Trade in 220 million fake IDs worth $2.3 billion

Police in Berlin thought they had tracked down a notorious hacker responsible for stealing US$ 18 billion from Deutsche Bank.

“The hacker wasn’t as good at covering his tracks as he thought. We managed to trace him back and capture a Facebook cookie. We’ve investigated the account and forces are on their way,” said Phillippe Mauer, the lead detective on the case.

But it turns out the Facebook account was a careful forgery. Seven years of social activity, and the illusion of a network of friends – including photos of parties and lengthy online games – were just made up. Now the police are embarrassed; theirs is just the latest investigation left in tatters by online identity fakes.

“It’s a massive industry. In South America, India and China, thousands of youths are paid by organized criminals to develop sophisticated and comprehensive online identities using Google, Facebook and Twitter. They sell these ready-made identities for anywhere from US$ 100 to US$ 10,000 to online criminals who use them and abandon them at will,” says Shelly Windstone, a data piracy consultant at WindstoneMajors.

“It’s a new nightmare for law-enforcement,” says Steve Jones at the FBI. “When governments were responsible for ensuring identity, then we had identity theft. Now people just make one up for themselves. There are so many fake identities out there, we no longer have any idea who is real.”

ANALYSIS >> SYNTHESIS: How this scenario came to be

January 2013: Manti Te’o’s deep relationship with a puppet
It was an inspirational story. Manti Te’o, a linebacker on Notre Dame’s football team, learned of the death of his grandmother, Annette Santiago, and his girlfriend, Lennay Kekua, on the day of a major match. Despite his obvious distress, he went out to lead his team to a 20-3 victory over Michigan State.

The problem was that Lennay Kekua never existed. Played out in public on Twitter and Facebook, Kekua’s identity has existed since early 2011. She started dating Te’o in 2009 and ‘died’ in September 2012. Bloggers at Deadspin tracked down the person in the photographs, still alive, who was horrified at the use of her image. Te’o is humiliated … or was he involved?

The story amuses people across the world for almost two weeks. It is part of a broader problem, however.

Facebook reveals that 8.7% of its accounts are fake: over 83 million profiles. Twitter has an even worse problem. You can buy fake Twitter followers from hundreds of online services for as little as US$ 18 per thousand. Retweets cost between US$ 2.50 and US$ 55. During Mitt Romney’s unsuccessful bid to become US president, he is embarrassed when more than 30% of his Twitter followers are discovered to be fake.

Fake online profiles, known as “sock puppets”, are used to promote product sales, distribute key-loggers and other viruses, attack sites through denial-of-service attacks, and even perpetrate straightforward identity theft.

Numerous governments are also experimenting with creating fake identities. The United States Central Command (Centcom) contracts a private company to create online personas, stipulating that each “must have a convincing background, history and supporting details, and that up to 50 US-based controllers should be able to operate false identities from their workstations without fear of being discovered by sophisticated adversaries.”

“We’re obviously concerned,” says Joshua Smith, a researcher at Kaspersky Internet Security. “The weakest link in online security is the human element. Fake identities can easily be used to gain trust and profit from gullible people.”

March 2014: Fakes catch terrorists and voters alike
Ayman Al-Zawahiri has spent almost 20 years at the top of the FBI’s list of most wanted terrorists. The reward of US$ 25 million is spectacularly claimed on 12 March when Cybercide, a security consultancy, presents the physical location of Al-Zawahiri to the FBI. Televised on a two-hour time delay, Al-Zawahiri is captured by special forces operatives.

“Yes, obviously it’s a marketing ploy,” says Feinstein Al-abi, a spokespuppet (their term) for Cybercide. “And good luck getting revenge. None of us exist.”

Cybercide have introduced themselves in singular style. They only receive payments in Bitcoins, the crypto-currency. Their website is only accessible via the Tor Network, an encrypted online anonymity system. None of their staff are known and the company doesn’t appear on any company registrar’s database anywhere.

“We believe them,” says Lucinda Folks, at the FBI. “We just put them on retainer at US$ 8 million per year.”

Cybercide spent more than a year building credibility and confidence inside the al-Qaeda network. They then appropriated the identities of a number of senior al-Qaeda operatives and used these to communicate inside the organization. That is as much as they are willing to say about their methods. Analysts believe that they managed to trick Al-Zawahiri into believing that an identity they created was real and trusted, and that he – eventually – betrayed his location to them.

Cybercide isn’t the only organization tricking skeptics.

San Franciscans are horrified to discover that they have elected a sock puppet in a by-election. Touted as the first purely digital election – delegates debated via YouTube and Reddit – it is also the most comprehensively discredited election in US history.

Anne Aegis appeared to be a credible candidate. “Her birth-certificate, proof of residency, bank statements … everything she needed to register as a candidate appeared legitimate,” says Inspector Sam Peckinpar at the San Francisco State Attorney’s office. All were issued by the appropriate authorities. Aegis’ Facebook, Twitter and other social media accounts all appear more than four years old.

“Whoever did this, well, they really did it well,” says Peckinpar. “We think it’s also advertising. A bit like that Al-Zawahiri thing. But this time, it’s the bad guys advertising. And we don’t even know who’s selling.”

April 2015: Fake crime wave, real crime
“We estimate the value of the trade in fake identities at about US$ 2.3 billion a year. The value derived from those fake identities? We have no way of knowing,” says Shelly Windstone, a data piracy consultant at WindstoneMajors. “It’s a massive industry. In South America, India and China, thousands of youths are paid by organized criminals to develop sophisticated and comprehensive online identities using Google, Facebook and Twitter. They sell these ready-made identities for anywhere from US$ 100 to US$ 10,000 to online criminals who use them and abandon them at will.”

An Al-Jazeera camera crew comes under fire as it attempts to gain access to one such ‘identity farm’ in the Philippines. When military police arrive later, the entire warehouse has been abandoned. “They knew we were coming,” says one disgusted soldier. It is suspected that identities produced in this farm were used by unknown attackers to gain access to Deutsche Bank’s currency transfer servers and so steal US$ 18 billion.

The financial fallout from the hacking at Deutsche Bank is immediate. Depositors, insurers and investors pull out, unsure of how far the fake identities penetrate into Deutsche Bank’s system. “It doesn’t present as a hack. As far as their systems are concerned, all the transactions are being done by legitimate people. They are going to have to physically verify every account in their system. Until then, they’re wide open,” says one investor.

When Phillipe Mauer, the lead detective on the case, resigns, followed shortly thereafter by Deutsche Bank’s head of data security, it is merely a formality.

“Our greater concern is just who is real,” says Steve Jones at the FBI. “We’re now spending about US$ 27 million a year on services designed to catch criminals running these fraudulent identities. Yet the services we hire are themselves anonymous and run by who knows who?”

Globally, anonymously-run identity protection services like Cybercide now earn an estimated US$ 160 million annually.

“We’re going to have to rethink everything we know about identity. We used to joke that on the Internet no-one knows you’re a dog. Now it’s true that on the Internet no-one knows if anyone else is real!” says Shelly Windstone.

Warning: Hazardous thinking at work

Despite appearances to the contrary, Futureworld cannot and does not predict the future. Our Mindbullets scenarios are fictitious and designed purely to explore possible futures, challenge and stimulate strategic thinking. Use these at your own risk. Any reference to actual people, entities or events is entirely allegorical. Copyright Futureworld International Limited. Reproduction or distribution permitted only with recognition of Copyright and the inclusion of this disclaimer.