5 key online identity fraud threats for 2021
Head of Product
Online fraud has accelerated during the coronavirus pandemic, meaning organisations must be more vigilant in the face of the ever-increasing threat and its impact on business.
As a result of the global pandemic, businesses have had to embrace digital transformation in more ways than ever before. Identity solutions are evolving and becoming more reliable at a fast pace – but malicious actors are upping the sophistication of their attacks in response.
In this extract from the Times Digital Identity Report 2021, Davey Winder, IT Security Journalist of the Year, takes an in-depth look at five major types of identity fraud criminals are now using, the loopholes they exploit, and advice from security experts on how to counter them.
1: Account takeover
Why go to the effort of creating a new identity when you can hijack a real one? That's the premise of account takeover, as employed in the Twitter hack of July 2020. Focusing a spear-phishing attack on a small number of employees, criminals gained access to credentials and visibility of internal processes that ultimately helped take control of high-profile accounts, including now US President Joe Biden and American celebrity rapper Kanye West.
Matthew Gracey-McMinn, head of threat research at Netacea, warns that commonly used passwords can also be fed against known email logins using bots. 'We have recently seen a streaming service hit by an attacker who tried 300,000 unique username and password combinations during a five-hour attack,' he says. The 0.005 per cent success rate, with 1,500 correct guesses, is a big win.
- If you’re offering a digital service, relying on username + password alone leaves you vulnerable to these threats, which is why a second factor of authentication – one that’s passwordless and possession-based – is so essential.
2: Frankenstein fraud
Synthetic ID, or Frankenstein fraud, combines genuine and falsified information to create a new identity. According to Keith Price, former US Department of Defense director of security operations and current cybersecurity director at Littlefish, it is 'one of the fastest-growing methods of financial crime'.
In July 2020, two men were arrested in connection with fraudulent applications for pandemic 'bounce back' loans, totalling £550,000, using such identities. GBG's general manager Gus Tomlinson is concerned this type of fraud could be further complicated by the September 2020 database breach at Nitro PDF. Along with credit data breaches, she says, fraudsters will be able to 'present corroboratory evidence of previous financial activity that could be deemed as valid proof'.
Deepfake technology manipulates video and audio so convincingly that it presents what appears to be a real person. 'The criminal underworld is not far off from making deepfake attacks look and sound truly authentic,' warns Ben King, chief security officer, Europe, Middle East and Africa, at Okta.
Because video and voice are more persuasive than an email or text message, deepfakes can 'falsely trigger a person into an action, such as handing over data or transferring funds', according to Daniel Cohen, chief product officer for anti-fraud at RSA. Indeed, in 2019, it has been reported that the chief executive of a UK-based energy company was tricked by deepfake audio of his German parent company boss to transfer almost £200,000 in a sophisticated fraud.
User caution is the most effective counter weapon, says Paolo Passeri, cyberintelligence principal at Netskope. 'My advice is to always double check every request,' he continues.
4: Replay attacks
A replay attack happens when an attacker sits in the middle of a supposedly secure communication, intercepting the traffic and then resending the communication later, often to conduct financial fraud. An attacker could fool the victim into completing a transaction to them rather than the originator, for example.
A protocol designed to protect devices against such an attack, the replay protected memory block was recently found to have a vulnerability that could allow it to be bypassed. Although there are few readily available mitigation technologies on the market, Steven Jupp, chief executive at High Impact Office, says the 'consensus for solution is to utilise time-stamping and random key pairs, which are used just once in a message transaction'.
5: SIM swapping
In a smartphone-centric world, SIM swapping is becoming more of a problem. Using a variety of open-source intelligence methods, trawling social media postings or corporate site profiles for example, fraudsters seek to get enough information to convince your mobile phone network provider you are the owner of the account. They then request a SIM swap to seize control of the phone number. This gives them visibility of two-factor codes sent via SMS and from there control of the accounts they protect.
Kaspersky principal security researcher David Emm points out that Action Fraud found a 400 per cent increase in reports of SIM-swap fraud last year. One couple had £25,000 stolen by an attacker while on holiday and a Californian man reportedly lost $1 million in SIM-swap fraud. John Gilbert, general manager UK and Ireland at Yubico, advises account takeover attempts can be thwarted with 'stronger two-factor authentication, boosting login security beyond just SMS text messages'.
- To learn more about how to protect your clients from SIM swap, read our comparison of tru.ID’s authentication vs SMS here.
tru.ID: mobile authentication, reimagined
tru.ID can help you to implement a 21st century approach to user identity. Our range of API-based products enable you to quickly and easily implement deterministic, secure, frictionless mobile user authentication, reducing fraud and helping you to increase mobile revenues.
Instant PhoneCheck provides instant authentication of the mobile number of the connected mobile device, greatly improving the user experience and reducing drop-off rates.
Strong SubscriberCheck provides real-time verification of the mobile number and SIM card identity, providing a high-security, low-friction mobile authentication solution that also eliminates the risk of SIM Swap fraud.
Or, if you really, really want to stick with SMS OTP, and so need an easy add-on security solution, we offer:
Active SIMCheck, which allows you to check that there has not been a SIM swap before you send the SMS OTP to the user. (Of course, there are still all the other risks related to SMS OTP, but this is a big improvement and a short-term fix while you plan the full solution.)