Reports are surfacing that both Tumblr and MySpace have been hit by a “mega breach”, with hundreds of millions of hacked account details being advertised for sale online. In both cases, the logins appear to have been stolen several years ago, with the breach only recently coming to light. The incident comes in the same month that it emerged a four-year-old database containing more than 167 million LinkedIn credentials had been traded online. Lisa Baergen, Director at NuData Security, told @DFMag:
“I sound like a broken record; but here we are again. Just as consumers start to feel secure, news of yet another breach hits the wire. No matter how long it takes to come out, the bottom line is that you have to stop thinking “what IF” and accepting it should be seen as “WHEN”…
Although usernames and passwords can be changed, victims of a breach need to understand that every bit of information exposed is important and may sit dormant for some time. These credentials are likely sold in packages on the dark web and compiled out of solid profiles of your online identity. Fraudsters are learning that information stolen from various breaches can create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more fraud can take place.
As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple years ago, it is account takeover and new account fraud that is on the dramatic rise. We saw in our own database of billions of behavioural events annually a 10% month-over-month increase in new account fraud.
Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and trust it is not the hacker using our identity information online.
User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to us, the consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the identity of the user behind the device.
So, good luck hackers – you can keep stealing our data, but we are going to make this data invaluable to you, and you can’t steal my behaviours!”