Almost every day we see news about another organization compromised and potentially millions of data records leaked. While the amount of data that's been exfiltrated is unquantifiable, it's clear that everyone's personal data is out there in some form and fashion.
For threat actors, accessing these data sets has been a common attack vector for years. We experience them daily, from phishing attacks and scam phone calls all the way through credit card fraud. However, lately there has been an unnerving sophistication in these common attacks.
Recently, organizations and individuals are falling victim to innovative criminals that have developed methods of linking compromised data sets based on common fields and attributes. Previously simple data leaks for email addresses, names and birthdates, phone numbers, and even something as obfuscated as the last four digits of a Social Security number are being linked, merged, and correlated with other data breaches to produce partial profiles for millions of people. The end result makes it easier for threat actors to commit identity-based crimes with enough information to spoof a user's identity with a high degree of electronic confidence.
In fairness, this technique is an old attack vector with a new name. Dubbed "synthetic identities," this resurrected identity attack vector assembles a nearly complete profile of an individual from multiple previous data breaches, and it has recently been cited in the consumer banking industry as an attack vector that has left thousands of people with fraudulent bank accounts associated with their identities. While not a new technique for banks to contend with, the ramifications have created a void in the cybersecurity industry and, worse, a gap in security best practices for identity validation and verification, because the electronic profiles behind the fraudulent accounts are near complete at the time of creation.
First, let’s start with a modern definition for a synthetic identity. According to Equifax, synthetic identities are a form of financial fraud in which a real person’s information, such as their Social Security number or date of birth, is stolen and combined with other falsified personal information to create a new identity.
The weakness that leads to this type of attack manifests itself in the lack of validation of the falsified information used in the creation of a synthetic identity. The consumer's name and Social Security number may be correct, but subtle details, from home address to phone number, are often falsified to conduct the attack.
In fact, it’s not unusual for someone’s contact information to change, so it is not a reliable attribute when validating an identity during account creation. This occurs when someone moves, takes a new job, or even has a change in relationship. Businesses rely on name, birthdate, and Social Security number (or its last four digits), and that reliance has now become a new liability. Even if the organization bundles this information and sends it to a third-party identity verification service, confidence in the data is only as good as the stolen data the threat actor holds and the partial profile they have assembled around it. After all, the more real data they have, and the more carefully they manipulate the synthetic data they inject, the more likely they are to succeed in their attack.
While this has obvious consequences for business-to-consumer relationships, businesses employing staff and leveraging contractors and vendors can easily suffer from similar attack vectors. Ask a very basic question: How much personal data does the organization collect and verify in its human resources system when a new employee, contractor, or vendor is onboarded? And does the company periodically re-validate that information to ensure personal changes have not rendered it invalid?
While these may sound like basic operating procedures, gaps in this process can easily lead to a wide variety of financial fraud within a business. For those not sure how these attack vectors could materialize, consider the following:
- How does an employee notify the business of a contact information change, including electronic banking information? If the company allows these changes solely through email, the human resources or accounting department is open to a phishing attack that misdirects correspondence or an electronic payroll deposit. Never use email alone to change this information; treat verification via a phone call or service desk ticket as the preferred process.
- When a new team member is onboarded, what verification procedure does the organization require to validate the information provided? Odds are the new employee does not behave in a malicious manner, but how does the company validate their driver's license information? While state laws often require address changes to be reported within 30 days, it’s common to ignore this legislation. An old address in employee records can lead to a variety of issues, including validation of I-9 forms for employment authorization and incorrect correspondence when postal mail is required.
- What communications protocols for an emergency have been established? While synthetic identities generally do not involve emergency contact information, recent cyber and social engineering attacks posing as faux kidnappers or reporting an individual's arrest have left family members in sheer panic while they work out how to respond. Employers should collect, protect, and periodically revalidate emergency contact information, including a “code word” or “passphrase,” to manage any emergency scenario that may arise. Voice phishing has become a very real attack vector we all experience on a regular basis, and when disguised as an emergency it could result in serious financial fraud. Having the business manage emergency contact information just like any other personally identifiable information (PII) can mitigate this threat, and a threat actor posing as a family member can be identified by the absence of the shared “secret” that would lend credibility to the claimed emergency.
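The first two questions above amount to a policy that HR and accounting can enforce mechanically: a change to a field that can misdirect money or mail must never be applied on the strength of an email alone, and records must be re-confirmed on a fixed cadence. The following is an added, constructed model of that policy, not code from the article or from BeyondTrust; the field names, channel names, and 365-day cadence are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy model (assumed, not from the article): fields whose change can
# misdirect payroll or correspondence, and the channels treated as verifiable.
SENSITIVE_FIELDS = {"bank_account", "bank_routing", "home_address", "phone", "email"}
VERIFIED_CHANNELS = {"phone_callback", "service_desk_ticket", "in_person"}
REVALIDATE_AFTER_DAYS = 365  # assumed cadence for periodic re-validation of records


@dataclass
class ChangeRequest:
    employee_id: str
    field_name: str
    new_value: str
    submitted_via: str                                 # e.g. "email", "hr_portal"
    verifications: set = field(default_factory=set)   # out-of-band confirmations done


def evaluate(req: ChangeRequest):
    """Decide whether HR/accounting may apply the change. Returns (approved, reason)."""
    if req.field_name not in SENSITIVE_FIELDS:
        return True, "non-sensitive field"
    confirmed = req.verifications & VERIFIED_CHANNELS
    if req.submitted_via == "email" and not confirmed:
        return False, "sensitive change by email alone; require phone callback or ticket"
    if not confirmed:
        return False, "sensitive change lacks out-of-band verification"
    return True, "verified via " + ", ".join(sorted(confirmed))


def needs_revalidation(last_validated: date, today: date) -> bool:
    """Flag a record whose contact data has not been re-confirmed within the cadence."""
    return (today - last_validated).days > REVALIDATE_AFTER_DAYS


def demo():
    """Constructed sample requests: email-only, email plus callback, non-sensitive field."""
    by_email = ChangeRequest("E100", "bank_account", "000111", "email")
    with_callback = ChangeRequest("E100", "bank_account", "000111", "email", {"phone_callback"})
    title_only = ChangeRequest("E100", "job_title", "Analyst", "email")
    return [evaluate(r)[0] for r in (by_email, with_callback, title_only)]


if __name__ == "__main__":
    print(demo())
    print(needs_revalidation(date(2023, 1, 1), date(2024, 6, 1)))
```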
Synthetic identities are not new; the term is new terminology for an old problem. The primary difference is the amount of data used to falsify an identity and the techniques used to create that profile. Falsifying contact information and posing as someone else has been a technique criminals have used for literally hundreds of years. While consumers bear the brunt of these attacks, businesses can modify their policies to ensure employees, contractors, and vendors provide complete, up-to-date information to mitigate an attack. And, to ensure staff do not become victims of an attack, deny the changing or dissemination of this information over insecure and non-verifiable communications like email. These simple changes can help mitigate the company’s risk from synthetic identity attack vectors.
Morey Haber, chief security officer, BeyondTrust