The irony of it all: you end up losing more precisely when you thought you were taking precautions and getting the right protection. This is the irony of the Equifax hack.
But when we look closer, the Equifax hack is not just another major data breach that has taken the world by storm; it is the breach that moves us onto the whole different playing field that fraudsters and hackers have been pushing us toward. Historically, data breaches involved only one or two data fields, e.g. credit card numbers or account logins and passwords. The Equifax breach has compromised a whole range of information associated with one user, including names, credit card numbers, addresses, birth dates and even Social Security numbers. With more associated information per user account, hackers are now able to create more comprehensive and seemingly genuine identities for their fraud attacks on merchants, enterprises and government organizations.
Interesting statistic: A stolen credit card number alone is worth $1 on the black market. This value multiplies 5x with each additional piece of information associated with that credit card number. For example, a credit card with an associated email account is worth $5, and with an additional Social Security number, it is worth $25, and so on.
If you are expecting a large influx of fraud following the Equifax breach and are tightening the rules of your fraud system, think again. Not too long ago, the Yahoo breach was making waves as well. The fact that it could be kept under wraps for as long as two years signaled a few things, most importantly that fraudsters did not flood businesses with fraud attacks right after the breach. Instead, these fraudsters were smart enough to lie low and steadily make a few purchases at patient intervals. It is not hard to imagine how the aftereffects of the Equifax breach could last years, not months.
With this context in mind, what active steps can businesses and enterprises take to protect themselves?
(1) Reduce reliance on humans
Many solutions on the market still rely heavily on humans as part of the fraud management process. This becomes increasingly problematic when hackers use machines to launch their fraud attacks and humans are unable to keep up. Imagine: with the Equifax hack, hackers can create a complete profile of both you and me with all our personal information. How would humans be able to spot the difference between you and a fraudster?
(2) Real-time machine learning > Traditional machine learning
Traditional machine learning involves training the systems with historical data to predict future fraud. This is insufficient when fraudsters are launching completely new and unknown cyber attacks with no prior historical data. Whitelists can be compromised at any point in time, while blacklists become obsolete quickly because fraudsters have a long list of user information at their disposal; they will never risk getting caught using the same information twice.
With real-time machine learning, however, the system is always learning on the fly to identify any fraudster attempting to trick the system with manipulated data (multiple identities from the same hacker). Even in the face of unknown cyber attacks, the system will still be able to prevent fraud before it happens.
(3) Manage your fraud risk; don't eliminate it
If you think about it, accepting a transaction parallels investing in a stock; both give you a potential return that comes with potential fraud risk. With that in mind, just as in investing, risk is to be managed, not eliminated. 0% risk gives you 0% returns; just by increasing your risk very slightly (by 0.1%), you can increase your potential revenue return by 10%.
It is intuitive to put up more barriers and set up more rules in the aftermath of a breach for fear of fraud attacks, but this risk-averse attitude will only serve to limit your business potential and cut into your revenue growth.