Defusing the identity theft time bomb

It seems that everyone knows someone who has been a victim of identity theft these days. Identity theft occurs when a criminal gains access to an individual’s personal information – for example, name, address, date of birth or bank account details - to steal money or gain other benefits. And it’s definitely a global problem. It costs the Australian Government upwards of $1.6 billion each year, with the majority (around $900m) lost by individuals through credit card fraud, identity theft and scams. In the U.S., the Identity Theft Resource Center reported a 45% increase over 2016 figures. In the United Kingdom, identity fraud has risen by 125% over the past ten years.

Insatiable thirst for data

There is more personal data available on the web than ever before. In the digital world, organizations collect information about their customers, users and clients to try to better understand their needs, and deliver a better experience. Every digital touchpoint a user makes has the potential to create data that every industry wants, from your age, location, preferred websites, downloaded apps or much more. The retail industry, for example, has access to a myriad of data mining tools that promise to gather sought-after personal information that allow them to better understand the needs and wants of their customers. The healthcare fraternity, a favourite target of criminals, has undergone a rapid digitization which puts confidential patient data like personal details, medical history and financial information online, and at risk. Verizon’s managing principal of investigative response, Ashish Thapar, comments “Keeping customer data secure is absolutely a priority for organizations today. Any data breach which reveals personal information can be devastating for a company’s brand and reputation.”

A cyber-crime syndicate that has obtained access to your confidential information can use this information in a number of ways. For example, they can:

• apply for a credit card, credit line or a loan in your name
• register for a vehicle
• apply for a job
• apply for a mobile phone
• make false insurance claims

“The fact that any company can now harvest third party data means that they have a far greater responsibility to protect the data, particularly under the current regulatory landscape. It can take months for a company to discover a data breach, which can have devasting implications for any individuals whose personal credentials turn out to have been compromised.” - Ashish Thapar

The unspoken web

So what becomes of stolen personal credentials? Most people know the ‘surface web’ – the part of the World Wide Web that is readily accessible and searchable to the general public. The less well-known part of the Internet is the dark web, which is only accessible through special browsers. It contains non-indexed, peer-to-peer, encrypted content that was originally designed to give a lot of protection to people like researchers, law enforcement professionals and even whistleblowers. Unfortunately, today, as with most useful platforms, it is also exploited by cyber criminals to host and trade volatile/stolen/confidential content.

The dark web hosts general marketplaces, just like a general store, but also specialty marketplaces – for example, stores selling stolen credentials, PII dumps, iPhones, malware, stolen payment-card dumps, drugs, medicines and other contraband, and even stores related to extortion and physical crimes. Thapar observes: “Criminals almost never use the data they steal themselves due to the fear of being traced. They sell it to other criminals or syndicates on the dark web, who in turn monetize the stolen data through several layers of anonymity. Your personal data can enable a criminal to, for example, apply for a credit card, credit line or a loan; register a vehicle; apply for a mobile phone or make false insurance claims – all in your name. And you might know nothing at all about it for months.”

Prevention is better than cure

After investigating more than 2000 confirmed data breaches, the 2018 Verizon Data Breach Investigations Report (DBIR) has revealed that 68% of breaches took months or longer to discover, even though 87 percent of the breaches examined had data compromised within minutes or less of the attack taking place. Crucially, it also flags a shift in how social attacks, such as financial pretexting and phishing, are being used, which infiltrate organizations via employees. These are now increasingly a departmental issue, with Human Resource (HR) departments across multiple verticals now being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.

Thapar gives seven steps that organizations should undertake to help protect themselves against data breaches:

1. Stay vigilant - log files and change management systems can give you early warning of a breach
2. Make people your first line of defense - train staff to spot the warning signs
3. Keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it
4. Patch promptly - this could guard against many attacks
5. Encrypt sensitive data - make your data next to useless if it is stolen
6. Use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials
7. Don’t forget physical security - not all data theft happens online

What can individuals do?

When a company is breached, executives can turn to a myriad of consultants and service providers to help them overcome risk and reputational challenges. But when an individual’s personal online information has been compromised, they’re often left to fend for themselves. Thapar advises in particular being mindful of what information is shared online, and what consent – whether implicit or explicit – you give to an organization. He also advises against using the same passwords across different websites – tempting as that can be! – and enabling two-factor authentication whenever this is available. Finally, he suggests considering personal cyber insurance, which is specifically designed to protect individuals against online threats to their personal computer network, hardware, IT and communication systems.

If the worst happens, and you find out that your personal credentials have been compromised, here’s what Thapar advises you should do next:

1. Enable credit monitoring/identity theft protection services and place a fruad alert on your credit reports
2. Review access activity to your online accounts and review credit reports
3. Consider enabling an extended fraud alert or a security/credit freeze on your credit file
4. Notifty all relevant institutions and close all fraudulent accounts/lines of credit that may have been opened using your identity
5. Make a police complaint if the information stolen was issued/maintained by a government entity and request a replacement ID
6. Change your passwords/secret questions on all websites/portals; activate multi-factor authentication wherever possible
7. Put out a fruad alert with your local in-country credit bureau

Thapar concludes: “In a perfect world, cybercrime wouldn’t exist. Unfortunately, today’s world is far from perfect, and it’s a growing threat. But if organizations AND individuals all work together, we can help to minimize its impact.”

To find out more about how criminals are using stolen credentials and PII,  read Verizon’s 2018 Data Breach Investigation Report.

Verizon Communications Inc. (NYSE, Nasdaq: VZ), headquartered in New York City, generated $126 billion in 2017 revenues. The company operates America’s most reliable wireless network and the nation’s premier all-fiber network, and delivers integrated solutions to businesses worldwide. Its Oath subsidiary reaches about one billion people around the world with a dynamic house of media and technology brands.