Analyst Chat #19: Identity Vetting - Dealing With the Wave of Fraud During the Pandemic

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. Like in every edition, I will have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. And my guest today is John Tolbert from Seattle.
Hi John. Hi Matthias. Great to have you again. And as I said, we are talking about current topics and this is really true for now. We had a, we had an episode together about fraud reduction intelligence platforms earlier. And today we have to talk about some really current cases of fraud that just going on during the pandemic crisis in the US.
Right? Yeah. Yes. Unfortunately, fraudsters have found new and innovative ways to exploit the pandemic crisis. So using fraud reduction intelligence platforms has become a real paramount issue for a variety of different kinds of organizations, including as we've read in the news here, recently state unemployment agencies, there's been a large amount of attempted fraud against various us states and their unemployment agencies by foreign fraudsters, who are attempting to create new accounts at the unemployment agencies to collect unemployment benefits from us states. I'm here in Seattle area of Washington, and we've been particularly hard hit in this state by this kind of a scan. And really the problem that they've experienced is that all it's taken to create an account at the unemployment agencies, really just a name, a physical address and social security number. And unfortunately, a lot of that information has been breached from many different sources over the years and has been available on the dark web.
So the fraudsters take these bits of information and use them to assemble accounts. And in the case, you know, here, state unemployment fraud, they take those three data points, great and account, and then assign a bank account, you know, outside the state where they, they can then go collect that unemployment. So we see this as a variation on what many call new account fraud or synthetic fraud, and a lot of this information that has been previously leaked from data breaches, like email addresses, phone numbers, names, physical address, social security number, date of birth are used to build these kinds of accounts. Yeah. Notified
By this great site have IP owned about recent data breaches. And when, when you just look at the numbers, 69 million breached accounts, and that will not last if I remember correctly, of course, this is information that can be easy to reuse for targeting such such systems for a new account.
Yeah. You know, oftentimes people, I think associate fraud, mostly against banks or other kinds of financial institutions, but, you know, in these cases where you're the bad guys are trying to create new accounts, they'll use records from healthcare. That's why healthcare agencies, doctor's offices, clinics, whatnot have been so heavily attacked over the last year or two, because they're unfortunately a really good source of this particular kind of PII, including social security numbers here in the U S you know, insurance accounts generally are tied to a person's social security number, same thing with, you know, government agencies, school records and employment records. So what wouldn't necessarily seem like a vector for financial fraud, all this PII can be used to build, you know, these new fake accounts, which then is used for financial fraud. You know, we see new accounts setting up new credit cards, lines of credits, but then also, you know, like this recent case of the U S around unemployment fraud, they use this to create a brand note count and try to collect benefits from the state, right? So
They are now harvesting what, what they, what they gathered before and use it for the second step. So the first gather the information and then really use it for this fraudulent method.
Yeah. A lot of the information might be a little bit harder to get ahold of, but once they, the fraudsters have it in their hands, it's, it can be more lucrative unfortunately than just say, stealing credit card numbers that might have a, a fairly low per transaction limit, or might, you know, the credit card. A lot of credit card companies are pretty good at detecting fraud and denying it. So again, the, the malicious actors here found a, a weaker site to attack, but, you know, there are ways around this. There are ways to prevent this. We look at the mitigations such as bot intelligence. Sometimes these things are perpetrated by different kinds of bots, and that really at the heart of it all is identity vetting. I think in the case of unemployment fraud, you know, fraudsters, if they're in possession or just those three, fairly easy to get data points to create accounts, state agencies share rely on more stringent forms of identity vetting. We can talk about that more in a minute as well. Right. But,
But if there's information that is used for, for really creating this a console for claiming unemployment, is that easily available as almost the duty to apply identity betting. And when it's that easy, you know, if there is so much information about different people around you to recent data breaches, I would expect that that this should be the standard there.
Yeah. States have to make a much harder in order to file claims than simply showing up with a social security number. I mean, that's such a, a well-known easily compromised bit of information it's, it should not have the value that it does, unfortunately. Okay. I got
It. And I assume, at least in the us Germany, the healthcare system and hospitals, especially are typically attached to them because their security is due to limited budgets due to limited resources. And because it's not that focused, their security often is rather weak and they get rather frequently hit by such breaches and attacks. Is this true for the states as well?
Yes, I wouldn't say so. I think financial industry does a much better job on the whole of protecting identity. And then also they're here, you know, they have better cyber security posture in healthcare of, of all different flavors. You know, whether it's on the clinic or the doctor's offices side or on the health insurance side as well. It's not nearly as rigorous a process for obtaining accounts registering and, and authentication as it should be. And, you know, when we know that there are much better methods for identity vetting and then, you know, strong or multifactor authentication that could help reduce the risk that healthcare companies and agencies are exposed to. In
The earlier episode, when we talked about this fraud reduction intelligence platforms, we were rather talking very theoretically. Unfortunately you have better, more practical and real life examples to share with us now, right?
