[BreachExchange] 3 Ways Data Breaches Accelerate the Fraud Supply Chain

Destry Winant destry at riskbasedsecurity.com
Mon Oct 5 11:05:56 EDT 2020


https://www.darkreading.com/vulnerabilities---threats/3-ways-data-breaches-accelerate-the-fraud-supply-chain/a/d-id/1338991

The battle's just beginning as bad actors glean more personal
information from victims and use that data to launch larger attacks.

While data breaches have become a nearly daily occurrence in news
headlines — most recently, Drizly and the Ritz Hotel — it's important
that businesses and security professionals understand the cascading
effect these incidents have on the broader online landscape.
Regardless of the size of the business reporting a breach or amount of
consumer data exposed, all businesses are threatened by a "fraud
supply chain" that feeds off these types of breaches.

The fraud supply chain is an interconnected ecosystem that allows
cybercriminals to use different attack vectors to steal from consumers
and businesses, often through more complex ways than merely buying
stolen credit cards to make large purchases. Therefore, fraudsters can
feed off any type of data to provide both a bridge for gaining further
personal information from existing victims and a springboard for
executing larger attacks.

Even the Smallest Breaches Cause Ripple Effects
Data breaches are almost always a means to an end. For example,
seemingly minor information such as usernames or passwords can arm
fraudsters with enough to execute more sophisticated attacks. Often,
bad actors will harvest user information obtained from various data
breaches to develop complete user profiles. Additionally, typical
consumer behaviors often make this easier for fraudsters; studies
have shown 65% of users reuse their passwords across multiple
platforms. Data breaches provide attackers with the credentials needed
to execute more widespread attacks such as:

- Accumulating More Personal Information Through Phishing Scams
Often, a minor data breach is not enough for fraudsters to execute
immediate attacks on an individual. However, simple credentials such
as an email address offer a direct line of communication for
fraudsters to initiate phishing schemes. Through this tactic, they'll
often impersonate a trusted source to convince consumers to share
further personal data such as credit card information, passwords, etc.
While most people may think it's easy to recognize a phishing scheme,
sophisticated fraudsters will use additional information garnered
through previous data breaches to personalize content that
demonstrates potential legitimacy.

For security teams, email protection is critical and must lean on a
layered approach. The foundation must be set with standards such as
email authentication and Domain-based Message Authentication,
Reporting and Conformance (DMARC) to protect employees, stakeholders,
and customers from unauthorized usage.

Alongside these measures, secure email gateways (SEGs) and phishing
awareness/training can help avoid external threats. For example,
fraudsters often play to consumer emotions and fears, a reason why
we've seen phishing attacks accelerate amid the pandemic. Recent
phishing schemes have included cybercriminals impersonating health
officials and agencies seeking consumer information to facilitate fake
virus testing or contact-tracing initiatives.

- Coordinating Account Takeovers With Compromised Credentials
Once fraudsters have enough information, they'll use these credentials
to access and take over victims' accounts. This opens the door to a
variety of opportunities, including exposure to payment information,
ability to open new accounts with similar credentials, and access to
post fake or malicious content to victims' personal networks.

There's little you can do about users falling victim to social
engineering tactics outside of your platform. However, you can empower
your team to act accordingly when these bad actors show up on your
platform. Two-factor authentication (2FA) can address this by adding
friction when someone is trying to gain unauthorized access into an
account, and also notifying users when suspicious account access has
been detected.

There are also internal measures you can take for schemes in which a
user has been tricked into willingly handing over their credentials to
a bad actor. For example, businesses dealing with payments can
leverage a holding period before funds can be transferred, and review
transactions that seem anomalous (such as amounts outside of the
user's normal activity or transfers into a new account).

Lastly, you may also want to consider educational outreach (for
example, a newsletter, FAQ, or help center) that informs users of
common tactics. Let them know that your organization will never ask
them to share a verification code, for instance.

- Siphoning Money and Assets Through Payment Fraud Schemes
Payment information is often the holy grail for fraudsters. Payment
fraud typically begins with card testing through the purchase of
low-value, low-effort items. If the purchase is successful,
they know the payment information is valid. Funds can then be used to
buy goods to keep or resell, or to buy more data on the Dark Web.

While account and payment protection is paramount, users also demand
seamless experiences. Therefore, security professionals should
implement risk assessments based on user trustworthiness. This dynamic
friction will help remove friction for trusted users, block risky
interactions, and require verification for suspicious activities.
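
The holding period, anomaly review and dynamic friction described
above, as an added Python example that is not part of the original
article. The thresholds, field names and the recent_small_count signal
are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Thresholds and field names are illustrative assumptions, not from the article.
HOLD_HOURS = 24      # holding period before a held transfer is released
SMALL_AMOUNT = 5.00  # "low-value" purchase size typical of card testing
TEST_BURST = 3       # recent small purchases on one card that suggest testing

@dataclass
class Txn:
    user: str
    amount: float
    payee: str

def assess(txn, history, recent_small_count=0):
    """Map one transaction to allow / verify / hold / block, with reasons."""
    # Card testing: a burst of low-value purchases validates stolen card data.
    if txn.amount <= SMALL_AMOUNT and recent_small_count >= TEST_BURST:
        return "block", ["burst of low-value purchases"]
    reasons = []
    amounts = [t.amount for t in history]
    if len(amounts) < 5:
        reasons.append("too little history to establish trust")
    else:
        # Floor the deviation so a very regular user is not flagged on pennies.
        limit = mean(amounts) + 3 * max(pstdev(amounts), 1.0)
        if txn.amount > limit:
            reasons.append("amount outside normal activity")
    if txn.payee not in {t.payee for t in history}:
        reasons.append("transfer into a new account")
    if not reasons:
        return "allow", reasons    # trusted: no added friction
    if len(reasons) == 1:
        return "verify", reasons   # suspicious: step-up check such as 2FA
    return "hold", reasons         # anomalous: hold HOLD_HOURS, manual review

# Constructed sample data: six ordinary payments by one user.
HISTORY = [Txn("alice", a, p) for a, p in [
    (20, "grocer"), (25, "utility"), (30, "grocer"),
    (22, "utility"), (28, "grocer"), (25, "utility")]]

def demo():
    cases = [(Txn("alice", 27, "grocer"), 0), (Txn("alice", 26, "new-shop"), 0),
             (Txn("alice", 900, "unseen-acct"), 0), (Txn("alice", 1, "grocer"), 4)]
    return [assess(t, HISTORY, n)[0] for t, n in cases]

if __name__ == "__main__":
    print(demo())
```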

Every business needs to face the repercussions of breaches, whether
they are directly involved or not. Simply put, every data breach is
every business's problem. That means fraud prevention needs to be an
ecosystemwide effort, so that user data is rendered useless — thus
breaking the most important link in the fraud supply chain.

