By now everyone concerned about cybersecurity has heard of the Equifax hack and potential compromise of over 140 million identity records containing Americans’ most sensitive PII (Personally Identifiable Information). New reports indicate that British and Canadian citizens’ data were also compromised, which makes sense given that Equifax houses their data too. Of course, lots of people are justifiably concerned about this hack – and it is, in my estimation, the worst ever in terms of sensitive confidential consumer/personal information leaked.
But frankly, I don’t think this hack is going to result in tens of millions of fraudulent loans and credit cards being taken out using stolen identities. Based on what I’ve seen in the past, I would estimate that less than 5% of Americans will have new loans, bank accounts, credit cards and other financial accounts taken out by a criminal in their name over their lifetime. And while everyone is advocating getting a credit freeze on your credit bureau file, my view is that will only protect you from less than 5% of the types of financial crimes that can happen to you.
So how will the stolen data be used?
- It will be sold and resold in the underground.
- It will be used to update existing stolen identity records, which are already plentiful and abundant but a bit out of date in terms of phone numbers and addresses.
- Based on conversations with Gartner clients, including tax authorities, my estimate is that over half of Americans have already had their identities compromised before this latest hack, and their records are already resident in criminal databases.
- It will be used to take over existing accounts, for example bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with Bitcoin wallet holders), and retirement accounts. This compromised PII data is used by call centers and online systems to verify identities when they are conducting high risk transactions such as moving money or changing an account’s phone number on record. So now, armed with the stolen up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account.
- It will be purchased and used by adversarial nation states including Russia, China, North Korea and Iran who have their own nefarious plans to disrupt or steal from U.S. society. As noted in a previous blog on this subject (see Where has all the Stolen Data Gone?), intelligence has become a data mining exercise. Cyber-warring nation states have long been known to be mapping out the U.S. population, and how individuals are connected to each other, where they live and how they can be targeted in order to get to their goal. As we have witnessed, goals can range from disrupting political processes or stealing valuable intellectual property used to manufacture weapon-related systems such as missile defense to more innocuous missions like pilfering consumer goods’ blueprints for luxury handbags or perfumes.
What should organizations do when it comes to identity proofing and verification?
- First, it makes no sense to rely solely on static personally identifiable information to identify an individual a business is engaged with when there is a greater than 50% chance that data is in criminal hands. We have long been advocating that organizations reduce reliance on static personal data and increase reliance on dynamic identity data when engaging in identity verification. See the previous blog on this subject, “The Global Identity Dilemma; Static Biometrics are NOT the Answer”, and the published research “Absolute Identity Proofing is Dead; Use Dynamic Identity Assessment Instead”.
- Some progressive fraud detection companies are trying to make this migration to an increasing reliance on dynamic identity data easier for you. For example, ThreatMetrix has a technology that leverages crowd sourcing and machine learning to establish the legitimacy of a user’s identity based on an individual’s dynamic behavior and attributes. WhitePages Pro has a similar concept and product. It’s time to evaluate and adopt these types of identity proofing options, as many of the world’s most progressive ecommerce companies have already done to keep their fraud rates down.
What should we be most worried about as individuals?
Be most worried about financial account takeover, phone takeover (used to get access to financial accounts), tax refund fraud, social security and other government benefit fraud, ransomware on your computer and social engineering by fraudsters or nation states who want to get to you or someone you are connected to.
As far as national security concerns, we have little influence over what happens at that level but we all need to be more fully aware that cyberwarfare is real and here today, that it is in large part based on data mining. Innocent citizens are often used as pawns in cyberwarfare plans. That means we all have to be vigilant so as not to get socially engineered by some dark obtuse entity using us for nefarious gains and crimes against our country.
For example, an adversary trying to steal missile defense blueprint plans will find its way into the missile defense company network through the company’s employees and their desktops. The easiest way to do that is by socially engineering an employee of the company using information gleaned from a criminal database that compiles information on the employee and all of his/her connections. (Again please refer to Where has all the Stolen Data Gone? for a discussion on these databases).
Social engineering is typically manifested in realistic and cleverly written emails purporting to be from a legitimate trusted sender. When this ‘spear phishing email’ is opened by the target, malware is then planted on the target employee’s desktop and is then used to initiate lateral movement throughout the organization until the blueprint is found, extricated and moved out of the organization to a criminal server.
So what’s going to make me sleep better at night? A credit freeze on my file?
Hardly. That’s probably worth 30 extra seconds of sleep a night. Instead, I worry (but not enough to stay awake at night) about the 95% of the bad stuff that can happen to me financially (e.g. account takeover) for which a credit freeze and credit report monitoring won’t help. I monitor my financial accounts closely so that I can report a crime as soon as possible and have a better chance of getting a refund. I’m also highly suspicious of emails and phone calls from unrecognized senders or callers.
I also think about all the bad stuff that can happen to my family and me over which I have zero control, e.g. nuclear war, an attack against our power grid, a failure of our air traffic control system, foreign manipulation of our election systems and disruption of our democratic processes, etc. This stuff does sometimes keep me up at night, especially since our election last November. And I fully understand that my stolen personal data is much more likely being used to further those goals, than it is to help some criminal get a new fake mortgage.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
It’s time to abandon SSN as an identifier. It was never intended to be one.
I agree with everything you are saying, Avivah, but I’d also say at the corporate level, and within the number of privacy regulations we have, we need to adopt a model of “least privilege”. Too many people hold credentials to applications and systems that hold sensitive data they simply do not need in order to do their jobs. This is the result of systems written before the dawn of the cyber war we find ourselves in as well as companies simply not building security into the build process as a critical component.
Companies need to look at new solutions to protect data pervasively because the major threat is no longer a server disappearing from your data center. Perimeter Security is important but any IT person knows it’s one layer in a comprehensive approach. This will take resources, it may demand some changes to business processes but there is technology that would have prevented or significantly limited the impact of many of the largest breaches we have seen in recent years.