The Asymmetry of Information Security – Part 3
Derek Brink, Aberdeen Group
SEP 11, 2013 05:00 AM
Previously on my little blog series on The Asymmetry of Information Security:

In Part 1 (25 July 2013), we looked at the underground market value of stolen healthcare credentials (about $20 each) – and the even higher prices commanded by value-added packaging options called fullz (about $500) and kitz (between $1,200 and $1,300) – as compiled by the research team at the Dell SecureWorks Counter Threat Unit.

In Part 2 (1 August 2013), we looked beyond healthcare at the underground market value of a wide variety of stolen credentials – which shows a range from as little as $1, to more than $1,000.

As I had noted, these figures represent the values for key “raw materials” used for identity theft and fraud – but of course the payoff for committing the actual fraud itself is substantially higher. But how much higher? In this Part 3, I aim to give us at least a little bit of calibration on how the payoff for criminals grows as they move along the fraud value chain, by using one public example.

In February 2013, the US District Attorney’s Office in Newark, New Jersey charged 18 individuals with stealing more than $200 million in a three-step process that was repeated thousands of times:

Make Up – create a false identity, along with associated identification documents and credit profiles, and obtain credit cards

Pump Up – provide fraudulent information about the false identity to the major credit bureaus, inflating its associated credit ratings

Run Up – spend and borrow as much as possible using the false identity, and default on paying the debt

Specific allegations against the defendants detailed in the complaint included:

Creation of more than 7,000 false identities, to obtain over 25,000 fraudulent credit cards

Maintenance of more than 1,800 houses, apartments, and post office boxes used as the mailing addresses for the false identities

Creation of dozens of sham companies that established a merchant account with a payment processor, submitted charges and accepted payments, and furnished false information to the credit bureaus

Collusion with several complicit businesses (e.g., jewelry stores) to process fraudulent transactions and share in the proceeds

Use of at least 169 bank accounts to withdraw cash and wire millions of dollars to Pakistan, India, United Arab Emirates, Canada, Romania, China, and Japan

Each defendant was charged with one count of bank fraud, punishable by a maximum penalty of 30 years in prison and a fine of $1 million.

Based on these facts, we can make a few simple calculations at various stages of the fraud value chain:

The 7,000 false identities in this particular example should be valued at least as much as fullz ($500), and more likely as much as kitz ($1,300) – for a range of roughly $3.5 million to $9 million.

But in fact, these false identities were the foundation for 25,000 fraudulent credit cards, along with mailing addresses and pumped-up credit ratings – presumably these would fetch the highest valuation for kitz or even higher, which translates to a total value of between $30M and $35M.

Yet as we know, the total amount of confirmed losses filed in the complaint exceeded $200M – which means that the criminals netted an additional $165M to $170M from the actual fraudulent borrowing and spending.

Said another way, the payoff from fraud:

Goes up between 3.5 and 10 times, by moving from mere false identities to complete, pre-packaged identity theft kits

Goes up by an additional 6 times, by moving from full-featured identity theft kits to actually carrying out the fraudulent borrowing and spending

Put this in perspective: the value of false identities is not that far off from the royalty payment that a high-tech vendor might command in a technology license agreement – about 4-5 cents on the top-line fraud dollar! It seems that business is business, no matter which side of the law one happens to be on.

The interesting topic not yet addressed is the total cost to society for this type of fraud. That is, in addition to the $200M in confirmed losses, there is:

The cost of increased interest rates and fees on all legitimate commerce, as a result of fraud, waste and abuse

The cost of preventative measures that ultimately are not 100% effective

The cost to detect and respond to fraud

The cost of charging, prosecuting, and jailing criminals

Undoubtedly, there’s even more – which leaves the door open one day for a Part 4 to my little series.

