Identity theft is the unauthorized taking of another person’s PII (Personally Identifiable Information) for committing fraud or other criminal acts. Stolen PII can include names, personal ID numbers, SSNs, dates of birth, credit card numbers, bank information, driver’s license numbers, and more. These details are then used for financial profit, often being sold on the dark web or used for impersonation. This blog post will explain how digital identity theft occurs and how to incorporate identity theft protection in your organization.
To learn more about Account Takeover, which is one of the main methods of Identity Theft, click here.
Why Identity Theft and Identity Fraud are Dangerous
PII and other personal information obtained by identity theft are used for financial gain and identity fraud. Though most users will probably not be impersonated by Mr. Ripley, identity theft can have severe consequences for anyone whose credentials and PII are stolen and abused.
PII can be used for stealing money directly from accounts, for purchasing from e-commerce sites in your name or for impersonating you to get loans and benefits. Identity theft cost $14.7 billion in financial losses in 2018!
In addition, personal credentials can be used to assist with more sophisticated attacks on systems. During credential stuffing, for example, hackers try to access systems with leaked usernames and passwords. In such cases, the stolen credentials pose a threat to all users, not just the direct victim.
Personal data is also valuable on social media, where companies will pay to buy “likes” and “followers”. Finally, this information can be used for extortion.
As you can see, there are many incentives for perpetrators to try to steal user info, especially since many systems are not very secure and the theft can be carried out fairly easily.
How Identity Theft Works
Identity theft occurs when perpetrators are able to steal or acquire personal information. This can take place offline or online. We will focus on the online methods.
Account takeover is an aggressive method used by hackers to gain access to a user’s credentials.
4 Account Takeover methods:
Phishing - Usually performed by email, the attacker disguises itself as a trustworthy entity and tricks the victim into providing sensitive information like usernames and passwords.
Social Engineering - A psychological manipulation to get users to voluntarily give up their personal user details through phishing, DNS spoofing, and more.
Brute Force Attacks - Systematically submitting and checking a very large number of credentials and passwords in the hope of finding a correct combination.
Credential Stuffing - Brute force attacks based on stolen or leaked lists of usernames and passwords.
Read more from the blog post “What is Account Takeover | How to Prevent ATO Attacks”.
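The difference between the last two methods shows up in login logs: brute force concentrates failures on one account, while credential stuffing spreads one or two attempts across many accounts. The following detection example is added here and is not SecureNative code; the event fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds for this example; tune them against real traffic.
MIN_FAILURES = 10       # below this, a source is treated as ordinary typos
BRUTE_PER_ACCOUNT = 10  # password guessing hammers one account
STUFFING_AVG_MAX = 2    # leaked pairs are tried once or twice per account


def classify_sources(events):
    """Map each source IP to a verdict; events are (source_ip, username, succeeded)."""
    failures = defaultdict(Counter)  # ip -> {username: failed attempts}
    for ip, user, ok in events:
        per_user = failures[ip]  # also registers sources with only successes
        if not ok:
            per_user[user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        if total < MIN_FAILURES:
            verdicts[ip] = "normal"
        elif max(per_user.values()) >= BRUTE_PER_ACCOUNT:
            verdicts[ip] = "brute_force"
        elif total / len(per_user) <= STUFFING_AVG_MAX:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that a flagged source logged in to successfully."""
    return {user for ip, user, ok in events
            if ok and verdicts.get(ip, "normal") != "normal"}


def sample_events():
    """Constructed login events using documentation IP ranges."""
    events = [("203.0.113.10", "alice", False)] * 40  # one account, 40 guesses
    events += [("198.51.100.7", f"user{i}", i == 17) for i in range(30)]  # 30 accounts, one hit
    events += [("192.0.2.5", "bob", False)] * 2 + [("192.0.2.5", "bob", True)]  # typos, then success
    return events


if __name__ == "__main__":
    ev = sample_events()
    v = classify_sources(ev)
    print(v, accounts_to_reset(ev, v))
```

A successful login from a source flagged for credential stuffing means the leaked password was still valid, so that account needs a forced reset even though the login itself looked normal.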
Security data breaches release PII into the hands (and keyboards) of hackers. From usernames and bank accounts to medical history, personal user details are out in the open and can be exploited and sold for identity theft.
Just recently, Absa, a South African bank, and Shirbit, an Israeli insurance company, were the victims of severe data breaches. Both breaches resulted in personal info theft. Shirbit’s attackers demanded a high ransom, threatening to sell the information if their demands were not met.
Malware can steal and send personal details from a user’s computer to the perpetrator, without the user knowing. Criminals use pop-ups, links and fraudulent websites to encourage consumers to download the malware. Then, the consumer’s PII or even their keystrokes are stolen. The stolen data might be used by the cybercriminal or sold on the dark web, and the keystrokes could be used for activating malicious bots.
Offline Identity Theft
Offline methods are not the focus of this post, but users should also be aware of them. Some offline identity theft methods include rummaging through dumpsters and trash to find tossed-away PII, peeking over shoulders to see credit cards and other personal details, and skimming the magnetic stripes of credit cards.
How Identity Theft Can Be Prevented
10 Methods to Prevent and Protect from Identity Fraud
Our previous “Account Takeover” post details seven ways to prevent account takeovers:
1. MFA / 2FA - Require multiple authentication factors before allowing users to log in.
2. WAFs - Blocking, filtering and preventing attacks and malicious activities through a firewall.
3. Employee Education - Educate employees to behave safely online and question any digital request for personal information.
4. Security Questions - Users have to answer security questions before logging in.
5. Bot Protection - Malicious bot mitigation through measures like CAPTCHA.
6. AI Detection - Discovering hidden UEBA patterns by using ML/AI techniques.
7. End-to-end customer journey protection - Proactively analyzing user behaviour inside applications and systems in real-time while alerting about suspicious activities and blocking compromised accounts.
In addition, it’s also important to:
8. Constantly monitor - Encourage employees to monitor their financial accounts and check for any suspicious transactions and changes.
9. Install antivirus protection on computers - To protect from malware.
10. Monitor all accounts on devices - Check personal accounts on company devices, like children’s accounts. Many hackers use less monitored accounts as a means for penetrating devices and systems.
SecureNative Identity Theft Protection
SecureNative’s user protection platform helps companies protect their customers from identity theft and fraud.
Use SecureNative for:
Account and identity protection across the entire journey
Identifying behavioral patterns and anomalies
Automating your user security in minutes
Customizing security playbooks to meet your specific needs