Just when you thought we had enough variations of IAM, along comes FIAM. Fake digital identities are not new, but they are getting a lot of attention in the press these days. Some fake accounts are very sophisticated and are difficult for automated methods to recognize. Some are built using real photos and stolen identifiers, such as Social Security Numbers or driver’s license numbers. Many of these accounts look like they belong to real people, making it difficult for social media security analysts to flag them for investigation and remove them. With millions of user credentials, passwords, and other PII available on the dark web as a result of the hundreds of publicly acknowledged data breaches, it’s easy for bad actors to create new email addresses, digital identities, and social media profiles.
As we might guess, fake identities are commonly used for fraud and other types of cybercrime. There are many different types of fraudulent use cases, ranging from building impostor identities and attaching to legitimate user assets, to impersonating users to spread disinformation, and for defamation, extortion, catfishing, stalking, trolling, etc. Fake social media accounts were used by St. Petersburg-based Internet Research Agency to disseminate election-influencing propaganda. Individuals associated with these events have been indicted by the US, but won’t face extradition.
Are there legitimate uses for fake accounts? In many cases, social network sites and digital identity providers have policies and terms of service that prohibit the creation of fake accounts. In the US, violating websites’ terms of service also violates the 1984 Computer Fraud and Abuse Act. Technically then, in certain jurisdictions, creating and using fake accounts is illegal. It is hard to enforce, and sometimes gets in the way of legitimate activities, such as academic research.
However, it is well-known that law enforcement authorities routinely and extensively use fake digital identities to look for criminals. Police have great success with these methods, but also scoop up data on innocent online bystanders as well. National security and intelligence operatives also employ fake accounts to monitor the activities of individuals and groups they suspect might do something illegal and/or harmful. It’s unlikely that cops and spies have to worry much about being prosecuted for using fake accounts.
A common approach that was documented in the 1971 novel “The Day of the Jackal by Frederick Forsyth is to use the names and details of dead children. This creates a persona that is very difficult to identify as being a fraud. It is still reported as being in use and when discovered causes immense distress to the relatives.
In the private sector, employees of asset repossession companies also use fake accounts to get close to their targets to make it easier for them to repo their cars and other possessions. Wells Fargo has had an ongoing fake account creation scandal, where up to 3.5 million fake accounts were created so that the bank could charge customers more fees. The former case is sneaky and technically illegal, while the latter case is clearly illegal. What are the consequences, for Wells Fargo? They may have suffered a temporary stock price setback and credit downgrade, but their CEO got a raise.
FIAM may sound like a joke, but it is a real thing, complete with technical solutions (using above-board IDaaS and social networks), as well as laws and regulations sort of prohibiting the use of fake accounts. FIAM is at once a regular means of doing business, a means for spying, and an essential technique for executing fraud and other illegal activities. It is a growing concern for those who suffer loss, particularly in the financial sector. It is also now a serious threat to social networks, whose analysts must remove fake accounts as quickly as they pop up, lest they be used to promote disinformation.
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
The EU GDPR (General Data Protection Regulation), becoming effective May 25, 2018, will have a global impact not only on data privacy, but on the interaction between businesses and their customers and consumers. Organizations must not restrict their GDPR initiatives to technical changes in consent management or PII protection, but need to review how they onboard customers and consumers and how to convince these of giving consent, but also review the amount and purposes of PII they collect. The impact of GDPR on businesses will be far bigger than most currently expect. [...]