
  • The Three Factors of Authentication: A Fraudster's Playground

    Online accounts are protected by the three factors of authentication: something you know (like a password), something you have (like a phone), and something you are (like a fingerprint). These factors are designed to keep our accounts secure, but fraudsters constantly find new ways to compromise them.

    Something You Know: The Data Breach Bonanza

    Fraudsters scoop up usernames and passwords from compromised companies, and they have been doing that since digital passwords were invented. Fraudsters develop phishing scams to fool users into handing over credentials, thinking they are interacting with legitimate businesses. Don't click that link!

    And let’s not forget malware. It is estimated that more than 1 billion malware programs are currently in existence (with more created every day), automatically mining and sending information without the user knowing. It's like a digital spy in a computer, stealing information right from under a user's nose.

    2022 saw a record 24 billion passwords exposed.
    - New York State Attorney General

    Something You Have: The Social Engineering Shuffle

    "Something you have" isn't safe either. Fraudsters use social engineering to convince users (or their cell carrier) to give them access to a phone or SIM card. They might pretend to be from a user's bank or phone company, and before the scam is discovered, they've got control of the accounts. It's like a magic trick, but instead of pulling a rabbit out of a hat, they're pulling money out of the user's bank accounts. Don't click that link!

    Something You Are: The Metadata Mimic

    Even "something you are" can be compromised. Fraudsters can't change a fingerprint or a face, but they can mimic metadata. They log into accounts with stolen credentials and make their activity look just like the account owner's. They use the same IP address, the same browser, even the HTTP referrer. It's like they're wearing a digital mask, and it's good enough to fool even the most sophisticated security systems.

      • September 2013 - Apple introduces the iPhone 5S with TouchID
      • September 2013 - Chaos Computer Club bypasses Apple’s TouchID
      • November 2017 - Apple introduces FaceID on the iPhone X
      • November 2017 - Vietnamese firm Bkav bypasses Apple’s FaceID

    Even one of the largest, most tech-savvy companies in the world isn’t immune to hackers getting past its security measures.

    The Bottom Line

    The three factors of authentication are supposed to be our digital fortress, but fraudsters are constantly finding new ways to breach the walls. They're clever, they're persistent, and they're agile, always working to stay one step ahead. So, what can be done?

      • Be risk-aware about where you are entering passwords
      • Don’t reuse passwords
      • Use strong, unique passwords
      • Regularly scan for viruses
      • Update computer software and operating system
      • Be vigilant about phishing scams
      • Use multi-factor authentication where it makes sense
      • Carefully evaluate links before clicking
      • Don’t assume urgent texts/emails are from legitimate sources

    Remember, the three factors of authentication are only as strong as the weakest link. By staying informed and taking precautions, we can make it harder for fraudsters to compromise our accounts and keep our digital lives safe.

    Author

    For more than 20 years, Georgia-based myNetWatchman has been examining attack traffic and monitoring criminal activity as it happens, even years before a company realizes a data breach has occurred. This method of “watching” the bad guys means myNetWatchman gives customers access to the earliest detection and highest remediation of compromised logins and account credentials on the market. Earliest detection on the darknet of the testing, use, or sale of compromised credentials is the most foolproof way to protect against account takeover, Active Directory exploits, ransomware attacks, industrial espionage, and more.

  • Bruce Lee Got it Right, “Be Like Water” or “Don't Block IP Addresses”

    In the world of online security, it's tempting to take a rigid, unyielding stance against bad actors. Block any suspicious IP address, and bam – problem solved, right? Not quite. As a fraud prevention expert, I've learned that a more nuanced approach often yields better results: instead of simply blocking IP addresses and being blind to threats, "be like water," as Bruce Lee said, and adapt to them.

    The Problem with IP Blocking

    Many security solutions rely heavily on IP address blocking as a primary defense mechanism. While seemingly straightforward, this tactic is fraught with issues:

      • Dynamic IP Addresses: IP addresses aren't static. They can change frequently, leading to the blocking of innocent users who now share an IP address previously used by a bad actor. Imagine getting locked out of your favorite online store because of someone else's malicious activity!
      • Unwitting Accomplices: Legitimate users can become collateral damage. Malware on a user's device can generate malicious traffic, triggering an IP block and preventing the actual user from accessing a website, even though they are unaware of the problem.
      • Transparency Aids the Enemy: Blocking an IP address after a certain number of failed logins can inadvertently reveal your security measures to attackers. Savvy fraudsters can adjust their tactics, using "low and slow" attacks or rotating proxies to circumvent these thresholds.
      • You Can’t Fix What You Can’t See: Once IP addresses are blocked, fraud mitigation systems can no longer see what the fraudsters are doing; they are essentially blind to the tactics being deployed.

    Embrace Fluidity, Not Rigidity

    "Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it."
    - Bruce Lee

    Instead of outright blocking, consider a more adaptive approach:

      • Gather Intelligence: Allowing suspicious activity, while closely monitoring it, provides valuable insights into attacker behavior. Track patterns in login attempts, analyze user agent strings, and observe browser language configurations. This data paints a more comprehensive picture of the threat landscape.
      • Develop Comprehensive Signals: By observing these patterns, you can identify unique indicators that transcend IP addresses. This allows you to track and mitigate malicious activity even when attackers switch proxies or employ other evasion techniques.

    At myNetWatchman, we still see millions of attacks against organizations that are using IP blocking tools. And as fast as those IP addresses get blocked, miscreants change IP addresses, making it a cat-and-mouse game. Meanwhile, user credentials are still being used, causing ATO to continue and, most likely, increase. Stopping ATO at the root cause with compromised credential screening is independent of IP address and helps organizations be more like water and adapt to the threat of ATO.

    Want to know more? Visit us at www.myNetWatchman.tech.

  • Act fast to stay ahead of fraudsters

    Credential stuffing is a middle step in a multi-faceted process that sees consumer login credentials go from being compromised to being monetized. Credentials can be compromised through a data breach, captured via keystroke logger malware, or handed over by a consumer falling for a phishing attack. Cybercriminals then use credential stuffing to identify the compromised username/password pairs that are valid on other sites. The compromised credential pairs are often sold on the dark web to other cybercriminals who use the data to make fraudulent purchases, steal gift cards or reward point balances, scrape personally identifiable information (PII), take over accounts (ATO), and so on.

    The reality is most companies only become aware that an account is compromised after a bad actor commits fraud or steals data. In this case the consumer isn't going to be happy with the outcome, or with the experience of changing their credentials. Often they’ll blame the company even though they most likely hold some blame for the compromise. While most consumers will return to a solid brand company, they typically will shop somewhere else for a while. The company will likely lose some future business, reducing the lifetime value of the customer. Some consumers won't return to a company after they learn their account was hacked.

    Early detection and remediation of compromised credentials can increase the lifetime value of a customer while reducing loss. When done right, account protection has minimal impact on the customer experience and maintains the confidence and trust of customers.

    "24 hours is all it takes a sophisticated fraudster organization to steal, test, and put compromised data out on the dark web markets for sale. Experienced criminals have these steps optimized so they can maximize the value of the data they have acquired."
    - Don Bush, myNetWatchman

    In a recent blog post, we discussed the trade-offs between approaches to managing account takeover (ATO) risk that rely more on prevention versus remediation. Early detection of compromised credentials is presented as an example of prevention, but emphasis should be placed on early detection, which reduces risk and screening costs at subsequent events like a transaction.

    The challenge: how quickly compromised credentials can be detected. This Forbes article recommends real-time monitoring and detection tools as a best practice. But how is this done? Here’s how we take on this problem.

    Our Solution

    Our unique data and web insights allow us to see credential stuffing attacks in action across 1.5 million web domains each month, adding on average 10 million new compromised credential pairs every day to our proprietary data repository of over 35 billion exposed credential pairs.

    myNetWatchman’s Web Monitoring service continuously monitors an organization’s domains and/or email addresses, detecting credential stuffing attacks and compromised credentials, and sending you the signals you need to know about the attacks and what accounts were compromised.

    Our AllCreds service takes early detection further. When you include a check with AllCreds when your customer presents a credential (e.g., login or account creation), you’ll know if that credential was ever compromised anywhere, whether a bad actor was targeting your systems or not.

    Alerting a company's fraud prevention system to compromised credentials at account login or email usage, rather than discovering a problem at the fraudulent transaction, saves time, money and future losses. The time between a credential stuffing attack and fraudulent purchases can be your opportunity to act, even if it is only 24 hours!

  • PowerSchool Data Leak: A Case Study in a Failing Grade for Credential Security

    The PowerSchool data leak, as detailed in the Infosecurity Magazine article, serves as a stark reminder of the critical importance of protecting user credentials by implementing a service that checks users' usernames and passwords to see if they are known to be compromised, and by enforcing a strong password change policy. Here's what happened and how credential security--or lack thereof--was the real culprit.

    The Breach:

    Hackers gained access to PowerSchool's system, likely through stolen credentials, exploiting a vulnerability in the PowerSource support portal. This highlights a common attack vector: compromised credentials. Weak passwords, phishing scams, or credential reuse across platforms can grant unauthorized access to sensitive data.

    Why Protecting Credentials Matters:

      • They are the First Line of Defense: Usernames and passwords are the frontline defense against unauthorized access. Strong, unique credentials make it significantly more difficult for attackers to break in. And in this case, usernames and passwords could have been required to be updated and monitored for security.
      • Stolen Credentials Can Have Far-Reaching Impacts: In PowerSchool's case, compromised credentials led to the exposure of millions of students' and educators' personal data. This can have serious consequences, including identity theft, financial fraud, and even emotional distress. However, the damage goes beyond that when we consider that most often, a stolen credential is used to get into other accounts the user has online, for example where the user has reused the same credentials at banks, e-retailers, airlines or anywhere they have done business.
      • Compromised Credentials Can Lead to Lateral Movement: Once attackers gain access with stolen credentials, they can move laterally within a system, potentially accessing even more sensitive data.

    According to the 2024 Data Breach Report from the Identity Theft Resource Center, Education has been in the top five industries targeted by cybercriminals for the past two years.

    Lessons Learned:

    PowerSchool could have avoided this breach, or at least minimized its impact, by following the four steps below.

      • Assess - PowerSchool could have found weaknesses in their system with a simple credential pentest, highlighting areas that needed additional attention for proper security.
      • Detect - By deploying tools that constantly screen credentials for weaknesses, compromised users would have been identified before they caused a problem.
      • Prevent - Once identified, users should have been required to update compromised credentials, usernames and passwords, for the best protection against infiltration of the PowerSchool system.
      • Respond - Lastly, after a breach is confirmed, limiting exposure and liability is key. Comparing the breached data to data that has been actively used shows where to focus containment efforts and limit damage.

    The PowerSchool incident exemplifies the critical need for robust credential security practices. By following the steps outlined above, organizations like PowerSchool can significantly reduce the risk of data breaches and protect the sensitive information of staff and consumers entrusted to them.

    Learn more about MFA
    Learn more about credential monitoring

    What would we do?

    myNetWatchman has a full suite of products that manage every stage of an organization's security needs, from assessing weaknesses in ATO security to detecting and preventing ATO events and breach response. See more at our website www.mynetwatchman.tech.

    However, since the breach happened, a proper response is necessary to remediate the impact of the breach.

      • Compare the breached data against our repository of 35 billion compromised credentials to see if we have already seen some activity using compromised credentials.
      • Determine whether the credentials have been used by bad actors previously.
      • Determine which credentials are actively being used/tested, contact those users and have them take steps to secure their credentials.
      • Require usernames and passwords to be updated.

  • Canary in the Coal Mine: Detecting Account Takeover Before Your Digital Canary Dies

    The old practice of a canary in a coal mine served as an early warning system, detecting harmful gases before they claimed lives. Similarly, active web monitoring can be a digital canary, alerting businesses to potential threats before they escalate into full-blown account takeovers.

    Credential stuffing, a common cyberattack, leverages stolen credentials to gain unauthorized access to accounts. It's akin to a thief trying multiple keys on a set of doors. If successful, attackers can wreak havoc, from stealing sensitive data to fraudulent transactions.
    - David Montague, CEO MyNetWatchman

    Common fraud prevention tools, such as bot detection or IP blocking, are essential first lines of defense, allowing you to “blunt” an attack. However, they can lead to a false sense of security because it can be difficult to tell when an attack occurred, unless you are watching, and they won’t tell you what accounts were targeted or successfully compromised.

    An active web monitoring service is a crucial second line of defense, alerting you to ongoing attacks and compromised accounts. For example, we recently saw a company attacked, where millions of accounts were targeted for account takeover and over 1500 were successfully compromised. The attack occurred over the period of a week, and while the company was able to stop the scaled credential stuffing attack, we could see from our data they weren’t aware of the 1500 accounts the bad actor compromised out of the 8 million attempts.

    We have found that bot prevention and IP blocking security tools may reduce the size of most attacks, but they don’t really prevent all attack activity from an adversary; they can still hit you with smaller scale attacks and other forms of attacks.

    An active web monitoring service is like a digital canary, constantly testing the environment and sounding the alarm when a compromised identity is detected.

    You may need active web monitoring if:

      • You rely on existing bot detection solutions: While your current tools may be effective, they might not be able to detect all types of attacks or which accounts were compromised.
      • You're experiencing account takeovers: If you're still facing account takeover issues, web monitoring can help identify the root cause and implement additional safeguards.
      • You need to assess the effectiveness of your security measures: Web monitoring can provide valuable insights into the performance of your security tools and identify areas of weakness that you weren’t aware of.

    With active web monitoring, you can proactively detect compromised PII and credential pairs, and mitigate these threats. Add it to enhance your security detection plan to cover:

      • Real-time Monitoring: Continuously monitor for suspicious activity, such as unusual login patterns or unauthorized access attempts.
      • Behavioral Analytics: Analyze user behavior to identify anomalies that may indicate a compromise.
      • Threat Intelligence: Stay informed about emerging threats and vulnerabilities to proactively protect your systems.
      • Prompt Response: Have a well-defined incident response plan to quickly address security breaches.

    Active web monitoring is not a complex development effort; for most clients, it takes minimal effort. In many scenarios there is no development and a straightforward implementation - up and running in 24 hours or less. When you really need to know, web monitoring tools provide the peace of mind of knowing you can see issues before your customers, or worse the press, tell you about them.

    By acting as a digital canary, active web monitoring tools can significantly reduce the number of surprises from accounts being taken over and protect your business from financial loss, reputational damage, and legal liabilities.

    For more information and real-world cases using active web monitoring, click the links below.

      • MNW Case Study - Customer M - 10% of successful credentials were successful previously at other locations
      • Post - Anatomy of Email Compromise - myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly each day over a 3-month period

  • Please Don't Block My Grandma Because My Fridge is Hacked! (Or, Why IP Blocking is Dumb)

    Okay folks, gather 'round, let grandpappy regale you with a tale from the olden days... the retail days. Back then, we had these magical boxes called "cash registers" – no, not iPads, young'un, these were machines – and they had a wondrous key called "no sale." This little gem lets you open the cash drawer without actually, you know, selling anything.

    Now, my wise old mentor (he had a killer mustache, that guy) told me to never disable that key. Why? Because it's way easier to review footage of every time the drawer pops open than to squint at the end of every transaction, wondering if Brenda left it hanging.

    Some folks are obsessed with blocking IP addresses like they're swatting flies in Savannah in the summertime.

    Fast forward to my current gig battling fraudsters in the digital Wild West, and guess what? The same logic applies! But here's the thing: IP addresses are like pigeons – they move around. Think of it this way:

      • Your smart fridge might be a Russian spy. That's right, little Timmy's WiFi-enabled icebox could be the reason poor Mrs. Miggins in Florida can't buy her catnip online. See, Timmy's fridge got hacked, used to launch a cyberattack, and bam – the IP address is flagged. Now Mrs. Miggins is collateral damage.
      • Your computer might be possessed. Even if you're squeaky clean, your machine could be harboring some nasty malware, spewing out login attempts like a Pez dispenser. Suddenly, you're the one locked out, scratching your head and wondering if you accidentally subscribed to "Hacker Monthly."
      • Blocking is like a neon sign for bad guys. "Hey, you've reached the limit!" it screams. "Better try a different tactic!" Congratulations, you just helped the cyber-crooks refine their approach.

    So, what's the solution? Embrace the "no sale" philosophy! Let those baddies think they're getting away with it. Use that visibility to gather intel:

      • Weird browser language? Red flag!
      • Funky user agent string? Houston, we have a problem!
      • Suspicious HTTP referrer? Time to investigate!

    Instead of playing whack-a-mole with IP addresses, be like water, my friend. Adapt, flow, and outsmart those digital delinquents. As the great Bruce Lee once said (probably while fighting off a horde of hackers with nunchucks), "Be soft like water and flexible and adapt...to the opponent."

    Drop the ban hammer, pick up the magnifying glass, and let's catch some crooks!

  • Credential Stuffing

    Credential stuffing is still a popular cybercrime. What is it and what makes it so popular?

    What is it?

    Credential stuffing (AKA “cred stuffing”) is a type of cyber attack in which username and password pairs (“credentials” or “creds”) obtained from one source are attempted against other sites and systems. Criminal actors, sometimes referred to as cred stuffers, use automation to test large numbers of known credentials against various target systems, typically done systematically with credential testing tools that include proxies and bots. The goal of the cred stuffer is to find valid credentials - ones that can successfully access the target system.

    Why does it work?

    Credential stuffing works because people use the same username and password combinations on multiple sites. A valid credential at one site is likely to be valid at one or more other sites.

    Cred stuffing is effective because it is relatively easy to deploy on a large scale and can be difficult for targeted organizations to detect. It can appear to be a temporary distributed denial of service (DDoS) attack. Cred stuffing attacks leverage botnets and automation tools that include “IP hopping” capabilities, making the attack harder to detect because the traffic comes from multiple sources. Most companies don’t make use of fraud detection tools at login and won’t make a connection that a cred stuffing testing event is “bad” unless it ends up in a loss event or Account Takeover (ATO) for them.

    “While DDoS attacks may persist for reasons that defy logic, stuffing attacks only persist for one reason: Because they are successful at monetizing validated credentials with an acceptably low corresponding effort.”
    Lawrence Baldwin, CIO myNetWatchman

    Why do criminals do it?

    The short answer is because it's profitable. Credential stuffing attacks are successful at monetizing validated credentials with an exceptionally low corresponding effort.

      • Low input costs - Creds are cheap and readily available on the dark web from data breaches, phishing attacks, or keylogging malware. The supply of creds is literally in the billions. Additionally, cred stuffing automation tools are available for criminals who don’t want to create their own.
      • A lot can be done with little effort - An automation or bot can run thousands or millions of credentials in a relatively short amount of time. Some criminals also automate password iterations, like adding digits to the end of a current password to generate additional passwords. Think your site is protected by that password policy that forces a number? A cred stuffing bot can be designed to append a “1” at the end of each known compromised text-only password, for example.
      • Easy to monetize - The cred stuffer can use the successful credentials themselves to commit various types of ATO related fraud, like siphoning stored value, stealing other user data, fraudulent purchasing, funds transfer, etc. Cred stuffing increases the value of the inexpensive creds they purchased on the dark web. Or they can act as a middleman, simply selling the successful credentials to other criminals at a higher price for the guarantee of success.

    “The main reason cred stuffing works is because people use the same username and password on multiple sites. A valid credential at one site is highly likely to be valid at another site.”
    Lawrence Baldwin, CIO myNetWatchman

    Even though the success rate of credential stuffing is low (typically less than 1%), the low entry costs, high volume of playable credentials, and high usefulness of a valid credential make the effort worthwhile. Think of cred stuffing as a way to add value to a massive data set of stolen creds by providing a smaller set of stolen creds that are active and knowing where to use them.

    Organizations should be looking for credential stuffing attacks to keep accounts safe and limit damage from potential ATO. myNetWatchman’s web monitoring service alerts companies when credential testing is being seen live on their site, not just notifying them that it is happening but specifying what accounts are being impacted. This is valuable and actionable information about credentials that are being presented in real-time, not just credentials known to have been compromised in a breach.

    In the small client case study below, you can see criminal tactics and that credential re-use by individuals helps criminals.

    Identifying Credential Stuffing

    Many organizations don’t realize credential stuffing is an issue because they don’t recognize that it’s occurring. Symptoms include a high volume of unsuccessful login attempts, a large number of successful logins followed by no subsequent activity, as well as tumbling and swapping attempts. Tumbling involves slight variations to the password on subsequent login attempts, such as trying “Qwerty1”, “Qwerty123” and other variations after the compromised password “Qwerty” did not work.

    A high volume of successful logins followed by no further activity is likely to stay under the radar for most organizations, but it is indicative of a criminal actor testing credentials to sell on the dark web to others. Similarly, an organization might see a series of actions taken after the login attempt, such as going to the user profile or edit user details page to scrape other information that may be included there, such as name, phone number and physical address.

    Organizations should not just assume that credential stuffing is not occurring if they haven’t actively looked for signs of it occurring. Even if actively looking, these signs can be difficult to uncover. It is critical to know when credential stuffing is happening and on what accounts. Organizations that do not have detection or mitigation strategies in place should consider a cybercredential assessment.

    Stuffing is costly to the targets

    Credential stuffing can harm organizations with direct financial losses through fraudulent transactions, theft of intellectual property, or ransom demands for stolen data. The brand risks and loss of customer lifetime value associated with account takeover that results from cred stuffing are difficult to quantify, but undoubtedly large. There are likely other indirect costs associated with incident response, legal fees, and regulatory fines.

    “The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.”
    Business guide for credential-stuffing attacks | New York State Attorney General

    Users whose valid credentials were obtained through stuffing can suffer in many ways from account takeover (ATO). Depending on the account taken over, criminals can steal stored-value or gift cards, commit identity theft with stolen personal information, or create fraudulent transactions of all types. Consumers may also lose confidence in the provider because of the frustration of dealing with ATO, or blame the provider for poor security practices.

    Mitigating credential stuffing attacks is a way to protect consumers against themselves and their tendency to reuse creds across multiple sites. Consumers tend to conflate the issues or are unaware of the breach that compromised their creds initially, instead focusing that blame on the account or organization that allowed unauthorized access to their account.
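
    The symptoms listed under "Identifying Credential Stuffing" (failed-login volume, tumbling, and successful logins with no follow-on activity) can be checked per account rather than per IP. The sketch below is an added example, not myNetWatchman code; the event fields, thresholds, the keyed "base password" fingerprint and all sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a per-deployment secret, so stored fingerprints are keyed MACs.
FINGERPRINT_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Event:
    ts: int        # seconds from the start of the observation window
    session: str
    account: str
    kind: str      # "login_fail", "login_ok", or a post-login action name
    ip: str
    pw_full: str = ""   # MAC of the submitted password (login events only)
    pw_base: str = ""   # MAC of the password minus trailing digits/symbols


def _mac(value):
    digest = hmac.new(FINGERPRINT_KEY, value.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def login_event(ts, session, account, ok, ip, password):
    """Record a login at the auth layer without keeping the raw password."""
    # "Qwerty", "Qwerty1" and "Qwerty123" all reduce to the base "qwerty".
    base = re.sub(r"[\d\W_]+$", "", password).lower() or password
    kind = "login_ok" if ok else "login_fail"
    return Event(ts, session, account, kind, ip, _mac(password), _mac(base))


def detect(events, window_end, min_fails=5, min_variants=3, idle_secs=600):
    """Return the three symptoms, keyed by account rather than by IP."""
    fails, fail_ips = defaultdict(int), set()
    variants = defaultdict(lambda: defaultdict(set))  # account -> base -> fulls
    logins, active = {}, set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in ("login_fail", "login_ok"):
            variants[e.account][e.pw_base].add(e.pw_full)
        if e.kind == "login_fail":
            fails[e.account] += 1
            fail_ips.add(e.ip)
        elif e.kind == "login_ok":
            logins[e.session] = e
        elif e.session in logins:
            active.add(e.session)  # any action after a successful login

    # Tumbling: several distinct passwords sharing one base on one account.
    tumbling = sorted(
        acct for acct, bases in variants.items()
        if any(len(fulls) >= min_variants for fulls in bases.values())
    )
    # Successful login, no later action, and enough time has passed to judge.
    silent = sorted({
        e.account for s, e in logins.items()
        if s not in active and window_end - e.ts >= idle_secs
    })
    total_fails = sum(fails.values())
    return {
        "failed_logins": total_fails,
        "accounts_targeted": len(fails),
        "source_ips": len(fail_ips),
        "volume_alert": total_fails >= min_fails and len(fails) > 1,
        "tumbling": tumbling,
        "silent_successes": silent,
    }


def sample_events():
    """Constructed events: one IP-hopping stuffing run plus two real users."""
    return [
        login_event(0, "s1", "alice", False, "198.51.100.7", "Hunter2"),
        login_event(2, "s2", "bob", False, "203.0.113.9", "Qwerty"),
        login_event(4, "s3", "bob", False, "192.0.2.44", "Qwerty1"),
        login_event(6, "s4", "bob", False, "198.51.100.23", "Qwerty123"),
        login_event(8, "s5", "carol", True, "203.0.113.80", "Sunshine9"),
        login_event(10, "s6", "frank", False, "192.0.2.200", "Dragon"),
        # Real user with a typo: only two variants, below min_variants.
        login_event(20, "s7", "dave", False, "192.0.2.10", "Summer2024"),
        login_event(25, "s7", "dave", True, "192.0.2.10", "Summer2024!"),
        Event(30, "s7", "dave", "view_orders", "192.0.2.10"),
        login_event(40, "s8", "erin", True, "192.0.2.77", "CorrectHorse"),
        Event(45, "s8", "erin", "view_profile", "192.0.2.77"),
    ]


if __name__ == "__main__":
    for key, value in detect(sample_events(), window_end=3600).items():
        print(f"{key}: {value}")
```

    Every failed attempt in the constructed run comes from a different address, so a per-IP threshold would never fire, while the per-account view still flags the tumbled account and the silent success.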

  • myNetWatchman Announces New CEO

    Proven Fraud and Security Executive David Montague to Succeed Lawrence Baldwin as CEO.

    myNetWatchman today announced the appointment of David Montague as myNetWatchman’s CEO, effective as of May 1, 2024. Mr. Montague will succeed Lawrence Baldwin, who has served as the Company’s CEO since its formation in 2001. Mr. Baldwin founded the company and will continue to be at the company as the Chief Innovation Officer, working closely with Mr. Montague to ensure a smooth transition.

    Mr. Montague is a risk and security executive and GM with highly specialized skills in eCommerce, fintech, payments, fraud, risk and security. His skills have been leveraged into executive positions at leading technology companies like Amazon, Expedia and IBM, and consulting firms like The Fraud Practice Inc. A true technology leader, David blends business acumen, empathy and technical expertise to solve the toughest challenges facing enterprises today, from growth in the age of heavy and steady cybercrime and explosive enterprise application deployments through to accelerated digital transformation.

    “David Montague is an executive that brings a wealth of knowledge on the fraud and security industry and he has a track record for helping emerging fraud companies to become growth companies,” said Lawrence Baldwin, Founder myNetWatchman.

    “I am truly honored to have the opportunity to lead myNetWatchman as we build on the foundations established by Lawrence, Jen, Rob, the leadership team, and our workforce. I see tremendous opportunity for myNetWatchman as companies are starving for more effective and customer friendly approaches to confirm identity (email, credit card, username & password) and user credentials aren't compromised. I believe this need will only grow as bad actors make more use of ATO and synthetic identities in their attacks. I will work to grow the company by introducing products that make use of the company's unique ability to see into live bad actor traffic to become the market's leader in being able to say if these key identity attributes are compromised or synthetic.”
    David Montague, CEO myNetWatchman

    Mr. Baldwin continued, “On behalf of the company, I would like to welcome David, and I look forward to working with him.”

    About myNetWatchman

    Georgia-based myNetWatchman has been providing cyber fraud intelligence data for more than 20 years to retailers, financial services, insurance, and other industries. With over 10 years of live data surveillance, the company manages a continuously growing data repository containing over 30 billion exposed credential pairs and protects over 550 million users for their clients.

  • Anatomy of Email Compromise

    At myNetWatchman, we see millions of email account compromises each year. Email account takeover is a dangerous starting point for further attacks such as takeover of other accounts that are using that email address as contact information, highly targeted phishing campaigns, or access to sensitive information to use later for ransom or exploitation. One of the aspects that makes email account takeover especially troublesome is that fraudsters can delete incoming emails, such as those confirming purchases or password changes, as they access other accounts associated with the compromised email. In short, an email account is the key to a consumer’s digital castle.

    Organizations unable to see signs that a user account’s email address may be compromised are missing out on an extremely valuable high risk signal. Businesses that use the email address as a point of contact, and especially businesses that use the email address as a method for completing 2FA, need to be aware when a user’s email address has been taken over. A takeover renders 2FA relying on the email address insecure and is also a strong risk signal to consider when a user attempts to change their password or other account details.

    Through our proprietary real-time data observations and analytics, myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly each day over a 3-month period. During that time, over 4,000 email messages were retrieved from the inbox while the bad actor(s) performed inbox searches of 1,800 keywords. These keyword searches were telling in terms of what the bad actor was attempting to accomplish. This included searches on keywords such as:

      • Bitcoin, Ethereum and other cryptocurrencies – These searches could unveil what trading platforms or services the email account holder uses to hold digital assets. This could lead to highly targeted phishing campaigns mimicking the platform the consumer utilizes. These same crypto trading platforms could also be targeted with credential stuffing or ATO attacks, in hopes that this compromised email address is a method used for completing two-factor authentication (2FA).
      • PayPal and common bank names – Knowing what financial institutions and financial services companies a consumer uses enables the bad actor to craft highly targeted phishing attempts. If the bad actor sees emails with one-time passcodes for completing 2FA, the services sending these codes will also be targeted with ATO.
      • Gift Cards and Virtual Gift Cards – Often virtual gift card numbers are provided in plain text emails. Fraudsters can easily check the balances on these gift cards and spend them before the consumer does.
      • Shipment tracking – Shipment hijacking is a common scheme where fraudsters attempt to reroute or change the delivery address on a shipment. High value or easily resold consumer products are prime targets.
      • Loyalty programs and rewards points – Loyalty program fraud is a growing issue and something bad actors can pull off with relative ease once they take over a consumer’s account with a rewards point balance. They spend, transfer or claim the reward points balance, draining the customer’s account, resulting in frustration and brand damage.

    myNetWatchman’s Email Reputation service allows organizations to identify when a user’s email account has been, or is actively being, accessed by criminals. With Email Reputation an organization can get as much detail as they need for their risk decision or investigation:

      • aggregated counts of how many different places we see bad actors testing or using the email
      • names of the sites where it is being tested or used, if it was successful, and the dates the email was first and last seen
      • we can share with you what the bad actor was searching for in the compromised email account

    Knowing if an email is compromised is a valuable signal if an organization sees account changes attempted, especially changing the username, contact email or login password. If an organization relies on email-based 2FA, then this risk signal is vital. Utilizing this as a valuable high risk signal further extends to purchase and transaction events, such as using a stored billing instrument to purchase and ship a product to a never-before-seen address.

    As email accounts serve as a consumer’s keys to their digital castle, understanding risk around email compromise is paramount for all organizations who leverage access to that email account as a means of verification.

  • The Security Paradox: How to Protect Users Without Ticking Them Off

    Login processes can make or break a user experience. Excessive reliance on multi-factor authentication (MFA) often deters users from returning to a site. You may have experienced the frustration when logging in to an account, your cable or streaming provider, for example. You complete the MFA to sign in, then navigate to view your billing statement and get presented with MFA again, even though you’re still on your provider's platform. Or if you’re a frequent online shopper, you may find yourself getting asked for MFA multiple times a week (or day!) and wondering if it is worth the hassle.

    You’re not alone - according to a 2021 PingIdentity survey, 56% of global consumers—and 61% of U.S. consumers—would stop using an online service if the login process became too frustrating. Worse, 65% of U.S. consumers would switch to a competitor offering easier authentication.

    Businesses aren’t immune to these frustrations. Employers frequently prioritize account security over user experience, assuming that a few extra seconds of MFA are negligible. But when multiplied across daily logins for hundreds or thousands of employees, this “minor” inconvenience can result in significant productivity losses and increased support costs for help desks with minimal impact on reducing security risk.

    MFA Exhaustion

    Step-up authentication methods like one-time passcodes (OTPs), mobile notifications, captchas, and security questions introduce friction that annoys users and damages the users' experience going forward. Delays in receiving codes, forgotten answers to security questions, or the need to fetch a mobile device can derail the login process entirely. And while hardware authentication tokens offer strong security, they’re impractical for many scenarios.

    Yet abandoning MFA isn’t the answer either. Relying solely on passwords exposes accounts to takeovers, leading to financial losses and reputational damage.

    We all know more isn’t always better. Sometimes better is just better. Striking a balance between security and usability is essential. MFA is a powerful tool, as is having a strong password policy. But using MFA everywhere all the time or requiring frequent password changes just leads to annoyed users. (For an in-depth discussion of MFA, read our paper or watch our webinar “There is no Silver Bullet: User Credentials are not Secured with 2FA Alone.”)

    The Solution: Focus on “risk based” authentication controls

    Organizations can no longer afford to see authentication as an all-or-nothing choice. Tools like AllCreds enable them to embrace risk-based authentication, protecting user accounts without alienating their users. By strategically applying friction only when necessary, businesses can enhance security, boost productivity, and create a login experience that works for everyone. In the battle of security versus user experience, the winner doesn’t have to be one or the other—it can be both.

    AllCreds takes a smarter approach by introducing friction only when it’s necessary. Powered by a vast database of over 30 billion compromised credential pairs, AllCreds detects when a user’s login credentials have been compromised elsewhere. This signals an elevated risk and justifies additional security measures like one-time passwords, security questions, other MFA approaches—but only in those instances.

    Here’s how it works:

      • Behind-the-Scenes Protection: AllCreds operates invisibly, allowing most users to log in without interruption.
      • Real-Time Risk Detection: Each day, 15 million new compromised credentials are added to AllCreds’ repository, ensuring up-to-date protection.
      • Beyond Login Events: AllCreds can also flag compromised credentials during account creation or password changes, proactively mitigating risks.

    Why It Matters

    By tailoring authentication requirements to the risk level, AllCreds ensures that low-risk users enjoy a frictionless experience while high-risk scenarios are met with appropriate security measures. This balanced approach not only safeguards sensitive information but also improves user satisfaction and reduces churn.
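
    The risk-based policy described in the two articles above, as an added sketch that is not myNetWatchman's code or API: the two boolean signals, the channel names (`email_otp`, `totp`, `sms_otp`) and the `decide` function are assumptions for illustration. It steps up only when a signal fires for the event and never offers email-based 2FA when the inbox itself is reported compromised.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LOGIN = "login"
    PASSWORD_CHANGE = "password_change"
    CONTACT_CHANGE = "contact_change"
    PURCHASE_NEW_ADDRESS = "purchase_new_address"


# Events the articles single out as sensitive when the inbox is compromised.
SENSITIVE = {Action.PASSWORD_CHANGE, Action.CONTACT_CHANGE,
             Action.PURCHASE_NEW_ADDRESS}


@dataclass(frozen=True)
class Signals:
    credential_pair_exposed: bool  # submitted pair seen in a compromised-credential feed
    email_inbox_compromised: bool  # contact email reported as accessed by bad actors


@dataclass(frozen=True)
class Decision:
    outcome: str     # "allow", "step_up" or "manual_review"
    channels: tuple  # step-up channels that may still be offered
    reasons: tuple


def decide(action, signals, enrolled_channels):
    """Add friction only when a risk signal justifies it for this event."""
    reasons = []
    if signals.credential_pair_exposed:
        reasons.append("credential pair exposed elsewhere")
    if signals.email_inbox_compromised and action in SENSITIVE:
        reasons.append("sensitive change while contact inbox is compromised")
    if not reasons:
        return Decision("allow", (), ())
    # A code or recovery link mailed to a compromised inbox goes to the attacker.
    usable = tuple(c for c in enrolled_channels
                   if not (c == "email_otp" and signals.email_inbox_compromised))
    if not usable:
        return Decision("manual_review", (), tuple(reasons))
    return Decision("step_up", usable, tuple(reasons))
```

    Treating a plain login with a compromised inbox but clean credentials as `allow` is a policy choice made for this sketch; an organization whose only second factor is email may prefer to step up there too.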

  • myNetWatchman Welcomes Sandra (Sondra) Feinberg as Head of Sales and Account Management

    myNetWatchman is delighted to welcome Sandra Feinberg as the new Head of Sales & Account Management. Sandra (Sondra) is an innovative payments and fraud prevention executive with over 20 years of experience driving sales and customer success initiatives within the financial risk and payments technology industry. Having honed her expertise at renowned companies such as Microsoft, Forter, and ACI Worldwide, Sandra brings a wealth of knowledge in enterprise deals and partner program creation.

    “I am excited to have Sondra join our executive team. Her strong industry experience combined with her grasp of key security and fraud best practices will make her a key asset in meeting our strategic growth plans,” said David Montague, CEO myNetWatchman.

    Known for her competitive spirit and creative thinking, Sandra is a thought leader and is highly respected in the fraud protection industry. Outside of her professional achievements, she enjoys reading, boating, and spending time with her husband and their dog, Jasper, in sunny Florida.

    “I am excited to join myNetWatchman as Head of Sales & Account Management. As an experienced fraud fighter, I strongly believe myNetWatchman has a unique place in the market. What really drew me to the company is their ability to detect compromised customer credentials before a breach even happens. As I come from the world of pre-Auth risk for payment transactions, I think having the ability to know that an Identity has been compromised in real-time is a game changer.” Sandra Feinberg, Head of Sales & Account Management, myNetWatchman.

    About myNetWatchman

    Georgia-based myNetWatchman has been providing cyber fraud intelligence data for more than 20 years to retailers, financial services, insurance, and other industries. With over 10 years of live data surveillance, the company manages a continuously growing data repository containing over 30 billion exposed credential pairs and protects over 550 million users for their clients.

    To learn more about myNetWatchman, please contact Sandra Feinberg at: sfeinberg@mynetwatchman.com or contactus@mynetwatchman.com.

  • Is your Identity Solution Balanced? Prevention or Remediation

    Deciding on your strategy for protecting your company from account takeover (ATO) begins with deciding whether to rely more on prevention or remediation. Prevention maximizes your opportunity to avoid loss, brand reputation risk and customer loss, but it also comes with a higher cost to implement and more friction for your customers or employees when they are really more focused on purchasing or productivity. Remediation can allow you to reduce your cost to implement along with the number of people who experience heavy security friction, but it comes with more risk of bad actors getting through and more likely than not some bad customer experience. Balancing both is a viable solution, based on your company’s product and client mix combined with your go-to-market strategy.

    The case for remediation:

      • Focusing on remediation can mean that you’re limiting customer disruption to only those who are victims of ATO.
      • If you have a very low likelihood of customers being targeted for ATO, a remediation-based strategy can save you the expense and effort of trying to prevent something that is unlikely to occur (low ATO frequency).
      • Similarly, if you have very low potential loss or liability from an ATO, you can save the effort and cost of prevention (low ATO impact).
      • Whether ATO risk is low because of low frequency or low impact, a focus on remediation not only saves on cost, but also provides a better user experience as users can avoid the friction caused by most forms of prevention.

    Drawbacks of a remediation-only approach:

      • ATO can be very difficult to detect until there is an obvious loss, e.g., a customer reports a purchase they didn’t initiate.
      • If you can’t detect the ATO until there’s a loss, bad actors with access to your systems may be stealing information (e.g., private customer details) over an extended period of time in order to commit more serious fraud, like identity theft.
      • Customer satisfaction and your business reputation are at higher risk - we all know that unhappy customers are more likely to speak publicly than happy customers.
      • Every ATO event is a threat to brand reputation.

    The case for prevention:

      • Focusing on prevention limits the number of successful ATO events, maintaining strong brand reputation and trust among customers.
      • Preventing ATO limits your exposure - whether that is to direct loss like refunds or chargebacks, or indirect loss of proprietary information.
      • By definition, prevention is proactive - putting you in control of when and where to apply the preventative measures.

    Drawbacks of a prevention-only approach:

      • Focusing on prevention means more users will face friction, and this will often be legitimate users at legitimate login attempts.
      • Some prevention measures can be very difficult to implement accurately; e.g., device recognition, IP address geolocation, and user behavior pattern recognition need sophisticated technology.
      • For workplace accounts, more friction means reduced efficiency.
      • For consumer accounts, more friction can lead to lower sales conversion, or reduced use/access of service.

    Balancing your identity solution is the ultimate way to prevent bad actors from harming your business or your employees. Consider the risk of an ATO (likelihood and impact) versus the risks that come with prevention (cost and user friction). You need to weigh the factors and find the solutions that are right for your business.

    At myNetWatchman we have solutions for both prevention and remediation, enabling our clients to support whichever is the right mix for them.

    For prevention, we offer AllCreds, our credential screening service leveraging our repository of over 30 billion compromised credential pairs. This screening occurs behind the scenes and presents no friction to users, unless the use of a compromised credential pair is detected and you choose to apply multifactor authentication (MFA) or other forms of friction. You strategically apply the friction that comes with stronger forms of prevention.

    For remediation, we offer Web Monitoring and Email Reputation services. myNetWatchman’s Web Monitoring service monitors the web domains, email addresses, usernames, or credit card BINs (for card issuers) our clients request to have monitored so we can detect when the organization is being targeted with credential stuffing attacks via web, APIs, a portal, login page or elsewhere. Earlier detection leads to earlier remediation and less time for the bad actor to cause financial and brand damage.

    Email Reputation tells you if bad actors have access to an email inbox, a common point of communication for executing password resets as part of the remediation and account recovery process. myNetWatchman’s Email Reputation service makes the remediation and recovery process more secure by alerting clients when they may be sending the new password or account recovery link right into the hands of a bad actor.
