The term “fullz” is used by criminals on the darkweb when they are buying or selling stolen credentials. It is short for “full information.” “Fullz” is a complete set of identity information on a fraud victim, with enough detailed information to impersonate the individual online, open fraudulent accounts in their name, and steal their identity. Use of fullz by bad actors presents a risk to businesses who allow for digital identity verification, as fullz give fraudsters a deep ability to impersonate a legitimate customer.
What information is included in the definition of fullz?
At minimum, when a identity thief purports to have fullz on a particular use they will be selling access to:
- Full name of the victim
- Billing address
- Credit card number, including expiration date and CVV code
- Social Security Number
- Date of birth
- Phone number (in some cases)
Because fullz provides such deep data that can be used to perform identity theft, each set of fullz can fetch around $150 on the black market. Incomplete sets of data are far cheaper.
How to protect your business against the risk of fullz
Use of fullz presents a real business risk because this data gives criminals enough information to represent themselves as the identity theft victim online. This opens your business up to account fraud, purchase fraud, return fraud, and other types of fraud, since fullz will allow the criminal to operate as though they are a legitimate user.If criminals use fullz to conduct fraudulent transactions, your business could also be subject to chargebacks. And if your business is subject to strict KYL/AML protocols, you could be liable for failing to identify the illegitimate users.
There are several key ways you can protect your business from fullz usage.
Requiring a photo of the ID for account creation
Fullz might mean that a criminal has access to the ID number and social security number, but rarely do they have access to the physical ID of the identity theft victim. So by requiring a photo of the front and back of the ID, you’ll be creating a major speed bump for fraudsters who thought they could get away with just entering information as plaintext.
While some businesses allow for upload of a previously taken image of the ID, we recommend requiring that the user take the photos during the account setup process, as this reduces fraud from stolen or out-of-date photos and requires that they have the ID in-hand during the remote ID validation process.
Two Factor Authentication
Two factor authentication (2FA) is now part of NIST and most government standards. 2FA requires that users have access to an email or device where the identity verification request can be sent. 2FA is a powerful deterrent against fraud, but it only works if you already have contact information for a particular individual. Truly sneaky fraudster can also sometimes move the victim’s phone number to a phone they control, where they can receive 2FA codes.
Knowledge-based authentication (KBA)
Security questions based on data obtained from a third party database can provide another great speedbump to fraudsters who have fullz on a victim. KBA questions are generated based on things like DMV records and utility bills and are designed to be questions that only the true individual knows the answer to. A criminal who has only access to basic information will likely not know past addresses, family member names, or cell phone providers.
True identity verification includes matching a real person to the individual on the ID, or associated with the credentials being used. A quick video can create a 3D mask of the user and use face match technology to confirm that the live individual is the same person on the ID. Very few criminals will have access to the deepfake or 3D mask technology to defeat anti-spoofing technology.
Which businesses are at the highest risk of fullz-related fraud?
Financial businesses are the top targets for fraudsters. Loan and new account fraud with banks, credit unions, car dealerships, and other financing organizations are on the rise. Additionally, the government itself is a top target for benefit theft, tax fraud, and fraudulent unemployment benefits.
However, fraudsters are increasingly targeting less-sophisticated companies such as small retailers, video game companies, and even peer-to-peer transactions.
Protect against fullz fraud
Contact us for a demo of our digital identity verification solutions, which can fight fullz fraud in multiple ways.