INSIGHTS
Identity Intelligence
Identity Intelligence
The digitally connected world we live in is powered by identity. Without the ability to prove that we truly are who we claim to be, the countless online accounts, devices, and services that we use each day would be almost worthless. From email accounts to social networks, and from digital wallets to eCommerce sites, our digital existence depends on our ability to manage identity effectively. But precisely because identity is so powerful and so ubiquitous, it is also a tempting target for cybercriminals. Fraudsters use increasingly sophisticated methods to obtain personal information such as passwords, social security numbers, and account numbers. Armed with that information, cybercriminals can then impersonate their victims to hijack their accounts, steal their data or money, secure illicit loans and lines of credit, access government benefits, or perpetrate other kinds of fraud.
In fact, by some estimates losses relating to identity fraud now total more than $62 billion, making identity a critical battleground in the fight against global cybercrime.
How does identity impact cybersecurity?
Identity is the new perimeter for cybersecurity.
Companies that can successfully verify and authenticate a user’s identity can keep their customers and their data safe, create more compelling products, and gain a substantial advantage in the marketplace. Fraudsters that successfully penetrate authentication systems and spoof or hijack a user’s identity, meanwhile, can wreak havoc, steal huge sums, and seize ontrol of a wide range of valuable assets.
Only by understanding and managing identity effectively, and using next-gen software to proactively secure identity in real-time across the entire operational ecosystem, can organizations ensure their users’ safety. That requires a clear understanding of how identity diffuses through digital networks, along with robust security technologies capable of validating identity at every step in the customer journey. Deduce is here to help you achieve those goals. Learn more about Deduce’s approach to managing identity, or request a free demo to learn how you can prevent identity fraud.
How do companies verify and authenticate identity?
How confident are you in your company’s overall ability to effectively manage and secure all type of identities — both human and non-human?
Managing identity depends upon two key concepts: verification and authentication
Verification
Verification is the process of establishing a new online identity, and ensuring that a person truly is who they claim to be when they first set up an account or present themselves to your organization. This is the foundation-stone of digital identity: the user’s verified identity — who they really are — is the ground truth upon which all subsequent authentication processes depend.
Verification methods can include checking voter rolls, credit records, and other databases to make sure names, addresses, birthdates, and other details are accurate. Organizations can also use social security numbers, state IDs and driving licenses, or micro-transactions to and from financial accounts to verify that a person truly is who they claim to be.
Authentication
Authentication is the process of confirming the identity of a user who’s already known to your organization, such as an existing account-holder. This is typically managed using passwords, digital keys, or other credentials previously associated with a verified identity. The aim is to ensure that a person who’s returning to your site or network is the same person who previously claimed a given identity.
Authentication has traditionally relied on passwords or PINs, but many organizations now augment such methods with two-factor systems such as SMS codes; PIN readers that require physical access to a credit or debit card; and biometric technologies such as fingerprint or face-recognition tools.
Essentially, the verification process is to do with generating identity credentials, while the authentication process is concerned with checking those credentials. Both are important, but how much weight needs to be given to each step depends on the use-case in question.
A loan issuer might need to take extreme care when originally verifying an applicant’s identity for instance, while an entertainment website might allow users to use a simple email address for verification purposes.
Similarly, a bank might require rigorous authentication before enabling transactions, while a low-stakes entertainment website might use a simple cookie-based system to recognize returning users and apply their browsing preferences.
When you partner with Deduce, you can leverage our data coalition to put customized verification and authentication tools in place to meet your organization’s specific needs.
When you partner with Deduce, you can leverage our data coalition to put customized verification and authentication tools in place to meet your organization’s specific needs. Check out our one-page guide for tips on using collective intelligence to keep customers safe.
What is identity fraud?
Identity fraud is the improper use of someone’s personal information for illicit financial gain. As the connective tissue binding together websites, digital services, and online accounts, identity is a key target for fraud.
