Gone are the days when a user is defined solely by a username and password. In today’s online world where everything is tracked, safeguarding your digital identity is crucial both for individuals and for businesses. Solutions already exist to help safeguard digital identities, but the threat of identity theft is increasing steadily and it’s uncertain who is going to win the battle. To gain a deeper understanding of what’s happening and what’s at stake in this matter, I recently had a talk with Ariel Ainhoren, the head of research at IntSights, a company that focuses on discovering new cyber-trends, threats, hacker strategies, and vulnerabilities.
Understanding digital identities
I began our conversation by asking Ariel to explain exactly what is meant nowadays by the term digital identity. “Digital identities are the sum of a user’s activity on the web,” he replied. “Each interaction users have with online systems leaves digital bread crumbs that, when added up, creates a precise profile. A digital identity comprises sites a user frequents, activity hours, devices used to connect to the internet, and a multitude of other data points.”
I remarked that the gathering of such metadata must naturally pose some kind of threat that must be countered. Ariel agreed, saying, “Attacks like credential stuffing, password spraying, and account takeovers all originate from huge databases of username/password combinations that hackers obtain. As online fraud and hacking became prevalent, more and more companies add security measures to their sites to counter hackers’ abilities to carry out large-scale attacks. Advanced security systems verify users’ digital identities each time they attempt to log in.”
But while such gathered information can pose a threat to customers, it also poses an opportunity for businesses. “For businesses,” Ariel says, “monitoring their customers’ behavior is a top priority because the metadata collected by consumer digital behavior helps them to make business decisions, tailor offers for customers, or even profit by selling it to third parties. Tracking user behavior also enables businesses to secure their sites and services by identifying their users according to their digital identities.”
The market for digital identities
Whenever something can be stolen it can also be repackaged and sold, sometimes for a much greater profit than the original value of the asset. Ariel agrees that this description also fits the way stolen digital identities are marketed in secret places online. “Today, hackers can log in to digital identities markets and buy a complete user identity that enables them to impersonate victims and access any system that the victim can access,” Ariel says. “The market identifies sites of interest as social media, banking, e-commerce, transportation, government or any other sites that may store potentially lucrative information. Advanced offerings give hackers remote access to a user’s computer so they can further compromise the user’s computer. They can filter results according to country of origin, the presence of banking or credits details, bitcoin wallets, or the price of the identity, as wealthier profiles mean greater prices.”
But isn’t this just another form of fraud we need to guard against? “Although these markets are, at heart, an advanced form of fraud,” Ariel says, “they allow for much deeper invasion into a victim’s privacy. They also give every hacker, technically inclined or not, access to thousands of computers and digital livelihoods. I believe we will keep seeing these markets grow and evolve, offering more features and options according to the different demands of their customers.”
How digital identities are stolen
To protect an asset against theft you need to know something about the various ways the asset can be stolen, and the same applies in the realm of digital identities. “Stealing a digital identity,” says Ariel, “means mimicking the digital data points that sites check to such an extent that they are indistinguishable with the real user. This usually involves a malware infection to a computer or a smartphone. These infections can come from multiple avenues of attack: phishing attacks, malicious apps, illegal downloads, or algorithms that search for unpatched and vulnerable systems.”
The consequences of such theft of digital identities can be severe. “Individuals will surely suffer financial loss, be it through hacked bank accounts, credit card charges, or compromised e-commerce accounts. But their privacy can also be severely compromised, as hackers can gain access to their personal details. The risk for businesses is also severe, as many businesses have remote access systems for employees. Compromising an employee account can give hackers a foothold inside the corporate network with no indication that someone other than the real user is accessing their systems.” When I remarked that this sounded a lot like what has been happening recently in ransomware attacks, Ariel agreed: “This definitely correlates with recent targeted ransomware attacks, in which organizations are being specifically targeted by hackers for extortion purposes. A stolen digital identity could be a first step in gaining access to a network to facilitate this type of attack.”
Ways of protecting your business
When I asked Ariel how an individual or a business can protect their digital identity so it doesn’t get compromised and misused, he offered some suggestions. “For businesses, I would suggest using threat intelligence services to monitor these markets for any compromised accounts that have access to the company. Enabling multifactor authentication wherever possible will also help to mitigate some of the risks. If an organization already employs a fraud detection system on their site, adding additional data points will make the hackers work hard to keep up with improvements. Also, adding additional security questions that only the user will know how to answer can help combat this type of compromise.
“For individuals, my recommendations are to keep your devices updated with the latest security patches, beware of unfamiliar apps or apps from informal markets, avoid illegal software downloads, and mostly stay vigilant and monitor your accounts for any malicious activity that can indicate your devices are compromised. Clearing your browser cookies and avoiding keeping your login credentials in the browser can also mitigate a big portion of the risk.” All of these are good practices that anyone who is concerned with safeguarding their digital identity should make it a habit of performing regularly and consistently.
When I asked Ariel if he had any last words on the subject he ended with this ominous warning: “One point I want to stress is that while these markets are mainly used for fraud, they can also be used as frightening intelligence tools as well. For example, A pedophile can target kids’ accounts by going after a user that accesses known gaming sites. Governments could use these tools for corporate espionage or intelligence operations. This trend of granular access to victims’ computers and identities will keep expanding if left unchecked.”
And when I look at what’s been happening lately in this area, I wonder whether the trend of businesses relying on and trading upon digital identities may have grown so strong that it can no longer be brought under control.
It’s a brave new world, baby, isn’t it?
Featured image: Shutterstock