The fallout from the massive data breach at AT&T — where information tied to 73 million current and former account holders was leaked — has yet to be felt.
And changing passwords is a start, but by no means will it solve the problem.
Bryan Lewis, CEO of Intellicheck, noted to PYMNTS: “It’s not just the passcode you have to worry about.
The real issue in a breach of this size, with this data,” he said of the fraudsters in a Monday (April 1) interview, “is that they’re going to use it to steal your identity.”
The compromised data that’s now on the Dark Web spans everything from passwords and names to addresses and Social Security numbers.
And the data itself? It can be bought on the cheap.
As Lewis recounted, the Dark Web serves as an online marketplace where names, emails and other data points can be bought for $10 or $20. A driver’s license might go for $50. For a grand total of $80, Lewis said, an enterprising fraudster can grab all the information they might need to pose as someone else. They could then essentially go shopping, trying every site they can to open accounts, run up bills and buy all manner of goods that can easily be resold for monetary gain.
“If you’re one of the people who’ve had their data breached,” at the telecom giant, he said, “you’ve really got to be vigilant now — especially anywhere credit can be issued.”
The vulnerabilities linger. The fact remains that individuals use the same passwords over and over, Lewis said. A prudent strategy would be for consumers to make sure not to use the same passwords or PINs across multiple systems, particularly if they’re storing sensitive information with merchants and banks and enterprises.
Telecoms are especially appealing to fraudsters, said Lewis, who observed to PYMNTS that SIM card fraud and other scams allow bad actors access to victims’ phone and email accounts, and by extension their bank and brokerage accounts.
“Once I get access to your phone,” he said, “I can change your whole life… I’ve stolen your identity through your phone but now I’m really stealing your identity everywhere.”
He noted that more firms are looking beyond the passcode and two-factor identification, which still have a place in protecting customers’ identities, towards more robust identity validation, using government-issued ID and biometrics.
Banks and other credit-issuing entities are at the forefront of embracing such technologies and initiatives, he said, because they stand to lose consumer trust and take a financial hit when breaches occur. Identity theft, overall, accounted for $43 billion in losses across all companies as recently as two years ago.
Internal training is essential too, because often, data breaches take shape after an employee mistakenly lets a fraudster “in” by clicking on a seemingly official communication via text or email or even divulging information on a phone call.
Lewis noted that Intellicheck, for its part, conducts monthly training sessions with its employees and sends along “test” emails and texts to prod them towards a state of heightened vigilance.
Right now, it’s up to companies to take a proactive approach to identity management and verification, as the regulatory landscape has yet to truly become cohesive. Several states have their own rules on data privacy and facial recognition, and there’s currently no national ID in place.
Best practices at the company level, Lewis said, demand that companies identity-proof people before allowing major changes or major purchases, or as they move money out of accounts. And individuals, he said, would do well to sign up for credit monitoring services right away.
Asked by PYMNTS what a positive impact might be from the AT&T breach — not a silver lining, but a shift that winds up having benefits down the line — Lewis said that executives will “look at all of their systems and tighten them up… As they say: ‘We thought we thought of everything. What vulnerabilities did we miss?’”
As he told PYMNTS, “These high-profile breaches make everybody up their game in terms of protecting data.”