Account Takeovers

Data Breaches & Digital Identity Validation: Trends to Watch

April 13, 2018

As part of my role at Emailage, I interact with my counterparts from major fraud prevention providers who are busy developing cutting-edge capabilities to meet new fraud trends and beyond.

One commonality I’ve noticed is a focus on creating an effective, streamlined way to verify customer identity for digital orders. In this piece, I’m going to share a bit more about some trends and how we fit into this conversation.

As we all know, there’s lots of data available on the dark web just waiting to fall into the wrong hands. Much of it already has, making the task of verifying identity and confirming accuracy difficult.

The abundance of breached personal information introduces a tough reality. What happens when all data appears to match, yet the person using it to transact isn’t the true owner?

Two trends we’ve observed

In cases where stolen data (such as name, address, SSN or phone number) is used in a fraud attempt, we don’t generally see fraudsters taking the extra step of gaining access to the victim’s email address.

This is because it’s hard to gain control of an email account without notification of the victim. Fraudsters work at scale. It’s too time-consuming to gain a password through phishing or malware.

Instead, fraudsters will create a new email address and try to pass it off with the stolen data. More on this in a bit.

In an account takeover scenario involving a compromised email address, the trend differs. Here, fraudsters will attempt to leverage existing accounts associated with that account. It should be noted that automation plays a big role in this process. Once fraudsters are in, they will run programs that will identify accounts linked to that email address.

From there, exploiting and monetizing these accounts is as simple as a password reset. This represents a much faster path to cash than opening new accounts.

On our side, we’re also starting to see a rapid specialization in targeting these types of fraud. In fact, I recently spoke to a company that is rolling out a very specific set of solutions which target synthetic ID fraud.

It’s a space to watch very closely, as we all know how quick fraudsters are to adapt and the data breaches just keep coming.

How we fight back

We use the email address as the core data element for our predictive fraud risk scoring. Then we connect other data elements such as name, address, phone, IP and device. We are able to cross-validate the email history and patterns of millions of emails, creating a clear picture of how a real email behaves.

Taken together, this process gives a holistic view of whether the person behind that transaction is who they claim to be. As this data evolves, emails that lack salient pieces of information (or whose identity doesn’t add up) are easy to identify.

This greatly enhances the hit rates in cases such as card-not-present fraud, chargebacks and synthetic ID fraud in a scalable manner.

However, at Emailage people are our greatest asset. Every day, our decision scientists engage in customer calls. We don’t keep them locked in a side office. You can find them seeking frontline feedback, advising around modeling or suggesting rules. Together with our fraud specialists, they refine our predictive risk scoring to be the best it can be.

This layered approach allows us to build individual models that fight back at the growing threat today’s fraudsters pose.

In closing

The email address will always remain at the core of how we fight back against online fraud. But several other elements, such as enhanced machine learning and behavior analytics, are already providing very robust digital identity validation for our customers. As a result, we’ve been asked to play a much bigger role in a wider variety of use cases.

Two years ago, we were a key part of the conversation around online fraud prevention. Now, we are being discussed in terms of digital identity validation, brand protection, content abuse and much more.

We’ve worked very hard to provide a solution which reduces the risk of fraud while allowing for business expansion, so this is a very exciting time for us.

Yet, there’s no silver bullet for fraud prevention. These trends need a more sophisticated approach to predicting and assessing risk. We must all be vigilant and work together. I look forward to doing just that alongside my fellow fraud prevention professionals.


I invite you to follow me on LinkedIn

Follow Emailage on LinkedIn and Twitter (@emailage)

Click here to discover how to get secure, intelligent risk assessment using an email address. 

close-link
close-link
close-link