The numbers that tell the story of Equifax’s data breach are beyond stunning, but the nauseating truth is that the figures tell only the beginning of the story:
- As many as 143 million Americans’ Social Security numbers, birth dates and home addresses stolen, according to the company.
- Nearly 210,000 credit card numbers snatched by hackers who now possess the crown jewels of ecommerce fraud.
And that’s where the next chapter starts. As consumers race to shore up protection of their personal accounts after news of the breach broke this week, ecommerce retailers will be bracing for a surge in fraudulent orders powered by the gusher of information released by the latest mega-breach.
“These guys never sleep,” Signifyd’s Vice President of Risk Products Vahe Amirbekian said of the networks of data thieves and fraudsters thriving in the information age. “If they could steal from Equifax, and we can assume that Equifax did a lot to protect the data, then that testifies once again to the level of persistence and sophistication of the guys you’re dealing with.”
Indeed, among the many reasons that the Equifax breach was so mind-boggling is the fact that the company itself is in the business of confirming the true identities of consumers seeking credit. If ever there were a central repository of all that is known about anyone, Equifax and its competing credit bureaus are it.
Think about it: 143 million Social Security numbers. If every resident of the United States had a Social Security number, that would mean that the criminals behind the Equifax breach now have 44% of the country’s numbers.
Fraudsters now have access to enough credit card accounts to give one to every resident of Rochester, N.Y. And merchants who sell online can expect to be hearing from many of them soon, if they haven’t already.
“There will be a wave of fraudulent transactions using these credit cards,” says Amirbekian, who’s worked for years in risk and ecommerce fraud prevention, including at eBay and PayPal. “If you stole a credit card, your clock is ticking. You want to use it as soon as possible. You don’t want to sit on it. The longer you sit on it, the less valuable it becomes.”
And while the prospect of an increase in ecommerce fraud is enough to keep online merchants up at night, Amirbekian points out that the ecommerce fraud prevention steps retailers need to take are no different from what they should have been doing all along. In a sense, just as an earthquake prompts Californians to assemble the earthquake kits they should have assembled long ago, a data attack like the one this week should prompt merchants to redouble their vigilance.
“This is yet another reminder that fraud is a professional business,” he says. “It is becoming increasingly hard, if not untenable, for individual merchants to stay on top of things, because you’re dealing with professional fraud rings. Fraud is not about to go away.”
Fraud, of course, is already big business. In the first quarter of the year alone, merchants lost $48.2 billion to ecommerce fraud in the eight industry segments that Signifyd and PYMNTS.com studied in the Global Fraud Index.
The specter of fraud further constricts profits for merchants by prompting them to decline orders that look suspicious, but in reality have been placed by legitimate customers.
So, what to do? First, take a look at the list of tips accompanying this post. And yes, be more vigilant. Don’t be fooled by the order value. Fraudsters won’t necessarily go for high-priced items, certainly not initially, when they are testing the viability of their newly stolen credit accounts.
And to underscore Amirbekian’s point, remember that this is not kids’ stuff. Those who traffic in stolen financial information and work full-time at defrauding merchants are as serious as they are sophisticated. They work in adjacent and interdependent industries, Amirbekian explains.
“The people who stole these accounts will probably not use the cards themselves,” he says. “They probably will sell it. Credit cards will surface on the black market and they will be used by some other rings specializing in monetization of stolen cards.”
Indeed, Digital Shadows earlier this summer published “Inside Online Carding Courses Designed for Cybercriminals,” a report detailing courses for cyber-crooks and pointing to hundreds of sites that sell stolen credit card information and other vendors that provide tools to help validate the cards.
“You have to just tackle this whether you want to or not,” Amirbekian says of the ongoing fraud assault. “It requires constant attention, deep expertise and systematic counter-measures.”
After all, deep expertise is exactly what the fraudsters have developed.
Mike Cassidy is Signifyd’s lead storyteller. Contact him at firstname.lastname@example.org; follow him on Twitter at @mikecassidy.