Identity Fraud in the Modern Era
I suppose it is inevitable that as we witness a move from physical to digital assertion of an identity to gain access to financial, retail and payment services we should see an attendant rise in the number and types of digital identity scams.
In this round-up of recent reports, we find that the one thing that connects physical and digital identity fraud is the range of technologies and approaches used by bad actors.
Synthetic ID
Modern-day con artists have adapted to the brave new world of online commerce and moved on from phishing, credit card frauds and UPI scams targeting individuals to far more sophisticated, tough-to-detect methods that target institutions as well.
Among the new threats, synthetic identity frauds have emerged as a big concern for banks and financial institutions across the world.
In such cases, a fraudster creates a fake identity by taking, say, the national ID registration of one person and combining it with information, like photographs and dates of birth, about multiple other persons, using data scoured off social media platforms. They use this identity to create a fake bank account, build up a positive credit profile and borrow money from the banks with no intention of repaying.
Synthetic fraud is notoriously difficult to detect as it does not involve any impersonation like traditional scams. In these cases, con artists create an entirely new identity to cheat financial institutions. Authorities can spend weeks, if not months, trying to hunt down people who exist only virtually.
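As an added illustration (not taken from the reports cited here), the sketch below shows one way an institution might screen account applications for the pattern just described, where one person's national ID turns up alongside other people's details. The records, field names and the second signal (one phone number shared across different national IDs, which goes beyond what the text describes) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample applications (not real data); field names are assumptions.
APPLICATIONS = [
    {"app_id": "A1", "national_id": "ID-1001", "name": "Asha Rao", "dob": "1988-04-12", "phone": "555-0101"},
    {"app_id": "A2", "national_id": "ID-1001", "name": "Vikram Shah", "dob": "1993-09-30", "phone": "555-0177"},
    {"app_id": "A3", "national_id": "ID-2002", "name": "Meera Nair", "dob": "1979-01-05", "phone": "555-0177"},
    {"app_id": "A4", "national_id": "ID-3003", "name": "John Doe", "dob": "1990-07-21", "phone": "555-0199"},
    {"app_id": "A5", "national_id": "ID-3003", "name": "john  doe", "dob": "1990-07-21", "phone": "555-0199"},
]

def _norm(value):
    """Case- and whitespace-insensitive form so trivial variations are not conflicts."""
    return " ".join(value.lower().split())

def find_synthetic_indicators(applications):
    """Return {app_id: sorted list of reasons} for applications worth manual review."""
    by_id = defaultdict(list)
    by_phone = defaultdict(list)
    for app in applications:
        by_id[app["national_id"]].append(app)
        by_phone[_norm(app["phone"])].append(app)

    flags = defaultdict(set)
    # Signal 1: one national ID presented with different name/date-of-birth pairs.
    for apps in by_id.values():
        identities = {(_norm(a["name"]), a["dob"]) for a in apps}
        if len(identities) > 1:
            for a in apps:
                flags[a["app_id"]].add("national_id_reused_with_different_person")
    # Signal 2: one contact number shared by applications under different national IDs.
    for apps in by_phone.values():
        if len({a["national_id"] for a in apps}) > 1:
            for a in apps:
                flags[a["app_id"]].add("phone_shared_across_national_ids")
    return {app_id: sorted(reasons) for app_id, reasons in flags.items()}

if __name__ == "__main__":
    for app_id, reasons in sorted(find_synthetic_indicators(APPLICATIONS).items()):
        print(app_id, reasons)
```

A repeat application by the same person (A4 and A5) is not flagged, because the name and date of birth match once case and spacing are normalised.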
Voice Bots
Users are generally advised to use two-factor authentication (2FA) and one-time passwords (OTP) wherever possible to enhance the security of their respective accounts. But according to a report in The Vice [1], hackers have found a way to steal these sensitive codes by using voice bots to trick users.
The hackers can log in, make money transfers or perform other sensitive functions by using the 2FA or OTP verification codes that the users are tricked into revealing. The hackers use voice bots that are sold online.
Hackers who, in a previous age, used to pose as bank executives or customer care agents to trick unsuspecting customers into sharing their verification or login information, now use customisable bots that can place automated calls and ask for the temporary passwords to access an account.
These bots are made to sound as though you are talking to an authentic customer care agent, and they then ask you to enter the 2FA/OTP code during the call. Once you enter it, the verification code reaches the hacker, who can now log in to your account and perform cash transfer transactions.
The Vice, in their report, demonstrated one such instance where the user gets a call from ‘PayPal’s fraud prevention system’.
According to the call, someone had attempted to make an unauthorised payment by accessing the user’s PayPal account. Over the call, it said, ‘in order to secure your account, please enter the code we have sent your mobile device now’. Once the code was entered, it said ‘Thank you, your account has been secured and this request has been blocked’.
Additionally, the voice call told the users ‘Don’t worry if any payment has been charged to your account: we will refund it within 24 to 48 hours’.
The call was actually from a hacker who used the customisable bot to trick the user into giving their one-time codes for verification. Similarly, hackers can target Apple Pay, PayPal, Amazon, Coinbase, and other accounts to steal cash or cryptocurrencies.
Database Hacks
Some of the world’s most powerful, wealthy and famous people are thought to have had their personally identifiable information stolen by a cybercriminal gang which hacked into the computer systems of exclusive UK jeweller Graff.
The data theft was carried out by Russian group Conti, believed to be based near St Petersburg, which has already leaked 69,000 confidential documents on the so-called dark web.
However, Graff believes that for the vast majority of people the data lost was simply their name and address, which are typically available in the public domain from other sources, and did not contain details that are considered sufficient to put them at risk of identity theft.
Irrespective of this, Conti is said to be demanding tens of millions of pounds in ransom money to stop the release of further sensitive information.
Cyber experts believe the extortionists will demand payment either in an untraceable cyber currency such as Bitcoin, or possibly jewels.
The UK’s Information Commissioner’s Office (ICO), which can impose multi-million pound fines on companies that fail to keep customers’ data secure, said it was investigating the breach.
Two key differences between physical and digital identity scams jump out from these examples. First, in each of these examples the location and identity of the criminals are well hidden behind veils of servers, routers and telecoms, making it difficult to point the finger of suspicion at any one person or group in particular.
There is also the obvious difference in scalability between a physical and digital breach of security. Setting up an enterprise to print or alter physical identity documents requires planning, resources and time – each of which presents a barrier to the criminals.
In the digital world, once the defences of a system have been breached, automation of the extraction of the data makes light work of the heist – irrespective of its size.
1 - https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo