July 10, 2018
Increasingly, when mass media outlets report on a “data breach” they actually are looking at cases of account takeover fraud. What starts out as account takeover, however, can actually morph back into a data breach depending on how fraudsters leverage the hijacked accounts. Recently, the Detroit Free Press broke a story about what it called a data breach at Macys.com. It described how Macy’s recently disclosed to its online customers that over a period from the end of April through the middle of June a “party that received information from a non-Macy’s source…made use of usernames and passwords to log in to customers’ accounts.”
Plainly, the activity described was account takeover: a bad actor had come into possession of a number of validated Macys.com accounts and was attempting to monetize them in various ways. According to the Free Press, however, Macy’s also said the cybercriminals “gained access to names, email addresses, phone numbers, birthdays and payment card information.” That information, of course, is available to anyone who manages to take over an account. Whether enough Macy’s accounts were compromised for the fraudster to turn around and resell the information, so that others could commit other types of fraud at other sites, is unclear. Macy’s did not disclose how many accounts were affected.
Regardless, account takeover fraud is especially pernicious because of the myriad ways the information contained in an online account can be leveraged by fraudsters. Card Not Present has presented two recent webinars exploring different facets of ATO fraud with two different antifraud technology providers: NuData Security and Riskified. Recordings of both presentations are available on the Webinar page of our Educational Resources section.