Presentation for Jack J. Bensimon


Countering Identity Theft and Synthetic Identities: Measures to Mitigate Losses

Securefact Transaction Services, Inc. Jack J. Bensimon September 22, 2016


What is synthetic identity theft?
• Involves the use of a fictitious identity in perpetrating a fraud
• Enables thieves to create identities based on new and fictitious ID
• Fraudsters use fictitious identity to obtain credit, open deposit accounts and obtain driver’s license info
• Fraudsters seek SINs that are not actively used (e.g., children/deceased)



How do “shadow thieves” operate?
[Figure: Fraud Diamond, with four elements]
• Capability
• Incentive
• Rationalization
• Opportunity



How pervasive is synthetic ID theft?
• Volumes have increased exponentially over last 5-7 years
• CBC - $1-1.25B per year in North America
• Children’s SINs are 51X more likely to be used for ID theft than those of the adult population (Carnegie Mellon CyLab)
• Threat to children is clear

Why use children as a target?
• Generally inactive for max 18 yrs
• No public info linked to their SIN
• Fraud is unlikely to be discovered unless tipped off
• Greater damage is when child reaches 18+ as negative info appears on their file (e.g., company background screening)


How is a credit file created?
• Credit history is created and maintained by CRAs – Equifax / TransUnion
• CRAs gather info from FIs to create a detailed credit report
• When consumer completes credit app, info is sent to CRA
• CRAs gather the info and determine if credit report exists
• CRAs scrub public records for financial info – bankruptcies/foreclosures
• A record of inquiries is kept on the credit file; if match, credit info is returned to lender for decision
• All credit requests sent to CRA will generate a credit file
• Lenders send updated credit info to CRAs



How do fraudsters apply for credit? The taxonomy
• Create a synthetic ID and build a credit card profile – e.g. credit card issuer
• Initial application will be declined, while credit file created
• With new credit file, fraudster will apply for credit with a credit card issuer
• Credit inquiry will indicate that a profile exists from CRA
• The profile has no credit history
• Card issuers targeted - $300-$500 credit line
• Fraudster makes payments to establish favorable credit history, thereby using this to secure higher credit levels



What is the authorized user approach?

• This is how most synthetic IDs are created
• Adding authorized users is legal and allowable (spouse/child)



What is an example of using this approach and its loss magnification impact?
[Figure: amounts by institution]
• Bank A: $10,000
• Bank B: $10,000
• Bank C: $50,000
• Bank D: $5,700
• Bank E: $20,000
• Retail 1: $16,000
• Retail 2: $16,000

Investigation showed that most purchases involved a retail gift and some high-end goods. A CRA investigator noted that telecom merchants are being targeted for phones (iPhones).



How do I most effectively mitigate against synthetic ID theft?

1. Safeguarding personal information
2. Ensure computer / internet security



How do I most effectively safeguard personal information?
• Ensure laptop/PC encryption
• Encrypt the hard drive (by default)
• If PC/laptop stolen, trivial to retrieve data
• Windows 7 or above – Professional version, can all encrypt HD
• Old PCs/laptops – life expiry, all old HDs should be encrypted
• Standard enterprise encryption policy – i.e., embed in Disaster Recovery Planning (DRP) module – enables internal consistency



How do I most effectively safeguard personal information?
• Create awareness with all stakeholders where there are touchpoints – all within the circle of influence
  – Customers
  – Vendors
  – Suppliers
  – Staff
• Policy/guidelines must include physical documents – encourage the destruction of physical documents by shredding
• ID theft monitoring services – retail customers


…How do I most effectively ensure computer / internet security?
• The basics are usually not done to avoid ID theft – Anti-virus, anti-malware
• Use an authenticated password security system – adds a massive layer of protection to mitigate against transactions
• “Last Pass” (www.lastpass.com)
  – Free version – no authenticator
  – $12 USD/yr. for premium service (for multiple devices)



…How do I most effectively ensure computer / internet security?
• Generates highly secure passwords that don’t require password recall (i.e., use master password)
• It is a strong authenticator that resides as an app on your phone (6-digit number)
• Adds a critical layer of protection
• Phone becomes a powerful authenticator
• LastPass has not been known to be compromised
• Authentication code changes every 60 seconds – scrambling code reduces risk
• To compromise it, physical access to the phone is required (e.g., must lock the phone)
• LastPass will log in for you (with no need to type, it can’t be logged – removes this risk)



What is Ransomware and its link to ID theft?
• This has become very pervasive in the last three years
• Email received from a fraudster that locks you out of key data – denial of data
• Don’t open links from unknown or suspicious sources/individuals/entities
• Comes from trusted sources/friends
• Becoming more common with Facebook account hacking
• Social engineering – compromise PC, thereby obtaining SIN



Summary – Putting it All Together
• ID Theft and Synthetic ID Theft have both become pervasive
• Safeguarding personal info can be done through encryption and standards/guidelines
• Ensuring internet security is mainly through rigorous encryption
• Use of mobile devices requires added layer of security protection – e.g., LastPass
• Ransomware is a new ID theft vulnerability that can be mitigated through encryption and abstention



Any Questions or Comments?

