The perils of fake users

anonymous spy privacy security
Credit: Flickr/Anonymous9000

It's a tough balance to encourage new users, while still ensuring user are who they say they are. Research shows just how tough.

Recently privacy and information security research firm Ponemon Institute published some research that took a look at the impact of fake users on businesses and the impacts on consumers. "The Fraud Report: How Fake Users Are Impacting Business" highlighted the average economic value of a company’s user base ($117M) and the financial and brand reputation damage that can be done if fraudsters are allowed to create fake accounts.

The research, undertaken alongside mobile identity vendor TeleSign, found that 82% of companies face some issues with fake users in their systems. More worrying was the fact that 43% of respondents admitted allowing fake users into their ecosystem in an effort to avoid user registration friction. Respondents reported user convenience (58%), cost efficiency (52%) and ease of use (42%) as the most important factors to an organization’s authentication strategy with security at a distant fourth (21%). Overwhelmingly, companies value ease of use over security against fraudsters, making them vulnerable to the threat of fake users.

The study surveyed 584 U.S. and 414 U.K. respondents who are involved in the registration, use or management of user accounts and hold such positions as product manager, IT security practitioner and app developer. The median revenue of companies represented in this study is $650 million. Larger companies in this study have spent as much as $14 million to respond to spam or fraud committed by fake users, with an average cost of $4 million per company.  A vast majority (60%) of those costs are being put to repair brand damage and reputational costs.

Additional findings from the Fraud Report include:

  • In the past 12 months, fake users victimized 21% of legitimate users, resulting in organizations losing an average of 9% of their legitimate user base.
  • On average, companies estimate 10% of their respective user bases to be fake users, yet 65% of respondents also report that knowing their user base is legitimate is of great value to their leadership.
  • Only 25% of respondents believe the traditional username and password(s) is a reasonably secure authentication method -- yet 59% say that the use of two-factor authentication is not an option on their service.
  • Sixty-nine percent of respondents believe their organization’s authentication process is difficult to manage, which directly contributes to allowing fake users to infiltrate the user base.
  • The majority (54%) of respondents agree that a phone number is enough to stop fraudulent registrations.

“Fake accounts are notorious vehicles for cyber criminals to commit abuses, from basic activities such as spam to devastating events like identity theft and account takeover. Battling these types of problems has brought a number of well-known brands to their knees and is continuing to cost businesses significant time, money and reputational capital,” said Steve Jillings, CEO of TeleSign. “Despite today’s aggressive threat landscape, 64% of businesses still admit to prioritizing convenience over security which means fake users are being allowed in just as readily as you or me.”

MyPOV

Worrying stats. If it was simply corporate losses that these fake users caused, that would be bad enough. But fake users are often the start of an ongoing chain of crime which impacts businesses and consumers alike. But if it was as simple as locking down access, it would be a simple problem to solve.

The real issue here is that organizations are trying to reduce the steps that users need to overcome before signing up for and using their service -- this balancing of ease of access and security is a seemingly intractable problem that will continue to impact everyone along the value chain. Clearly better practices (IP address logging, behavioral analytics and the like) can help, but this is one problem that isn't going away anytime soon.

This article is published as part of the IDG Contributor Network. Want to Join?

A look inside the Microsoft Local Administrator Password Solution
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies