Maybe the most disconcerting thing about the Equifax data breach — other than the staggering size of the theft of personal information — is the relative quiet that has followed in the six weeks since the heist was disclosed.
While plenty has been written about what could happen as a result of cyber-thieves nabbing the personally identifiable information of 145.5 million people, there have been no public reports about a rash of fraudulent online activity or a multitude of fake accounts created by criminals.
And while it’s worthwhile to wonder whether we’re experiencing the calm before the fraud storm, the experts in security and fraud, who were recruited to write essays on Equifax for a revealing e-book, appear to have seized on a different takeaway:
As big as the Equifax breach was, the problem of online fraud is bigger than Equifax alone.
Signifyd’s Head of Risk Product Vahe Amirbekian, for instance, wrote in “Protecting Consumer Identity” that while the Equifax breach calls for increased vigilance, account takeover fraud was already increasing dramatically before the breach became known.
He ran down three of the industries covered in the most recent and soon-to-be-published global fraud research by PYMNTS and Signifyd, which showed account takeover fraud up year-over-year in the second quarter of 2017 by 55 percent in apparel, 87 percent in consumer electronics and 138 percent in cosmetics.
The Equifax breach has so far been like watching a natural disaster from afar. Even those not directly affected by an earthquake or storm heighten their game. The Equifax breach is a reminder that best practices need to be examined and re-examined in a world where fraudulent attacks are a fact of life.
As a practical matter, firms and retailers that provide “instant” credit at checkout should “curtail and limit” those offerings, because they rely on the vary information that was stolen to verify identity and creditworthiness, Amirbekian wrote in an essay included in the e-book. In fact, retailers should be extra wary of any new accounts, given that any fake accounts created with stolen Equifax data would be relatively new.
Amirbekian also cautioned against adopting a “lone wolf” security policy — never a good idea, but even a worse idea with so many more names, birthdates, social security numbers and other personal information floating around on the dark web and in fraudster forums.
Online fraudsters prey on sites with limited data and manual review
“Fraudsters prey on ecommerce sites operating with limited data and manual order reviews,” Amirbekian wrote. “Going it alone simply leaves your customer data vulnerable to threats — threats your platform provider may already be aware of.”
He suggested that retailers work closely with their fraud protection platforms to get a bigger picture of the looming threats. Signifyd’s network of 5,000 merchants and its partnerships with the leading third-party data sources provides a 60 percent chance that Signifyd has seen a consumer before they even place an order with one of its merchants, he wrote.
Also important, Amirbekian said in his essay, is the divide between the well-protected and the poorly protected. The Equifax breach is likely to widen that. Early adopters and retailers who aggressively protect themselves from fraud no doubt have redoubled their efforts, making them even more difficult targets for fraudsters.
Fraudsters, not surprisingly, don’t pursue the hardest targets. Instead, they go after the poorly protected sites.
So why haven’t we heard about a big uptick in fraud tied directly to the Equifax breach? At this point, we’re left to speculate. In some ways, there is no hurry for fraudsters. As USA Today points out, the type of personal information that was stolen — names, birthdates, social security numbers — are not the sorts of things that people tend to, or even can, change.
Having access to a cache of information sufficient to create new accounts that look completely legitimate is different from stealing credit card information. Credit cards accounts can be shut down with a phone call, making them highly perishable for fraudsters.
Personal data, which might inspire some urgency among fraudsters given that cyber thieves are likely to sell the same pilfered information to several fraudsters, is much more long lasting.
“Once hackers gain access to these key pieces of personal data — which is akin to the DNA of a person’s online digital self — it is at the cyber thieves’ disposal forever to cause harm,” the USA Today story reported.
In his contribution to “Protecting Consumer Identity,” Kent Kling, chief security officer for Transaction Network Services, seconded the concern about the long-lasting and potentially slow-moving effects of the Equifax breach.
“In this case, it’s our personally identifiable information (PII), such as Social Security numbers, which cannot be changed; so, the effects of this breach will be felt now, but also over the long term, as criminals repeatedly dip into this data,” Kling wrote.
Could it be that fraudsters are waiting for the height of the holiday shopping season, when fraud teams — and pretty much everybody in a retail operation — are stretched thin and under pressure to accelerate manual fraud reviews to get orders out quickly?
Some have dismissed the holiday threat, saying that the information fraudsters have could be used for more valuable pursuits — taking out loans or stealing tax refunds, for instance. But the truth is professional fraud rings are like law firms or accountancies. They specialize. Just as a law firm might specialize in corporate law, or personal liability or criminal law, a fraud ring might specialize in ecommerce fraud.
In other words, fraudsters are going to do what they’re good at.
And so, what more can merchants do to protect themselves from the growing menace of fraud?
PCI compliance is table stakes in the era of the data breach
In his essay, Kling pointed to the importance of following industry standards, such as adhering to PCI-DSS (or Payment Card Industry Data Security Standards). PCI-DSS has helped keep consumer credit card information secure, he wrote, but those who handle personal information need to keep innovating, because fraudsters are constantly working to find new weaknesses to exploit.
Jeremy Grumbley, CEO of Creditcall, agreed, writing in his essay that businesses simply can’t let their guard down. Fraud rings are incredibly sophisticated and they are constantly modifying and optimizing their tools, as any sophisticated enterprise would. As targets, merchants must also be constantly evolving their fraud protection tools.
“The primary threat is no longer kids running scripts and hacks they downloaded,” Grumbley wrote. “Governments and organized criminals have bleeding-edge technologies at their fingertips that the mainstream hasn’t seen.”
In the end, retailers need to adopt a new way of thinking, given the prevalence and frequency of data breaches. As one contributor wrote, it’s become harder and harder to know who’s who.
“Cyber and data security attacks underscore a new reality: Customer-contact employees cannot assume that someone is who they say they are simply because they can recite a data point that was recently breached, such as a date of birth or Social Security number,“ Tina Giorgio, CEO of ICBA Bancard, wrote in her contribution.
We’ve come a long way from the days when regular customers could walk into the corner market and be immediately recognizable to everyone working in the shop.
Online commerce is fast becoming the way people shop. And while we may be losing a bit of community, there is no question that shopping is becoming more convenient and efficient than ever before.
And for merchants, it’s becoming more perilous than ever before when it comes to fraud — no matter how quiet things may appear on the surface.
Mike Cassidy is Signifyd’s lead storyteller. Contact him at firstname.lastname@example.org; follow him on Twitter at @mikecassidy.