Attacks/Breaches
11/14/2012
02:38 PM
50%
50%

Study Finds More Than 10,000 ID Fraud Rings In the U.S.

Georgia, South Carolina, and Florida are among the hotspots for identity theft

The misuse of personally identifiable information (PII) can take many forms, from the filing of fraudulent bank applications with stolen information, to manipulating personal data, to game unsuspecting companies. In a new study released today, ID Analytics' ID: A Labs reveals that this murky underworld is compromised of more than 10,000 identity fraud rings that are operating in the U.S. alone -- many of which are groups of families and friends as opposed to organized crime.

The study analyzed more than 1 billion applications for wireless services, bank cards, and retail credit cards, and uncovered identity fraud rings attacking all three industries. According to the study, Georgia, Florida, and the Carolinas are hotbeds for fraudulent activities across all three industries. Wireless carriers got hit the worst, the report notes.

There are several types of identity fraud, ranging from criminals who become aware of enough information about a specific account to impersonate a victim and take unauthorized actions, to targeting a specific individual and then assuming that person's persona. There is also "synthetic identity fraud," where an identity is completely fabricated and used to commit fraud, as well as people who make subtle or slight changes to their PII in order to commit fraud.

"Another emerging fraud trend which is not identity fraud is that of 'credit muling,' which involves paying a person to use their legitimate PII with the intention to defraud," according to the report. "Note that this is not really identity fraud since the applicant is using only their correct identity information; it's just that they have no intention to repay the debt. This technique is becoming more frequent with wireless customers who have previously earned a decent credit rating."

The report offered no insight into how the fraud rings were actually stealing information. However, it did create a profile of some of the rings, many of which comprise groups of friends and family members, rather than professional crime groups. These familial-based groups often improperly share their personal information with each other and use it as part of fraud schemes.

In one example, the report cited a friends-and-family identity fraud ring in the Indianapolis area that consists of a male and female over the age of 70, a woman who is 48 with the same family name, and a second woman who is 48 with a different last name. All the members of the ring used multiple Social Security numbers and last names, and three used alternate first names and birthdays. According to the report, this ring perpetuated 345 falsified credit card applications and a fraudulent payday loan.

"In this latest research, we have taken a broader approach, looking at connections among bad people rather than studying individual activity," says Dr. Stephen Coggeshall, chief technology officer of ID Analytics, in a statement. "This information enables us to build new variables into our fraud models so we can help our customers to make better decisions and improve protection for consumers."

In the digital world, identity fraud can be used as part of larger targeted attack schemes, notes Richard Henderson, security strategist at FortiGuard Labs.

"There is definitely an identity theft component involved in the information-gathering phase of a targeted attack on corporations -- last year's successful spearphishing attack on RSA involved only four employees," he says. "Undoubtedly, a large amount of doxing or online research was spent tailoring a spear-phishing email that the targets were likely to open."

"Two-factor authentication, using either hardware tokens, software tokens, or lookup tables, is in use by major finance institutions and other high-risk systems," he adds, explaining that passwords should not be considered fool-proof. "Passwords can be easily compromised, whereas some form of two-factor authentication is not so easy to defeat. For access control to vital data, two-factor authentication should be considered as another tool in a corporation's general security strategy."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report