Automation is the Engine of Identity Crime

Automation is the Engine of Identity Crime


Knock, knock! Who’s there? It is an old joke, but one that has become very serious as companies struggle to identify their customers online. It is not as easy as it sounds with cybercriminals impersonating millions of identities online to steal money, products, and services.

Every major type of industry from healthcare to travel, and even the IRS, have been breached. This has allowed massive amounts of personal data to be stolen. In 2016 alone, an identity was stolen every two seconds, according to Keeper, a password management application provider. Since 2013, nine billion data records have been lost or stolen. Combine those numbers with an estimated $16 billion that was stolen from 15.4 million U.S. consumers in 2016 alone according to Javelin Research, and the amount of identity theft is mind boggling.

Automation Theft Cybercrime

With the advent of machine learning and artificial intelligence, even the most unsophisticated of criminals can easily buy personal information on the dark web and leverage automated scripts to easily test tens of millions of username and password combinations to see which will work. These are called brute force attacks. Once those username and password combinations have been confirmed, cybercriminals can pose as genuine customers to gain control of an account and hit the jackpot.

Automation systems such as GUI scripts are also utilized because they can not only mimic human users, but also manipulate web browsers to make it look like human input. Application fraud and Account Takeover (ATO) attacks against banks and financial institutions can result in serious fraud implications such as money movement or fund transfer schemes.

Botting Up

Cybercriminals have also added internet robots to their arsenal and while some bots are created for good, many carry malware. Malicious bots can be programmed to steal content, overwhelm websites, or even attempt to access a user account without permission. There has been a 36.65% increase in bad bot traffic since 2015 that have infiltrated the world’s top 10,000 websites as ranked by Alexa according to Distil Networks. The 2017 bad bot report also shows that 96% of login pages and 82% of signup pages were hit with bad bots along with 90% of sites with login pages like payment portals.

NuData’s threat intelligence for May 2017 alone shows ATO attacks on both mobile and web logins have risen 630% since February 2017 which included hackers using brute force automated scripting. Application fraud and ATOs can cause financial institutions serious fraud implications such as money movement or fund transfer schemes.

Unmasking the Impersonator

Armed with automation, passwords, and credentials, cybercriminals pose as real customers to gain access to bank accounts and go on shopping sprees. While this disguise seems foolproof, it also reveals a weakness that can be detected by passive biometrics. Bad actors cannot replicate the subtle, unique behaviors of customers in every instance of data input. Passive biometrics tracks and analyzes hundreds of behavioral aspects such as the angle of a handheld device when in use, the pressure applied to the keys or screen, and the length of gaps between typing and swiping. These behavioral inputs help to separate good users from bad. These factors are virtually impossible for a non-human interface to replicate. Anomalous behavior can be identified by analyzing and comparing the patterns of known human users with unusual patterns and to existing patterns of the good known user. This combination focuses on observed characteristics and specific behaviors to identify true customers and add context to the authentication of users.

In the war to fight fraud, retailers and financial institutions are now employing a layered security approach including passive biometrics and behavior analytics to identify customers by their behavior and not just their passwords and credentials. This approach is one way to unmask fraudsters while providing an easy and convenient experience for true customers.

Want to learn more about biometric authentication? Download our co-sponsored Aite Group report, Biometrics: The Time Has Come.

Want to read more posts like this? See our full blog here.