A Post-Equifax world: What Online Businesses Need to Know
Has your personal data, or your company's, already been leaked onto the "dark web"? Here are some things you can do.
Has your business felt the impact of the recent Equifax breach yet? If not, you may soon. Equifax is just the latest in a long string of data breaches that typically cause ripples for all online businesses for months -- or even years -- to come.
Here's what you need to know:
Data breaches affect all companies that do business online
When another company is breached, you may not think that it could affect your own. But you'd be wrong because the downstream consequences of a breach can be extremely damaging to other companies and their users. Personal information can get hacked or leaked onto the "dark web," consisting of sites on an encrypted network that can't be found by Google and other familiar search engines.
When this happens, fraudsters get busy scouring the internet for other sites where they might use this valuable data to their advantage. One of those sites could easily be yours.
Fraudsters are flocking to account takeovers and identity theft.
Gone are the days when criminals focused on credit card fraud. Fraudsters are now monetizing different types of data easily available on the dark web. For example, TrendMicro found that Uber, Facebook, Netflix and Paypal accounts are worth more on the black market than credit card details. And personally identifiable information (like social security numbers and birth dates) was selling for $1 to $3.30 per item, compared with $0.22 for a bundle of credit card data.
Any time the dark web is flooded with a new batch of names, addresses, social security numbers and other personal information, account takeovers (ATOs) go up. And the huge breaches of the past few years (those at Yahoo!, Dropbox, etc.) have been taking their toll. Nearly half of online businesses saw an increase in ATO in 2016, according to our company's, Sift Science Fraud-Fighting Trends report.
Starting to worry? Here are some preventive steps you can take:
Keep an eye out for signs of account takeovers So, how do you know if an account has been compromised? You can start by looking out for clues, like a user who: 1) logs in from different devices and locations; 2) suddenly changes to an older browser or operating system; 3) or has had many failed login attempts. A fraudster may also update his or her settings, shipping address or password all at once. And suspicious users are known to use proxies or VPN setups.
It's important to know that each of these signals, taken on its own, may not indicate that an account's been compromised. There are plenty of legitimate reasons for updating settings, or logging in from a new device. Maybe the person responsible just bought the new iPhone! It's important to look at a range of data points holistically to identify account takeover.
Watch out for fraudulent new accounts. Another way that fraudsters wreak havoc with compromised data from the Equifax breach is by stealing someone's identity and creating new accounts. Or, they might piece together different bits of information (think birth dates, names and social security numbers) from a variety of accounts to create an entirely new identity (also known as "synthetic identity theft").
Patterns that could potentially point to fraudulent accounts on your site include multiple new signups originating from the same IP address or device, or a sudden increase in the incidence of new account openings not related to any promotions or seasonal trends. Also, you can monitor the average length of time it takes someone to sign up on your site. If that length of time suddenly gets faster, fraudsters could be using scripts to quickly open accounts.
Encourage your users to practice good online "security hygiene." Unfortunately, one of the reasons ATO is on the rise is users' poor online security habits. As many as 59 percent of people reuse passwords across multiple sites, which makes it easy for fraudsters with leaked credentials to gain access to those users' other online accounts.
Steps that users can take to protect themselves include using a password manager and setting up two-factor authentication across all of their key accounts. People can also enter their email address on the website haveibeenpwned to see whether it has already been part of a known data breach.
Be cautious - but don't overreact. Although you need to take precautions to safeguard your users, make sure these measures aren't getting in the way of legitimate customers. You can't ask every visitor to your site to enter a security code, fill out a Captcha form, or otherwise try to prove their identity. Fighting fraud is a balancing act, and you don't want to spoil your customers' experience by creating too many security roadblocks. You especially don't want to accidentally turn good users away.
At the heart of every healthy customer relationship is trust. You don't want the side effects of another company's security nightmare to become your own, eroding your users' trust in your company. Although massive data breaches have become a fact of life, you can proactively protect your users from the disastrous effects of ATO, identity theft and fraud. It's in their best interest -- and your own.