Small-time ID fraud goes big time

Study finds more than 10,000 ID fraud rings, many among friends and family

The entrepreneurial small-business spirit is alive and well in cyberspace. Unfortunately, a significant piece of it is devoted to crime, and a significant piece of that involves identity fraud.

A study released Wednesday by ID Analytics' ID:A Labs found more than 10,000 identity fraud rings in the U.S. -- some of them led by career criminals, but a surprising number amounting to mom-and-pop operations involving friends and family, said the author, Stephen Coggeshall.

Coggeshall told CSO Online while about two thirds of ID fraud attempts are shut down before they do any damage, that obviously leaves a third getting through.

While the average income of fraud ring members is unclear, it is clearly paying off, he said. "If these people weren't successful, they wouldn't be doing it."

The study, which covered the past decade but put most of its focus on the past three years, included an examination of more than a billion applications for bankcards, wireless services and retail credit cards. It found identity fraud rings attacking all three industries, with wireless carriers the favorite target.

Coggeshall said he found fraud rings throughout the U.S., but most were in a "belt of fraud stretching through the rural Southeast," from Virginia to Texas. He said one of the things that surprised him was that while lone individuals involved in fraud tend to come from urban areas, the fraud rings tend to be in rural areas.

"Another thing was that I expected to see mafia-type professionals who were not related, but just in business together," he said. "We do see that, but we also found large numbers of family and friends -- fraud rings where they share last names and addresses, so they're siblings, parents and children."

One of the things that likely makes this an attractive business opportunity in a poor economy is that even when attempted frauds are caught and rejected, the chance of perpetrators being arrested and prosecuted is low.

Coggeshall's report gave examples of several fraud rings that included significant detail. One, he reported, included, "a male and female over the age of 70, a woman of 48 with the same family name, and a second woman of 48 with a different last name."

"All participants are using multiple SSNs and last names; three have alternate first names and birthdates," he said. "Together, this identity fraud ring has perpetuated 345 falsified credit card applications and a fraudulent payday loan. The male is retired, but uses a former email address from a respected institution to increase credibility. This fraud ring is located in a subdivision in the Indianapolis area."

Yet, Coggeshall said, to his knowledge, none of the members of that ring or two others he profiled, in Washington, D.C. and McAllen, Texas, has been prosecuted or even arrested, which meant that he had to leave some details out of the report "to protect the privacy of the individuals involved."

"We work with the fraud shops at financial institutions, not directly with law enforcement," he said. "But I would think the FBI would be interested in working with us. Identity fraud around IRS tax returns is big problem. I would think."

Coggeshall said he broke down ID fraud into three major categories. "Most people know about identity theft," he said, "where somebody steals your personal information."

[See also: ID theft again tops consumer concerns]

ID theft of all sorts is enabled in part by organized cybercrime, said Richard Henderson, Security Strategist, FortiGuard Labs. "Selling of identities is one of the many services provide by organized cybercrime," he said. "Names and credit card numbers are among the more common forms that can easily be purchased."

And the risks in the crimeware business are about as low as they are in small identity fraud operations. "It's way too profitable," said Derek Manky, a senior security strategist at FortiGuard. "Crimeware equals high returns and almost zero risk for its creators."

What are less well known than ID theft are what Coggeshall calls synthetic identity fraud and identity manipulation.

The first is the fabrication of a new identity that has no connection to a real person. Generally, the creator will start by using that identity for purchases like a pre-paid cell phone "to try to build up some fidelity of it." Once that is done, it is then used to commit higher-level fraud.

Identity manipulation is more common and simpler. It involves things like changing one number of an SSN or a birthdate, while keeping other elements of a real ID the same. One technique, called SSN "tumbling," involves making repeated changes to known, valid SSNs for multiple account applications.

While it might seem that any amount of scrutiny would expose that kind of fraud -- how could a single person have 10 or 20 different SSNs? -- Coggeshall said, "It depends on the kind of product you're applying for. Sometimes a high credit score is required for approval, but sometimes they don't even check it."

Techniques to prevent that kind of fraud include the "layered" security approach recommended by numerous security firms. "Intrusion prevention, application control, web filtering, antispam and antivirus at a minimum," said Manky.

oggeshall said his firm, recently acquired by LifeLock, provides a score for its clients on the likelihood of an application being fraudulent. He said the firm also offers a free service to consumers so they can find out how much of their identity is "in the wild."

"Most people are not at risk," he said. "But it's good to know for sure."

Henderson said consumers can protect their personal information by limiting who gets it. "Your SSN should only be given to your bank, your employer and the government," he said. "Credit card issuers and other companies who request this information do not have a legal right to it, nor can they deny you a service strictly because you wish to safeguard your personal information."

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies