C-level briefing: Stephen Moody and Stephen Topliss of ThreatMetrix explain the findings from their latest report.
Prior to the advent of the internet, most secure transactions would require you to present a physical piece of documentation, memorise some kind of passphrase or number, or appear in person.
With all the talk (not to mention troubling statistics) about cyber threats increasing, it’s easy to pine for some idealised past when people weren’t trying to steal your data. Has the internet made us more vulnerable to having our details stolen?
Well, according to Stephen Moody and Stephen Topliss of ThreatMetrix, new technology is providing new solutions that might make us more secure than we have ever been before.
That’s not to say the threats aren’t there, however. The ThreatMetrix Digital Identity Network analysed over 15 billion transactions in real time over the past 12 months and noted a 40 percent increase in fraudulent transactions and cybercrime activity specifically targeting the financial industry.
According to the findings, the biggest emerging threat is bot attacks, which were up tenfold compared to the previous quarter.
"We’ve seen a significant increase in the use of botnets to test credentials," says Topliss, Vice President of Service and Support at ThreatMetrix.
Bots are software applications that run automated tasks over the internet. They perform simple and repetitive tasks much quicker than a human could.
According to Topliss, these bots are used to take potential user credentials and then repeatedly test them against different accounts, verifying their validity.
With millions of attacks taking place over very short periods of time, as Topliss says, "they only have to have a small success rate for it to be a big concern."
These attacks have two purposes: either to hack into existing accounts to steal more information, or to set up new accounts with stolen information.
So how to tackle these threats? Surely a simple Captcha, used on many websites, would prevent a bot from being able to get into an account.
"Any kind of friction is really bad for business," says Moody, EMEA Solutions Director. "Imagine trying to log in on a mobile and trying to do a captcha. Yes, it works, but it is very high friction. If you’re going to be very successful on the internet you don’t want any friction."
Problematically, especially on mobile devices, customers prioritise convenience over security, meaning that they may opt for the path of least resistance to accomplish the tasks they need to get done.
This is where ThreatMetrix’s network comes in. As more tasks are carried out digitally, new digital identities are arising.
"We create tokenised hashes of events," says Topliss. "You log in to your device to, say, watch a movie on Netflix. We see the device, username, email address, location come through as a hash. All those things go into our analytics network."
Every company running ThreatMetrix gets access to the intelligence in the network. While they cannot see what a person’s transactions actually are, they can see if their behaviour is consistent.
"Say you have one or two email addresses, a couple of phones, a couple of laptops, you access the internet from work, at home, on the move," says Topliss. "That creates a profile for this user with this hash of an email address, who is associated with these hashes of devices.
"The way we would look at it would be second, third or fourth factor authentication. If you put in a username and password to log in, it isn’t that secure on its own. If someone’s got it you are wide open to them hacking your account."
For example, forgetting a password for a critical account creates the hugely high-risk event of having to call up the bank or institution. With ThreatMetrix, the company can see that it was the right person and they have just forgotten their password.
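A minimal sketch of the hashed-profile idea described above, added here as an illustration and not ThreatMetrix's code or algorithm: attributes are kept only as keyed hashes, a login attempt is compared with the hashed profile, and one device hash tried against many account hashes is flagged as credential testing. The HMAC key, the names, the verdict labels and the threshold of three accounts per device are all assumptions, and the events are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: a secret held only inside the network

def token(kind, value):
    """Keyed hash of one normalised attribute, so raw values are never stored."""
    msg = f"{kind}:{value.strip().lower()}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

class Network:
    def __init__(self, max_accounts_per_device=3):  # threshold is an assumption
        self.profiles = defaultdict(lambda: {"device": set(), "location": set()})
        self.accounts_by_device = defaultdict(set)
        self.max_accounts = max_accounts_per_device

    def learn(self, email, device, location):
        """Record a verified login against the hashed email's profile."""
        prof = self.profiles[token("email", email)]
        prof["device"].add(token("device", device))
        prof["location"].add(token("location", location))

    def assess(self, email, device, location):
        """Return (verdict, matched attribute names) for one login attempt."""
        e, d = token("email", email), token("device", device)
        seen = {"device": d, "location": token("location", location)}
        self.accounts_by_device[d].add(e)
        if len(self.accounts_by_device[d]) > self.max_accounts:
            return "bot-suspect", []  # one device hash tried against many accounts
        prof = self.profiles.get(e)
        if prof is None:
            return "new-profile", []
        matched = [k for k, t in seen.items() if t in prof[k]]
        return ("consistent" if matched else "step-up"), matched

def demo():
    net = Network()
    net.learn("alice@example.com", "laptop-A", "home")  # constructed events
    net.learn("alice@example.com", "phone-B", "work")
    results = [net.assess("Alice@Example.com", "phone-B", "home"),
               net.assess("alice@example.com", "kiosk-9", "abroad")]
    results += [net.assess(f"user{i}@example.com", "bot-1", "vps") for i in range(5)]
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A "step-up" verdict is where an additional authentication factor would be requested; a "consistent" verdict is the low-friction path.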
In this way, then, as Moody explains, what is often viewed as a liability becomes actually an additional protection.
"The mobile device is actually an incredibly powerful way to protect you. Because of the location stuff, you know that your card is near your phone. Certain types of fraud will become very difficult to do."
The static data of who a person is and where they live is, then, far easier to obtain and use than the digital identity that each person creates. This identity is constantly updated as the person browses the internet, buys products and visits social networks. It is therefore much harder to fake.