Equifax breach aftermath: Account takeovers
Cyber criminals have the most to gain by taking ownership of bank, brokerage and retirement accounts using people’s PII. Are traditional authentication systems obsolete?
Yes, there will be some tax and banking fraud as a result of the gargantuan data breach at Equifax. The biggest impact, however, will be felt by enterprises that rely on credit reporting bureaus to verify the identity of people they are doing business with.
Think employment verification, social services verification, and other forms of identity verification that rely on credit reports. These services depend on the idea that only the individual knows all the details used to verify identity, but that assumption ignores the sheer amount of personally identifiable information (PII) exposed over the past few years. Between the Office of Personnel Management breach, the Anthem breach, and scores of others at universities, retailers, enterprises, and healthcare organizations over the last two years, a great deal of PII is already available for criminals to use.
“Armed with stolen, up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account,” Gartner distinguished analyst Avivah Litan wrote on the Gartner Research blog.
As previously reported, unknown attackers exploited a vulnerability in an Equifax web application and accessed personal information for up to 143 million individuals, including Social Security numbers, personal names and addresses, and in some cases driver’s license numbers. The attackers had unauthorized access from mid-May to July of this year, Equifax said in its statement disclosing the breach. The bulk of the attention so far has focused on the potential for identity theft and criminals opening new accounts using victim information, but Litan said she does not expect to see massive fraud as a result of the data theft.
“Based on what I’ve seen in the past, I would estimate that less than 5 percent of Americans will have new loans, bank accounts, credit cards and other financial accounts taken out by a criminal in their name over their lifetime,” Litan said. What’s more likely is that stolen information will be used to take over existing accounts, such as banking, brokerage, phone service, and retirement accounts. Call centers and online systems rely on these pieces of information to verify identity when conducting high-risk transactions, such as moving money across accounts or changing the information associated with the account.
“It makes no sense to solely rely on static personally identifiable information to identify an individual a business is engaged with when there is a greater than 50 percent chance that data is in criminal hands,” Litan said.
The digital ecosystem relies on a complex web of trust, and a weakness in one of the players can impact everyone else. The United States consumer credit system is heavily reliant on the credit bureaus to act as a “backstop for digital identities,” said Patrick Harding, CTO of identity management provider Ping Identity. With the information in the wrong hands, one of the main authentication systems organizations—especially those in the financial services industry—depend on breaks down because they can no longer trust the results.
“This particular data breach will impact a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud,” said Adam Meyer, chief security strategist of threat intelligence company SurfWatch Labs.
If criminals have all the information they need to pass identity verification checks, what good is this authentication system?
Security and fraud experts like Litan have for some time been warning organizations to stop relying on static personal data for identity verification and to use dynamic identity data instead. For example, Threatmetrix uses crowdsourcing and machine learning to establish a user’s identity based on the user’s dynamic behavior and attributes rather than on fixed facts a criminal may already hold.
“Based on conversations with Gartner clients, including tax authorities, my estimate is that over half of Americans have already had their identities compromised before this latest hack, and their records are already resident in criminal databases,” Litan said.
While individuals should be worried about financial and phone service account takeovers, tax refund fraud, Social Security and other government-benefit fraud, Litan said there were other things to worry about, such as nuclear war or an attack against the power grid. “I fully understand that my stolen personal data is much more likely being used to further those goals than it is to help some criminal get a new fake mortgage,” Litan added.