High-level strategies for defending against attacks to steal identities are twofold: solutions on the back end, and what consumers and business partners can do to protect themselves.
Almost daily, we hear about security breaches with millions of personal data records compromised, requiring companies to notify those affected, and to provide free credit and identity theft monitoring services. Invariably, local newscasters finish their reports advising viewers to “change their passwords.” Easily said.
There are other things both consumers and businesses can and should do to fight identity theft besides inconvenient password changes. These mitigating measures involve both the back and front ends of transaction systems.
But how do breaches like those reported happen?
Clearly the bad guys are finding access points to sneak into databases and steal massive amounts of data, sometimes all at once, sometimes in drips and drabs lest someone notice the exfiltration.
Sometimes the attackers are politically motivated. For example, there is evidence that recent attacks on JPMorgan Chase originated in Russia in response to financial sanctions imposed on Russia for attacking Ukraine and seizing Crimea. Other times, it’s simpler criminal activity with the perpetrators motivated to make money through identity theft.
Individuals also take unwise actions that open them to attack, such as responding to spam and phishing, or sharing online credentials with family members, friends or caregivers, which leads to so-called “friendly fraud.”
Further, when small or medium-sized business owners intermingle personal and business accounts, they become bigger targets than ordinary netizens because their accounts are of higher value.
One of the biggest consumer vulnerabilities is created through social media behavior. I’ve joked about the CIA/NSA-sponsored data collection project called “Facebook,” where people willingly give up personal information such as their full birthday or mother’s maiden name (hey, she’s a “friend”), which can be used to guess passwords, answer account-recovery questions, or craft spear-phishing messages. And then there are LinkedIn and Google+ users, who have higher fraud rates than other groups, according to studies by Javelin Strategy and Research.
High-level strategies for defending against identity theft attacks are twofold: implementing systems on the back end, and steps consumers and business partners can and should take to protect themselves.
Back-end strategies include Identity and Access Management programs that embrace not only internal users but also customers and consumers. One-time passwords (OTPs) delivered out of band, by hardware tokens or software equivalents, help protect high-value transactions, as do challenge questions. Biometrics also help mitigate identity theft in account takeover, new-account fraud, stolen usernames, and criminal payment channels such as counterfeit credit card accounts.
Database Activity Monitoring at the back end can alert when unauthorized inquiries are made against sensitive databases, while Data Loss Prevention tools can alert on and block the exfiltration of personal information.
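To make the Database Activity Monitoring point concrete, here is an added example (not from the article or any product named in it) that runs three checks over a constructed database audit log: a principal outside the approved set touching a sensitive table, a single bulk read, and the “drips and drabs” pattern of many small reads adding up inside a rolling window. The log format, table names, approved principals and thresholds are all assumptions chosen for illustration.

```python
"""Minimal database-activity-monitoring checks over constructed audit log lines.

Added example, not code from the article. Log format, sensitive tables,
approved principals and thresholds are assumptions for illustration.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: timestamp, db user, statement, rows returned.
SAMPLE_AUDIT_LOG = """\
2014-10-01T09:00:01Z app_svc SELECT * FROM customers WHERE id = 41873 1
2014-10-01T09:00:05Z app_svc SELECT * FROM customers WHERE id = 22019 1
2014-10-01T09:01:10Z report_ro SELECT name,ssn,dob FROM customers 250000
2014-10-01T09:02:00Z jdoe SELECT ssn FROM customers WHERE id < 200 200
2014-10-01T09:12:00Z jdoe SELECT ssn FROM customers WHERE id < 400 200
2014-10-01T09:22:00Z jdoe SELECT ssn FROM customers WHERE id < 600 200
2014-10-01T09:32:00Z jdoe SELECT ssn FROM customers WHERE id < 800 200
2014-10-01T09:42:00Z jdoe SELECT ssn FROM customers WHERE id < 1000 200
2014-10-01T09:43:00Z app_svc SELECT sku,price FROM products 5000
"""

SENSITIVE_TABLES = {"customers"}                  # tables holding personal data (assumption)
ALLOWED_ON_SENSITIVE = {"app_svc", "report_ro"}   # principals expected to touch them (assumption)
BULK_ROWS = 10_000                                # rows in one statement worth an alert
SLOW_WINDOW = timedelta(hours=1)                  # rolling window for low-and-slow detection
SLOW_ROWS = 800                                   # cumulative sensitive rows per user per window

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*?)\s+(\d+)$")
TABLE_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


@dataclass
class Alert:
    rule: str      # "unauthorized", "bulk_read" or "low_and_slow"
    user: str
    ts: datetime
    detail: str


def parse_line(line):
    """Split one audit line into (timestamp, user, table, rows); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    tm = TABLE_RE.search(m.group(3))
    table = tm.group(1).lower() if tm else None
    return ts, m.group(2), table, int(m.group(4))


def analyze(log_text):
    """Return the list of alerts raised by the three rules over the log text."""
    alerts = []
    recent = {}  # user -> deque of (ts, rows) for non-bulk reads of sensitive tables
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, table, rows = parsed
        if table not in SENSITIVE_TABLES:
            continue  # only sensitive tables are in scope for these rules
        if user not in ALLOWED_ON_SENSITIVE:
            alerts.append(Alert("unauthorized", user, ts, f"{user} queried {table}"))
        if rows >= BULK_ROWS:
            alerts.append(Alert("bulk_read", user, ts, f"{rows} rows from {table} in one statement"))
            continue  # already alerted; do not double-count it in the slow window
        window = recent.setdefault(user, deque())
        window.append((ts, rows))
        while window and ts - window[0][0] > SLOW_WINDOW:
            window.popleft()  # expire reads older than the rolling window
        total = sum(r for _, r in window)
        if total >= SLOW_ROWS:
            alerts.append(Alert("low_and_slow", user, ts,
                                f"{total} rows from sensitive tables within {SLOW_WINDOW}"))
            window.clear()  # start a fresh window after alerting
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT_LOG):
        print(f"{a.ts.isoformat()} {a.rule:<12} {a.user:<10} {a.detail}")
```

The low-and-slow rule is the one that matters most for the exfiltration pattern above: each of jdoe’s queries is small enough to pass a per-query threshold, and only the rolling total crosses the line. Real DAM products add context this sketch lacks (application versus interactive sessions, time of day, baseline per principal), but the structure is the same.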
The most direct product class for fighting identity theft at the back end is Web Fraud Detection. These systems perform transaction scoring, link analysis and correlation analytics to verify that traffic is not coming from known threat sources.
These solutions work to verify the user’s location and the specific machine in use, based on the endpoint’s “fingerprint,” and examine the types of inquiries and transactions being initiated for policy violations. The findings are compared against expectations based on previous interactions with that user, or against rules about what behavior is expected. If something appears out of range, the session can be dropped, or additional information can be requested to verify the user.
Because credit card companies have a vested interest in fighting identity theft and fraud, some have acquired companies with relevant offerings: Accertify (American Express), Cybersource (VISA) and DataCash (MasterCard). Other providers of Web Fraud Detection products include Silver Tail Systems (acquired by RSA, the security division of EMC), Trusteer (acquired by IBM), Oracle and ThreatMetrix.
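The scoring loop described above, as an added example that is not code from the article or from any of the vendors it names: a session is checked against a threat list, against the user’s own history (known device fingerprints, usual countries, prior transfer sizes) and against rules about risky actions, and the resulting score maps to allow, step up, or block. The profile fields, weights and thresholds are assumptions for illustration; the feedback step at the end shows why a device that passed step-up verification stops scoring as unknown next time.

```python
"""Web-fraud-detection style session scoring over constructed data.

Added example, not from the article or any vendor product named there.
Profile fields, weights and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed history for one user, as a fraud engine would build from prior sessions.
USER_PROFILE = {
    "user_id": "u-1001",
    "known_devices": {"fp-9a1c"},   # endpoint fingerprints seen on verified sessions
    "usual_countries": {"US"},
    "max_transfer": 600.0,          # largest transfer previously made by this user
}

# Constructed threat intelligence: addresses seen in prior fraud (assumption).
KNOWN_THREAT_IPS = {"203.0.113.7"}

RISKY_ACTIONS = {"change_email", "change_phone", "add_payee"}
STEP_UP_AT, BLOCK_AT = 30, 70   # score thresholds (assumption)


@dataclass
class Session:
    user_id: str
    ip: str
    country: str
    device_fp: str
    action: str             # e.g. "view_balance", "transfer", "add_payee"
    amount: float = 0.0
    failed_logins: int = 0


@dataclass
class Verdict:
    score: int
    decision: str           # "allow", "step_up" or "block"
    reasons: list = field(default_factory=list)


def score_session(s, profile, threat_ips=KNOWN_THREAT_IPS):
    """Combine threat-list, history and rule signals into a score and a decision."""
    score, reasons = 0, []
    if s.ip in threat_ips:
        score += 60; reasons.append("ip on threat list")
    if s.device_fp not in profile["known_devices"]:
        score += 25; reasons.append("unknown device fingerprint")
    if s.country not in profile["usual_countries"]:
        score += 20; reasons.append(f"session from unusual country {s.country}")
    if s.failed_logins >= 3:
        score += 15; reasons.append(f"{s.failed_logins} failed logins this session")
    if s.action == "transfer" and s.amount > profile["max_transfer"]:
        score += 30; reasons.append(f"transfer {s.amount:.2f} exceeds prior max")
    if s.action in RISKY_ACTIONS:
        score += 15; reasons.append(f"profile-changing action {s.action}")
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= STEP_UP_AT:
        decision = "step_up"     # ask for an OTP or challenge question before continuing
    else:
        decision = "allow"
    return Verdict(score, decision, reasons)


def enroll_device(profile, device_fp):
    """Return an updated profile after the user passed step-up on a new device."""
    return {**profile, "known_devices": profile["known_devices"] | {device_fp}}


if __name__ == "__main__":
    s = Session("u-1001", "198.51.100.4", "DE", "fp-0000", "add_payee")
    v = score_session(s, USER_PROFILE)
    print(v.decision, v.score, v.reasons)
    print(score_session(s, enroll_device(USER_PROFILE, "fp-0000")).decision)
```

Note that a single weak signal (an unfamiliar device, say) does not by itself trigger step-up; it is the combination with an unusual country or a risky action that does, which is how these systems keep friction low for legitimate users who simply bought a new laptop.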
So mitigating technologies at the back end can help fight identity theft, but that is only part of the solution. Consumers and business partners can set up credit/debit card and bank account alerts that report every transaction, so that unauthorized ones stand out immediately. Surveys conducted by Javelin Strategy and Research have found consumers increasingly willing to do this, as part of taking on more responsibility for protecting their online activities and supplementing the safeguards and loss limits covered under consumer protection rules and regulations.
Another individual response is to use Identity Protection Services (IDPS) such as LifeLock, EZShield, and the services offered by the larger credit bureaus. There are also companies such as Intersections which market directly to consumers but also support private-labeled services that banks or affinity groups such as auto clubs offer to their customers. IDPS vendors provide a range of services, and some also offer consulting and other services to enterprises to support regulatory compliance both before and after an identity theft breach occurs.
The services provided to consumers include monitoring the credit bureaus for inquiries and changes, scanning databases such as court records for errors, sifting through black market and “darknet” bulletin boards for stolen identity data such as credit card numbers, and alerting on any unauthorized change attempts made to sensitive records such as those held by the Social Security Administration.
If there is a breach impacting an IDPS customer, resolution services help to recover losses and to protect identity going forward. This includes assistance in cancelling credit cards, putting flags or freezes on credit bureau reports, aiding forensic investigations, and working with law enforcement.
True, consumers can do things like cancelling their own credit cards themselves. But for some, having a service with specialized knowledge backing them up provides a measure of peace of mind. However none of the IDPS companies can really prevent identity theft. They can just help make it harder for the bad guys and easier for the victim to recover — but at a cost.
There have been marketing and business practice controversies regarding IDPS. Regulatory and oversight agencies have fined some providers for signing up consumers against their will and for false promises. Some financial institutions that partnered with IDPS vendors have also been fined and have stopped offering such services.
One common complaint is that a vendor says it will alert customers when a credit check is performed on them, yet there are numerous instances of IDPS customers making significant purchases that require a credit check, such as applying for a mortgage, buying a car, or getting a new credit card, without the IDPS alerting the customer. Accordingly, promises are being made that some of these companies do not fulfill.
Nevertheless, IDPS companies, and knowledgeable consumers who monitor their accounts daily for questionable transactions, are part of a back-end/front-end strategy for fighting ID theft and the resulting fraud.
CISOs should be aware of the complementary nature of these offerings, as well as Web Fraud Detection and other technologies as they work to combat the increasingly creative bad guys looking to steal identities in order to commit financial and other fraud.