October 17, 2018
Data Breaches For Days
Data breaches are the new normal. Kevin King, Director of Product Marketing at ID Analytics, speaks to how and why we should be planning for an increased volume of ever-more sophisticated attacks, and provides insight into the minds of malicious outside attackers.
Eric: Welcome back to the Finance Frontier. I’m your host, Eric Hathaway. I’m joined today by Kevin King, who has a decade of experience in credit risk and fraud analytics. Kevin currently works with ID Analytics, which is a fraud detection and prevention solution provider.
Eric: Kevin is a driving force behind ID Analytics’ thought leadership program and has authored several thought leadership white papers on fraud, credit, and identity risk. So, welcome Kevin, and thanks for joining us today.
Kevin: The pleasure is mine. Thanks for having me on.


Absolutely. So, just before we drop into some of the topics we’re going to talk about today, just a little about you. I understand you’ve got quite the collection of craft beers.


Yeah. You know, I’m better at buying it than I am drinking it or making it. So, I’ve got a refrigerated room in my basement. Kind of a wine cellar-like deal. We’ve all got hobbies. I tell my wife they’re basically adult baseball cards. Right? I collect them, I look at them, occasionally drink them, but …
Eric: There you go. So, craft beers obviously not only a US phenomenon, but over the last probably six or seven years, it’s actually gone international. Do you have … What’s the furthest country away that your beers come from?


That’s a good question. A lot come from Belgium, right? Those are going to be older. I’m going to say Denmark and some of those areas. Kind of the Nordic countries are making really good stouts. You can imagine. Lots of cold temperatures there, so they like hardy beers, and a good stout aged in a bourbon barrel is just about right for me. So, I would say that.


There you go. Fraud has really changed over the last five years and even in the last two years, I think we’ve seen some incredible developments in breaches in what’s happened in fraud and how organizations are having to address fraud. So, why don’t you give us a little bit of an idea of how you got into the field of fraud analytics or analytics in general and specifically in fraud?


I’m a fraud analytics lifer, which may mean a little less when you know that I’m in my early 30s. Well and truly, got hired as an intern to be a fraud investigator at ID Analytics. So, very early 20s. I’ll protect the names of the innocent and the specific parties involved, but essentially a large government agency lost a lot of data on US individuals.


They didn’t know who had that data. Maybe fraudsters had it, maybe they didn’t. They wanted some people to start looking for unusual activity with the individuals and the files that were lost. Right?



So, we all of a sudden start seeing four or five different individuals who shouldn’t know each other, other than both being involved in this breach, start applying for credit cards at the same address in a city that none of them might ever have lived in before. You start looking for those kinds of patterns. So, I got hired as an intern to get hands-on into the data and look for signs that fraudsters were leveraging these breached identities in this breached data to try and access credit and services. That was the start and I think as a lot of people in the fraud world or the fraud defense world find, it’s an easy thing to get passionate about.


You look at some of the major breaches that have happened, I think in the last year, 7,000,000 records a day, that’s 82 records a second, if you time that out with total records breached in 2017, close to 2.5 billion.1
Eric: We’re seeing, obviously, there’s huge numbers as far as how that’s affected consumers, how it has affected organizations, but more scary to me, when you look forward is that so many of those records haven’t even been used yet.


So, can you give us an idea of being in the industry and really locked in and looking at that data, looking forward, is there a real concern as to all of those records that have been breached and being used in the future?


I think there’s major concern here, right? When we talk about the attack chain that happens with fraud. That’s the term we use to kind of talk about the sequence of events that occur from the moment that data is compromised and then throughout that compromised data’s life. How was it sold? How was it used to attack?
Kevin: We’ve seen a pattern over the last few years where fraudsters have really exercised an immense amount of patience, right? Not only always something that we associate with criminals and you guys talked about this on an earlier podcast that it is not unusual for us to see a fraudster sit on data for two, three, four years.


We’ve seen that ramp up in the wake of some of these data breaches where the playbook for a breached company has been to offer those who were compromised some kind of free identity theft protection service. Very often, that free service has an expiration date. You get it free for a year, for 18 months.
Kevin: So, there’s a feeling that both, because of these protection services and because of human nature, there’s a period of high vigilance on the consumer when they are compromised. Right?


Then, we start to get two years out. We start to get three years out. All of a sudden, those free services go away. Consumers feel like the worst is over with, and that is when oftentimes the value is at its peak.


So, one of the other things that I wanted to touch on, obviously, we’re really looking at the financial services industry. One of the interesting stats that we found is that cybersecurity attacks happen almost 300 times more frequently in financial services than other businesses.2 Is that something that you’re noticing as well and is that going to continue, that trend moving forward?
Kevin: In my mind, you have to separate where the data is being breached from. Very interesting question that we want to think about. Who is getting attacked to try and get your social? To try and get your password? Then, where is that data being leveraged to attack an organization?


I think on that first half, financial services are a natural place for a hacker to go after because those accounts tend to be really rich sources of information about somebody.


Then, when I think about where is that data used to attack a company, they are the most natural fit simply because the dollar amounts to be gained are so much larger than what we may see in other areas. Financial services tend to lead the pack and you tend to think about things like loans and credit cards that can be quickly monetized.
Kevin: Mortgages, less so. Auto loans, you have to be very sophisticated and know how to monetize that. It’ll differ by product, but they’re unquestionably the primary focal point of this behavior.
Eric: Why do you think that they are attacking those firms and maybe the answer is financial services because that’s where they can get? But, do you see other reasons behind those being the major attacks?


I think it varies, right? Fraudsters are looking for a point of weakness. I’ll toss out Domino’s Pizza as an example, right? We don’t think about Domino’s Pizza being a place where they need to have great info security. Well, if you use the same password at Domino’s that you use for your bank account, right? Stealing a Domino’s Pizza password all of a sudden has a whole lot of value.


So, financial services can be a target of these attacks because of the rich amount of data they have, but sometimes you go path of least resistance and it’s companies you don’t really think being a good source of information that have the weakest defenses.


What I think is really valid is this idea of is fraud ever going to come down? I’d argue that the answer is it will always be a major issue in one form or another. I think we will at various times find good technology answers that push fraudsters mostly out of an area.


I’ll point to chip technology on our credit cards. Right? We saw this first in Australia and the UK and we knew that when we got chip, we call it chip and signature here. In Europe, you’ll chip and pin, where they actually have to enter a pin code. It doesn’t make it impossible to commit card present fraud, but it makes it difficult enough that it pushes fraudsters out of that market.
Kevin: But, as I often say, they’re not going on monster.com and applying for a new gig. Right? They’re going to find another way to commit financial crime. What we saw in the UK and Australia is that they moved to identity fraud either at the point of account opening or during account life, so what we could call account takeover.


That seems to be what’s happening here in the US in the year since we’ve migrated to that chip and signature technology with our credit cards.


Just to change course a little bit, we’ve been talking about these mass breaches, which have been top-of-mind for folks lately because they keep happening and like you said, will probably continue to happen. One thing you mentioned to me the other day when we were chatting, is that you actually find individual targeted attacks to be more concerning.
Eric: You had some fascinating points about just how masterful some of these attacks are and the level of social engineering that goes into many of them. Can you talk a little bit more about that?


Yeah. I think it’s … Why do I talk about some of those digital attacks, the really targeted things like a spear phishing being more concerning both to consumers and to enterprises, right? Look, we’re speaking about financial services, but we’re all consumers ourselves, right?
Kevin: I think we understand the notion that if you’re one of 143,000,000 that are compromised, then your likelihood of being singled out as a victim is lower, right? I’m not saying it’s that low. I’m not saying we shouldn’t be worried about it, but it’s lower.


If you’re a victim of a spear phishing attack, right? When you are conned into giving your password or your information, you are almost a one-to-one match that a fraudster is going to then take that information and either use it themselves or they’re going to sell it on the black market to somebody who specializes in leveraging the kind of data that you gave them.


All right, now, if you gave up your password to your bank, then that data’s going to be sold to somebody who specializes in monetizing fraudulent access to bank accounts. Right? We find that there’s a lot of specialization in this field.
Kevin: But look, maybe the information you gave up is [SEMS 00:12:05]. A lot less sensitive. A lot less threatening. We even talk about with organizations, the danger of putting out-of-office notices that has any detail about how long you’re gone, where you’re at, because that information can be used through social engineering to get access to any number of things, right?


