The number of U.S. data breaches tracked in 2015 totaled 781, the second highest total on record since the Identity Theft Resource Center (ITRC) began tracking breaches in 2005. These data breach targets included locations where high volumes of consumer data are stored. Further, several individual accounts were hacked, resulting in millions of dollars in combined losses. The data breaches potentially led to identity theft, including the theft of social security numbers, financial account information, medical information, Internet of Things (IoT) product account information, email addresses, and passwords.
Through data breaches, hackers gain access to full account information for online retailers, allowing them to complete credit card purchases against those accounts without possessing the physical cards. The total value of the card-not-present threat is expected to grow from $9 billion in 2013 to nearly $19 billion in 2018, while fraud at point of sale (POS) locations continues to shrink.
Data breaches can also occur when users are led to connect to the Internet through a wireless network controlled by a hacker, or when users fall prey to a phishing attack, a malware attack, or a man-in-the-middle (MITM) attack, and mistakenly give up personal data such as user identifications (user Ids), passwords, and/or device identifications (device Ids). The hackers use this personal data for unauthorized purchases, causing substantial personal losses.
Financial institutions are generally obligated to use multi-factor authentication (MFA). These institutions maintain a list of trusted devices that can access web sites or applications on mobile, desktop, tablet devices, etc. These device Ids are often shared across multiple applications, so there is a risk that a device Id learned from one application can be known in advance by an attacker for use against another application. It is also possible to use some kind of social engineering attack to obtain a user Id, a password, and/or a device Id.
In banking, e-commerce, or other security-sensitive applications, an ongoing need exists to validate device Ids along with user Id/password combinations. Some banking applications employ machine learning based algorithms that use the parameters and/or attributes of the user device to perform a risk calculation for the user on that device Id and determine whether the device can be trusted. This mechanism suffers from limited accuracy due to the basic nature of the machine learning, and still gives some leeway to an attacker performing a fraudulent transaction. The statistical models used by such mechanisms tend to be inaccurate, operate in a predictive- and/or pattern-based mode, and are tuned to generate alerts for a given percentage of users. This results in a high rate of false positives and false negatives. Moreover, once this ratio is established, changes to the model are difficult and slow, constituting a significant barrier to rapid and effective response in the evolving and constantly changing fraud landscape.
With the current use of device Ids/device fingerprinting, user Ids, and passwords, fraudulent transactions in e-commerce or banking are still possible. There are ways of performing MITM attacks and retrieving user Ids, passwords, and device Ids for security-sensitive applications, or of using Citadel malware applications to imitate the usage patterns of users.
Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with the present disclosure as set forth in the remainder of the present application with reference to the drawings.