The prevalence of major data breaches has led to a surge in account takeover attacks, in which fraudsters use illegally obtained information to break into bank accounts and more. A study by Javelin Strategy & Research shows that account takeover losses more than tripled in the last year, to $5.1 billion. Massive amounts of stolen account credentials and personally identifiable information, stored in one poorly protected central location, are the perfect storm for account takeover attacks.
Within the first four months of 2018 we have witnessed large-scale breaches at well-known brands that account for the uptick in account takeover attacks; five of them were disclosed in just one week:
- DELTA, SEARS AND BEST BUY
[24]7.ai, the customer-service software provider used by Delta, Sears and Best Buy, was hit with a cyberattack in September 2017 that was contained by October. However, the affected companies were not notified of the attack until the first week of April 2018. The large volume of credit card data stored in one place acted as a honeypot, an easy target for hackers. Worse, customers were left in the dark for months and therefore could not take measures to secure their accounts in time, leaving them open to all kinds of fraud.
- SAKS FIFTH AVENUE AND LORD & TAYLOR
Dubbed the largest breach ever to hit a retail company, the Saks Fifth Avenue/Lord & Taylor breach affected 5 million cardholders at the two brands. The attack is believed to have started with a phishing email carrying a malicious link that employees clicked, which let the attackers infiltrate central systems and retrieve customer credit and debit card data; that data has been offered for sale on the black market since May 2017.
- ORBITZ
About 800,000 payment cards stored on Orbitz.com and its partner site, Expedia, were exposed, along with customer information from multiple travel sites that used Orbitz as their booking engine, including American Express. Other data accessed includes customers' full names, dates of birth, phone numbers, email and billing addresses and genders. With that information an attacker can take over a user's account for their own benefit, whether that means charging the cards or transferring funds to accounts they control.
- PANERA BREAD
Perhaps one of the more egregious incidents: Panera's website continued to expose the account information of as many as 37 million customers for eight months after the company had been warned of the flaw. Exposed details included usernames, first and last names, email addresses, phone numbers, the last four digits of saved credit card numbers, saved home addresses, social account integration information, saved food preferences and even dietary restrictions.
The extent of these breaches could be drastically reduced if personal credentials were not stored in a company's central database. Moreover, consumers should not be required to give up their privacy by attaching their email, phone number, credit card details, social security number, date of birth, Facebook profile and more to their accounts simply to prove who they are. When this kind of data, the kind hackers find attractive, is stored centrally, it is not a matter of if but when it will be breached.
Centralization has resulted in huge breaches of personally identifiable information (PII) like names, passwords, PINs, even static biometrics (5.6M fingerprint records were stolen from the Office of Personnel Management in 2015).
Static biometrics have now moved to on-device implementations and decentralized architectures. Businesses are now looking at adopting technologies that recognize the customer from behavioral patterns, including the way they interact with their devices. Rather than storing that behavioral data in one easy-to-access location, it should be decentralized: kept on the user's own devices, so that each device holds only its owner's profile and the company's central database never holds the profiles at all. Just as static biometric templates can now be securely stored on-device, behavioral biometric data should be secured on-device as well, or it too will become a honeypot for ill-intended actors, as other large collections of user data have, the Facebook data breach being a recent example.
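What the on-device model looks like in practice, as an added example written for this post (it is not Zighra's code or a description of its product): the device keeps the behavioral template and a private key, performs the match locally, and only signs a server-issued challenge when the match succeeds; the server stores nothing but a public key per enrolled device. The feature vector, the Euclidean match with a fixed threshold and the Ed25519 attestation are all assumptions chosen to keep the example self-contained; a real behavioral engine uses a learned model for the match. The point the code makes is about what a breach of the server yields: public keys, which cannot be used to impersonate anyone, and no biometric data at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// BehaviorTemplate is a constructed stand-in for a behavioral biometric
// profile: a few normalised features (typing cadence, swipe velocity, ...).
type BehaviorTemplate []float64

// distance is a plain Euclidean distance, an assumption that stands in for a
// real matching model; it only marks where matching happens (on the device).
func distance(a, b BehaviorTemplate) float64 {
	if len(a) != len(b) {
		return math.Inf(1)
	}
	var sum float64
	for i := range a {
		d := a[i] - b[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// matchThreshold is an assumed cut-off for the toy distance metric.
const matchThreshold = 0.25

// Device holds everything sensitive: the template never leaves it, and the
// private key is used only to attest a successful local match.
type Device struct {
	template BehaviorTemplate
	priv     ed25519.PrivateKey
}

// Server stores only a public key per enrolled user plus the outstanding
// challenge. A dump of this struct lets an attacker impersonate nobody.
type Server struct {
	pubkeys map[string]ed25519.PublicKey
	issued  map[string][]byte
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

// Enroll generates the key pair on the device and registers only the public half.
func Enroll(s *Server, user string, t BehaviorTemplate) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubkeys[user] = pub
	return &Device{template: t, priv: priv}, nil
}

// Challenge hands out a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[user] = c
	return c, nil
}

// Attest runs the biometric match locally; only on success does the device
// sign the challenge. Neither the sample nor the template is ever sent.
func (d *Device) Attest(sample BehaviorTemplate, challenge []byte) ([]byte, error) {
	if distance(sample, d.template) > matchThreshold {
		return nil, errors.New("local behavioral match failed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the signature against the outstanding challenge and retires
// it, so each challenge is single-use whether or not verification succeeds.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.pubkeys[user]
	c, issued := s.issued[user]
	if !ok || !issued {
		return false
	}
	delete(s.issued, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	srv := NewServer()
	// Constructed enrollment profile and a later sample from the same user.
	dev, err := Enroll(srv, "alice", BehaviorTemplate{0.5, 0.2, 0.8})
	if err != nil {
		panic(err)
	}
	chal, _ := srv.Challenge("alice")
	sig, err := dev.Attest(BehaviorTemplate{0.52, 0.21, 0.79}, chal)
	fmt.Println("genuine session accepted:", err == nil && srv.Verify("alice", sig))
	// Everything a server breach exposes for this user: one public key.
	fmt.Printf("server record for alice: %x (%d bytes, public key only)\n",
		srv.pubkeys["alice"], len(srv.pubkeys["alice"]))
}
```

Two properties are worth checking against the code rather than taking on faith: a signature captured in transit is useless once its challenge has been consumed, and an impostor's sample is rejected on the device before anything is signed, so the server never even sees a failed biometric attempt.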
The push toward privacy and sovereign identity will drive the shift to decentralization. Not only will this open the door for more effective security measures, it will also give consumers back their ownership and control of their PII.
To learn more about Zighra’s decentralized behavioral biometric solutions: