Skip to content
Deduce logo
Free Trial
  • Products
  • Use Cases
    • New User
    • Returning User
  • Resources
    • Resources
    • Blog
  • Partners
  • Company
    • About Us
    • In the News
    • Careers
  • Contact Us
  • Free Trial

Category: Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

New Gartner report rethinks the marketer’s to-do list

Mark Gavigan
Mark Gavigan
June 23, 2022
The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

New Gartner report rethinks the marketer’s to-do list

According to a recent Gartner report, CMOs have a new priority at the top of their to-do lists—and it isn’t to order more custom flash drives and beer koozies.

The State of Marketing Budget and Strategy 2022, Gartner’s annual survey of enterprise CMOs, indicates that marketing brass are shifting most of their attention to “Customer Acquisition, Retention and Engagement.” As users grow more impatient and wary of fraud, meeting all three of these needs requires an airtight, yet seamless approach to security. It also requires a combined effort from marketing and security teams.

Though still below pre-COVID-19 levels, marketing budgets are, on average, 9.5% higher than last year. Here is why spending on the right security solution is central to attracting, engaging, and keeping users around.

In the beginning…

All customer journeys start with identity, and optimizing the customer experience (CX) starts with account creation.

This means taking a good, hard look at outdated account signup measures such as email verification. At Deduce, we’ve talked to companies signing up millions of new users every month that have churned 10 percent of these accounts because of email verification issues. Further damage awaits downstream, negatively impacting lifetime customer value and brand reputation.

To neutralize fraud—including synthetic fraud—while maintaining an easy-breezy signup process, deploy an antifraud solution that provides real-time trust signals at the account creation stage. For regulated industries, these trust signals can also reduce the cost of customer onboarding.

A churning sensation

Remember those trust signals from two sentences ago? They not only fastrack signup, but alleviate another major customer pain point: false positives.

Once customers are acquired and have created their account, getting blindsided by a false positive upon logging in will often trigger a DEFCON-1 churn reaction. Security solutions bereft of real-time identity data that rely exclusively on behavioral biometrics and device fingerprinting will generate more false positives and smack users with a multi-factor authentication (MFA) alert.

Many users don’t think MFA is worth the increased security. They don’t have time for clicking CAPTCHA squares of traffic lights or authenticating via one-time passcode. And, thanks to SIM swapping, SMS codes aren’t 100-percent secure, let alone user-friendly, anyway.

A delicate balance

If CMOs wish to treat users to a Ritz-Carlton-esque app experience, they’ll need a security solution that’s rock-solid yet frictionless.

Fortunately, Deduce lies at the intersection of CX and security. With a real-time identity network comprising 500 million anonymized user profiles, 150,000+ websites and apps, and over 1.4 billion daily activities, Deduce uses real-time identity intelligence to ensure a user is legit during account creation and beyond, greatly decreasing the likelihood of a false positive MFA trigger. Spoof-proof trust signals—geolocation, new device, time of day, etc.—promise a smooth verification process throughout the customer journey.

The trusted user experience needn’t be a slog. Safe can also mean seamless, and vice versa.

Looking for a CX-traordinary security solution? Try Deduce for free today.

Related Content

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Account Takeover

Behavioral Biometrics vs. Identity Intelligence: What’s the Difference?

Behavioral Biometrics vs. Identity Intelligence: What’s the Difference?

Hint: One is more reliable than the other

Mark Gavigan
Mark Gavigan
April 20, 2022
Behavioral Biometrics vs. Identity Intelligence: What’s the Difference?

Hint: One is more reliable than the other

Identity fraud, including account takeover attacks, affects 15 million Americans each year. In response, companies are looking for fraud prevention solutions that are easy to deploy, frictionless, and unlikely to trigger false positives.

Two popular methods of detecting fraud are behavioral biometrics and identity intelligence. In simple terms, the former analyzes how a user acts while the latter analyzes who a user is. Most behavioral biometrics and identity-based solutions can be deployed without impeding the user experience—a key prerequisite in the digital age—but they share little else in common.

Before breaking down the key differences between behavioral biometrics and identity intelligence, let’s look closer at each approach and why an identity-centric model is more reliable.

Behavioral biometrics

Behavioral biometrics measures a user’s physical and cognitive traits to differentiate between fraudsters and real customers. Unlike physical biometrics, behavioral biometrics doesn’t scan fingerprints or eyes; instead, it looks for patterns in how a user interacts online. For example, it might invoke keystroke dynamics to determine if someone (or something) is copy-and-pasting into a text form or typing.

