Identity Theft hit an all-time high in 2016 according to Javelin Strategy and Research latest report. While the new EMV chip credit cards helped, it led to other types of fraud. Don Duncan, Security Engineer at NuData Security commented below.
Don Duncan, Security Engineer at NuData Security:
“There is no doubt that the shift to EMV is causing fraudsters to adapt their methods by turning to card-not-present fraud. This was the trend seen in Europe when they made the change a few years ago. The fraudsters will continue to shift their sights on untapped vulnerabilities as we shift our defenses. Account takeover (ATO) is the result of all the personally identifiable (PII) data that has escaped by way of massive breaches. Steadily increasing rates of ATO indicate that passwords and 2-Factor Authentication are hopelessly compromised. NuData also found that there was an overall decline in high-risk credit card activity last year. The data showed that high-risk events more than doubled since last year, with a 40% increase in login attacks, and a 600% increase in login anomalies, and half the number of credit card cycling events. All data points a clear shift from credit-card fraud to login.”
Don continues, “All of this points to a much needed paradigm shift in how we think about authentication, whereby identity isn’t tested online with a single factor such as a password, 2FA, physical biometric or any other single data point. Instead, the verification should be based on multiple factors that are combined and analyzed to give a more complete risk assessment of the user – even if legitimate credentials are presented by the hacker. The test should also be based on dynamically generated information that isn’t stored and therefore isn’t subject to theft, mimicry or spoofing. There are tools, such as passive biometrics, on the market now that base their verification tests on dynamic data, not solely single-factor data such as a password or 2FA. These multi-factor methods are the only way we are going to move beyond much of this identity fraud in the future.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.