At War With the Ghost Army

Gone are the days when news of a data breach was shocking. Today they have become all too common an occurrence – but their impact is as serious as ever. In the recent Target breach alone – nearly one half of all American adults – 110 million – had their data stolen, opening the door to malicious use by fraudsters.

It's just the latest battle in an ongoing war against a sophisticated and interconnected army of digital ghosts. And the battle is far from over. In a matter of days, the ghost army was able to erode consumer trust and peace of mind. It was an audacious attack and the greatest impact to be felt in the upcoming months.

One of the most concerning issues around breaches is that many consumers' digital identities are based on a single email address or username/password. With stolen identity data in hand, criminals can submit fraudulent mortgages, credit card applications, even create fake credit cards, in the names of thousands of unsuspecting victims. Regardless of how the data is used, one thing is certain: breaches pose serious dangers to consumers, retailers and financial institutions.

Organizations within the financial services industry find themselves in the crosshairs of the digital army of fraudsters. Banks, credit unions and credit card companies are among the richest targets for determined digital criminals. Unfortunately, despite the risk, many of these organizations are still scrambling to deploy proper defenses. So how do you protect against an unregulated, networked enemy intent on inciting chaos and filling their bank accounts?

When a breach has been reported, banks and credit unions must be especially vigilant. How can they be certain who is logging into a customer's account? With the personal data compromised in the recent data breaches breach, criminals can launch sophisticated phishing attacks that lure people into giving up bank and credit card information in the name of security.

What controls are in place to ensure that a fraudster in Malaysia isn't using a legitimate identity and an anonymous proxy to submit credit card applications that are a perfect match to credit bureau data? Or to alert when a long-standing offline banking relationship suddenly enrolls online? Once access is established, address and other data can be updated and sold to the highest bidder in underground forums.

Below are several important recommendations to help banks and credit unions ensure customer accounts are not put at risk by the flood of compromised data from recent data breaches:

• Protect the front door. Assume customer accounts have already been compromised and implement a multi-layered, device-based security protocol at login. This will ensure access for legitimate customers while providing insights into any unauthorized login attempts. You may not be able to control how consumers manage their digital identities, but you can help protect them from potential financial damage.
• Stress account alerts. A growing number of fraudulent transactions are identified by consumers who are using email or text alerts. Encouraging customers to use this option engages them in the account monitoring process and can reduce the time to detect any fraud.
• Adopt an omni-channel fraud strategy. Early adopters of mobile technology used native applications and mobile-optimized websites to offer banking on the go. Too often they did so without the same protections as provided for online banking. It is important to have a consistent security policy across channels to ensure new offerings don't introduce new risks.
• Don't rely solely on traditional data sources for account openings. While traditional identity verification sources such as credit bureaus and shared databases are important, they do not provide a silver bullet. Sophisticated attackers are using legitimate data elements to create synthetic identities – and even 100% legitimate identities – to acquire credit lines and bank accounts that can be sold underground.
• Act on intelligence. Once an account has been directly targeted or compromised, lock down associated accounts, contact customers and proactively reissue cards. Many institutions do not have device-level visibility to online logins, but this is where fraud staging activities are most likely to be perpetrated.
• Lighten the regulatory load. Partner with information security organizations to ensure compliance with data protection and security standards so fraud prevention teams can focus on identifying and prevent attack rather than appeasing regulators. By developing strong partnerships with relevant oversight authorities helps ensure that you are involved in planning upcoming compliance requirements.

The days and weeks following a breach are a time of heightened risk. Even after a breach has occurred, the risk can be managed. Arming your organization with a layered security strategy that includes device intelligence will prepare them for the onslaught of fraudulent account creation activity, attempted account takeovers or unauthorized transactions that follow in the wake of any high-profile breach.

Mike Gross is senior manager, risk strategy and professional services, for 41st Parameter in Scottsdale, Ariz.