February 12, 2021

The International Nature of Identity-Data Abuse and the Importance of Cross-Border Data Coverage

by David Dubuque, B2B Marketing Copywriter -- Pipl

From account takeovers to new account fraud to synthetic identities, the vectors of identity-data abuse are becoming all too familiar, yet the manner in which they operate is often misunderstood.

The biggest misconception: that fraudsters are hoodie-wearing degenerates operating out of their parents' basements.

This is partially true. Up until the early 2000s, the most common types of fraud were counterfeit credit cards and check fraud. That is because identity information was harder to come by, and assembling complete profiles and putting them to work were labor intensive. But when the credit card companies started developing global standards and cards became harder to fake, fraudsters had to get creative -- or face the prospect of becoming respectably employed.

Now, small-time fraud is the exception rather than the rule.

At the turn of the millennium, as consumers began transacting online -- and companies began storing their personally identifying information and account-login data -- fraudsters began to find ways to collect this information and play the long con: assembling enough information to open fictitious accounts or take over accounts and wreak havoc.

But it was still a difficult task. So, just as people do in any endeavor, criminals figured out that many hands make light work. They began to collaborate, easing the task of organizing all of the pieces of their stolen identity data.

This teamwork thing really took off.

Modern fraud is perpetrated by sophisticated organizations that function as any international corporate entity would. Their cash flow is organized by accountants. Their business analysts solve problems and set goals. They have taken advantage of innovations in artificial intelligence and machine learning. They share information and best practices. Their dark web "stores," where everything from identity data to hacking services is bought and sold, make millions of dollars in advertising alone.

For every measure used to fight fraud, these organizations either have -- or are developing -- countermeasures. And they are always looking for new weaknesses to exploit, whether that means finding fresh vulnerabilities in security that allow them to steal information, developing new ways to put that stolen information to work, or moving their base of operations to countries that deprioritize the detection and prosecution of identity-data abuse.

Because large fraud organizations tend to operate out of and into different locations for strategic reasons, identity-data abuse is international by its very nature. Hackers can reach out across the globe to harvest information from the vast logs of retailers or financial institutions. With an email designed to look like a legitimate request from a superior, fraudsters can phish for identity data -- or trick recipients into sending funds. And, most importantly, all of the information that fraudsters steal is put up for sale on the dark web, a marketplace that can be accessed from anywhere.

The relatively recent implementation of PSD2 in the European Union -- a regulation that requires banks to make their customers' banking data available to qualified financial institutions -- was designed to promote innovation in banking. But it is also creating a shift in the landscape of fraud. Although PSD2 comes with increased security measures in the form of the 3DS protocol, loopholes exist when it comes to "one leg" transactions, in which one of the parties involved is located outside of the European Union. This, of course, incentivises fraudsters to plan their attacks on European countries from abroad.

As you can see, it is likely that an identity abuse crime that occurs in one country is likely to cross borders: the takeover of an account in the United States probably originated in another country, using data stolen by collaborating fraudsters who are located in many more countries.

For investigators seeking to fight identity-abuse crime -- and for banks, fintech companies, and merchants wishing to avoid losses due to fraud -- cross-border identity-data coverage has become essential.

An effective way to verify identities across borders

Here, it is useful to introduce the concept of an "online identity." Today, life unfolds online to nearly the same degree it does in the real world. Everyone -- fraudsters and honest folks alike -- leaves traces of their identity online as they create email and social media accounts or take part in online chat groups, whether on the conventional Internet or on the dark web.

If this online identity information is collected, it is possible to make connections between the individual pieces and corroborate those connections by cross-referencing them across the multiple instances where they occur online.

With sophisticated technology, collections of this connected online identity fragments can be assembled into complete online identities: clusters of identity information that are statistically determined to be associated with one another.

Surprisingly, online identities have become a more accurate means of ID verification -- and a better tool for investigation -- than traditional methods like credit headers, Social Security numbers, and government ID, since all of the latter are either easy to fake or are likely to have been compromised by security breaches.

Naturally, online identity companies that source their data from as many countries as possible will offer superior results when used to verify the identity of a customer -- or when implemented to combat fraud -- no matter what country the fraud organization calls home.

Providers that offer metadata, showing when each individual piece of an online identity first appeared publically, and how many sources they correlate to, make it possible to spot the telltale signs of the synthetic identities that international fraud organizations frequently employ to open accounts. The scale of these international operations can be enormous: in a 2013 case, an international ring stole over $200 million using 7,000 synthetic identities.

Providers that fuse online identity information with multi-national sources of authoritative data such as mobile phone-number databases add even more utility to their toolset. This is because the populations of many countries (especially Asia) are shifting to mobile phone numbers, rather than email addresses, as primary identifiers when creating online accounts. As a rule, opening phone accounts requires better Customer Due Diligence (CDD) protocols that creating a new email account does.

Online identities in action

An investigator seeking to identify the fraudster behind an account takeover may have just one piece of information to go on, like an email address that the fraudster has used to intercept communications. This email address can sometimes be associated with an online identity, which often provides clues as to location (ship-to info) or contains a mobile phone number that can lead to an actual person.

For merchants seeking to ensure a transaction is legitimate -- or a bank who wants to ensure the person opening an account is who they purport to be, online identities enable trustworthy, cross-border identity verification that has the added advantage of needing no friction-inducing input from their customers.

For fraudsters, this is all bad news, as the secrecy that they depend on is being threatened by identity-data tools that cross borders.

For more information on using online identities for cross-border investigations and identity-verification solutions, visit