A data breach sounds like bad news for everyone, but there’s a silver lining when it comes to identity verification.
Recent years have set record after record for the number of records exposed in data breaches. In 2020 alone, the volume jumped by 141%, with 37 billion records lost.
Now, of course, this is bad news for the companies affected. Perhaps even more so for their users. It puts their accounts at risk and forces them to take preventive actions.
But we can also use that information judiciously to protect them. In fact, a data breach can actually inform processes like credit scoring with the right fraud prevention tool. Let’s see how it works in practice.
Have You Been Pwned?
A growing number of companies now let you check whether your personal information has been compromised directly within their product. Mozilla's Firefox Monitor, which is built on Have I Been Pwned data, is a well-known example.
But the go-to place for data leaks is undoubtedly haveibeenpwned.com, the number one website to find compromised information.
At a glance, it will let you see if your email has appeared in any data breaches, which ones, and will give you background information on the leak.
There is also a step-by-step guide on how to improve your own security (usually including paid sponsorships by password managers).
It is nevertheless interesting to see how people react once they have indeed been pwned.
What Happens After a Data Breach
A major reason data breaches happen in the first place is that criminals can resell the stolen information on the dark web. So that's usually the first thing that happens.
You’ll come across huge data dumps, as they’re called, which are sold in bulk on shady internet forums.
These account login details are then used for account takeover (ATO) attacks, or for credential stuffing, where fraudsters automatically try the same email and password combination on numerous other services.
As a side note, this is why using slightly customised passwords for different services can backfire. If your Gmail password is passw0rd4Gmail, it’s easy enough to infer what it will be for LinkedIn.
If fraudsters do succeed in getting in, they will mine the accounts for personal details or, ideally, anything with monetary value (crypto, fiat balances, and even loyalty or bonus points).
Now if we switch over to the side of the company that lost the data, it will probably have to inform its users. This is especially true for European companies, since the GDPR requires them to notify the supervisory authority within 72 hours of becoming aware of a breach, and to inform the affected users when the breach is likely to put them at high risk.
Once the user is made aware of the leak, they tend to change their passwords – but not the email address. This is where it becomes interesting from a fraud management perspective.
Email Checks at the Signup Stage
When users sign up for your service, chances are they must provide an email address. We’ve previously covered the merits of email analysis in another post, but in the context of data breaches, here’s the key takeaway:
- An email address that appears in a data breach is likely to belong to a legitimate user. It means the address is mature, and the date of the oldest breach it appears in gives you a lower bound on its age.
- An email address that doesn't appear in any data breach should be considered riskier. It may be freshly created, or even a throwaway.
This is a tremendous advantage in modern credit scoring, where you need to calculate how risky a user is based on as little data as possible. One caveat: breach presence is a signal, not proof. Fraudsters' own addresses end up in dumps too, and aged addresses can be bought, so the breach check should be weighed alongside your other data points rather than used on its own.
Email Checks at the Login Stage
Things get even more interesting at the login stage. One way to ensure only legitimate users get into their accounts would be to keep an eye out for the latest data breach news, and manually check if their login details have been leaked.
But there’s a smarter way to automate checks: using a combination of email analysis and device fingerprinting.
Put simply, here are examples of rules you could set up:
- If the email has recently appeared in a data breach and the user seems to connect from a new device, you should increase the risk score. This combination very likely points to an account takeover.
- If the email has recently appeared in a data breach and the user is connecting from a trusted device, you could suggest a password change. It's never a bad idea to educate users about the value of their accounts to prevent later damage.
You could even go into more sophisticated setups using velocity rules. If a user's email appears in a data breach, and then a login and a password reset request for that account happen within a short timeframe: is this a legitimate user worried about their account, or an opportunistic fraudster?
The difference between the two cases is the device. Only a device fingerprinting solution that was already in place before the breach, and therefore knows which devices the account owner normally uses, can complete the picture, reducing your customer insult rate (legitimate customers wrongly declined) while keeping security high.
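As an added example (this is not SEON's code or code from the original post), here is how the signup signal from the previous section and the login and velocity rules above could be encoded as plain scoring rules. The breach index, device history, score weights and time windows are all constructed and hypothetical; in production the breach lookup and the device fingerprint would come from your fraud prevention vendor's API rather than from in-memory dictionaries.

```python
"""Rule-based, breach-aware risk scoring for signup and login (added example).

Breach records, device lists, weights and thresholds below are constructed for
illustration only; they are not real breach data or any vendor's actual rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical tuning knobs: how fresh a breach must be to count as "recent", and
# how close a password reset must be to a login to trip the velocity rule.
RECENT_BREACH_WINDOW = timedelta(days=90)
RESET_VELOCITY_WINDOW = timedelta(hours=1)


@dataclass
class Event:
    email: str
    device_id: str
    at: datetime
    kind: str = "login"  # "login" or "password_reset"


@dataclass
class Assessment:
    score: int
    decision: str
    reasons: list = field(default_factory=list)


def breach_dates(email, breach_index):
    """Dates on which the address appeared in a known breach (case-insensitive)."""
    return breach_index.get(email.strip().lower(), [])


def signup_signal(email, breach_index, now):
    """Signup stage: breach history implies a mature address; a clean one is riskier."""
    dates = breach_dates(email, breach_index)
    if not dates:
        return 20, "absent from all known breaches: may be freshly created or throwaway"
    age_days = (now - min(dates)).days
    return 0, f"first seen in a breach {age_days} days ago: address is at least that old"


def assess_login(event, breach_index, trusted_devices, prior_events):
    """Login stage: combine breach recency, device trust and password-reset velocity."""
    score, reasons = 0, []
    recently_breached = any(
        timedelta(0) <= event.at - d <= RECENT_BREACH_WINDOW
        for d in breach_dates(event.email, breach_index)
    )
    device_trusted = event.device_id in trusted_devices.get(event.email.lower(), set())

    if recently_breached and not device_trusted:
        score += 60
        reasons.append("recently breached email on an unknown device: possible account takeover")
    elif recently_breached:
        score += 10
        reasons.append("recently breached email on a trusted device: suggest a password change")

    # Velocity rule: a password reset for this account shortly before the login.
    recent_resets = [
        e for e in prior_events
        if e.kind == "password_reset"
        and e.email.lower() == event.email.lower()
        and timedelta(0) <= event.at - e.at <= RESET_VELOCITY_WINDOW
    ]
    if recently_breached and recent_resets:
        if device_trusted:
            reasons.append("reset then login from a trusted device: likely the worried owner")
        else:
            score += 30
            reasons.append("reset then login from an unknown device: opportunistic takeover")

    decision = "step_up" if score >= 70 else "review" if score >= 30 else "allow"
    return Assessment(score, decision, reasons)


NOW = datetime(2021, 3, 1, 12, 0)

# Constructed breach index: email -> dates the address appeared in breach dumps.
BREACH_INDEX = {
    "alice@example.com": [datetime(2018, 6, 1), datetime(2021, 2, 10)],  # one recent hit
    "bob@example.com": [datetime(2016, 9, 20)],                          # old breach only
}
# Constructed device-fingerprint history: email -> device ids seen before the breach.
TRUSTED_DEVICES = {
    "alice@example.com": {"fp-alice-laptop"},
    "bob@example.com": {"fp-bob-phone"},
}
# Constructed prior events: a reset for alice from an unknown device 20 minutes ago.
PRIOR_EVENTS = [
    Event("alice@example.com", "fp-unknown-1", NOW - timedelta(minutes=20), "password_reset"),
]


def demo():
    """Run the constructed scenarios; returns the results keyed by scenario name."""
    return {
        "signup_new": signup_signal("carol@example.com", BREACH_INDEX, NOW),
        "signup_mature": signup_signal("Bob@Example.com", BREACH_INDEX, NOW),
        "ato_attempt": assess_login(Event("alice@example.com", "fp-unknown-1", NOW),
                                    BREACH_INDEX, TRUSTED_DEVICES, PRIOR_EVENTS),
        "owner_trusted": assess_login(Event("alice@example.com", "fp-alice-laptop", NOW),
                                      BREACH_INDEX, TRUSTED_DEVICES, []),
        "clean_login": assess_login(Event("bob@example.com", "fp-bob-phone", NOW),
                                    BREACH_INDEX, TRUSTED_DEVICES, []),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the velocity rule is that the same sequence of events (breach, reset, login) scores very differently depending on whether the device was already known: the owner on their usual laptop only gets a nudge to change their password, while the same sequence from a never-seen device is pushed to step-up authentication.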
Leveraging Every Data Point for Identity Verification
In conclusion, you can see how a data breach can be a boon for fraud managers. It may seem counterintuitive, but sometimes, the work of cybercriminals can actually be employed against them.
Of course, this is just one weapon in your email profiling arsenal. You'll also need to complete the picture using every tool at your disposal, such as IP analysis, device fingerprinting, and ideally custom rules specific to your industry.
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.