Nothing Personal: Understanding the Spread and Use of Personally Identifiable Information in the Financial Ecosystem

Mehrnoosh Zaeifi, Faezeh Kalantari, Adam Oest, Zhibo Sun, Gail Joon Ahn, Yan Shoshitaishvili, Tiffany Bao, Fish Wang, Adam Doupé

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

Online services leverage various authentication methods with differing usability and reliability trade-offs, such as password-based or multi-factor authentication (MFA). However, financial service providers face a unique challenge: authenticating the user's legal identity, which involves verifying Personally Identifiable Information (PII); we call this PII-based authentication (PII-BA). These methods assume that PII is private; however, identity theft victimizes millions annually and exposes their PII to criminals. In this paper, we investigate the potential for identity fraud that breaks PII-BA with stolen PII in the financial ecosystem. First, we measure what PII is used in PII-BA across five different financial services for 17 U.S. financial institutions. We subsequently collect data on where PII and associated illegal services are available for purchase by monetizers (who perform identity fraud using obtained stolen PII) operating within the underground economy and on paste sites. Finally, we analyze how monetizers can make money from stolen PII, either by breaking PII-BA or by directly monetizing the PII, together with the associated cost. Our study reveals that payment processing companies (PPCs) impose lower PII requirements for the password/username recovery PII-BA service than commercial banks do. Consequently, criminals can bypass this PII-BA service across all PPCs by paying $3.5 to $50, as opposed to $10.5 to $600 for banks. We also outline potential mitigations, which could be an essential step in addressing identity fraud resulting from PII-BA in the financial ecosystem.

Original language: English (US)
Title of host publication: CODASPY 2024 - Proceedings of the 14th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 55-65
Number of pages: 11
ISBN (Electronic): 9798400704215
DOIs
State: Published - Jun 19 2024
Event: 14th ACM Conference on Data and Application Security and Privacy, CODASPY 2024 - Porto, Portugal
Duration: Jun 19 2024 to Jun 21 2024

Publication series

Name: CODASPY 2024 - Proceedings of the 14th ACM Conference on Data and Application Security and Privacy

Conference

Conference: 14th ACM Conference on Data and Application Security and Privacy, CODASPY 2024
Country/Territory: Portugal
City: Porto
Period: 6/19/24 to 6/21/24

Keywords

  • Authentication mechanisms
  • Security and privacy
  • Underground community
  • Web security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Information Systems
  • Software
