Identity theft is a type of fraud in which someone illegally obtains and uses another person’s personal information, such as their name, Social Security number, credit card numbers, or other personally identifiable information (PII) without their consent or knowledge.

The main goals of identity thieves are to steal money from the victim’s bank accounts, open new credit lines and take out loans in the victim’s name, obtain government benefits, rent apartments, or even get medical services using the victim’s identity and insurance information. Some common methods used by identity thieves include:

• Stealing wallets, purses, mail, or going through trash to find personal documents
• Skimming credit/debit card numbers when processing payments
• Phishing scams to trick people into revealing login credentials
• Hacking into corporate databases to access customer records
• Using malware to log keystrokes and steal login information

Once they have enough personal details, identity thieves can essentially masquerade as the victim to open new credit accounts, take out loans, access benefits, commit tax fraud, or make large purchases—all of which are linked back to the victim’s real identity.

Identity theft causes major financial losses, impacts credit ratings, and creates tremendous hassles for victims as they try to restore their compromised identities and deal with the aftermath. Protecting personal information and monitoring for signs of identity theft is crucial in today’s digital age.

Identity Fraud Statistics

Identity fraud is a growing problem that costs businesses and consumers billions annually. In 2023 alone, identity thieves stole over $43 billion, according to reports. No company wants their customers’ personal identifiable information (PII), like names, emails, passwords, and financial data, to fall into the wrong hands. Yet major breaches and leaks happen regularly, often due to preventable security lapses.

Three high-profile examples illustrate the damage identity fraud can cause:

• Equifax breach: In 2017, nearly 150 million Americans had sensitive personal data like names, birth dates, social security numbers, and addresses exposed due to a website vulnerability.
• Yahoo breach: In 2017, all 3 billion Yahoo user accounts were compromised, with names, emails, passwords, and security questions stolen.
• Target breach: In 2013, 41 million customers had encrypted PINs accessed after hackers infiltrated the retailer’s payment systems.

Identity Fraud Tactics

Criminals use a variety of underhanded means to steal PII, including:

• Phishing: Sending legitimate-looking emails to trick people into entering login credentials on fake sites.
• Malware: Infecting computers and mobile devices with code that logs keystrokes or screenshots.
• Brute Force Attacks: Using automated tools to guess login and password combinations rapidly.
• Breaching Databases: Exploiting vulnerabilities to gain unauthorized access to corporate systems.

Companies must implement rigorous security practices to protect customer data. This includes using strong encryption, promptly patching software vulnerabilities, training staff on security protocols, and limiting data access.

Multi-Factor Authentication

One of the most important preventative measures is implementing two-factor (2FA) or multi-factor authentication (MFA) that goes beyond simple password logins. This adds additional verification steps like:

• One-Time Passwords sent via text/email that expire promptly
• Authenticator apps that generate fresh login codes every 30 seconds
• Biometric phone unlocks using fingerprints or facial recognition
• Push notifications requesting user consent on a separate device

Passwordless authentication using WebAuthn is also growing in adoption. This encryption standard lets people log in without ever typing passwords, relying instead on biometrics, security keys, and other dynamic factors.

SaaS Precautions

SaaS providers can implement several architectural safeguards to make it extremely difficult for hackers or phishers to acquire (PII). Here are some key architectures and approaches:

• Zero Trust Architecture: Assume networks are hostile and constantly verify every request. Use least-privilege access controls and strict user authentication. Implement microsegmentation and perimeter-less security models.
• Confidential Computing: Use secure enclaves where PII is encrypted away from the host operating system. Data remains encrypted even during processing, preventing exposure.
• Homomorphic Encryption: Data is encrypted so that computations can be performed on ciphertexts. When decrypted, results match operations as if done on plaintext. PII never needs to be decrypted, eliminating exposure risks.
• Distributed Data Storage: Split and store PII across multiple storage systems in different jurisdictions. No single database contains complete PII records, so hackers would need to breach multiple systems to reconstruct data.
• Anonymization and Pseudonymization: Strip or replace PII with randomly generated tokens/aliases. Apply data masking, hashing, and other obfuscation techniques. Separate storage of authentication keys from obfuscated data.
• Privacy Enhancing Services: Leverage secure multi-party computation (MPC) protocols. Data is encrypted, split and computed across multiple service providers. No single provider has access to complete sensitive data.

By architecting with cutting-edge approaches like these, SaaS companies can make it cryptographically and computationally infeasible for attackers to access intelligible PII, even in the event of a breach.

The consequences of identity theft and fraud are devastating for both companies and individuals. By making customer data protection a top priority and implementing modern MFA protocols, businesses can safeguard against criminal tactics and maintain hard-earned consumer trust.

©2024 DK New Media, LLC, All rights reserved.

Originally Published on Martech Zone: Protecting Customer Data from Identity Thieves: Marketing, SaaS, and Business Responsibilities