Here are some other ways in which behavioral biometrics can examine a user:

  • Signature analysis
  • Gait analysis
  • Voice recognition
  • Lip movement

While behavioral biometrics is easy to integrate and improves the accuracy of fraud identification systems, it has its drawbacks. Being a nascent technology, assimilating it into your existing technology stack can be expensive. Once it is activated, stockpiling enough personal data to successfully analyze a user’s behavior will take some time. The aforementioned accuracy can also take a hit if a user strays from their typical behavioral patterns—a drunk or sick user might speak or type differently, an injured user might suddenly walk with a limp. Even a user’s setup can elicit false positives: consider someone who gets flagged erroneously, via keystroke analysis, because they use different keyboards at home, at work, and on the go.

The increased likelihood of false positives outlined above makes behavioral biometrics more suitable as a complementary fraud defense rather than a core solution.

Another flaw of behavioral biometrics is bias. Some solutions rely upon training data that skews toward one demographic. For instance, a 2018 study from MIT and Stanford discovered that the facial data used in at least one system was more than 77% white and more than 83% male.

Identity intelligence

Sophisticated anti-fraud tactics such as behavioral biometrics can be effective. But, in the era of synthetic identities, it’s not enough.

Detecting fake identities consisting of stolen passwords and other personal info requires robust security checks at point of entry, post-authentication tools that can zero in on inconsistent behaviors and preempt fraudulent transactions. Identity intelligence achieves precisely this.

Identity intelligence leverages massive datasets rife with insights on how legitimate users interact online. This knowledge helps neutralize fraudsters even if they possess a user’s login details. Contrary to behavioral biometrics’ need to ramp up its behavioral data for a given user, identity intelligence pulls from data that is ready to go from day one and, thanks to machine learning, constantly growing and up to date.

Identity intelligence hones in on both the person and their device. If George logs in, it finds out if it’s really George, and if the device in question belongs to him. Device usage offers identity-based solutions a plethora of behavioral insights: the types of mobile apps George uses during his morning commute, the wifi network he uses at work, the VPN he accesses on his home computer. Identity intelligence is the actionable, real-time, dynamic fraud prevention approach that closes the gaps left behind by behavioral biometrics.

Identity intelligence that can’t be faked

If a company needs identity intelligence to overcome the blindspots of their existing behavioral biometrics solution, or to remove the need for behavioral biometrics altogether, they’ll need as much identity data as they can muster. No one has more of this data than Deduce.

Deduce boasts the largest real-time identity graph for online fraud in the US. The brain behind our identity intelligence, the Deduce Identity Network, comprises more than 500 million anonymized user profiles and over 1.4 billion daily activities. This sizable (and fully compliant) data stack prevents the false positives that would hinder a behavioral biometrics solution.

Furthermore, given fraudsters’ proclivity with learning to hack new technologies (like behavioral biometrics), businesses can be assured that Deduce’s identity intelligence cannot be bamboozled. Fraudsters are too cheap to outwit our network. Circumventing such a vast arsenal of user profiles, website and activity data—over an extended period of time—requires money, time and effort they can’t afford.

Want to give our identity intelligence a spin? Even if you’ve already implemented a behavioral biometrics tool, Deduce can be layered right on top. Contact us today and get started in just a few hours.

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Device Fingerprinting: ATO Liability, Bearer of False Positives

Device fingerprinting is moot without real-time identity intelligence

Mark Gavigan
Mark Gavigan
January 10, 2022
Device Fingerprinting: ATO Liability, Bearer of False Positives

Device fingerprinting is moot without real-time identity intelligence

Device fingerprinting, a way of positively identifying a device by recognizing its unique software and hardware characteristics, used to be enough to prevent identity fraud. Not anymore.

The list of factors device fingerprinting tracks — IP address, installed fonts, flash data, VPN/browser details, battery info, etc. — may seem sufficient to prevent fraud and false positives. But today’s fraudster can easily spoof these parameters, and the multitude of devices in our lives, each carrying a unique fingerprint, increases the likelihood of a legitimate user getting flagged incorrectly.

Like an old mall cop who can’t chase down shoplifters without his trusty Segway, device fingerprinting requires similar augmentation in the form of real-time insights.

Here is why augmenting device fingerprints is imperative to correctly identifying users and bad actors, and how adding real-time trust signals to the mix forms the perfect one-two punch.

You get a fingerprint, you get a fingerprint, you get a fingerprint

Akif Khan, a Senior Director at Gartner Research, points to three primary reasons as to why device fingerprinting — in and of itself — isn’t viable as a long-term, comprehensive fraud solution:

  • Device and fingerprint overload. Many users spend time on multiple devices each day — phone, laptop, tablet — with a unique fingerprint assigned to each. Without real-time data, a device fingerprinting could easily flag a good customer if they transacted across more than one device.
  • Reliable fingerprints are hard to come by. User privacy and device fingerprinting don’t exactly go hand in hand. Anti-cookie sentiment, private browsing, and the plethora of browsers at users’ disposal contributes to inconsistent fingerprinting. Khan asked some fraud prevention vendors if their solutions would detect the same fingerprint across different browsers on the same device — only one said yes.
  • Beware of malware. Fraudsters are finding more ways to execute malware-based attacks and remotely access a user’s device. Once a device and its fingerprint is hijacked, a bad actor can do as they please.

Khan, while transparent about its shortcomings, agrees that device fingerprinting plays an important role in mitigating fraud. However, without an intelligence layer stacked on top, many fraudsters will find a way to execute ATO (account takeover) attacks and honest customers will be unnecessarily flagged. These outcomes can add friction to the customer journey, cause churn, and harm company reputations.

There’s no time like real-time

Real-time data is the missing link in the device fingerprinting dilemma.

A single user logging into multiple devices can generate red herring security alerts, but a fingerprinting solution coupled with real-time analytics intelligently verifies a user’s identity with no added friction. Similarly, real-time identity intelligence checks for additional data points that counteract fraud tactics like device spoofing, in which bad actors use web browsers that mask operating system data and sometimes create fake virtual environments to throw device fingerprinting off the scent.

The real-time data needed to augment device fingerprinting includes risk signals like impossible travel, device downgrade, network risk, and previously unseen email, among dozens of others, as well as trust signals such as familiar network, familiar device, and familiar city. However, neutralizing ATO and false positives consistently requires identity intelligence, real-time data on a profile’s activity across the consumer web. This type of external visibility — in concert with device fingerprinting — yields a much smarter authentication risk control plane thanks to a scoring system that is able to link millions of user touch points together.

Here are two scenarios that benefit from the dynamic duo of device fingerprinting and real-time identity intelligence:

  • A user has three browser fingerprints on a given website from the same device: one fingerprint from an earlier version of Chrome, one from the latest version, and another from Chrome with new plugins installed. Linking this data with activity data across thousands of websites, the risk engine intelligently links and resolves, reducing unnecessary false positives.
  • A given IP that has been shown (and confirmed by third-party sources) to be a benign residential IP node suddenly sees a spike in authentication failure paired with many new attempted usernames. It’s inferred that there is malicious activity (typically indicative of a compromised node).

At Deduce, these intricate login and authentication events pop up thousands, if not millions, of times per day. By correlating event-level telemetry data, augmentative data sources, and first- party feedback data, Deduce adds an intelligence layer to device fingerprinting that keeps the good people in and the bad people out. Powering these insights is the Deduce Identity Network, a consortium of 150,000+ websites and apps that sources the maximum amount of real-time activity data for a given user. To date, this has netted over 450 million unique identity profiles that generate more than 1.4 billion daily observations.

Want to mitigate ATO and false positives? Click here to see how Deduce can augment device fingerprinting and give your customers peace of mind.

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Account Takeover & Chill: The Murky Waters of Streaming Media Fraud

Fraudulent account sharing is bad news for streaming platforms and users

Mark Gavigan
Mark Gavigan
December 17, 2021
Account Takeover & Chill: The Murky Waters of Streaming Media Fraud

Fraudulent account sharing is bad news for streaming platforms and users

Remember those kids who swindled their way into two-for-one double features, sneaking into a second, likely R-rated, movie they didn’t pay for? (Don’t worry, your secret is safe with us.) Some of those rascals eventually straightened out and grew into upstanding members of society; others found new, circuitous ways to make a buck off of the entertainment industry.

The modern analog for the double feature workaround is sharing login credentials to avoid paying monthly fees for video-on-demand (VOD) services like Netflix and Hulu, or audio platforms like Spotify and Apple Music. Revenue loss is the most obvious drawback for streaming businesses: fraudulent account sharing is estimated to cost Netflix and Hulu over $1 billion per year. Legal claims stemming from regional content licensing violations can also prove hazardous. But the user experience may take the biggest hit of all, ultimately leading to serious customer churn and a negative brand reputation.

Here is a closer look at the multifaceted threat posed by fraudulent account sharing, and how streaming companies can fight back.

Oversharing, under-caring

Credential sharing is rampant in the streaming world. One study found that 80 percent of 13–24 year olds had shared an online video service password with a person outside their household, with nearly a third of 35–74 year olds doing the same. Meanwhile, 65 percent of music streamers also share their credentials.

This is sometimes referred to as casual sharing, a well-intentioned exchange between friends and family members. Costly as it is to VOD and audio platforms, streaming behemoths are doing very little to mitigate unauthorized account sharing. Studying the potential dangers of casual account fraud — which stretch far beyond revenue loss — may change their minds.

Coming up next: The ATO Show

As shared login credentials pinball between more and more users, the likelihood of account takeover (ATO) increases. And once ATO sinks its teeth in, viewer discretion is advised. Post-ATO, the revenue loss resulting from casual account sharing can quickly dovetail into fines related to compliance and content licensing. Paramount, Universal, and other studios won’t be too thrilled if their content is streamed outside of its specified region.

ATO is equally devastating for the user — and user experience.

Joe Fraudster, who could care less about watching Squid Game, might peddle an account on the dark web at a discounted price, or worse, execute a credential stuffing attack and access a user’s bank account(s). This is often quite easy considering 68 percent ​​of users recycle the same password across multiple websites.

A compromised account, and its potential to harm a user financially, doesn’t boost customer morale. Neither does increased friction. Imagine a viewer planning their entire weekend around binge-watching a show, only to log in and see an error screen because too many people are watching at once — i.e. those hacks who bought the account credentials from that Joe Fraudster fella.

Adopting a fraud prevention solution to neutralize account fraud is a no-brainer; otherwise, a customer exodus is inevitable with so many streaming options available. But choosing the wrong approach — like an outdated multi-factor authentication (MFA) tool — only exacerbates the friction.

Teamwork makes the stream work

Some execs are beginning to take streaming fraud seriously. Netflix, for example, is experimenting with account authentication tools. Who knows when the others will come around, but when they do, only partnering with a dynamic, comprehensive, data-driven solution will effectively counteract ATO — without adding friction to the customer journey.

Enter Deduce. The Deduce Identity Network — combining data from 150,000+ websites and apps, 450,000+ anonymized profiles, and more than 1.4 billion daily interactions — processes over 100 different risk factors to authenticate users in real time. If something seems off, the user is alerted for verification purposes. Forgot to log out of that smart TV back at the hotel? Deduce won’t let the next guest in that room access your account. Deduce inhibits promotional abuse as well, utilizing trust signals to ascertain whether users are creating new email addresses to extend free trials.

Deduce’s unprecedented stockpile of data and real-time intelligence also cuts down on false positives. And legitimate users log in much faster thanks to seamless authentication that can eliminate the need for text or email passcode verification. This creates a Trusted User Experience and potentially saves millions by preventing account sharing fraud and the customer churn that follows.

Ready to change the channel on streaming fraud? Tune into Deduce today and request a demo.

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Real-Time Data: The Key to Preventing Identity Fraud

Only a real-time solution can stop shapeshifting fraudsters

Mark Gavigan
Mark Gavigan
December 3, 2021
Real-Time Data: The Key to Preventing Identity Fraud

Only a real-time solution can stop shapeshifting fraudsters

Ah, Christmas. The most fraudulent time of the year.

Unlike bad actors, the uptick in online shopping and transactions (and fraud) — compounded by supply chain shortages — doesn’t imbue cybersecurity teams with much holiday cheer. But one simple, yet monumental change can make all the difference: joining the real-time data revolution.

Data is ubiquitous. Fraudsters are smarter and faster than ever. Real-time data analysis is the only plausible way for businesses to protect their finances and reputations. Out with static, or historic, data (email, phone number, SSN); in with dynamic, up-to-the-minute data (user activity, IP address, device). This is the way.

Companies employing a static, traditional fraud prevention approach are prime targets for account takeover (ATO) and new account creation fraud, among other cyber attacks expected to cost $10 trillion globally by 2025. Not switching to a real-time solution will inevitably lead to a breach sooner than later — and it only gets worse from there.

There’s no time like real time

The irrelevance of historic data in preventing fraud is easy to explain: much of that information is already available on the dark web.

In the seediest corners of the internet, large-scale cybercrime syndicates operate like a fraudulent bodega, peddling users’ personal info for discounted prices. Static data such as names, dates of birth, addresses, mother’s maiden names, and the like is low-hanging fruit for the modern fraudster: plug and play, ammunition for credential stuffing or creating a synthetic identity. Some of these groups are sophisticated enough to enlist AI and machine learning experts to orchestrate breaches, and cunning enough to cook up new schemes, like loyalty point fraud.

Hackers are also benefiting from gargantuan data sets. The data is coming in droves, from all directions, and companies unable to analyze, much less access, dynamic data won’t detect fraudulent activity until it’s too late. Time is of the essence, especially with fraudsters closing the gap between account creation and fraudulent purchases. Delayed fraud detection means delayed remediation, and more dollars down the drain. But dollar signs aren’t the only consideration for pivoting to a real-time fraud prevention platform.

Leave historic data in the past

If a company doesn’t leverage real-time identity data, and is consequently infiltrated by bad actors, most higher-ups will naturally obsess over the immediate financial consequences. However, dealing with chargebacks is peanuts compared to what awaits further downstream.

Think about customer churn, and the army of angry ex-customers who will air their grievances across social media. The combined lifetime value of those lost customers plus the negative hit to brand reputation is not an endearing combination — and even the most seasoned crisis comms team may not fully right the ship.

Then, of course, are the fine-happy regulators who won’t be too thrilled to see another Equifax or Robinhood fiasco. Neither will investors, who are increasingly prioritizing businesses with air-tight threat intelligence. If a company, and its customers, are at risk, so is its valuation.

Adopting a solution that can harness real-time, dynamic data is the key to effectively preventing ATO and new account creation fraud. It provides the necessary adaptability to keep up with shapeshifting fraudsters and stop attacks before they happen — the only acceptable speed in today’s world.

Deduce’s real-time Identity Network, comprising more than 450 million anonymized user profiles collected from 150,000 websites and apps, preemptively alerts companies of fraud well in advance. Want to see how Deduce’s real-time solution can shore up your fraud protection? Contact us today.

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Points Well Taken: The Growing Loyalty Fraud Problem

Fraudsters are pouncing on $48 trillion in unspent rewards points

Mark Gavigan
Mark Gavigan
November 23, 2021
Points Well Taken: The Growing Loyalty Fraud Problem

Fraudsters are pouncing on $48 trillion in unspent rewards points

Practically every B2C organization employs some type of loyalty program, and for good reason — companies love the uptick in spending and brand allegiance; customers love the free lattes and round-trip flights.

But no one is a fan of loyalty fraud. Except fraudsters, of course, snatching their share of the $48 trillion in unspent rewards points and either using them or selling them for profit. The latest ace up fraudsters’ sleeves has only become more prevalent during the pandemic. Even before the pandemic, loyalty fraud had doubled from 2017 to 2018.

Scroll down for the full download on loyalty fraud — including what happens when a company doesn’t combat it with an intelligent fraud prevention solution. (Hint: the negative impact stretches far beyond pocketbooks.)

Pointing in the wrong direction

From July 2018 to June 2020, fraudsters used stolen passwords to launch roughly 100 billion credential stuffing attacks. More than half of these incidents targeted retail, travel, and hospitality industries, companies that reward repeat guests with frequent flyer miles and complimentary hotel stays, free products and discounts. Airlines and hotel chains were especially hit hard post-pandemic — customers aren’t likely to access their rewards (and report a discrepancy) if they aren’t traveling.

Loyalty points are also emerging as a new virtual currency with increased spending flexibility, further incentivizing bad actors to target these accounts. For example, some brands allow customers to buy products on Amazon using their points.

Loyalty fraud, a form of account takeover (ATO), works like this. Hackers buy passwords off the dark web; then, after cracking the right login combination, they can sell a customer’s hard-earned loyalty rewards on the dark web for money (after the 2014 Hilton Honors hack, 250K Hilton Honors points sold for $3.50). If a customer uses the same password across multiple rewards accounts, hackers can access those points, too.

If a customer’s lucky, they’ll merely get their points drained and subsequently replenished — an issue costing merchants $1 billion per year — while fraudsters spend them or peddle them for profit. But personal info is what fraudsters are really after: credit card numbers, social security numbers, even seemingly harmless details like names, dates of birth, and phone numbers.

Points are one thing; accumulating an entire portfolio of personal information for a given individual — and seizing assets far more lucrative than loyalty rewards — is an account hijacker’s dream scenario.

The intangibles

When assessing the impact of loyalty fraud, it’s easy to get caught up in the financial costs: millions of dollars in reimbursed points, including refunding merchants like Amazon in the case of fraudulent points-for-product transactions; fines and lawsuits (if a data breach occurs); lost lifetime value of customers who jump ship. And don’t forget the time (i.e. money) customer support spends assuaging irate customers, investigating claims, and restoring stolen points.

But the intangible effects of loyalty fraud — which ultimately carry their own share of financial harm — may deal the most damage.

One of the first dominoes felled by a rampant loyalty fraud problem, particularly one rooted in a data leak, is customer churn. The outcry from affected users, in tandem with negative PR, is a serious reputation killer. A brand can’t create a Trusted User Experience without trust from its customer base. And building, or rebuilding, that trust with existing users — and new users isn’t possible without the help of a data-driven antifraud platform.

With ATO losses up 72 percent year-over-year, and loyalty fraud comprising a significant chunk of that number, brands must enlist a solution with ample data, and algorithms powerful enough to preempt fraudulent activity in real time — before points, personal details, and customer trust is lost.

Want to score points with your customers? Try Deduce for free today and see how our Identity Network of more than 450 million anonymized user profiles can neutralize ATO threats for companies of all sizes.

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Robinhood Breach Underscores Danger of Account Takeover

ATO hits companies hard. It only gets worse downstream.

Mark Gavigan
Mark Gavigan
November 19, 2021
Robinhood Breach Underscores Danger of Account Takeover

ATO hits companies hard. It only gets worse downstream.

