Customer Data at Risk – How Attackers Steal and Use Sensitive Information
Today, digital data thieves have easy access to customer information. Anyone can buy user information, even complete identities, from the dark web for as little as $1.[1] Data breaches have become an everyday story, which makes stolen data easy to come by. The tremendous rise in data breaches and people’s growing indifference to them have led to serious cyber crimes. Furthermore, fraudsters are infiltrating systems to amass user information using smarter techniques than ever before, and using it to commit crimes that are extremely tough to detect.
Let’s understand a few tactics and techniques that fraudsters use to steal user data, and the types of fraud they commit after having amassed sensitive user information.
How Attackers Access Customer Data – Tactics and Techniques
- Phishing: An attacker sends out fraudulent emails in bulk in the hope of getting a reply from a few recipients. Even if a small number fall for the scam, the fraudster obtains significant information and money. This common technique, which has been in use for decades, is called phishing, with its two most popular types being spear phishing and email phishing. A phishing message directs the user to a bogus website and asks the user to update information such as a social security number or bank account details. What makes phishing work is how closely the messages mimic actual emails and websites. Even the links used in the message seem legitimate.
- Vishing and SmiShing: Unfortunately, it is not just the inbox that is vulnerable to attackers. Fraudsters can also use phones to steal personal information. This technique is known as vishing. Voice over IP is used to spoof caller ID, which makes it seem like a real person or company is making the call. Just like phishing and vishing, SmiShing attacks use cell phone messages to create a sense of urgency in the mind of the phone owner, thereby making it easier to steal information.
- Dumpster Diving: A person with criminal intent looks for your personal information on items retrieved from the trash you have disposed of, for example discarded bank statements, utility bills, or credit cards no longer in use.
- Skimming: Information stored on the magnetic strip of your credit or debit card is captured by installed skimmers when you use your card to make payments or withdraw cash. Skimming scams often also make use of hidden cameras to record your ATM PIN.
- Password Hacking: Hacking into someone’s email, shopping cart, or social media accounts takes seconds for a seasoned fraudster. A number of websites list default usernames and passwords for certain routers, making access even simpler for hackers. Stolen password files from a company’s database are also a key resource for trained hackers.
- Buffer Overflows: This technique is used by fraudsters to steal user data via online forms. While filling in an online form, the hacker deliberately submits a large volume of data that the field does not support. So if a form field is meant to accept only seven to nine characters for a zip code but the application does not enforce that limit, the oversized input overflows the buffer reserved for the field, and the hacker can break into the system to set new values and take control.
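The length check that the buffer-overflow item turns on, as an added example that is not part of the original article: a C handler for the zip code field, with the unchecked copy beside a version that enforces the seven-to-nine-character limit on the server side. The struct layout, function names, allowed character set and sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ZIP_MIN 7   /* field limits taken from the article's example */
#define ZIP_MAX 9

/* Hypothetical record: a flag sits right after the fixed-size zip buffer. */
struct signup {
    char zip[ZIP_MAX + 1];
    int  verified;
};

/* Unsafe form: trusts the browser to enforce the field length. Input longer
 * than ZIP_MAX bytes is written past zip[] into whatever follows it. */
void store_zip_unsafe(struct signup *s, const char *input) {
    strcpy(s->zip, input);
}

/* Hardened form: measure with a bound, enforce length and character set
 * (letters, digits, '-' : an assumed policy), then copy exactly n bytes.
 * Returns 0 on success, -1 if rejected; the record is untouched on reject. */
int store_zip_checked(struct signup *s, const char *input) {
    size_t n = 0;
    while (n <= ZIP_MAX && input[n] != '\0')
        n++;                              /* never scans past ZIP_MAX + 1 */
    if (n < ZIP_MIN || n > ZIP_MAX)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)input[i]) && input[i] != '-')
            return -1;
    memcpy(s->zip, input, n);
    s->zip[n] = '\0';
    return 0;
}

int main(void) {
    struct signup s = { "", 0 };
    const char *samples[] = {             /* constructed inputs */
        "94105-12", "123", "94105;12", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = store_zip_checked(&s, samples[i]);
        printf("%-34s -> %s (verified=%d)\n", samples[i],
               rc == 0 ? "stored" : "rejected", s.verified);
    }
    return 0;
}
```

Length limits set only in the HTML form are advisory; the check has to run wherever the fixed-size buffer lives.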
How Criminals Abuse Stolen Data
Fraudsters often trade stolen personal information for cash, or they use it to carry out sophisticated crimes. Some of these fraud types include:
- Fabricated and Synthetic Identity Fraud: Fraudsters combine stolen and fake information to create a synthetic identity. For example, legitimate Social Security Numbers can be paired with fake driver’s license numbers and fake names, and this fabricated identity can be easily used to apply for and obtain credit cards. Using fabricated identities, criminals manage to build clean credit ratings. They rack up huge debts from banks and then manage to vanish without a trace. Banks end up losing billions to synthetic identity fraudsters, and months or even years chasing people who don’t really exist.[2]
Criminals also create fabricated or fake profiles on dating websites to lure victims with their stories. Such ‘romance scams’ are aimed at winning trust and asking for financial help. The victim never gets to meet the scammer in person and is never able to trace him because of a fake or fabricated identity being used.
- Marketplace Fraud: Low barriers to entry have made it easy for anyone to bid on products in online marketplaces. Fraudsters see this as an opportunity. For example, they often use online marketplaces to sell low-quality goods or non-existing items.
  - Fake Profile Fraud – A fraudulent seller copies the profile of a legitimate seller in order to fool victims into buying something they’ll never receive.
  - Fake Buyer and Seller Closed Loop Account Fraud – A fraudster creates multiple fake buyer and seller accounts. The fake buyers pay the fake seller for non-existent items or services using stolen credit cards.
- Payment Fraud: This is one of the most concerning fraud types that every online business must guard against. The surge in payment fraud is huge, and this upward trend is likely to continue.[3] A few of the various types of payment fraud are:
  - Credit card fraud: Fraudsters misuse stolen credit card information to make hefty purchases. While the actual credit card owner can dispute the charge and recover the stolen money, eCommerce merchants lose both the product and the money. Moreover, they are also held liable for the fraud and have to bear the chargeback cost.
  - Clean fraud: Fraudsters cleverly impersonate legitimate cardholders such that the merchant assumes a fraudulent transaction is absolutely clean and valid. Such fraud is extremely difficult to detect.
  - Account takeover: Having gained unauthorized access to a user’s bank account information and personal information, the fraudster contacts the credit card company pretending to be the real card owner. They can then get critical details on the card changed and take control of the real user’s bank account. The funds from the real user’s account can now easily be misused by the fraudster to make illegal transactions. According to Javelin’s research, ATO fraud tripled in 2017, causing a loss of more than $5 billion.[4]
Enabling Machines to Fight Fraud
People lose trust in companies that fail to protect their information. Though most companies ensure tight data security checks, such measures often crumble in front of the shrewd techniques that fraudsters use for breaching data.
Running your website on ‘https’ or having a couple of security technologies in place is not enough. Though regional regulations such as the European Union’s General Data Protection Regulation have recently come into effect to penalize those who fail to curb breaches, it is not possible to stop data theft altogether. The focus, therefore, should be on implementing smart fraud detection solutions that can identify, predict, and prevent fraud before it happens.
Simility’s Adaptive Decisioning Platform disrupts traditional thinking about risk and fraud. Designed keeping in mind fraud’s ubiquitous nature, the platform combines adaptive data ingestion with big data analysis and machine learning. Such an agile platform is a pioneering approach to prevent fake and stolen identity from entering into the system.
To know more about the platform and how it assigns fraud scores to new account sign-ups from stolen, fake or synthetic information, download our new whitepaper – Effective Methods to Protect Against Application Fraud.
1. Shining A Light On The Dark Web: How Much Is Your Personal Information Selling For, https://www.texasdatasolutions.com/shining-a-light-on-the-dark-web-how-much-is-your-personal-information-selling-for/.
2. Driving The Future of Payments – 10 Megatrends, https://www.accenture.com/us-en/insight-banking-future-payments-ten-trends.
3. CNP Fraud Around the World, https://www.uspaymentsforum.org/cnp-fraud-around-the-world/.
4. 2018 Identity Fraud: Fraud Enters a New Era of Complexity, https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity.
Latest posts by Jayan Tharayil (see all)
- Customer Data at Risk – How Attackers Steal and Use Sensitive Information - January 23, 2019