Evolution of Online Identity Theft

Increasing incidences of data breaches have led to more stolen identities on dark net markets. This has driven down the prices of various forms of personal identity online.

Here is how the number of personal breaches has changed over the years.

Number of breached records (US) by year

Advent of the internet has led to more mature, differentiated–between retail and wholesale– marketplaces for stolen goods over the years.

Online identity theft has evolved from aiming to just acquire data to oversupplying markets, leading to market-pages for specialisations in fraud, with stolen identities to retailing overly cheap identities with supplementary services.

First Generation: Internet-based identity theft

In 2002, there were 89,000 reported cases of online identity theft in the US. These were usually committed by individuals, and uncommonly by fraud rings. These individuals monetised thefts themselves as a result of underdeveloped markets and players.

The most sophisticated fraud ring was the Campbell Organisation, a group of fewer than twenty individuals responsible for $3 million in losses and the theft of about 150 identities in Florida.

Identities were primarily used and rarely sold. There was a specific focus on stealing Social Security Numbers (SSNs)3. Thieves would use identities to obtain bank accounts and loans, buy goods, etc.

Second Generation: Internet auctions and large-scale breaches

The second generation of online identity theft was marked by large-scale data breaches, more organisation in the markets and criminal groups, increased segregation between the individuals obtaining the identities and those cashing in on them, and the creation of free markets to auction and retail identities.

There was a continued focus on social security number, with a premium price on newly stolen identities4. Auctions remained popular on the wholesale side and bundles of identities became available for sale on dedicated forums.

In 2000, the largest confirmed breach of social security numbers to-date was by a hacker at the University of Washington Medical Center, who stole 5,000 records5.

Comparatively, in 2017, an Equifax breach resulted in the theft of the social security numbers (and substantially more sensitive personally identifiable information) of 143 million individuals in the United States6.

As the number of records being breached increased, the ability for a single individual or group of individuals to cash out became increasingly difficult, resulting in a differentiation between the individuals stealing the identities and the individuals operationalising fraud schemes based on the stolen identities7.

Third Generation: Specialisation, and value-adding services

Identity theft was now ubiquitous, with 1.077 billion identity records stolen just in the US as of 20188. Technological changes such as Tor (“The onion router”), a private browser for the dark net, and cryptocurrencies altered the risk/benefit ratio of identity fraud.

These technologies provided anonymous access, security, and payment methods. Given the reduced risk, individuals who would otherwise be disinclined to commit identity theft began selling identities.

The stolen identities, colloquially labelled “fullz”, got cheaper– from $10 in 2007 to $0.10 in 20169— and less useable. Below are the various identity elements and how often they are listed in ads.

Identity elements and their proportion of presence in dark net market listings

Sellers and marketplaces also started adding services to enhance their allure. Markets like RSClub and Tochka offered Pretty Good Privacy (PGP) encryptions of all transaction records making transactions private.

A third of sellers offered buyers the ability to select specific credit score ranges for their purchases. ~10% of the sellers advertised the ability to source identities from the demanded states or zip codes.

As stolen identities have gotten cheaper due to over-supply, sellers have adopted technologies and augmented their goods with services to increase the price and their profits.

References:
1. Privacy rights clearinghouse – Data breaches by year, 2017
2. Stearns, 2001
3. Berghel, 2000
4. Newman & Mcnally, 2005
5. Tehan, 2008
6. “Nearly half of US citizens hit by massive Equifax breach,” 2017
7. Steel, 2019
8. “Identity theft resource center,” 2018
9. Symantec

Subscribe to my mailing list to be notified about my posts.

3 comments

  1. Good insight into the topic. The data presented gives the credible evidence of exponentially increasing risk of identity thefts and the need of data security measures in terms of advanced technology deployments. The article should further elaborate on the exact types of value added services being offered by the thieves and also how security measures are catching up against these theft incidents.

Comments are closed.