Almost every day we see news about another organization compromised and potentially millions of data records leaked. While the amount of data that's been exfiltrated is unquantifiable, it's clear that everyone's personal data is out there in some form or fashion.
For threat actors, accessing these data sets has been a common attack vector for years. We experience them daily, from phishing attacks and scam phone calls all the way through credit card fraud. However, lately there has been an unnerving sophistication in these common attacks.
Recently, organizations and individuals have been falling victim to innovative criminals who have developed methods of linking compromised data sets based on common fields and attributes. Previously simple data leaks of email addresses, names and birthdates, phone numbers, and even something as obfuscated as the last four digits of a Social Security number are being linked, merged, and correlated with other data breaches to produce partial profiles for millions of people. The end result makes it easier for threat actors to commit identity-based crimes, with enough information to spoof a user's identity with a high degree of electronic confidence.
In fairness, this technique is an old attack vector with a new name. Dubbed "synthetic identities," this resurrected identity attack vector contains an individual's nearly complete profile, built from multiple previous data breaches. It has recently been cited in the consumer banking industry as an attack vector that has left thousands of people with fraudulent bank accounts associated with their identities. While this is not a new technique for banks to contend with, the ramifications have created a void in the cybersecurity industry and, worse, a gap in security best practices for identity validation and verification, because the electronic profiles of the fraudulent accounts are nearly complete at the time of creation.
First, let’s start with a modern definition for a synthetic identity. According to Equifax, synthetic identities are a form of financial fraud in which a real person’s information, such as their Social Security number or date of birth, is stolen and combined with other falsified personal information to create a new identity.
The weakness that leads to this type of attack is the lack of validation of the falsified information used to create a synthetic identity. The consumer's name and Social Security number may be correct, but subtle details, from their home address through their phone number, are often falsified to conduct the attack.
In fact, it’s not unusual for someone’s contact information to change, which makes it an unreliable attribute for validating an identity during account creation. This occurs when someone moves, takes a new job, or even has a change in relationship. Businesses rely on name, birthdate, and Social Security number (or its last four digits), and that has now become a new liability. Even if the organization bundles this information and sends it to a third-party identity verification service, confidence in the data is only as good as the threat actor's hack and the partial semblance of the synthetic identity. After all, the more real data they have, and the more carefully they manipulate the synthetic data they inject, the more likely they are to succeed in their attack.
While this has obvious consequences for businesses that serve consumers, businesses employing staff and leveraging contractors and vendors can easily suffer from similar attack vectors. Ask a very basic question: How much personal data does the organization collect and verify in its human resources system when a new employee, contractor, or vendor is onboarded? And does the company periodically re-validate the information to ensure personal changes do not nullify it?
While these may sound like basic operating procedures, gaps in this process can easily lead to a wide variety of financial fraud within a business. For those not sure how these attack vectors could materialize, consider the following:
Synthetic identities are not new, however; the name is new terminology for an old problem. The primary difference is the amount of data used to falsify an identity and the techniques used to create that profile. Falsifying contact information and posing as someone else is a technique criminals have been using for literally hundreds of years. While consumers bear the brunt of these attacks, businesses can modify their policies to ensure employees, contractors, and vendors provide complete, up-to-date information to mitigate an attack. And, to ensure staff do not become victims of an attack, deny the changing or dissemination of this information over insecure and non-verifiable communications like email. These simple changes can help mitigate the company’s risks from synthetic identity attack vectors.
Morey Haber, chief security officer, BeyondTrust