Thanks to the seemingly never-ending stream of data breaches, we almost take them for granted. Breaches have become so commonplace that society has a new term for the phenomenon: data breach fatigue. We know our personal information gets leaked, and in response many of us routinely practice good stewardship of our identities by changing our passwords on a regular basis, refraining from clicking on suspicious links, and even freezing our credit reports. We’re reminded of Scott McNealy’s quip from 1999, “You have zero privacy anyway. Get over it.” We have come to accept it. But we shouldn’t. Attacks on high-profile targets such as Yahoo! and the federal government’s Office of Personnel Management, together with the loss of millions more records from attacks on employment databases at organizations around the world, have created an unprecedented wealth of information about us on the dark web: information that forms the building blocks of profile assimilation for illicit purposes.
Email addresses (along with associated passwords), date-of-birth (DoB) records, Social Security numbers, checking account and bank routing numbers, home and work addresses, the names of our spouses and children, answers to security questions, and a host of other data are sitting there for the taking by bad actors who seek creative ways to monetize that information. Such information is viewable for free, or for a fee. A database called LeakedSource contains two billion passwords and can be viewed for as little as $2.00. There is a multitude of dark web marketplaces that act as exchanges for buyers and sellers of PII, drugs, stolen intellectual property and more. Many of these markets have been in existence for several years, and are even rated by users for the quality of their customer experience, security, payment options and fees!
Social Engineering Is The New Back Door
Time is money, and in the business of cybercrime this is especially true. Most cybercriminals focus on the lowest-hanging fruit: vulnerable targets that yield the biggest returns for the least amount of work. While sophisticated hacks resulting in headline-grabbing data breaches dominate the news, they often require significant time and technical sophistication. As security controls become more sophisticated and widely adopted, cybercriminals are turning to social engineering techniques to gain access to data. This is where all that information on the dark web comes in. It is getting easier for cybercriminals to use that data to impersonate a targeted individual through social engineering. No sophisticated Stuxnet-like malware development required. Given the ease with which one can access this information and amass a startling amount of detail on a given target, it’s not surprising that social engineering is growing in popularity.
Recent examples of how accessible personally identifiable information (PII) is used to commit crime:
- It was reported by The Wall Street Journal that the hackers who accessed the personal login credentials of the head of the CIA, a senior FBI official, and the Justice Department’s case management system got into their victims’ accounts by calling help desks and impersonating the victims, or by posing as employees of the targets’ internet service providers. The perpetrators were arrested on September 8.
- In March, the IRS released a statement warning companies about a surge in scams designed to trick payroll departments into handing over their employees’ W-2 and other personal information to the attackers, who often used personal information to pose as the companies’ CEOs or other senior executives.
- In one of the more unusual malicious uses of PII, according to The Hutchinson News, an individual in Dodge City, Kansas, impersonated a police officer and informed targeted residents that he could get their named relatives out of jail if they paid him. As of this writing, this individual is still at large.
Call Centers – The Next Achilles’ Heel?
The number of schemes that make use of PII data from the dark web is limited only by cybercriminals’ imaginations. In some cases, PII is used in email phishing. But there is a marked increase in the use of PII for call center fraud. According to Pindrop’s 2016 Call Center Fraud Report, call center fraud has increased 45 percent in two years, primarily because of the rising use of credit card chip technology, which makes counterfeit-card fraud at the point of sale harder and pushes fraudsters toward the phone channel, and the ability to use stolen PII to convince a call center representative that the fraudulent caller is legitimate. The core problem is that the “secret” facts a call center uses to verify a caller’s identity are exactly the facts already for sale. An attacker needs just a few details about an individual (such as phone number, email, DoB, credit card number, mother’s maiden name, or the last four SSN digits) to trick a call center representative into opening a bank account, issuing a credit card, providing access to secure systems, or rerouting tax refund checks. The list goes on.
Most organizations and individuals are obsessed with defending against malware, but there needs to be more focus on cybercrime that makes use of the wealth and growing supply of readily accessible personal information. Stronger, multifactor authentication techniques that do not rely on knowledge an attacker can buy, email and VoIP anti-spoofing controls, governance and risk management, and perhaps regulatory and industry compliance changes should all be considered to address this growing risk. In a future blog, I will explore how new technologies can be used to combat this problem, and what individuals and organizations should consider doing to help protect themselves from the rise of profile assimilation.