Account takeover is one of the most harmful and widespread threats that security teams are dealing with today, costing organizations millions as a result of data loss, data leakage, or financial scams that leverage unauthorized account access.
Identity and account fraud is set to cost organizations over $20 billion USD in 2021 and methods of account compromise, such as social engineering and credential theft, have risen sharply over the course of the pandemic, as users have relied heavily on digital accounts for banking, e-commerce and, of course, healthcare services.
With account takeover attacks set to triple over the next four years, dealing with this problem poses a significant challenge. Strong account security solutions rely on machine learning systems to identify signs of account compromise. But most developers, including most security vendors themselves, have very little data which can be used to build effective models to protect users against account compromise.
This a problem that Ari Jacoby, co-founder and CEO of identity intelligence provider Deduce, refers to as “data poverty,” an issue that he argues is one of the major reasons that security teams struggle to deal with the challenges of account takeover. We sat down with Jacoby, and Deduce’s VP of Product, Robert Panasiuk, to discuss these issues and how the data poverty problem can be solved.
What Is Data Poverty?
When it comes to tackling account takeover, some companies are much better equipped than others. Tech companies like Facebook, Google, Apple and Amazon collect huge amounts of data that they can use to create advanced algorithms to detect signs of account compromise. This means that, although account compromise is still an issue on these platforms, there is often a strong level of security in place to keep accounts safe.
But, for the vast majority of tech companies who develop platforms for their users––companies including banks, healthcare organizations and even government services––that level of data is simply not possible to obtain. This means they are unable to build predictive algorithms that are intelligent enough to detect account compromise.
“In an ideal world, there would be a common currency of data; a shared common currency that would allow all industry participants to keep more consumer accounts safe,” Jacoby says. “But the opposite is true in the cybersecurity risk and fraud space, unfortunately.”
Instead, how the process typically works is that each vendor has contracts in place when they collect data, which specifically stipulates that all data collected is their own and their customers, and that nobody else may use this data. This is often reinforced by data regulations, which often prevent the sharing of data, especially personal data, across systems.
“So, there’s a lot of data that flows through the veins of this industry, but very little of it can be used to actually move the industry forward, and save more consumer accounts from harm,” he says.
Jacoby and his team noticed this trend, applying it to the concept of data poverty. “Data poverty is really the idea that there is no cultural or contractual wherewithal in the industry today to share data, which hurts the industry and consumers. Only the internet titans have the requisite amount of data they need to make good access decisions.”
“There are many, many walled gardens, and walled gardens within solutions, which puts organizations and people at a disadvantage,” Panasiuk says. “And when you think about the way bad actors work together, they collaborate all the time!”
Hacking tools are readily available, criminal organizations work together to share knowledge; there’s almost a “Stack Overflow” on the dark web for cybercriminals, he explains.
“Because a lot of consumer data is so secure and so limited, there’s no way to combat that; there’s no defence against this collaborative effort without building a data network. And that’s really what we’re doing, we’re trying to give everyone an equal fighting chance against these bad actors.”
The Deduce Identity Network
The Deduce Identity Network collates hashed login and fraud data from over 150,000 websites in real-time, providing their clients, typically in FinTech, e-commerce, gaming, healthcare and social media, with vast amounts of data on whether a login attempt is malicious or not, enabling them to protect their customers against account fraud.
Their APIs provide contextual evidence and predictive cybersecurity controls to make intelligent predications about account behavior to reduce the risk of account compromise, and increase trust that people logging in to accounts are real users, and not malicious cybercriminals. This helps organizations to secure registration, authenticate users when logging in, and authenticate account change and secure payment processes, reducing the risk of successful account takeover.
The platform helps to alleviate the issue of data poverty, sharing data streams from across their customer-base to provide more accurate security for their users. The more customers they have on board, the more data they can utilize, and the more accurate their machine learning systems become at detecting account compromise.
Core to the Deduce platform is the notion that building trust and confidence in accurate user logins is just as important as identifying signs of account fraud, says Panasiuk.
“These days a lot of fraud managers are identifying that building trust and reducing fraud are either equal or, in some instances, that building trust is actually more important than reducing fraud. Customers are more aware about data privacy, so conversations now are centered around building trust, optimizing user journeys,” he says.
Traditional identity verification tools use the user’s personal details such as name, address and social security number to verify identity and authenticate actions such as approving loans, but stolen data like this can be very easily attained by cybercriminals due to the collaborative networks they have built.
“However, if you bring in a tool like ours, we can say: ‘This is a new user that’d we expect to be in Chicago, and we expect them to be using a mobile phone that’s running Android 11, because that’s what they typically use when logging into accounts with this email address.’ Any login we see outside of these parameters represents an increased risk.”
“We allow organizations to evaluate that login from the digital side, where they previously had no visibility because this is a new user coming to their systems for the first time.”
How Can We Reduce The Risk Of Account Takeover?
The risk of account takeover is not going away, and data-centric tools like Deduce will be central in helping organizations to secure their systems and ensure user’s personal data and accounts are protected, as well as ensuring that companies’ reputations are protected. Jacoby’s advice to organizations struggling to secure their services against the challenges of account takeover is to listen to the needs of the consumer.
“I think we’re now living at a time of heightened activism on the consumer side,” Jacoby says. “The consumer is hyper aware, they know there is no privacy without security, and they care about login security. They’d like to see some semblance of visible cybersecurity.”
Through interacting with the big tech players like Apple and Google, most users are aware of privacy concerns and are used to using two-factor authentication and biometric controls, Jacoby says–– features that most customers want to see implemented in services where financial transactions are taking place, like gaming and e-commerce, and also in important services like banking and healthcare.
“Our recommendation is really the same as the industry recommendation. Which is certainly to invest in this category of solutions, because investment is prudent given the tremendous growth the industry is experiencing to the problem of account takeover. It’s not something that’s going to go away, it’s something that is going to continue to get more sophisticated. So, getting involved today, is very important.”
Thanks to Ari Jacoby and Robert Panasiuk for participating in this interview. If you’d like to learn more about the Deduce platform and how it works, visit their website here: https://deduce.com/