Synthetic ID fraud: who does it hurt the most? - interview
Criminals can easily combine your social media profiles with leaked personal data to create a so-called Frankenstein identity.
According to the FiVerity report, last year, financial institutions within the US lost at least $20 billion due to synthetic identity fraud (SIF). SIF is defined as the use of a combination of personally identifiable information (PII) to fabricate a person or entity to commit fraud.
Threat actors combine leaked information with publicly available information, for example, from their social media accounts, alter some information that needs to be changed, and use these synthetic identities to commit a dishonest act for personal or financial gain.
ID verification technology provider AU10TIX saw an 11% increase in identity fraud protection in 2021, preventing approximately $4.3 billion in fraud-related losses. However, it seems to be just a drop in the ocean. A report from Javelin Strategy & Research suggests that in 2020 alone, 49 million people fell victim to identity theft with a total cost of $56 billion.
"Identity fraud is something that is becoming more and more pronounced as we have moved our lives online," Carey O'Connor Kolaja, CEO at AU10TIX, told CyberNews.
The same report from Javelin Strategy & Research also states that active social media users are 30% more likely to be affected by identity fraud; account holders on Snapchat, Facebook, and Instagram are the most likely victims, with a 46% higher risk.
I sat down with Kolaja to discuss who does identity fraud hurt the most.
How big of a problem is identity theft, and what consequences can a victim face?
Every moment we connect to the digital realm is an opportunity for a bad actor or a cybercriminal to use our credentials, use a weak spot in the network, pretend that they are us and perform some nefarious behavior. Fraud doesn't stop at the borders of our digital interactions, and it has become very global, very organized, interconnected. Stolen identities are used online to create bank accounts, rent a home, or apply for a mortgage. It has consequences on individuals' lives that are hard to remediate.
Kids fall victim to identity theft, too. Why do malicious actors steal childrens’ identities, and what do they do with them?
If you think about a child - the name, the associated address, the social security number are in the system. It's legitimate information. Many organizations don't look at the age, so someone can take that information and create an ID, potentially even change the age of this individual, and that's when they can start to apply for a credit card, a loan, a bank, a crypto account.
They take advantage of the system, whether to pull money out or buy things that they shouldn't be buying or to own something they shouldn't be owning. Effectively, their failure to pay, because they will not pay, will damage the victim's future credit score or future ability even to create a credit score where, when they become eighteen, allows them to live a life and get access to things that they deserve.
These children might not learn that their identity was stolen until they become 18?
Look what could be done in ten years. That's what’s scary for me - it's different when you are an educated consumer. You have the tools or the technology of the services you signed up for to get alerted if maybe your credit card is being used in a place where you typically don't shop, or if someone has applied for a credit card in your name.
There are companies out there that will alert you. But when not everybody is aware of that, it becomes a very complex issue. When you are not in the system, it can go undetected for years, and that's where there's tremendous damage.
McKinsey said that extending full digital ID coverage could unlock economic value equivalent to 13 percent of GDP (gross domestic product) in 2030.
There are tremendous losses because we are not all handling identity theft or data breaches at the levels that we could and should. And it's having not just an impact on businesses and individuals but also on the economy.
Does identity fraud correlate with the big breachers?
When you start to see more and more data that is exposed about an individual, that's when you tend to see these hacks happen. For instance, our social security numbers in the US are very personal. We have been using them for decades to manage our finances, get a bank account, and get a driver's license. Once they are exposed, it becomes a huge problem.
It is important to think about what we are doing to stop the bleeding of the data, to inform individuals that information was exposed so that they can take steps to remediate that. We know that these hackers and cyber attackers are so intelligent and they are constantly adapting and changing how they attack companies, and we have to stay ahead of that.
According to the Gallup report, 67% of respondents frequently or occasionally worry about being victims of identity theft.
When credentials are exposed, like username and password, and people nine times out of ten use the same username and password, it creates additional vectors of attacks for these hackers.
So if you combine breached information with what's available on social media, you have a full profile on a person, right?
It is scary. Cybercriminals are going after student and children profiles. If a university or an education system is breached, attackers can use their collected information to create IDs and apply for credit cards. There's no history of these individuals or these children. They will start to build up a credit history, and then this ID ends up becoming a really good synthetic ID, and then once it builds up a credit history, it can be used for other things.
And it's not until the child becomes 18 that they are seen within the system, they may know that their identity has been stolen. I find it fascinating that you may see a breach in an education system or a university, and people may say that is not a big deal, but it is a big deal when you look at identity theft.
With the pandemic, we've seen a 300% increase in fraud and even beyond that, because you are witnessing sectors that are being forced to deliver services online, whether it's the healthcare or its education or it's the hospitality sector that never did this before and didn't have the protection measures in place to protect their business and their consumers from these types of attacks.
What about decentralized identity? Will it solve any of the issues that we are talking about? Or will it furtherly broaden the attack perimeter for attackers?
I'm fascinated by the concept of decentralized identity. We are seeing technology and the adoption of that concept become more mainstream, but it's not just technology alone that will put this on a better path.
It also has to do with policy and regulation, which, I know, across the world, is beyond just GDPR, but also about the roles that governments play in ensuring that if there's a breach, is it reported? How is it handled, what are the consequences of not handling the data appropriately?
The third piece of it is education. Consumers and end-data subjects need to understand the implications of their choices. I have had the privilege and the pain of being in the financial sector for the last 25 years, and as you are familiar with it, the world has changed when it comes to how you pay for something. From a physical store to digital, from a card to a token, from cash to digital currency, and in all of that transformation over the last couple of decades, consumers had to have become more financially literate.
It's the responsibility of the government, companies, and us as individuals to ensure that we use the technology and the techniques to ensure data privacy. We are taking those moments to educate the end data subjects and the consumers about sharing that information.
One of the areas that I am fascinated with is attached to distributed decentralized identity, which is the zero-knowledge proof technology, which allows someone to credential me as being over 18, and therefore, I can drink without actually sharing my birthday.
Do you see many returning fraudsters trying their luck with many companies instead of one?
We don't necessarily have a named fraudster. But we will see a fraudster who takes on a template, manipulates it by just changing the face or changing an address, and will attempt to penetrate one or many brands on our network. They modify these synthetic IDs that we call it, which have accurate information and fake information, it's like a Frankenstein ID, and they will make small changes to it and try to penetrate a brand or a customer of ours. We will see them do that across customers, and they'll take the same tactics and attack vectors across multiple companies.
Do you manage to find out whose identity was stolen? Do you then notify those individuals of the theft?
We do not inform the individual as we are a B2B player. But if we catch a Bad ID, we will retroactively inform the entity - our customer - that this was a bad ID. Then it is up to them what they do with that information.
You've got people who will rent a home in the sharing economy. They may rent it under a false ID, or they may rent it under the wrong age. Even though they claim to be using this home for one reason, like escaping the California wildfires, they may use it to have a party. These parties get out of control, and human lives are sometimes lost. In the future, I could see a world where many of us come together to ensure individuals are well-informed.
More from CyberNews:
Subscribe to our newsletter