half of consumers continue to cite security as the most important factor in their online experience.
Businesses that reassess the control structure for their online banking will increase the effectiveness of their tools and reduce the number of customers challenged at the same time – giving them Defense in Depth.

What is Defense in Depth?

Defense in Depth refers to a strategy in which a series of defense mechanisms are layered in order to protect data and information. The basic assumptions underlying the value of a Defense in Depth strategy are:

- Different types of transactions within online banking have different levels of inherent risk (e.g., external money movement is considerably higher risk than viewing recent credit card transactions).
- At login, the overall transaction risk associated with the session is unknown.
- The risk associated with online banking is concentrated in relatively small populations – the vast majority of digital transactions are low risk.

This is the Pareto principle at play – i.e., about 80% of online banking risk is concentrated within about 20% of sessions. Experian research shows that risk is even more concentrated: more than 90% of the risk is concentrated in less than 10% of transactions. This is relatively intuitive, as the most common activities within online banking consist of users checking their balance or reviewing recent transactions. It is much less common for customers to engage in higher-risk transactions. The challenge is that businesses cannot know the session risk at the time of the login challenge, so their efficiency is destined to be sub-optimal.

The benefits of Defense in Depth

A Defense in Depth strategy can really change the economics of an online banking security program. Adopting a strategy that continuously assesses the overall session risk as a user navigates through their session allows more efficient risk decisions at the moments that matter most to the user. With that increased efficiency, businesses are better set up to prevent fraud without frustrating legitimate users.
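A continuous session-risk assessment of the kind described above, written here as an added illustration; it is not Experian’s code or any product’s logic. Each action carries an inherent risk, contextual signals and transfer amounts add to it, and part of the score carries forward through the session, so staging steps such as a contact change or a new external-account linkage raise the risk of the transfer that follows. Action names, weights, the challenge threshold and the carry-forward factor are all assumptions.

```python
from dataclasses import dataclass, field

# Inherent risk per online banking action on an assumed 0-100 scale. As the article
# says, balance and history views are low risk; external money movement is high risk.
INHERENT_RISK = {
    "view_balance": 2,
    "view_transactions": 3,
    "update_contact_info": 25,
    "add_external_account": 45,
    "internal_transfer": 15,
    "external_transfer": 50,
}

# Contextual signals observed alongside an action (assumed weights).
SIGNAL_WEIGHTS = {
    "new_device": 20,
    "new_geolocation": 15,
    "recent_password_reset": 15,
}

CHALLENGE_THRESHOLD = 60   # assumed: step up authentication at or above this score
CARRY_FORWARD = 0.5        # assumed: share of the prior session score kept per action


@dataclass
class Session:
    user: str
    score: float = 0.0
    trusted: bool = False                        # set once a step-up challenge is passed
    history: list = field(default_factory=list)  # (action, score, challenged) per action


def action_risk(action, signals=(), amount=0.0):
    """Risk of one action seen in isolation, which is all a login-only control has."""
    risk = float(INHERENT_RISK[action] + sum(SIGNAL_WEIGHTS[s] for s in signals))
    if action.endswith("transfer"):
        # Money movement scales with amount: +10 per $1,000, capped at +30 (assumed).
        risk += min(30.0, amount / 1000.0 * 10.0)
    return risk


def assess(session, action, signals=(), amount=0.0):
    """Fold one action into the running session score and decide whether to challenge.

    Staging activity (contact changes, new linkages) carries forward, so a later
    transfer is judged on the whole session rather than on its own risk alone.
    Returns (score, challenge).
    """
    if session.trusted:
        signals = [s for s in signals if s != "new_device"]
    session.score = action_risk(action, signals, amount) + CARRY_FORWARD * session.score
    challenge = session.score >= CHALLENGE_THRESHOLD
    session.history.append((action, session.score, challenge))
    return session.score, challenge


def step_up_passed(session):
    """The caller reports a successful challenge: trust the device, reset the score."""
    session.trusted = True
    session.score = 0.0


def run_session(user, events):
    """Replay (action, signals, amount) events for one session; return its history."""
    session = Session(user)
    for action, signals, amount in events:
        assess(session, action, signals, amount)
    return session.history


# Constructed sessions: a routine check-in on a known device, and an ATO-style
# session staged from a new device.
ROUTINE_SESSION = [
    ("view_balance", (), 0),
    ("view_transactions", (), 0),
    ("internal_transfer", (), 200),
]
STAGED_SESSION = [
    ("view_balance", ("new_device",), 0),
    ("update_contact_info", ("new_device",), 0),
    ("add_external_account", ("new_device",), 0),
    ("external_transfer", ("new_device",), 2500),
]

if __name__ == "__main__":
    for name, events in (("routine", ROUTINE_SESSION), ("staged", STAGED_SESSION)):
        for action, score, challenged in run_session(name, events):
            print(f"{name:8s} {action:22s} score={score:6.1f} challenge={challenged}")
```

Replaying the two constructed sessions shows the economics the article describes: the balance-check session never sees a challenge, while the new-device session is challenged at the point it links an external account rather than at login, and a large external transfer is challenged on its own even on a known device.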
Defense in Depth allows businesses to intelligently layer security protocols to protect against vulnerability – helping to prevent theft and reputational losses and minimize end-user frustration. In addition to these benefits, a continuous risk-based approach can have lower overall operational costs than a traditional security approach. The second part of this series will explore the cost considerations associated with the Defense in Depth strategy explored above. In the meantime, feel free to reach out to discuss options.

[1] Identity Fraud in the Digital Age, Javelin Strategy & Research, September 2020
Enterprise Security Magazine recently named Experian a Top 10 Fraud and Breach Protection Solutions Provider for 2020. Accelerating trends in the digital economy – stemming from stay-at-home orders and rapid increases in e-commerce and government funding – have created an attractive environment for fraudsters. At the same time, there’s been an uptick in the amount of personally identifiable information (PII) available on the dark web. This combination makes innovative fraud and breach solutions more crucial than ever. Enterprise Security Magazine met with Kathleen Peters, Experian’s Chief Innovation Officer, and Michael Bruemmer, Vice President of Global Data Breach and Consumer Protection, to discuss COVID-19 digital trends, the need for robust fraud protection, and how Experian’s end-to-end breach protection services help businesses protect consumers from fraud. According to the magazine, “With Experian’s best in class analytics, clients can rapidly respond to ever-changing environments by utilizing offerings such as CrossCore® and Sure Profile™ to identify and prevent fraud.” In addition to our commitment to develop new products to combat the rising threat of fraud, Experian is focused on helping businesses minimize the consequences of a data breach. The magazine noted that, “To serve as a one-stop-shop for data breach protection, Experian offers a wide range of auxiliary services such as incident management, data breach notification, identity protection, and call center support.” We are continuously working to create and integrate innovative and robust solutions to prevent and manage different types of data breaches and fraud.
Be warned. I’m a Philadelphia sports fan, and even after 13 months, I still relish the only Super Bowl victory I’ve ever known as a fan. Having spent more than two decades in fraud prevention, I find that Super Bowl LII is coalescing in my mind with fraud prevention and lessons in defense more and more. Let me explain:

It’s fourth-down-and-goal from the one-yard line. With less than a minute on the clock in the first half, the Eagles lead, 15 to 12. The easy option is to kick the field goal, take the three points and come back with a six-point advantage. Instead of sending out the kicking squad, the Eagles offense stays on the field to go for a touchdown. Broadcaster Cris Collingsworth memorably says, “Are they really going to go for this? You have to take the three!” On the other side are the New England Patriots, winners of two of the last three Super Bowls. Love them or hate them, the Patriots under coach Bill Belichick are more likely than any team in league history to prevent the Eagles from scoring at this moment.

After the offense sets up, quarterback Nick Foles walks away from his position in the backfield to shout instructions to his offensive line. The Patriots are licking their chops. The play starts, and the ball is snapped — not to Foles as everyone expects, but to running back Corey Clement. Clement takes two steps to his left and tosses the ball to tight end Trey Burton, who’s running in the opposite direction. Meanwhile, Foles pauses as if he’s not part of the play, then trots lazily toward the end zone. Burton lobs a pass over pursuing defenders into Foles’ outstretched hands. This is the “Philly Special” — touchdown!

Let me break this down: A third-string rookie running back takes the snap, makes a perfect toss — on the run — to an undrafted tight end.
The tight end, who hasn’t thrown a pass in a game since college, then throws a touchdown pass to a backup quarterback who hasn’t caught a ball in any athletic event since he played basketball in high school. A play that has never been run by the Eagles, led by a coach who was criticized as the worst in pro football just a year before, is perfectly executed under the biggest spotlight against the most dominant team in NFL history.

So what does this have to do with fraud?

There’s currently an outbreak of breach-fueled credential stuffing. In the past couple of months, billions of usernames and passwords stolen in various high-profile data breaches have been compiled and made available to criminals in data sets described as “Collections 1 through 5.” Criminals acquire credentials in large numbers and attack websites by attempting to log in with each set — effectively “stuffing” the server with login requests. Because consumers tend to reuse login credentials, the criminals succeed and get access to a customer account between 1 in 1,000 and 1 in 50 attempts. Using readily available tools, basic information like IP address and browser version is easy enough to alter or conceal, making the attack harder to detect.

Credential stuffing is like the Philly Special:

- Credential stuffing doesn’t require a group of elite all-stars. Like the Eagles’ players with relatively little experience executing their roles in the Philly Special, criminals with some computer skills, some initiative and the guts to try credential stuffing can score.
- The best-prepared defense isn’t always enough. The Patriots surely did their homework. They set up their defense to stop what they expected the Eagles to do based on extensive research. They knew the threats posed by every Eagle on the field. They knew what the Eagles’ coaches had done in similar circumstances throughout their careers. The defense wasn’t guessing. They were as prepared as they could have been.
It’s the second point that worries me when I think of credential stuffing. Consumers reuse online credentials with alarming frequency, so a stolen set of credentials is likely to work across multiple organizations, possibly even yours. On top of that, traditional device recognition like cookies can’t identify and stop today’s sophisticated fraudsters. The best-prepared organizations feel great about their ability to stop the threats they’re aware of. Once they’ve seen a scheme, they make investments, improve their defenses, and position their players to recognize a risk and stop it. Sometimes past expertise won’t stop the play you can’t see coming.
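The detection side of the credential stuffing described above, as an added example that is not part of the original post or of any Experian product: two rules run over constructed login audit lines. The per-source rule flags an address that makes many attempts against many different usernames with almost all of them failing. The site-wide rule is the fallback for the case the post calls out, where the source address is altered per attempt and the per-source rule sees nothing. The log format, the thresholds and the baseline failure rate are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Constructed login audit lines (not from the post): time, source IP, username, result.
# One source walks a list of leaked credentials; two real users mistype and retry.
LOG_SINGLE_SOURCE = """\
2019-03-01T10:00:01Z 203.0.113.10 alice FAIL
2019-03-01T10:00:02Z 203.0.113.10 bob FAIL
2019-03-01T10:00:03Z 203.0.113.10 carol FAIL
2019-03-01T10:00:04Z 203.0.113.10 dave FAIL
2019-03-01T10:00:05Z 203.0.113.10 erin FAIL
2019-03-01T10:00:06Z 203.0.113.10 frank FAIL
2019-03-01T10:00:07Z 203.0.113.10 grace OK
2019-03-01T10:00:08Z 203.0.113.10 heidi FAIL
2019-03-01T10:00:09Z 203.0.113.10 ivan FAIL
2019-03-01T10:00:10Z 203.0.113.10 judy FAIL
2019-03-01T10:00:11Z 203.0.113.10 mallory FAIL
2019-03-01T10:00:12Z 203.0.113.10 oscar FAIL
2019-03-01T10:00:15Z 198.51.100.7 dave FAIL
2019-03-01T10:00:20Z 198.51.100.7 dave FAIL
2019-03-01T10:00:25Z 198.51.100.7 dave OK
2019-03-01T10:00:30Z 198.51.100.8 carol OK
"""

# The same attack with the source address rotated on every attempt (constructed).
LOG_ROTATED = "\n".join(
    f"2019-03-01T10:05:{i:02d}Z 203.0.113.{20 + i} user{i} FAIL" for i in range(12)
) + "\n2019-03-01T10:05:30Z 198.51.100.8 carol OK\n"


def parse(log):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def _bucket(ts, seconds):
    """Fixed-width time bucket index (assumed: fixed buckets rather than a sliding window)."""
    return int((ts - EPOCH).total_seconds()) // seconds


def flag_sources(events, bucket_seconds=60, min_attempts=10,
                 min_distinct_ratio=0.8, min_fail_ratio=0.8):
    """Per-source rule: many attempts, nearly all for different usernames, nearly all failing."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, _bucket(ts, bucket_seconds))].append((user, ok))
    flagged = {}
    for (ip, _), attempts in buckets.items():
        n = len(attempts)
        if n < min_attempts:
            continue  # a user retrying a mistyped password never reaches the attempt floor
        distinct = len({u for u, _ in attempts}) / n
        fails = sum(1 for _, ok in attempts if not ok) / n
        if distinct >= min_distinct_ratio and fails >= min_fail_ratio:
            flagged[ip] = {"attempts": n, "distinct_ratio": round(distinct, 2),
                           "fail_ratio": round(fails, 2)}
    return flagged


def distributed_alert(events, baseline_fails_per_minute, factor=3, bucket_seconds=60):
    """Site-wide rule for the rotated-address case: failed logins per bucket far above baseline.

    Returns [(bucket start, failed logins)] for every bucket at or above factor * baseline.
    """
    fails = defaultdict(int)
    for ts, _, _, ok in events:
        if not ok:
            fails[_bucket(ts, bucket_seconds)] += 1
    return [(EPOCH + timedelta(seconds=b * bucket_seconds), n)
            for b, n in sorted(fails.items()) if n >= factor * baseline_fails_per_minute]


if __name__ == "__main__":
    print("single source:", flag_sources(parse(LOG_SINGLE_SOURCE)))
    print("rotated, per-source:", flag_sources(parse(LOG_ROTATED)))
    print("rotated, site-wide:", distributed_alert(parse(LOG_ROTATED), baseline_fails_per_minute=3))
```

The second log is the one to study: the per-source rule returns nothing because each address is used once, while the site-wide count of failed logins in that minute is four times the assumed baseline. In practice the site-wide rule is what tells you the attack is happening; the per-source rule only tells you which addresses to rate-limit when the attacker has not bothered to rotate them.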
From malware and phishing to expansive distributed denial-of-service attacks, the sophistication, scale and impact of cyberattacks have evolved significantly in recent years. Mitigate risk by employing these best practices:

- Manage third-party risks.
- Regularly review response plans.
- Opt in to software updates.
- Educate, educate, educate.

Organizations must adopt stronger, more advanced technical solutions to protect sensitive data. While enhanced technology is necessary for defending against data breaches, it can’t work independently.
Cybersecurity has become one of the most significant issues impacting international security and political and economic stability. Our new report, Data Breach Industry Forecast 2018, outlines 5 predictions for the data breach industry in the coming year. Here are 3 of them:

- The U.S. may experience its first large-scale attack on critical infrastructure, causing disruption for governments, companies and private citizens.
- Failure to comply with the new EU regulations will result in large penalties for U.S. companies.
- Attackers will use artificial intelligence to render traditional multifactor authentication methods useless.
Cybersecurity cannot be successful if siloed. The entire organization must be part of the effort. Take these steps to ensure a more engaged relationship between cybersecurity teams, C-suite executives and other departments:

- Make the company’s chief information officer accountable directly to the chief executive officer and/or the board.
- Train employees at every level to spot security risks and to understand their role in protecting the entire organization from cyberattacks.
- Put cybersecurity on the agenda for every board and executive-level meeting, and incorporate it into quarterly state-of-the-company, all-hands meetings.

With cybersecurity threats evolving and escalating daily, companies need to make engagement a priority that starts at the top and continues through every level of the organization.
There’s a consensus that too many C-suite executives are disengaged with their organization’s cybersecurity efforts. That indifference can seriously hamper an organization’s ability to quickly and effectively respond to an incident. To best protect the organization, cybersecurity professionals should take the following steps to increase engagement:

- Pinpoint the greatest cybersecurity issues your organization faces and create descriptive verbiage that simplifies these risks.
- Engage in one-on-one meetings with key leaders to help them understand how cybersecurity risks affect not only the overall organization, but their domain as well.
- Stage a cybersecurity simulation exercise for your C-suite executives in which members role-play a data breach scenario.

Leadership is not the only department that should be invested in protecting the organization. Next week, we’ll look at how to engage the entire organization in cybersecurity efforts. If you’d like, you can jump ahead and read it now.
Leadership and Cybersecurity

Multiple studies suggest many executives aren’t as engaged as they should be when ensuring their organizations are prepared to mitigate and manage cybersecurity risks. Insights from our Fourth Annual Data Breach Preparedness Survey, conducted by the Ponemon Institute, support this sentiment. Of the privacy, compliance and IT professionals polled:

- 57% said their company’s board, chairman and chief executive officer were not informed about or involved in data breach response planning.
- 60% have leadership who don’t want to know immediately when a material breach occurs.
- 66% have a board that doesn’t understand the specific cybersecurity threats their organization faces.
- 74% said their board isn’t willing to take ownership for successful incident response plan implementation.

For organizations to protect themselves, cybersecurity professionals need to create greater engagement among the organization’s leadership. Next week, we’ll look at how they can accomplish this. If you’d like, you can jump ahead and read it now.
With the recent switch to EMV and more than 4.2 billion records exposed by data breaches last year*, attackers are migrating their fraud attempts to the card-not-present channel. Our recent analysis found the following states to be the riskiest for e-commerce fraud in 2016:

1. Delaware
2. Oregon
3. Florida
4. New York
5. Nevada

Attackers are extremely creative, motivated, and often connected. Prevent e-commerce fraud by protecting all of your customer contact points.
Internet-connected devices provide endless possibilities, but they rely on technology and collected data to deliver on their promises. This can compromise your network security. Follow these tips to enjoy the conveniences provided by Internet of Things devices while keeping your network safe:

- Look for devices that use end-to-end encryption.
- Change default passwords before connecting devices to your network.
- Enable two-factor authentication, when available.
- Leverage all security options, such as passwords, encryption, firewalls and firmware.

The Internet of Things is only as strong as its weakest link. That’s why it’s so important to understand and treat each connected device as part of a broader network.
Happy holidays! It’s the holiday season and a festive time of year. Colorful lights, comfort food and holiday songs – all of these things contribute to the celebratory atmosphere, which causes many people to let their guards down and many businesses to focus more on service than on risk. Unfortunately, fraudsters and other criminals can make one of the busiest shopping times of the year a miserable one for their victims.

The nature of the stolen data has the potential to create long-term headaches for the organization and tens of millions of individuals. Unlike a retailer or financial breach, where stolen payment cards can be deactivated and new ones issued, the theft of permanent identity information is, well, not easily corrected. You can’t simply reissue Social Security numbers, birth dates, names and addresses.

For individuals, we need to internalize this fact: our data has likely been breached, and we need to become vigilant and defend ourselves. Sign up for a credit monitoring service to be alerted if your data or ID is being used in ways that indicate fraud. Include your children, as well. A child’s identity is far more valuable to a fraudster, who knows it can be several years before the stolen identity is detected. The good news is, in addition to the credit bureau, many banks and auto clubs now offer this as a service to their customers.

For organizations, the focus should be on two fronts: data protection and fraud prevention. Not just to prevent financial theft, but to preserve trust — trust between organizations and consumers, as well as widespread consumer trust. Organizations must strive to evolve data protection controls and fraud prevention skills to minimize the damage caused by stolen identity data. There are dozens of tools in the industry for identifying that a consumer is who they say they are – and these products are an important part of any anti-fraud strategy.
These options may tell you that the combination of elements is the consumer, but do you know that it is the REAL consumer presenting them? The smart solution is to use a broad data set for not only identity verification, but also to check linkage and velocity of use. For example:

- Is the name linking to other addresses being presented in the past week?
- Is the phone number showing up with other addresses and names over the past 30 days?
- Has the SSN matched to other names over the past 90 days?
- Since yesterday the address matches to four phone numbers and two names – is this a problem?

And it must be done in ways that reinforce the trust between consumers and organizations, enhance the customer experience, and frustrate criminals. Learn more about Experian’s products and services that can help. As we go walking in the winter wonderland, remember, the holiday season is a time for cheer… and vigilance!
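The linkage and velocity questions above, turned into a check over a constructed presentation history. This is an added example, not Experian’s product logic. Each rule asks how many other values of a linked element an identity element has been presented with inside a window; the element pairs and windows follow the post’s four questions, while the tolerated counts, the sample history and the SSN placeholders are assumptions.

```python
from datetime import datetime, timedelta

# Constructed presentation history (not real data): the identity elements presented on
# earlier applications and the date they were presented. SSNs are placeholders.
HISTORY = [
    {"ts": "2019-11-20", "name": "Pat Lee",   "address": "1 Elm St",  "phone": "555-0100", "ssn": "XXX-XX-0001"},
    {"ts": "2019-11-30", "name": "Pat Lee",   "address": "1 Elm St",  "phone": "555-0100", "ssn": "XXX-XX-0001"},
    {"ts": "2019-12-19", "name": "Sam Roe",   "address": "9 Oak Ave", "phone": "555-0201", "ssn": "XXX-XX-0002"},
    {"ts": "2019-12-19", "name": "Jo Kim",    "address": "9 Oak Ave", "phone": "555-0203", "ssn": "XXX-XX-0003"},
    {"ts": "2019-12-20", "name": "Jo Kim",    "address": "9 Oak Ave", "phone": "555-0204", "ssn": "XXX-XX-0003"},
    {"ts": "2019-12-20", "name": "Chris Doe", "address": "9 Oak Ave", "phone": "555-0205", "ssn": "XXX-XX-0004"},
]

# Velocity rules from the post's questions: (element, linked element, window in days,
# how many *other* linked values are tolerated). Tolerated counts are assumed.
VELOCITY_RULES = [
    ("name",    "address", 7,  1),
    ("phone",   "address", 30, 1),
    ("phone",   "name",    30, 0),
    ("ssn",     "name",    90, 0),
    ("address", "phone",   1,  2),
    ("address", "name",    1,  1),
]

NOW = datetime(2019, 12, 20)  # constructed "today" for the two applications below

# A returning applicant whose elements agree with history, and an application that
# presents Pat Lee's SSN under a different name at an address churning through
# phones and names since yesterday.
LEGIT_APP = {"name": "Pat Lee",   "address": "1 Elm St",  "phone": "555-0100", "ssn": "XXX-XX-0001"}
FRAUD_APP = {"name": "Chris Doe", "address": "9 Oak Ave", "phone": "555-0199", "ssn": "XXX-XX-0001"}


def _parse(history):
    return [dict(r, ts=datetime.strptime(r["ts"], "%Y-%m-%d")) for r in history]


def velocity_check(application, history, now):
    """Return one finding per violated rule for a new application.

    A finding lists the *other* values of the linked element that the key element has
    been presented with inside the rule's window (the value presented now is excluded,
    so a consistent returning applicant produces no findings).
    """
    records = _parse(history)
    findings = []
    for key, linked, days, tolerated in VELOCITY_RULES:
        since = now - timedelta(days=days)
        others = {r[linked] for r in records
                  if r[key] == application[key] and r["ts"] >= since} - {application[linked]}
        if len(others) > tolerated:
            findings.append({"rule": f"{key}->{linked}", "window_days": days,
                             "others": sorted(others)})
    return findings


if __name__ == "__main__":
    for label, app in (("legit", LEGIT_APP), ("fraud", FRAUD_APP)):
        print(label, velocity_check(app, HISTORY, NOW))
```

The fraud application trips three rules: the SSN was presented under another name inside 90 days, and the address has been paired with four other phones and two other names since yesterday, which is the post’s own example. The returning applicant trips none, because every value in the history agrees with what is being presented now.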
Every day, millions of new things get connected online, such as toasters, heart monitors and cars. Many of these things have weak security controls that create vulnerabilities in critical private networks. As more products get connected, the casual mindset about the security risks inherent in the Internet of Things must begin to change. Here are 12 tips to help safeguard your systems from the Internet of Things.
Leveraging customer intelligence in the age of mass data compromise Hardly a week goes by without the media reporting a large-scale hack of sensitive personal or account information. Increasingly, the public seems resigned to believe that such compromises are the new normal, producing a kind of breach fatigue that may be lowering the expectations consumers have for identity and online security. Still, businesses must be vigilant and continue to apply comprehensive, data-driven intelligence that helps to thwart both breaches and the malicious use of breached information and to protect all parties’ interests. We recently released a new white paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise, to help businesses understand how data and technology are needed to strengthen fraud risk strategies through comprehensive customer intelligence. At its core, reliable customer intelligence is based on high-quality contextual identity and device attributes and other authentication performance data. Customer intelligence provides a holistic, bound-together view of devices and identities that equips companies and agencies with the tools to balance cost and risk without increasing transactional friction and affecting the customer experience. In the age of mass data compromise, however, obtaining dependable information continues to challenge many companies, usually because consumer-provided identities aren’t always unique enough to produce fully confident decisioning. For more information, and to get a better sense of what steps you need to take now, download the full white paper.
Imagine the following scenario: an attacker acquires consumers’ login credentials through a data breach. They use these credentials to test account access and observe account activity to understand the ebbs and flows of normal cash movement – peering into private financial records – verifying the optimal time to strike for the most financial gain. Surveillance and fraud staging are the seemingly benign and often-transparent account activities that fraudsters undertake after an account has been compromised but before that compromise has been detected or money is moved. Activities include viewing balances, changing settings to more effectively cover tracks, and setting up account linkages to stage eventual fraudulent transfers. The unfortunate thing is that the actual theft is often the final event in a series of several fraudulent surveillance and staging activities that were not detected in time. It is the activity that occurs before theft that can severely undermine consumer trust and can devastate a brand’s reputation. Read more about surveillance, staging and the fraud lifecycle in this complimentary whitepaper.