Let’s hit rewind for a second.
Do you remember the epic Equifax data breach of July 2017?
The breach exposed sensitive data about millions of Americans—including thousands of passports and driver’s licenses which were compromised along with the Social Security numbers of nearly all of the more than 146 million affected consumers.
With any data breach, especially one of Equifax's magnitude, it is inevitable that the stolen information ends up on the dark web, either sold off wholesale to the highest bidder or broken into smaller lots that black-market buyers can purchase and use piecemeal.
And as bad as this is for the impacted consumers, it puts a toll on digital businesses too.
Many businesses rely on government-issued IDs (such as driver's licenses and passports) to verify that people are who they claim to be. The problem is that the bad guys now hold these same IDs, along with the other information needed to corroborate their newly acquired identities: Social Security numbers and many of the answers required by knowledge-based authentication (KBA), which are often available on the dark web or on social media.
This means that these fraudsters can create new banking accounts, new social media accounts and a variety of online services under a forged identity.
Believe it or not, the Facebook breach could be worse.
On September 28, Facebook notified users of a massive data breach affecting over 50 million people (with another 40 million that Facebook considered at risk). The actual breach took place a few days earlier, and the social media giant does not yet know exactly what kind of information was compromised. According to Mark Zuckerberg, “The attackers used our APIs to access profile information fields like name, gender, hometown, etc.” It does not appear that passwords or credit card data were stolen.
So, if the number of records and the amount of sensitive information was less than the Equifax breach, then how could it be worse?
Put simply, the Facebook Login button.
Facebook Login is a single sign-on service that lets users log into other websites and apps with their Facebook account. Facebook acknowledged that the hack affected people who use Facebook Login to sign into third-party applications such as Instagram and Spotify. The vulnerability, the result of three distinct bugs, let attackers generate access tokens for arbitrary users, and those tokens could potentially be used to reach the user's accounts on third-party sites.
The flaw (introduced in July 2017) allowed attackers to obtain account access tokens. An access token is issued once a user has entered their username and password and is what keeps them logged in afterwards, so whoever holds a stolen token can act as that user without ever knowing the password. According to BuiltWith, over 190,000 websites have been Facebook Login Button customers and almost 40,000 live websites currently use Facebook Login Button.
Facebook said that it has reset the access tokens of all affected users, as well as those of an additional 40 million accounts out of an abundance of caution. That means some 90 million users have been logged out of their accounts, on their phones or computers, in the last few days. Until that reset, a stolen token let someone use the account as if they were the account holder.
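The practical lesson for a site that accepts Facebook Login (or any SSO token) is that it must not treat a bearer token as proof of identity on its own: it should ask the identity provider whether the token is still valid, check that the token was minted for its own app and not some other one, and, after an incident like this one, refuse tokens issued before the provider's mass reset. The following is an added example, not Facebook's or Jumio's code. It models the shape of Facebook's `/debug_token` introspection response (`{"data": {"app_id", "is_valid", "user_id", "issued_at", "expires_at", ...}}`), but the responses, app id, user ids and the reset timestamp are all constructed inline so the script runs offline.

```python
"""Relying-party checks on a third-party login (SSO) access token.

Added example, not code from Facebook or Jumio. The introspection
responses below imitate the shape of Facebook's /debug_token reply but
are constructed for this example; app ids, user ids and timestamps are
hypothetical.
"""

# Hypothetical relying-party app id (assumption).
EXPECTED_APP_ID = "123456789012345"

# Hypothetical moment at which the identity provider reset every token
# issued before it (assumption). Tokens minted earlier must be refused
# even if a cached copy of an earlier introspection said they were valid.
TOKEN_RESET_AT = 1_538_092_800  # 2018-09-28T00:00:00Z, constructed
SIXTY_DAYS = 60 * 24 * 3600

# Constructed stand-in for the provider's introspection endpoint, keyed by
# the opaque token string the client presented to us.
FAKE_INTROSPECTION = {
    "good": {"data": {"app_id": EXPECTED_APP_ID, "is_valid": True,
                      "user_id": "1001", "issued_at": TOKEN_RESET_AT + 60,
                      "expires_at": TOKEN_RESET_AT + SIXTY_DAYS}},
    # Valid-looking token that predates the provider-wide reset.
    "stale": {"data": {"app_id": EXPECTED_APP_ID, "is_valid": True,
                       "user_id": "1002", "issued_at": TOKEN_RESET_AT - 3600,
                       "expires_at": TOKEN_RESET_AT + SIXTY_DAYS}},
    # Token that belongs to a different app: accepting it would let a
    # malicious app replay its users' tokens against our site.
    "otherapp": {"data": {"app_id": "999999999999999", "is_valid": True,
                          "user_id": "1003", "issued_at": TOKEN_RESET_AT + 60,
                          "expires_at": TOKEN_RESET_AT + SIXTY_DAYS}},
    # Token the provider has already revoked.
    "revoked": {"data": {"app_id": EXPECTED_APP_ID, "is_valid": False,
                         "user_id": "1004", "issued_at": TOKEN_RESET_AT + 60,
                         "expires_at": TOKEN_RESET_AT + SIXTY_DAYS,
                         "error": {"code": 190,
                                   "message": "Invalid OAuth access token."}}},
}


def introspect(token: str) -> dict:
    """Stand-in for calling the provider's introspection endpoint.

    A real relying party would make an authenticated server-side request
    here (never from the browser) using its own app credentials.
    """
    return FAKE_INTROSPECTION.get(token, {"data": {"is_valid": False}})


def verify_login_token(token: str, expected_app_id: str, now: int) -> tuple:
    """Decide whether to accept an SSO token.

    Returns (accepted, reason, user_id). user_id is None unless accepted.
    Checks, in order: provider says valid; minted for our app; not expired;
    issued after the provider-wide reset.
    """
    data = introspect(token).get("data", {})
    if not data.get("is_valid"):
        return False, "provider reports token invalid or revoked", None
    if data.get("app_id") != expected_app_id:
        return False, "token was issued to a different app", None
    expires_at = int(data.get("expires_at", 0))
    # In this model expires_at == 0 means the token does not expire.
    if expires_at and expires_at <= now:
        return False, "token expired", None
    if int(data.get("issued_at", 0)) < TOKEN_RESET_AT:
        return False, "token predates provider-wide reset; force re-login", None
    return True, "ok", data["user_id"]


if __name__ == "__main__":
    now = TOKEN_RESET_AT + 100
    for t in ("good", "stale", "otherapp", "revoked", "unknown"):
        print(t, verify_login_token(t, EXPECTED_APP_ID, now))
```

The ordering matters less than the fact that every check is performed server-side against the provider rather than inferred from the token's presence, and that the "issued before the reset" rule is applied even to tokens the provider still reports as valid: after a mass token reset, the safest course for a relying party is to invalidate its own sessions that were bootstrapped from the provider's tokens and require users to sign in again.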
At this point, the breadth of access into other systems that trust the Facebook login service is still unknown. But the breach was significant enough that Facebook reported it to the Data Protection Commissioner in Ireland, where it is registered. It is worth noting that this is the first data protection incident at one of the major tech companies since GDPR came into force in May.
An Intensifying Identity Crisis
Breaches are happening every day. Earlier in September, British Airways disclosed a data breach impacting customer information from roughly 380,000 booking transactions made between August 21 and September 5 of this year.
Fueled by these breaches, the dark web has become a sanctuary for fraudsters looking to buy personal information and government-issued IDs in order to steal the identities, and take over the online accounts, of legitimate consumers. This means that businesses of all stripes need to take extra precautions to verify the real-world identities of new customers when online accounts are being created or when high-risk transactions (e.g., money transfers, password resets, etc.) are being performed online.
These breaches also mean that traditional methods of online identity verification, including knowledge-based authentication and document-only ID verification, have been rendered unreliable: scammers can now look up most of the answers to the challenge questions, or present copies of authentic ID documents (e.g., driver's licenses, passports or ID cards) purchased on the dark web.
As Miles Hutchinson, Jumio’s CISO commented: “Digital businesses need smarter verification solutions. You can no longer trust the process of verifying people using traditional data and info alone. Thanks to large scale data breaches, the market is being saturated with stolen personal information that’s being made available to any would-be fraudster.”
Increasingly, digital companies are turning to online identity verification solutions that require both a valid government-issued ID document and a selfie taken with the user's smartphone. The selfie is compared to the photo on the ID to establish a face match. At Jumio, we are also layering liveness detection into the identity verification process, to ensure that the person taking the selfie is physically present and not holding up a photo of a photo as their selfie. Simply asking users to take a selfie has proven to have a chilling effect on would-be fraudsters, who are reluctant to hand their own likeness to the organization they are trying to defraud.
It's time for consumers and businesses alike to take data breaches seriously. For businesses, this means not only locking down the security of their apps and ensuring that all data is encrypted in transit and at rest, but also protecting their ecosystem by verifying all new users and re-verifying any risky online transaction. And consumers should openly question whether to trust their valuable data to any online organization that still relies on KBA.
It’s time to start connecting the dots between data breaches, the dark web and account takeovers. They’re all interconnected. They impact how much consumers trust their online brands and how much businesses trust their own consumer base.
We’re all in this together.
So, let’s start demanding higher levels of accountability on both sides and start introducing some intelligent friction into the identity verification process to better safeguard our online ecosystems and communities.