The Connected Cybercrime Ecosystem & the Impact of the Capital One Breach

A company's security battle is not between that company and a specific fraudster; rather, it's between the company and a connected cybercriminal ecosystem.

Kevin Gosschalk, CEO of Arkose Labs

October 14, 2019


It's been about two months since one of the biggest data breaches in history was announced: A hacker gained access to more than 100 million Capital One customers' accounts and credit card applications.

The announcement made global headlines and left consumers and businesses reeling, but it did not come as a surprise to us. With the recent increase in attack volumes within the Arkose Labs network, we knew something of this magnitude had occurred. It was clear that fraudsters had gotten access to new, powerful information to weaponize.

When analyzing attack patterns, the impact of any breach is instantly visible, sometimes months and years before the breach is discovered and reported. The size and severity of the Capital One breach, the type of data that was compromised, and the customers that have been affected (subprime borrowers and small and midsize businesses [SMBs]) are having a significant impact on the increasingly complicated — and connected — cybercrime ecosystem.

A colleague of mine worked at Capital One for years and remarked how it was there that she learned the value of data and analytics, how it affects profitability and growth, and how it can help predict customer lifetime value and engagement. She and her colleagues would hold heated, data-driven debates on the best ways to engage with the subprime population and successfully use data to build out the digital acquisition channel to target small-business owners.

She made it clear that Capital One understood — and championed — the value of customer data.

And now the same data — data used by Capital One to strategically fuel growth, target businesses, and identify which consumers would provide the most long-term value — is exposed on the Dark Web. Here, it will continue to be used to strategically grow the business of fraud, putting SMBs, consumers, and even large enterprises at heightened risk of attack.

The grim reality is that in today's digital landscape, it wasn't a matter of if but when we would witness another breach with an impact akin to Equifax in 2017 — where the quality of data exposed paints a frighteningly accurate portrait of one's financial health and where the devastating ripple effects of fraud will be felt by end users even years later.

And now, it's more important than ever that businesses understand the role that each breach plays in advancing a criminal's intel and the larger fraud landscape.

The cybersecurity ecosystem is fueled by data, and there are whole enterprises on the Dark Web dedicated to buying and selling customer data and running identity farms. What companies don't understand is that it takes a village to launch a good attack, and cybercriminals have sophisticated and connected networks that give them easy access to a host of compromised credentials from various disconnected attacks. When combined, fraudsters have a significant amount of customer data at their fingertips — from financial and bankruptcy status to Social Security numbers to even beauty preferences and consumer biometrics, as exposed in the Sephora and Suprema breaches. Criminals have unprecedented levels of insight into customers, which can be weaponized for future cyberattacks.

The Capital One incident underscores the fact that there is an abundance of data available that criminals can — and will — exploit to commit sophisticated fraud attacks, such as account takeover attacks, credential stuffing, and single request attacks. It's also a scary reminder that data and digital identity are the two currencies that matter most in our digital economy.

As we head into the holiday season, it's clear that the Capital One breach will play a big role in holiday retail fraud. The retail industry is very susceptible to seasonal and human-driven fraud. In fact, our recent "Fraud and Abuse Report" found that more than half of attacks on retail companies were human-driven. Unlike bot traffic, inauthentic human traffic is harder to detect because human behavior is unpredictable and highly nuanced.

Inauthentic human fraud is also powered by data.

We know that fraudsters are preparing to launch large-scale attacks on vendors by validating and testing stolen identities, credentials, and credit card information compromised in recent breaches.

A company's uphill security battle is not between the company and a specific fraudster; rather, it's between the company and a connected cybercriminal ecosystem. Fraud is evolving, and the longstanding approach of removing a criminal's financial incentive to attack is the only solution.


About the Author

Kevin Gosschalk

CEO of Arkose Labs

Kevin Gosschalk is the CEO and Cofounder of Arkose Labs, where he leads a team of people focused on telling computers and humans apart on the Internet. Before Arkose Labs, Kevin worked on gaming hardware for the intellectually disabled at the Endeavour Foundation and built a unique device incorporating Microsoft's Kinect Camera technology. Noted for his involvement in interactive development and machine vision, Kevin then turned his expertise to automated abuse and human verification — often regarded as the Internet's impossible problem. Today, Arkose Labs has transformed the irritating chore of comprehension into an SLA-guaranteed technology that prevents automated abuse for brands like Electronic Arts, Singapore Airlines, and Roblox.