Once a person’s identity has been compromised, fraudsters can drain their financial accounts, gain access to other online accounts, or use their information to claim benefits, take out loans, make purchases, open new credit cards, or conduct many other kinds of fraud.
There are three major types of identity fraud:
Traditional identity fraud
Traditional identity fraud, in which criminals overcome institutional security systems, perhaps by credential-stuffing or using malware, and often gain accessto a user’s data or assets without the victim realizing anything is amiss. Rates of traditional identity fraud have fallen slightly thanks to tougher institutional security, but according to Javelin Strategy such fraud still causes $13 billion in losses each year.
Scam-based identity fraud
Scam-based identity fraud, in which criminals contact victims and convince them to disclose personal information, grant access to their accounts, or hand over the information needed to commit identity fraud. With people communicating and transacting remotely in vast numbers during the pandemic, scam-based fraud has increased sharply and now accounts for $43 billion in annual losses.
Synthetic identity fraud
Synthetic identity fraud, in which fraudsters combine real and fictitious information to create composite identities that can be used for crimes such as benefit or loan fraud. Since the new identities don’t correspond to real people, fraudsters can scale up without their victims alerting authorities. A new form of fraud, synthetic identities have been linked to $6 billion in losses, and are the fastest-growing form of financial crime.
What’s the difference between identity theft and identity fraud?
Identity theft is when a cybercriminal gains improper access to personal information, such as obtaining an individual’s social security number or date of birth. Identity fraud is when a person’s stolen information is subsequently used for unlawful financial gain, such as by transferring funds out of a compromised bank account.
By aggressively monitoring for and responding to potential identity theft, it’s often possible for organizations to prevent financial losses from identity fraud. Deduce can give you the broad-spectrum security intelligence you need to achieve that. Request a free demo today to see how Deduce puts you back in control of account security.
How do fraudsters steal someone’s identity?
Fraudsters can gain access to personal information in many ways, making it hard to defend against. All forms of personal information — even apparently trivial and freely shared scraps of information such as a pet’s name, a holiday photograph, or a city of residence — can be potentially valuable to fraudsters. Among the main ways that fraudsters steal information:
Physical theft
Stolen credit cards, ID cards, passports, bank statements, checkbooks, and other materials can be used to obtain identifying information about an individual. “Dumpster diving” and poring through improperly shredded personal or business records can be valuable sources of information for fraudsters.
Card cloning
Card cloning. Card-readers, ATM machines, or even the WiFi networks used by retailers can be compromised and used to invisibly harvest information from victims’ credit or debit cards. The stolen information can be sold online via the Dark Web, or copied onto “cloned” cards that can be used for fraudulent purchases or withdra
Social engineering
Fraudsters sometimes manipulate people — account holders. customer support agents, or even friends and family — into granting access to accounts or disclosing personal information. Phone scams in which fraudsters claim to be FBI or IRS representatives are increasingly common examples of this approach.
Informed guesswork
Using information gleaned from public sources, such as social media posts or electoral rolls, fraudsters can make educated guesses about users’ passwords, or their likely responses to common security challenges such as birthplaces, mother’s maiden names, or the names of their children or pets.
Phishing
Online fraudsters often lure unwary victims into clicking on bogus links that send them to legitimate-looking websites where they are asked to enter in their login details. The captured information can then be used by fraudsters to impersonate their victim and gain access to their digital accounts.
Brute force attacks
Simple passwords can often be cracked using automated software tools to rapidly run through dictionaries of commonly used or previously compromised passwords. More laboriously, fraudsters can run through every possible alphanumeric combination to guess short PINs or passwords.
Malware
Both individuals and organizations can be targeted by malware that captures personal information such as login credentials, or provides a backdoor through which large amounts of credentials and other personal data can be removed from individual computers or institutional networks.
Read more about the threats you face and how Deduce can help you comply with regulations and minimize your risk exposure.
Who commits identity fraud, and why?
