Identity is the new currency for global cybercriminals

Breached companies are naturally forced to release damage limitation press statements to stem what can be an inevitable tidal wave of customers suspending accounts, stopping transactions or deserting to a competitor.

What is slightly incredulous, however, is that companies seem to think that consumers should be reassured by assertions such as “no payment information was stolen” or “passwords were encrypted”. What fraudsters are showing us is that the critical currency in global, organized cybercrime attacks is in fact identity data. We see the proof of this in the ever-increasing fraud attacks in the ThreatMetrix Network: attack levels are currently sitting at 130 million over just one quarter, which is a 40% year-on-year increase.

Full and convincing stolen identities are the gateway to large-scale, successful fraud attacks including account takeovers and new account originations. The implications of these attacks are devastating for the legitimate user in question, and can take years to recover from. The latest quarterly ThreatMetrix Cybercrime Report* revealed that 1 in 10 new account originations are now rejected in the ThreatMetrix Network, illustrating just how widespread and pernicious the use of stolen identity data really is. In addition, automated bot attacks often surpass legitimate customer traffic as fraudsters attempt to test, validate and steal identity credentials online.

The anatomy of a fraud attack in 2016 evolved to encompass complex attack vectors, clearly evidenced in the multi-faceted ways organized crime rings monetize user data harvested through extensive data breaches.

What might begin as a simple account validation using a basic bot evolves to incorporate a complex bot to guess unknown passwords, and could progress to a bot that masquerades as genuine human traffic to trick unsuspecting businesses.

Identity has now truly become a “currency” with many fraudsters focused on augmenting existing identity credentials and using attacks to build up account history for synthetic identities before re-packaging them to sell on at a premium. Not only can these complete identities be sold at a premium, they can also be used to launch successful attacks worldwide, with users often none the wiser until they are rejected for a new credit card or mortgage agreement.

ANATOMY OF A FRAUD ATTACK – 2016 EDITION

That one breach, where consumers are being reassured their credit card details are safe, could provide the missing piece of the puzzle, which opens the door to more successful attacks elsewhere.

Cybercriminals are often now more adept than legitimate users at answering step-up questions, and that is because they have a vast bounty of information, which they put to good use. Passwords are now virtually ineffective in our post breach world. What’s more, organizations are sometimes blind to the crippling success of a simple social engineering attack, assuming that consumers in 2016 can spot these a mile off. The ubiquity of stolen identity data often makes these attacks more difficult to recognize, with fraudsters masquerading convincingly as the individual in question.

So, what are businesses and consumers to do? Information is everywhere, on public records, social media sites and on easily accessible dark websites. How can anyone really safeguard their online identities?

The answer lies in the way that we transact online: an intricate footprint that is actually unique to us, and provides a wealth of information that fraudsters cannot steal or fake. If businesses can really understand a user’s unique digital identity, the badly sewn seams of the fraudsters’ patchwork stolen identities can be seen for what they truly are: fake. Moreover, no match for the dynamic and real time intelligence that can be harnessed from the almost infinite connections a user makes as they transact online.

*The ThreatMetrix Cybercrime Report: Q3 2016 is based on actual cybercrime attacks from July 2016 – September 2016 that were detected by the ThreatMetrix Digital Identity Network during real-time analysis and interdiction of fraudulent online payments, logins and new account applications.

For similar stories, please check out our Web Fraud Prevention and Online Authentication Market Guide 2016/2017 here to get access to an insightful outline of the global digital identity and web fraud ecosystem.

About Vanita Pandey

Vanita leads the strategic vision and go-to-market for ThreatMetrix products and solutions. With extensive experience in strategy, innovation, product management and analytics within the payment industry, Vanita previously led merchant development and global go-to-market for Visa’s digital products.

About ThreatMetrix

ThreatMetrix, The Digital Identity Company, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions, supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network, ThreatMetrix secures against account takeover, payment fraud and fraudulent account registrations.