Breached PII: Growing Fraud WorryNew Account Fraud, Account Takeover Expected to Grow
But card-not-present, better known as CNP, fraud is already, and has been, on the rise for some time, as more purchases continually move from brick-and-mortar retailers to the online, e-commerce environment.
"We can't rely on PII to authenticate users anymore. That data has been breached, and ultimately is worthless."
While EMV will spur fraudsters to shift their focus away from the physical point-of-sale and more toward e-commerce, it's not going to be that significant of a shift. There are plenty of other avenues fraudsters will attack after EMV.
An uptick in ATM fraud, for instance, is one trend to which we pay too little attention. Some of the new types of attacks being waged against Windows ATMs are circumventing the need for a card entirely (see Cybercrime Gang: Fraud Estimates Hit $1B).
Now that ATMs are running Windows, like the rest of a bank's enterprise, they're much easier to hack, and control. Hackers can compromise the bank's network and simply take control of the ATM, commanding it to dispense cash without the need for a card.
Even with the advent of EMV, which will prevent skimming at ATMs, fraud can be perpetrated.
So, when I spoke this week with Javelin's director of fraud and security, Al Pascual, I was more curious about the fraud-migration trends linked to EMV that we weren't talking about.
He had some enlightening details to share.
Javelin, in its 2015 Data Breach Fraud Impact Report , which came out June 11, predicts that between now and the end of 2018, data breaches involving healthcare, government and education will skyrocket. And the information compromised during these breaches will be much more devastating, long-term, than the card data we've seen compromised in the last 24 to 36 months via retail breaches such as Target and Home Depot.
That's because in healthcare breaches, such as Anthem, or government breaches, such as the Internal Revenue Service and Office of Personnel Management hacks, personally identifiable information is the target, and it's selling in the underground for a much higher dollar amount than any of the cards compromised in retail attacks.
Hackers attacking universities and other educational facilities are after the same kind of information - Social Security numbers, name, addresses, ages, etc.
It's all PII that can be used to perpetrate identity theft, new account fraud and account takeover.
"There is still going to point-of-sale card fraud," Pascual says. "But new account fraud and account takeover that uses this PII is a bigger worry, especially for banks. In this report, we looked at the trends and what we thought fraud would look like, and then we tied it back to data breaches."
And what Javelin came up with is bleak.
Data breaches and new account or account takeover fraud go hand-in-hand, Pascual says. "Education, healthcare and government will be targeted for that kind of PII data, and they need to do better jobs of encrypting that data or putting it on different networks. At this point, it's getting to be more embarrassing than anything else," because they've been such easy targets.
A Missing Fraud Link?
Avivah Litan, a fraud expert and distinguished analyst at consultancy Gartner, told me earlier this month, when I reported a little-hyped breach of a payroll center in California run by Heartland Payment Systems, that the breach of PII is one of our gravest security concerns, yet banks have not historically done much to mitigate risks associated with compromised PII.
Like Pascual, she said the breach of PII, which in this case was associated with payroll processing, poses much greater risks for consumers than a breach of card data.
"Just like the stuff that happened at the IRS, when 100,000 taxpayers had their accounts breached," she said. "For years, no one has reacted or paid attention to the breach of payroll data or taxpayer information, even though the loss of this kind of information is so much more serious to a consumer than credit cards. With credit cards, we are all protected, and the cards can be reissued."
With the theft of PII, however, new account fraud and bank account takeover are all real possibilities, Litan said. And banks don't have very good mechanisms in place to detect when a stolen identity is being used to open a new account or take an account over.
"There's no network to look for the suspicious use of PII or bank account numbers that have been breached in an attack like this," she said. "There's no network there, like MasterCard or Visa, to review things like they do for suspicious card activity. If someone starts taking money out of my bank account, there is nothing I can do about it, unless I can prove that someone has stolen my identity."
Lesson for Banks
Pascual echoes Litan's concerns, pointing out that banks need to be focused on coming up with better ways to authenticate users and verify accounts that don't involve knowledge-based authentication responses. Once PII is compromised, the fraudsters have all the information they need to defeat KBA.
"The fact that we use identifiers for authentication is a big problem," Pascual says. "With digital accounts in particular, you can handle all of the account opening online, without ever having to actually see a banker. And that's a big problem."
Now the onus is on banking institutions to improve their abilities to authenticate, not only by validating the identity of the person opening the account, but also by ensuring that the mobile device or PC being using to open the account online belongs to the same person, he says.
And banks need to invest in technologies and solutions that allow them to validate mobile and landline phone numbers with carriers or telcos.
"We need more device identification, and we need to do a better job of making sure that the behavior of that applicant makes sense, by looking at the time of day, how long it took him to fill out the online forms, etc.," Pascual says. "We can't rely on PII to authenticate users anymore. That data has been breached, and ultimately is worthless."