Just today I received an email from one of my financial services providers warning me about imposter scams and fraudsters. Their warning was to alert me that fraudsters are impersonating financial institutions and contacting their customers. My institution's goal was to help me understand how to identify someone taking the first steps to perform identity fraud, which involves gaining some user credentials or parts of my identity to commit fraud. It's a good first step in fraud prevention, but more is needed.
Attackers are innovative and highly motivated to use new technologies and techniques in pursuit of a big payoff. With data from prior breaches and publicly available information, they have access to a wealth of identity tidbits, if not rich data, that they can use to commit identity fraud.
Our personal information is everywhere, ripe for misuse
Every month my identity monitoring service warns me about pieces of my personal information turning up on the dark web, enriching the information fraudsters need to execute their plans. This didn't come as a huge surprise to me. According to the ForgeRock 2023 Identity Breach Report, users' names and physical addresses were in at least 99% of breached records and, in the last year, there's been a sharp increase in more valuable information, such as date of birth and protected health information (PHI). And an eye-opening 72% of U.S. breaches contained Social Security numbers.
With all this information, layered with artificial intelligence (AI) and generative AI, perpetrators gain fidelity and higher-quality information to use in their activities. They can analyze and predict the credentials I might use for one account based on what they have seen with my other accounts. What is my password selection process and what might I have created?
With bots, fraudsters gain scale and speed to carry out identity fraud attacks. If I opt in to multi-factor authentication (MFA), they can try to get me to click the wrong button through MFA prompt bombing attacks.
The fraudsters' goal is to garner login credentials to do harm, mostly for financial purposes. If they are successful in an account takeover (ATO) attack, they can fraudulently purchase goods and services, abuse healthcare processes and claims payments, steal tax refunds, or open new bank accounts and move money around.
With the help of AI, cybercriminals are also creating synthetic identities using pieces of information gleaned from identity theft. A synthetic identity may use a valid Social Security number and birthdate and combine it with fraudulent information, such as a fake name, to obtain a new credit card. Bits of information, either stolen or obtained from public sources (social media posts can be a rich source for pet names, schools, birthdays, and much more), can enable identity fraud if organizations do not have controls in place to help prevent it, whether the fraudsters have pieces of information or even full credentials.
How IAM can stop identity fraud
In addition to facilitating the login process, identity and access management (IAM) systems can perform a variety of actions to detect and prevent identity fraud and other misuse of a user's identity that results from a successful ATO attack.
IAM systems can generate risk scores during the login process, calculated based on IP address, geolocation, and other user behaviors. These and other access patterns can also identify and block bot attacks, such as credential stuffing, password spraying, and MFA prompt bombing.
Even if a bad actor has the right credentials, IAM can detect anomalous behavior, such as an unusual location or device, and demand further proof of identity, known as step-up authentication. With MFA, the identity system moves from basic authentication to include an out-of-channel factor from, say, a mobile device authenticator app.
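The risk scoring and step-up decision described above can be sketched as follows. This is an added example, not ForgeRock code or any product's algorithm; the signal names, weights, thresholds and sample data are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Weights, thresholds and field names are illustrative assumptions,
# not values taken from any IAM product.
STEP_UP_AT, DENY_AT = 40, 80
MAX_KMH = 900         # faster than an airliner: "impossible travel"
STUFFING_USERS = 5    # distinct usernames recently failed from one IP

@dataclass
class Login:
    user: str
    ip: str
    device_id: str
    lat: float
    lon: float
    ts: float         # epoch seconds

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_score(attempt, last_good, known_devices, failed_users_by_ip):
    """Score a login whose password has already been verified as correct."""
    hits = []
    if attempt.device_id not in known_devices:
        hits.append(("new_device", 40))
    if last_good is not None:
        hours = max((attempt.ts - last_good.ts) / 3600, 1 / 60)  # avoid /0
        if km_between(last_good, attempt) / hours > MAX_KMH:
            hits.append(("impossible_travel", 50))
    if len(failed_users_by_ip.get(attempt.ip, ())) >= STUFFING_USERS:
        hits.append(("ip_failing_many_accounts", 50))
    return sum(w for _, w in hits), [name for name, _ in hits]

def decide(score):
    """Map a score to the login outcome: allow, step-up (MFA) or deny."""
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"

# Constructed sample data: documentation-range IPs, made-up device ids.
LAST_GOOD = Login("alice", "198.51.100.7", "laptop-1", 40.71, -74.01, 0.0)  # New York
KNOWN = {"laptop-1"}
FAILED = {"203.0.113.9": {"u1", "u2", "u3", "u4", "u5", "u6"}}
```

A single anomaly with correct credentials lands in the step-up band, while two combined signals cross the deny threshold, so a stolen password alone does not complete the login.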
Implementing passwordless authentication can reduce the risk even further, making one piece of the authentication a cryptographic function instead of something on a sticky note. With different factors to reduce risk in the user authentication process, identity orchestration comes into play to build a workflow that integrates risk factors and tailors the user experience based on the goal of reducing identity fraud.
The ForgeRock Identity Platform can help you reduce the risk of identity fraud using its full-suite IAM capabilities and our AI-driven fraud prevention product, ForgeRock Autonomous Access. Learn more and see a demo in this webinar replay or read Preventing Identity Fraud with Risk-Based Authentication.