HSBC Data Breach Highlights the Dangers of New Account Fraud Attacks

New Account Fraud

HSBC, the world’s twelfth largest financial services organization, has reported that a little under 1% of its U.S. checking accounts were accessed by unauthorized users in early October. As industry analyst Ron Shevlin has pointed out, 1% of HSBC accounts is roughly the number of all accounts in a mid-sized bank or credit union. In this blog, learn why new account fraud is increasing and how you can stay safe.

What Is New Account Fraud?

New account fraud occurs when a criminal uses someone else’s personal information to open an account, usually with a financial services organization, in that other person’s name. Once that account is open, the criminal can take additional steps, such as applying for credit or using the account to gain access to another, even more lucrative account.

HSBC hasn’t released information about funds being stolen through this data breach. When these types of attacks occur, fraud operators often take advantage of account access to transfer funds to other accounts or to open new accounts, using information collected from the breached accounts.

Through this unauthorized access, fraud operators were able to collect:

  • Account holder names
  • Home addresses
  • Dates of birth
  • Account numbers
  • Account balances
  • Transaction histories
  • Payee account numbers

From Stolen Passwords to Stolen Funds

How did the attacks occur? The modus operandi appears to have been the reuse of passwords stolen in other data breaches, such as the Yahoo! data breach of 2013.

How do data breaches from sites like Yahoo! in years gone by make it easier for thieves to pilfer HSBC bank accounts in 2018?

Let’s connect the dots.

First, there have been a lot of data breaches over the past few years. Some, like the Target data breach of 2013, leaked credit card and debit card information. Others, like the Equifax data breach of 2017, disclosed all sorts of consumer information, including names, addresses, and Social Security numbers of 143 million Americans.

The Yahoo! data breaches revealed about 3 billion usernames and passwords. It’s safe to say that, even if 25% of these Yahoo! accounts were duplicate accounts, these breaches affected about one out of three or four people on the planet.

There have been other big data breaches, too. About 2.3 billion login credentials were leaked in 2017 alone, the result of data breaches across 51 organizations.

Why Breaches Matter

Here’s why these breaches matter, beyond giving criminals access to accounts at sites like Yahoo!

The average consumer today is awash in login credentials. Consumers are prompted for passwords when they check their bank balance, check their email, upload photos, book a hotel, check airline prices, and so on.

The mental exertion of keeping all these passwords straight leads some consumers to select ridiculously easy passwords. In a 2017 survey of leaked passwords, software vendor SplashData reported that the most common passwords across multiple sites were ‘123456’ and ‘password.’ Other popular passwords included ‘iloveyou’ and ‘starwars.’ The consumers using these passwords choose to ignore warnings about the necessity of using hard-to-guess passwords to ensure the security of their accounts.

But from the point of view of preventing account takeovers, the biggest problem is that password fatigue leads users to re-use passwords across multiple accounts. For example, a consumer, tired of having to keep track of three different passwords at work, might decide to use the same password for his bank login, his login, and his personal email login, which happens to be Yahoo!

Password re-use is pervasive. The typical U.S. consumer has 23 online accounts that require passwords. But that same consumer is typically using only 13 passwords across all those accounts. And 31% of consumers (nearly a third of U.S. adults) use only one or two passwords across all their online accounts.

The danger is obvious. If the username for each of these accounts is the consumer’s email address, then criminals who gain access to a consumer’s Yahoo! password have also gained access to the password for his bank account and his Macy’s account. Knowing a username and password turns out to open a lot of digital doors.

Large-Scale Hacking with Credential Spills

In the world of cybersecurity, data breaches involving account passwords are known as credential spills, because what’s being spilled or leaked are login credentials. Criminals use credentials spilled from one site to try to access accounts on other sites.

Criminals buy stolen credentials on the Dark Web (the online black market for stolen data and hacking tools), and they load them into scripts that automatically enter these stolen credentials on the login pages of popular sites.

About 90% of the login attempts on popular retail sites like are script-driven login attacks using stolen credentials. For consumer retail banks, the percentage is lower but still alarmingly high: “only” 58%.

In other words, nearly two-thirds of the login attempts at bank sites are using stolen credentials. And some of those credentials will work, granting criminals unfettered access to consumer accounts.

Security vendor Shape Security estimates that U.S. retail banks cumulatively suffer $5 million in losses every day from logins using stolen credentials. That’s over $1.6 billion per year. In the financial services industry overall, losses from account takeovers reached $5.1 billion in 2017, an increase of 120% from 2016, according to Javelin Strategy & Research.
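The script-driven login attacks described above leave a recognizable trace in a site's own login logs: one source cycling through many different usernames with mostly failed attempts, which is unlike a human who mistypes one password. The following is an added, defender-side example (not code from the original post or from any vendor named in it) that scans constructed sample log lines for that pattern and reports which usernames succeeded from a flagged source, so those accounts can be forced through a password reset or step-up check; the log format, field names and thresholds are assumptions.

```python
"""Flag credential-stuffing sources in web login logs (defender-side example)."""
from collections import defaultdict
import re

# Constructed sample log lines (not from HSBC or any real system).
SAMPLE_LOG = """\
2018-10-04T10:15:01Z ip=203.0.113.7 user=alice@example.com result=fail
2018-10-04T10:15:02Z ip=203.0.113.7 user=bob@example.com result=fail
2018-10-04T10:15:02Z ip=203.0.113.7 user=carol@example.com result=fail
2018-10-04T10:15:03Z ip=203.0.113.7 user=dave@example.com result=success
2018-10-04T10:15:04Z ip=203.0.113.7 user=erin@example.com result=fail
2018-10-04T10:15:05Z ip=203.0.113.7 user=frank@example.com result=fail
2018-10-04T10:16:10Z ip=198.51.100.20 user=alice@example.com result=fail
2018-10-04T10:16:20Z ip=198.51.100.20 user=alice@example.com result=success
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(success|fail)")

def analyze(log_text, min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources whose pattern looks like credential stuffing.

    A single IP trying many *different* usernames with mostly failed logins
    matches a stolen-credential list being replayed; a forgetful human retries
    one username a few times. Thresholds are assumed tuning values.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip, user, result = m.groups()
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(user)  # accounts that opened for this source
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2), "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The successful login from the flagged source is the account a defender would treat as taken over, even though the password was "correct".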

Guarding against Account Takeovers

What should organizations do to minimize the risk of account takeovers? Here are four suggestions:

  1. Encourage customers to create unique passwords for their accounts, rather than re-using passwords from other accounts.

  2. Offer two-factor authentication, such as SMS codes, so that customers can avail themselves of more stringent security, at least when logging in from a new device.

  3. Require customers to present government-issued IDs (as they have to do legally when opening bank accounts) when opening any type of financial account and when engaging in risky transactions, such as high-value cash transfers.

  4. Implement real-time identity verification services across all digital channels, so that identity verification and account opening can be quick, seamless interactions that never degrade the quality of the customer’s experience.

How Identity Intelligence Solutions Secure Access to Accounts from Any Device

At Accelitas, we provide Identity Intelligence solutions that leverage Artificial Intelligence (AI) and alternative data to provide highly predictive analytics for organizations of all kinds. Using our Accelerated Insight® API Platform, organizations can strengthen their account access controls across all channels by requiring consumers to present government-issued IDs for critical interactions such as account opening and fund transfers above a specific threshold.

Using Accelerated Insight, organizations can create applications and services that:

Preventing New Account Fraud with ID Authentication from Accelitas

How can Accelerated Insight services help financial services organizations, or any other business offering digital account opening, to prevent new account fraud? Here are three ways:

  • Authenticate IDs at account opening.
    Use Accelerated Insight to authenticate the ID of any user opening an account. ID authentication makes it much more difficult for a fraud operator to open an account using information stolen from another account. In addition, it provides the organization with a tokenized image of the consumer’s ID, which can be used to rapidly authenticate account holders upon subsequent occasions.

  • Require ID authentication for anomalous account access.
    Is a consumer accessing an account from another country, an unfamiliar location, or an unfamiliar device? Organizations have the option of requiring users to verify their identities by re-submitting an ID for authentication, preventing fraud operators who have purchased stolen credentials from gaining access to accounts.

  • Require ID authentication for high-risk transactions.
    Is a consumer transferring large funds from an account? Organizations can enforce policies that require ID authentication before any high-risk transaction is approved.
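The four suggestions and the three ID-authentication triggers above amount to a risk-based step-up policy: decide, per request, whether a password is enough, whether a second factor is needed, or whether the user must re-present an ID. The following added example (illustrative code, not Accelitas's or any bank's implementation) encodes those rules as one decision function over an access context; the tiering of new-device versus new-country cases, the high-value threshold and the field names are assumptions.

```python
"""Risk-based step-up authentication policy (illustrative, not vendor code)."""
from dataclasses import dataclass, field

PASSWORD_ONLY, SECOND_FACTOR, ID_VERIFICATION = "password_only", "second_factor", "id_verification"
HIGH_VALUE_THRESHOLD = 5000.0  # assumed policy value, in the account's currency

@dataclass
class AccessContext:
    action: str                  # "login", "open_account" or "transfer"
    device_id: str
    country: str
    amount: float = 0.0          # only meaningful for "transfer"
    known_devices: set = field(default_factory=set)
    home_country: str = "US"

def required_assurance(ctx):
    """Return (assurance level, reasons) for a request.

    Password alone: routine login from a known device in the usual country.
    Second factor: an unfamiliar device OR an unfamiliar country (assumed tier).
    ID verification: account opening, a transfer at or above the threshold,
    or an unfamiliar device AND an unfamiliar country at the same time.
    """
    reasons = []
    if ctx.action == "open_account":
        reasons.append("account opening")
    if ctx.action == "transfer" and ctx.amount >= HIGH_VALUE_THRESHOLD:
        reasons.append("high-value transfer")
    new_device = ctx.device_id not in ctx.known_devices
    foreign = ctx.country != ctx.home_country
    if new_device and foreign:
        reasons.append("unfamiliar device and location")
    if reasons:
        return ID_VERIFICATION, reasons
    if new_device:
        return SECOND_FACTOR, ["new device"]
    if foreign:
        return SECOND_FACTOR, ["unfamiliar location"]
    return PASSWORD_ONLY, []

if __name__ == "__main__":
    known = {"phone-1"}
    for ctx in (AccessContext("login", "phone-1", "US", known_devices=known),
                AccessContext("login", "laptop-9", "FR", known_devices=known),
                AccessContext("transfer", "phone-1", "US", 12000.0, known)):
        print(ctx.action, ctx.device_id, ctx.country, "->", required_assurance(ctx))
```

A stolen password replayed from an unfamiliar device and country never reaches the account with the password alone, which is the property the recommendations above are aiming for.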

By requiring fast, easy ID authentication (a process that authenticates images submitted from a smartphone, tablet, or desktop in under 10 seconds), financial organizations can prevent account takeover fraud from compromising accounts.

Credential spills have already occurred, compromising the security of billions of accounts. Relying on password-based authentication is simply not sufficient to protect financial services accounts.

ID authentication from Accelitas can help organizations (financial institutions, alternative financial services, or any business that needs to conduct business online) prevent account takeover fraud and the loss of funds and reputation that results from those attacks.

To learn more about our Identity Intelligence solutions, schedule a free consultation.

Tags: Identity Intelligence

Posted by John Bennett on 11/21/18 9:47 AM