We have written much on the subject of the Modern Face of Identity Theft, and how technological advancement has changed the game for criminals involved in the ID theft racket.
But how has this quick-adaptation of technology affected the cost and availability of stolen identity information? To what extent has the exponential rise in the volume of stolen identity data altered the marketplace in which such data is bought and sold?
The answer is: quite significantly.
In a recent report released by Dell SecureWorks, it was revealed that the average cost for a complete stolen identity profile dropped by nearly 40% in the past two years, alone. Such a profile would include:
date of birth
Social Security number, and;
information on bank and credit card accounts
The cost for such information? Just $25.
A credit card number with the CSV number included can be had for as little as $4. While for just $300, you can purchase the credentials needed to access an online bank account with a balance between $75,000-$150,000.
Don’t be. In 2013, at least 100 million Americans had some form of identity data stolen. These are just the thefts that are publicly known. The actual number may be much higher than this.
In a classic example of supply and demand, the influx of such a large quantity of available data has pushed the price down for the “cashers”, e.g. – the people on the ground who actually convert the stolen identity into monetary losses.
We’ve written several times about the concept of the “dark market”. These are aggregators of stolen data, who utilize database management and data scrubbing techniques to match stolen data and compile complete identity profiles, called “fullz” in the parlance of the marketplaces.
With so much more data available, the average price of a “fullz” profile has dropped by more than 50% since 2008.
Technology – not so much our friend?
It gets worse. In the modern realm of identity thieves, finding and purchasing this data has become as convenient as shopping for a book on Amazon. The “data dumpers” (which is what the sellers of the data are called) have created user-friendly marketplaces, with complex search engines. They even sell advertising to the “vendors” of the stolen data, who can place targeted banner-ads on the dark market websites in order to capture customers in what has become an increasingly competitive industry.
These same dumpers will often offer complementary services – such as linking buyers of the identity data with professional forgery operations who can create ID documents and other credentials with the buyer’s picture that feature the personal information of the just-purchased “Fullz” profile. With this in hand, the “Casher” is set to go about accessing and draining the victim’s assets.
Fortunately, not all the technological news is bad. Many companies are working on the problem. Current solutions range from forensic auditing of transactions, to querying the individual at the time of transaction utilizing intelligently-structured questions designed to catch impersonators who do not know all the personal details of their victim’s past.
While effective at detecting casual identity thieves, these techniques may not be able to catch the new, modern identity thief, who may be armed with answers to the historical questions, and may also be careful to only transact at locations where the victim has previously transacted.
In the (maybe not too distant) future, we will almost certainly see a move towards biometric credentialing. This would mean that individuals would provide a biometric credential (iris scan, fingerprint, index finger vein-pattern, or (for real!) brain wave patterns) at the time that they establish a relationship with whatever entity it is that is charged with protecting their assets. Future access to such assets would only be granted to those with matching credentials.
In the meantime, financial institutions, medical providers, government offices and other organizations are challenged to conduct genuine identity authentication during a transaction.
Here at FraudFighter™, we believe the solution MUST be ID Document Authentication, utilizing forensic tools that can authenticate whether an ID document was created by the genuine issuing authority, and not a highly advanced forgery operation.