In 2017, the number of identity fraud victims in the United States rose to nearly 17 million.
As the US became the last of the G20 countries to adopt Chip and PIN/Signature cards, fraudsters – predictably – moved towards online card-not-present fraud, which is, according to recent statistics, now 81 percent more likely than point-of-sale (card-present) fraud.
“The volume of data breaches has bolstered fraudsters’ ability to waltz through the front doors of businesses using synthetic identities (identities of real people with some alterations, such as a child’s identity but with a changed age),” Sunil Madhu, Chief Strategy Officer of Socure, told Help Net Security.
And while social networks have made it more difficult and time-consuming to turn a fake or synthetic identity into a real identity, they have also made it easier for fraudsters to mount social engineering attacks to take over accounts. (Account takeover tripled in 2017.)
The present and the future
“Social networks have had a profound effect on the evolution of digital identities by making it possible for our connections to other real people to vouch for us, as that information cannot be easily reproduced or faked in a short period of time,” Madhu explains.
On the other hand, a fraudster who can get a target’s name, email address, birth date, dog’s name and similar information from Facebook can easily attack password reset services at 100 different banks in a short period of time.
“An attacker could use the same information to contact call-centers and have customer service agents make changes on an account such as temporarily call forwarding a phone number to intercept a bank’s SMS verification message and use that to shape the attack,” he points out.
So, yes, social engineering remains a favorite attack vector, and attacks on call-centers have grown since fraudsters can combine stolen data and social engineering tactics to their advantage.
He says there have also been more coordinated attacks by nation-states looking to subvert opposing governments.
In the future, organizations should expect stealthier and more sophisticated attacks involving machine learning and AI, he warns. IoT botnets will also increasingly be employed in attacks.
The impact on financial institutions
The sad truth is that the economics favor the fraudster because they don’t follow rules or pay taxes while having access to cheap technology.
“Consumers lost $17 billion to identity fraud last year, while institutions lost in excess of $100 billion,” Madhu notes.
“The Federal Reserve estimates credit charge-off rates account for nearly 10 percent of all outstanding revolving consumer credit. That means that banks lose 10 cents for every $1 in receivables to credit charge-offs AND they lose an additional 15% to 25% on First Party Fraud charge-offs for those credit charge-offs. To put that into perspective, if a bank was managing $150B in receivables annually, the bank is losing $150B X 10% C/O Credit ratio X 15% FPF ratio = $2.25B lost annually to just First Party Fraud!”
Financial institutions should aim to change the economics of fraud – make it more expensive and time-consuming for fraudsters to commit their crimes.
“Without robust identity verification, organizations are giving away the keys to the kingdom since 100% of all accounts opened by fraudsters will result in fraud,” Madhu points out.
“Move away from rules-engine based anti-fraud approaches and look for machine learning systems that are artificially intelligent and that learn collaboratively across industry consortiums with little assistance from humans.”