
The recent data breach involving Evolve Bank & Trust and the LockBit ransomware group has sent shockwaves through the financial services and fintech market. Though the attack occurred in May and LockBit was out of Evolve’s systems within a few weeks, we’re just beginning to understand the impact of the breach among fintechs after LockBit released the data into the wild in late June.

Data breaches are always a mess – they are the fuel of identity and fraud attacks. But the Evolve attack is especially concerning for a few reasons. First, Evolve offers Banking-as-a-Service (BaaS) – when a sponsor bank is hit, its fintech partners are also exposed. Second, Evolve is a very large ACH originator, so even those who are not partners of the bank, but have sent or received payments from one of its programs, may have been compromised.

Most alarming, however, investigations of the exposed files from both Evolve and its fintech partners show that the data released, reportedly 33 terabytes' worth, included consumer PII with Social Security numbers (SSNs) along with account routing numbers and card Primary Account Numbers (PANs). Most breaches expose only partial identity elements.

Exposing this “full monty” of data opens the door to a wide array of attack types, from synthetic identity fraud to account takeover, and, of course, full identity theft, which allows for massive new account fraud across institutions. 

Preparedness requires an integrated approach to applying identity controls that can cover every vector, adapt to new attack types and be applied across the customer lifecycle.

Identity Fraud Trends to Watch for Post-Breach

In an already complicated fraud landscape, we expect things to get even more challenging in the following ways:

Account creation fraud: Having stolen full identities intact — from PII to account number — we expect to see new account attacks at scale, especially if this data is operationalized through bots. Patterns will include:

  • Rapid new account registrations: We’ll likely see an unusually high velocity of new account registrations in a short period.
  • Repeat use of full or partial identities across organizations: We are likely to see the same identity reused across multiple organizations at high velocity in a short period of time. We could also see elements of an identity, such as the same face or device, tied to multiple different identities at high velocity.
  • Inconsistent data: In these mass attacks, we’ll see a higher prevalence of provided data that doesn’t match authoritative data sources or established user profiles.
  • Graph analytics are crucial: The ability to see velocity of both full identities and the elements of identities mismatched across organizations is critical to stopping attacks from this breach that are likely to show cross-org patterns.
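
The two velocity patterns above (one identity appearing at several organizations, and one device tied to several identities) can be checked with a sliding time window over application events. The following is an added example, not Socure's code; the event fields, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample applications: (timestamp, org, identity key, device id).
# The identity key stands in for a keyed hash of name + SSN; never log raw PII.
APPLICATIONS = [
    ("2024-07-01T10:00:00", "fintech-a", "id-1001", "dev-aa"),
    ("2024-07-01T10:02:00", "fintech-b", "id-1001", "dev-aa"),
    ("2024-07-01T10:03:00", "fintech-c", "id-1001", "dev-bb"),
    ("2024-07-01T10:04:00", "fintech-a", "id-2002", "dev-aa"),
    ("2024-07-01T10:05:00", "fintech-b", "id-3003", "dev-aa"),
    ("2024-07-01T18:00:00", "fintech-a", "id-4004", "dev-cc"),
    ("2024-07-03T09:00:00", "fintech-c", "id-4004", "dev-cc"),
]

def max_distinct_in_window(pairs, window):
    """Largest number of distinct values seen inside any sliding time window."""
    pairs = sorted(pairs)
    best, start = 0, 0
    for end in range(len(pairs)):
        while pairs[end][0] - pairs[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in pairs[start:end + 1]}))
    return best

def velocity_alerts(apps, window=timedelta(hours=1), max_orgs=2, max_ids=2):
    """Flag identities seen at too many orgs and devices tied to too many identities."""
    by_identity, by_device = defaultdict(list), defaultdict(list)
    for ts, org, identity, device in apps:
        t = datetime.fromisoformat(ts)
        by_identity[identity].append((t, org))
        by_device[device].append((t, identity))
    alerts = []
    for identity, pairs in by_identity.items():
        n = max_distinct_in_window(pairs, window)
        if n > max_orgs:
            alerts.append(("identity_cross_org", identity, n))
    for device, pairs in by_device.items():
        n = max_distinct_in_window(pairs, window)
        if n > max_ids:
            alerts.append(("device_multi_identity", device, n))
    return sorted(alerts)
```

A single organization only sees its own slice of these events, which is why the cross-org count needs a shared view of applications.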

Synthetic identity fraud: With so much PII and account information available, fraudsters have endless fodder to both manipulate and fabricate identities to brew synthetics. These attacks will likely play out over a longer period of time. 

Synthetic attacks often look like: 

  • Data combination attempts: Look out for new accounts being created using valid but mismatched or manipulated personal data.
  • Unusual patterns: Monitor for inconsistent or irregular patterns in identity data, such as mismatched names and Social Security numbers.

Account takeover attacks: Fraudsters will look to make non-monetary account updates, such as changing the account’s related phone number, to gain unauthorized access to existing accounts and bypass controls such as one-time passwords. Signs of this type of attack could include:

  • Device, account ownership, and location changes: We expect to see sudden changes in the devices used to access accounts, or unexpected login locations. 
  • Unverified changes to contact information: Correlate changes to phone, email, or address information with one-time passcode requests to detect potentially anomalous behavior.
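
The correlation described above can be expressed as a rule over an account event stream: a contact change followed shortly by a one-time passcode request, weighted more heavily when the change came from a device that only recently appeared on the account. This is an added example, not code from the original post; the event names, time windows and sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed account event log: (timestamp, account, event, device).
EVENTS = [
    ("2024-07-02T08:00:00", "acct-1", "login", "dev-home"),
    ("2024-07-02T08:05:00", "acct-1", "otp_request", "dev-home"),
    ("2024-07-05T02:10:00", "acct-1", "login", "dev-new"),
    ("2024-07-05T02:11:00", "acct-1", "phone_change", "dev-new"),
    ("2024-07-05T02:13:00", "acct-1", "otp_request", "dev-new"),
    ("2024-07-03T12:00:00", "acct-2", "login", "dev-work"),
    ("2024-07-04T12:00:00", "acct-2", "email_change", "dev-work"),
    ("2024-07-06T12:00:00", "acct-2", "otp_request", "dev-work"),
]
CONTACT_CHANGES = {"phone_change", "email_change", "address_change"}

def ato_signals(events, window=timedelta(minutes=30), device_age=timedelta(days=1)):
    """Return (account, change, reasons) for contact changes that look like ATO staging."""
    parsed = sorted((datetime.fromisoformat(ts), acct, ev, dev)
                    for ts, acct, ev, dev in events)
    first_seen = {}   # (account, device) -> first time the device touched the account
    pending = []      # contact changes waiting for a follow-up OTP request
    findings = []
    for t, acct, ev, dev in parsed:
        first_seen.setdefault((acct, dev), t)
        if ev in CONTACT_CHANGES:
            # A device younger than device_age on this account counts as new.
            new_device = t - first_seen[(acct, dev)] < device_age
            pending.append((t, acct, ev, new_device))
        elif ev == "otp_request":
            for ct, cacct, cev, new_device in pending:
                if cacct == acct and t - ct <= window:
                    reasons = ["otp_after_contact_change"]
                    if new_device:
                        reasons.append("change_from_new_device")
                    findings.append((acct, cev, reasons))
    return findings
```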

Credential stuffing: Credential stuffing attacks, where hackers use automated tools to test stolen username and password combinations, may also increase in frequency and scale. This may look like: 

  • Multiple login attempts: Watch for repeated login attempts using different credentials from the same IP address.
  • High failure rates: Pay attention to a high number of failed logins, which can indicate attempts to use stolen data to gain access.
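
Both signals above can be combined so that one customer mistyping a password is not flagged, while a source that tries many different accounts and mostly fails is. This is an added example, not code from the original post; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth log lines: "<timestamp> <source ip> <username> <result>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
LOG = """\
2024-07-08T03:00:01 203.0.113.7 alice FAIL
2024-07-08T03:00:02 203.0.113.7 bob FAIL
2024-07-08T03:00:03 203.0.113.7 carol FAIL
2024-07-08T03:00:04 203.0.113.7 dave OK
2024-07-08T03:00:05 203.0.113.7 erin FAIL
2024-07-08T03:01:10 198.51.100.20 frank FAIL
2024-07-08T03:01:40 198.51.100.20 frank FAIL
2024-07-08T03:02:05 198.51.100.20 frank OK
"""

def stuffing_suspects(log, bucket_seconds=300, min_users=4, min_fail_rate=0.7):
    """Return {ip: stats} for IPs that try many accounts in one bucket and mostly fail."""
    buckets = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the job
        ts, ip, user, result = parts
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        epoch = int(when.timestamp())
        b = buckets[(ip, epoch - epoch % bucket_seconds)]
        b["users"].add(user)
        b["total"] += 1
        b["fail"] += result == "FAIL"
    suspects = {}
    for (ip, _start), b in buckets.items():
        rate = b["fail"] / b["total"]
        # Require BOTH many distinct usernames and a high failure rate.
        if len(b["users"]) >= min_users and rate >= min_fail_rate:
            suspects[ip] = {"users": len(b["users"]), "fail_rate": round(rate, 2)}
    return suspects
```

Attackers who rotate source addresses will stay under a per-IP threshold, so the same counting is worth repeating per device or per target account.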

Payment fraud: The interconnected nature of fintech ecosystems means that a breach at one institution can have far-reaching consequences across the industry. Using stolen personal information, criminals may attempt to initiate unauthorized transactions or add compromised payment methods to accounts. They may also try to link accounts together for funding purposes. Fintechs must remain vigilant and adopt robust, multi-layered security measures to protect their platforms and validate bank account ownership to preserve customer trust and maintain the integrity of the financial system they’re working to innovate.

  • Unusual transaction patterns: Track large or atypical transactions, especially those deviating from the user’s regular behavior.
  • New payment methods: Be wary of new or seldom-used payment methods being added to accounts.

Addressing the Evolving Threat Landscape: Socure’s Comprehensive Approach

The Evolve Bank & Trust breach highlights the vulnerability of interconnected fintech ecosystems, and the ways stolen identities can impact consumers every time they engage with the financial system.

To solve these challenges, Socure applies integrated identity controls that are designed to block potential attacks, including new account fraud, account takeover scams, synthetic fraud, and payment manipulation. These integrated solutions are powered by identity graph-based intelligence that allow us to see attacks as they occur across organizations and across the market in real time.

Socure’s advantage lies in a decade-plus of building AI-based solutions for identity and fraud prevention. We have built a consortium of over 2,500 institutions, giving us real-time graph intelligence across a vast network that allows us to continuously update our fraud models with the latest attack patterns. 

Our advanced feature engineering and models capture differences between victims and fraudsters, providing protection against stolen or manipulated identities across our network. With a 360-degree view of the identity, Socure offers an additional layer of security through our patent-pending Entity Profiler, which links PII to device and behavioral data at an enormous scale. These robust profiles and anomaly detection capabilities make it impossible for fraudsters to mimic legitimate users, as they cannot replicate their victims’ devices and behavioral tendencies. 

How Socure Can Help

Offering a fully integrated suite of fraud solutions — as opposed to a range of point solutions that don’t prevent multi-vector, cross-channel attacks — is critical. This looks like: 

1. New account fraud prevention 

Our Digital Intelligence, Sigma Synthetic v4, Sigma Identity v4, and Address, Phone and Email RiskScores, as well as DocV, work in concert to stop fraudsters from using stolen PII to open new accounts. Sigma Identity v4 captures an extensive digital footprint and continuously assesses behavioral patterns and anomalies across PII. When combined with the RiskScores, Sigma Synthetic v4 and Digital Intelligence, Socure provides a 360-degree view of a consumer identity with near-perfect accuracy. DocV is further instrumental in offering high-assurance verifications at new account creation.

2. Account takeover prevention 

Socure’s Phone, Email, and Address Risk Scores along with Digital Intelligence and DocV for step-up halt ATO attempts at PII account changes, logins and high-risk transactions. These solutions carefully and accurately evaluate attributes and assess their correlations, detecting recent PII changes, and identifying unusual login and behavioral patterns.

3. Enhanced verification for high-risk activities 

Socure’s DocV solution offers a layered defense by assessing the validity of a government-issued ID, comparing it to the user’s selfie as well as the PII, ID barcode, and device and behavioral intelligence. The guided capture experience, passive liveness detection, and a response time under 1.5 seconds ensure a frictionless experience for the users. Additionally, companies can use an authoritative data source like eCBSV to capture synthetic risk where fraudsters reuse slightly manipulated identities to maximize their profit. 

4. Organized fraud attack prevention 

Our Digital Intelligence and DocV Image Alert List elevate repeated use of identities and attack patterns across the graph network, effectively multiplying fraud detection efforts with real-time collective intelligence. For instance, Socure actively captures device, geo location, IP, image anomalies, and more across the network to flag fraud risk and prevent coordinated and organized attacks.

5. Socure Reverification 

For existing DocV users, selfie-based reverification strengthens security during high-risk activities like account changes or money transfers by verifying the identity of the previously approved user.

6. Stolen bank credential protection 

Socure Account Intelligence combined with Socure’s broader identity verification suite ensures the account belongs to the person claiming ownership and that person’s identity wasn’t compromised in the breach and used by a fraudster. With both account and routing numbers exposed in this recent breach, this combination helps ensure that the stolen credentials are not used to fund or steal money from legitimate accounts.

To stay ahead of evolving threats, we recommend using the latest versions of Socure’s solutions and regularly reviewing risk thresholds with your Socure account team. Our recent updates bring further innovations in document verification, enhanced RiskScores, and expanded international coverage, reflecting our commitment to continuous improvement and customer-driven excellence.

Tristan Jung

Tristan Jung is a Senior Content Marketing Manager at Socure. He has worked in the identity verification industry for three years and has an extensive background in technology communications.