[BreachExchange] 3 Keys to Avoiding the Downstream Effects of Data Breaches in 2018
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Nov 13 19:51:47 EST 2017
http://paymentsjournal.com/3-keys-avoiding-downstream-
effects-data-breaches-2018/
The fraud outlook for 2018 continues to be dampened by news of new data
breaches, growing fraud rates and the increasing savvy of fraudsters. But
that doesn’t mean your business has to be a victim. Payments businesses can
make several changes to protect themselves in the new fraud climate. Here
are three keys to confronting fraud in an era of widespread data breaches:
#1. Assume every identity has been compromised
In the first half of 2017, the number of data breaches climbed 29 percent.
>From the Republican National Committee contractor whose breach exposed
voting data on nearly 200 million Americans, to Verizon’s breach that
affected more than 14 million customers, data hacks are increasing in
frequency and severity across all industries.
The recent breach of credit reporting giant, Equifax, is another example.
Reported by the Wall Street Journal as the largest social security breach
in history, approximately 143 million U.S. consumers’ confidential data,
including social security numbers, names, birthdates and addresses were
compromised. What’s more, they reported that more than 200,000 consumers’
credit card numbers and 180,000 consumers’ sensitive documents were
ascertained.
Because personal data of every kind is only a few clicks away for
fraudsters, payments businesses face significant identity verification
challenges. They need smarter systems to allow customers to use their own
(likely compromised) data, while being able to recognize when criminals are
using the same data illegally.
#2. Go beyond Social Security Numbers
For many businesses, the social security number has long been regarded as a
key indicator of identity. But if it wasn’t made abundantly clear by the
Equifax data breach, social security numbers (SSNs) can no longer be a
trusted piece of identity data. In fact, SSNs were never meant to serve
this purpose in the first place. They were created solely as a way to keep
track of an individual’s earnings for social security and benefits purposes.
So, what do you do if SSNs are a key customer identifier for your business?
Start incorporating modern identifiers into your verification process.
These attributes, such as home address, phone or IP address, are
exponentially more valuable because they travel with a person wherever they
go. For example, the proximity of an IP address to the applicant’s physical
address or phone location simply can’t be faked. Multiple attributes can
also be connected together to prove a person’s identity beyond a reasonable
doubt.
#3. Confirm Whole Identities by Linking Identity Data Attributes Together
While it’s easy to use and piece together stolen identity data, it is
impossible to fabricate the linkages that effectively mimic a real person.
Legitimate customers can be confirmed by verifying many identity data
elements and ensuring they all connect to the individual behind the
transaction, clearly distinguishing them from bad actors whose data
elements won’t correlate properly.
Linkage analysis can include connecting name, address, phone, IP and other
non-personally identifiable information (non-PII) data.
Some positive signals include things like:
- an email address age of more than 720 days
- an IP address within 10 miles of the physical address
- a match between phone and address
- a match between email and name
- a match between phone and name
- a match between address and name
And common risk signals include:
- a mismatch between linked email, phone or address details
- an email address less than 90 days old
- a non-fixed VoIP or toll free phone number
- a phone country code and physical address mismatch
- invalid phone, email or address info
- a proxy IP address
The ever expanding volume of personal data available on the dark web has
rendered basic identity data attribute verification obsolete. In order to
tell if a customer is who they say are whole identity verification is
what’s needed. Doing so will help set your business up for reaching records
of your own kind.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171113/7b9f0efc/attachment.html>
More information about the BreachExchange
mailing list