Identity fraud is conducted on a vast scale, with upwards of 10,000 fraud rings believed to be active in the United States alone. Many low-level fraud rings are casual operators who use friends and family members’ IDs, checkbooks, or social security information to unlawfully claim benefits, secure loans, or open credit cards. Others are street gangs that have branched out into financial crime and now run credit card and tax scams.
Larger cybercriminal rings use digital tools and networks of hijacked computers to perpetrate identity fraud on a global scale.
One 11,000-member fraud network based in the U.S., Europe, and Australia penetrated more than 4.3 million online accounts, causing losses of over $530 million. Another group based in China and the former Soviet bloc stole information from 45.7 million credit and debit cards over a 17-month period.
During the pandemic, such crime rings have only stepped up their activity. Remote workers make an enticing target for fraudsters; so do new government relief programs, emergency business loans, and unemployment benefits. One West African identity fraud ring is known to have defrauded U.S. states of millions of dollars in bogus unemployment benefit payments since the beginning of the COVID crisis.
It’s important to remember that fraudsters seldom work alone: a local crime ring might sell stolen credit cards or bank statements online to cybercriminals specializing in more sophisticated kinds of fraud, for instance. Other fraudsters might combine multiple strategies, such as using information gleaned from social-media sites to personalize social engineering scams, then harvesting more sensitive information for use in financial fraud.
Who do identity fraudsters usually target?
The reality is that anyone is a potential target for identity fraud. Research shows that all age-groups and demographics suffer from identity fraud,
with about 9% of all United States residents reporting having been the victim of identity theft at some point in the previous 12 months.
Notably, the people who feel most tech-savvy — such as early adopters of new technologies — are among those most likely to fall victim to fraud.
Identity fraudsters are increasingly sophisticated and well-resourced, and leverage global information networks to share both stolen personal information and effective strategies for committing fraud. That makes it hard for either individuals or organizations to anticipate new kinds of identity fraud, or to take preemptive action to protect themselves at the scale that’s needed.
By joining Deduce’s data coalition, you can get the identity intelligence you need to protect your users from fraudsters. To find out more.
What are the consequences of identity fraud?
For victims of identity fraud, the cost of a successful attack can be high.
According to the U.S. Department of Justice, about 70% of identity theft victims report being negatively financially impacted, with average losses of about $930 per victim.
Many also report significant emotional distress as a result of the fraud.Victims also spend significant amounts of time trying to resolve identity fraud, with victims of account misuse spending an average of 14 hours clearing up the resulting problems. For a subset of victims, things take far longer: about 6% of identity theft victims report spending 6 months or longer trying to restore their accounts and credit records.
How does identity fraud hurt businesses?
How long ago was your company’s most recent identity-related breach?
Globally, organizations suffer hundreds of billions of dollars in direct losses each year as a result of identity fraud — and while the direct financial impacts are the easiest to quantify, they aren’t the only harm suffered by affected businesses.
Nine out of 10 identity fraud victims expect the organizations where the accounts were held to resolve the fraud, so organizations are forced to invest large sums in customer support and fraud detection and remediation resources.
Research also shows that as many as 38% of identity fraud victims subsequently close the affected accounts, so organizations face an significant indirect financial impact relating to lost future business, enduring brand damage, and increased customer acquisition and retention costs.
Finally, security countermeasures come at a cost — and not just the cost of implementing new data infrastructure or software. Consumers typically report abandoning transactions that take longer than 30 seconds to complete, so organizations must take pains to implement seamless security measures and authentication protocols that are robust enough to keep customers, but frictionless enough to avoid diminishing the user experience.
Get in touch today to learn how Deduce can help you level up your identity risk management, and give your customers peace of mind without inconveniencing them or holding them back.
How can you detect identity fraud?
Because identity fraud is typically perpetrated by cybercriminals who’ve already obtained significant information about an account-holder, it can be remarkably difficult to spot — even for the victims themselves.
About 44% of identity fraud victims say they ultimately discovered they had been targeted after they were notified of unauthorized or suspicious activity by their financial institutions. Only about a fifth of victims say they noticed the suspicious account activity themselves.