It’s been an eventful year for embattled trading platform Robinhood. Following its infamous biff with “meme stock” investors in January, leading to lawsuits and congressional hearings (and an upcoming Netflix movie), the company went public in July but failed to inspire much excitement around the IPO.

Before Robinhood could lick its wounds and hope for a better 2022, they suffered another setback in early November: a data breach that impacted more than 7 million customers. The breach snatched names, emails, dates of birth, and — to the delight of robocallers — thousands of phone numbers.

You might think, “No credit card or social security numbers leaked? What’s the big deal?” but bad actors don’t need much to harm consumers.

Here is how stolen account information, even seemingly innocuous details like names and dates of birth, can lead to account takeover fraud (ATO) and cause further damage downstream.

A dark reality

Stolen account information is trafficked in the nefarious underworld known as The Dark Web. In what’s essentially a farmer’s market for fraudsters, tens of thousands of account credentials are up for grabs at any given time, some going for as much as $15,000.

Personal information acquired from data breaches is another valuable commodity among Dark Web shoppers. These days, name, date of birth — a zip code in some cases — can be used to verify a customer’s identity. Hackers also leverage data mined from The Dark Web to plan and execute phishing attacks or aid other ATO schemes, such as credential stuffing.

The biggest danger of ATO, however — particularly at the scale of the Robinhood breach — is its ability to metastasize, potentially costing millions in chargebacks, not to mention time spent on remediation and navigating a PR firestorm.

A storm with no calm

The worst part of an ATO breach is the aftermath. Per Javelin Research, customers pay an average of $290 for every successful ATO attack and spend 15–16 hours disentangling the wreckage. Not a fun time for customers — or customer support teams.

Many of the users affected by ATO are likely to flee and seek out other platforms. 85 percent of respondents from a recent CMO Council report indicated they dislike companies with identity verification issues; ostensibly, a breach resulting in ATO fraud bumps this number into the 90th percentile. And what will they do after jumping ship? Air their grievances, which — in aggregate — deals a hefty blow to a company’s brand image. It’s the polar opposite of a Trusted User Experience that encourages loyalty, and, depending on the degree of damage, can be difficult to come back from.

To protect against ATO and its residual impacts, companies need to adopt the data-driven, pre- and post-authentication security approach of a Deduce. Our real-time Identity Network comprises more than 450 million anonymized user profiles collected from 150,000 websites and apps, offering preemptive protection that tips off companies long before ATO can manifest.

Want to give Deduce a go? Try a free trial here.

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Deduce Raises $10M Series A, Launches “Insights”

FAAMG-like fraud prevention for companies of any size

Ari Jacoby
Ari Jacoby
June 24, 2021
Deduce Raises $10M Series A, Launches “Insights”

FAAMG-like fraud prevention for companies of any size

Deduce, the leading provider of cybersecurity solutions powered by real-time identity network data, today announces its successful $10M Series A round led by Foundry Group with participation from True Ventures. The company is also announcing the launch of Deduce Insights, a first-of-its-kind platform that increases digital identity telemetry and acts as cybersecurity radar to give early warning of fraudulent behavior before it affects a company’s customers.

identity insights

Insights provides real-time analytics profiling and scoring based on over 1.4 billion daily user interactions drawn from over 150,000 websites and 450 million user profiles. Powerful fraud-spotting tools once reserved for the world’s largest tech companies, like Facebook, Apple, Amazon, Microsoft, and Google (FAAMG), are now available to companies of any size.

“Following the success of our Customer Alerts product, companies told us that they wanted a platform to plug gaps in the data needed to proactively spot fraudulent behavior so they could stop it before their customers were affected,” explains Ari Jacoby, Deduce CEO and co-founder. “We developed Insights to answer that call with a level of real-time user behavior data unprecedented outside the walls of the world’s largest tech companies.”

The innovative approach of Deduce’s Customer Alerts product — that directly alerts customers about suspicious account activity — resulted in the company’s selection as a finalist in the RSA Innovation Sandbox competition along with an honorable mention from Fast Company’s World Changing Ideas Awards.

“Identity fraud is a huge problem facing any industry that registers or logs in customers. Account takeover fraud alone is expected to triple over the next five years,” points out Lindel Eakman, a partner at Foundry Group. “Few companies outside of the FAAMG club have the data and resources to counter that threat but Deduce’s innovative approach levels the playing field to let any company proactively protect its customers — and its reputation — as the pandemic-accelerated shift online becomes the new norm.”

