December 19, 2017
A Silicon Valley security company recently found a single file on the Dark Web containing 1.4 billion unencrypted username/password combinations, illustrating clearly why account takeover has become one of the most feared fraud types affecting merchants today. Los Altos, Calif.-based 4iQ, which posted news of the find in its blog, said the database in the file is an amalgam of information stolen in more than 250 individual breaches including Yahoo, LinkedIn and many smaller breaches both reported and unreported. The company said it is the largest aggregated database of its kind ever reported.
4iQ said it has tested and verified many of the clear text passwords. The file, which included information about how people set passwords, reuse them and create repetitive patterns over time, is basically a toolbox for fraudsters interested in taking over accounts and criminally monetizing them.
Account takeover (ATO) fraud is particularly nefarious because, having gained access to an account using the proper username/password information, fraudsters can be indistinguishable from legitimate account holders. ATO used to be a problem specific to banks, but any business that has users set up online accounts with access to stored value or linked payment methods is vulnerable.
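Because a stuffed credential is a valid credential, the login itself looks legitimate; what gives the attack away is the pattern around it. The following is an added example (not code from the article, 4iQ, or Card Not Present) showing the two checks a merchant can run: at authentication time, whether the submitted pair appears in a breach corpus, and over the login log, whether one source is cycling through many distinct accounts. The leaked pairs, IP addresses and log lines are all constructed for the example; a real deployment would query a breached-password service by hash prefix rather than hold a corpus of its own.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a leaked credential dump (invented entries).
LEAKED_PAIRS = [
    ("alice", "Summer2016!"),
    ("bob", "hunter2"),
    ("carol", "carol123"),
]


def credential_fingerprint(username: str, password: str) -> str:
    """Hash the pair so the corpus can be queried without storing plaintext.
    Usernames are case-folded because breach dumps rarely preserve case."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()


# Only fingerprints are kept; the plaintext list above would be discarded
# after loading in a real system.
BREACH_CORPUS = {credential_fingerprint(u, p) for u, p in LEAKED_PAIRS}


def credential_in_breach_corpus(username: str, password: str,
                                corpus=BREACH_CORPUS) -> bool:
    """Authentication-time check: is this exact user/password pair known leaked?"""
    return credential_fingerprint(username, password) in corpus


# Constructed login log: (timestamp, source IP, username, success).
# 203.0.113.7 tries six accounts in twelve seconds and gets one hit;
# the other two sources behave like ordinary customers.
LOGIN_LOG = [
    ("2017-12-19T10:00:01", "203.0.113.7", "alice", False),
    ("2017-12-19T10:00:03", "203.0.113.7", "bob", True),
    ("2017-12-19T10:00:05", "203.0.113.7", "carol", False),
    ("2017-12-19T10:00:08", "203.0.113.7", "dave", False),
    ("2017-12-19T10:00:10", "203.0.113.7", "erin", False),
    ("2017-12-19T10:00:12", "203.0.113.7", "frank", False),
    ("2017-12-19T10:05:00", "198.51.100.4", "alice", False),
    ("2017-12-19T10:05:20", "198.51.100.4", "alice", True),
    ("2017-12-19T11:30:00", "192.0.2.9", "bob", True),
]


def detect_login_bursts(events, window=timedelta(minutes=5),
                        min_distinct_users=5):
    """Log-time check: flag sources that attempted >= min_distinct_users
    distinct accounts inside any sliding window. Returns {ip: sorted users}.
    Success or failure of each attempt is deliberately ignored here: a
    stuffing run looks like many failures plus a few valid logins."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(us) for ip, us in flagged.items()}


def successful_logins_from_flagged_sources(events, flagged):
    """The accounts that need review: successes originating from a flagged source."""
    return [(user, ip) for _, ip, user, ok in events if ok and ip in flagged]


if __name__ == "__main__":
    print("bob/hunter2 leaked:", credential_in_breach_corpus("bob", "hunter2"))
    bursts = detect_login_bursts(LOGIN_LOG)
    print("burst sources:", bursts)
    print("accounts to review:",
          successful_logins_from_flagged_sources(LOGIN_LOG, bursts))
```

The breach check blocks the stuffed pair before the session exists; the burst check catches the run even when the attacker's first guess is right, since the tell is one source touching many accounts, not any single login. Thresholds and window size are assumptions to be tuned against a merchant's own traffic.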
Access this rebroadcast of a recent Card Not Present webinar—The Anatomy of Account Takeover Fraud—to learn how fraudsters are attacking at the account level and the best ways to detect it.