Among the most common red flags for identity fraud:
Account changes
Such as password changes or updated contact information, which are often used alongside identity fraud as part of an account takeover attack.
Opening or linking new accounts
Which can pave the way for fraudulent withdrawals, loan applications, or credit card issuances.
Unusual withdrawals
In which fraudsters either rapidly drain an account, or make small “try-out” withdrawals before using the account for other fraudulent purposes.
Unusual transactions
In which fraudsters make purchases for products or gift-cards that they either collect themselves, or use as part of more complex refund scams.
Chargebacks
In which fraudsters improperly reverse credit-card payments in order to withdraw the cash themselves.
For identity fraud that doesn’t pertain to an existing account, such as benefits fraud or the use of stolen identities to open new credit cards or loans, detecting fraud can be significantly harder. Almost 37% of victims don’t realize they’ve been targeted until they’re hit with an unpaid bill, encounter problems when subsequently applying for loans or benefits, or notice an unexpected ding on their credit record.
How to beat identify fraud with data democratization
Because identity fraud is so complex, it can be hard to reverse engineer an attack: only about a quarter of victims know how fraudsters first obtained their personal information, making it hard for either individuals or organizations to put effective countermeasures in place.
That makes it all the more important for organizations to pool resources, and share security intelligence in order to proactively identify fraudulent activity, and use behavioral analysis software to halt bogus transactions or account changes before the fraud is executed.
Learn more about Deduce’s democratized approach to managing identity risk.
Learn More or request a free demo today
How should enterprises respond to identity fraud?
All organizations, from SMBs to major corporations, are now potential targets for identity fraud. The key to minimizing losses is to spot ongoing attacks quickly; respond decisively to prevent data breaches or financial losses; and take effective ongoing measures to ensure that your users continue to view you as a trustworthy partner.
How long ago was your company’s most recent identity-related breach?
Among the most common red flags for identity fraud:
Quantify the risk
Preventing identity fraud begins with gauging the risk posed by any given user behavior, and putting appropriate and proportional countermeasures in place to prevent bogus transactions or other unauthorized activity.
Deny access
The primary countermeasure should be to deny fraudsters access to accounts they’re seeking to compromise. Upon flagging a login attempt as suspicious, organizations should automatically deny access until the user is re-authenticated.
Verify suspicious activity
Any perimeter can potentially be penetrated, so make sure you have post-authentication security tools in place to monitor for and respond to high-risk behaviors. If a user who ordinarily makes small deposits suddenly tries to drain their account, your system needs to ensure they’re truly who they say they are.
Alert customers
Many identity-based security systems operate behind the scenes, quietly verifying and authenticating users as they use your service. But it’s also valuable to reach out to users directly: if an attempt is made to change their login credentials, to access their account from an unusual location, or to make large withdrawals, effective customer alerts can help ensure the activity is genuine.
Communicate effectively
It’s important to keep users in the loop before, during, and after a potential cyberattack. Educating users effectively, alerting them to ongoing threats, and offering support in the wake of attempted fraud can help to reassure customers and mitigate any potential damage to your brand.
These steps might sound straightforward, but the reality is that a third of identity fraud victims currently say they don’t get the support they need from the organizations where they held the affected accounts. Many ultimately close their accounts and take their business elsewhere as a result.
For both individuals and organizations, the cost of identity fraud is real — so make sure you have an effective response strategy, and the software and tools in place to rapidly identify and intercept identity fraudsters. Read more here about how you can partner with Deduce to give your users the support they need.
How can businesses prevent identity fraud?
Preventing identity fraud is no easy task, and requires a multi-pronged approach.
Start by educating your end-users. This vital step is especially effective when it comes to preventing scam-based fraud: consumers need to be made aware that any unexpected contact from someone claiming to represent a financial institution or government agency is potentially a scam. Users also need to be encouraged to use two-factor authentication, anti-malware software, good password hygiene, and other basic security measures to protect their identity online.
