November 14, 2017
Fraud Top Ten Tips: The Cybersecurity Breach Aftermath
Posted January 8, 2016
Protecting against downstream fraud attacks in the wake of large-scale security breaches.
Digital companies can no longer trust static login and user credentials.
In the wake of all the large-scale data breaches we’ve seen in the last few years, stolen data such as login credentials and payment details is being widely leveraged by cybercriminals for fraudulent activity- especially on online banking and eCommerce sites.
To compound the problem, cybercriminals are able to dramatically increase the efficiency and scale of such attacks by using Bots and Botnets to run massive identity testing sessions in order to penetrate fraud defences. The recent trend towards low-and-slow Bot attacks can often bypass traditional security defences such as Web Application Firewalls.
How do organisations continue to successfully operate online in this world of digital debris? Here is our guidance on how to accurately authenticate your users in real-time, and secure against fraud and account takeover attacks.
Top Ten Tips for Authenticating Users and Transactions in a Post-Breached World:
- Use behavioural profiling and analytics to monitor for suspicious patterns of login requests or transactions, based on known devices, account history and persona identifiers.
- Device identification is a powerful tool to match users’ desktop and mobile devices to their login credentials.
- Ensure that you identify devices not just by cookies, which can easily be wiped, but with a full profile of their device characteristics, such as operating systems, language and time zone settings.
- Ensure you are equipped to detect evidence of malware on a legitimate user’s login session. This includes key loggers, Trojans, man-in-the browser and man-in-the-middle attacks; as well as non-signature based detection techniques such as advanced page fingerprinting. For example, banks need to be able to detect activity from devices infected with Remote Access Trojans.
- Monitor for risky devices and IP addresses which have been involved in attacking other companies, or which are accessing multiple accounts from the same device. Attackers employing low-and-slow Bot attacks are increasingly able to stay below the detection threshold of individual business but they invariably leave an identifiable global footprint.
- Look out for suspicious computer configurations, including oddly-configured mobile devices or devices which are disguising their geo-location with hidden proxies or are on the Thor network. However, as a word of caution, beware using geo-location in silo to block trusted users who are travelling or working from legitimate VPNs.
- Ensure you have mechanisms in place to instantly recognise returning customers with no evidence of tampered login details or compromised devices. Remember 95% of online activity is genuine – do not treat your customers as criminals.
- Only implement step-up, “out-of-band” authentication or manual reviews for suspicious and high-risk logins – minimising friction is a priority when it comes to authentication.
- No man is an island: Leverage shared intelligence for real-time insight into where the latest threats are coming from.
- Avoid lots of technologies working in silo to authenticate users, but get a holistic view of users’ identity in order to protect against fraudsters and ‘low and slow’ Bot attacks.