What Merchants Should Know About the Latest Mass Data Breach
On July 29, 2019, Capital One, a major issuing bank in the US market, announced that an outside individual had gained unauthorized access to its systems. The Capital One hack exposed personal data connected to more than 100 million credit card customers and applicants in the US and Canada.
This isn't the biggest security breach in history. The Equifax breach disclosed in September 2017, for instance, exposed the personal financial information of roughly 145 million Americans. That said, the news about Capital One is still a serious matter. As a merchant, you need to understand the ramifications of this latest incident, and what to do about it.
2019 Capital One Hack: The Details
The Capital One data breach didn't happen in a vacuum: the attack was carried out by a former Amazon Web Services engineer, and AWS was the cloud provider hosting the bank's affected infrastructure. Using her familiarity with that environment, attacker Paige Thompson managed to reach Capital One's data.
Thompson reportedly exploited a misconfigured web application firewall sitting in front of the bank's cloud-hosted systems. The misconfiguration let her obtain credentials that gave access to the storage buckets Capital One used to hold consumer data, and she copied a massive cache of that data out of them.
This personal information came from roughly 100 million US residents, plus an additional 6 million people in Canada. While the attacker didn’t get access to the same information for every victim, some of the data she managed to steal included:
- Full Name
- Street Address
- Zip/Postal Code
- Phone Number
- Email Address
- Date of Birth
- Self-Reported Income
- Credit Scores
- Account Balances
Even worse, the attack revealed the Social Security numbers of some 140,000 Americans, plus 80,000 linked bank account numbers and 1 million Canadian social insurance numbers.
While the suspect was located and apprehended almost immediately, there is no way to be certain that none of the compromised data was copied or shared before the arrest. This holds serious potential consequences, not only for the bank, but for the entire marketplace.
Post-Breach Fraud Attacks are Coming
So, what are the likely ramifications of the Capital One hack? First, we're almost certain to see a spike in fraud cases. This will come about through two primary tactics:
Account Takeover Fraud
Account takeover, or ATO, is a form of identity theft. It is now one of the dominant threats facing eCommerce; ATO losses tripled in a single year, reaching $5.1 billion in 2018.
This tactic involves a third party who uses stolen account details to log in to a consumer's accounts. Once inside, the fraudster can change account details, make purchases, or withdraw funds. The fraudster doesn't need a complete set of consumer data to carry out ATO. In fact, fraudsters often begin with partial data and either guess the rest or find other ways to obtain whatever additional information they need.
One of the main reasons for the surge in ATO attacks is that consumers reuse login credentials across sites. Thus, when an email address and password are exposed in one breach, every other account protected by that same password is effectively compromised as well, and attackers test stolen credential lists against other sites in bulk to find out which ones.
Synthetic Identity Fraud
Synthetic identity fraud is similar to account takeover fraud, in that it also leverages stolen information from actual cardholders. With this tactic, though, fraudsters use partial consumer data to forge a fictitious identity, rather than take over a real one.
For example, assume a group of fraudsters has access to a Social Security number and other partial information from multiple different users. By combining bits of data from different individuals, they can create a fake persona and take out lines of credit in the fabricated persona's name.
Synthetic fraud is shockingly common. By one widely cited estimate, roughly 10% of all children in 2017 had someone using their Social Security number to open lines of credit.
Customers Get Swindled…but Merchants Pay the Price.
Of course, incidents like the Capital One hack carry consequences beyond direct fraud. For instance, major security breaches like this create a culture of customer anxiety and apprehension regarding fraud. The extensive news coverage and accompanying consumer warnings implant the idea that fraud attacks are coming. As a result, customers are more suspicious of transactions on their credit statements. They’re more likely to go straight to their bank with any transaction that isn’t immediately familiar and request a chargeback.
But that creates a significant problem: since customers don’t really know what to look for in identifying probable fraud, they often end up filing disputes against legitimate transactions (a practice called friendly fraud). This reality is backed up by data: while nearly 71% of disputes filed in 2018 were categorized as fraud, more than three-fourths of those were misidentified.
The average merchant lost 5.4% of total revenue to chargebacks in 2018. We can chalk up a substantial chunk of that to cardholders misidentifying legitimate purchases as fraud.
What Should Merchants Do?
Of course, there’s not a lot merchants can do on an individualized level. Massive breaches like the Capital One hack—as well as other high-profile incidents—have an incalculable impact on consumer opinion and behavior.
Having said that, there are some steps you can take to reduce risk from each of the key threat sources. For instance, optimizing your billing descriptors reduces the chance that customers misidentify legitimate transactions as fraud. For synthetic fraud and account takeover, you should employ a multilayer strategy to mitigate criminal fraud. This includes dynamic fraud scoring based on a variety of indicators:
- Address Verification Service (AVS)
- Card Security Code verification
- 3-D Secure technology
- Proxy piercing
- Velocity checks
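To make the "multilayer" idea concrete, here is an added example, written for this edit and not taken from the article or from any vendor's product, that scores a constructed batch of transactions using two of the indicators above: card security code and AVS results, and velocity checks. The response codes, weights, thresholds and sample transactions are all illustrative assumptions, not any card network's actual values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    """One authorization attempt as seen by the merchant (constructed data)."""
    ts: datetime
    card_token: str   # a token or one-way hash of the PAN; never the PAN itself
    ip: str
    amount: float
    avs: str          # assumed AVS codes: Y full match, A address only, Z ZIP only, N no match
    cvv: str          # assumed CSC codes: M match, N no match, P not processed


# Assumed weights: how much each signal adds to a 0-100 risk score.
AVS_RISK = {"Y": 0, "A": 15, "Z": 15, "N": 40}
CVV_RISK = {"M": 0, "P": 20, "N": 45}
UNKNOWN_CODE_RISK = 30  # unrecognised response code: treat as suspicious, not as a match


class VelocityTracker:
    """Sliding-window attempt counters keyed by card token and by client IP.

    Transactions must be fed in chronological order (run() sorts them first).
    """

    def __init__(self, window=timedelta(minutes=10)):
        self.window = window
        self.by_card = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def _count(self, bucket, key, ts):
        q = bucket[key]
        while q and ts - q[0] > self.window:   # drop attempts older than the window
            q.popleft()
        q.append(ts)
        return len(q)

    def observe(self, txn):
        """Record txn; return (attempts on this card, attempts from this IP) in the window."""
        return (self._count(self.by_card, txn.card_token, txn.ts),
                self._count(self.by_ip, txn.ip, txn.ts))


def score(txn, card_hits, ip_hits):
    """Combine verification results with velocity into a 0-100 risk score."""
    risk = (AVS_RISK.get(txn.avs, UNKNOWN_CODE_RISK)
            + CVV_RISK.get(txn.cvv, UNKNOWN_CODE_RISK))
    # Assumed velocity thresholds: a 4th attempt on one card, or a 6th from one IP,
    # inside the window starts adding risk. Repeated CSC failures on one card are
    # the classic card-testing pattern that follows a data breach.
    if card_hits > 3:
        risk += 10 * (card_hits - 3)
    if ip_hits > 5:
        risk += 5 * (ip_hits - 5)
    return min(risk, 100)


def decide(risk):
    """Map a risk score to an action; 'review' is where a 3-D Secure step-up would go."""
    if risk >= 70:
        return "decline"
    if risk >= 35:
        return "review"
    return "approve"


def run(txns):
    """Score a batch of transactions; returns (card_token, risk, decision) per attempt."""
    tracker = VelocityTracker()
    results = []
    for t in sorted(txns, key=lambda x: x.ts):
        card_hits, ip_hits = tracker.observe(t)
        risk = score(t, card_hits, ip_hits)
        results.append((t.card_token, risk, decide(risk)))
    return results


# Constructed sample batch (not real data): one normal purchase, a card-testing burst
# against a single card with the wrong security code, and a purchase made with a
# correct card number and CSC but an unmatched billing address (partial stolen data).
BASE = datetime(2019, 8, 1, 12, 0, 0)
SAMPLE = [
    Txn(BASE, "card_a", "203.0.113.10", 59.99, "Y", "M"),
    *[Txn(BASE + timedelta(seconds=20 * k), "card_b", "198.51.100.7", 1.00, "Y", "N")
      for k in range(6)],
    Txn(BASE + timedelta(minutes=5), "card_c", "192.0.2.44", 480.00, "N", "M"),
]

if __name__ == "__main__":
    for card, risk, action in run(SAMPLE):
        print(f"{card}: risk={risk:3d} -> {action}")
```

Run on the sample, the single clean purchase is approved, the card-testing burst is flagged for review on the first failed security code and declined once the per-card velocity threshold is crossed, and the purchase with a correct card number and CSC but no address match lands in review, which is exactly the partial-data case the account takeover section describes. In a real deployment the velocity counters would live in a shared store rather than in one process, and the weights and thresholds would be tuned against your own approval and chargeback data.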
Each of these tools plays a critical role in determining the level of risk each transaction represents. Of course, no comprehensive fraud management strategy is complete without effective chargeback management. Speak with a member of our team today about developing a strategy for your business needs.