Hackers and data breaches have compromised the personal information of 110 million Americans in the last twelve months alone, affecting 47 percent of the U.S. adult population. This staggering figure underscores the importance of establishing e-identity through multiple forms of authentication and, when required, verification, for both new and returning users or accounts.
Personal data for nearly half of Americans has been compromised and consumers aren’t the only ones at risk – merchants and other organizations are feeling the aftermath with more convincing fraud attempts and an increase in account takeover activity. According to estimates and data from the Identity Theft Resource Center, along with research from the Ponemon Institute on behalf of CNNMoney, the personal information of 110 million Americans has been exposed across 432 million compromised accounts. This includes payment card, email, and user accounts created with merchants and other web or mobile services.
The number of hacking and data breach stories that continue to hit the press each day is alarming, but according to research from Unisys, consumers are experiencing “data breach fatigue.” This is in the wake of massive data breaches involving payment cards used at Target, Michaels and Neiman Marcus, as well as account data of Adobe, Snapchat, AOL and eBay users.
Simply requiring a username and password is not enough. Organizations need to acknowledge the fact that many consumer email, username and password combinations are compromised, and that many consumers reuse these combinations of credentials across multiple sites and services. Additionally, millions of credit and debit card numbers, along with other supporting information, are already in the hands of the fraudsters.
Organizations should consider expanding their efforts and capabilities for establishing trust in the identities that are presented to them online. This applies to new users and one-time transactions, where the identity information provided must be authenticated and verified, and to authenticating users on subsequent logins. Even if a user provides the correct email/username and password combination, consider the device and IP they are coming from, look for the use of proxies and consider the use of behavioral characteristics and signals. Based on these signals, additional forms of authentication, multi-factor authentication or verification may also be needed to establish whether you are dealing with the real accountholder.
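The login check described above can be sketched as a small risk-scoring function. This is an added example, not code from the original article: the weights, thresholds, field names and sample values are all illustrative assumptions, and the proxy flag is assumed to come from a separate IP-reputation lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Illustrative weights and thresholds (assumptions; tune against your own fraud data).
WEIGHTS = {"new_device": 30, "new_network": 20, "proxy": 25, "behavior": 25}
STEP_UP_AT, VERIFY_AT = 30, 70

@dataclass
class AccountProfile:        # what earlier trusted logins looked like
    device_ids: set
    networks: list           # CIDR ranges the account has logged in from
    usual_hours: range       # hours of day the user normally logs in
    typing_ms: float         # mean inter-key interval when entering the password

@dataclass
class LoginAttempt:          # the password has already been checked and is correct
    device_id: str
    ip: str
    via_proxy: bool          # result of an IP-reputation lookup (assumed upstream)
    hour: int
    typing_ms: float

def signals(profile, attempt):
    addr = ip_address(attempt.ip)
    known_net = any(addr in ip_network(n) for n in profile.networks)
    # Behavioral signal: unusual hour, or typing cadence more than 50% off baseline.
    cadence_off = abs(attempt.typing_ms - profile.typing_ms) > 0.5 * profile.typing_ms
    return {
        "new_device": attempt.device_id not in profile.device_ids,
        "new_network": not known_net,
        "proxy": attempt.via_proxy,
        "behavior": attempt.hour not in profile.usual_hours or cadence_off,
    }

def decide(profile, attempt):
    """Return (action, score, fired_signals) for a login with valid credentials."""
    fired = [name for name, hit in signals(profile, attempt).items() if hit]
    score = sum(WEIGHTS[name] for name in fired)
    if score >= VERIFY_AT:
        return "verify_identity", score, fired
    if score >= STEP_UP_AT:
        return "step_up_mfa", score, fired
    return "allow", score, fired

# Constructed sample data (documentation IP ranges, made-up device ids).
PROFILE = AccountProfile({"dev-a1"}, ["203.0.113.0/24"], range(7, 23), 180.0)
KNOWN = LoginAttempt("dev-a1", "203.0.113.45", False, 9, 170.0)
NEW_DEVICE = LoginAttempt("dev-zz", "203.0.113.45", False, 20, 190.0)
SUSPICIOUS = LoginAttempt("dev-q9", "198.51.100.7", True, 3, 20.0)

if __name__ == "__main__":
    for attempt in (KNOWN, NEW_DEVICE, SUSPICIOUS):
        print(attempt.device_id, decide(PROFILE, attempt))
```

All three sample attempts carry a correct password; only the surrounding signals decide whether the login is allowed, challenged with a second factor, or sent to identity verification.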