Right now, almost every aspect of our daily lives is online. Details of who we are, where we work, where we live, where we shop, where we bank and even who we socialise with, is tied to our digital identity*.

The most common requirement to create a digital presence is the creation of a username and password for registration onto any digital platform. Often, people will reuse the same credentials for multiple services, as it is easier to remember a single record and far more convenient.

However, it is this common practise that hackers take advantage of, to launch what is referred to as a credential stuffing attack. Credential Stuffing is exactly what it sounds like. Cyber criminals literally stuff previously stolen lists, (available on the dark web), of unmatched usernames and passwords into a system that uses sophisticated Bot technology to test the usernames and passwords, to find working pairs.

This type of attack poses a greater risk to data brokers, than that of a brute force attack, because machines cannot determine intent. If the required log in detail is correctly entered, the system does not know that the user is not truly who they are claiming to be. No suspicious activity will be identified, so a hacker can remain in the system undetected.

A perfect example of an attack of this nature, is the breach of the South African operation of a large United Sates based credit bureau. The Editor of IT web released an article on the 17th of March 2022 detailing how a hacker group, claiming to be based in Brazil, contacted him via Telegram informing him of the data breach.

In the article, the journalist mentions his doubt as to the validity of the message, and how he challenged them to substantiate their claim. Within minutes he received confidential information detailing facts of the first home he rented, a complete history of any vehicles he had rented, or owned, noting make, models, VIN numbers, and colours for each of them.

Convinced of the magnitude of the crime, particularly the risk it posed to him personally, the journalist took the information seriously.

The criminal group who refers to themselves at “N4aughtysecTU” demanded $15 million (approximately ZAR 218 000 000) ransom, for the 4 terabytes of compromised data.

3 million customers, based in South Africa, have been made vulnerable, as their personal records containing official identification numbers, banking details, credit scores, gender, vehicle financing, employment status, employer history, as well as any other relevant personal information, have been compromised.

When the journalist from ITWeb asked the group how they managed to access the Blue-chip company system, their response was, “They left the door open. What a joke. They were using the word ‘password’ as their password.” Read the article

On the 19TH of March 2022, an announcement was released on the company’s website, confirming that a third party had obtained illegal access to an isolated server, through the misuse of an authorised user credential.

Whilst a data breach affects the corporate targeted by cyber criminals, in terms of legislative implications and fines by the relevant regulatory authority, it is the individual customer that is the true victim. The availability of their personal information on the Dark web renders them completely vulnerable to Identity theft, financial risk, fraud, and extortion in their personal capacity.

Test the theory; contact your banker to ask for an account statement, open a new account or check on an account balance. They will ask you to answer security questions to verify that you are who you are claiming to be. The answers to those questions are easily answered by the threat actor who is in possession of your personal, and what should be confidential information.

Intercepted one-time pins, cloned SIM cards and the like, enable criminals to approve interaction with institutions who believe that the person they are speaking to, is now verified. This means that your banking account, credit rating or information is vulnerable to misuse at great cost personal to you.

Protecting your digital identity today is just as important as keeping yourself physically safe from crime. People need the means to control, manage and protect their own Digital Identity which was one of the main drivers behind Synapser developing Entry a Mobile based Authenticated Digital Identity platform giving people the freedom to live safely in a digital world.

* A Digital identity is essentially any personal data existing online that can be traced back to the real you, however, with stolen credentials the digital identity can be assumed by criminals to commit fraud, theft and extortion.

Digital Identity Theft - Should you be worried?