Yeah. We've been collecting information about COVID 19 related fraud scams, and I've just put together about a dozen different kinds of scams right now in biotech researcher, account takeovers they're men, several cases where companies are being fished to get credentials of researchers early on in the beginning stages of the pandemic crisis saw huge numbers of registrations for coronavirus related domains, which are then used along with fake emails that, that really look like they're coming from the world health organization or the CDC in the U S they would create, you know, a malicious document or try to get victims to go to a malicious link. And the idea would be to get them there, take over the computer or capture their credentials so that they can be used in other kinds of fraud. There's been password spraying against health work, healthcare workers, not just against their corporate accounts, but also their personal accounts.
Same thing about healthcare nongovernmental organizations, and then attack both on the corporate and personal side intelligence agencies. It seems that everybody's, well, everybody's always fighting against everybody else, but there's been an significant uptick reported in various state actors trying to collect information about what others know, especially regarding COVID-19 stimulus scams, and other example, what we were just talking about with unemployment agencies, but one of the stimulus checks were coming out in the U S there were numerous scams around trying to get that benefit from the intended recipient. And they used everything from email, text phishing, vishing in a voice fishing to get that governed. And that,
That sounds scary.
Yeah. Yeah. It's, it's scary and sad all at the same time that people would try to manipulate a real global crisis for fraud. Right. But there's even more, yeah. Yeah. That's just, it's people have to be on guard for this. I've seen, you know, more vishing reverse vision, you know, send somebody an email or a text, make it look like it's coming from, you know, a bank or utility about a late payment, you know, because as we've seen too many people are unemployed as a result of the crisis. So the crafted email or a text that looks like it's coming from some kind of service provider and saying, you know, you've got a late payment click, this link that takes you to a malicious site. People put their credentials in, then, you know, the bad guys have those credentials. You know, this is particularly problematic with SMS because, you know, there are URL shorteners in use. So even if somebody is trying to, you know, be a little bit more on top of the situation, that can be hard to tell what the link is within SMS. Right. And
These are often shortened. And so they are almost used to it to clicking on that link when it comes from the telco or
Whatever. Yeah. And, you know, as a result of security awareness training over the years, many, many employees are kind of on guard against phishing emails, but it's, it's been less common over text until the last few months, same thing with the voice calls or, you know, sending an email and then asking someone to call a number where fraudsters are on the other end of the line, many, many twists, some variations and how this is happening these days. Right. More examples from your side. Yeah. I'm just going to quickly run through the list here. So phishing unemployed people with fake job offers again, maybe direct them to a site of the men or some credentials of that. Those credentials are, you know, reusing emails, passwords, fraudulent, charitable campaigns, collect money, PII, get shares on social media. This one's been really rampant, fake medical supply sites. People bad, bad actors are sending out a spam email about, you know, low cost masks or test kits.
And, and then people will order them and then not get what they're intending to order. There are pretty sophisticated work from home charity, scams, mule accounts in use the idea there's, you know, somebody is out of work. Do you want to be able to work from home, sign up here? The malicious actor will tell the person, oh, you need to go get a Bitcoin account. We'll transfer money in Bitcoin. Who wants you to move that Bitcoin into another account for us? It's just, it's really just money-laundering. So it's, it's a way of perpetrating fraud and preying on people who are looking for a work from home opportunity. And that lastly, lots and lots of coronavirus and political disinformation campaigns. And as we've seen multiple studies over the last few years, it seems that this information spreads easier and faster than information. Oh yeah. This, this,
I can confirm here as well. Right? Yeah. So what, what, what to do against that? What, what, what are the methods to prevent that from happen?
Well, you know, just focusing back on the, let's say the unemployment fraud or the other government aid fraud kinds of cases, I think there, as we covered in the last session, and then the fraud reduction, intelligence platforms, leadership compass, there are about six major techniques that vendors can utilize to reduce different kinds of fraud, but really just want to focus on identity proofing here. I think in the case of unemployment fraud requiring more than three bits of information to be able to assemble account and receive benefits is absolutely necessary. So identity proofing is really at the heart of it validating a person and their request against authoritative documents in order to establish a digital account of one kind or another really, you know, being able to tie this back to let's say, a passport, a driver's license number or some other authoritative document, you know, whether it be Eids in Europe or something like that, it has to be more than something that can be easily phished or gotten from the dark web to assemble accounts. I would say that, you know, implementing identity proofing as part of an overall fraud reduction strategy should be a paramount concern for government agencies, as well as any other financial or healthcare institution at this time, identity proofing plus multifactor authentication can significantly reduced the amount of fraud that can be inactive against these kinds of agencies and organizations. And it should
Be in the, in the interest of the organization or the governments themselves, because actually we have two victims here on the one hand, the payment is, is made by the government in that case. And the actual person behind the stolen credentials also is a victim because they have to prove that they actually did not. For example, apply for unemployment here.
