Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:14 PM
Dark Reading
Dark Reading
Products and Releases

ThreatMetrix Shares Strategies For Implementing Effective Security Measures Without Disrupting Authentic Users And Compromising Privacy

Company suggests using behavior-based identity proofing

San Jose, Calif. – January 22, 2014 – ThreatMetrix&trade, the fastest-growing provider of integrated cybercrime prevention solutions, continues its alignment with Data Privacy Day by announcing several strategies for businesses to change the economics of data breaches and identity theft through global trust intelligence.

The Identity Theft Resource Center recorded more than 600 data breaches in 2013, a 30% increase over the number of breaches in 2012. Target and Neiman Marcus are just two examples of companies that experienced significant breaches recently and more are expected to occur in 2014. Personally identifiable information exposed in past breaches includes credit card numbers, password hints, names, email addresses and other sensitive information.

To make matters worse, in the aftermath of data breaches, the solutions companies put in place to protect consumer identities are far from ideal. Businesses in the past have either implemented intrusive two-factor authentication solutions or offered customers credit monitoring.

"The current way in which companies prevent misuse of stolen identities is broken," said Alisdair Faulkner, chief products officer, ThreatMetrix. "Many businesses that offer credit monitoring, two-factor authentication and other means of protecting personal information following a data breach end up causing additional damage to the customer relationship due to added charges, intrusive features or requesting more personal data. Instead we need solutions that make stolen identities worthless in the hands of cybercriminals."

While two-factor authentication solutions such as SMS one-time passwords can provide an extra layer of protection, the reality is that they are expensive, can lead to abandonment and only protect the fraction of users that choose to adopt.

As an alternative to two-factor authentication, some businesses offer free trials of credit monitoring services, which expire and can require payment through automatic renewal. Instead of putting consumers at ease, these services can potentially cause backlash if customers perceive companies are profiting from their misfortune. In any case, credit monitoring does not prevent identities from being abused to hack accounts or commit payment fraud.

High profile breaches are a prime example of why businesses across industries – including retailers, financial institutions and others – should not rely on traditional identity verification services to screen users.

"Legacy identity verification solutions are largely a solution for a bygone era because they can prove that an identity exists, but not ownership of that identity," said Faulkner. "The cat is out of the bag – cybercriminals and consumers are well aware that traditional verification and authentication solutions are no longer effective – and businesses need better strategies in place for customer identity protection."

Instead of applying bandage-like solutions, ThreatMetrix recommends changing the economics of data breaches and identity theft by transparently rendering stolen data invaluable with global trust intelligence comprising of:

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leveraging trusted identity networks that use strict anonymization practices to share intelligence improves security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies to reduce challenge rates.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers to be treated unfairly when their identities or accounts are abused. Analyzing patterns of usage including locations, identities, devices and associations over time provides 'spoof-proof' identity screening without false positives – incorrectly labeling legitimate customers as fraudulent.

Passive Two-factor Authentication – Use cookieless device identification technologies in combination with rich contextual information such as account usage, location profiles and business risk to reduce unwanted and intrusive step-up authentications.

"ThreatMetrix uses anonymized device, identity and transaction data to determine whether or not customers are who they claim to be without needing to know their name," said Faulkner.

To effectively protect customers, businesses should leverage a global data repository that can process transactions in real time and verify their authenticity against anonymized user profiles and past behavior. The ThreatMetrix&trade Global Trust Intelligence Network (The Network) is the most comprehensive global repository of identity and fraud data and protects hundreds of millions of users and revenues each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts to differentiate between good and bad actors.

Data Privacy Day takes place on January 28 and is sponsored by the National Cyber Security Alliance. ThreatMetrix, a Data Privacy Day Champion, will continue its commitment to Data Privacy Day by publishing additional news on protecting consumer identities throughout the month of January.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Ransomware Surge & Living-Off-the-Land Tactics Remain Big Threats
Jai Vijayan, Contributing Writer,  11/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-22
A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an arbitrary file by removing the CSRF token from a request.
PUBLISHED: 2019-11-22
The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a code injection vulnerability. An attacker could exploit the vulnerability to inject malicious code into the management page, resulting in users� information leakage.
PUBLISHED: 2019-11-22
The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a configuration error vulnerability. An attacker could directly access the management portal in HTTP, resulting in users� information leakage.
PUBLISHED: 2019-11-22
IBM SmartCloud Analytics 1.3.1 through 1.3.5 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 159185.
PUBLISHED: 2019-11-22
IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks ag...