Last week the New York Times reported that a Russian crime ring had amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.
The ring is located in a small city in south central Russia. Its members are highly organized and work together like a small company might, with some members developing software tools while others use those tools to steal data. They’ve been dubbed the CyberVor gang—vor meaning thief in Russian—by Hold Security, the Milwaukee-based security firm that uncovered the hack. This hack is ten times bigger than the recent Target data breach.
These recent attacks make it abundantly clear that hackers aren’t going away and they are more organized than ever. So, is it time to panic? No, not really.
“As we’ve seen this year already, data breaches are a constant,” said iovation’s CTO, Scott Waddell. “This points out once again the importance of putting every safety measure in place that you can. Use 2-step verification when it’s available, don’t use the same password on different accounts and consider using a password manager. The size of this attack is definitely big, but that doesn’t change what you need to do to protect your username and passwords. Even though you might have just changed your passwords because of Heartbleed, to be on the safe side, you need to change them again given the scope of the CyberVor hack.”
This type of data breach leads to ID theft and account takeover. “Our mission at iovation has always been about making the Internet a safer place to do business,” said CEO Greg Pierson. “This is another example of why we started this company. We help businesses stop fraud and by extension we help protect their customers from the impact of these large data breaches.”
Just like for consumers, it’s important for businesses to take stock of their defenses and figure out how they will protect themselves from cybercriminals using stolen data to take over an account using someone else’s credentials. This issue reaches across industries like retail, insurance, gaming and finance, with the common denominator being any company that does business online. In the foreseeable future we can expect more of these types of data breaches. That means that companies will be looking at the strategies that they have in place and what more they can do to shore up their defenses.
No single approach will stop fraud completely. This is why it’s so important for businesses to put a multi-layered approach in place. That means layering a number of different defense approaches to assess risk and stop fraud. For example, device-based intelligence augments traditional authentication and fraud mitigation tools by recognizing any Internet-enabled device (including mobile) interacting with a user’s account. This type of intelligence can alert a business if a device has been previously associated with fraud, including account takeover, while bolstering risk-based authentication strategies and even reducing friction for good users.
As more of these data breaches and hacks occur, businesses and consumers need to be more vigilant with their strategies to protect their resources. The days of using one username and password for every account, or not having a comprehensive fraud approach in place, are long gone. Fortunately, there are readily available tools to improve security on both ends of the transaction.