October 31, 2022

Who's Afraid of Digital Ghosts? Synthetic Fraud and the Identity Crisis

Future Insights 2023 Series—Part 1
Audra Simons

Welcome to the first post from Forcepoint's 2023 Future Insights series, which offers insights and predictions on cybersecurity that may become pressing concerns in 2023.

The following post from Audra Simons, Senior Director of Global Products, G2CI, kicks off this year's Future Insights series:

The world is becoming increasingly digital, and the metaverse is perhaps the most visible example of this digitization. But is an online identity crisis beginning to emerge?

Your Customer Might Not Exist

The more we shop, talk, browse, or bank online, the fewer chances there are to verify someone’s identity in person. Some might point to the fact that you need a credit card, or a passport, or some type of genuine, government-provided identification to take part in all of this.

However, synthetic identity fraudsters are already rampant in the financial sector. They “blend” identities, cobbling them together from fragments of identifying information that are picked up from stolen identity data. Businesses stand to shoulder the cost of an estimated $2.43 billion in fraud in 2023 because of it, according to the Aite Group.

These identity ghosts are more ghoulish than friendly, using a combination of real and fake personal information to craft virtual identities. In lieu of a brute-force style crime, these digital thieves use stolen information to begin building a credit rating for a person who doesn’t exist.

Before long, the trail of records they’ve left behind – applications for credit or loans, online purchases, and other activities – begins to precede any real identity. From there, they’re able to take out loans and capitalize on high credit limits with no intention of paying them back.


Tying Digital Identity to Services

If synthetic identity fraud is already an issue, then why is it a cause for future concern?

We’ve already seen content tied to identity come under fire in recent years, with anywhere from 5 to 15 percent of Twitter users found to be bots and not real people. These are synthetic identities with a malicious agenda: shape the conversation of the digital town square to sway public opinion.

And as more government services move online, such as access to social assistance or tax services, the desire to shift everything to the web grows.

The United Kingdom attempted to roll out a digital identity assurance platform named GOV.UK Verify.

Its goal was simple: verify your identity through one of a small number of trusted financial institutions with partners Digidentity and the Post Office, and gain access to public services online.

Verify has since fallen out of the public conversation and the Post Office doesn’t even accept new customers anymore. But the urge to create a digital identity platform is still there: the UK government recently revealed plans to reinvent the program.

It’s not inconceivable to think that in the future, some form of a “Verify” would extend to most of the content we engage with online: from banking to social media to shopping for groceries, our digital identity might be accessible across the web.

It’s not too far off from the theory of blockchain.

But one trait that blockchain has, which isn’t immediately visible in a Verify-style program, is the immutability or dependability of information. The level of trust that would have to be extended to these digital identities would need to be infallible.

That’s difficult to do when we already know that the companies entrusted with verifying identities are victims of synthetic identity fraud on a massive scale.


Securing the Future of Identity

Despite the trouble it’s having, the financial sector’s interconnectedness with digital identity will only grow over time.

With bankers, lenders, and creditors seemingly set to become the standard bearers for digital identity, one very important question arises: are these companies secure enough to store all that information?

These institutions will need to collect passports, legal documents, financial statements, and other sensitive documents at a nationwide level to verify identities. That means millions of documents flooding into these businesses from applicants – any of which could contain embedded malware.

To do this, these businesses need to keep themselves secure throughout the online document collection process. This is where Zero Trust Content Disarm and Reconstruction (CDR) is invaluable.

Zero Trust CDR assumes nothing can be trusted. Rather than trying to detect malware, it extracts the valid business information, verifies that it is correctly structured, and then builds new, fully functional files, all within seconds.
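
The extract, verify, and rebuild flow described above can be sketched for a single upload format. This is an added illustration, not Forcepoint's implementation: it handles only 8-bit, non-interlaced PNG images, and `rebuild_png`, `MAX_DIM`, and the sample upload are assumptions made for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}  # colour type -> samples per pixel (no palette)
MAX_DIM = 10_000                     # assumed upload policy limit, in pixels

def chunk(ctype: bytes, data: bytes) -> bytes:  # length + type + data + fresh CRC
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def rebuild_png(untrusted: bytes) -> bytes:
    """Extract pixels from an 8-bit, non-interlaced PNG and emit a brand-new file."""
    if not untrusted.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, ihdr, idat, ended = len(PNG_SIG), None, b"", False
    while not ended:
        # A short header is zero-padded here and then fails the length check below.
        length, ctype = struct.unpack(">I4s", untrusted[pos:pos + 8].ljust(8, b"\0"))
        body = untrusted[pos + 8:pos + 12 + length]        # chunk data + CRC
        if len(body) != length + 4:
            raise ValueError("truncated chunk")
        data, (crc,) = body[:-4], struct.unpack(">I", body[-4:])
        if crc != zlib.crc32(ctype + data):
            raise ValueError("bad chunk CRC")
        if ctype == b"IHDR" and ihdr is None:
            ihdr = data
        elif ctype == b"IDAT":
            idat += data
        ended = ctype == b"IEND"    # bytes after IEND are never read
        pos += 12 + length          # every other chunk type is dropped
    if ihdr is None or len(ihdr) != 13:
        raise ValueError("missing or malformed IHDR")
    width, height, depth, colour, comp, filt, lace = struct.unpack(">IIBBBBB", ihdr)
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM and depth == 8
            and colour in CHANNELS and (comp, filt, lace) == (0, 0, 0)):
        raise ValueError("unsupported or out-of-policy PNG")
    stride = 1 + width * CHANNELS[colour]                  # filter byte + samples per row
    inflater = zlib.decompressobj()
    raw = inflater.decompress(idat, height * stride + 1)   # output cap stops zip bombs
    if len(raw) != height * stride or not inflater.eof:
        raise ValueError("pixel data does not match header")
    clean_ihdr = struct.pack(">IIBBBBB", width, height, 8, colour, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", clean_ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def constructed_upload() -> bytes:
    """Constructed sample: 2x2 RGB image with a tEXt chunk and bytes appended after IEND."""
    rows = b"\x00" + b"\xff\x00\x00" * 2 + b"\x00" + b"\x00\x00\xff" * 2
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00active content")
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"") + b"APPENDED-PAYLOAD")
```

Nothing from the uploaded file is copied through as-is: only the validated dimensions and pixel rows reach the output, so the metadata chunk and the appended bytes in the sample never appear in the rebuilt image.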

The tool is useful for an industry that must constantly evaluate documents submitted by users. Where a loan is handled through a website, organizations are also using Remote Browser Isolation (RBI) to limit potential malicious attacks. RBI enables users to browse and interact with the web safely, neutralizing online threats by hosting users' web browsing sessions on a remote server instead of on the user's endpoint device. This separates the web content from the user's device and reduces its attack surface.

Stamping out synthetic identity fraud will be a difficult challenge that will take years to resolve. While Zero Trust CDR and RBI do not stop synthetic identity fraud, they do alleviate security concerns for an industry that might soon contain every piece of sensitive information about you – if they don’t already.

We can’t yet fully verify that an online entity’s information is real. However, the very least we can do is verify that the data collected on an identity is safe.
