Small-time ID fraud goes big time

The entrepreneurial small-business spirit is alive and well in cyberspace. Unfortunately, a significant piece of it is devoted to crime, and a significant piece of that involves identity fraud.

A study released Wednesday by ID Analytics' ID:A Labs found more than 10,000 identity fraud rings in the U.S. -- some of them led by career criminals, but a surprising number amounting to mom-and-pop operations involving friends and family, said the author, Stephen Coggeshall.

Coggeshall told CSO Online while about two thirds of ID fraud attempts are shut down before they do any damage, that obviously leaves a third getting through.

While the average income of fraud ring members is unclear, it is clearly paying off, he said. "If these people weren't successful, they wouldn't be doing it."

The study, which covered the past decade but put most of its focus on the past three years, included an examination of more than a billion applications for bankcards, wireless services and retail credit cards. It found identity fraud rings attacking all three industries, with wireless carriers the favorite target.

Coggeshall said he found fraud rings throughout the U.S., but most were in a "belt of fraud stretching through the rural Southeast," from Virginia to Texas. He said one of the things that surprised him was that while lone individuals involved in fraud tend to come from urban areas, the fraud rings tend to be in rural areas.

"Another thing was that I expected to see mafia-type professionals who were not related, but just in business together," he said. "We do see that, but we also found large numbers of family and friends -- fraud rings where they share last names and addresses, so they're siblings, parents and children."

One of the things that likely makes this an attractive business opportunity in a poor economy is that even when attempted frauds are caught and rejected, the chance of perpetrators being arrested and prosecuted is low.

Coggeshall's report gave examples of several fraud rings that included significant detail. One, he reported, included, "a male and female over the age of 70, a woman of 48 with the same family name, and a second woman of 48 with a different last name."

"All participants are using multiple SSNs and last names; three have alternate first names and birthdates," he said. "Together, this identity fraud ring has perpetuated 345 falsified credit card applications and a fraudulent payday loan. The male is retired, but uses a former email address from a respected institution to increase credibility. This fraud ring is located in a subdivision in the Indianapolis area."

Yet, Coggeshall said, to his knowledge, none of the members of that ring or two others he profiled, in Washington, D.C. and McAllen, Texas, has been prosecuted or even arrested, which meant that he had to leave some details out of the report "to protect the privacy of the individuals involved."

"We work with the fraud shops at financial institutions, not directly with law enforcement," he said. "But I would think the FBI would be interested in working with us. Identity fraud around IRS tax returns is big problem. I would think."

Coggeshall said he broke down ID fraud into three major categories. "Most people know about identity theft," he said, "where somebody steals your personal information."

[See also: ID theft again tops consumer concerns]

ID theft of all sorts is enabled in part by organized cybercrime, said Richard Henderson, Security Strategist, FortiGuard Labs. "Selling of identities is one of the many services provide by organized cybercrime," he said. "Names and credit card numbers are among the more common forms that can easily be purchased."

And the risks in the crimeware business are about as low as they are in small identity fraud operations. "It's way too profitable," said Derek Manky, a senior security strategist at FortiGuard. "Crimeware equals high returns and almost zero risk for its creators."

What are less well known than ID theft are what Coggeshall calls synthetic identity fraud and identity manipulation.

The first is the fabrication of a new identity that has no connection to a real person. Generally, the creator will start by using that identity for purchases like a pre-paid cell phone "to try to build up some fidelity of it." Once that is done, it is then used to commit higher-level fraud.

Identity manipulation is more common and simpler. It involves things like changing one number of an SSN or a birthdate, while keeping other elements of a real ID the same. One technique, called SSN "tumbling," involves making repeated changes to known, valid SSNs for multiple account applications.

While it might seem that any amount of scrutiny would expose that kind of fraud -- how could a single person have 10 or 20 different SSNs? -- Coggeshall said, "It depends on the kind of product you're applying for. Sometimes a high credit score is required for approval, but sometimes they don't even check it."

Techniques to prevent that kind of fraud include the "layered" security approach recommended by numerous security firms. "Intrusion prevention, application control, web filtering, antispam and antivirus at a minimum," said Manky.

Coggeshall said his firm, recently acquired by LifeLock, provides a score for its clients on the likelihood of an application being fraudulent. He said the firm also offers a free service to consumers so they can find out how much of their identity is "in the wild."

"Most people are not at risk," he said. "But it's good to know for sure."

Henderson said consumers can protect their personal information by limiting who gets it. "Your SSN should only be given to your bank, your employer and the government," he said. "Credit card issuers and other companies who request this information do not have a legal right to it, nor can they deny you a service strictly because you wish to safeguard your personal information."

Read more about identity theft prevention in CSOonline's Identity Theft Prevention section.

Join the CSO newsletter!

Error: Please check your email address.

Tags ID Analyticsidentity theftsecurityAccess control and authenticationIdentity & Access | Identity Theft PreventionIdentity fraud / theftIdentity & Access

More about CSOFBIIntrusionIRSIRS

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts