Cybercriminals need to use identities to do a lot of the things they do. They can get these identities a lot of ways. But one of the ways is buying them from people who are selling identities. Not all of these sellers are other criminals, though. Some of them are ordinary people who are selling their own identities. Why would they do that? And what does that mean for protecting your own identity? Let’s look into it.

See Identity Trafficking with Ofer Friedman for a complete transcript of the Easy Prey podcast episode.

Ofer Friedman is the Chief Business Development Officer at AU10TIX, a global technology leader focusing on identity verification and fraud detection. He’s been working on technology for automated identity verification for almost twenty years. In his current role, he’s responsible for understanding markets, how decisions are made, how fraudsters are doing what they’re doing, and why. His goal is to foresee what’s coming to solve problems that aren’t yet in existence. He’s old enough to remember a world where identity verification required physically going somewhere and handing a person an ID. Now we’re in a situation where you don’t even know if you’re talking to someone real on a live video call. It’s exciting because of how fast everything is changing – it’s like living history in the making.

The short answer of why people are selling their identities is because people are buying. People are buying because committing fraud that requires impersonation is pretty easy right now, and tools out there are making it easier to do at scale. Not every cybercriminal is doing this. These identities have very specific use cases. Most of them are bought by specific branches of organized crime.

“There are people selling [identities] because there are people buying, and there are people buying because right now the ability to commit fraud which requires impersonation is so easy.”

The people selling aren’t innocent victims.
They’re getting money by giving their information to someone else. But often they are desperate. Ofer has researched it, and the people buying these identities are organized and professional. They’re advertising for it and taking advantage of people with financial issues who need quick money. The analyses he’s seeing are that a lot of the time, it’s students and unemployed people. There’s also been speculation about revenge selling, where you’re selling the personal information of someone else, similar to revenge porn. But either way, the result is the same – identity information ends up in criminal hands. They may be willing identity mules, but their information is being exploited all the same.

You might assume that if someone is selling their identity to criminals to do who-knows-what with, they must be making a lot of money. But that’s generally not the case. Ofer has seen some of the figures, and it’s often a few dozen dollars. If you’re selling information on a regular basis, you might get more. But nobody becomes a millionaire from selling their personal data.

There’s a simple reason for that, too. There are about 8.5 billion people on the planet. But there are about 10 billion pieces of personal information out there to be stolen. There is more data available than people. And it’s easier than ever to create fake or synthetic identities, get existing information from a data breach or data broker, or scrape it from public profiles en masse. And in a world of AI, using personal data is one of the weakest ways to identify yourself. So there’s not as much value in selling your personal information to a criminal as you might suspect.

“The usage of personal data for the purpose of identifying people is one of the weakest ways of establishing who you are.”

Criminals don’t actually need much of your personal information to take over your identity.
In fact, since the regulations that dictate identity verification are so thin, all they really need is the basic data on your ID. And that data probably exists in a thousand different places online. The problem for criminals isn’t getting your data – that’s why selling your identity isn’t hugely profitable. Their challenge is turning that data into realistic, massive, real-time attacks.

“The problem now is not getting the data. … It’s the magnitude to implement that data into realistic attacks.”

Until now, the idea has been that you shouldn’t upload a photo to verify identification, because you could buy or design whatever. It’s become a standard process to do a live video showing your face, sometimes also with documents. Now with deepfakes and injections, even that loses credibility. Ofer has a video of himself where he changed his face and injected himself into the conversation after the camera. And all of that was done with free software. Now it’s even harder because you can do that kind of thing live and respond to requests to move a certain way or hold up hands.

We’re already seeing Fraud-as-a-Service platforms. If you’re lazy, it’s the best way to do fraud. Go to the menu, select the company you want to attack, decide who you want to be, and let the software handle it for you. It will handle the live showing of ID and everything else the website wants.

And this kind of thing is happening all over. Privacy is dead. With some new age verification laws, even going on social media or watching porn will expose you to these systems. If you thought data breaches were bad now, wait until after we have to provide all this authentication. And people will provide it. We’ll get used to the requirement. And if it can so easily be faked, there will be even more indicators required eventually.

If your first thought on hearing that some people are selling their identities was about the consequences of identity theft, you’re not alone.
Why would someone sell their identity if it’s going to make their life miserable and have long-term negative consequences? There are a lot of different reasons. People may have pressure points where the consequences of not doing it seem worse than the consequences of doing it. Or they may be outside the US. There are billions of people who aren’t active internet users or who live in third-world countries and don’t have the same risks in giving up their identity as a US citizen would.

The US is actually trying to do something about this. They’re slowly transitioning towards digital identities. The TSA already allows you to fly with it, and it presumably makes you safer. It doesn’t transmit everything, just specific details that require sophisticated encryption to release. The assumption is that once that digital ID is safe in your wallet, no one can pretend to be you. But there are already indications that criminals can circumvent that, too.

In the US, selling your identity leads to the same consequences as your identity being stolen. You could have difficulty opening bank accounts in the future, your credit can get destroyed, and more. But the consequences can be different in different areas. Global players in fintech, crypto, gaming, and more aren’t all American. The online domain is global, so there are more opportunities but also higher stakes.

“The online domain is global. That’s why the stakes are higher [and] the opportunities are higher.”

If you want to commit fraud at an American bank, it doesn’t make much sense to find someone selling identities somewhere else on the globe. You want to look like an American, so you need an American identity.

Ofer assumes that enough people don’t understand the risks of selling identities or don’t see the changes that are happening. Even if the goal is fraud, criminals generally don’t open an account and immediately rob the bank. They usually take time to mature it.
So people don’t see the consequences of selling their identity right away. It can also lead to a feeling of immunity. If the FBI comes knocking at your door, you can honestly say that you didn’t know it happened, it wasn’t at your house or on your phone, and someone else must be using your identity. So many people don’t think about the consequences until it’s too late.

Interestingly, buying and selling identities won’t be an option forever. Eventually, criminals are going to find easier ways to get at information that’s already out there. At that point, they won’t need to pay money for people’s identities, because they can get it for free somewhere else. Buying identities will become a marginal use case.

Next generation frauds aren’t going to just be about getting and using identities, but about using them at scale, and using them multiple times in ways that won’t get the criminals caught. It’s not just about identity information or deepfakes, but the ability to automate with randomization. Previously, criminals were just shooting one gun at a time. Soon, they’ll be able to put in a magazine of personal data, faces, and targets, press the button, and have a huge number of attacks done for them. Things we didn’t hear about even a few years ago are already on the table. It’s an arms race, and there’s no magical detection tool that will keep you safe for long.

Selling identities will probably still make sense to certain people and in certain scenarios. But the challenge there for criminals is how many people actually want to sell their identities and the fact that they don’t get much for it.

“It’s a fast forward arms race, and … there’s no magical detection tool that will keep you safe for long.”

The conversation around identity needs to be not about verification but about risk. Regulations mandate a live process and checking liveness. But it’s possible to do a live session with deepfakes. The second line of defense needs to be collateral risk elements.
These are things like device, location, network, and other things someone isn’t asked for directly but that a company can get through the process. The third line of defense is behavioral. If a criminal is paying for an identity, they want to get their money’s worth and use it more than once. Looking at these things, beyond just your name and what you look like, can make the process safer.

There will always be a fight between privacy and security, and in the end, privacy will lose to security. If you want to exist, you can’t be entirely private. This is exactly why privacy is dead.

“There will always be that fight between privacy and security. … Privacy will lose.”

On the consumer side, most of the conversation so far has been about how to keep someone from stealing your identity or how to not respond to scammers’ solicitations. But that’s like expecting you to stop viruses from attacking your computer. To quote Agent Smith from The Matrix, “Never let a man do a machine’s work.” It’s much better to let a good antivirus protect you from viruses. And identity protection can no longer be an individual human’s responsibility. The future of protection needs to be in tech-powered defenses. Technology is scaling up the threats, so we need technology that can spot and stop it.

Ofer Friedman’s mission is to educate people, because these are complicated issues. You can connect with him and read his writing on LinkedIn.
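
The second and third lines of defense described above (collateral signals such as device, location and network, plus behavioral reuse of an identity) can be sketched as a check that runs over sessions which have already passed liveness. This is an added example, not code from AU10TIX or from the original article; the session fields, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sessions; each one already passed the live/liveness check.
# Fields: time, identity document number, document country,
#         device fingerprint, network country (from IP geolocation).
SESSIONS = [
    ("2024-05-01T10:00", "DOC-1001", "US", "dev-a", "US"),
    ("2024-05-01T10:07", "DOC-2002", "US", "dev-x", "US"),
    ("2024-05-01T10:15", "DOC-3003", "US", "dev-x", "US"),
    ("2024-05-01T10:21", "DOC-4004", "US", "dev-x", "RO"),
    ("2024-05-03T09:00", "DOC-1001", "US", "dev-b", "US"),
    ("2024-05-20T09:00", "DOC-5005", "US", "dev-c", "US"),
]

WINDOW = timedelta(days=7)   # assumed look-back period
MAX_IDS_PER_DEVICE = 2       # assumed threshold
MAX_USES_PER_ID = 1          # assumed threshold


def risk_flags(sessions):
    """Return {session index: sorted list of flags} for risky sessions."""
    rows = [(datetime.fromisoformat(t), doc, dc, dev, nc)
            for t, doc, dc, dev, nc in sessions]
    flags = defaultdict(set)
    for i, (t, doc, doc_country, dev, net_country) in enumerate(rows):
        # Only sessions at or before this one, inside the look-back window
        recent = [r for r in rows if timedelta(0) <= t - r[0] <= WINDOW]
        # Collateral signal: network location disagrees with the document
        if doc_country != net_country:
            flags[i].add("location_mismatch")
        # Collateral signal: one device presenting many identities
        if len({r[1] for r in recent if r[3] == dev}) > MAX_IDS_PER_DEVICE:
            flags[i].add("device_many_identities")
        # Behavioral signal: the same identity used more than once
        if sum(1 for r in recent if r[1] == doc) > MAX_USES_PER_ID:
            flags[i].add("identity_reused")
    return {i: sorted(f) for i, f in flags.items()}


if __name__ == "__main__":
    for idx, reasons in sorted(risk_flags(SESSIONS).items()):
        print(SESSIONS[idx][1], SESSIONS[idx][3], reasons)
```

None of the flagged sessions would be caught by the liveness check alone; a flag is a reason to step up review, since a country mismatch on its own can simply be a traveler.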