Insights draws from the same pool of innovation as Customer Alerts and is powered by the Deduce Identity Network that works within global data privacy rules, including GDPR and CCPA, to analyze vast troves of real-time user behavior data. The data network provides ground truth for determining whether a user is who they claim to be at the point of online interaction. Powerful algorithms crunch the data to spot potentially fraudulent activity and provide early warning to detect and prevent threats including:

Account Opening/New Registration Fraud — augments a company’s existing fraud or know-your-customer (KYC) solutions with digital insights to stop fraudsters from impersonating compromised user identities

Account Takeover — detects and allows quick responses to irregular or anomalous user account activity, bolstering defenses and stopping account takeover in its tracks

Account Anomalies — measures deviations against known and expected account interactions to detect security threats

Customers from eCommerce and fintech to social and entertainment rely on Deduce to detect and stop potentially fraudulent behavior before consumer accounts are affected. Untappd, a networking service for beer lovers around the world, uses Deduce’s Customer Alerts to protect its users against suspicious account activity and enhances its fraud-spotting with Insights by adding critical factors to forecast potentially fraudulent behavior, like:

Activity Data — determine what the expected point of origin, interaction type, and typical behavior is for a particular user

Device Metrics — identify suspicious changes in device type and parameters including OS and browser data

Network Intelligence — detect anomalous and suspicious network types that are involved in fraudulent activity and anomalies like proxy servers, TOR browsers, or datacenters

Geolocation — assess a user’s point of origination across countries, states, cities, and time zones to spot suspicious behavior

Threat Signals — easily consume trust indicators, and risk signals to affect a user’s online journey

Recurrent Ventures, an innovative digital media company, will soon start using Deduce to protect its user and visitor data across its portfolio of high-profile media properties such as The Drive, Domino, Popular Science, SAVEUR, Task & Purpose, and more.

“In an increasingly complex online world where users are highly mobile, own multiple email accounts or use services like VPNs, it’s very difficult to discern legitimate behavior from fraudulent behavior,” explains Matt Young, Recurrent’s CRO. “Deduce’s unparalleled technology addresses the critical cybersecurity issues but most importantly, it will help us protect our users and our brands.”

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Coopetition is the Panacea for Data Poverty in Cybersecurity

Competing security companies can unite to fight fraudsters and still remain competitive

Ari Jacoby
Ari Jacoby
June 2, 2021
Coopetition is the Panacea for Data Poverty in Cybersecurity

Competing security companies can unite to fight fraudsters and still remain competitive

More data = more accuracy. This is generally a well-understood truth in any data-applicable field, from economics to medicine to machine learning. Fortunately, we live in an era awash in data; the abundance of data underpins the success of businesses across various industries — except in cybersecurity, where there is actually a dearth of actionable data.

Data poverty in cybersecurity is a profound problem for businesses and consumers. It means cybersecurity systems lack access to the grade-A data needed to effectively prevent the next enormous data breach. It means security systems lack the data insights to effectively identify insidious hacker patterns.

What’s the solution to the data poverty in cybersecurity? Data coopetition.

Data Coopetition: a Proven Model in Many Industries

Coopetition

Data coopetition is data sharing between businesses, even rival ones, to achieve a common goal. It’s an existing practice in several industries, for example:

  • Casinos exchange intelligence on card counters.
  • Rival software companies exchange data to make more money and improve the customer experience.
  • Adtech businesses collaborate to deliver more effective brand campaigns.
  • Healthcare providers exchange patient data, enabling doctors to accurately diagnose diseases and save lives.
  • The FS-ISAC (Financial Services — Information Sharing and Analysis Center) is a consortium of 15,000 businesses in the financial sector collaborating to safeguard their respective institutions and customers from cybercrime.

Yet data coopetition is woefully absent in cybersecurity, the very mitigators of cybercrime. Why? The simple answer is competitive advantage: cybersecurity companies are reluctant to share data for fear of giving their competitors an advantage. However, as exemplified by other industries, data sharing isn’t a zero-sum game; actionable data can be exchanged in a secure and privacy-compliant way with the right solution.

Data Democratization on a Privacy-Compliant Basis

The Deduce Collective Intelligence Platform
The Deduce Collective Intelligence Platform

No cybersecurity vendor is data-rich. Sharing timely and functional behavioral data on cyberthreats benefits all vendors working to neutralize bad actors. For example, companies can exchange data on attack reports, which provide the code used to defend against an attack. Another example is sharing datasets of typical user behavior, such as how often they mistype their passwords, in order to identify anomalies in user patterns that indicate unauthorized access.

How can cybersecurity companies share data in a secure way that doesn’t compromise competitive advantage? Deduce was founded to address this data democratization opportunity. We created a data collective through which companies can share information about users’ security-related behavior and logins. In exchange for sharing data with the platform, companies get access to Deduce’s repository of identity data from over 150,000 websites, which is used to better detect suspicious activity and alert their users.

