Over 10,000 Online ID Fraud Rings Uncovered in United States

Researchers at ID Analytics estimate there are more than 10,000 criminal rings dealing in identity fraud in the United States. Most of these rings consist of family and friends, not professional criminals, the researchers found.

While there are rings consisting of two or more career criminals working together, the majority are family members or groups of friends stealing victims' identities or improperly using victims' personal data on various financial applications, according to a report released Wednesday from ID:A Labs, the research division within ID Analytics. In the study, ID:A Labs researchers defined an identity fraud ring as a group of people actively collaborating to commit identity fraud.

The ring members may be misusing dates of birth and Social Security numbers when applying for credit cards, loans, or other financial services. Researchers inferred collusion, meaning people were working together, when different applications used similar personal identifying information.

Selling identities, such as names and credit card numbers, is just one way cyber-criminals can make money, Richard Henderson, a security strategist at FortiGuard Labs, told SecurityWeek.

ID:A Labs analyzed the data collected within the ID Analytics ID Network between January 2009 and September 2010 for the study. The network includes approximately 1.7 billion "identity risk events," which include applications for credit cards, wireless phones, payday loans, utilities, and other financial services products, as well as requests to change names, addresses, dates of birth, and Social Security numbers.

The report examined "connections among bad people rather than studying individual activity," said Stephen Coggeshall, CTO of ID Analytics. Understanding how fraudsters are connected helps customers make better decisions, Coggeshall said. The report excluded incidents where it appeared the family was sharing identities to avoid being flagged as a bad credit risk and focused on incidents where the intent was clearly fraudulent.

A large number of families were working together, using each other's Social Security numbers and dates of birth, ID Analytics found. For example, ID:A Labs identified a family of five in Florida, ranging in age from 24 to 37, who had filed at least 130 fraudulent applications using more than eight Social Security numbers and 11 dates of birth over a three-year period.

A six-member team operating out of Washington, DC was run by a pair of sisters, according to the report. The team used 10 Social Security numbers, multiple names and birthdates to commit fraud. The group also used stolen identities to complete more than 69 credit card applications, the report found.

Two families appear to have teamed up near McCallum, Texas, to submit 142 fraudulent applications, the report found. One part of the gang targeted wireless providers while the other focused on retail and bank credit cards, the report said.

"Crimeware syndicates aren’t going away anytime soon. In short, it’s way too profitable–crimeware equals high returns and almost zero risk for its creators," Derek Manky, a senior security strategist at FortiGuard Labs, told SecurityWeek.

States with the highest number of fraud rings included Alabama, North and South Carolina, Delaware, Georgia, Mississippi, and Texas, the study found. When ID Analytics filtered the fraudulent activity on the first three digits of the zip code, researchers found that areas around Washington, DC, Tampa, Fla., Greenville, Miss., Macon, Ga., and Montgomery, Ala., had the most fraud rings. Fraud wasn't limited to just the urban areas, either, as researchers found a "surprisingly high number" in rural areas.

While some states had more fraud activity in one industry over another, South Carolina and Georgia were a "hotbed" of fraudulent activity for three major industry sectors: wireless, bank cards, and retail credit cards, the study found. ID Analytics also identified two fraud rings focused on bank cards, in Gainesville, Fla., and Orlando, that each filed 200 applications.

Wireless carriers suffered the most fraudulent activity, according to the report.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.