Facebook and LinkedIn data exposures show the scope of account takeover risks

TL;DR

Account takeover fraud is rising sharply, fueled by personal data that is easy to find online, including publicly shared information rather than just stolen passwords. Large exposures of Facebook and LinkedIn user data gave fraudsters email addresses and phone numbers they can use for phishing, SIM swapping, and identity hijacking with a long shelf life. Merchants defend their stores by strengthening authentication and screening every order, even from longtime customers, with human review of flagged orders to avoid false declines.

Account takeover (ATO) fraud is big business for criminals, and it’s on the rise. One study found that ATO attacks on ecommerce retailers selling physical goods increased by 378% during the second quarter of 2020, compared to the same period in 2019. What’s driving this increase? In many cases, it’s personal data that’s all too easy to find online, and it doesn’t even need to be sensitive information like passwords in order to fuel ATO attacks.

Recent news about Facebook and LinkedIn user data underscores just how much material fraudsters have at their fingertips and how they can use even publicly available information to commit fraud. In April, news broke that personal data such as phone numbers, email address, birthdates and genders from more than 500 million accounts on each of the two social networks had been collected by data-scraping tools and shared on the dark web.

Facebook in particular took heat for not notifying users at the time the data-scraping incident was first reported, back in 2019. Both Facebook and LinkedIn have noted that the exposed data was shared by users and wasn’t the result of a breach of secured data. However, security experts quickly outlined a number of ways that the scraped data could be used to commit fraud.

What fraudsters can do with scraped social media data

The quantity of email addresses and phone numbers exposed by the data scrapers is particularly worrying, because scammers can target victims for phishing scams via email, text and voice calls to trick them into handing over login credentials and financial information. With those resources, they can take over social media, banking and retail shopping accounts. For example, by targeting Facebook users for phishing scams and stealing their login information, fraudsters then have access to any payment methods the victims have stored in Facebook for social shopping. They also have the ability to sign into the victim’s accounts at online retailers that allow for social logins.

With a bit of research, a scammer armed with a phone number and some other personal data can also commit SIM-swapping fraud by impersonating the victim to their cell provider’s customer service team to take over the victim’s phone number. Then they can get the victim’s messages and calls on a device in the fraudster’s possession, control any SMS-based two-factor authentication the victim has on their accounts and effectively hijack their identity. And because, as one observer noted, most people rarely change their phone numbers and email addresses, this kind of data has a long “shelf life” for fraud once it’s exposed.

How to stop account takeover fraud from hurting your online store

It’s clear that login credentials and social logins can be compromised by fraudsters with stolen data, so the first and simplest ATO prevention step is to review the way you handle customer authentication. If you require customers to sign in with a user ID and a password, consider implementing strong password requirements so their credentials are harder to crack. You can also encourage shoppers to choose a unique password for their store account, to reduce the risk of fraud if their reused password is leaked elsewhere.

Social logins make store account access easy for customers, but they also mean that your customers can lose access to their account with your store if they ever close or are locked out of that social account. You may want to review your use of social logins, to see if the convenience for customers outweighs the cost of fraud due to compromised social accounts. Keep in mind that 44% of Australian shoppers in a March 2020 Sapio survey for ClearSale said they’ve abandoned purchases because of friction during the checkout process, so you need to balance safety with ease of use.

Regardless of how your customers sign in or check out in your store, it’s crucial to screen every order to authenticate the customer—even if they’ve been shopping with you for years. AI-driven fraud programs can quickly detect unusual behavior by existing customers to help spot ATO fraud. These algorithms can also evaluate first-time customers for potential identity theft.

When orders are flagged, they should go immediately to manual review, where experts can decide if the order is good or fraud. That can avoid false declines that drive customers away for good. Among Australian consumers, 38% told Sapio they’d never shop again with a merchant that declined their order, and 22% would say something about the decline on social media. Only 8% said they’d never shop again with a merchant after a fraud experience with their store.

Account takeover fraud shows the risks that merchants take if they assume that their customers—even established customers—are who they claim to be. That’s not an argument for treating shoppers with overt suspicion. Instead, it highlights the need to use best practices and technology to authenticate customer identity in real time for every transaction, even orders coming from longstanding customers, to protect their accounts and your revenue.

Original article at: https://informationsecuritybuzz.com/articles/facebook-and-linkedin-data-exposures-show-the-scope-of-account-takeover-risks/

Frequently Asked Questions

How fast is account takeover fraud growing?

One study found that account takeover attacks on ecommerce retailers selling physical goods increased by 378% in the second quarter of 2020 compared with the same period in 2019. Easy access to personal data online is a major driver.

What made the Facebook and LinkedIn data exposures dangerous?

Personal data such as phone numbers, email addresses, birthdates, and genders from more than 500 million accounts on each network was collected by data-scraping tools and shared on the dark web. Even though the data was user-shared rather than from a breach of secured data, it gives fraudsters ample material for attacks.

How do fraudsters use scraped social media data?

They can target victims with phishing via email, text, and voice calls to steal login credentials and financial information, then take over social, banking, and retail accounts. A phone number plus other details can also enable SIM-swapping fraud that hijacks the victim's identity and two-factor codes.

Why does exposed personal data stay dangerous for so long?

Because most people rarely change their phone numbers or email addresses, this kind of data has a long shelf life for fraud once it is exposed. Information leaked years ago can still fuel attacks today.

How can merchants reduce account takeover risk?

Review how you handle authentication, require strong and unique passwords, and reconsider social logins where the fraud cost outweighs the convenience. Most important, screen every order to authenticate the customer, even those who have shopped with you for years.

How do merchants balance security with customer experience?

AI-driven programs can spot unusual behavior and flag orders for manual review by experts, which avoids false declines that drive customers away. This matters because surveys show many shoppers will never return after a declined order, and some will complain publicly, so authenticating identity in real time protects both accounts and revenue.

Fraud & chargeback protection

Stop fraud before it costs you

ClearSale's AI-powered fraud prevention reviews every order and backs it with a chargeback guarantee, so you approve more good orders and fight fewer disputes.

Request a Demo