Posts

The IDSA shares with the ITRC in the newest Fraudian Slip podcast exploring identity management & the future of identity

  • This week, the Identity Theft Resource Center (ITRC) celebrated Identity Management Day, hosted by the Identity Defined Security Alliance (IDSA). The day raised awareness of the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers.
  • The ITRC sat down with the IDSA to discuss how identity management has changed, the future of identity, how identity crimes are changing and much more.
  • To learn more, listen to this week’s episode of The Fraudian Slip.
  • You can also learn more about the identity-related crimes discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.

Below is a transcript of our podcast with special guest Julie Smith, Executive Director of the Identity Defined Security Alliance

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses. 

This month, April, we’re going to talk about one of the hottest topics in the world of cybersecurity, privacy and identity. Namely, the shift from what we think of as traditional identity theft to what is increasingly more common today – identity-based fraud.

As more organizations analyze their 2020 data and information from the first three months of 2021, there is a common theme. Cybercriminals are less interested in mass attacks seeking to scoop up as much information as possible about consumers. Instead, data thieves are focusing on attacking organizations where they can hold data for ransom, or where an attack against a single company can yield information from all the customers who rely on the breached business.

At the core of many of these attacks are identity credentials, little pieces of information that once upon a time were pretty much limited to your driver’s license, Social Security number and occasionally your mother’s maiden name. Today, identity credentials are everything from your login and password, which is more valuable than your credit card information to a cybercriminal, to the location where you use your smartphone.

The complexity of identity today makes it simultaneously more difficult to protect your identity while also making it easier to prove you are who you say you are.

This week we celebrated Identity Management Day to raise awareness of the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers. Be Identity Smart. 

Identity Defined Security Alliance (IDSA) hosted the day.

We talked with Executive Director of IDSA Julie Smith about the following:

  • The IDSA, its members, and issues
  • How identity management has changed
  • A business’s role in managing and protecting consumer identities; the most important actions to take
  • The future of identity

We also talked with ITRC CEO Eva Velasquez about the following: 

  • How identity crimes are changing
  • Consumer self-management and protection; the most important actions to take
  • The future of identity

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip Podcast.

Contact the ITRC or IDSA

You can learn more about data privacy, cybersecurity, the future of identity and other identity-related issues by visiting the ITRC’s website www.idtheftcenter.org. If you want to learn more about the IDSA and its work, you can visit www.idsalliance.org.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone (888.400.5530), by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

  • Credential theft is when fake webpages are created that look real for the sole purpose of stealing logins and passwords to access legitimate accounts.
  • The top targeted companies for phishing scams from credential theft include PayPal with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook with 7,500 fake pages.
  • To prevent falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, double-check the email address of the sender, and change their password if they believe they used a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. Credential stuffing is a type of cyber attack where stolen credentials, like usernames and passwords, are used to gain access to other accounts that share the same credentials. There is another term not heard as much, but just as prevalent: credential theft.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about creating fake websites that look real for the sole purpose of stealing logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake website login pages that are used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must have credentials. Where do data thieves get the logins and passwords needed to fuel these attacks? The most obvious way is through data breaches everyone has seen over the years, where millions of credentials are stolen in a mass attack. However, there are less obvious ways, too. One of those less obvious ways is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage: fake login pages that look like they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages from more than 200 recognizable brands with a high volume of web traffic.

These fake login pages are used in phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the login page is fake, leading unsuspecting victims to enter their real login and passwords into a fake webpage. That is all it takes for data thieves to have actual credentials from live accounts. They do not even have to buy or steal any data.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek out and shut down these and other kinds of fake webpages, websites, social media accounts and text messages that are used to collect personal information from their legitimate customers and prospects. However, research shows that credential theft is easy for a couple of reasons. The first is that malicious phishing emails that deliver fake login pages can easily bypass cybersecurity tools and spam filters just by making small changes in the email.

Inattentional Blindness

The second reason is inattentional blindness: when something looks so familiar, or causes you to focus so intently, that you don’t see the apparent errors hiding in plain sight. An example of inattentional blindness comes from a study where people were told to watch a video to count the number of people wearing white jerseys as they passed a ball. More than 50 percent of people taking the test missed the fact that one of the players was wearing a gorilla suit.

How Inattentional Blindness Applies to Identity Theft

In credential theft attacks, inattentional blindness translates into an inability to spot the tell-tale signs of a phishing scheme, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, navigate directly to the website or webpage you are trying to reach instead of using a link.

2. If the link arrives in an email, double-check the address of the sender. An email address can be masked to make it look legitimate in the sender line. However, if you click on the sender’s name to see the actual address, you may find the email from mybank.com is actually from bob@scams-r-us. Get into the habit of checking email addresses.

3. If you believe you used a fake login page, change your passwords and alert the security team at the company whose login page has been spoofed as soon as possible. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters. It will take an automated hacker tool 300 years to break that passphrase, and it will be easier to remember.
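The sender check in step 2 can be automated on the mail-filtering side. The following is an added example, not code from the ITRC or IRONSCALES: it compares the name shown in the sender line with the domain of the actual address. The `BRAND_DOMAINS` allowlist, the function names and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Hypothetical allowlist: brand keyword -> domain the brand really mails from.
# Constructed for this example; a real filter maintains its own list.
BRAND_DOMAINS = {"paypal": "paypal.com", "mybank": "mybank.com"}

# Domain-looking tokens inside a display name, e.g. "mybank.com".
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def domain_matches(actual, expected):
    """True if `actual` is `expected` itself or one of its subdomains."""
    return actual == expected or actual.endswith("." + expected)


def sender_mismatch(from_header):
    """Return the reasons a From header looks spoofed (empty list if none)."""
    display, addr = parseaddr(from_header)
    actual = addr.rpartition("@")[2].lower()
    reasons = []
    if "." not in actual:
        reasons.append(f"address domain {actual!r} is not a full domain name")
    # Case 1: the display name itself contains a domain.
    claimed = {d.lower() for d in DOMAIN_RE.findall(display)}
    # Case 2: the display name mentions a brand from the allowlist.
    claimed |= {dom for brand, dom in BRAND_DOMAINS.items()
                if brand in display.lower()}
    for expected in sorted(claimed):
        if not domain_matches(actual, expected):
            reasons.append(
                f"display name implies {expected}, address is at {actual or '?'}")
    return reasons


# Constructed sample headers; the first mirrors the example in step 2.
SAMPLES = [
    '"mybank.com" <bob@scams-r-us>',
    '"mybank.com" <alerts@mail.mybank.com>',
    '"PayPal Support" <service@paypa1-login.example>',
    '"mybank.com" <alerts@mybank.com.login.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_mismatch(header) or "ok")
```

The last sample shows why the comparison is made on the end of the domain: an address at `mybank.com.login.example` contains the brand's domain but does not belong to it.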

notified™

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

