Fraud stories, Part 1

My cell phone rings. It’s my daughter. She is hysterical. “Mom, you must come home right away! The government called and they said that you owe some taxes and if you don’t pay it right away, you can go to jail! I am so scared; please come home now!”

Identity laundering is the new form of identity theft

While I have spent the last 20 years focused on biometrics and identity issues, the fact that twice as many Americans rate identity theft and bank fraud as their top concern over terrorism and the loss of a loved one, according to the latest FICO research, shows how pervasive and far-reaching the problem has become. Identity theft used to be about deadbeat dads, convicted felons and others seeking a new identity to escape a past life and start a new one; one of the earliest success stories in facial recognition was identifying a person who had 27 licenses under various names. Today, identity theft is a fast-moving game more akin to identity laundering. Get a list of stolen credentials, move through it to figure out which are legitimate as fast as you can, see what money you can make from it, and move on to the next victim. By the time they figure it out, the money is gone from their bank account and almost impossible to trace. In 2016, more than 15 million consumers were affected by these kinds of fraudulent acts.

It starts with identity vetting and providing online credentials. Doing a background check based on information entered online or authenticating someone’s identity via single sign-on or other static techniques is a feel-good measure but most CSOs and Risk Managers acknowledge that the fraudsters have figured out how to circumvent all of it.  The fact that personal information is widely available on the dark web, means that fraud today comes from authenticated sessions and the notion of digital identity and how we manage identity assurance online needs to be rethought.

How do we prove someone’s identity? How do we ensure someone is who they claim to be? 

Checking the boxes is not enough

These are not easy answers. I attended a session several years ago in which a high-level government official told a small group of C-level executives from top tier organizations, that they had all already been victims of a hack or an attempted hack; it was just a matter of time before they all knew about it. Yet, we see continuously that the executive suite is underinvesting in cybersecurity, partly due to lack of resources but mostly resulting from failure of imagination, and failure to take action, knowing that the status quo is not good enough. A common misconception is that regulatory compliance equals best security practices, that by checking the boxes, the fraudsters will go somewhere else. Oftentimes, convenience and user experience trumps security, and budgets are easily reassigned when there is no glaring emergency (i.e., known or publicized breach or compromised account).

Corporate responsibility should include cybersecurity

This is not acceptable. Just like companies have committed to promote social responsibility through various initiatives, they should also promote “cyber responsibility” and do as they preach. The drumbeat of data breaches that expose our personal data continues and each incident portends its own aftermath and its own set of victims. There are solutions out there to minimize false alarms while providing better security, and this will be the forum where we bring these issues to light and help to redefine how we think about identity in our digital world.

I invite you to join me in the discussion and comment on the blog as we dive deeper into these topics.