Three Lessons from an ID Theft Kingpin’s Fraud Factory

September 30, 2020

Brian Krebs recently posted “Confessions of an ID Theft Kingpin,” recounting the cybercrime career of Hieu Minh Ngo, who began dabbling in online fraud as a teenager in his native Vietnam before operating a series of online services popular with worldwide identity thieves looking to get their hands on “fullz,” or stolen identity records containing more than just login credentials or credit card numbers. Instead, fullz contain an individual’s name, date of birth, Social Security number, e-mail and physical addresses.

The story is remarkable (read the two-part series here and here). Krebs does an impressive job combining compelling plot lines, from how Ngo first started down a criminal path and the FBI’s years-long efforts to arrest him, to his conviction in the U.S. and public remarks today following his release from prison warning people to avoid the cybercrime underground. The narrative offers a rare window on the lucrative, nearly invisible brokers and supply chains affording criminals the pieces of information necessary for pulling off costly impersonations and account takeovers.

Reading this storyline during 2020’s unprecedented months of remote work and COVID-19 business disruptions, I took away three important lessons. These resonate in our stress-tested days, if we are to meaningfully curb cybercrime threatening our growing reliance on essentials like mobile devices, fintech apps and services and cloud-native business applications.

1.) Trusting online identities is a three-dimensional problem – much bigger than “passwords.” In cybersecurity conversations, we can hyper-focus on specific root-cause exploits and overlook the bigger contributing picture. Take password security, for example. There is an entire economy of password management tools and reinforcing research reminding us too many people reuse passwords and that even unique, “good” passwords are chronically sold in bulk on criminal forums. These are important messages to be sure, but Krebs’ reporting on the devastating power of “fullz” shows even unattainable, perfect password security cannot eliminate fraud.

If you are armed with a credit agency-grade dossier of someone’s entire life history, as Hieu Minh Ngo helped furnish to criminals, you have an overwhelming amount of valid details to use in a social-engineering attack on a bank or retailer’s call center. The answers to a victim’s challenge questions for resetting a password are right there in your hands. If establishing UserIDs is one dimension of identity and fighting password abuse is the second, the third dimension is realizing attackers will always find a way to clone or steal anything that can be cleanly duplicated. So the last line of defense must be composed of things malware or a polished phone scam cannot duplicate – the innate, unique behavioral patterns of typing, swiping and device handling we all have. This is how BehavioSec verifies and protects human digital identities by understanding how we uniquely type and swipe across our ever-changing devices, intercepting fraud even when attempted with valid credentials.

2.) Economies of scale drive risk – and efficiency – in commerce and communications. As consumers, we can take interoperability for granted when we quickly shop, order groceries or pay bills on our smartphones between remote working days’ endless home tasks and video calls. Yet many of these convenience and lifeline benefits are only possible because of things like APIs, single sign-on through Apple, Google or other platforms and more apps letting us link accounts to make user experiences more seamless and intuitive.

However, fraud keeps pace in the interoperability race too by exploiting fewer walls between accounts and services. On the provider side, Krebs notes that one of Ngo’s unauthorized persistent connections at a data broker became a criminal gold mine when that broker was acquired by credit agency giant Experian, which inherited Ngo’s foothold. Similarly, a compromise at any one of our favorite apps can cascade into a far-reaching breach, depending how effectively brands and developers police their APIs and encrypt data.

As COVID-19 accelerates more businesses’ digital transformation paths out of brutal necessity, it is imperative to revisit the balance of security and user experience (UX), where zero-trust strategies can minimize problems from favoring one over the other. Zero-trust is another perfect use case for behavior-based anti-fraud and authentication.

3.) Mobile exposes outdated security traditions and assumptions – particularly during a pandemic.

Fraud loves disruption and change – 2020’s signature themes. Companies are shuttering offices indefinitely. Employees fail-over to a multitude of home networks and devices, plus myriad apps for video calls, file-sharing and collaboration. Corporate IT HelpDesks are swamped with remote troubleshooting and deprived of visibility and control from security tools focused on what happens between corporate walls. At the same time, we have seen federal stimulus programs trigger fraud schemes and more livelihoods rely on mobile apps for payroll, loan disbursement and resilience – in the face of elevated attacks on those platforms.

Together, this is the perfect backdrop for phishing attacks and fraud schemes pleading someone to help them “access an account on a new device,” “get a file from the finance team in time for a last-minute meeting” or make an “urgent payment” at the “CFO’s” behest. Mobile devices help us do more, faster but at the risk of slipping into a trap when we’re multi-tasking and reply or install things too quickly. This is why low-tech business e-mail compromise (BEC) scams rake in billions of dollars.

Brian Krebs and Hieu Minh Ngo remind us that while the motives, means and opportunities for Internet-scale identity theft are relentless, countries, businesses and consumers fighting through COVID-19 do not need to cede any ground. Reorienting to stronger identity and zero-trust strategies for the mobile transformation that will keep booming after the pandemic lifts is the surest way to counter criminals and upend attacker economics for a change.