Next, toughen your perimeter. There will always be a subset of users who fail to take proper precautions, so detect, and respond to identity fraud. Using best-of-breed software to verify and authenticate users effectively, with risk-based analytics to ensure additional scrutiny of suspicious logins, can help prevent wrongdoers from gaining access to your network.
Authenticate everywhere. Identity isn’t a single attack surface that needs to be hardened — it’s something that flows through and saturates the online world. Since no single checkpoint or perimeter can be completely effective, it’s important to monitor identity throughout your entire ecosystem, and to assess risk and authenticate appropriately wherever and whenever users seek to transact, access or change data, or otherwise conduct activity that requires authorization.
The key to effective security is to stop thinking of identity as a set of credentials used to grant or deny access. Instead, view identity as a proxy for your relationship with the end-user, and a source of intelligence about how they use your service. By leveraging that intelligence effectively, it’s possible to detect fraudsters seeking unauthorized access to protected assets.
What are businesses’ regulatory obligations regarding identity fraud?
Under the Federal Trade Commission’s Red Flags Rule, many organizations that handle financial transactions or extend credit to consumers need formal policies in place to detect and prevent identity fraud. The rule requires that organizations regularly update their methods to adapt to changing technologies and strategies used by fraudsters, as well as new technologies that can be used to detect and prevent identity theft.
That’s a sound policy for any organization, of course — but staying ahead of fraudsters and keeping up to speed on the latest technological countermeasures can be a complex and costly business.
To fend off identity fraud, you need broad-spectrum security intelligence and specialized support. Learn more about how Deduce helps you meet your regulatory obligations, and puts you back in control of your users’ identity.
What is identity intelligence?
Traditional identity checks are credential-based: if a user has the right token, they’re granted access and allowed to download data or execute transactions. That’s an important part of any security system, and by incorporating sophisticated credential checks — such as biometrics, card readers, or two-step verification processes — it’s possible to halt many kinds of fraud.
But in the modern era, with synthetic identities increasingly common and scammers obtaining users’ passwords and personal identifiers, authentication alone isn’t enough. Organizations need robust point-of-entry checks and post-authentication security tools to spot anomalous behaviors and halt bogus transactions before they’re executed.
To achieve that, we need a richer understanding of who our users actually are, and how they access and use our services.
That’s where identity intelligence comes in: by using big datasets and AI tools, it’s possible to glean powerful insights about how legitimate users act, and proactively detect and intercept fraudsters even if they possess an account holder’s personal details, passwords, or PINs.
Identity intelligence is a quantum leap beyond traditional fraud countermeasures, which focus on spotting bots or automated traffic. Using collectivized identity data, it’s possible to create risk metrics for any user activity, based on how legitimate users ordinarily act — then use that metric to augment existing tools and flag suspicious logins or post-login account activity.
Does identity intelligence focus on people or devices?
Identity can pertain to a particular individual, such as authenticating that the person claiming to be Fred really is Fred. It can also pertain to a device: it’s useful to know if a user claiming to be Fred is logging in from a computer known to belong to the real Fred, for instance.
Often, security checks view such relationships simplistically. A system might require additional questions if a person logs in from a new device, but let them check a “trust this device” box to avoid similar questions in future.
With fraud victims typically having 33% more connected devices than non-victims, though, it’s important to take a closer look.
The identity intelligence approach views individuals’ device usage as a rich source of behavioral insights. Perhaps Fred usually uses cloud tools on his smartphone during his morning commute, accesses an on-site network during office hours, and uses a VPN from his laptop in the evening. Those times, networks, devices, and locations contribute to a richer, more three-dimensional understanding of Fred’s behavior — and divergences from those behaviors might automatically trigger additional layers of identity authentication.
When you partner with Deduce, you can leverage our data coalition to get the rapid, actionable intel you need.
Check out our one-page guide for more tips on using collective intelligence to keep your customers safe.
