What happens to data after a breach?

“The rise across all fraud loss types during 2015 owes much to the growth of impersonation and deception scams, as well as sophisticated online attacks such as malware and data breaches.” – Financial Fraud Action UK 2016.

The last few years have been particularly eventful, and 2015 will be remembered for many momentous milestones. For those of us involved in security and fighting fraud online, we will remember it as a big year for major data breaches.

A report carried out by PwC examining UK data breaches showed not only that there had been a rise in 2015 but that the scale and cost of these breaches had doubled. The report concluded that data breaches, for large businesses, are “a near certainty.”

In the short term, these attacks mean less consumer confidence and less business for the businesses that were breached.

There is also the legal requirement to notify the Information Commissioner’s Office and the possibility of being in breach of the Privacy and Electronic Communications Regulations (PECR), leading to fines and other possible sanctions.

There is also the question of liability. If data is lost, firms could find themselves in breach of the Data Protection Act (1998) and be subject to prosecution. Indeed, there is a growing market for data breach insurance as companies seek to shield themselves from the liability inherent in security failures leading to breaches.

What Kount are concerned with, though, isn’t so much the breaches themselves but what happens afterwards. What is happening to this data once it falls into the hands of criminals? What are they using it for and how can merchants and others protect against it?

Breaches mean fraud increases

The simple fact is that this information is used to carry out fraud. For the cunning criminal, even the smallest amount of personal information can be enough to fraudulently apply for financial products. When payment details are compromised, it is enough for criminals to start making purchases using illegally obtained card details and emptying out bank accounts.

Financial Fraud Action UK (FFA UK) is the UK’s financial industry anti-fraud group and works alongside a dedicated police force to monitor and combat financial fraud in the UK. In March this year, it published its 2015 year-end report, announcing, as said at the top of the article, that “financial fraud losses across payment cards, remote banking and cheques totalled £755.0 million in 2015, an increase of 26 per cent compared to 2014.”

When looking for key drivers behind this huge increase, the experts at FFA UK are in no doubt: “The rise across all fraud loss types during 2015 owes much to the growth of impersonation and deception scams, as well as sophisticated online attacks such as malware and data breaches.”

The message is crystal clear: data breaches in the UK are a significant cause of the increase in financial fraud in 2015.

It might seem obvious, but this is the first time that these two trends have been linked and causality demonstrated. The continued rise of card-not-present (CNP) fraud in the UK is being driven by, among other things, the data illegally obtained via data breaches.

Bracing against breach-related fraud

Fraud costs merchants money in a number of different ways. Lost goods and lost revenue through chargebacks both hit merchants in the pocket. There is also the possibility that merchants will become too risk averse and tighten up their rules to the extent that legitimate transactions are declined because merchants do not have the protocols, expertise, and systems in place to differentiate between fake and genuine consumers.

Fraud is a real and present threat but our research has shown that merchants are still not receiving the critical intelligence they need to fight it.

In April of this year, we published our annual Kount Mobile Payments and Fraud Report, and discovered that despite these breaches and rising fraud, merchants were still not facing up to the threat of mobile fraud.

Looking at the responses to three critical areas, we saw that, although merchants seemed to be slightly more aware of the amount of fraud taking place, in some cases they seemed to be becoming less fraud aware than they had been previously.

  • Merchants aware of share of total fraud coming from mobile channel: 40 per cent (2015), 43 per cent (2016), change +7.5 per cent
  • Merchants who consider it very important to detect mobile transactions: 46 per cent (2015), 42 per cent (2016), change -8.5 per cent
  • Merchants who believe that existing e-commerce fraud prevention tools are suitable for m-commerce: 28.5 per cent (2015), 36 per cent (2016), change +25 per cent

Transactions taking place on mobile devices are the most vulnerable to intrusion and only around four in ten merchants believe it is important to detect mobile transactions. Detecting a mobile transaction is critical. This vital piece of intelligence should be a central part of evaluating the risk factors of any transaction. Without this knowledge, merchants are not making a fully informed decision about the level of risk presented by the transaction.

Equally, the tools that can track e-commerce fraud are not always up to the task of tracking m-commerce fraud. Different platforms require different security systems.

Thinking beyond the breach is critical for merchants. There is a demonstrable correlation between data breaches and fraud; figures from the US and UK bear this out. In the last year, there were 442,000 thefts of mobile devices in the UK. A significant proportion of these would have had payment and financial information stored on them. Multiply this by the increasing number of data breaches, and merchants have to start getting mobile-security savvy.

This rise in breaches and the correlating rise in fraud should be serving as a warning to merchants. And, yet, our intelligence suggests that this is currently not the case.

Data breaches happen because that data is valuable to criminals. And it is valuable to criminals because they can use it to carry out fraud against merchants, financial institutions and others.

If these targets of fraud are able to strengthen their security and be more ready for the threat of fraud, then less fraud will take place. And if less fraud takes place then there is a possibility, however slight, that the reward of fraud will not be worth the risk of detection and so data breaches might seem less attractive.

Don Bush, Vice President of Marketing at Kount