Digital Identity Is an Increasingly Popular Attack Vector for Cybercriminals

by nlqip
April 22, 2024

Introduction

In part one of this two-part series, we define digital identity and explore the attack vectors cybercriminals use at each stage in the identity lifecycle.

Everything that we do as individuals has found its way into the digital world. From communicating with friends to purchasing good or services—even getting an education and managing investments can all be done online today. Consumers wholeheartedly embrace this “digital channel” for the broad reach and convenience it offers.

To provide the right services and maintain appropriate privacy, companies doing business online maintain data about every user in the form of an account. To grant users access to their accounts, proper user identification is a must. However, when you combine the great trail of personal information people voluntarily provide about themselves online with the vast amount of identity data that has been compromised in data breaches, it’s becoming a lot more difficult to identify legitimate users online. Because identities can so easily be stolen and faked, user accounts are put in jeopardy. Even as organizations amplify their defenses, cybercriminals find digital identity and identity fraud too lucrative an attack vector to ignore.

In this article, we look at the different techniques cybercriminals use to commit fraud at different stages in the “identity lifecycle.” But first, we must understand what digital identity is.

What Is Digital Identity?

In the physical world, everyone needs to assert their identity, and trust is established based on something the person is (their physical presence and appearance) combined with something the person has (an identity card, which often includes a photo to validate their identity). Identity in the digital world has some commonalities with the physical world, but user attributes, such as date of birth, age, gender, location, and government-issued identity numbers that are stored in a digital format, also become part of a person’s digital identity. Over time, the activities users perform and the devices they use also contribute to their digital identity. But without a physical document or physical presence to validate identity, the digital world must rely on authentication to validate an identity assertion. This is typically done using a combination of the following factors:

something the user knows (such as a password, passphrase, or PIN)

something the user has (such as a token generator)

something the user is (a biometric factor, such as a fingerprint, voiceprint, or iris scan)

Depending on the confidentiality of data and user tolerance for the inconvenience of the validation process, organizations combine one or more of these factors to enforce identity assertion/authentication. Some factors can be easily faked, so it’s becoming more common to augment these three factors with a contextual factor such as location, time of day, or the device used for a particular transaction. Together, these factors can help detect anomalies and improve the identification process. The sum of these factors that enable organizations to uniquely identify a user constitute digital identity. Usually this association between an account and the required authentication factors is made during the sign-up process for an online service.

How Cybercriminals Weaponize Digital Identity for Fraud Schemes

In the rapidly expanding digital universe, identity is a frequent attack focus for abuse. Fraudsters have figured out ways to carry out different malicious schemes at each stage of the identity life cycle (see Figure 1). In most cases, the end goal is to steal data or procure services intended only for the authorized user. Digital identity has a lifecycle that includes three stages: creation, operation, and dormancy. Let’s look more closely at each stage and some specific identity fraud vectors within each.

Source link
lol

Introduction In part one of this two-part series, we define digital identity and explore the attack vectors cybercriminals use at each stage in the identity lifecycle. Everything that we do as individuals has found its way into the digital world. From communicating with friends to purchasing good or services—even getting an education and managing investments…

Tags: account takeover, ATO, Client, Credential stuffing, Cybercrime, Education, Fraud, Identity Theft, insider threat, Phishing, social engineering

Previous Post

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

April 22, 2024

Next Post

A Vulnerability in Cisco Unity Connection Could Allow for Arbitrary Code Execution

April 22, 2024

Leave a Reply Cancel reply
Your email address will not be published. Required fields are marked *
Comment *
Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

Search
Recent Posts
Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms

How to reduce cyber risk during employee onboarding

Germany seizes 47 crypto exchanges used by ransomware gangs

Police dismantles phone unlocking ring linked to 483,000 victims

Ahead Adds Former Google Cloud VP To Board To ‘Fuel’ AI, Hybrid Cloud

Recent Comments
No comments to show.