White Paper

Today’s digital identity crisis

Banks need next-generation KYC to confront the Dark Web’s black market

Introduction

In the digital age, cybercrime has evolved to exploit gaps in enterprise data security and disrupt identity theft in the process. Specifically, economic digitization has spawned a parallel black market on the Dark Web, where criminals transact in bitcoin to anonymously trade stolen data, minting hundreds of billions in annual and often untraceable proceeds for sellers.[1] With cybersecurity firm FireEye exposing hacker syndicate FIN6 as the operator of one Dark Web forum that was soliciting 20 million credit card numbers – the spoils of a single data breach[2] – it seems the ID theft ecosystem has never been more amenable or accessible to the criminal class. In fact, Javelin Strategy & Research’s 2017 Identity Fraud Study said ID theft hit a record high in 2016, victimizing some 15.4 million people, or roughly two million more victims than the previous year.[3] ID theft is generally a precursor to credit card fraud, to which a 2016 Nilson Report newsletter attributed worldwide losses of $21.84 billion in 2016.[4]

What’s more, card issuers such as banks and credit card companies incurred 72 percent, or $15.72 billion, of those losses last year. Assuming constancy in Nilson’s issuer-loss rate, card fraud will siphon a grand total of $88.87 billion out of the global financial system over the next four years. Further, a 2016 credit card fraud survey[5] led by payment research firm Aite found that the confluence of surging data theft and issuers’ shift towards EMV chip card products has reduced counterfeit-card fraud at the point of sale (POS), but caused a massive spike in card-not-present (CNP) fraud. In fact, Javelin’s report pegged the year-over-year growth of CNP fraud theft at 40 percent last year. The Aite study queried 16 of the largest credit and debit card issuers in the U.S. that collectively represent over two-thirds of the nation’s cardholders. By 2020, Aite said that CNP fraud losses will reach a record high of $7.2 billion, punctuating a total CNP loss in the U.S. of $25.9 billion over the next four years.

Beyond standard ID theft, synthetic identity fraud (SIF) schemes, where criminals use stolen data to create fictitious, but bankable, identities, are also hitting lenders hard.[6] ID theft and SIF schemes are increasingly enabling new account fraud (NAF), which can derail money laundering inquiries and is integral to the furtherance of application fraud. The latter entails the use of stolen or synthetic credentials to open fraudulent accounts, which the scammer exploits to build a credit history and then, once the limit is desirable enough, obtain a large personal loan that they will never repay. The Aite report pegged 2015 U.S. loan application fraud losses at $966 million, a theft deficit projected to reach roughly $1.37 billion in 2017 and another $2.1 billion in 2020.

In addition to application fraud, the emergence of NAF-enabled crime complicates anti-money-laundering (AML) investigations by adding more hidden layers to transaction structuring for scammers and criminal organizations. This threat landscape constitutes a digital identity crisis for financial institutions (FIs) and demands industry-wide action to improve outdated know-your-customer (KYC) processes. But if FIs are to safeguard their KYC systems in the golden age of ID theft and Dark Web data trafficking, they must build a new customer authentication model informed by the following three principles: understanding the Dark Web, recognizing the growing threat of SIF schemes, and exploring new regulatory technology solutions (regtech). The following report will create a conceptual framework through which banks and fintech providers can address and resolve the deepening digital identity crisis.

Dark Webnomics 101

Understanding the vast supply-and-demand mechanism of the Dark Web economy is integral to KYC strategy for banks. The Center for Strategic and International Studies pegs the worldwide cost of cybercrime at $445 billion a year.[7] According to the Ponemon Institute’s 2016 Cost of Cybercrime Study, data breaches, cyber-fraud, and related disruptions impact U.S. organizations the hardest, with the average cyberattack generating $17.36 million in costs. Of the 4,149 data breaches and 4.2 billion records exposed in 2016,[8] as reported by cybersecurity firm RiskBased Security, the U.S. comprised 47.5 percent and 68.2 percent of those numbers, respectively.

Based on the monetization model of the Dark Web, it is safe to assume that most of those 3 billion stolen American data records are being trafficked on anonymous “eBay-like marketplaces,” where a stolen identity fetches a median price of $21.35.[9] Consider that the 2013 Yahoo breach, which the company only disclosed last year, resulted in the theft of a record-high one billion user credentials, which were then sold to three parties in $300,000 increments. Just like Amazon® sellers, stolen data buyers then packaged their wholesale purchases into more consumer-friendly bundles, segmenting unit pricing by factors such as credit score, age, and geo-location, and resold Yahoo credentials to other criminals on the Dark Web.[10] Although stolen identity data is a depreciating asset that becomes less valuable with each passing second on the market, new SIF schemes prove that high-volume data theft can still yield enduring dividends for financial criminals.

KYS: Know Your Synthetics

The Wall Street Journal ranked synthetic identities as one of the top three risks facing the banking industry in 2016.[11] In SIF schemes, scammers construct partially or entirely falsified consumer or legal entity data to open new accounts, obtain credit cards, or apply for loans. Beyond the unfathomable deposits of stolen financial and ID data available on the Dark Web, criminals can create fake pay stubs, fake businesses, and fake references to further confound bank customer due diligence (CDD) and KYC filters. In 2014, technology research firm Gartner estimated that SIF schemes accounted for 20 percent of credit charge-offs, where creditors determine that a debt is not going to be paid, and 80 percent of all card-fraud losses.[12]

SIF schemes can also obstruct money laundering inquiries by inventing a web of fictitious account beneficiaries, thus layering multiple firewalls between the scammer or the criminal organization. While there is no official estimate for the total cost of SIF-enabled crime, in 2013, authorities exposed a New Jersey fraud ring that created 7,000 fake IDs to obtain more than 25,000 credit cards, enabling the theft of over $200 million from issuers. Still, FIs should be aware that scammers typically create synthetic IDs in one of the following three ways:

  • Pair a real social security number (SSN) with a fake name
  • Use an “inactive” SSN with a real name (typically belonging to a child or someone who has died) to pass KYC filters
  • Fabricate both the SSN and the name completely

Banks Need Next-Generation KYC

As the Dark Web economy reveals, never in history has data been more valuable, monetizable, or accessible to criminals. As such, banks, fintech companies, and other financial services platforms need a data-driven KYC solution to enhance their customer authentication processes and properly safeguard their organizations. In the midst of a deepening digital identity crisis, financials – which the Ponemon Institute identified as the sector most ravaged by global cyber-enabled crime – need next-generation KYC onboarding.

FIs across the board should partner with a regtech vendor that screens risk by using best-in-class data, with real-time and continuously updating information streams. As criminals increasingly weaponize data to victimize FIs and their account holders, banks and other financial institutions require a solution that repurposes Dark Web ID data batches and inactive SSNs to score risk more accurately. Further, the financial services ecosystem must embrace more progressive local suspicious activity data sharing between institutions, because the most prolific identity and bank frauds cast a wide net and target many lenders. As criminals use the complexity of data to undermine bank customer verification, FIs need to adopt a next-generation KYC strategy, rooted in data sharing, Dark Web risk monitoring, and regtech optimization.

How Thomson Reuters Can Help

Are they actually who they say they are? Be sure with Thomson Reuters CLEAR ID Confirm, the premium electronic identity verification program that allows you to quickly identify and validate customers:

  • Verify initial identity information for accuracy
  • Minimize potential for fraud and meet regulatory requirements
  • Customize matching solutions to meet your needs
  • Manage front-end risk by leveraging the most current and accurate data available to confirm identity

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.