TY - GEN
T1 - Nothing Personal
T2 - 14th ACM Conference on Data and Application Security and Privacy, CODASPY 2024
AU - Zaeifi, Mehrnoosh
AU - Kalantari, Faezeh
AU - Oest, Adam
AU - Sun, Zhibo
AU - Ahn, Gail Joon
AU - Shoshitaishvili, Yan
AU - Bao, Tiffany
AU - Wang, Fish
AU - Doupé, Adam
N1 - Publisher Copyright:
© 2024 Copyright held by the owner/author(s).
PY - 2024/6/19
Y1 - 2024/6/19
N2 - Online services leverage various authentication methods with differing usability and reliability trade-offs, such as password-based or multi-factor authentication (MFA). However, financial service providers face a unique challenge: authenticating the user's legal identity, which involves verifying Personally Identifiable Information (PII); we call this PII-based authentication (PII-BA). These methods assume that PII is private; however, identity theft victimizes millions annually and exposes their PII to criminals. In this paper, we investigate the potential for identity fraud that breaks PII-BA with stolen PII in the financial ecosystem. First, we measure what PII is used in PII-BA across five different financial services at 17 U.S. financial institutions. We then collect data on where PII and associated illegal services are available for purchase by monetizers (criminals who perform identity fraud with stolen PII) operating in the underground economy and on paste sites. Finally, we analyze how monetizers can make money from stolen PII, either by breaking PII-BA or by directly monetizing the PII, and the associated cost. Our study reveals that payment processing companies (PPCs) impose lower PII requirements for the password/username recovery PII-BA service than commercial banks do. Consequently, criminals can bypass this PII-BA service at all PPCs by paying $3.5 to $50, as opposed to $10.5 to $600 for banks. We also outline potential mitigations, which could be an essential step in addressing identity fraud resulting from PII-BA in the financial ecosystem.
KW - Authentication mechanisms
KW - Security and privacy
KW - Underground community
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=85199095968&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85199095968&partnerID=8YFLogxK
U2 - 10.1145/3626232.3653266
DO - 10.1145/3626232.3653266
M3 - Conference contribution
AN - SCOPUS:85199095968
T3 - CODASPY 2024 - Proceedings of the 14th ACM Conference on Data and Application Security and Privacy
SP - 55
EP - 65
BT - CODASPY 2024 - Proceedings of the 14th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
Y2 - 19 June 2024 through 21 June 2024
ER -