Having some knowledge that looks like you know somebody personally is a huge, huge weapon these days. I’m thinking about it from the info sec side of things, right? Getting access into buildings and into data centers because you appear to have some knowledge of the right person or can impersonate them, and then, also, when it comes to getting access to somebody’s accounts.


All of that information can be used and when somebody got that information directly from you, not at a file with millions of people, the likelihood of you being targeted and of that technique working, because they specifically asked for the information they needed to commit the crime is much, much higher. So, I’m worried about breaches, but I spend a lot of time thinking about those more targeted attacks.


Yeah, dive in a little deeper for me one of the things you mentioned is that specialization side of things. I mean, we’ve seen this in financial services as banks have provided everything, but what we’re seeing is far more targeted FinTechs coming out and really targeting a piece of the industry and becoming extremely successful to where the banks are buying those specialized companies.


No differently, I’m assuming, in the fraud landscape, when you’re talking about specialization, these fraudsters are becoming more efficient, more competitive, probably using better tools, and better at actually using that information. Can you talk a little bit deeper into the kinds of specializations that are occurring to give listeners a little idea of how developed this industry has become?


Certainly. We spent time, I’m going to now say 18 months ago, where we took a set of known stolen identities, so consumer victim identities, ID Analytics is a part of Symantec, another company within Symantec, is LifeLock. A lot of people know as an identity theft protection company. So, we had pretty good insight into consumers who have been a victim of this crime.
Kevin: So, we took their identities and looked in our data network. Our data network has, let’s call it 3,000,000,000 give-or-take applications for credit and services going back in the US, we’ll say, 15 years. So, we’re able to track how these victim identities were used to go seek credit and services.


The question we wanted to understand in this study was, if a fraudster gets Kevin King’s information, do we immediately see them take my identity and apply for a new cell phone, a new online loan, apply for five credit cards, or do we see concentrated activity within one industry? In fact, the latter is what we saw.


That when Kevin’s identity was compromised, they took that information and they went to five, six different credit card companies in a week. They attempted to commit the crime. Then, they sold that data on the dark web to somebody who specialized in something different. All of a sudden, we would see pockets of information in telecommunications, for example.


So, from an organizational perspective, one of the things that I’ve always spoken about is to combat fraud, you really have to layer different pieces and different solutions in the sort of customer journey. How do you think about or propose to institutions to be able to combat fraud as it has become so specialized?
Eric: They do know all the loopholes. They’re going to attack at multiple places during that customer journey, the account opening, management, on-and-on-and-on. Do you have sort of a proposed concept around what you think is the best approach for organizations going forward?


The problem’s always changing, right? I think it’s always important when we talk about best practices to speak in the here-and-now, to try and look forward a little bit, but understand that if any of us are about to cement in a set of tools and practices for the next five or 10 years, then we’re making a big mistake, because fraudsters will change on a dime.


So, maybe let’s say, one of the first fundamental things you need is an infrastructure, a platform, whatever you want to call it, that allows you to add and remove tools, allows you to change the logic with those tools. If you can’t stay flexible to bring on new technologies and change how you use those technologies, you’re in a bad spot.


That’s probably going to be a truth that stands the test of time. When it comes to this notion of how many technologies do you use, I love the spirit of the comment, “Hey, let’s use them all.” A question I have for you, Eric, is what kind of title, what was this individual who answered that question, what did he do in the bank?
Eric: He was the actual head of the fraud division, interestingly enough.
Kevin: Ahhh. I thought he might be, and hey look, my company sells fraud solutions. I love the guy that says, “Let’s get it all.” Right? There’s a reality that we need to remember, which is as we put up walls to keep bad guys out, we make it tougher for us to do business with good guys as well.


The challenge you start to get to as you layer on five or six different technologies, and I assume we’re talking about let’s use one out of every category. Let’s make sure we look at the identity risk of that name, social, date of birth.
Kevin: Let’s look at the user name and password they set up. Let’s look at their device. Let’s look at maybe different authentication or identity proofing measures like documents, for example. It’s all good, but everything adds friction.


