The victims’ names read like the front page of a supermarket tabloid. Kim Kardashian, her mother Kris Jenner, Paris Hilton, and there even appears to have been an attempt to access accounts belonging to FBI Director Robert Mueller.
The thieves made off with in excess of $70,000, according to reports, and the scariest part is that the perpetrators were 19-year-old Luis Flores and his mother (some reports say simply roommate), 41-year-old Kyah Green.
What they apparently had in quantity in their apartment was digitized information about many celebrity accounts – MIchelle Obama, Tom Cruise and Beyonce also figured in the haul when the police raided. The information is believed to have been retrieved by Flores and Green from easily accessible Internet sites.
What has experts buzzing is how seemingly unsophisticated thieves have made identity theft look downright simple.
But that’s because it is. Huge data breaches have produced vast stashes of account information that, in the wrong hands, is being put to use to steal. No computer skills are needed, just a willingness to locate and, in some cases, pay for account information online.
At the same time, the Internet – and social media in particular – has produced rich personal data on just about everybody, but especially so on celebrities. It’s an era where secrets are a fantasy and that has made traditional challenge questions of doubtful value. Your high school mascot, name of your first date, favorite ice cream – all are findable online and, for celebrities, the information may be inescapable.
Add one part valid account information to one part true and plentiful personal details online and it is a recipe for disaster for unwitting financial institutions.
Call center employees are especially vulnerable, added Bryan Jardine, product manager for Easy Solutions, a fraud detection and monitoring company.
Pity the poor call center employee who fields the call that seeks to make an emergency wire transfer and, by the way, the caller probably knows “the last four digits of the social,” the home address, even the phone number associated with the account.
“The weakest link is the human,” said George Tubin, a consultant with security firm Trusteer.
Why? Call center employees are trained to be helpful, compassionate, sympathetic. If a debit card holder calls up, says, “I lost my card while on vacation in Moscow” – that employee, at most institutions, has been trained to say, we will overnight a replacement card to you.
How new-style fraud will get stopped is with toughened employee training, said the experts, where certain triggers (sending a replacement card to a previously unknown address, for instance) ought to send up an alert that triggers a second-level review.
At some institutions however – and many fingers point at credit unions that pride themselves on being member centric, friendly and helpful – that willingness to delay satisfying a member may be lacking.
That may be a big mistake because there is every indication that identity theft and account takeover – whether involving celebrities or just everyday people – will continue to rise, simply because there is so much account information available.
Worse news for credit union executives: “Fraud is moving down market. We have evidence this is occurring,” said Lou Anne Alexander, a senior vice president at Scottsdale, Ariz.-based security company Early Warning.
Her contention: the biggest institutions, the money center banks, have toughened their perimeters and that has prompted fraudsters to hunt for softer targets.
Like credit unions.
A slice of good news from Early Warning: “Security is not a competitive activity at financial institutions,” said Alexander who said that many may be cutthroat when it comes to mobile banking or auto loans. But when the issue is fraud prevention, there usually is a large willingness to share.
“We see many institutions sharing information,” she added, pointing to files of voices of habitual criminals that at least some institutions are making available so other institutions can compare the voice records to see if this caller is a known fraudster.
“We are encouraging more credit unions to get involved in these kinds of sharings,” said Alexander who indicated that institutional cooperation may be a fast track to stopping at least some identity theft.