Hey everyone, and welcome to Identity Crisis: The Mad Rise of Online Account Opening Fraud. My name is Uri, and I'm chief cyber officer and co-founder at BioCatch.

We are at an identity crisis point. If you were asking credit card companies and banks a few years ago about account opening fraud, they would say, "Yeah, it's kind of a minor inconvenience." That's not their reaction nowadays. It's getting to be a tidal wave.

This is from Gartner a few years ago. You can see things like account takeover fraud, payment fraud. These are the main areas of concern for a recent security management. But there's one thing that tops all of these concerns, and that's new account synthetic or stolen identity fraud. So it is becoming the number one concern we've got in fraud in financial institutions.

Another interesting trend is to see what sort of information financial criminals are stealing these days. It used to be credit card information that was the top priority for financial cyber criminals. But now the number one data element is social security number, which is an identity element, and in fact identity is becoming a commodity. It's traded in the dark web, and every American citizen's records have already been stolen several times over. If we look at this list, for example, it shows all sorts of data breaches. Many of those are related to identity, specifically if we talk about the big credit reference agencies, the big credit bureaus, data aggregators that have been hacked over the years, and this fuels this economy of account opening fraud.

Now the industry is fighting back, realizing that, you know, good old KYC, know your customer, is basically dead, and long live next-generation data. So it used to be about what you know, and matching all of the information about the user, you know, looking at the data that the user provides and seeing that it all stacks and it's what the records show.
But now we have additional data to look at: for example, what you have, which is the user resources; what you do, which is your digital footprint; and what you are, user behavior, that's behavioral biometrics.

So a couple of examples for each of those categories. Again, historically, this would be KYC data: residence, license information, credit history information. Those types of data points are already in the wrong hands, and when someone, a cyber criminal, is doing account opening fraud, they have access to all of this. So therefore a lot of financial institutions and other related industries have started to tap additional lines of defense, starting with the device. This has been something that the industry started to adopt about 10 years ago, 15 years ago. What sort of device are you coming from? What's the reputation of that device? Information about your location, information about your phone and phone line. And more recently, what are you doing? So what's your digital footprint, any kind of social media reputation that you have, email reputation, open source analysis on your identity. And more recently we have behavioral biometrics.

These are different types of analysis. For example, if you're opening an account, you should be familiar with the data that you're providing. It's your own personal information. You should not be familiar with the process of account opening because, hey, you just open an account. A criminal is going to be the opposite. They're going to be very familiar with the process but not familiar with the data, and that's the sort of analysis that behavioral biometrics is now providing.

So, behavioral biometrics: you kind of heard about behavioral biometrics before, but more in the context of profiling. So the idea of behavioral biometrics when it actually started was to create a profile of a regular user behavior and then watch for anomaly. This is a classic example.
You see someone that logs in and then interacts with their online banking application. What you see on the screen is the person's mouse motion. You know, these are several sessions, several pages, but the mouse motion is basically the same. So that's how you create a profile of the regular user behavior. You can use keyboard analysis, you can analyze mouse motion. If the user is operating on a mobile device, you're going to look at accelerometer, gyro and touch data. The idea is to create a baseline and then watch for anomalies.

Like in this specific case: this account was compromised. The user provided the credentials to a criminal, and now the criminal is accessing the account. You're going to see a very different type of behavior. So now it's not the same mouse motion, there's a strange bump in the center of the motion, and essentially this is a way for the financial institution, for example, to say, "Hey, we do see an anomaly based on the profile, based on the baseline that was created."

Another use of behavioral biometrics is to look for threats, for example remote access. This is a mobile device; the user is interacting on a mobile device. You can see these swipe motions. These are not going to be straight lines. Even if you think that you move in a straight line on your mobile device, here you actually have a small arc. Then you see the taps. Now the taps are surrounded, you know, the dot is surrounded by a blue circle. That's your finger pressing on the actual touch screen. That's a normal situation for this account.

And now this account was compromised with a help desk scam. "Hey, we're the help desk. There's something wrong with your account, your bank account, your mobile device," something like that. "We're here, you know, to help you. You just have to install something allowing us remote assistance." People fall for that and then install some sort of remote assistance tool, or maybe like a rogue application, and then the attacker has remote access on their device.
This does not look the same. Typically the attacker is going to control that device using a mouse and keyboard, and essentially you're going to see these long lines. That's mouse motion, not someone actually physically scrolling up and down on the device. And on the dots, you don't see the blue circle around them, because no one's actually touching the screen. It's all, you know, mouse clicks. Beyond that, because of the remote access, there's gonna be some latency. The latency creates some disruptions to hand-eye coordination, and if you have the right system, you can actually spot that and say, "Okay, we now know that this mobile device is being remotely controlled," right?

Now if we talk about account opening though, what's the use of behavioral biometrics? You cannot really profile anyone. They're just establishing the account, right? But if you actually look at the way criminals behave, you can now analyze second by second what they're doing.

We're gonna start with a very interesting case from one of the top five credit card issuers in the US. They basically give you a credit card online within 30 seconds. You go to the website, you select the credit card, you click "apply now," and then you start filling this online form, providing, you know, your name, email address, date of birth, mobile phone number, address, social security number and other data points. Essentially, that's what regular users will go through, but also what criminals will go through.

So let's actually look at a specific application. The session timeline here: every vertical bar is an interaction, like the user typed something or interacted with the form. It took one minute and 34 seconds to complete that, and the interesting thing is that the first name was pasted three seconds into the session. That's actually pretty incriminating. You know, why are you pasting your first name? You're supposed to be familiar with it.
And the other thing is, how come it's so fast? There's actually a video that will show us how fast it was. So three seconds into the session, already we see Control-V. It's not autofill, by the way. Someone actually was ready before the application form started, and went to the application flow and then used Control-V to paste something. That's criminal behavior. Another thing that was pasted was the social security number. The date of birth was also pasted. You know, all of these suggest that whoever is doing this is not really familiar with, you know, the personal information, but they're also quite familiar with the process, right? Three seconds and they're beginning to interact.

If we look at deposit fraud, that's another interesting trend. So we talked about credit card account opening. Of course a criminal will be interested in that, to just get a credit card or a loan or some sort of instant credit. But also deposit fraud is another lucrative type of business, because what you do there is you open a new account and then you move money from a compromised account that you have.

So let's say that you have money in an account that you have compromised in bank A. You open an account in bank B and say, "Hey, I'm the user, I want to open an account. I want to deposit something from bank A." Typically bank B will send some small transaction to bank A to prove, you know, that, you know, once you provide that specific amount, to prove that you own that account. You access that account and you can provide that information. And of course they're gonna do all of the regular KYC checks, but of course if you own that account, if you actually not own but control that account, you can provide all of that KYC information, because you have access to the identity information and you also control the account in bank A. You can just open an account in bank B and move all of the money from account A to account B. Thing is that bank B is now responsible for the fraud loss.
Let's call it deposit fraud, and let's actually see someone opening an account. They're pasting a lot of information. In this case they're pasting the routing code, the account number, user ID, password when they do the actual, you know, payment. And then the interesting thing here is, you know, all of this is happening quite fast, and what you can see is they completed the funding now. They completed opening the account.

And look at the analysis showing genuine users versus criminals. About 2% of online account opening sessions will have this behavior where we see a paste from a different application. So essentially an alt-tab to a different tab and then paste the information from that tab. That's 2% of the users. For criminals, it's 25%. Now, this is pretty, you know, significant, so it's quite informative seeing that. At the same time, we also understand that you cannot really incriminate 2% of the population, or, you know, we need more information, because 25% is not gonna be a good detection rate if you want to detect those sort of fraud cases. So in any case, that's like, you know, one type of analysis. Obviously, you need much more than that. But deposit fraud is another type of account opening fraud that is kind of rocketing these days.

So we talked about, you know, pasting information. We talked about, you know, typing information. Now, let's look at the difference between good users and bad users. Criminals are gonna type off a list. So if they choose not to, you know, populate the field automatically with some sort of bot, or to use pasting, which, you know, you've seen that it's only 25% of the cases, they will typically type off a list. They have a list of victims. Thing is that short-term memory is limited to just seven characters or items. So think about someone typing a social security number that does not belong to them. It will be very mechanical, right?
So we see someone typing, you know, the social security number. It takes them quite, you know, like nine seconds to complete the SSN. Typically it's gonna be something like four seconds for an SSN. And date of birth, it's like, you know, two digits. I'm looking at the list. I'm going back. Okay, another two digits. Okay, I know the year, it's gonna be 19-something. Okay, what's the number? Again, going to the list, going back. This is a very mechanical process. Typing off a list is something that you can also understand criminals do. They want to be efficient. They have a list. But essentially, that's the way for them to, you know, show the fact that they are not familiar with that information. It's not top of their mind. As opposed to something that we're gonna see right now.

Sometimes the know-your-customer checks actually conflict with the next-generation analysis. There was a specific case with one of the big card companies that essentially said, "Hey, we're gonna decline an application because it's definitely fraud," you know, 96% chance of something being fraud. But when we looked at the data, it was interesting. The session timeline, again, is all of the activities that the user is doing, and what you can see is that the social security number is typed continuously. And by the way, behavioral biometrics is not interested in the data itself. You're gonna see it's all, you know, one, one, ones. When we actually look at it again, the typing is quite confident. You know, you don't see the same thing like typing off a list. Certainly, you don't see any pasting.
It's not autofill. Whoever is typing this information is quite familiar with the social security number, suggesting it's their own social security number. Long-term memory is a very strong inheritance field.

The other interesting thing here: look at the timeline. There's a 58-second pause. Why? Because in this specific case, it's a hotel credit card. So in order to open the account, you need to provide your hotel loyalty number. You probably have some hotel loyalty numbers, but no one remembers them, and it takes you a minute or two to fetch them, maybe from your inbox or something like that. Maybe it's in your wallet. So about one minute is the norm, and we do see that this user also, you know, paused for about one minute to fetch that number and then continued with the application. This is a very, very positive sign, right? This person behaves like everyone else.

Criminals are not gonna bother with waiting for one minute, because they need this information. They have this information. It's all ready for them. It's gonna be right along, you know, the name, date of birth and social security number, because they need it to open the account. Whereas, you know, real users: there's gonna be some type of information that you're gonna be very familiar with, it's etched in your long-term memory, but other types of information you have to research, you have to fetch. And that's essentially analyzing the way a genuine user will behave.

So what do we have here? We have here kind of a conflict, because the analysis suggests, the next-generation analysis suggests, that it's a good user, right? Familiar with the social security number, behaves like everyone else. But the card company said, "Hey, that's bad." We were actually curious about that. We asked the credit card company, "Hey guys, what do you know? Why do you think this is gonna be a fraudulent application?"
He said, "Well, we like you very much, guys, but it has to be fraud because the guy is dead. He's been dead for 10 years. You know, we checked the social security number. It belongs to a dead person."

Well, that was bad. I mean, we were so sure that this is, you know, an actual genuine person. And, you know, we asked the issuer, "Can you actually call the user, you know, to try to find out what went on here? Because, you know, it looks so real, like it's a real genuine person." They said, "They're dead. We're not gonna call them." We had a bit of an argument and eventually they caved in and said, "Okay, we're gonna call them. Let's see what happens."

So the fraud operations team now calls the user. It was a miracle. He picked up the phone. He was not dead. Ended up that he had a typo in the social security number. He just had a mistake. Let's see it again. You know, typed very confidently, but with a typo that the user did not realize. This actually matched to a totally different person. The name was wrong. The social security was belonging to someone that died.

So sometimes the data is going to suggest that this is a bad application. But some of the next-generation analysis doesn't really care about the data.
It cares about the way you behave. It cares about, you know, your device, your, you know, other elements, and therefore sometimes it's more trustworthy than actually, you know, looking at the data itself.

Let's move to synthetic identity and see that it is a very interesting new problem in the US. Relatively new: it has been around for over a decade, but it's becoming more and more of a problem. This is from ID Analytics, and what you can see is, you know, social security belonging to, you know, one identity; a name is invented or, you know, belonging to a different identity; date of birth, etc., etc. It's like combining a kind of, you know, sort of digital identity that does not really belong to any specific person, because it's a mash-up of various identities.

Now then, what do they do with this identity? Because that identity obviously cannot open a credit card, right? They don't have any kind of credit history. No one is gonna give them a loan. So the idea is to create a synthetic identity and then, through some collusion with rogue lenders, begin to apply for loans and then build credit history by returning the loan. So it's reported as a positive thing. Another trick is to attach this identity to someone who has a perfect FICO score, like a credit card account holder, as a secondary user in that account.
That's another thing that you can do to essentially get the tenure of a good user. So whether you focus on building a credit history or just, you know, a very good tenure, the idea is to create this identity and then, you know, create a credit history and, you know, good credit for that person, who does not exist, of course, and then launch your attack. You know, you just go to a credit card company, you open a credit card account, you maybe apply for a loan, a mortgage even, etc.

One in four synthetic identities are actually using children's social security numbers, and the, you know, trafficking in children's social security numbers in the dark web has increased dramatically. A lot of these are coming from healthcare breaches. So that's a very interesting trend, and of course not something that we want to see, you know, in the industry.

The reaction of the industry was to start suspecting lots of people. So let's actually see one example. We see someone who is 31 years old, no driver's license, very thin credit history, and the social security was issued recently, just a few years ago. Obviously highly suspicious. They were asked to provide, you know, government records, tax records, and then they never submitted the records. So the transaction was canceled. The application was canceled.

Let's see the way they apply. This is from an iPhone, so they're applying via an iPhone. They're providing right now their email. They're providing date of birth. They had a typo in the date of birth, so they corrected it and just continued. Well, it's all natural and very confident. This is the phone number. A little pause before annual income. They kind of thought about it, and then they provided the annual income and then went to type the social security, and again, you can see it's all very natural. No pauses. This is not someone typing off the list. Not someone pasting information.
They're familiar with all of the personal data fields. Another interesting thing is they also looked at the rates and fees for 90 seconds before even starting the application. Now if you kind of look at all of these together, this is not going to be a synthetic identity. This may be a suspect, but it looks like a genuine person, and when the credit issuer, you know, that had this level of analysis, investigated further, what they found was it's an immigrant. It kind of explains everything, you know, the SSN and the thin file. This is someone who works for a big tech firm in the San Francisco area. They're actually a great candidate, a great acquisition target. So, you know, blaming them and pointing the finger and saying, "Hey, you're probably some sort of a synthetic identity, you have to prove yourself," that was something that almost killed that specific application. Of course, that's not what banks and issuers would like to do.

Let's see the opposite now. Let's see someone who is too familiar with the process. You know, before, we saw someone that was not familiar, went to see the terms and conditions and stuff like that. But this is someone who is too familiar. Income source, right? When you click on the income source when you open an account, there's this window that says, okay: employed, retired, self-employed, unemployed, military, etc. It takes you maybe like four seconds, five seconds to read through and say, "Okay, well, I'm employed, so let's click employed." And then if we look at a specific cyber gang, again, that was attacking one of the banks, it was less than a second. I mean, they knew what's going to happen. They have been there before. They are opening, you know, lots of accounts. So they're not stuck on this screen. They know what to select. It takes them less than a second to select something and then proceed. This is someone too familiar with the process.
So if you think about all of the criminals, I mean, they have the data. They're attacking the same target, you know, again and again, because they know the specific controls in that specific target. They know they're not going to be caught. So therefore they're going to be very familiar with the process. They're not going to be familiar with the data. And that's essentially what we see here.

Another interesting trend is looking at the age of the user reflected in their behavior, and this is another fascinating example. This specific user applying for a credit card was born in 1918. You kind of remember the year, right, because World War I ended, and also the Spanish flu, that was also 1918. Let's say someone who is over 100 years old applying for a credit card. So: extremely rapid mouse motion, extensive use of tab and mouse wheel. You know, this is not typical for someone who is over 100 years old. Of course, it's all around statistics and probabilities, but it's highly unlikely that this person is, you know, such an elderly citizen. The bottom line is that when you look at criminals, a lot of the behavior that they will display is not going to be in line with genuine users, the claimed age of the user or the known age of the user, etc.

Another interesting thing is the fact that sometimes, even without seeing any of the data, you do know that something is wrong. And this is called the curious case of the straw company. Let me explain. This is a straw company. The name of the company we kind of changed, it's not "The Last Straw," but... And it's a company based in San Diego. It provides quality paper straws. As you know, in California, you know, it's the law: you have to provide your customers with paper straws. And so people can buy those packs. If you're a restaurant, you buy a crate, you know, full of straws. There was a sizable order of 62 crates, 740,000 straws, costing $15,000, plus $10,000 for urgent shipping to Tuvalu. What's Tuvalu?
Welcome to Tuvalu. It's an island in the Pacific Ocean, 11,000 people. They don't need that many straws. So this is all curious. However, in this specific case, even without knowing any of this data, you know, not the fact that it's a straw company, you know, selling straws, not the fact that it's a very big order, the number of straws, the payment for the straws, the, you know, $10,000 for the urgent shipping, you know, the location in the middle of the Pacific Ocean; without seeing any of this data, you could know that this is fraud simply based on the way the information was provided.

And again, let's see a quick video. This is someone pasting the credit card number and the CVV2, typing the expiration, and pasting the postal code. Think about your postal code. Did you ever paste your postal code? It's easier to type your postal code, you know, your zip code, than to type it... you know, easier to type it than to paste it. You know, people don't paste the zip code. In fact, when you look at the statistics, it's about 99.9 percent of the users, they never paste the zip code. This is, by the way, one small fact, but there are, you know, dozens of features, you know, around each of those fields. Another interesting thing about zip code is how fast you begin typing your zip code, because you're familiar with it. You have some muscle memory that immediately starts, and, you know, going into action and almost like automatically typing your zip code if you go through some sort of online form. Bottom line is this person is not familiar with their own zip code.

Now, this was a curious case, because you can say, okay, fine, we shouldn't trust this transaction. You know, it looks very, very suspicious. But why would a fraudster go through all of the trouble of buying 62 crates, okay, all of these straws, and ship them urgently to Tuvalu? What's the point? What are they trying to achieve? I mean, are they trying to, you know, take the goods and then sell them in Tuvalu? What for?
You know, you might think of all sorts of creative ideas. I mean, maybe they need the straws to build some huts, or, you know, Tuvalu is actually having water level issues. I mean, the surface water level is rising all the time. Maybe they need the straws for emergency or something. No, it wasn't something like that.

And the interesting thing about this specific fraud was the amount for the shipping: $10,000. The entire thing was built to inflate the amount. It's an urgent shipping to the middle of the Pacific Ocean, 62 crates; it will have to cost a fortune. So what actually happened here was the following. After making the payment go through, right, so, you know, using a corporate credit card, one of the U.S. banks, the, you know, user called the merchant and said, "Hey, I have made a terrible mistake. I didn't realize it's so expensive. You know, $10,000, you know, your shipping company is crazy. They charge $10,000 for this. I have another shipping company that I prefer using and they only charge $2,000. Can you do me a favor? Because I already paid you $10,000. Can you move $10,000 to that shipping company? And then they'll use it for this shipping and then additional shipping that they'll have in the future, you know, like crediting me." And the merchant says, "Are you sure? I mean, there's lots of crates here." "Yeah, they're fantastic. We work with them all the time. They're very cheap.
You should, you know, use them for all of your shipping." And of course it wasn't the real, you know, shipping company. It was an account created or opened by the criminal.

The bottom line is, when you think about account opening, you know, even e-commerce fraud, any kind of case and scenario where you have a new user, you don't have any kind of profile on the user, prior behavior to look at, transaction monitoring to look at, and things like that. You know that KYC is dead, but you do have more and more capabilities: device reputation, location analysis, this sort of analysis called behavioral biometrics, to tell you, "Hey, something is either very good about this or something is terribly wrong about this."

Another interesting thing to notice is that the AO fraud is really changing the ecosystem. This is from California. There was a new digital bank that was opened, and when you actually look at the number of new users on a daily basis, you know, it's around 100 people on a daily basis. And all of a sudden it jumped to about 700 people. So this is crazy. I mean, they said, "Hey, finally the marketing team is doing something." No, they're not. It's an attack. You have 100 good users and 600 bad users every day. Okay, and essentially the bank did have device reputation and email reputation, meaning, you know, what do we know about this email? How does it relate to the device and the phone and other elements?
This was allowing them to stop about 50% of the attack, but there were still 300 people, okay, that were registering every day, as opposed to something like 100 good users. This is not sustainable. The bank will have to either, you know, stop receiving new customers, or allow them in but then not allow them to make, you know, any kind of money transfers or move money out until they sort out, you know, who's a good user and who's a bad user. And that's difficult, because the criminals will know everything about the good users.

Initially when I looked at that, I thought that it may be like a bot that is opening all of these accounts. No, it wasn't. It was a human being. And in fact it was a specific person that was opening all of these hundreds of accounts. They were doing it very mechanically. They were very familiar with the onboarding process. They were totally unfamiliar with the data. Okay, short-term memory, typing mechanically, working off a list. They're not pasting any information. They were just typing, you know, all day long.

So that's essentially one of the risks that banks and fintech companies are facing these days. Whenever you launch a new digital product and you just open it to, you know, the entire world to register, if you don't have the right capabilities to detect those sort of attacks, you can go down. You can really suffer from a massive campaign like this. Not a bot campaign, not a DDoS attack, nothing like that, just, you know, opening a lot of fake accounts that belong to real people. And it's not synthetic identity, right? It's just identity theft, because the data is there, and then it's going to be very, very, you know, problematic to handle the situation. So new digital banks, you know, good luck with that. Make sure that you have these sort of defenses in place.

Another impact of account opening fraud on the economy is a new service in the U.S. called Zelle, and I'm sure most of you know Zelle. It's a great service.
It allows you to pay from your account. You know, I think that in the UK you'll have similar types of money movement capabilities. You basically can send money to anyone in your contact list. You can send money to an email account, you know, things like that. This is in the U.S., and because of the ease of account opening and the ease of compromising email accounts, the whole Zelle industry is essentially shaking, because this is, you know, a single story, but it kind of reflects the, you know, underlying problem of the whole system.

So in this case fraudsters randomly compromised the business owner's email account, right? So just a regular, you know, Gmail, Yahoo, whatever sort of account belonging to a person. They saw that this person was interacting with the renters of their property and saying, "Hey, if you want to move money, why don't you use Zelle? You can send me the rent money using Zelle." So what the criminal did was open a fake account, okay, using the same information, at a top five bank, and then enrolling for Zelle at that bank using the compromised email. Now the thing is that once you use the email of the user, that new bank account is now attached to that email, right?
The bank will obviously send something to the email, like a one-time code that you have to repeat. So it basically proves that you control that email. But if that email is compromised, okay, this check doesn't mean anything. So essentially, you know, beating the KYC checks and then beating the email check of a new registration, attaching that new bank account to that email. And the bank said, "Okay, but this email address is already linked to another account at another bank. Do you want to change it to our bank?" And the fraudster says, "Yeah." And the bank simply enrolled the fraudster in Zelle, you know, because now this email account, you know, basically is attached to this new account. And basically at that point it's game over, because any money movement that will go to this email account will automatically go to the fraudster's new account at this top five bank. All right. So the renters send the money to the Zelle email address as normal, but now it's going to a newly opened account controlled by the criminal rather than the real user. Game over.

So essentially, the fact that account opening so far was not top priority for banks, credit card companies, etc., it's changing the industry, right? You have all of these cases. It doesn't have to be fraud. It can also be money laundering. It can be mule accounts.

Let's actually talk about mules, because there is an implication of a high account opening fraud world. This is like a diagram, a very crude one, showing, you know, a typical fraud supply chain. Obviously, it's not a single person that can do everything. As a fraudster, you typically choose between, you know, am I going to harvest information?
You break into accounts and break into databases, or do phishing, Trojans, etc., collect the information. Or am I going to use that stolen information to cash out? You know, typically people make that choice. You know, the harvesting process would use tools and hosting and delivery mechanisms to, you know, infect more people or send them phishing emails and stuff like that, or just break into a database. The cash-out process will be the ones that are tasked with emptying all of these accounts. They understand everything about the specific bank defenses, the credit card defenses. They know how to move money. They know what sort of controls are in place. And they also need to send the money, obviously not to themselves, but to some sort of collaborating account, and for many years those were mule accounts, because it was very difficult to open an account and, let's say, locally, if you're a criminal outside of the UK, to use an account in the UK; if you're outside of the U.S., use an account in the U.S. So you always recruited local collaborators, some of them knowingly, some of them unknowingly.

I mean, in Australia, for example, there was a case where the criminals went to high schools and said, "Hey, you have like a teenager account. We are kind of a charity company, you know, big charity, and donors, people that have, you know, lots of money, will, you know, send money to your account. You're going to pass it to us, we're the charity in East Europe, and you're going to get a commission." So the teens didn't really realize they're actually collaborating with this sort of scheme. So sometimes the mules know that they're mules. Sometimes they don't know that they're mules being recruited.

Mules have been, you know, a very important part of that ecosystem. But now you don't need them. You can be your own mule. You can just open an account online.
It's so easy these days, and just send money, you know, from your compromised account to your newly established account, saving the need to work with mules. It's saving you a lot of money. Opening an account is free. You don't have to pay anyone, and once the money is in your new account, you can just, you know, do whatever you want with it. You can send it anywhere. You can buy things, whatever. So this is changing a lot of the, you know, economics of online fraud.

All right, so let's actually summarize. What have we learned today? Identity is totally broken. Criminals behave differently. And when in doubt, call the dead guy.

I hope you enjoyed the presentation, and let's see if you have any questions.
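
The signals described in the talk (pasting fields a person knows by heart, a first paste seconds into the session, an SSN typed in chunks off a list, an instant income-source choice) can be checked over a session event timeline. The sketch below is an added example, not part of the talk and not BioCatch's code; the event format, field names, any threshold the talk does not quote, and the three sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Fields a genuine applicant knows from long-term memory (hypothetical field names).
MEMORISED_FIELDS = {"first_name", "dob", "ssn", "zip"}

# Thresholds: figures quoted in the talk where it gives one, otherwise assumptions.
EARLY_PASTE_S = 5.0   # talk: first name pasted 3 s into the session; 5 s cut-off assumed
SSN_SLOW_S = 7.0      # talk: ~4 s typical, ~9 s when typed off a list; 7 s cut-off assumed
BURST_GAP_S = 1.5     # assumed pause that marks a look back at the list
INCOME_FAST_S = 1.0   # talk: 4-5 s to read the options, under 1 s for the repeat applicant


@dataclass(frozen=True)
class Event:
    t: float      # seconds since the form loaded
    field: str    # form field the event belongs to
    kind: str     # "focus", "key", "paste" or "select"


def typing_bursts(times, gap=BURST_GAP_S):
    """Split keystroke timestamps into bursts separated by pauses longer than gap."""
    if not times:
        return []
    bursts = [[times[0]]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            bursts.append([cur])
        else:
            bursts[-1].append(cur)
    return bursts


def analyze(events):
    """Return signals on the two axes from the talk: data familiarity and process familiarity."""
    events = sorted(events, key=lambda e: e.t)
    data_unfamiliar, process_familiar = [], []

    # Pasting something that should come from long-term memory.
    for e in events:
        if e.kind == "paste" and e.field in MEMORISED_FIELDS:
            data_unfamiliar.append(f"paste:{e.field}")

    # The clipboard was loaded before the form was even opened.
    inputs = [e for e in events if e.kind in ("key", "paste")]
    if inputs and inputs[0].kind == "paste" and inputs[0].t <= EARLY_PASTE_S:
        process_familiar.append("early_paste")

    # SSN typed slowly and in several chunks: working off a list.
    ssn = [e.t for e in events if e.field == "ssn" and e.kind == "key"]
    if ssn and ssn[-1] - ssn[0] > SSN_SLOW_S and len(typing_bursts(ssn)) >= 3:
        data_unfamiliar.append("ssn_typed_in_chunks")

    # Income source chosen without reading the options.
    focus = next((e.t for e in events
                  if e.field == "income_source" and e.kind == "focus"), None)
    select = next((e.t for e in events
                   if e.field == "income_source" and e.kind == "select"), None)
    if focus is not None and select is not None and select - focus < INCOME_FAST_S:
        process_familiar.append("instant_income_choice")

    # One signal alone is weak (the talk: 2% of genuine sessions paste from another
    # application), so only sessions that trip both axes are sent to review.
    verdict = "review" if data_unfamiliar and process_familiar else "pass"
    return {"data_unfamiliar": data_unfamiliar,
            "process_familiar": process_familiar,
            "verdict": verdict}


def typed(field, start, gaps):
    """Build constructed keystroke events for one field from inter-key gaps."""
    t, out = start, [Event(start, field, "key")]
    for g in gaps:
        t += g
        out.append(Event(round(t, 3), field, "key"))
    return out


# --- Constructed sessions (not real data) ---
PASTER = [Event(3.0, "first_name", "paste"), Event(6.0, "dob", "paste"),
          Event(9.0, "ssn", "paste"),
          Event(14.0, "income_source", "focus"), Event(14.6, "income_source", "select")]

LIST_TYPER = (typed("first_name", 4.0, [0.3] * 4)
              + typed("ssn", 20.0, [0.4, 0.4, 2.8, 0.4, 2.8, 0.4, 0.4, 0.4])
              + [Event(35.0, "income_source", "focus"),
                 Event(35.5, "income_source", "select")])

GENUINE = (typed("first_name", 12.0, [0.3] * 4)
           + typed("ssn", 30.0, [0.45] * 8)
           + [Event(95.0, "loyalty_number", "paste"),   # fetched after a long pause
              Event(100.0, "income_source", "focus"),
              Event(104.5, "income_source", "select")])

if __name__ == "__main__":
    for name, session in (("paster", PASTER), ("list typer", LIST_TYPER),
                          ("genuine", GENUINE)):
        print(name, analyze(session))
```
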