On Saturday, Vodafone UK said hackers had accessed the accounts of around 2,000 of its customers, the second cyber attack on a British telecoms company this month. The attackers had potentially gained access to the victims' bank sort codes and the last four numbers of their bank accounts, along with their names and mobile telephone numbers, a Vodafone spokesman said. Only a handful of those affected in the attack had seen any attempts to use their data for fraudulent activity on their Vodafone accounts. "No credit or debit card numbers or details were obtained. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts," a spokesman said. The company was contacting all those involved, and other customers need not be concerned, he said.
Ryan Wilk, director at NuData Security, reacts: “On the heels of this weekend’s Vodafone breach, and last week’s TalkTalk breach, we continue to see a striking trend that no matter how diligent a company is in trying to protect its sensitive data store, fraudsters always seem to be one step ahead. While phone and wireless companies have recently been in the headlines, this trend is industry agnostic. Any company in any vertical where sensitive data is stored will be a target of hackers and criminals. While the loss of this data is an issue in and of itself, the secondary use of the stolen data should be a concern to every business.
Data thieves sell this information to aggregators, who cross-reference and compile full identities, called “fullz,” on the data black market. This increases the value and usefulness of the stolen data and is building countless identities for the fraudsters. With the amount of data on the black market, there is no end to the potential damage the fraudsters can do using the stolen data. With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for victims for years to come.
The creation of fraudulent accounts is on a sharp rise. We’ve seen among our clients that accounts are vulnerable. Of the 500+ million account creations we analyzed over a few months, more than 57% of them were flagged fraudulent and account creation fraud has risen over 100% since February of this year alone. That kind of long-term, big payout fraud is greatly enhanced with the use of stolen customer PII.
This continues to underscore why it’s vital to switch from traditional and insecure KBA-based authentication, which can be easily stolen, to hard-to-replace user behavioural biometrics. In today’s age of insecure data, it is even more vital to not just know that your user entered the correct credentials, but to also know that it is the correct human user on the other side of the machine.
By harnessing the power of passively understanding the behavioural attributes of the user, you can authenticate users in ways that create less friction but are more secure. Using continuous behavioural analysis, companies can understand the underlying traits that make their users unique so that you can know with 99%+ certainty if it really is the legitimate user and get a front row seat to fraudsters trying and failing to game the system using the stolen data. The data is out there and continues to grow each day, making it vital that companies move to the next level to protect the trust & safety of their brand in the eyes of their customers.”