ID fraud set to rise as O2 suffers credential stuffing

Thousands of O2 customers stand to have their identities stolen as a BBC investigation reveals that its customer data is for sale on the dark web including phone numbers, email addresses and passwords. 

It is thought that the data for sale has been created through a practice called credential stuffing. This is where a criminal uses a piece of software to repeatedly attempt to gain access to customers' accounts by using the login details it has obtained from elsewhere - in this case, a November 2013 attack on gaming website XSplit.

When successful, a customer's details can be retrieved and sold as a package. This suggests that Frank Abagnale of Catch Me If You Can fame is right. Last year he warned that it is likely that every person in the UK has already had their personal details stolen - it's just a matter of criminals matching them and activating them. 

Within this data haul statistically there will also be a number of accounts of people that have passed away. The personal data of people that are deceased are sold at a higher premium as typically the fraud goes unnoticed for longer meaning it is more lucrative.

This proves quite a problem for credit providers as it means thousands of pounds can be defrauded before the crime is discovered. The easiest way to stop it is to screen all credit applications against list of deceased individuals to highlight fraud attempts at the source.

As discussed in our pension blog last week identity fraud is an economic crime; when the country is financially stressed the number of these crimes tend to rise. Brexit is expected to create a period of economic instability and resultantly experts are predicting more incidents of ID fraud meaning more vigilance is needed to identify potential fraud before it happens.