News

15 Billion Stolen Logins From 100,000 Breaches – Reveals New Dark Web Audit

Oliver Smith
July 09, 2020
3 minutes read
676

15 billion – a figure published demonstrates the stolen logins came about through the 18 months of Digital Shadow’s Security researchers. They audited the criminal’s marketplace over the dark web and found that the stolen credentials have increased 300% since the audit done previously in 2017. The audit reveals 15 billion stolen credentials from 100,000 breaches.

Among those 15 billion records, about 5 billion are unique. These records estimate an average of $15.43 as an individual record selling. These data breaches highlight most of the compromised data belongs to banks and financial accounts which accumulate an average of $70.91 per piece. Also, about 25% of all dark web advertisements offer such records as they carry more valuable data.

In the audit, researchers have also found that the stolen credentials are provided as a service. Now instead of buying the credentials, criminals rent the identity for a particular time period for less than $10.

New Dark Web Audit Reveals 15 Billion Stolen Logins From 100,000 Breaches – Forbes https://t.co/JWrK8rmq2X

— Neil Heath (@NeilHeath10) July 8, 2020

The chief information security officer, Rick Holland, said in a statement,

“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them,” Also, he said, “Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere.”

He added by giving a simple message: “Consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

Certified information systems security professional and senior vice president of global business and corporate development at digital identity firm ForgeRock Inc., Ben Goodman, told in a statement that passwords are traditional user authentication method for decades and that a user has an average of 130 online accounts.

“It’s unlikely that users can remember 130 unique sets of login credentials and as a result, most opt to reuse the same passwords and usernames across most if not all of their accounts,” he said. “In fact, 57% of people who have already been scammed in phishing attacks still haven’t changed their password, enabling fraudsters to leverage compromised login credentials from one account to access additional profiles with more critical data, including banking and healthcare information.”

His advice: Organizations must recognize the security risks of passwords and usernames and adopt technology to enable passwordless and username-less logins.

Disclaimer: No warranty is herein provided that the information contained in this document is accurate, up-to-date, and/or complete. In no circumstance(s), does such information constitute legal or any other advice. Any person who intends to use, rely, pass-on, or re-publish the information contained herein in any way is solely responsible for the same. We suggest to verify the information and/or obtain expert advice independently if required.

Latest News

News
Lawyers in Malta Lag Behind in Complying with AML Measures
Malta obliged the various sectors to comply with risk assessment measures. According to the Financial Intelligence Analysis Unit, the legal industry is lagging behind in complying with these measures.

Only 57 per cent of the legal businesses had a system for business risk assessment (BRA) in place the previous year which places the legal industry at the bottom of the list of sectors for compliance requirements including credit institutions, gaming companies, service providers, auditors and accountants.

However, FIAU is driven to gain more compliance management measures from the listed sectors. The overall results indicate that the improvement was seen in every sector as Malta continues to focus on its fight against money laundering terrorism funding.

Business Risk Assessment is a tool through which the members of the financial services can analyse the risks attached to a client and which measures can ensure minimized risks. This tool is a part of anti-money laundering compliance.

FIAU reported a significant improvement among real estate agents that shot up to 73% from 40% in a year regarding the Business Risk Assessment.

Credit institutions made it to the top of the list with a 100% increase in having the Business Risk Assessment in place and the financial institutions made it to the second with 94%.

“The FIAU acknowledges the subject persons’ commitment to engage consultants to assist them in carrying out certain anti-money laundering and financing of terrorism obligations. However, subject persons remain solely responsible for the BRA and most importantly should ensure that they have knowledge of both the content and result of it,” the FIAU said.

The FIAU highlighted that the BRA must not be a side document that the operators are required to fulfil. It must be tailored to represent the business operations, scenarios, and models.

The financial watchdogs revealed that a number of operators took the help of consultants to carry out the risk assessment and they were responsible and understood the importance of the exercise.

FIAU analysed one risk assessment and discovered that “An operator listed the application of client due diligence (CDD) measures as a safeguard against risks arising from exposure to politically exposed persons (PEPs).” FIAU added, “This is not sufficient given that CDD measures are to be applied in all circumstances irrespective of the risk level. In cases PEPs, subject persons are expected to define in more detail the type of enhanced due diligence measures to be applied.”

Recent Posts

Blog
Periodic to Perpetual KYC — The Changing Landscape in Banks
The employment of effective Know Your Customer (KYC) procedures has long been a challenge for financial institutions, resulting in investments worth billions of dollars and numerous non-compliance penalties for major industry leaders. To counter the complexity and inconvenience of conventional methods of identity verification, KYC procedures must evolve in a way that lowers down the cost for a company while also maintaining regulatory compliance.

The Current State of KYC in Banking

In a traditional set-up, KYC processes are implemented on a periodic basis, with the frequency of the reviews varying between every financial institution. However, a significant amount of deficiencies within the traditional periodic KYC process have reinforced the need for a transition.

But before we get to that, let’s take a look at what happens in a periodic KYC review process.

What is KYC Periodic Review?

Periodic KYC involves the simple procedure of submitting the latest identity and address documents to the bank. This is initially done when the customer opens a bank account and the information is then updated at periodic intervals.
The Periodic KYC Process

Typically, compliance officers review the following elements during the periodic AML and KYC process:

Review of the customer’s information: This includes collecting and verifying their full name, date of birth, address, ID number, and the collection of the customer’s original ID documents to identify any material changes

Screening of the customer against global and country-based watch lists and sanctions

Reassessment of risk ratings in case of substantive changes in the ID documents (e.g. a different residential address)

Periodic review of the customer’s transactions and comparing it against forecasted account activity (this is generally performed via fully automated identity verification and screening tools)

Detection of potentially suspicious activities

Pinning Down the Problem

Responding back to periodic KYC data requests made by the bank drives customers crazy if handled incorrectly. At times, customers are even required to show up in person to have their documents verified. For most businesses, the emergence of artificial intelligence-backed identity verification solutions has eliminated the need for such manual methods of document verification. Nevertheless, a high amount of inefficiency still remains.

KYC experts are often caught up between the expectations of the bank and the customers. Repeatedly requesting for additional documents results in unsatisfied and frustrated customers — a situation that can prove to be detrimental to the financial well-being of a company.

With the bar on compliance being globally raised, the costs and resources associated with secure customer onboarding and periodic KYC checks have increased exponentially. Because of this, KYC procedures are often placed at the bottom of to-do lists, which ultimately harms the bank in the form of hefty non-compliance fines on top of reputational damage.

Is There An Alternative?

A basic solution to overcome the above-mentioned problems is to analyze the KYC process from the perspective of the customer i.e., the KYC procedures within a bank must be designed in such a way that the experience of the customer is optimized.

With the help of digital strategies – such as online customer portals, support for multiple channel communication, and direct engagement with bank branches or relationship managers, the inherent friction in obtaining the necessary customer documentation can be substantially reduced.

Further improvements in the efficiency, productivity, and customer experience can be gained by shifting from periodic KYC reviews to perpetual KYC.

What is Perpetual KYC?

In the perpetual “know your customer” process, also known as ongoing KYC, the information of the customer is updated based on specific triggers or events, rather than on the specified amount of elapsed time. Triggers for perpetual KYC can be determined by the bank’s internal KYC policies. Typically, it includes any event that indicates outdated information.

Once combined with robust KYC verification tools, customers can be engaged in the KYC process in a manner that makes sense to them and is not deemed as burdensome.

By gathering updated customer data on an ongoing basis, risk profiling can be enhanced which allows a bank to particularly focus on the customer accounts where the information or circumstances are changing. Additionally, whenever minor non-material changes occur, AI-powered automated processes will be updating records continuously.

What Makes Perpetual KYC Standout?

Due to ever-increasing AML and KYC regulations, having accurate and up-to-date customer information has become more crucial than ever. If banks aim to sustain themselves in a highly competitive market, they need to adopt a data-driven approach and perform ongoing KYC verification on their customers. The benefits of perpetual KYC include but are not confined to:

Mitigation of Friction in the Customer Relationship

For periodic KYC, relationship managers act as the middlemen. They are responsible for requesting current information and additional paperwork from customers and communicating this information back to KYC compliance officers. Repeated requests and resulting transaction delays, however, cause customers to feel dissatisfied with the bank’s customer service. This can result in long-lasting damage to the relationship.

Moving towards perpetual KYC procedures can eliminate this friction by greatly minimizing requests from clients. Customer information is updated based on event-based triggers, rather than a pre-defined period of time.

Risk Reduction

Imagine a scenario where a bank has onboarded a low-risk customer. In periodic KYC, their information is refreshed once every five years. After one year has passed in the five-year review period, this individual is nominated as the director of a firm and becomes a UBO. In addition, that firm’s parent company is domiciled in a high-risk territory. Unless the customer communicates this change to the bank, it may be left undetected for another four years. This can potentially increase the risk of financial crime exposure of the bank.

On the other hand, if this same bank had shifted towards perpetual KYC, the change in the customer’s circumstance would have been identified in mere seconds. Consequently, it would have initiated an immediate review and an updated risk assessment.

Key Takeaways

In a traditional set-up, KYC is implemented on a periodic basis

Periodic KYC has now become insufficient due to higher costs and lower levels of customer satisfaction

Perpetual KYC has the ability to fill these gaps and provides an edge in the form of risk reduction and elimination of friction

15 Billion Stolen Logins From 100,000 Breaches – Reveals New Dark Web Audit

The Current State of KYC in Banking

The Periodic KYC Process

Pinning Down the Problem

Is There An Alternative?

What is Perpetual KYC?

What Makes Perpetual KYC Standout?

Mitigation of Friction in the Customer Relationship

Risk Reduction

Key Takeaways

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.

Sweden

Cyprus

United Kingdom

Dubai

Add to your Homescreen!

15 Billion Stolen Logins From 100,000 Breaches – Reveals New Dark Web Audit

The Current State of KYC in Banking

What is KYC Periodic Review?

The Periodic KYC Process

Pinning Down the Problem

Is There An Alternative?

What is Perpetual KYC?

What Makes Perpetual KYC Standout?

Mitigation of Friction in the Customer Relationship

Risk Reduction

Key Takeaways

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.

Add to your Homescreen!