Identity theft: Insights from industry expert Daniel Söderberg

Interviews 2. October 2018.

One can practically steal your life.

The ever-rising threat of identity theft is tough reality. ID theft happened once every 2 seconds in 2017. You are more likely to have your identity stolen than your car taken or home burglarized.

We got together with Daniel Soederberg, CEO of EyeOnID, a company that provides an out-of-box solution for proactive identity theft protection, to understand the truths behind identity theft and get first-hand professional advice on how to protect ourselves from the bad actors.

What is ID theft?

ID theft (to make it simple) is when someone else is using your identity to do something. It could be malicious (=bad) or not that harmful (someone writing a post on your Facebook account when you forgot to logout on a public computer). In other words, identity theft is when someone else is acting under your identity, doesn’t matter if it’s harmful or not.

Why can it be so threatful?

Because you can do so much with it. Someone can go out there and act totally as if they are you: they can create a fake passport, take loans in your name, open up bank accounts in your name, create digital accounts on various sites and services, they can use your information go to the hospital (especially in the US) and get the medical bills sent to you, or even create a criminal record on you. In the worst-case scenario one can practically steal your whole life.

Who are the primary targets of ID theft?

Historically the threat actors in many cases acted on men in the age group of 25-55 as it was easier to get their information and they usually had most money. That has changed. Nowadays everyone is a potential victim: men, women, older, younger. The threat actors have found other ways of how they can profit from stolen identities.

Younger generations are a perfect target for digital services accounts (e.g. Netflix, Steam, Spotify)  and taking loans. Older generations tend to not actively monitor their bank account activity. They also tend to have a higher trust for people, for example if someone says that they are calling from the bank with malicious intention and are less suspicious. Meanwhile, children are the most unprotected generation as the industry is not there yet to ensure preventive measures.

What implications does it have?

Depends on the damage. If someone took over a teenager’s Facebook account – it happens. If in addition nude pictures of that person were posted and the whole school saw them – the psychological damage is unavoidable. For older generations, if a credit card gets stolen, the bank issues a new card and, in most cases, gives back the money. The trend we are starting to see though, is that banks have started to question customer fraud claims and, in some cases, refused to cover for lost money.

How do the bad actors choose their targets?

There are two sides of the coin: malicious actors targeting specific individuals or target groups and those that go wide. For this example, let’s say that Facebook has been attacked and the hackers got a hold of 50 million users sensitive data.

The malicious actors targeting specific groups have a wide range of ways to decide who and how they want to act. For instance, if the chat information was part of the leak they could easily filter out credit card information. They could also structure all the data in a database and use that to create specific target groups: Gender, Age group, Civil status, Country, Occupation, Interest, Joined groups, Mail address, Phone number, etc. From that information the malicious actor can create tailored phishing emails with the aim to get a hold of additional sensitive information or why not a ransomware. 

Malicious actors going for a wider alternative will most probably go for a Credential Stuffing Attack. The aim of the attack is to test the leaked credentials (username and password) from the breach against other websites and services in order to gain access to them. In this example the malicious actor will automatically test 50 million usernames and passwords against companies like Netflix, Uber, Spotify, Gmail, Steam but also smaller companies who do not have as high security standard.

The sophisticated tools that today is being used in attacks like these can almost mimic a human behavior making it harder to detect. Whenever they get access to a new site they will store that information in order to either sell, share or use it for additional malicious actions. Due to the fact that users in 80% of the cases are reusing one or several passwords it is easy to understand this is a popular method among malicious actors. It is so popular that 43% of all login attempts are done by bots.

On darknet you will find loads of sites selling various logins to sites like Netflix – you can buy a subscription for a lifetime, and whenever the current user account gets blocked, they will send you a new stolen one.

How bad is it when your credit card gets stolen?

When your credit card is stolen, it is more like a bump on the road – a week or two until things are solved, you get a new card and money back from your bank. Your credit card is an arm length away from you. Your social security number (SSN), on the other hand, is like a ring around you, tied very close. So, it’s always worse when bad actors go for other parts of your identity.

The effect of an identity breach is for life – you cannot change your personal ID in many countries. Identity theft can go on for years. In the majority of identity theft cases, a bad actor can exploit you for as long as they can make money off you. Once you block them with proactive services combined with reactive services, they will stop and move on to their next victim. There will be no reason for them to continue and the risks of getting caught will increase.

What about when your email as a username together with a password has been part of a breach?

