Identity thieves have adopted technology more quickly than the organizations charged with protecting customers’ assets
Last year in America, hackers were able to infiltrate supposedly secure networks at retail companies, merchant processors, and financial service providers and compromise as many as 100 million records containing private identity information. As many as one out of every three American adults may have had personal identifying information stolen. The implications are astonishing. Due to the unprecedented affect these breaches may have on the lives of many Americans, this is perhaps the most disturbing economic event to have occurred in years.
In this article, we propose to discuss the aftermath of the massive data breaches that have been in the headlines for the past 12 months. What is going to be done with this data now that it has been stolen?
Expect a Spike in Activity
According to a recently released report by Dell SecureWorks, one immediate effect of this glut of identity data is already being felt. The price of a complete identity profile containing name, home address, email addresses, phone numbers, date of birth, Social Security number, and information on bank and credit card accounts has dropped by almost 40%, to the unprecedented price of just $25.00.
With such a sharp drop in the cost of stolen identities, it would be reasonable to expect an increase in the number of attempts to purchase and use them.
Big-Data Meets Organized Crime
The criminal community has embraced digital technology at rates so alarming it has caught most organizations unprepared. This has been evidenced by the data breaches which have made front page news in recent months. However, where the adoption of digital technology has really taken off is seen in what happens to the data after it has been stolen. As recently as just 7 or 8 years ago, much of the data would have gone unused, due simply to the fact that the hacker often did not have the distribution network necessary to disseminate thousands of identities to the “cashers” who actually use the data to convert it into fraudulent gains.
Add social media and eCommerce to the picture. Now, numerous “Dark Markets” exist to provide this very service to the data thieves. Imagine that you have just hacked 10 million records from a large retailer. The dark markets serve as a place where the data can be collated, stored and sold. Data is purchased by the dark market operator, who then treats the data the same way any other “Big Data” management firm might – trying to match records hacked from multiple different sources in order to build complete ID profiles – called “fullz” in the market parlance of the underground data thieves.
The (dark) Market for IDentity Data
Because many dark markets are operated by international organized crime rings, they have a ready-built network of potential “cashers”, located around the globe, who are ready, able and willing to convert this bounty into monetary gains. Using common social media apps like Twitter or FaceBook, the word will go out that the market will be online soon. Interested parties make direct contact and receive log-in credentials. Typically, such dark markets are located on the deep web, that portion of the Internet which cannot be seen or indexed by search engines. Also, typically, the dark market will only be hosted during specific operating hours, and will often utilize the DarkNet – an anonymous peer-to-peer hosting process that makes it difficult-to-impossible to discover where the initiating fileserver is located.
Once logged-in to the dark market, the potential buyer will see an interface very similar to eBay or Amazon. Vendors with data to sell may have banner ads, offer fee trials, or even make coupon codes available. Search engines within the market will allow the potential casher to locate victims in their geographic locale, which allows them to partially circumvent the forensic algorithms relied on by payment processors and financial institutions to detect fraud.
In one famous case, a dark market (now, busted, thankfully) hired data scrapers to go out and find public records data, such as place of birth, previous residence addresses, previous phone numbers, mortgage balances, etc. which would arm the “casher” with information required to answer questions posed by identity verification software utilized as part of the credit-application process in many financial institutions.
Enter the Professional Forger
After purchasing the identity “fullz”, the more sophisticated markets will then offer the buyer connections to professional forgery operations. Or, they will offer matching documentation as part of the package purchased by the end-user.
This is another area where digital technology has really changed the game. No longer is your local criminal attempting to churn-out passable fake documents using his home computer and printer. Instead, professional forgery labs produce high-quality documents, utilizing document templates that have been improved over successive generations by using iterative processes to incrementally improve their products over time. In many cases, the forged ID documents produced by such printers are impossible to detect using just the naked eye.
Armed with professional ID documents bearing his or her own picture, containing the identifying credentials of an unsuspecting victim who is a local resident, and armed with many of the details of this person’s economic history, the “casher” is ready to go into business.
Technology’s not All Bad
Technology is a boon to most of us. It has made our lives immensely easier to manage, and has increased individual productivity many times over. These same benefits have been manipulated by the criminal element to gain advantage over the unsuspecting public.
Time, now, for those organizations that are charged with protecting individuals’ assets to step up and start seizing the advantage back. It is a war, with each side striving to find an advantage. Not until one side concedes the fight and stops innovating new solutions will the other see victory.
