Cryptocurrencies, Blockchain and Fraud, Uncategorized

Synthetic Identity Theft – What Blockchain Users Need to Know

Main Points for Consideration:

  • Traditional Identity Theft schemes steal the identity of a known person to impersonate the victim.
  • Synthetic Identity Theft uses a Social Security Number for form a new, but fake person.
  • Synthetic identities can satisfy known loan underwriting procedures.
  • Synthetic identities create additional risk factors for Blockchain systems.
  • Synthetic identities can be formed before being included into a Blockchain system.
  • Synthetic identities may be used to impersonate known participants.

Advances in Blockchain technology can develop platforms to protect individuals’ identities from theft and also help businesses authenticate participants. But how can Blockchain provide assurances that the identities are valid in the first place? Answers may be found by understanding the threats of Synthetic Identity Theft, and how to mitigate those threats.

In a more traditional identity theft scheme, a perpetrator will steal Personally Identifiable Information (PII) to impersonate the victim. But Identity Theft has evolved into a hybrid form known as Synthetic Identity Theft where a perpetrator is not trying to impersonate the victim. Instead of stealing and impersonating the identity of actual persons, a new persona is invented by the perpetrator. This is accomplished by using a Social Security number to create a completely fictitious personal profile.

Synthetic Identity Theft – How It’s Done

Identity thieves obtain Social Security numbers using familiar techniques like Phishing schemes; forming phony websites to collect PII from victims; using corrupt internal employees who have access to PII; and even buying stolen SSANS obtained from data breaches. The fraudster will add a name, date of birth, and address to create new PII for a fictitious person. The new identity is then used establish records in public databases, credit files, phone and utility records, and social media profiles, etc. Afterwards, the perpetrators can monitor the payment history, credit score and public persona of the fake person. The new accounts established by the fraudster can be immediately used for financial fraud schemes, or, used as sleeper accounts that lay dormant for long periods of time. The dormant accounts can be sold on the black market to other criminals.

Synthetic Identity Theft Schemes – Where Are They Found?

Fictitious synthetic identities are often used to attack internet-based business transactions. As an example, the automobile industry uses internet-based sales for purchasing vehicles without face-to-face interactions with a sales person. Some dealerships have been victimized by perpetrators forming fake identities used to satisfy standard loan underwriting requirements. Financing arrangements were completed with fake personas and vehicles were delivered to other locations where the vehicles were used in other criminal activity.

These schemes have impacted government operations including Veterans’ benefits, Social Security benefits, Medicare and Medicaid programs, Health Care systems, and private medical insurance systems. For example, synthetic identities have been used to obtain health insurance policies from private insurance companies. Also concerning is the potential use of fake synthetic identities by terrorist groups to launder money through established government financial systems and/or cryptocurrencies. The laundered money can fund terrorists for living expenses, safe houses, renting cars, international travel, and purchasing restricted goods.

Fraudulent identity profiles have also been found in the mortgage process, auto insurance claims, staged accident schemes, schemes involving the IRS, Small Business Administration, FEMA, and other government entities. Within the health care industry, the government is encouraging the digitalization of medical records, and these records are based on the PII of patient. This creates more opportunities for the theft of PII.

Anyone’s Social Security number can be stolen, but certain demographic groups are specifically targeted. SSANs of minors are more likely to be stolen because the younger a child is, the longer the fraudulent identity can be used. The SSANs of elderly people, college students, and indigent people are also targeted. The fraudsters have been known to solicit financially destitute people to buy their identity.

Synthetic Identity Fraud is a Worldwide Problem

In 2017, the World Bank released a study concluding that more than 1.1 billion people in the world lack access to vital government services because they are unable to prove their identity. The World Bank Group’s Identification for Development (ID4D) initiative launched a High Level Advisory Council to advance the realization of robust, inclusive and responsible digital identification systems as a sustainable development priority.

The United States Federal Deposit Insurance Corporation (FDIC) recently estimates there are 10 million unbanked or underbanked households in the country. The FDIC defines unbanked as those adults without an account at a bank or other financial institution and are considered to be outside the mainstream for one reason or another. Many people are squeezed out of normal banking systems because of poor credit. Others choose not to participate in government systems to avoid regulation, oversight, and excessive fees.

Why is This a Concern for Blockchain Technology?

The World Bank ID4D recommends efforts to provide reliable digital identities to 1.1 billion people who want to participate in the economy, but lack provable identities. Similarly, unbanked people choosing to use alternative financial instruments, think cryptocurrencies, also desire a safe and reliable system to conduct financial transactions.

Blockchain technology is envisioned as the record keeping system for new digital identities and/or established identities. And it may be safe to assume that the immutable Blockchain distributed ledger can make it more difficult to use a stolen identity. But vexing questions continue to appear: Prior to the adoption of a Blockchain ecosystem, could a criminal or terrorist form a fake Synthetic identity only to be added to the Blockchain ledger? If so, the Blockchain may then become a hiding place for persons intent on doing harm.

Also, once a permissioned Blockchain system is formed with approved participants, could a synthetic identity be formed to impersonate a participant? If so, could a fake participant cause harm to the information being added to the Blockchain?

These possibilities may not be surprising to persons who use ledgers for normal accounting and business purposes. The ledgers can accurately record numbers and information. As accountants and auditors will certainly attest, ledgers can also accurately record falsified information. The ledger system cannot guarantee the integrity of the information before entries are made, and neither can Blockchain. Only people can determine the integrity of other people.

Mitigating Synthetic Identity Theft:

Synthetic Identity Theft schemes can defeat known preventative measures such as credit checks, locking down credit, changing passwords, two-factor authentication because the schemes do not necessarily involve obtaining credit. The fight against Synthetic Identity Theft will be waged by combining known preventative measures with improved Artificial Intelligence (AI) to study behavior, and Biometric verification, such as voice, face, fingerprints, and DNA to verify the identity of actual persons. As such, maintaining a balance between Security and Privacy will always present challenges.

Conclusion: The intention of raising these issues Synthetic Identity theft is not to discredit the Blockchain infrastructure. Instead, and just like any other new technology, it is imperative to understand risk factors as the technology is developed and implemented. Identifying and understanding risk factors should result in strong measures to mitigate the risks. Blockchain developers and end users will certainly need to develop and improve counter-measures to mitigate Synthetic Identity Theft threat vectors.

Forensic Accounting Issues

Current Cybercrime Threats to Businesses

Cyber Security.jpg

Introduction: I mentioned in a previous discussion and blog that Knowing Your Cyber System is imperative to protecting your business. This discussion is intended to introduce the concepts of immediate threats experienced by most, if not all, business structures to their cyber environment. There will certainly be additional cyber threat considerations at the business grows and prospers, but these concepts should get you thinking about how to make the business a hard target against attacks.
Main Talking Points:
1. Business Email Compromise (BEC), Email Account Compromise (EAC) scams, and Ransomware attacks continue to cause tens of millions of dollars in losses.
2. Primary attack vectors are BEC, EAC, Ransomware, theft of PII, and Theft of Data from inside and outside actors.
3. The weakest links in cyber defense are e-mails, attachments, and apps.
4. Small Businesses are frequently attacked.
5. Attacks can be motivated towards financial gain, obtaining competitive advantage, or from hostile governments intent on stealing secrets.
6. Potential for corrupt insiders cannot be overlooked.
7. Cyber fraud and cyber crime attacks are often treated as technological problems, but they are also personnel problems.
8. Best mitigation steps recommended by the FBI and U.S. Department of Homeland Security are discussed.

I queried several different sources to gain an understanding of the main cyber related threats to business enterprises, to include the FBI, U.S. Department of Homeland Security, National Institute of Standards and Technology (NIST), Kapersky Labs, CSO Online, and the American Institute of Certified Public Accountants (AICPA). Most tend to agree that the top threats are listed as:
BEC and EAC Schemes
Identity Theft
Data Theft (Inside and Outside Threats)

Business E-mail Compromise and E-Mail Account Compromise Schemes:

There are many definitions of Business E-mail Compromise (BEC) schemes to let’s start with the definition used by the FBI: Business E-mail Compromise is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
E-mail Account Compromise (EAC), according to the FBI is a sophisticated scheme that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. The EAC scam is very similar to the BEC scam, except that it targets individuals rather than businesses.
Criminals can obtain the necessary information to execute BEC and EAC attacks through social engineering and computer intrusion techniques. Social Engineering is the psychological manipulation of people to perform actions or divulge confidential information. The goal of the criminal actors is to gain access to the internal communication systems of the victim business to surveille the business practices of the payment systems. The scams are usually committed by the perpetrator using a hacked or “spoofed” e-mail address. A spoofed e-mail is created by the hacker to mimic a legitimate vendor e-mail to convince the victim to send money to an account held by the criminal. The financial institutions conducting the wire transfers are using actual funds and therefore, are not exposed to losses. The losses are sustained by the victim company.
Ransomware is a form of Malware that targets both human and technical weaknesses in organizations to deny the availability of critical data and/or systems. When the victim organization determines they are no longer able to access their data, the criminals demand payment of a ransom in exchange for regaining access to their systems. Ransomware attacks are decreasing in number but increasing in variants. Ransomware is also known to infect smart phones, as well.
The top targets of Ransomware are academic organizations, government agencies, healthcare organizations and hospitals, and any organization with sensitive client data such as law firms.
Victims are targeted through e-mails, attachments, or links containing malicious code. Opening corrupted attachments and links results in the encryption of files that restricts access to files, or entire systems, until an extortion payment is received. In addition to siphoning data from the victim, criminals hold the data hostage until payment, often in the form of Bitcoin or other cryptocurrencies.
Executive management will have to decide to pay or not pay the ransom based on the facts of the situation, but, in general, payment of the ransom is not recommended. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved.
Identity Theft:
Referring to the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) illustrates that money is not the only target of cyber thieves. Criminal actors sell the stolen PII on underground markets, i.e., the Dark Web. PII is any information about an individual, including any information that is used to distinguish or race an individual’s identity such as name, Social Security number, date and place of birth, mother’s maiden name or biometric records, medical, educational, financial and employment information. Theft of PII often leads to other crimes such as tax-refund fraud, credit card fraud, loan fraud, synthetic identity theft, and others.
Data Theft:
According to the American Institute of Certified Public Accountants (AICPA), sensitive data is an attractive target for cyber thieves. The crimes occur when a cyber criminal gains access to the internal cyber system of the victim to steal the sensitive data. Sometimes, these crimes target governments or other large organizations with more resources using a combination of malicious methods to first gain access to an organization’s networks, referred to as an Advanced Persistent Threat (APT). Then, the actor proceeds to monitor activity and siphon data in an undetected manner over an extended period of time.
Smaller businesses are also targeted for the theft of sensitive data. The theft schemes targeted towards businesses can be conducted by actors outside of the company, but also from insiders. Corrupt employees, to include contractors and vendors, have access to the most valuable secrets of an organization. Those bent on stealing the intellectual property will exploit weaknesses in the internal controls to copy, download, and remove the valuable information. They can sell the information to competitors, steal the information to start their own companies, or steal the information to take jobs with competitors. Some are complicit with hostile foreign intelligence services intent on stealing the secrets for use by their respective governments. Businesses should also consider the potential for corrupt insiders to plant malware or viruses to destroy the cyber environment. Some insiders will implant hidden “back doors” to the systems for later access by themselves or complicit actors.
The FBI advises that the insiders are interested in the following areas: Information and Communication Technology; Business information pertaining to scarce natural resources to provide global actors an edge in negotiations with the U.S. Government; Military Technologies, Civilian and Dual-Use technologies in clean energy, health care/pharmaceuticals, and agricultural technology. Motives could include greed or financial need, unhappiness at work, allegiance to another country, vulnerability to blackmail, the promise of a better job, and/or drug use or dependence.
The FBI also advises that certain behaviors of the actors may be missed that could have been picked up ahead of time. Those behaviors and warning signs include:
(1) They work odd hours without authorization.
(2) Without need or authorization, they take proprietary or other information home in hard copy form and/or on thumb drives, computer disks, or e-mail.
(3) They unnecessarily copy material especially if it’s proprietary or classified.
(4) They disregard company policies about installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential material.
(5) They take short trips to foreign countries for unexplained reasons.
(6) They engage in suspicious personal contacts with competitors, business partners, or other unauthorized individuals.
(7) They buy things they cannot afford.
(8) They are overwhelmed by life crises or career disappointments.
(9) They are concerned about being investigated, leaving traps to detect searches of their home or office or looking for listening devices or cameras.
FBI Recommended Cyber Crime Preventative Measures:
(1) Employee Training – because end users are often targeted, employees should be made aware of the threats, how attacks are delivered, and trained on best practices for good cyber hygiene.
(2) Patch Operating system, software, and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered, which is made easier through a centralizes patching system.
(3) Ensure anti-virus and anti-malware solutions are set to automatically update.
(4) Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary and should operate with standard user accounts at all other times.
(5) Similar to administrative accounts: file directory, and network share permissions should also implement least privilege. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Configure access controls with least privilege in mind.
(6) Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
(7) Implement Software Restriction Policies or other controls to prevent programs from executing from common locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the APPData/LocalAppData folder.
(8) Back up data regularly, and regularly verify the integrity of those backups.
(9) Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing offline.
The United States Department of Homeland Security provides the following seven strategies to defend control systems as suggestions to protect the cyber environment:
(1) Implement Application Whitelisting – Application Whitelisting (restricting systems      from running software unless it has been cleared for safe execution) can detect and          prevent attempted execution of Malware uploaded by adversaries.                                          (2) Ensure Proper Configuration/Patch Management – Adversaries attack unpatched          systems. A configuration/patch management program centered on the safe                          importation and implementation of trusted patches will help keep control systems            more secure. Use best practices when downloading software and patches destined for      your control network. Take measures to avoid “watering hole” attacks (attacker                  guesses which websites the group often uses and infects one or more of them with              Malware). Use a web Domain Name System (DNS) reputation system. Get updates              from authenticated vendor sites. Validate the authenticity of downloads. Insist that            vendors digitally sign updates, and/or publish hashes via an out-of-bound                           communications path and use these to authenticate. Don’t load updates from                       unverified sources.
(3) Reduce Your Attack Surface Area. Isolate ICS networks from any untrusted                     networks, especially the Internet. Lock down all unused ports. Turn off all unused             services. Only allow real-time connectivity to external networks if there is a defined           business requirement or control function. In one-way communication can accomplish       a task, use optical separation (“data diode”). If bidirectional communication is                     necessary, then use a single open port over a restricted network path.                                     (4) Build a Defendable Environment. Limit damage from network perimeter breaches.     Segment networks into logical enclaves and restrict host-to-host communications               paths. This can stop adversaries from expanding their access, while letting the normal     system communications continue to operate. Containment provided by enclaving also       makes incident cleanup significantly less costly.
(5) Manage Authentication – Adversaries are increasingly focusing on gaining control       of legitimate credentials, especially those associated with highly privileged accounts.         Implement multi-factor authentication where possible and emphasize strong                       passwords. Require separate credentials for corporate and control network zones and       store these n separate trust stores.
(6) Implement Secure Remote Access. Some adversaries are effective at gaining remote     access into control systems, finding obscure access vectors, even “hidden back doors”       intentionally created by system operators. Remove such accesses whenever possible         especially modems as these are fundamentally insecure.
(7) Monitor and Respond. Consider monitoring programs in the following five key             areas:
a. Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
b. Monitor IP traffic within the control network for malicious connections or content.
c. Use host-based products to detect malicious software and attack attempts.
d. Use login analysis (time and place for example) to detect stolen credential usage or        improper access, verifying all anomalies with quick phone calls.
e. Watch account/user administration actins to detect access control manipulation.
Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for Malware, disabling affected user accounts, isolating suspect systems, and immediate 100% password reset. The Plan may include incident response, investigation, and public affairs activities.
Have a restoration plan, including having “gold disks” ready to restore systems to known good states.

Conclusion: The common link in these vulnerabilities is often the lax behavior of people using e-mails corrupted apps. The careless use of e-mails provides criminals the easiest avenue of penetrating the cyber environment. One of the most effective methods of surveilling the cyber systems is to compromise the internal mailboxes of executives and key employees. From this position, the actors can learn about job positions, levels of authority, speech habits, bank accounts, decision making authorities, travel, vendors, customers, and attachments to emails. Such knowledge allows the actor to successfully mimic the language of users to misdirect wire transfers, steal sensitive information, or plant Malware to inflict damage to the system.
No one can prevent all attempts at cyber fraud making it important to recognize that all business structures, regardless of the size, are targets of adversarial actors. Often, cyber-fraud and cyber-crime attacks are treated as technological problems, but they are also personnel problems. Reviewing past cases have shown that the victims failed to have quality preventative measures in place, as well as cases where controls were in place but disregarded by careless employees. Effective defenses necessarily will have to be multi-layered, continuously upgraded, and rigorously tested to offer the best chance to prevent damage or to discover problems at the early stages.