Taking the Sting Out of Data Breaches

By Dean Nicolls | October 25, 2019
Recently, you may have heard about a company that experienced a data breach, and because you didn’t patronize this company, you presumably breathed a sigh of relief.

But don’t get too comfortable — chances are your data may get compromised in the next breach, or the one after that. When there’s a big data breach, we all lose. It’s not just the consumers whose personal information was hijacked. It’s not just the victimized organization that has to deal with damage control and the legal and reputational aftermath.

Everyone loses. And we’ll keep on losing until we break the breach cycle.

Sadly, a healthy chunk of that stolen data, which often includes names, email addresses, phone numbers, usernames and passwords, is destined for the dark web. That data is bought and sold like pork bellies on the Chicago Mercantile Exchange, then weaponized by cybercriminals for large-scale account takeovers.

But there’s also some good news on the horizon: new methods of biometric-based identity proofing and authentication, with embedded certified liveness detection, can help ameliorate the impact of these data breaches. But let’s start by examining how cybercriminals exploit the data stolen in these breaches.

Pass the Credential Stuffing, Please

When it comes to data breaches, we should all be concerned. Today, cybercriminals can take full advantage of big data, high-velocity software and bot-based automation to access our online accounts. The technique used to perform account takeovers en masse is called credential stuffing — a cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Digital security company Akamai recorded nearly 30 billion credential stuffing attacks in 2018. Each attack represented an attempt by a person or computer to log in to an account with a stolen or generated username and password. The vast majority of these attacks were performed by botnets or all-in-one applications. If you’re like the majority of users out there, you probably reuse the same password across a variety of websites, which means you’re even more exposed.

Unfortunately, because of the frequency and scale of recent data breaches, combined with the speed and reach of botnets, there’s a general consensus that the worst is yet to come.

Statistically speaking, credential stuffing attacks have a very low rate of success. Many estimates have this rate at about 0.1%, meaning that for every thousand accounts an attacker attempts to crack, they will succeed roughly once.

But before you dismiss this as an inconsequential threat, consider how large a pool these cybercriminals are leveraging. Back in February, TechCrunch reported that a batch of 127 million records stolen from eight companies was available on dark web market Dream Market. The asking price? $14,500 (naturally payable in bitcoin), which translates to a cost of 11 cents per 1,000 records. The sheer volume of the credential collections being traded by attackers makes credential stuffing worth it, in spite of the low success rate.

So, if an attacker purchased the aforementioned 127 million records, the attacker’s bots would probably yield around 127,000 successfully cracked accounts. Once these accounts are cracked, cybercriminals can mine these legitimate accounts for profitable data, often in the form of credit card numbers or sensitive data that can be used in phishing attacks. Plus, the attacker is likely to target other online accounts (banking, social media, email) of that same user, since passwords are often recycled across multiple websites and online services.
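The credential stuffing pattern described above (many different usernames tried from one source, almost all of them failing, with the rare success being the one that matters) can be surfaced from an ordinary login audit log. This is an added example, not code from the original post or from Jumio; the log format, the IP addresses and the per-source thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login-audit lines (not from the original post):
# "<timestamp> <source_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2019-10-25T10:00:01Z 203.0.113.7 alice FAIL
2019-10-25T10:00:01Z 203.0.113.7 bob FAIL
2019-10-25T10:00:02Z 203.0.113.7 carol FAIL
2019-10-25T10:00:02Z 203.0.113.7 dave FAIL
2019-10-25T10:00:03Z 203.0.113.7 erin SUCCESS
2019-10-25T10:00:03Z 203.0.113.7 frank FAIL
2019-10-25T10:00:04Z 203.0.113.7 grace FAIL
2019-10-25T10:00:05Z 198.51.100.4 alice FAIL
2019-10-25T10:00:09Z 198.51.100.4 alice FAIL
2019-10-25T10:00:15Z 198.51.100.4 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

def parse_log(text):
    """Yield (timestamp, source_ip, username, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4) == "SUCCESS"

def summarize_by_source(events):
    """Per-source counters: attempts, distinct usernames, failures, usernames that logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0, "wins": []})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["wins"].append(user)
        else:
            s["failures"] += 1
    return stats

def flag_credential_stuffing(text, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {source_ip: [usernames whose successful login should be reviewed]} for sources
    that spray many usernames and mostly fail; one user retrying a forgotten password is not flagged."""
    flagged = {}
    for ip, s in summarize_by_source(parse_log(text)).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = s["wins"]
    return flagged
```

On the constructed log, `flag_credential_stuffing(SAMPLE_LOG)` flags only 203.0.113.7 and names `erin` as the account whose session should be reviewed; the thresholds are starting points and should be tuned against real traffic volumes.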

That’s where the real sting of a data breach occurs — it’s the downstream damage that happens when a cybercriminal hacks into legitimate accounts. And what facilitates all this damage is our collective reliance on the simple password.

Overcoming the Faulty Password

The good news is there are some alternatives that can mitigate the damage. Probably the most prevalent option is SMS-based two-factor authentication, which provides an extra layer of security when users log in from a different location or from a different device. Unfortunately, only a small percentage of consumers use this form of authentication — for example, less than 10% of Gmail users have activated two-step verification. More importantly, SMS-based two-factor authentication has been undermined by various man-in-the-middle and man-in-the-browser attacks, as well as SIM swap frauds carried out by tricking mobile providers.

Biometrics: Do You Hold the Key to Data Security?

SMS-based two-factor authentication is clearly a step in the right direction especially when it comes to thwarting account takeovers. But, another method of authentication is starting to gain traction. Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database.

There are a variety of biometrics that can be used to help corroborate identity — some are physical traits (e.g., face, fingerprint, iris and vein), while others are behavioral (e.g., gesture, keystroke and voice). Behavioral biometrics can be a powerful alternative but typically require multiple interactions to determine a reliable baseline.

It’s the combination of leveraging a biometric with certified liveness detection that ensures, with a high degree of assurance, that the person logging in is, in fact, the registered account owner.

When you think back to the original problem, large-scale data breaches are feeding the dark web with unprecedented amounts of static PII data, including boatloads of usernames and passwords. Fraudsters are purchasing these credentials for pennies on the dollar and then using botnets to hack into our online accounts (which are generally only protected with a username and password). It’s a pretty bleak picture.

When your online account is protected with biometric authentication, credential stuffing attacks are rendered utterly useless. With this approach, it doesn’t matter if your username and password fall into the hands of a cybercriminal, because they won’t be able to access your account without a corroborating live video selfie taken of you. Even if a sophisticated fraudster is clever enough to create a deepfake video (which might spoof some weak 2D liveness detection solutions), biometric-based solutions with certified liveness detection will easily detect these spoofs and automatically reject them as fraudulent. So, we don’t need shared secrets anymore, nor do we need to worry about our biometric data falling into the wrong hands — certified liveness detection overcomes many of the shortcomings of traditional authentication methodologies.

To better understand the role of certified liveness detection and biometric authentication in preventing account takeovers, I encourage you to check out Trusted Identity from Start to Finish, a new FindBiometrics white paper (sponsored by Jumio and FaceTec). In it, you’ll learn how certified liveness detection and face biometrics can help you shut out fraudsters while welcoming good customers in.