How can identity intelligence prevent cybercrime?
Identity intelligence is based on the key insight that identity isn’t simply a digital test used to grant or deny access to a particular account, network, or file. It’s something richer and more granular: a means of describing the full spectrum of behavior that constitutes your relationship with a user, and using that to determine how risky or benign any user activity is likely to be.
Rather than painting risk in black and white, identity intelligence deals with shades of grey, leveraging a nuanced understanding of how users — both individually and collectively — operate in the real world in order to identify when any given online activity is more or less likely to be the result of (or precursor to) identity fraud.
This rich understanding of identity as a proxy for real-world user behaviors, both in general and in the specific context of your own organization, allows businesses to strengthen all aspects of their security, including:
New user registration
By ensuring that new users are legitimately who they claim to be, and by spotting the telltale behavioral fingerprints of stolen or synthetic identities.
Account takeover detection
By identifying subtle behavioral patterns that reveal the use of automated tools or the occurrence of unusual or risky activity.
Phishing and social engineering
By flagging anomalous logins, identifying compromised credentials, and preemptively blocking suspicious transactions
Risk-based authentication
Enabling low-risk logins or activities to be executed seamlessly but elevating higher-risk behavior for additional levels of validation
Account breach detection
With unusual behaviors — such as logins from non-standard devices or geographies, or changes to login credentials and linked accounts — automatically triggering additional levels of security and oversight
In addition to identifying and halting attempted identity fraud, identity intelligence allows organizations to plan more effectively, with advanced monitoring and reporting enabling CISOs and teams across your organization to quickly spot and remediate potential vulnerabilities, and to implement new security features in efficient, proactive, and cost-effective ways.
Finally, software solutions powered by identity intelligence can enable you to reassure customers that their data and assets are properly safeguarded. Automated, intelligence-enabled customer alerts can proactively communicate with users to highlight risky behaviors, check on anomalous account usage, and clearly communicate that cybersecurity is your organization’s top priority.
Want to find out more? Read Deduce’s one-page guide to protecting your users
Read Deduce’s One-Page Guide or request a free demo today.
How can businesses use identity intelligence most effectively?
Identity intelligence depends on a clear understanding of the way that real-world users access and use online resources — and also of the increasingly sophisticated methods used by cybercriminals to steal identities, emulate legitimate behavior, and perpetrate online fraud.
It’s possible to glean important insights from the way that your own organization’s users operate. But unless you’re running security at one of a handful of global tech giants, your organization’s data universe simply isn’t big enough to rapidly capture new trends in identity fraud, or to distinguish between evolving consumer behaviors and the rapidly changing strategies and techniques deployed by cybercriminals.
The result: most organizations are left flying blind, without the intel and data resources they need to keep their users safe from harm. That often drives companies to overcompensate and implement new security features that diminish user experience, even as customers ultimately remain vulnerable to identity fraud.
The solution: stop trying to go it alone. By using security software to pool resources and share anonymized data about identity fraud and other cybersecurity threats, organizations can gain access to the same level of security intelligence used by the biggest global financial institutions and tech giants to detect and prevent identity fraud.
How data democratization helps businesses to prevent identity fraud
Organizations can’t solve this problem by flying solo. Instead, businesses need to band together and share data effectively, giving all organizations and enterprises access to rich identity intelligence that help create more responsive and resilient security systems without reducing utility for end-users.
The more organizations share data, the easier it becomes for everyone to detect and prevent identity fraud.
That’s why Deduce has built a data coalition uniting 150,000 member websites, and giving merchants, businesses, and other organizations access to insights from data gleaned from 200 million users and billions of historical account interactions
Our commitment to collaborative identity intelligence gives our partners an incredibly rich window onto the countless different ways in which legitimate account users behave, and the telltale signs that betray bad actors. Together, we’re democratizing security data and beating identity fraud.
Want to find out more? learn more about our mission
Learn More About Our Mission or get in touch to find out how to get involved.