February 1, 2019 by Jason Contant
Financial institutions looking to verify online users should use “security layers” to help devalue attacks that extract data from legitimate consumers, a Vancouver-based security company recommends.
For insurers and banks, security layers with behavioural analytics and passive biometrics can allow them to look across multiple aspects of the user’s interaction. Brokers can advise clients on how lucrative credit card data can be for cyber criminals.
Passive biometrics allows for the creation of an inimitable profile of each customer by looking at typing speed, device angle and hundreds of other behavioural patterns. By using security layers with behavioural analytics and passive biometrics, “businesses can look across multiple aspects of the user’s interaction, instead of relying solely on the username, password and other static data which could have been stolen,” Ryan Wilk, vice president of customer success at NuData Security, told Canadian Underwriter Wednesday.
Wilk commented following a data breach discovered last month by the City of Saint John in New Brunswick. Credit card information from about 6,000 people was sold on the dark web after the city found its parking system had been hacked with malware that collected credit card information from the previous 18 months from those paying parking tickets.
“Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud,” Wilk said. “The loss of credit card data is a worry for everyone.”
Cyber criminals can use the card number and CVC (the three-digit number at the back of the card) to accurately mimic a legitimate customer in order to make fraudulent purchases, or facilitate further cyber crime, Wilk reported. Behavioural analytics and passive biometrics “devalue phishing attacks and other techniques to extract data from legitimate consumers, as this is not enough to access a victim’s account or make illegitimate purchases. Additionally, it creates a dynamic and intelligent authentication solution that is seamless, frictionless, and unobtrusive to end users.”
Wilk added that there has been a change in the value of stolen data as more and more institutions are implementing user authentication solutions that render stolen data valueless.
In the case of the City of Saint John, the city learned of a breach of the third-party software used to process online parking ticket payments (Click2Gov). The first instance of malicious activity was traced to May 2017, leading the city to believe that the breach impacted anyone who paid a city-issued parking ticket online from early 2017 to Dec. 16, 2018.