Beware address hijacking

“Why are 25 people from all over the country moving to a vacant lot in Brooklyn?”

Adam Elliott not only asks questions like that, his company, ID Insight, was founded on designing algorithms that can help companies like banks ask such questions, in an automated fashion.

Elliott explains that the sheer volume of data breaches in recent years has stocked the shelves of the “dark web” and other sources of illegally obtained consumer data with a massive supply of raw material.

“The good news is that there are not enough fraudsters to fully consume the data that’s out there,” says Elliott.

How crooks work

The methodology of choice of many fraudsters using such data is the account takeover. Typically financial accounts rely on several means of reaching the account holder, including a physical address, a phone number, and an email address. If, using access obtained via a breach, a criminal can get a bank’s records changed to divert communications from their bank to a false address or phone number, they have a chance to grab the legitimate customer’s assets.

“Address discrepancies are the biggest pain point of any ID verification solution,” Elliott explains, “as it drives so many mismatches and it is where the identity thieves are hiding.” Elliott’s firm relies in part on a system incorporating many sources of legitimate address changes, including those reported to its own customer companies. Scoring of risk of given addresses comes into it—not all reported address changes are necessarily true, obviously.

Even if certain details as Social Security number are used for verification, that may not mean anything, Elliott says. A fraudster who has breached files likely has such data. The data will match what’s on file with credit bureaus and other such sources, but that just means the fraudster has very reliable information at his fingertips.

With such information at hand, criminals can get account addresses changed to an address they control. Likewise an email or phone number.

So, the consumer may not even be receiving account information anymore, with the data going to the criminal’s destination, such as that vacant lot or a house being used as a letter drop.

Such destinations change fairly frequently.

“Fraudsters aren’t living in owned homes, waiting for the postal inspector to show up,” says Elliott. Similarly, they love prepaid phones, since they can be used and ditched before they become a liability for the criminal. Elliott says Google Voice phone numbers can be used anonymously, providing another source of contact for a hijacker.

“Yes, of course I’m me”

Elliott says his firm has seen a large spike in fraudulent phone number changes. He says a very large bank recently called a phone number that had been changed. The intent was verification for a large wire transfer that had been requested. The “customer”—actually, a criminal with enough information to convincingly pose as such—authorized the transaction. All the verification call did was confirm, after the loss, that the criminal had all the right credentials to pose as the customer.

The wealth of illicitly obtained data out there has wrought a change in the account takeover scam, according to Elliott. It has become much more organized, given the vast amount of potential waiting to be exploited.

Elliott’s firm provides nearly 600 financial companies with screening services that rely both on external databases that ID Insight has access to, as well as information shared among client customers through the company. Scoring of information under review helps highlight individual risks, while the view of the vendor’s community of banks helps spot trends where a criminal is trying to pass off the same address or other fake destination on multiple institutions.

“We’re always interested when we are seeing a lot of activity at a single address over a short period of time,” says Elliott.

The change of address, phone number, email address, and such are what Elliott calls “the setup event,” the step that puts the criminal in control.

After that, absent detection, the crook just starts the process to rake in the take, whether it be a funds transfer, obtaining a new credit card with a healthy credit line, or grabbing some other asset in a legitimate customer’s name waiting to be exploited.

Unfortunately, says Elliott, no matter what detection is applied such threats never go away.

“It’s like a balloon,” he says. “You squeeze on one side, it bulges on the other.”