- Security TWENTY Home
- Women in Security Awards
People of all ages can be at risk of identity fraud but with growing numbers of young people falling victim, it is claimed. The City of London Police and fraud prevention membership body Cifas released new figures showing a 52pc rise in young identity fraud victims in the UK. In 2015, just under 24,000 (23,959) people aged 30 and under were victims of identity fraud. This is up from 15,766 in 2014, and is more than double the 11,000 victims in this age bracket in 2010.
A new short film, Data to Go, has been launched online to raise awareness of this type of fraud. Filmed in a London coffee shop in March, the film uses hidden cameras to capture baffled reactions from people caught in a stunt where their personal data, all found on public websites, is revealed to them live on a coffee cup.
Identity fraud happens when a fraudster pretends to be an innocent individual to buy a product or take out a loan in their name. Often victims do not even realise that they have been targeted until a bill arrives for something they did not buy or they experience problems with their credit rating. To carry out this kind of fraud successfully, fraudsters usually have access to their victim’s personal information such as name, date of birth, address, their bank and who they hold accounts with. Fraudsters get hold of this in a variety of ways, including through hacking and data loss, as well as using social media to put the pieces of someone’s identity together. 86 per cent of all identity frauds in 2015 were perpetrated online.
Cifas is calling for better education around fraud and financial crime. Simon Dukes, Cifas, Chief Executive said: “Fraudsters are opportunists. As banks and lenders have become more adept at detecting false identities, fraudsters have focused on stealing and using genuine people’s details instead. Society, government and industry all have a role in preventing fraud, however our concern is that the lack of awareness about identity fraud is making it even easier for fraudsters to obtain the information they need.
“The likes of Facebook, Twitter, LinkedIn and other online platforms are much more than just social media sites – they are now a hunting ground for identity thieves. We are urging people to check their privacy settings today and think twice about what they share. Social media is fantastic and the way we live our lives online gives us huge opportunities. Taking a few simple steps will help us to enjoy the benefits while reducing the risks. To a fraudster, the information we put online is a goldmine.”
Commander Chris Greany, pictured, City of London Police and national co-ordinator for economic crime said: “We have known for some time that identity fraud has become the engine that drives much of today’s criminality and so it is vitally important that people keep their personal information safe and secure. In the fight against fraud, education is key and it’s great that Cifas and its members are taking identity fraud seriously and working together to raise awareness of how the issue is now increasingly affecting young people through the launch of this film.”
Cifas commissioned a survey with Britain Thinks to seek 18-24 year olds’ attitudes towards personal data and identity fraud. The survey found young people unaware that they are at risk:
Only 34 per cent of 18-24 year olds say they learnt about online security when they were at school
50 per cent of the 18-24 year olds surveyed believe they would never fall for an online scam (compared to the nationalaverage of 37 per cent)
Only 57 per cent of 18-24 year olds report thinking about how secure their personal details are online (compared to 73 per cent for the population as a whole);
They are also less likely to install anti-virus software on their mobile phone than the national average (27 per cent compared to 37 per cent).
This is of little surprise, said Matt Peachey, VP and GM EMEA, Pindrop. “With so many consumers on social media, the amount of personal information and data people now reveal online is worrying. Just think about your own habits, how many times have you revealed your mother’s maiden name on Facebook or provided personal information to friends on twitter over the past year?
“With this in mind, it’s easy to understand why fraudsters see social media platforms as a goldmine, with crucial information, such as date of birth, addresses and e-mail accounts available in abundance. Fraudsters can quickly build up an individual’s profile and begin to mirror their identity. This process, known as “pre-fraud” can have wide-ranging implications for the targeted individual as well as any businesses and financial institutions they are associated with. Once a fraudster has someone’s basic information, it’s worryingly simple for them to engineer their way into an account.
“Criminals are also using the information obtained on social channels to attack businesses on the their weakest line of defence – the phone. As efficient social engineers, fraudsters know that when speaking to a call centre representative, whose objective is to rightfully prioritise being helpful and professional, that relaying some basic personal information can get them far. Combine this with some clever social engineering techniques and getting into someone’s account is surprisingly easy. It’s therefore crucial that businesses take note and work quickly to improve these traditionally weaker channels.”
Likewise, John Lord, Managing Director at the identity verification and checking product company GBG said: “Social media sites are a goldmine of information for those with malicious intent. Your name, your first school and even your mother’s maiden name are now just a few clicks away for a fraudster. We all have a responsibility in preventing incidents of fraud, and for the user, thinking about what information you want to be publicly available is a good start. However, once that information has been compromised, what then?
