I’ve been stealing people’s identities for over 20 years. No, I’m not a criminal—I’m a hacker hired by companies to stress-test the digital identities of their workforce and verify that cybercriminals aren’t able to sneak onto company networks disguised as an employee.
But after cracking virtually every login combination you can think of throughout my career, I no longer need to “hack” my way in—instead I can just log in.
For cybercriminals it’s becoming something alarmingly easy to do, too. Last year, most cyberattacks that IBM responded to were caused by cybercriminals using employees’ identities to access their company network. Add to that, there was a 71% uptick in the volume of these attacks compared to the year prior, telling us that the tactic is gaining in popularity amongst cybercrime groups.
You might be wondering what’s changed that’s made this tactic so popular. Well, your identity is no longer as safeguarded as you think it is. There are little fragments of it exposed, stolen, or (unbeknownst to you) public that cybercriminals are stitching together for a big payout. In fact, with generative AI at their disposal, locating those fragments and linking them together will become much easier to do.
The Bytes and Pieces of our Identity
Our identities are made up of multiple components that need to be protected at all times. In the physical world, this would include (for the most part) whatever information you keep in your wallet—credit cards, ID, various insurance cards, medical ID cards, business cards, etc. In the digital world, beyond digitized versions of this same data, your usernames, passwords, and emails are also identity components. In fact, all of this classifies as personally identifiable information (PII).
Now, what if I told you that the same information that’s in your wallet is likely already available on the Dark Web, or on public records websites? While you may not consider your privacy severely violated if someone got ahold of your Costco membership card, your sentiment may change if a cybercriminal stitched together multiple personal identifiers revealing your hobbies, commutes, and other traits.
That online access would not only reveal where you shop, but what you buy; what car you drive; when and where you’re vacationing. All of this can be valuable to someone with a malicious cause. In breaches that IBM responded to, we’ve seen cybercriminals collect information from the type of pizza their victim ordered to the diaper size they stock up on for their baby.
An Identity Destined to Be Used Against You
It’s only a matter of time before your identity is exploited amid the growing adoption of generative AI and cybercriminals showing more interest in its use cases. My team has seen hundreds of thousands of discussions on Dark Web forums on this very topic already. They could use these tools to sort through and monetize on the billions of records they’ve collected from breaches over the years, collating all the information they have available on an individual and prioritizing them as a target based on their value or the likelihood of a successful compromise. Similar to how marketers will use AI to optimize their customer acquisition, cybercriminals will use it for “target acquisition.”
This identity crisis will not only exacerbate the situation, but it will also take on a different form as cybercriminals use generative AI to distort our identities for their attacks. A few years ago, when banks and internet providers prompted customers to use their voice as an added form of authentication, it sounded like a bulletproof safeguard. Now, generative AI chatbots are making it all too easy for malicious actors to clone someone’s voice or use a deepfake service to authenticate in your stead to a telephone agent.
Don’t Blame the User
While human error might trigger a security incident, it’s important to dispel the notion of users as the “root cause” of a data breach. Cybercriminals are continually investing in ways to access identity data. Just last year, the FBI and European law enforcement took down a cybercrime ring that had collected login details for 80 million user accounts—the problem is too big to place upon consumers to solve.
When access to this data is beyond users’ control it becomes a critical security issue that’s incumbent on enterprises to combat, considering this data remains the primary method that organizations adopt for user authentication—at work and across personal online activities.
The less we rely on it online, the more we lower the risk of our identifiers being used for malicious purposes. This growing problem has incentivized large organizations to move toward overhauling their access management processes—the more this movement scales, the more individuals will be able to regain control of their digital identities.
For criminals, pretending they are you is easy, but acting like it, too—not so much. Take it from me. This is why more and more businesses are making behavior—not identity per se—the foundation of their online authentication. Habits, typing speed, keystrokes, etc. all make up part of the behavioral analytics that can verify a unique user is legitimate.
Another tactic that’s gaining momentum is reducing the need for users to input their credentials into a system to access their accounts. Anytime a user is prompted to enter a password is an opportunity for a cybercriminal to exploit. More organizations are realizing this and investing in building an identity fabric that weaves together all the different identity profiles used across the various tools in that environment. This centralizes and even simplifies protection of users’ credentials for organizations, as opposed to managing this data in multiple different places.
Once identity data is exposed, it’s irreversible. That’s the ugly truth. This is why enterprises first—and consumers second—need to make identity a harder and longer path to success for cybercriminals to pursue. The harder it is to monetize on this data, the less incentivized will cybercriminals be to exploit it as a “pawn” for their schemes.