Nothing Personal: Understanding the Spread and Use of Personally Identifiable Information in the Financial Ecosystem
Conference proceeding

Zhibo Eric Sun, Mehrnoosh Zaeifi, Faezeh Kalantari, Adam Oest, Gail-Joon Ahn, Yan Shoshitaishvili, Tiffany Bao, Ruoyu Wang and Adam Doupe
CODASPY '24: Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, pp 55-65
19 Jun 2024
URL: https://doi.org/10.1145/3626232.3653266
Version: Published, Version of Record (VoR)
Access: Open Access via Drexel Libraries Read and Publish Program 2024; Open Access (License Unspecified)

Abstract

Keywords: Authentication mechanisms; Security and privacy; Underground community; Web security
Online services leverage various authentication methods with differing usability and reliability trade-offs, such as password-based or multi-factor authentication (MFA). However, financial service providers face a unique challenge: authenticating the user's legal identity, which involves verifying Personally Identifiable Information (PII), which we call PII-based authentication (PII-BA). These methods assume that PII is private; however, identity theft victimizes millions annually and exposes their PII to criminals. In this paper, we investigate the potential of identity fraud that breaks PII-BA with stolen PII in the financial ecosystem. First, we measure what PII is used in PII-BA across five different financial services for 17 U.S. financial institutions. We subsequently collect data where PII and associated illegal services are available for purchase by monetizers (who perform identity fraud via obtained stolen PII) operating within the underground economy and paste sites. Finally, we analyze how monetizers can make money from stolen PII by either breaking PII-BA or directly monetizing the PII, together with the associated cost. Our study reveals that payment processing companies (PPCs) impose lower PII requirements for password/username recovery service PII-BA compared to commercial banks. Consequently, criminals can bypass this PII-BA service across all PPCs by paying 3.5-50 as opposed to 10.5-600 for banks. We also outline potential mitigations which could be an essential step in addressing identity fraud resulting from PII-BA in the financial ecosystem.

Metrics

1 file view/download
41 record views
1 citation in Scopus

Details

InCites Highlights

Data related to this publication, from InCites Benchmarking & Analytics tool:

Collaboration types: Domestic collaboration
Web of Science research areas: Computer Science, Information Systems; Computer Science, Theory & Methods; Mathematics, Applied