Identity theft: what should companies and users do?
The rise in identity theft crimes has been accompanied by a boom in digital transactions. While impersonation also takes place in physical environments, the vast majority of these criminal acts occur on the Internet. The means is always the same: impersonating another person by falsifying documentation or stealing passwords.
Whose fault is it? Many people wonder who is responsible when an impersonation has caused damage to a party. In this article we take an in-depth look at the authentication systems companies implement to prevent these practices, and at what users can do on their side to prevent their accounts from being used in their name without their consent.
What is identity theft?
Identity theft, or spoofing, is the term IT professionals generally use for attacks in which an attacker uses a customer's authentication factors to access that customer's accounts without permission. The objective of these attacks is to steal information, products, services or even money.
Falsifying data of various kinds is one of the main problems for online access, as it is the key attackers use to circumvent less secure identity verification systems. Spoofing is also known as impersonation or identity theft.
On the other hand, we can also say that an identity has been impersonated when a fake profile is created from scratch on, for example, a social network or an email account. Images and information that are public on the network are often used to impersonate a person or company. Although this can cause very significant harm in terms of image (as covered by Trademark Law) or defamation, it goes no further than that type of consequence: it does not give the attacker control of the victim's own account, nor does it grant access to platforms of various kinds.
The real aggravation comes when criminals gain access to platforms and tools that serve as a required authentication factor for operating elsewhere, for example a bank account. A clear example of this is SIM swapping.
This can happen through phishing techniques or the release of viruses by hackers. However, in many cases it is even simpler: some companies have not yet implemented anti-fraud controls that correctly verify the identity of their users and customers, so impersonating them is not very difficult.
How long can an impersonation go on? That depends on many factors: from the attacker's ability to fake non-suspicious behavior to the controls that companies have put in place to detect fraud attempts. We will explore this later in this article, but first let's look in a little more detail at the types of spoofing and how the law punishes these illicit behaviors.
Crime of usurpation, penalty and types
In the area of IT and network security, professionals categorize attacks according to the type of means used to gain fraudulent access to a system. In this way we speak of identity theft of different types, among which the following stand out:
- E-mail spoofing: In many cases this is done simply by obtaining a username and password through various methods; in other cases an SMTP server is abused to send spam en masse.
- Location or GPS spoofing: Many companies were encouraged to launch location-based authentication methods, especially for accessing wireless devices located in homes, and it has also been seen that inside the premises a smartphone may not require a fingerprint or PIN. These GPS signals are spoofed to gain access.
- Connection-focused spoofing: Depending on the protocol in use, there are IP-focused smurf techniques, attacks via DNS names, and attacks centered on routers by spoofing ARP.
- Web page spoofing: It could be confused with phishing, but its strength lies in the hidden redirection to proxy-like pages that either request information or introduce a virus.
These types of techniques end up with a clear purpose: accessing a user service without the owner's consent. The financial gain after the usurpation is the reason why it takes place, either to carry out a scam or to carry out covert operations.
Impersonation is the fastest-growing crime worldwide, far ahead of the most notorious crimes. Its rise is due to the democratization of the Internet and the push of users towards online shopping. The crime of impersonation is criminalized in virtually every state in the world, with a place in criminal codes. The fact itself is already a crime, but what carries more sanction or penalty is the action carried out afterward: stealing money, obtaining private information, etc.
Computer forensic experts work to obtain evidence of what happened with as much traceability as possible. Thanks to end-to-end digital solutions and the implementation by companies of identity checks throughout the customer journey, this is fully verifiable and provable, with traceability sealed by a trusted partner.
Identity theft in banks
Yes, the main target of identity theft attacks is access to banking platforms. It is undoubtedly the fastest and most feasible way to steal capital from a user. After traditional banking come all the FinTech and financial services platforms, as well as, for example, trading and cryptocurrency accounts.
Why would a usurper want to access your bank? It's clear: to order transactions on your behalf or to make purchases and authorize payments for profit. Although the implementation of the standards required by PSD2 (SCA, Strong Customer Authentication) has greatly reduced this type of attack, hundreds of identity theft attacks still occur daily in banks.
The most critical identity theft techniques for accessing financial platforms focus on:
- Identity documentation (national ID cards, passports, permits, other ID cards...).
- Signature forgery.
- SIM card duplicate.
- Debit and credit card cloning.
- Obtaining PINs, passwords or access to emails.
Fortunately, banks are required to comply with AML regulations and Know Your Customer standards. This means that if your bank, financial services or insurance platform has integrated a proper onboarding solution and secure KYC-based user authentication processes, the risk of identity theft to access your bank account is zero.
Now, all entities and companies in the BFSI industry can access SaaS identity verification and e-signature software that achieves zero risk rates throughout the customer lifecycle. On the other hand, companies in the telecom industry that are also integrating KYC into their processes have completely eliminated any possibility of SIM swapping.
Regarding ATMs, although not yet widespread, it is already possible to integrate KYC identity verification with facial biometrics for access, making it impossible to withdraw cash with a duplicated credit card and its PIN.
How to avoid impersonation
The main security controls must be established by the banks, platforms or websites we use. According to recent studies, 73% of users indicate that they take the IT security of a platform or bank into account when deciding to become a customer or user. Therefore, if during registration we are required to verify our identity with official documents and record a video of our face (especially one assisted by artificial intelligence), we can rest assured that the security implemented is of a high level.
Similarly, after registration, if the credentials and authentication factors used for login are based on that first registration (a request for facial biometrics and other 2FA controls), the login process is virtually impassable for any attacker who wishes to impersonate our identity.
Beyond the typical advice on choosing complex and strong passwords or pins, the best option is to properly configure two-step authentication or multi-factor verification.
How do I report if I have been a victim of spoofing?
Many users wonder what to do if they have been impersonated. You should always report it. Many believe that the expenses derived from the report will exceed the actual recovery of the lost money, but this is not the case. The first thing to do is to contact your financial institution or banking platform, submitting the report and providing all possible information and evidence.
Many of them already have software that allows you to trace all the activity, which will help in the case and provide more evidence and information. In addition, if the transaction has been promptly communicated to you via certified communication, there are reversible operations in certain periods of time, so it may not be too late to recover what was stolen.
The penalties for identity theft range from one month to four years. It all depends on factors such as how much damage was done to the victim, whether there is recidivist behavior, and the amounts stolen or swindled. Lately there is a lot of talk about scams and usurpations around the instant messaging tool WhatsApp; however, there is no difference in terms of complaints, as it is a medium just like any other.
Trust, identity and automation services
KYC (Know Your Customer) Video Identity Verification, Digital Onboarding and Authentication (MFA/2FA) solutions and services enable our customers to provide their users with an agile and secure experience.
Our RPA (Robotic Process Automation) software enables the creation of sustainable, scalable, productive and efficient business models through BPM (Business Process Management), allowing unlimited growth.
Advanced and Qualified Electronic Signature and Certified Communication services (Electronic Burofax) allow customer acquisition, contracting and acceptance processes that used to take days or weeks to be completed and approved in minutes or seconds.
Customer Onboarding (eKYC), Digital Signature (eSignature) services and Automated Fraud Prevention are making it possible for companies to operate online and without borders.
As an EU-certified Trust Services Provider and an established RegTech partner, we help organizations comply with the most demanding regulatory standards in their sector and region, including AML (Anti-Money Laundering), eIDAS (Electronic IDentification, Authentication and trust Services), GDPR (General Data Protection Regulation), SCA (Strong Customer Authentication) and PSD2 (Payment Services Directive) regulations, thanks to Tecalis Anti-Fraud Controls and Document Verification.