I’ve been talking a lot about this new term that’s being used, micro moment. As a lifestyle as we have become very digital as a society, the instant gratification. You know, Amazon really sparked that off, where you can go click a button and have it at your door. Heck now, it’s within an hour. It was two days and we were plenty happy with that, now it’s an hour.


I think the last best experience you’ve had is sort of the expectation for the next one you’re going to have. That has started to roll over into other industries, banking, financial services, in general, etc.
Eric: I think you bring up a great point in the friction in that customer journey. So, we’re so used to that immediate reaction. I want to contact my bank. I want to take care of my accounts and I want it to be over, but all of a sudden, I’m locked out of my account. Now, I’m frustrated or I have to go through three different steps to log in again. Now, I’m frustrated again.


It’s such a balance between providing that sort of micro moment concept to the customer, but then addressing that. Obviously, the ROI side of things and whether adding those providers, that’s always something that a firm’s going to have to look at, but can you discuss with me a little bit your thoughts around providing that micro moment, keeping that customer friction as low as possible. What are some of the newest ways that institutions are going about that?


You know, I think the key is to break at a very high level, break your strategy down into two pieces. We’ll be talking about … Let’s talk about account opening. The same philosophy would hold true at log in. Some of our clients call that moment, front door.


Let’s stay focused on account opening. At a very high level, I cut the world into two phases of our strategy. Phase one is look at everything and pinpoint a very small subset of applications that may be fraud. All right?
Kevin: They are high risk. They are suspicious for a range of reasons, right? Also, you’d like to know what that reason was, right? If you have five different tools plugged in, you want to make sure you’re thinking about why this application fell under suspicion and then you enter that second phase.


And, that second phase is going to be actively go and identity proof, authenticate, remediate, whatever term you want to use. Go through some kind of process that allows you to get to an answer of, do I trust this identity and am I willing to let them open up an account when you find something suspicious. That’s why you need that second phase.


Most of the companies I work with say, “Look, once you’ve fallen into that bucket of concern, I’m willing to apply some friction.” The goal is to keep that bucket as full of bad guys as possible, right, and as many good people out of it as possible.
Kevin: So, at ID Analytics, we’re focused more on that passive set though as we work with Symantec, we’re thinking more about authentication as well, so we’re starting to see both sides of the tool. That, right now, feels like the best way to go.


When you look at biometrics or even behavioral biometrics now, right? How you interact with your device, for instance. You know, at the end of the day, this is still data that’s stored somewhere. If data’s being hacked and stolen, can that data, those biometrics, whether it be a fingerprint or an eye scanner, or even the behavioral side of things. Can those be stolen?


Certain technologies may come around that for a period of time may not make it impossible to commit a crime, but may make it tough enough to push fraudsters towards another type of financial crime. In the big picture, things come around.
Kevin: There will be card present fraud again. So long as people are using credit cards, that’s going to continue to be something that appeals to criminals and at a certain point in time, the chip and signature, the EMV as we call it in the industry sometimes, that’s going to be less of a deterrent.


I think it’s the same thing for some of the issues you brought up around biometrics and user behavioral biometrics. I would say the concern around that data being breached isn’t my number one concern with those technologies right now.


I think they’re still working to improve both on their efficacy and on the consumer experience, but the key problem with what you just said, is if we get to a point where if your stored data on your thumbprint or your eye scan, things like that, are compromised, you’re not changing that. You’re not getting a new thumb or a new eyeball anytime soon.


You got my password, I’ll go change my password. I can change a lot of that information and look, password is not a perfect authenticator, right? I think it’s a good step sometimes, but the real problem with the reliance on that information that can’t be changed if it starts to get breached, is that there’s no way to change that credential, if that’s what we want to think of it as.
Eric: Well, thank you for joining us today. I will make one suggestion to you from a craft beer perspective, take a look at Japan.
Kevin: I appreciate the tip.
Eric: Kevin, thanks so much for joining us today.
Kevin: Fantastic. I appreciate you guys having me on.


If you enjoyed this interview, don’t miss our other episodes. Subscribe to the Finance Frontier, wherever you listen to podcasts, or listen online at the financefrontier.com.

Love the show? Want to be featured as a guest? We’d love to hear your questions and comments and welcome guest recommendations. Our producer Sara Tatnall can be reached at sara.tatnall [at] zootweb.com.
