11/14/2012
02:38 PM

Study Finds More Than 10,000 ID Fraud Rings In the U.S.

Georgia, South Carolina, and Florida are among the hotspots for identity theft

The misuse of personally identifiable information (PII) can take many forms, from filing fraudulent bank applications with stolen information to manipulating personal data to game unsuspecting companies. In a new study released today, ID Analytics' ID:A Labs reveals that this murky underworld is composed of more than 10,000 identity fraud rings operating in the U.S. alone -- many of which are groups of families and friends as opposed to organized crime.

The study analyzed more than 1 billion applications for wireless services, bank cards, and retail credit cards, and uncovered identity fraud rings attacking all three industries. According to the study, Georgia, Florida, and the Carolinas are hotbeds for fraudulent activities across all three industries. Wireless carriers got hit the worst, the report notes.

There are several types of identity fraud, ranging from criminals who become aware of enough information about a specific account to impersonate a victim and take unauthorized actions, to targeting a specific individual and then assuming that person's persona. There is also "synthetic identity fraud," where an identity is completely fabricated and used to commit fraud, as well as people who make subtle or slight changes to their PII in order to commit fraud.

"Another emerging fraud trend which is not identity fraud is that of 'credit muling,' which involves paying a person to use their legitimate PII with the intention to defraud," according to the report. "Note that this is not really identity fraud since the applicant is using only their correct identity information; it's just that they have no intention to repay the debt. This technique is becoming more frequent with wireless customers who have previously earned a decent credit rating."

The report offered no insight into how the fraud rings were actually stealing information. However, it did create a profile of some of the rings, many of which comprise groups of friends and family members, rather than professional crime groups. These familial-based groups often improperly share their personal information with each other and use it as part of fraud schemes.

In one example, the report cited a friends-and-family identity fraud ring in the Indianapolis area that consists of a male and female over the age of 70, a woman who is 48 with the same family name, and a second woman who is 48 with a different last name. All the members of the ring used multiple Social Security numbers and last names, and three used alternate first names and birthdays. According to the report, this ring perpetrated 345 falsified credit card applications and a fraudulent payday loan.

"In this latest research, we have taken a broader approach, looking at connections among bad people rather than studying individual activity," says Dr. Stephen Coggeshall, chief technology officer of ID Analytics, in a statement. "This information enables us to build new variables into our fraud models so we can help our customers to make better decisions and improve protection for consumers."

In the digital world, identity fraud can be used as part of larger targeted attack schemes, notes Richard Henderson, security strategist at FortiGuard Labs.

"There is definitely an identity theft component involved in the information-gathering phase of a targeted attack on corporations -- last year's successful spear-phishing attack on RSA involved only four employees," he says. "Undoubtedly, a large amount of doxing or online research was spent tailoring a spear-phishing email that the targets were likely to open."

"Two-factor authentication, using either hardware tokens, software tokens, or lookup tables, is in use by major finance institutions and other high-risk systems," he adds, explaining that passwords should not be considered fool-proof. "Passwords can be easily compromised, whereas some form of two-factor authentication is not so easy to defeat. For access control to vital data, two-factor authentication should be considered as another tool in a corporation's general security strategy."
