Mistaken identity is a perennial movie plot. Who can forget the classic suspense flick, North by Northwest which has ad man Cary Grant on the run after being mistaken for a government agent? Or Date Night which sees a romantic evening turn dangerous after a married couple take up the dinner reservation of a couple of no-shows?
Stolen identity is an equally dramatic real life issue that can be costly to fix and which rarely results in a happy ending.
It’s a problem which has affected hundreds of Australians whose only ‘crime’ is likely to have been oversharing on social media, using a poorly secured bank account or recycling a password rather than coming up with a new alpha-numeric string.
Any of these activities or omissions can result in a successful ‘in’ for criminals who are adept at obtaining sensitive and personal information and using it for illicit gain. Almost invariably it’s to impersonate an unwitting individual, in order to hijack their online accounts and gain access to money and goods.
Common methods of identity fraud include phishing, hacking, remote access scams and malware and ransomware.
Using fake social media or dating profiles to connect with targets is another popular modus operandi, as is the old school tactic of gaining access to private information by swiping mail from unlocked mailboxes or harvesting personal data from discarded bills and documents.
ID theft on the rise
Identity theft is nothing if not a growth ‘industry’. Globally, account takeover fraud increased by 80 per cent between 2016 and 2017, according to Signifyd’s 2018 Ecommerce Fraud Index.
In Australia, the Australian Competition and Consumer Commission’s Scamwatch received more than 11,000 reports of identity fraud in 2018. Losses, which are likely to be under-reported, totalled $1.375 million.
Phone gambits accounted for a little over half the incidents, with the remainder comprising email, text messaging, internet, social networking, mail, in person and mobile application approaches.
Significant data breaches have contributed to the rise in identity fraud and there have been no shortage of those over the past two years.
In Australia, a string of large organisations, including PageUp People, Ticketek, Austal and Commonwealth Bank made data breach notifications in 2018, for incidents which may have compromised the security of customer data.
Weak customer authentication methods – multi-factor authentication is still not the default security position for many organisations, despite evidence it’s effective – and a rise in the use of mobile devices for conducting transactions have not helped the cause.
The domino effect
Having your identity stolen can result in losses on multiple fronts – some of them potentially difficult to detect and stem.
While a stolen credit card gives thieves a brief window in which to charge up big before the loss is reported and the card cancelled, a digitally hijacked life can be harder to reclaim and repair.
Once they’ve gained access to one account, criminals can potentially use it as a stepping stone to access others. Taking on your identity may enable them to add new users to a credit card, make expensive purchases or transfer money from your account to their own or that of an associate. Fraudulent transactions may be hidden amongst your own bona fide ones, or take time to register on your radar, if the rogue ‘other you’ changes your communication preferences, to prevent you receiving statements or alerts.
Perpetrators of identity theft can act with relative impunity, given the difficulties historically associated with identifying and prosecuting them.
High tech protection
While there is an onus on individuals to be diligent about protecting their data and aware of the risks associated with posting personal information in the public domain, these actions are far from a solution.
Cyber-security technology has a vital role to play in deterring and frustrating digital fraudsters. Multi-factor authentication solutions which require individuals to go through additional steps to prove they are who they purport to be, can make it tougher for scammers to breach the security cordon.
The use of device-based identification – phone ownership details, device information and offline verification data – has also been touted as a useful tactic to tackle account and identity theft.
Cyber-criminals are infamous for their ability to breach defences and pivot speedily when thwarted or circumvented and it behoves banks and financial institutions to stay on the front foot when it comes to cyber-security.
As cyber-attacks and account theft occur more frequently, their commitment to doing so is likely to become a key differentiator. Organisations willing to dedicate the resources necessary to stay a few steps ahead of hackers and cyber criminals may enjoy a significant commercial advantage over those which fail to make it top priority.
About the author
Simon Howe, Director of Sales Asia Pacific at LogRhythm.