Almost every day, someone calls me to inquire about how to deal with a compromised identity. It has become so common that I have come to the point of just assuming everyone has had their identity compromised in some way, shape or form after the last few years of large-scale data breaches.
In 2018, the trend of large data breaches continues with electronic toymaker Vtech settling for $650,000 after suffering a data breach that resulted in exposed personal information about millions of children. Just in the last few months, major breaches targeting payment processing systems at Chili’s, Rail Europe and Macy’s have occurred, resulting in the exposure of customers’ credit card details such as card numbers, CCV codes, expiration dates and in some cases additional information like addresses, phone numbers and emails.
For-profit criminals will move very quickly once they gain access to PII or payment information, so you will need to act fast. Harvester will target and launch a number of different attacks designed to obtain and steal your personal information from vulnerable or exposed databases. They are looking for a complete or partial set of information such as name, address, SSN, date of birth, mother’s maiden name, Personal Identification Number (PIN) used for credit and debit cards, passwords, bank and account numbers, credit report, investments, insurance, loan information or medical records so they can resell that information for a profit.
Aetna, CarePlus, Partners Healthcare, BJC Healthcare, St. Peter’s Surgery and Endoscopy Center, ATI Physical Therapy, Inogen, UnityPoint Health, Nuance Communication, LifeBridge Health, Aultman Health Foundation, Med Associates and more recently Nashville Metro Public Health, UMC Physicians, and LabCorp Diagnostics have all disclosed or settled major breaches in the healthcare vertical this year. Medical fraud can be one of the hardest to detect and is often only discovered after the victim receives a bill for a procedure that never took place. The reason why childrens’ records are highly targeted is often because they have clean credit and it takes longer for the parents to discover their child’s medical identity has been compromised.
Personal data is in demand and quite valuable on today’s black market. Criminals will normally sell the information obtained in bulk or in packages on private forums to other criminals who have the ability to quickly cash the accounts out or commit other types of fraud. Other data will also find its way to public auctions and marketplaces where the seller is trying to get the highest price possible for the data or attention for the hack.
Ultimately, the process of repairing your identity is not easy but it is a manageable process. Once you suspect that you have become a victim of identity theft, you should take immediate action.
How much does your data cost?
Stolen data can be found on both the clear and darknet. One is not exclusively better than the other. While public sites exist that sell this type of personal data, the more recent and sensitive data breaches are typically found on crime forums that are closed to the public.
When a criminal gets ahold of your Personal Identifiable Information (PII) such as banking account details or identification, they can use these types of data points to open phone contracts, loans, and create banking accounts.
In general, stolen credit card information is everywhere with the cost of a single card anywhere from $10 to $15 on average, depending on a number of factors such as card type, value and location. Normally this digital sell would include card number, expiration data, cvv2, cardholder name, zip, city, address and sometimes also email or phone number. Full bank account details can sell for $25 per record and includes first name, last name, phone, address, city, state, zip, date of birth, SSN, routing number, account number, and bank name.
Physical cloned ATM cards with PIN numbers can be purchased as well and normally sell for $300 per card. Physical identification such as passports and drivers’ licenses can also be found and sold online. They can be customized to your preference. For example, if you had someone else’s identity you could duplicate their physical identification cards for a number of malicious activities. The price for a physical passport starts around $1,000 and can dramatically increase in price based on the country and information required on the document. Physical drivers’ licenses and identification cards sell for around $250 per card.
Recently the more popular form of identification for sale in the marketplaces is digital passports and drivers’ licenses. These are fake digital copies designed to be used for account verification with websites like Coinbase or Facebook and sell for between $10 to $20.
In general, the price for data can dramatically vary. If you are looking for specific, one-off documentation on a target the price rises, but if you are buying in bulk the price per Fullz can drop to .50 cents per unit and below.
Sometimes the data obtained by the criminal is incomplete, but that data can be used as a stepping stone to gather additional information. Criminals can use partial information to design a spear-phishing kit designed to gain your trust by citing a piece of personal information as bait. If the target falls victim, they can end up disclosing enough details to complete the information required for the next step by the criminal.
How to check if your identity has been compromised
There are a few ways that you can check to see if your identity has been compromised. If you suspect that you may have been compromised, I would suggest that you first check your recent banking and credit card statements for any transactions you can’t explain, as well as reviewing your credit report. In the credit report you want to look to see if anyone has opened a new credit card or bank account in your name. You will also want to check your accounts to see if anyone has changed your billing address. One indication that someone may have stolen your identity is if you stop receiving your bills or other physical mail at your place of residence.
Other signs of identity fraud can include auto loans for a vehicle you do not own, medical bills for a service you haven’t received, maxed-out benefits, medical records showing a condition you don’t have, IRS notifications of multiple tax return files or a breach notification from a company you haven’t done business with.
What to do once it’s been compromised?
Once you notice or suspect that your identity has been compromised, you should immediately notify your creditors and banks that have been affected. The next step you should take is to place a fraud alert on your credit report. Contact one of the three credit-reporting agencies’ fraud department. This will prevent identity thieves from opening accounts in your name and will protect you from unauthorized charges made by the thieves. One you have reported the fraud to one credit agency, they will have to contact the other two.
Equifax Fraud Department
Experian Fraud Department
TransUnion Fraud Department
Continue to monitor your credit report. Victims of identity theft are normally entitled to a free credit report. I would personally suggest waiting 30 days until requesting an additional report so you can see suspicious activity on your account after placing the alert. When looking at this second report following your compromise, look for personal information that has changed, such as name, date of birth, SSN, address, employer and so on. Look for credit checks or inquiries from companies you didn’t contact, accounts and credit cards you didn’t open or charges on your account you can’t explain. You should also consider putting a freeze on your credit. At the very least you should contact your lenders, bank and insurance company and inform them about the situation. Ask to open new accounts with new personal identification numbers and passwords due to the breach.
You will also need to contact the U.S. Federal Trade Commission (FTC) and file an official report. You will find on the FTC website a number of resources for different types of identity theft and how to report them.
Report the identity theft to: https://www.identitytheft.gov/
File a police report with your local precinct and send a copy of that report to your creditors. They will need this information to investigate fraudulent activity on your report.
If your social security number has been found to be compromised, notify the office of the inspector general at: https://oig.ssa.gov/report-fraud-waste-or-abuse
Additional steps you can take when facing identity theft are creating a new email account and updating all of your profiles with a new username and password. It also might be a good idea to get a new driver’s license depending on the degree of compromise, along with a new phone number.
Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.