With some unwelcome recent findings regarding fraud, as well as major cybersecurity breaches, a stronger security strategy is needed now more than ever. John Marsden, head of ID and fraud at Equifax, gives an overview of the problem and offers critical advice for individuals and businesses.
Recent ONS crime figures show banking and credit fraud is up 13% in the year ending June 2016.
Companies have stepped up their fraud protection with multiple layered fraud defences, but this often moves criminal activity to channels that are less well protected.
Fraud is a surprisingly professional industry. The number of cases continues to rise as criminals find new ways to access information, often fuelled by a deep understanding of their target’s identity. Underlying this is the sharing of knowledge and consumers’ personal information across dark web marketplaces.
Consumers must take steps to protect themselves from falling prey to fraudulent behaviour. People are without doubt confused about where to store and share confidential information like their bank account number, sort code and even date of birth.
As consumers seek the convenience and speed offered by digital correspondence, they expose themselves to fraudsters who will steal this information to gain access to accounts and financially exploit individuals.
Data shared on the dark web cannot be treated as a one-time event; the data never truly vanishes and can spread globally in a short amount of time, enabling criminals to fraudulently take over accounts and identities.
To reduce the risks and damage associated with fraudulent activity, more needs to be done to educate the public and give them a stronger chance of protecting themselves.
The advice is very clear: remain vigilant, only share your details when you are sure the channel is secure, and keep the following guidelines in mind when handling your personal information:
- Do not do your online banking in public places, and definitely do not use public Wi-Fi – criminals can set up bogus public Wi-Fi hotspots to access devices and information.
- Never respond to unprompted banking messages unless you are absolutely certain the request is genuine, for example because you have spoken with your bank to confirm.
- Be very aware of domain names online and the security signs visible in a browser. Make sure you log on to a banking website at a web address you know, not via a link.
- Never provide any banking details to a third party you do not know or are unsure about – in part or as a whole.
- Avoid unnecessarily sharing details such as your name, address and date of birth.
Fraud losses rise
The latest FFA UK report reveals a 25% year-on-year increase in financial fraud losses for the first half of 2016 to £399.5m.
Cyber and ID fraud dominate the fraud landscape, and online scams and attacks continue to rise. E-commerce is growing, and is a tempting prospect for fraudsters looking to use identity and payment data such as credit and debit card information they have gained via the vast ‘carders’ markets’.
Fraudsters are sophisticated, and can easily gather information which can then be used to open accounts and make purchases online fraudulently. This situation is exacerbated by an increasing frequency of data breaches by hackers who can then sell this data on to other criminals.
In addition, a frightening number of consumers are also still being tricked into handing over personal data. This usually occurs when a criminal is able to convince an individual that they are emailing or calling from a legitimate organisation and they need to verify their personal details. Using this information, criminal fraud networks can create high-quality ID data to sell via the dark web.
The financial services industry has to work together, educating consumers and sharing information to help collectively tackle this criminal activity.
The focus must be twofold. It is vital that any organisation holding personal data continuously evolves the systems and processes in place to keep that information safe.
Equally, any business handling financial transactions has to take every possible step to ensure the customer they are dealing with is genuine.
It is clear that passwords alone are no longer enough: fraudsters are wise to our thinking when we create a password, making them all too easy to crack. This is why businesses need to invest in new technology like biometrics and device recognition, creating multiple layers of defence.
The criminals do not stand still, and businesses of all sizes need to work hard to stay ahead.
Stolen passwords and usernames
Around 500m Yahoo passwords and usernames have been stolen since 2014.
Passwords are continuing to topple like dominoes, and major breaches are increasing at an alarming rate. The Yahoo breach is a super-sized domino that is going to have huge effects on people for years to come.
This is a game changer in the online fraud world; aside from Gmail being cracked, there is no other single event that could happen that will cause more fraud and damage over the next five years.
The breach has been a major blow to Yahoo, with personal details of around 0.5bn users now up for sale on the dark web. This information will spread quickly and globally, with no chance of recovery. There will be a long-lasting impact for consumers and businesses as hackers attempt to use the breached data to access other online accounts.
We urge businesses to be on high alert for any customer contacting them from a Yahoo email address, as there is a high chance that their details have been compromised. One particular area to watch is requests to reset passwords; sending a ‘click here to reset password’ link to a Yahoo address is not advisable given the size of the breach.
Passwords are no longer effective as a standalone measure, and companies must act sooner rather than later to improve their online security.
The normal advice of complex passwords, numbers and numerals no longer works in a world where there are now billions of cracked passwords; companies should instead introduce a second layer of authentication processing, such as device recognition, to help build the necessary barriers to keep data safe.