Learning Lessons From Large Scale Breaches
At this point, there’s no ignoring it: our financial security is compromised daily. And no doubt, many reading this wouldn’t hesitate to recount all the breaches they have been a part of as consumers: merchant breaches in which replacement cards forced you to update your linked accounts, or data compromises where personal information was stolen and identity theft protection was provided, forcing you to consider freezing new credit originations.
These are only the breaches we know about — considering the residual risk of all the data breaches we’ve been exposed to, the totality of it all becomes immense. Back at the start of 2014, I suggested that we’re experiencing data breach fatigue; today it’s closer to data breach exhaustion, and consumers may now feel powerless.
We must ask ourselves as consumers, what exactly is being compromised? What information has fallen into the pocket of an attacker and how could they use it to attack me? As we are compromised once, twice, or multiple times, are we falling under greater risk? How vulnerable are we when it is revealed that personal details landed in the hands of hackers and fraudsters?
Typically, most concerning for consumers is demographic data that can be used in authentication, illegitimate identity-theft account opening, or the use of a payment card for unauthorized spending (or potentially for account takeover) if an attacker has the relevant non-public personal information. There is a risk here to be sure, even if we, as service providers, don’t realize the impact of it. So what lessons are out there?
Zombie authenticators and static data elements are a gift to hackers
Well, for starters, why are we still using knowledge-based authentication based on third-party-issued static data elements to authenticate? Government identity numbers (in the U.S., Social Security numbers), home addresses and the user’s date of birth are zombie authenticators – even worse than passwords! They have been compromised so many times, or are sometimes available through public or searchable sources… still in 2017.
Fraudsters have databases to store these elements as well, and anyone who has an account on a dark website can search an underground database to see if a birthday, SSN (Social Security number) or home address exists for the intended target. In fact, there is already a neologism for this: “Credential Stuffing” – the act of intercepting and using as many compromised authentication elements (e.g. account login or recovery credentials) as possible to attempt to take over an account.
Biometrics and other authentication measures should be embraced
When being asked to authenticate myself, I cringe when I see these types of questions. I’d much prefer to do business with an entity that has a more rigid authentication process and does something far more clever and sophisticated to validate that I am, in fact, me. We now have biometrics, if the customer can use them remotely on a mobile app. We have dynamic account-based questions (only known internally to the service provider and customer), and we have multifactor out-of-band authentication… these can be embraced to deliver a far better authentication experience and reduce the potential for account takeover. Would I feel more secure in a world of high-frequency data breaches when I know my financial institution authenticated me with two factors? Could this actually be faster than the present authentication practice of asking multiple questions throughout a contact center session? Of course!
I know no one wants to get a letter from their financial institution, or look themselves up on a newly created security webpage to determine they are exposed after a large breach is revealed, but this is a reality. The lesson of any breach du jour is that we cannot sit idly by and continue to authenticate with the static data elements that are most consistently compromised.