HSBC Turkey recently took the controversial decision not to reissue 2.7 million cards after a data breach because, it said, not enough information had been stolen to commit fraud. It’s an interesting case because of what it says about the attitude of our major banks, an attitude shared by many internet retailers, online service providers and others: as long as their own systems aren’t breached successfully, there is nothing to worry about. HSBC Turkey stated that the breach was not significant enough to affect cardholders’ accounts. The bigger issue, however, is that the captured details can be used in fraud attempts on other sites, so those people’s identities are still compromised.
I’d argue this is not the case: many different types of data can be used to commit account fraud online, and failing to secure your systems against stolen data, as opposed to just against data theft, makes your firm complicit in that crime. It’s well known among security professionals that every piece of innocuous data adds a piece to a jigsaw puzzle that can be used to unlock our digital lives. Organizations need to start a conversation at the highest level about how to extend security protections from the traditional data breach out to account fraud, for the good of the industry.
A change of focus
The focus today is weighted far too heavily towards securing the network against a monumental data breach. The boardroom conversations are all about making sure the firm doesn’t become the next headline. Apple’s attitude to the iCloud "hacks" neatly sums it up. It could be paraphrased as "our systems weren’t breached; it was those irresponsible users and their weak passwords that were to blame." The fact is that your organisation can have the most secure network in the world, but if you don’t put best-practice anti-fraud measures in place to protect customers who are unable to protect themselves, your neglect gives the fraudsters a helping hand. Your firm’s reputation, by association, will suffer.
Even if HSBC Turkey did re-issue cards, its customers do not have the luxury of being able to change their identity. JP Morgan Chase’s recent breach of the contact information of 76 million US households drew a similar response: consumers’ money was safe and they did not need to change their passwords. Email addresses, for example, are among the most common login identifiers around, used on everything from Facebook to dating sites and even tax forms. Alongside names, addresses, telephone numbers and other apparently innocuous details, they can be used to build up a digital profile of a customer. Once the fraudster has enough elements, they have the keys to unlock that customer’s digital life. The question, then, is not just whether your systems are safe from a data breach, but whether they are safe from data breached elsewhere.
A chance to stand out
In the face of a data breach, banks typically offer free credit monitoring, which only picks up fraudulent activity once someone applies for credit in the victim’s name, and two-factor authentication, which places a greater usability burden on the customer. This simply isn’t enough. More sophisticated fraud monitoring, transparent to the customer, would go a long way towards rendering stolen details useless across the internet without adding friction.
It’s the kind of attitude that could help an organisation really differentiate itself from its rivals. Whether you like it or not, customers will blame you for an account takeover, even if it was their own sloppy security that led to it. Sadly, no amount of user education will alter the fact that passwords are reused across multiple accounts and that people often fall for basic phishing scams. So meet those user expectations by investing in more sophisticated fraud prevention systems to protect your customers’ accounts.
Securing the organisation’s database of sensitive personally identifiable information is of course important. But it will never be 100% breach-proof. That’s why CIOs, CISOs and board members need to think more clearly about what happens to stolen data downstream. Increasingly, cyber criminals are using breached data troves in covert "low and slow" campaigns: replaying stolen credentials against many accounts, from many sources, at a rate that stays below the per-account lockout and rate-limit thresholds most brute-force prevention systems rely on. If more e-tailers, social media companies, banks and service providers paid attention to preventing online account fraud, we’d take a huge step forward in making the fraudsters’ lives more difficult.
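As an added illustration of the "low and slow" point (this is example code written for this page, not code from the original article or from ThreatMetrix), the Python script below builds a constructed authentication log and runs two checks over it: a classic per-account lockout of the kind such campaigns are designed to slip under, and a per-source, cross-account count that flags the same traffic. Every log line, IP address, account name and threshold is invented for the example.

```python
"""Constructed example: per-account lockout versus a cross-account view.

The attacker replays breached email/password pairs from one source, two
attempts per account, against many accounts. Each account sees far fewer
failures than a lockout threshold, so only an aggregate view notices.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_FAILS = 5                # per-account: lock after this many failures...
WINDOW = timedelta(minutes=10)   # ...inside this sliding window
SPRAY_ACCOUNTS = 10              # per-source: flag a source failing against this many accounts


def build_constructed_log():
    """Return constructed log lines: 'ISO-timestamp src_ip account result'.
    All addresses and accounts are made up (RFC 5737 documentation ranges)."""
    base = datetime(2014, 10, 14, 9, 0, 0)
    lines = []
    # a genuine user who mistypes once, then logs in
    lines.append(f"{base.isoformat()} 203.0.113.7 alice@example.com FAIL")
    lines.append(f"{(base + timedelta(seconds=8)).isoformat()} 203.0.113.7 alice@example.com OK")
    # a genuine user who has forgotten their password: the case lockout is built for
    for i in range(6):
        t = base + timedelta(seconds=60 + 20 * i)
        lines.append(f"{t.isoformat()} 198.51.100.9 bob@example.com FAIL")
    # low-and-slow attacker: 15 accounts, 2 attempts each, one attempt every 20 s
    for n in range(15):
        for k in range(2):
            t = base + timedelta(seconds=40 * n + 20 * k)
            lines.append(f"{t.isoformat()} 192.0.2.55 user{n:02d}@example.com FAIL")
    lines.sort()  # fixed-width ISO timestamps sort chronologically as text
    return lines


def parse(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def per_account_lockouts(lines):
    """Classic brute-force defence: lock an account after LOCKOUT_FAILS
    failures inside WINDOW. Returns the set of accounts that would lock."""
    fails = defaultdict(deque)  # account -> timestamps of recent failures
    locked = set()
    for line in lines:
        ts, _ip, account, result = parse(line)
        if result != "FAIL":
            continue
        q = fails[account]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= LOCKOUT_FAILS:
            locked.add(account)
    return locked


def per_source_sprays(lines):
    """Cross-account view: flag any source that fails against SPRAY_ACCOUNTS
    or more distinct accounts inside WINDOW, however few failures each account
    sees. Returns {source_ip: peak number of distinct accounts hit}."""
    events = defaultdict(deque)  # source -> (timestamp, account) of recent failures
    flagged = {}
    for line in lines:
        ts, ip, account, result = parse(line)
        if result != "FAIL":
            continue
        q = events[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= SPRAY_ACCOUNTS:
            flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    log = build_constructed_log()
    print("accounts the per-account lockout would lock:", per_account_lockouts(log))
    print("sources the cross-account check flags:", per_source_sprays(log))
```

Run against the constructed log, the lockout fires only for the genuine user who forgot their password, while every account the attacker touched stays under the threshold; the per-source check flags the attacker's address after its tenth distinct account. Keying on the source IP alone is a simplification: real campaigns spread across proxies and botnets, so a production check would also aggregate on device fingerprint, network or ASN, and on population-level baselines (for example, an unusual number of distinct accounts failing site-wide in one window).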
So let’s take the initiative and block that path of least resistance. It’s about time we fought back.
Alisdair Faulkner is Chief Products Officer at ThreatMetrix.