In the first instance, identity thieves will use the real identity of an individual and thereafter, create synthetic identities compiled from elements of the data stolen from a user. Taking a ‘sledgehammer’ approach to blocking the original identity to avoid the identity theft is often a waste of time as fraudulent activity usually only happens for less than a month after the crime has occurred. Organisations, therefore, need to use more data, analytical insights and triangulation of multiple identity proofing techniques when identity theft occurs, to minimise the effects for both the user and the businesses serving them.”
Matthias Maier, Security Evangelist at Splunk said: “It’s not surprising that the number of people experiencing identity theft has skyrocketed, as knowledge of how to properly secure yourself online remains low. The challenge this highlights for businesses is the risk employees will unintentionally allow their work credentials to be stolen or access hijacked. This has the potential to trigger security breaches and data leaks, and hacks tend to be more effective when attackers have personally identifiable information and can speak to employees in context. Recent research by IDC found that hapless users are a greater threat than malicious insiders. 27 per cent of businesses are worried about poor user security practices, compared to just 12 per cent of businesses who are worried about malicious insider threats. Businesses need to understand where the threat is coming from in order to respond appropriately and secure themselves.”
John Marsden, Head of ID and Fraud at Equifax, said: “When personal details fall into the wrong hands, it presents a very real and significant threat not just to the affected individuals, but also to businesses. As the number of victims continues to rise year on year, individuals and businesses must step up the protection of personal data. In addition, businesses must protect themselves from attempted fraudulent transactions using the stolen data.
“Businesses need to determine the appropriate level of security and identification checks for their customers based on considerations such as the type of product they provide, and the associated risk. Failing to appropriately screen customers can incur significant financial losses for any type of business, and lead to long-term brand damage if genuine consumers are put at risk.
“While organisations must identify genuine customers and screen out fraudsters to tackle this growing problem, they must also keep in mind the customer experience. Good customers rightly demand fast and efficient service, and if their expectations aren’t met they will take their money elsewhere. For a business to protect itself and still provide a good customer experience, it’s paramount to run the relevant identity checks without compromising or alienating real customers.
“A recent research project by University of Portsmouth and accountancy firm PKF Littlejohn estimated the cost of fraud to be considerably larger than the UK’s state spending on education. It is not a problem that anyone can afford to ignore and businesses must take the threats seriously.”
And Robert Capps, VP at fraud mitigation company, NuData Security, said: “We hear about data breaches all the time, but we rarely hear about what happens to the stolen data afterward the initial theft. We may not think much of losing one user name and password combo or having to cancel a credit card, but when seemingly innocuous data is stolen, it doesn’t just disappear. Stolen data is collected and combined by the bad guys, in to a vast data set of consumer data, which is extremely useful to today’s fraudsters to thwart existing online security and identify verification systems used so often by online organisations. With 86pc% of all identity fraud happening online, organisations have to deploy the very best layers of security available to them; while not getting in the way of their good customers. With so much rich consumer data available to anyone with money to spend, the challenge of securing good consumer access is becoming more difficult by the day.
“Since 2005, more than 675 million data records have been involved in data breaches in the US alone, according to the Identity Theft Resource Center. These records include incredibly personal data such as a person’s Social Security number, name, address, phone number, date of birth, credit card number, email address, name of local bank branch and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called “fullz” on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.
“With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name. They can even access a consumer’s legitimate accounts, impersonating the real consumer. When these actions take place, they cannot be traced back to the fraudster and can cause serious and lasting harm to the fraud victim, for years down the road.
“When it comes to social media, consumers need to be careful what is posted on social network profiles. Your status updates — about your whereabouts (are you at work? heading out to watch a game?) and upcoming travel plans — may expose your lives to criminals who will take advantage of your absence. If you provide personal information, like your phone number, birthday, or where you went to school, they can take this private information and use it to steal your identity because banks and other agencies use precisely this information to verify that you are you. By looking at your photos or videos, they can also figure out where you live and work. They can find your spouse’s name and who you socialise with – even the name of your pet that you may use as an answer to stronger security questions – even your mother’s maiden name, a favorite data point used by creditors and financial institutions to verify your identity.”
As for personal information being too readily available on social media, Paco Garcia, CTO of Yoti says: “This worrying trend highlights the need for our online identities to be biometrically linked to a government issued document, such as a passport, preventing opportunistic fraudsters creating fake profiles. Unfortunately, in the current climate, where sharing is second nature, it’s got to a point where it’s not a case of if your identity will be comprised, but when. But what’s the solution? Rejecting social media platforms, and other innovations that make many people’s lives easier, is not a solution; it’s a surrender. It would be our way of saying that the digital, online world is not safe and cannot be made safe. Unless the system changes, and we start to take greater control of our identities, the number of cases of identity theft will only continue to rise.”