Breaches in July exposed the highest number of sensitive records (104,546,381) yet this year, according to the Identity Theft Resource Center (ITRC). July’s total is four times the number reported in June 2019.
This massive influx of new records is expected to further drive down the price of personal identifying information (PII) for sale on the dark web. According to research by Armor, complete personal fraud kits (aka Fullz) had been selling for $30 to $40. For an extra $10 to $25, sellers would add an individual’s credit card data, bank account data, bank security questions and answers, employer name, or other critical information, says a Dark Reading article. Social media accounts are a true bargain, Armor claims, with one vendor selling 1,000 Instagram accounts for $15.
Cheap data is a powerful incentive for would-be criminals to enter the game and take their shot at easy money. But if that’s not enough of a lure, as a bonus, PII merchants provide criminal education for free. For example, they’ll tell you how to use purchased information to commit bank fraud, and give practical tips, like directing buyers to Ancestry.com to find their victim’s mother’s maiden name – a common out-of-wallet verification question.
Prepare for the Onslaught
With plenty of data and incredible technology, even the greenest of criminals can fool traditional identity verification and risk-screening methods. Once they have broken down your metaphorical security gates, you had better hope your multiple layers of fraud detection solutions perform as they should. Among the first systems to be tested will be those that screen non-monetary transactions related to profile changes and new accounts.
To take over an existing account, the fraudster will have to disintermediate the legitimate customer from their account by changing the account’s contact information. Screening and fraud-scoring every request to change a mailing address, phone number, or email address can thwart the takeover attempt.
Scoring algorithms should examine identity, geo-demographic, and behavioral data points to detect fraudulent customer profile changes. When examining these non-monetary transactions, they should be able to detect out-of-pattern behaviors and high-risk factors such as:
- Addresses – For example, it could be a temporary address; an address that is not currently receiving delivery; a known fraud address; or an address recently associated with several different last names.
- Phone numbers – For example, it could be a prepaid phone; a voice-over-IP line; a number whose area code is a significant distance from the area code of the old phone number; or a recently ported phone number.
- Emails – For example, it could be first-time-seen; be disposable; have an overseas domain server; or not be verifiable as previously used in association with the account holder’s name.
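A minimal rule-based scorer for the contact-change signals listed above, added here as an illustration and not taken from the article or any vendor's product. The weights, thresholds, field names, and reference tables are assumptions, and the request is assumed to arrive already enriched with line type, port date, and address history.

```python
import math
from datetime import date

# Weights, thresholds and field names are illustrative assumptions, not from the article.
WEIGHTS = {"addr_temporary": 25, "addr_undeliverable": 25, "addr_known_fraud": 60,
           "addr_many_surnames": 30, "phone_prepaid_or_voip": 20, "phone_recent_port": 30,
           "phone_far_area_code": 15, "email_first_seen": 10, "email_disposable": 35}
REVIEW_AT = 50            # score at or above which the change is held for review
FAR_MILES = 500           # area-code distance treated as "significant"
RECENT_PORT_DAYS = 30
# Constructed reference data: approximate area-code centroids and a disposable-domain list.
AREA_CODE_GEO = {"608": (43.07, -89.40), "414": (43.04, -87.91), "305": (25.76, -80.19)}
DISPOSABLE_DOMAINS = {"tempmail.example"}
# Constructed sample request: phone and email changed together on one account.
SAMPLE = {"phone": {"old": "6085550100", "new": "3055550102", "line_type": "voip",
                    "ported_on": date(2019, 8, 12)},
          "email": {"value": "jdoe@tempmail.example", "first_seen": True}}

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3959 * 2 * math.asin(math.sqrt(h))

def score_change(req, today):
    """Score one contact-change request; returns (score, sorted reasons, hold_for_review)."""
    hits = set()
    addr, phone, email = req.get("address"), req.get("phone"), req.get("email")
    if addr:
        hits |= {f"addr_{k}" for k in ("temporary", "undeliverable", "known_fraud") if addr.get(k)}
        if len(set(addr.get("recent_surnames", []))) >= 3:   # many last names at one address
            hits.add("addr_many_surnames")
    if phone:
        if phone["line_type"] in ("prepaid", "voip"):
            hits.add("phone_prepaid_or_voip")
        ported = phone.get("ported_on")
        if ported and (today - ported).days <= RECENT_PORT_DAYS:
            hits.add("phone_recent_port")
        old, new = (AREA_CODE_GEO.get(n[:3]) for n in (phone["old"], phone["new"]))
        if old and new and miles_between(old, new) > FAR_MILES:
            hits.add("phone_far_area_code")
    if email:
        if email.get("first_seen"):
            hits.add("email_first_seen")
        if email["value"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
            hits.add("email_disposable")
    score = sum(WEIGHTS[name] for name in hits)
    return score, sorted(hits), score >= REVIEW_AT
```

Returning the reasons alongside the score lets a reviewer see which signals fired, and a hit on any single weak signal stays below the review threshold until it combines with others.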
Newly opened accounts
If a fraudster slips by your applicant underwriting process and is granted a new account, you need to find out fast – before it can be used for nefarious purposes. Ideally, your multi-layered fraud-detection approach includes immediate screening and scoring of all new accounts.
The most effective solutions examine hundreds of data attributes to identify out-of-pattern behavior related to identities, crime dynamics, historic mobility patterns, previous fraud activity, and other risk-mitigating data sets.
Velocity indicators are important, too. A consortium of new account inquiry data shared among many different financial institutions helps to protect your institution, uncover fraud rings, and keep criminals out of the banking system.
Assess Your Vulnerabilities
The pace of new threats and schemes has increased exponentially in recent years. You need to ensure that your risk and fraud solutions are evolving just as quickly, and that you don’t have gaps where fraudsters can slip through. Fortunately, although fraudsters have more data and tools at their disposal, providers like ID Insight out-gun them – in a big way. With massive data sets, machine learning, flexible decision engines, and advanced computing technologies, those of us protecting your monetary and non-monetary transactions will work together to illuminate dark web threats.