You may think your critical data and assets are protected by network intrusion detection systems, firewalls and the latest technology. However, it’s become increasingly clear this is not enough when cyber fraudsters impersonate real people for criminal purposes. In particular, there’s a shift toward the use of stolen identities online due to the availability of massive amounts of personal data from major data compromises or breaches like those of OPM, Target, eBay, Anthem, Home Depot, and the like. As a result, identity thieves can more easily penetrate legacy cybersecurity solutions, rendering many woefully inadequate.
As I read the recent GCN article, Extending cybersecurity to fraud analytics, which reviewed instances where sensitive information was stolen and used to fraudulently access government systems (with no obvious attack), it’s clear more can be done to defeat this type of cyber threat. Fraudsters are smart and getting smarter every day. They constantly find and exploit cracks in verification and fraud detection programs and they’re counting on us to fall behind. As a matter of fact, fraudsters continuously engage in strategic sessions and conversations, so I would expect a counter blog to be posted within minutes of this blog.
Think of this simple analogy—a thief can use brute force to attempt to break into your home, but chances are the doors and windows are locked and the security system is armed. This is equivalent to traditional cybersecurity. However, if the thief approaches your home impersonating a friendly neighbor, you’re more likely and willing to unlock the door and let them in. Traditional security measures become inadequate at this point. This challenge is at the root of the GCN article—impersonating someone to nefariously access sensitive data is a key factor in the cybersecurity threat playbook. With the rise in online transactions and other “faceless” channels, more than ever before, stolen identities can be used to process transactions where criminals easily pose as legitimate applicants.
The IRS Get Transcript incident was a clear example of access using stolen identities. Addressing this type of cyber security threat comes down to more than identity verification. As stated in the article, “Organizations must start by establishing a baseline of normal and valid user activities for their systems. By first understanding the intricacies of the business and expected user behavior, organizations can begin to identify atypical behaviors. Such analysis may include session rates or lengths, transaction velocity, geographic location and time or date anomalies.” This speaks to not only understanding the identity, but also to how it’s being used and how often it has been used before. In addition, there must be knowledge of whether there is something suspicious about the device being used, among other “risk” factors. As the article states, this depth of intelligence is not traditionally considered a part of current cybersecurity systems; however, as cyber threats continue to grow, it’s absolutely paramount that it be added to cybersecurity systems if we’re to keep pace with those seeking to do harm.
Digital verification is just one part of the necessary solution. Verifying the digital attributes associated with an individual is as important as verifying the individual exists and is not a potential risk.
At TransUnion, we know cyber fraud can be prevented with integrated identity management tools that provide digital verification and ID authentication, as well as identification of digital behaviors indicative of cyber fraud. Integrated cyber fraud detection verifies information provided by the applicant, identifies risk associated with the device being used along with digital behaviors, and initiates a risk-based assessment.
Further, verifying the digital attributes associated with an identity is equally important as verifying that the identity actually exists and is not a threat or potential risk. No longer can you rely on simply deploying network intrusion to detect someone “breaking into your house”. You also need to initiate strategies that go beyond historical cybersecurity controls and look at protection methods that verify identities, devices and behaviors. With the right tools and analytics, organizations can begin to further advance their overall cybersecurity capabilities and keep the fraudsters at bay.
To have a Government expert contact you, fill out the form below.
Learn how FinTech leaders foster an innovative culture
What do FinTechs look for in a data partner?
Four Questions with Dennis Ambach – Vice President, Government Relations at TransUnion
In Data We Trust: Information Integrity is a Two-Way Street