Attacks/Breaches
11/14/2012
02:38 PM
Connect Directly
RSS
E-Mail
50%
50%

Study Finds More Than 10,000 ID Fraud Rings In the U.S.

Georgia, South Carolina, and Florida are among the hotspots for identity theft

The misuse of personally identifiable information (PII) can take many forms, from the filing of fraudulent bank applications with stolen information, to manipulating personal data, to game unsuspecting companies. In a new study released today, ID Analytics' ID: A Labs reveals that this murky underworld is compromised of more than 10,000 identity fraud rings that are operating in the U.S. alone -- many of which are groups of families and friends as opposed to organized crime.

The study analyzed more than 1 billion applications for wireless services, bank cards, and retail credit cards, and uncovered identity fraud rings attacking all three industries. According to the study, Georgia, Florida, and the Carolinas are hotbeds for fraudulent activities across all three industries. Wireless carriers got hit the worst, the report notes.

There are several types of identity fraud, ranging from criminals who become aware of enough information about a specific account to impersonate a victim and take unauthorized actions, to targeting a specific individual and then assuming that person's persona. There is also "synthetic identity fraud," where an identity is completely fabricated and used to commit fraud, as well as people who make subtle or slight changes to their PII in order to commit fraud.

"Another emerging fraud trend which is not identity fraud is that of 'credit muling,' which involves paying a person to use their legitimate PII with the intention to defraud," according to the report. "Note that this is not really identity fraud since the applicant is using only their correct identity information; it's just that they have no intention to repay the debt. This technique is becoming more frequent with wireless customers who have previously earned a decent credit rating."

The report offered no insight into how the fraud rings were actually stealing information. However, it did create a profile of some of the rings, many of which comprise groups of friends and family members, rather than professional crime groups. These familial-based groups often improperly share their personal information with each other and use it as part of fraud schemes.

In one example, the report cited a friends-and-family identity fraud ring in the Indianapolis area that consists of a male and female over the age of 70, a woman who is 48 with the same family name, and a second woman who is 48 with a different last name. All the members of the ring used multiple Social Security numbers and last names, and three used alternate first names and birthdays. According to the report, this ring perpetuated 345 falsified credit card applications and a fraudulent payday loan.

"In this latest research, we have taken a broader approach, looking at connections among bad people rather than studying individual activity," says Dr. Stephen Coggeshall, chief technology officer of ID Analytics, in a statement. "This information enables us to build new variables into our fraud models so we can help our customers to make better decisions and improve protection for consumers."

In the digital world, identity fraud can be used as part of larger targeted attack schemes, notes Richard Henderson, security strategist at FortiGuard Labs.

"There is definitely an identity theft component involved in the information-gathering phase of a targeted attack on corporations -- last year's successful spearphishing attack on RSA involved only four employees," he says. "Undoubtedly, a large amount of doxing or online research was spent tailoring a spear-phishing email that the targets were likely to open."

"Two-factor authentication, using either hardware tokens, software tokens, or lookup tables, is in use by major finance institutions and other high-risk systems," he adds, explaining that passwords should not be considered fool-proof. "Passwords can be easily compromised, whereas some form of two-factor authentication is not so easy to defeat. For access control to vital data, two-factor authentication should be considered as another tool in a corporation's general security strategy."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.