Or an email address? Or a phone number?
“Immediately after the news of SVB’s impending breakdown, bad actors who we had seen testing banking systems across our customer portfolio for weeks scaled up their attacks within hours, leveraging bots to create new accounts about every four minutes. Banks and fintechs providing small business and/or investment accounts must practice vigilance during this time of uncertainty.” – Socure CEO Johnny Ayers
What does “testing banking systems” mean? And how do they “leverage bots to create new accounts”?
Hackers perform what is called “user enumeration.”
User enumeration is where a hacker gathers a list of all valid usernames on a server or web application to get an idea of how many accounts exist, then uses this information to compromise accounts on the platform.
Some web applications are configured to tell the user if the username provided is correct, even if the password doesn’t match. If a hacker enters a username they obtained, this information unwittingly tells them they have guessed a valid username.
Once a hacker has a list of legitimate and active user accounts, they can use it to attack the organization or the individual. These are just a few ways hackers can leverage user enumeration.
Contact Lists for Cash or Counterfeit
By developing a list of active and legitimate user accounts, hackers can create a contact list of users that they can sell to companies for targeted marketing purposes or to fraudsters for phishing campaigns.
Account Takeover
Hackers inject stolen pairs of usernames and passwords into login forms to gain access to user accounts. If they have a valid username, all they have to do is attempt logins with commonly used passwords to perform the attack. This is why multi-factor authentication is crucial.
Phishing Scams
If a hacker gathers contact information of legitimate accounts, including email addresses or phone numbers, they can create tailored messages that prompt users to provide their sensitive information to an attacker.
By limiting the amount of data exposure, consumers can protect their information from being exploited in user enumeration.
What other banks and users can learn about data privacy from Silicon Valley Bank
The collapse of Silicon Valley Bank was unfortunate for many reasons, one being a significant spike in identity theft for surrounding consumers. “Small businesses and investment platforms witnessed a fraud rate increase of 498 percent between 7 and 11 March, when news of SVB’s collapse made waves the most.” Hackers prey on inefficiencies and weaknesses within systems to perform attacks, and businesses must be on high alert at all times. Unfortunately, even the most efficient business is not always safe. People aren’t always proactive in protecting their private information online, which leads to 90% of the identity fraud claims that occur today. To create a successful data privacy solution, responsibility must be shared between the platform and the user.
Global Crackdown on Genesis Market: Where Do We Go Now?
Major law enforcement agencies from 17 countries, including the FBI and Dutch National Police, have successfully shut down the notorious Genesis Market, one of the world’s biggest criminal marketplaces that sold victims’ “digital fingerprints” to online fraudsters for less than a dollar. What is important to know is that the Genesis Market operated on the open web, not just the dark web, and it was notable for its user-friendly, English-language interface. So what does this mean for all the criminal marketplaces on the dark web? According to the National Institute of Justice, law enforcement sees evidence of a steady expansion of dark web activities but largely lacks quantitative data to inform effective responses and solutions to dark web activities. Using what they learned from the Genesis Market seizure, authorities can devise a plan of attack on other criminal marketplaces.