Top 3 Identity Security Trends for 2024 – and How to Combat Them
Here's a look at the year ahead for identity security trends and tech.
by Ralph Rodriguez, CPO
January 9, 2024
Identity fraud rates have risen dramatically since the beginning of the pandemic – and they show no sign of slowing down as we enter 2024. This puts increased pressure on companies to secure customer and employee data while keeping cybercriminals out of accounts and business systems.
The latest Australian Cybercrime Survey found that 20% of respondents had experienced identity crime in the past 12 months. In its “This is Fraudscape 2023” report, Cifas found that the highest-ever volume of identity fraud cases was reported in the UK in 2022. The U.S. News & World Report Identity Theft Survey 2023 found that 73% of respondents had experienced one case of identity theft, 27% had experienced more than one case, and 30% had been victims of at least one company data breach in 2023.
The cost of identity fraud is steep, with Javelin Research and Strategy reporting losses due to traditional identity fraud at $20 billion in 2022. Over the past two years, the Australian Tax Office lost more than $557 billion to fraudsters who accessed legitimate taxpayers’ accounts. According to the Guardian, UK losses to identity theft were up by more than 50% over the first six months of 2023, totaling £33 million.
With bad actors constantly adopting new technologies and new methods of deploying them, it’s more vital than ever for businesses to be informed of identity security trends – and how to secure their organization and their customers, both in the New Year and in the future.
1. Growing incidence of using synthetic identities combined with deepfake content
Fraudsters create synthetic identities in several ways: by combining stolen personal information from several people into a new identity; by combining true elements of someone’s personal information, such as their social security number, with false address and date of birth information; and by inventing a completely fictitious identity that doesn’t rely on real personal data. They then use these identities in ways that build at least a shallow history, which later helps them get around the checks that banks, retailers, and other businesses use during identity proofing, the critical process by which a business verifies that a person opening a new account is truly who they claim to be.
Synthetic identities, however, aren’t new. It’s been four years since the Federal Bureau of Investigation (FBI) called synthetic identities the fastest-growing financial crime in the U.S. Their use has only grown since then, and synthetic identities are now a major global concern. In April, Thomson Reuters Legal Solutions called synthetic identity fraud “the fastest growing form of fraud in the world,” estimating losses in 2023 between $20 and $40 billion. According to LexisNexis, 52% of companies globally reported an increase in synthetic identity fraud in 2023.
In 2024, it will be even harder to keep these fabricated identities from opening accounts and gaining access to business ecosystems, as they will increasingly be augmented by deepfake content. The latest advances in artificial intelligence (AI) and machine learning (ML) make deepfake images, videos, and audio more sophisticated and harder to detect. This presents a unique challenge as businesses continue to adopt biometric security – like facial scans, fingerprints, and voice recognition – because, although biometrics offer exponentially better security than passwords, biometrics alone (without advanced presentation attack detection, or PAD, technology) will not stop these fraudsters in their tracks.
A bad actor attempting to open a new account with a financial institution, for example, can present false information (name, address, DOB) and, when asked to provide a biometric factor like a selfie that matches the image on the fake ID document they present, instead offer a deepfake image.
Combatting synthetic identities and deepfakes in 2024 requires an identity assurance platform that uses biometrics combined with advanced AI technology to detect manipulated content – and one that also offers an identity proofing process integrated with enough validated government and third-party databases to spot holes in the background of synthetic identities and deny them access.
The best solutions have the flexibility to be integrated into an existing system or to stand alone as an added layer of protection. They should use PAD technology and proprietary algorithms to automatically detect various cues that indicate digitally generated or altered content at the very beginning of a user interaction, giving identity systems time to request step-up authentication or flag alerts for human agents.
2. Continued rise in account takeovers (ATOs)
An account takeover occurs when a fraudster gains access to a customer’s account or a company’s accounts and systems using legitimate user credentials that have been stolen or purchased from the dark web. An ATO can also occur during a session, after the user has logged in with their credentials. Once they control a user’s account, fraudsters can steal money, loyalty points, and other valuable digital items; they can also commit credit card fraud, money laundering, and even gain deeper access to business systems and data to leak private information.
ATOs accounted for over one-third of the fraudulent activity reported to the Federal Trade Commission in 2022. SEON found that 22% of Americans have been victimized by ATOs, with average losses totaling $12,000 per case. In its Global Fraud Trends Survey 2023, Ravelin found that “over 50% of merchants globally say they’re losing up to $5 million a year as a result of account takeover.”
Account takeovers will continue to rise in 2024, too, as the data breaches that fuel them continue to increase. In “The Continued Threat to Personal Data: Three Factors Behind The 2023 Increase,” a study sponsored by Apple, Professor Stuart E. Madnick, Ph.D., reported that “in just the first nine months of 2023, data breaches in the U.S. have already increased by nearly 20% compared to all of 2022.”
Another reason behind the increase in ATOs is that criminals are focusing on the vulnerabilities of the mobile devices that so many people now use to access their banking, retail, work, and other accounts – devices users are accustomed to using when asked to verify their identities during multi-factor authentication (MFA) scenarios. In fact, Statista found that by August 2023, mobile ecommerce sales had reached $2.2 trillion and made up 60% of global ecommerce sales. In a survey completed for the American Bankers Association, 48% of bank customers reported using apps on their phones or mobile devices as their top option for managing their bank accounts.
ATOs are also being driven by the use of bots and other automated tools that make it easier for criminals to use stolen identity data to attack businesses. According to research released in November by Arkose Labs, in Q2 2023, there was a 202% increase in bots attempting ATOs of consumer financial accounts, and the 2023 Enterprise Bot Fraud Benchmark Report from HUMAN found a 108% YOY (year-over-year) increase in bot-backed ATO attacks.
Biometrics-based authentication can help businesses protect against ATO. Replacing KBA (knowledge-based authentication) factors like passwords and codes, which can be easily stolen in data breaches and from mobile devices, with biometric factors that are much more difficult to steal or duplicate decreases the likelihood of ATO success. Behavioral biometrics monitors consumer and employee behavior across online user sessions using uniquely identifiable elements, such as how a user touches and types, moves their mouse, or swipes between screens. It provides protection against ATOs that occur after login (during a session) by alerting a business when those behaviors change.
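As an added illustration of the in-session monitoring described above (not Daon's algorithm and not code from this article), the Python example below builds a per-user baseline from constructed typing and mouse measurements and reports the first sliding window in a session where behavior departs from it. The feature names, window size, and threshold are assumptions chosen for the example.

```python
from statistics import median

# Assumed feature names; production systems use many more signals.
FEATURES = ("dwell_ms", "flight_ms", "mouse_px_per_s")

def ev(dwell, flight, mouse):
    return dict(zip(FEATURES, (dwell, flight, mouse)))

# Constructed enrollment data: one user's measurements from earlier sessions.
ENROLLED = [ev(98, 150, 800), ev(102, 145, 790), ev(95, 155, 810), ev(100, 148, 805),
            ev(104, 152, 795), ev(97, 158, 815), ev(101, 143, 785), ev(99, 151, 802)]

# Constructed session: the account owner for six events, then a different operator.
SESSION = [ev(99, 149, 798), ev(101, 152, 806), ev(96, 147, 801), ev(103, 154, 792),
           ev(100, 150, 809), ev(98, 146, 797), ev(62, 82, 1480), ev(58, 79, 1510),
           ev(61, 85, 1495), ev(60, 80, 1520), ev(59, 83, 1490), ev(63, 81, 1505)]

def build_profile(enrolled):
    """Per-feature (median, MAD) baseline; robust to a few odd samples."""
    profile = {}
    for f in FEATURES:
        values = [e[f] for e in enrolled]
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
        profile[f] = (med, mad)
    return profile

def window_score(profile, window):
    """Mean robust z-score of the window's feature medians against the baseline."""
    total = 0.0
    for f in FEATURES:
        med, mad = profile[f]
        total += abs(median(e[f] for e in window) - med) / (1.4826 * mad)
    return total / len(FEATURES)

def first_anomalous_window(profile, events, size=4, threshold=3.0):
    """Start index of the first window scoring above threshold, or None."""
    for start in range(len(events) - size + 1):
        if window_score(profile, events[start:start + size]) > threshold:
            return start
    return None

if __name__ == "__main__":
    start = first_anomalous_window(build_profile(ENROLLED), SESSION)
    print("request step-up authentication at window starting at event", start)
```

Using window medians rather than single events means one stray keystroke does not trigger an alert, at the cost of a short delay before the change is flagged.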
Daon offers advanced behavioral biometrics solutions that protect businesses, their people, and their data from an array of fraud attacks – from ATOs to generative AI.
3. Expanding use of automation by cybercriminals
ATOs aren’t the only type of fraud that’s accelerated with bots and other automated tools. Other common uses of automation include credential stuffing, in which businesses are barraged with passwords stolen from other sites, and new account fraud.
Arkose Labs research found a 164% increase in bots attempting to establish fake new bank accounts. Research by Barracuda Networks discovered that over the first six months of 2023, malicious bots made up nearly half of global internet traffic. The 2023 Enterprise Bot Fraud Benchmark Report from HUMAN reported a 102% YOY increase in bad bot traffic.
The use of automated tools and bots and the number of attacks they enable will continue to grow in 2024 as AI increases both bot intelligence and the speed with which they can process data.
While biometrics systems are not infallible (nothing is when it comes to identity security), they remove the weakest point exploited by bots during credential stuffing and other types of attacks: the password. The paradox of passwords is that to be more secure, they must also be longer and more complex – which makes them harder for humans to remember. As a result, users tend to either create simpler, less secure passwords they can remember, or to reuse the same password across multiple accounts. This reuse is the basis for many successful attacks on businesses whose data has not been breached or stolen.
By removing passwords, biometrics-based identity assurance systems make it both more difficult for criminals to get in and easier for legitimate users to get the access they need.
Staying ahead of identity fraud in 2024
While we’ve looked at three key identity security trends here and how to combat them, there is one more trend that will drive a dramatic increase in all areas of cybersecurity risk and fraud: the growth of Cybercrime-as-a-Service (CaaS). The CaaS digital tools and software that would-be fraudsters can now affordably purchase from criminal organizations around the world include bots, ransomware, distributed denial-of-service tools, and malware. These are often used in data breaches and in the phishing, social engineering, and other attacks that enable theft of personal data and credentials directly from individuals.
As this CaaS trend opens the playing field to fraudsters who lack the sophisticated technical knowledge previously required for cyber and identity crimes, more businesses and organizations of all sizes and across all industries will be under attack in 2024. This poses extreme danger to those who have continued to use passwords and other “good enough” security models for customer and employee access to accounts, networks, and systems.
See how our biometric solutions integrate the advanced technology, futureproof features, and Identity Continuity approach unique to Daon that can help businesses combat identity fraud in 2024 and beyond.