Two-factor authentication. An authentication process in which the user who is authenticating needs to provide more than one type of evidence (factor) to verify their identity. For example, after entering a username and password (one factor), they are prompted to provide a code (second factor) received via email or text message. A two-step form of multi-factor authentication (MFA).
Account. Online profile associated with a username that allows a user to conduct transactions and allows a service provider (e.g., a streaming service or online retailer) to manage that user's experience. For example, you may have an online bank account, an account at a retailer like Amazon, an account at a streaming provider like Netflix, and so on.
Application Programming Interface. A way for computer programs or software components to communicate with each other. It is a type of software interface, offering services to other software. Modern APIs adhere to specific standards (typically HTTP and REST), which make them developer-friendly, self-describing, easily accessible, and broadly understood. For example, myNetWatchman offers an API so our clients can augment their customer login flow with a quick and easy API query that checks submitted credentials against our repository of billions of compromised credentials.
Account Takeover. Unauthorized access to a legitimate account. A type or category of fraud in which a bad actor is able to successfully authenticate to or access a legitimate account, regardless of whether the bad actor does any activity in the account.
Authentication. The action of validating that a user has the rights or permission to access an account (or a requested resource). When you sign in to online banking, you are using your authentication credentials (likely a username and password) in the authentication process.
Business Email Compromise. A type of social engineering attack where the criminal poses as a business contact, such as a CEO, lawyer, or vendor, and tricks an employee into taking actions such as wiring funds for false invoices or providing sensitive employee information. The criminal typically uses a "spoofed" email address which mimics a real business email address.
Bot. Derived from “robot.” A program on the internet or other network that can interact with systems or users. Bots are autonomous, meaning they run without a human user having to start them or interact with them while they’re running. Cybersecurity is typically concerned with malicious bots that scrape content, spread malware or spam, or carry out credential stuffing attacks.
Data Breach. Exposure of information or data that is meant to be confidential. “The company had a data breach and all their customer information was exposed.”
Brute Force Attack. A type of cyberattack that uses trial and error to guess passwords or login credentials. Bad actors typically use automated software (e.g., bots) to attempt as many guesses as possible in order to gain access to an account. The attackers may know the username and are using brute force techniques to guess the associated password, including the use of dictionary words or variations of common passwords, such as “password123”. The success rate is typically much lower than a credential stuffing attack, where bad actors use credentials from a data breach at one company to attempt to log in to another company’s service.
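The two patterns this entry contrasts look different in authentication logs: brute force produces many failures against one username from a source, while credential stuffing produces roughly one failure per username across many usernames. The following Python is an added example (not code from this glossary or from myNetWatchman) that classifies each source address from failed-login records; the log line format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example, not a real product's).
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAIL src=(?P<src>\S+) user=(?P<user>\S+)$")

def _line(sec, src, user):
    return f"2024-05-01T10:00:{sec:02d}Z LOGIN_FAIL src={src} user={user}"

# Constructed sample: one source hammering a single account, one source trying
# many accounts once each, one source that just mistyped a password, plus noise.
SAMPLE_LOG = "\n".join(
    [_line(i, "203.0.113.5", "alice") for i in range(12)]        # brute force profile
    + [_line(i, "198.51.100.7", f"user{i}") for i in range(10)]  # credential stuffing profile
    + [_line(i, "192.0.2.9", "bob") for i in range(2)]           # ordinary failed login
    + ["this line is not a login event and is skipped"]
)

def parse_failures(log_text):
    """Return {src: {user: failure_count}} for every parseable LOGIN_FAIL line."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_src[m["src"]][m["user"]] += 1
    return per_src

def classify_source(user_counts, min_failures=10, min_users=8):
    """Label one source's failure profile; thresholds are assumed tuning values."""
    total = sum(user_counts.values())
    if total < min_failures:
        return "normal"
    top = max(user_counts.values())
    if top / total >= 0.8:
        return "brute_force"          # most guesses aimed at a single account
    if len(user_counts) >= min_users and total / len(user_counts) <= 2:
        return "credential_stuffing"  # one or two tries per account, many accounts
    return "suspicious"               # high volume that fits neither pattern cleanly

def classify_log(log_text, **thresholds):
    """Map every source address in the log to its classification."""
    return {src: classify_source(users, **thresholds)
            for src, users in parse_failures(log_text).items()}

if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:14} {label}")
```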
