On Sept. 7, Equifax revealed that it had suffered a security breach that could impact as many as 143 million consumers in the U.S., the UK and Canada. But consumers aren’t the only ones that could be affected by the breach, which occurred from mid-May through July 2017 — retailers also are facing a considerable risk.
Credit card fraud attempts increased 15% year-over-year during August 2017, a period that does not typically see such jumps in activity, according to data from Forter, an e-Commerce fraud prevention solution provider.
In an exclusive Q&A, Michael Reitblat, CEO of Forter, notes that false account creation and account takeovers are the biggest issues retailers will have to tackle in the wake of the breach.
Reitblat shared insights into how the breach will impact retailers, and what merchants should do to help mitigate the effects:
In the short term, retailers should review changes in buyer behavior that occurred during the weeks following the breach, to identify any uptick in fake account activity.
Longer-term, retailers should base consumer authentication on dynamic data rather than static data (such as a name, address or security-question answer that never changes and can be reused once it has leaked).
Finally, retailers need to maintain consumer trust and confidence in the wake of the breach, even though this one didn’t involve them directly. This latest incident is a reminder that “databases will be breached, and consumer information will be out there,” said Reitblat, so retailers need to operate with that unsettling fact in mind.
Retail TouchPoints (RTP): How are retailers being immediately affected by the Equifax breach?
Michael Reitblat: The first thing to know is that it’s still not very clear what specific data was actually stolen. We’re still trying to understand whether it’s all the information you could possibly think of in terms of data from a credit bureau — which is extremely bad — or if it’s just partial data. It’s clear that names, Social Security numbers and addresses were all stolen.
If you look at it from a retailer perspective, the first thing they should expect is a lot of false account creation and account takeovers. Credit card numbers were stolen, but that’s not the main issue here. The issue is that fraudsters have the full name, address, Social Security numbers, and access to a lot of security questions consumers might have had with the credit bureau to authenticate themselves. People usually use the same questions everywhere, so fraudsters can use them to gain access and reset passwords on retail accounts and transact using that.
We already see a substantial spike in account takeover activity happening in the data from retailers we are working with.
RTP: What exactly are cybercriminals doing when they take over an account?
Reitblat: Let’s say you open up an account with Macy’s. You’ll usually have a credit card stored there and be able to transact quicker without typing in all of your details. If I try to get access to your account — I don’t have your password through [the stolen data], but I do have a “change password” option. I’ll have to then type in a series of information and responses, which is usually birthday, address, email or security questions like “What’s your high school?” or “What’s your favorite football team?”
If these are the same answers you have used with your credit bureau, then I can guess those and get access to your Macy’s account, where I will be able to transact with whatever credit card you already have stored.
Macy’s would look at it and say, “Well, we already know that person. He transacts with the same accounts that he always does with the same credit card, so he must be fine,” although it’s not fine.
There’s an additional problem where a fraudster can open a new account providing all of your information. They can then use someone else’s stolen credit card with that account, or just leverage promotions and identity-based free trials that don’t require a credit card.
RTP: How have retailers handled the breach thus far, and how do you see them resolving these issues going forward?
Reitblat: The retailers didn’t do anything wrong and now they have to deal with the problem because someone else messed up. A second problem here is that it usually takes them a while to even figure out when something happens.
Part of the challenge is that all their credentials were stolen over a month ago, and we started seeing an increase in account takeover activity in our clients around four weeks back. We assume that other retailers that experienced a similar problem will find out they have a big issue a couple of weeks down the road, when all those chargebacks start coming back in.
I encourage all retailers to take a closer look at all the activity they’ve had in the last few weeks to make sure that there wasn’t a substantial change in behaviors and buying patterns — as I’d expect there was.
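The review Reitblat recommends here, and in the short-term advice at the top of the article, can be done directly on a retailer's own event log. The following is an added example, not Forter's or any retailer's code: it computes two weekly signals over a constructed log (new-account creations, and a password reset followed within 24 hours by an order shipped to an address other than the one on file, which is the takeover pattern described earlier in the interview) and flags weeks that deviate from a pre-breach baseline. The event schema, the anchor date, the thresholds and the sample data are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed: an arbitrary week-zero anchor. The whole event log below is constructed.
START = datetime(2017, 7, 3)
PROFILES = {f"acct{i}": f"{i} Main St" for i in range(1, 21)}  # shipping address on file


def _ts(week, day=0, hour=9):
    return START + timedelta(days=7 * week + day, hours=hour)


def build_sample_events():
    """Constructed log of (timestamp, event, account, detail).

    detail is the shipping address for orders and empty otherwise.
    Weeks 0-3 are a quiet baseline; weeks 6-7 carry a burst of sign-ups
    and of reset-then-reship orders, the two behaviours to look for.
    """
    events = []
    for w in range(4):
        events += [(_ts(w, 1), "account_created", f"new{w}a", ""),
                   (_ts(w, 2), "account_created", f"new{w}b", ""),
                   (_ts(w, 3), "password_reset", "acct1", ""),
                   (_ts(w, 3, 10), "order", "acct1", PROFILES["acct1"])]  # same address: benign
        events += [(_ts(w, 4), "order", f"acct{i}", PROFILES[f"acct{i}"]) for i in range(2, 6)]
    for w in (6, 7):
        events += [(_ts(w, i % 7), "account_created", f"fake{w}_{i}", "") for i in range(12)]
        for i in range(2, 10):
            events += [(_ts(w, i % 7), "password_reset", f"acct{i}", ""),
                       (_ts(w, i % 7, 12), "order", f"acct{i}", "99 Drop Ave")]  # reset, then ship elsewhere
    return events


def weekly_signals(events, profiles, reship_window=timedelta(hours=24)):
    """Per-week counts of new accounts and of reset-then-reship orders."""
    last_reset = {}
    signals = defaultdict(Counter)
    for ts, kind, acct, detail in sorted(events):
        week = (ts - START).days // 7
        if kind == "account_created":
            signals[week]["new_accounts"] += 1
        elif kind == "password_reset":
            last_reset[acct] = ts
        elif kind == "order":
            reset_at = last_reset.get(acct)
            if reset_at and ts - reset_at <= reship_window and detail != profiles.get(acct):
                signals[week]["reset_then_reship"] += 1
    return signals


def flag_weeks(signals, baseline_weeks, factor=3.0):
    """Flag post-baseline weeks whose count clearly exceeds the baseline.

    Threshold is the larger of factor x baseline mean, mean + 3 sd, and an
    absolute floor of 3, so a near-zero baseline does not flag single events.
    """
    flagged = []
    for name in ("new_accounts", "reset_then_reship"):
        base = [signals[w][name] for w in baseline_weeks]
        mu, sd = mean(base), pstdev(base)
        threshold = max(mu * factor, mu + 3 * sd, 3)
        for w in sorted(signals):
            if w in baseline_weeks:
                continue
            if signals[w][name] > threshold:
                flagged.append((w, name, signals[w][name], round(mu, 2)))
    return flagged


def run():
    """Run the review over the constructed log; returns the flagged (week, signal, count, baseline) tuples."""
    signals = weekly_signals(build_sample_events(), PROFILES)
    return flag_weeks(signals, range(4))


if __name__ == "__main__":
    for week, name, count, baseline in run():
        print(f"week {week}: {name}={count} (baseline mean {baseline})")
```

On the constructed log this flags weeks 6 and 7 for both signals. In a real deployment the baseline would be several months of the retailer's own history and the reset-then-reship join would run against the order system, but the shape of the check is the same.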
RTP: What lessons can retailers take from this breach, and how can they protect themselves from future breaches, whether they occur externally or internally?
Reitblat: We still don’t have the full details of how Equifax was breached. There are some suspicions, but it’s still too early to analyze and I’m pretty sure they’ll issue a full report of what happened.
These situations almost always start from a human error somewhere. For example, someone didn’t install a patch or security update on one of the providers that they’re using, or they didn’t enforce the same policies everywhere. From the hacker’s perspective, they just need one weak link somewhere, and then they get access.
If you remember the Target breach, it was just an un-updated third-party POS company. I would encourage retailers to ensure that all of their security policies are updated, and hold their vendors to the highest security standards possible.
At the same time, I think it’s another reminder to the whole industry that databases will be breached, and consumer information will be out there. The whole ecosystem needs to operate knowing that this will happen continuously, and everyone has to have a plan for what to do when it happens. Retailers should collaborate with vendors more in sharing what was breached, and people should have defense mechanisms to deal with breaches.
All the data that’s being breached, by definition, is static. It’s your name, which you most likely won’t change, or your SSN or address. You should base your authentication on behavior-based dynamic parameters instead, which are one-time-use codes that are basically meaningless to steal, because they change all the time anyway. If you’re looking at a wide range of different data elements to make that decision, versus just relying on user name, password and address, these elements can’t be reused by a hacker.
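The account-takeover flow described in the Macy’s example earlier in the interview and the static-versus-dynamic point made here are two sides of the same check. The following is an added example, not code from Forter, Retail TouchPoints or any retailer: a password-reset handler that trusts static knowledge-based answers, beside one that requires a one-time code. The account record, the question set and the "breach record" are constructed; the one-time code is implemented as HOTP/TOTP (RFC 4226/6238), which is an assumption about what a "one-time-use code" looks like, not something the interview specifies.

```python
import hashlib
import hmac
import struct

# --- constructed data (assumed, for illustration only) ----------------------
ACCOUNT = {
    "email": "jane@example.com",
    "kba": {"birthday": "1984-03-09", "zip": "30301", "high_school": "Central High"},
    "card_on_file": "Visa ending 4242",
    # shared only with the customer's authenticator app; never in a bureau file
    "otp_secret": b"12345678901234567890",
}

# what a bureau-style dump hands the attacker: the same static facts
BREACH_RECORD = {
    "name": "Jane Doe",
    "dob": "1984-03-09",
    "zip": "30301",
    "security_answers": {"high_school": "Central High"},
}


def reset_with_kba(account, answers):
    """Vulnerable: grants a reset whenever the static KBA answers match."""
    return all(hmac.compare_digest(str(answers.get(q, "")), str(a))
               for q, a in account["kba"].items())


def answers_from_breach(record):
    """Attacker maps bureau fields onto the retailer's reset questions."""
    return {"birthday": record["dob"], "zip": record["zip"],
            "high_school": record["security_answers"]["high_school"]}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


class OtpResetService:
    """Hardened: a reset needs a one-time code the bureau dump cannot contain.

    Each time step's code is accepted once, and repeated failures lock the
    flow so the six-digit space cannot simply be enumerated.
    """
    MAX_FAILURES = 5

    def __init__(self, account):
        self.account = account
        self.failures = 0
        self.used_steps = set()

    def reset_with_otp(self, code, now, step=30):
        if self.failures >= self.MAX_FAILURES:
            return False  # locked: out-of-band recovery only
        counter = int(now) // step
        # accept the current step plus one step of clock drift either side
        for c in (counter - 1, counter, counter + 1):
            if c in self.used_steps:
                continue  # a consumed code cannot be replayed
            if hmac.compare_digest(hotp(self.account["otp_secret"], c), str(code)):
                self.used_steps.add(c)
                self.failures = 0
                return True
        self.failures += 1
        return False


def demo(now=45):
    """Fixed clock (time step 1 of the RFC 4226 test secret) keeps the run deterministic."""
    results = {}
    # 1. KBA reset: the breach dump alone takes the account, and the stored card with it
    results["kba_takeover"] = reset_with_kba(ACCOUNT, answers_from_breach(BREACH_RECORD))
    # 2. OTP reset: nothing in the dump yields the code; guessing locks the flow
    svc = OtpResetService(ACCOUNT)
    results["otp_guesses"] = [svc.reset_with_otp(f"{g:06d}", now) for g in range(6)]
    # 3. the real customer's app computes the code; first use works, replay does not
    code = totp(ACCOUNT["otp_secret"], now)
    fresh = OtpResetService(ACCOUNT)
    results["otp_legit"] = fresh.reset_with_otp(code, now)
    results["otp_replay"] = fresh.reset_with_otp(code, now + 5)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the contrast is the one Reitblat makes: every field the KBA handler checks is exactly what a bureau holds, so the leak is a credential; the OTP secret is known only to the customer's device and the retailer, and each code is spent after a single use.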
RTP: How do retailers maintain consumer trust and confidence in the event of a data breach, even if it came from somewhere else?
Reitblat: I definitely don’t want retailers to overreact — which they do most of the time, unfortunately — and start suspecting everyone and declining too many orders. I think it will require all retailers to step up and use better services. The consumer didn’t do anything wrong, and the vast majority of them are good and not trying to do anything malicious.
Understand that you still want to give your consumers the best service, while improving your identification capabilities. It’s another wakeup call for retailers to start leveraging this technology better.