DOI: 10.1145/3626232.3653266 (research article, CODASPY conference proceedings)

Nothing Personal: Understanding the Spread and Use of Personally Identifiable Information in the Financial Ecosystem

Published: 19 June 2024

Abstract

Online services leverage various authentication methods with differing usability and reliability trade-offs, such as password-based or multi-factor authentication (MFA). Financial service providers, however, face a unique challenge: authenticating the user's legal identity, which involves verifying Personally Identifiable Information (PII). We call this PII-based authentication (PII-BA). These methods assume that PII is private; yet identity theft victimizes millions annually and exposes their PII to criminals.
In this paper, we investigate the potential for identity fraud that breaks PII-BA with stolen PII in the financial ecosystem. First, we measure what PII is used in PII-BA across five different financial services for 17 U.S. financial institutions. We subsequently collect data on where PII and associated illegal services are available for purchase by monetizers (who perform identity fraud with obtained stolen PII) operating within the underground economy and on paste sites. Finally, we analyze how monetizers can make money from stolen PII, either by breaking PII-BA or by directly monetizing the PII, together with the associated cost. Our study reveals that payment processing companies (PPCs) impose lower PII requirements for the password/username recovery PII-BA service than commercial banks do. Consequently, criminals can bypass this PII-BA service across all PPCs by paying 3.5-50, as opposed to 10.5-600 for banks. We also outline potential mitigations, which could be an essential step in addressing identity fraud resulting from PII-BA in the financial ecosystem.


Cited By

  • (2024) Browser Polygraph: Efficient Deployment of Coarse-Grained Browser Fingerprints for Web-Scale Detection of Fraud Browsers. Proceedings of the 2024 ACM on Internet Measurement Conference, 681-703. DOI: 10.1145/3646547.3688455. Online publication date: 4 November 2024.


Published In

CODASPY '24: Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy
June 2024, 429 pages
ISBN: 9798400704215
DOI: 10.1145/3626232
  • General Chair: João P. Vilela
  • Program Chairs: Haya Schulmann, Ninghui Li

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. authentication mechanisms
  2. security and privacy
  3. underground community
  4. web security

Conference

CODASPY '24. Overall acceptance rate: 149 of 789 submissions (19%).