It’s Time to Shift the Cybersecurity Mindset

To protect businesses and their customers from fast-evolving fraudsters, the industry must shift its mindset — we have no other choice. Companies gain no competitive advantage by hoarding cybersecurity data. Even worse, it leaves everyone vulnerable. We need to think more along the lines of other industries that already realize the value of shared data. By adopting a collective intelligence model, cybersecurity companies have a fighting chance against hackers.

See Deduce in action! Click here to request a demo.

Book a Demo Now
Book a Demo Now

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Account Takeover is a Growing Problem for Businesses and Consumers

What you need to know about protecting your business and your customers from account compromises

Ari Jacoby
Ari Jacoby
June 2, 2021
Account Takeover is a Growing Problem for Businesses and Consumers

What you need to know about protecting your business and your customers from account compromises

Chances are, you’ve been a victim of account takeover fraud (ATO) in which one or more of your online accounts have been compromised.

It’s a sobering reality that online fraudsters are profiting hugely through hacking campaigns that target businesses and consumers alike. According to a recent report, the average cost of cloud account compromises has gone up to $6.2 million in the last 12 months. Javelin Research estimates that consumers pay an average of $290 for every successful ATO attack, and spend 15 to 16 hours working to resolve problems stemming from each attack.

The bottom line: account takeovers are now a critical threat to everyone. It’s time to fight back. Read on to learn the essential facts about ATO, and what you can do to protect yourself, your business, and your customers.

What is Account Takeover Fraud?

ATO, also known as account compromise, is a form of identity theft in which hackers take control of someone’s online account for financial gain.

There are many different kinds of ATO fraud, but the end goal is always the same: to hijack an account and use it for financial gain. Once fraudsters have gained control of an account, they can steal information, withdraw funds, make purchases, or use the account for other criminal purposes.

Types of Account Takeover Fraud

account takeover fraud

Online fraudsters employ various methods of ATO fraud, and they’re always innovating and testing new approaches. These are the most common types of ATO fraud:

  • Credential cracking: hackers force entry by simply guessing users’ login details.
  • Credential stuffing: using stolen credentials from one site to gain access to other accounts.
  • Account creation attacks: new accounts are set up and used later for fraudulent purposes.
  • Malware: malicious code such as keystroke loggers are used to silently capture a user’s login details.
  • Mobile banking trojans: a fake screen is layered over a legitimate app to trick users into providing their login information.
  • Phishing: bogus emails or texts lure users into either installing malware or providing their login details directly.
  • Sim card swapping: phone number is ported to a new device to gain access to mobile accounts, especially mobile banking apps or other fintech services.

💡For more detailed insights on ATO methods, check out our comprehensive overview on account takeover fraud.

The Challenges of Detecting ATO Fraud

To detect ATO fraud, it’s important to detect both attempted ATO fraud (before an account is taken over) and ongoing ATO fraud (after an account is hijacked). This is no easy task, as it requires the ability to detect subtle nuances in human behavior, as well as the minute variances that creep in when an automated system or human bad actor attempts to pass themselves off as a legitimate user.

Individual businesses don’t have visibility into those processes at the scale that’s needed, as they rarely see enough traffic to successfully identify an attack or warn users.

ATO Prevention Strategies

The chief way to prevent account takeovers is to deploy both pre- and post-authentication security measures. This requires requires a deep understanding of the varied and rapidly evolving ways in which fraudsters try to gain access to online accounts, and an equally deep understanding of how such efforts differ from the ordinary behaviors of regular human account users.

ato prevention

What does it take to acquire such insights? Data sharing.

At Deduce, we’ve built a data coalition of over 150,000 member websites to help businesses stop ATO fraud before an account is compromised. Using AI tools trained on billions of historical interactions, we rapidly detect anomalous behavior — such as a login from an unusual geographic location — and automatically deploy appropriate security measures to prevent attacks before they begin.

Learn how Deduce can protect your business from the next massive data breach. Book a demo today.

schedule a demo today
Schedule a demo today

Related Content

Account Takeover

The Top Priority for B2C CMOs Has Changed. Security Plays a Major Role.

Cybersecurity

Turning the Tables on Restaurant Reservation Fraud

Multi-Factor Authentication

The Trusted User Experience: A Day in the Life

Deduce logo

276 5th Ave.
RM 704 # 950
New York, NY 10001-4527

  • LI
  • TW
  • Products
    • Identity Insights
    • Resources
  • Use Cases
    • New User
    • Returning User
  • About Deduce
    • About Us
    • Investors
    • Careers
  • Legal
    • Privacy Policy
    • Terms & Conditions
  • Get In Touch
    • Contact Us

Read Reviews ›   Submit a Review ›

Deduce © 2022

This site uses cookies to collect analytical data. By clicking “Accept”, you are agreeing to the terms stated in our privacy policy & cookie policy.