By now everyone concerned about cybersecurity has heard of the Equifax hack and potential compromise of over 140 million identity records containing Americans’ most sensitive PII (Personally Identifiable Information). Avivah Litan, vice president and distinguished analyst at Gartner comments on how the stolen data will be used, what organisations should do when it comes to identity proofing, and what we should be most worried about as individuals.
New reports indicate that British and Canadian citizens’ data were also compromised, which makes sense given that Equifax houses their data too. Of course, lots of people are justifiably concerned about this hack – and it is in my estimation, the worst ever in terms of sensitive confidential consumer/personal information leaked.
But frankly, I don’t think this hack is going to result in tens of millions of fraudulent loans and credit cards being taken out using stolen identities. Based on what I’ve seen in the past, I would estimate that less than 5% of Americans will have new loans, bank accounts, credit cards and other financial accounts taken out by a criminal in their name over their lifetime. And while everyone is advocating getting a credit freeze on your credit bureau file, my view is that will only protect you from less than 5% of the types of financial crimes that can happen to you.
So how will the stolen data be used?
- It will be sold and resold in the underground.
- It will be used to update existing stolen identity records, which are already plentiful and abundant but a bit out of date in terms of phone numbers and addresses.
- Based on conversations with Gartner clients, including tax authorities, my estimate is that over half of Americans have already had their identities compromised before this latest hack, and their records are already resident in criminal databases.
- It will be used to take over existing accounts, for example bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with Bitcoin wallet holders), and retirement accounts. This compromised PII data is used by call centers and online systems to verify identities when they are conducting high risk transactions such as moving money or changing an account’s phone number on record. So now, armed with the stolen up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account.
- It will be purchased and used by adversarial nation states including Russia, China, North Korea and Iran who have their own nefarious plans to disrupt or steal from US society.
As noted in a previous blog on this subject, (see Where has all the Stolen Data Gone?) intelligence has become a data mining exercise. Cyber-warring nation states have long been known to be mapping out the US population, and how individuals are connected to each other, where they live and how they can be targeted in order to get to their goal.
As we have witnessed, goals can range from disrupting political processes or stealing valuable intellectual property used to manufacture weapon related systems such as missile defence to more innocuous missions like pilfering consumer goods’ blueprints for luxury handbags or perfumes.
What should organisations do when it comes to identity proofing and verification?
- First it makes no sense to solely rely on static personally identifiable information to identify an individual a business is engaged with when there is a greater than 50% chance that data is in criminal hands. We have been long advocating that organisations reduce reliance on static personal data and increase reliance on dynamic identity data when engaging in identity verification.
- Some progressive fraud detection companies are trying to make this migration to an increasing reliance on dynamic identity data easier for you. For example, Threatmetrix has a technology that leverages crowd sourcing and machine learning to establish the legitimacy of a user’s identity based on an individual’s dynamic behaviour and attributes. WhitePages Pro has a similar concept and product. It’s time to evaluate and adopt these types of identity proofing options, as many of the world’s most progressive ecommerce companies have already done to keep their fraud rates down.
What should we be most worried about as individuals?
Be most worried about financial account takeover, phone takeover (used to get access to financial accounts), tax refund fraud, social security and other government benefit fraud, ransomware on your computer and social engineering by fraudsters or nationstates who want to get to you or someone you are connected to.
As far as national security concerns, we have little influence over what happens at that level but we all need to be more fully aware that cyberwarfare is real and here today, that it is in large part based on data mining. Innocent citizens are often used as pawns in cyberwarfare plans. That means we all have to be vigilant so as not to get socially engineered by some dark obtuse entity using us for nefarious gains and crimes against our countries.