This is the most common type of leaked information, we are talking about billions of credentials circulating. First of all when notified you’d need to change passwords on all the websites you registered with your email, and it’s a lot to remember. Rule of thumb, always remember the 5-10 accounts you have with the most sensitive information about you and start with them. Most people have 2 private emails: one they use for regular sites and one for ‘crappy’ sites. The problem though is that we are lazy and for that reason we reuse our passwords on all different usernames (emails) we have for various sites including our email for work. Finding out other emails connected to you as an individual is in many cases easy.

With everything being connected to the internet, we are looking not just at identity theft, but privacy theft. The ring around you is getting bigger: your IP number will be more and more critical, tied to you via IoT devices: your refrigerator, TV or vacuum cleaner will have your private information. We are inclining towards using the term ‘privacy protection’ instead of ‘identity protection’ as the next step.

What are the steps to take if you fall victim of ID theft?

If you are a victim, using ID monitoring will give you an idea of where your information have and is going. If you don’t have an assistant service, you need to be proactive yourself.

Inform the police, notify banks and credit bureaus

Start with a police report as it is needed for insurance claims. Step two is calling the credit bureaus – put a block on your name if possible (various from country to country), preventing bad actors from taking loans and affecting your credit score. Talk to the bank directly to have this information in the log book and check your account status for any suspicious transactions. If you have an ID-Theft insurance, you should naturally call them first for guidance. Advice: keep big sums on your savings account, minimize your amounts on the transactional account to minimize damage. Block your credit card if you see any fraudulent transactions.

Check your mailbox

The loan papers are often sent to your mailbox at home, so make sure you have a lock on it. Sometimes the bad actor can wait for the mailman, take your post and sign for it in your name. Keep track of all the post that is coming: act immediately upon receiving any confirmation for activities you did not do.

Protect your email account

Change your logins for mail accounts – it’s extremely important. Bad actors will download everything off your email box and work through it to find sensitive data: anything from a photo of your credit card to private information from family members.

Remember: do not reuse your password, do not give out more information than is needed, do not be so trustworthy with information!

Think of it like this: businesses want to collect as much information about you as they can, in order to make money. You may not give it out knowingly, yet you have agreed to all their terms and conditions. GDPR states: service providers shouldn’t take more information than is necessary to provide a service. However, it is not always being followed.

The internet is the worst place – just by accessing a site you give out your information, such as your IP number. We are foreseeing a big shift: your IP number/numbers will have a higher value than your Social Security Number (SSN) as it will be tied up to more places.

Think of the internet the way you act in your normal life: you wouldn’t give out all information about yourself when going grocery shopping. If you intend to be anonymous, you can pay cash. When you buy food online, you give out your name, phone number, address, password, email etc. Understand that the online store will track everything you do on their site and enrich your data with the analytic result (buying behavior, when you buy, what you eat, for how many people, trending brands etc etc) – in many cases sensitive information about you that attackers can use. Ask yourself: what would I have done in the analogue world?

How can EyeOnID help?

EyeOnID have created what we call EyeOnID 360° Modules. These modules are created for creating a 360° protection around our Identity/Privacy. 

Monitoring

ID-Monitoring is one part. We cover the digital part by creating proactive 360° Modules/services. As an example, the ID-Monitoring Module is like a filter that warns you when your information has been part of a leak that is being spread on the Internet or Darknet. We create higher awareness of users by doing risk scoring and by the Module password check we make sure users are not reusing the passwords that have been part of a previous breach. The higher the awareness, the less likely a user will become a victim.

Support & Assistance

Secondly, we provide Support and Assistant services that customers can always consult to prevent the attacks or ask for proactive advice after it happened. It is the support service they can always call if they are worried about something, get tips and advice on how to act or get explanations on warnings and notifications they have received from the proactive modules, like ID-Monitoring. If they would fall victim, the Assistance service is there to hold their hand, to lead them through various steps, block what happened and prevent more things from happening.

Insurance

Finally, we provide the insurance to cover the costs that might occur – anything from having to stay home from work, legal aid, court costs etc.

The proactive digital 360° Modules are like a fishing net, we will catch a large number of fishes (threats) in the net but if a fish swings by, we will catch it at the assistance service. Otherwise, we pick it up at the insurance part. These are the three steps to help you as a consumer.

To find out more about EyeOnID, contact us.

Stay updated. Subscribe to the MMV newsletter