Exactly. You know, it's a loss on the part of the taxpayers is you're saying, you know, the government agency loses money, but then it's a huge hassle for the victims of identity theft. And if somebody loses those three bits of information, including a social security number, then they can be used elsewhere. And yeah, there's, there's a lot of work that an individual has to do to be able to clear their record at that point. Okay. So
What else can, can be done when it comes to identity proofing?
Well, you know, it's, it's kind of a more advanced use case, but I have seen several instances where vendors have created pretty interesting. And in most cases, secure mobile applications that allow for identity vetting, especially for like financial use cases. In this case, it would take, you know, a user would check their phone, be able to take a picture of either a driver's license or a passport photo, take a selfie, compare those, maybe read the, the magnetic strip or use the NFC to, you know, get the information out of the physical passport and then tie those bits of information together at the time of account registration. So that, you know, there are a few mobile apps by a few vendors that can do this. And I think, you know, the technologies around and works. It's just not widely deployed yet. And I think this too can be a really good way of helping to reduce fraud, especially in times like a pandemic where it's not as easy to say, go in in person and register, share the documents and have, you know, close contact in order to be able to do that. I think mobile solutions are definitely something that both government agencies and other kinds of private sector businesses should be looking at to do identity proofing remotely,
Right? Although there are still some kind of social gap to be able to, to actually have a smartphone to run a mobile app. I think that it's really more and more getting common to almost every citizen of the U S to be able to, to use such a mechanism more or less.
Well, you know, you've got a really good point there. I mean, one of the drawbacks to technical solutions as making the assumption that everybody has the latest smartphone. So, you know, this would work for a certain percentage of the population, but it doesn't work for everybody. So you still have to make accommodations for those that, that may not have a capable smartphone. I mean, even older models, smart phones won't necessarily allow you to do all the sophisticated things that are required, let's say for a remote identity proofing use case. Okay. Okay. Yeah.
I think that might still be an issue and the solutions that a government agency has to provide meat to cover all use cases, so to cover the full population of the state.
Well, yeah. You know, and even in the U S I think it's somewhere under 30% of people have a passport and then not everyone has a driver's license either. So there's going to be a certain segment of the population that do not have these two particular authoritative documents so that they can use for identity proofing. But, you know, there are other options, you know, non-drivers identity documents that generally can be had, but, you know, what do you do when you're in a case like now where you can't go to the department of motor vehicles and get a, a brand new driver's license without seven difficulty. And that also varies state by state at this point, right?
Sometimes it's difficult to believe that it's 2020, but yes, I fully see the problem. And the same is true for the UK. Also, whether it's no ID card at all.
Exactly. Well,
Thank you, John, that you presented such an insight into current things that are happening. Although there are, I'm actually sad and tragic for those involved, but it's good to see that the work that we're doing has really to do something with the real life and real threats and that we might support in, in preventing people from falling victim to that, and to help organizations to be prepared to help their customers slash citizens here. And you mentioned the leadership compass already. What else can we, as KuppingerCole provide to them for two interested parties? Well,
Yeah, I would say government agencies or other organizations that need help selecting fraud reduction intelligence, if they don't have it, definitely get it, take a look at the leadership compass on fraud reduction, intelligence platforms. We have a couple of webinars that are out there also that were done sort of after the leadership compass. And then, yeah, in general, if people have questions, feel free to contact us, we would definitely be willing to help point agencies or companies in the right direction when they're looking for some help with reducing fraud. Yes. I can
Just confirm that that is true for the U S team. And that is true, of course, for the EU team of KuppingerCole and around the world also in APEC. So just get in touch with us at KuppingerCole dot com and please let us know if we can be of support and at least try to fetch the leadership compounds, maybe even with a 30 day freeze test account, just to make sure that we make the situation a bit safer here. So thank you, John, for telling us your insight and your experiences from, from what's going on right now in the US.
Thanks Matthias.
Yeah. Thanks to the audience for listening and stay safe, stay secure and stay vigilant when it comes to phishing and all these mechanisms that you described. So looking forward to the next episode, hopefully with better news. And thanks again, John bye-bye. Thank you. Bye