Fraud Prevention Blog

The Equifax Data Breach and your Loss Prevention Operation

Posted by Sean Trundy on Mon, Oct 02, 2017 @ 08:56 AM

How the release of personally identifying information (PII) of nearly half the US population should change your approach to preventing fraud losses at your business

Earlier this month, an absolute bombshell announcement was made by Equifax – one of the three major credit scoring bureaus in the United States.

“We identified a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. ”
– Equifax

Later revealed was the fact that the approximately 143 Million records included Social Security Numbers, birth dates, addresses and, in some instances, driver’s license numbers.

In other words, much of what may be required in order to fill out an application for a credit card, auto loan, home equity line of credit, in store credit account, cellular phone account, Medicare or Medicaid services, healthcare services under private insurance, and a slew of other commercial and personal benefits was made available in this one breach.

For almost half of the US population!

The Implication of Data Breaches for U.S. Businesses: Expect a Spike in BOTH ACCOUNT TAKEOVERS AND New Account Fraud

If your business must, as a routine part of its daily practices, accept a customer’s representation of their identity as the primary basis upon which you choose to conduct a transaction-of-value with them, then this recent event must have a profound effect on your operations.

The Path to Profit from Stolen Identity Data

Criminals sell stolen personal data on the “DarkWeb” via sites accessed through special software called Tor. These websites specialize in facilitating an illicit economy, from drugs, to prostitution, to stolen identities. In the modern economy, the DarkWeb has enabled the critical missing piece to make identity theft into the high-growth industry it has become in recent years - a distribution network.

In days past, when a hacker got hold of massive quantities of identity data, they would only be able to utilize a small percentage of the total number of records. However, with DarkWeb websites (like the now-defunct SilkRoad) the hackers have a place to sell their inventory of PII, to the people who will actually attempt to capitalize on the stolen data by producing forged identity documents and cashing-in on the opportunities.

Related Articles You May Find Informative:
Why Hacks like the Equifax Hack Mean Identity Authenticaiton is More Imporatant than Ever
Each New Data Breach Leads to Higher Account Take-Over Losses
Why New Account Fraud's Financial Mayhem Will Only Get Worse
IDentity Theft Continues to Increase in Volume & Value

Stolen PII data is now selling very cheaply on dark markets. Individual Social Security numbers may run a few dollars. A family's Social Security numbers -- two parents and a child, let's say -- cost $10 on one marketplace - information sold as a family unit is more valuable for tax fraud.

Armed with PII data purchased in a DarkMarket , and often introduced to professional document forgery operations in the same DarkWeb marketplace where the data was sold, the stolen data is ready to hit the streets in the hands of the identity thieves.

The person who ends up attempting to capitalize on stolen identity information – known as a “casher” in the parlance of the online world of identity data trading - can use stolen identity information two different ways: either through “account takeover” fraud and/or through “new account” fraud.

Account Takeover

An account takeover scenario occurs when a criminal uses a victim's personal identifying information to literally "takeover" a victim’s existing account. Basic personal data - such as names, addresses, and birthdates - can provide enough identifying information to enable the fraudster to make changes to their victim’s account - for example, changing the billing address and/or the contact phone number or email. 

In 2016, account takeover fraud was about $2.3 billion worldwide, up 61 percent from just one year earlier. In light of the recent Equifax breach, however, this number is expected to skyrocket in 2017. 

When someone takes over an account, they can change the victim’s security questions and passwords. The nasty part about it is that when the true account owner calls to try regain control of the account, they are the one who sound shady — since they no longer know the password or the security questions. Thieves are now taking over all kinds of accounts and locking the true owner out. Cellular phone accounts, credit cards, auto loans, demand deposit accounts, checking accounts and 401(k) accounts, to name a few, have all been targeted. 

However, basic data like name, address, and phone number of a person can only go so far. It typically would not be possible to open a new line of credit in that person's name using only basic information. To accomplish this, the thief will need additional forms of PII.

4 FREE iPhone 8’s?
With a fake driver license that matches an account-owner’s name and personal information a criminal can go into a cell phone carrier store (T-Mobile, AT&T, Verizon) and present themselves as the account owner in order to “upgrade” their account to 4 phone lines and four new top-of-the-line cell phones. The victimized company wouldn’t know about the fraud until weeks or months later, while the fraudster walks out the door with nearly $3,000 worth of products.

New Account Fraud

New account fraud, in turn, describes a fraud in which a criminal uses a victim's personal identifying information to open new accounts in that victim's name. The aforementioned situation in which a fraudster opens a new line of credit is an example of new account fraud. In order to open new accounts, criminals typically need not only the victim's PII – e.g. the full name, current address, and birthdate - but also the victim's Social Security number.

What makes the Equifax breach so unnerving is that the Social Security numbers of 143 million people are now potentially in the hands of those who would use that information to profit from fraud as much as they can. Once a criminal gets a person's SSN, a complete take-over of a person's identity is more than possible.

Every US business should expect a sharp increase in the number of attempts to conduct both new account fraud and account takeover fraud!

New Call-to-action

What Should Exposed Businesses Do?

In the end, it really is quite simple. If you want to prevent identity theft in your locations, then you need to authenticate identities of individuals conducting transactions. Period.

This may mean a shift in mentality for some companies. Up until now, the single-minded focus on “customer experience” has meant many organizations are unwilling to alter the customer service dynamic by asking a client for their ID. However, more and more, this perspective is becoming the exception, not the norm. As FraudFighter argued back in 2010, when the ID theft epidemic really began, there is a marketing and customer service argument to be made in favor of authenticating IDs.

“The companies that prove themselves to be secure and vigilant in protecting clients from fraud may well prove to be the long term winners in the market”

This means training your frontline employees to address client concerns when asked about why they are being asked for identity. They should be trained to use messaging that ensures the client that your organization is simply making sure that no one unauthorized is accessing their assets. Obviously, every organization will have its own unique way of saying this.

How to Authenticate Identities

This is a long and involved topic. Suffice it to say that – if the client is physically in your store or branch, you should authenticate their government credential document(s), e.g. driver license, state ID card, military ID card, passport, etc.

For more on this topic, we have a number of resources available for you to read:

Manual versus Automatic

Generally speaking, ID document authentication can be conducted either manually or automatically. An example of manual ID authentication is the use of ultra-violet (UV) light. Most ID documents are manufactured to include a special kind of “invisible” security feature that can only be seen under the correct wavelength of UV light. Our clients, such as the Department of Homeland Security (Travel Safety Administration) uses this type of UV solution to check ID documents as passengers pass through airport security all across the US.

The second type of solution is a more advanced hardware/software based solution that uses machine logic to analyze ID documents. These solutions will capture images and data from the ID document then submit this information to rigorous forensic examination to determine whether or not the document is genuine.

The correct solution for your particular circumstance will depend upon many different factors. If you have questions, we encourage you to contact us:

support@fraudfighter.com
800.883.8822
Monday - Friday
7:00 - 5:00 PST

Topics: identity theft, data breach, identity authentication, identity fraud, equifax

Discussions