In Chapter 2, we briefly introduced the notion of synthetic identity. This is an identity constructed from valid artifacts, such as a social security number, that have been combined with falsified information to create a new, fictitious identity that can be used to commit fraud.
Fueled in part by the effectiveness of the EMV chip used for in-person transactions, fraudsters have been forced to find new ways to carry out crimes. Thanks to the enormous volume of compromised personal identity information stolen through corporate data breaches and made available on the dark web, synthetic identities have emerged as a fast-growing portion of online card-not-present credit fraud schemes.
By some estimates, synthetic identities were responsible for $6 billion in credit chargeoffs in 2016 and as much as 80 percent of all losses stemming from credit card fraud. With an average chargeoff of $15,000 per attack, it’s easy to see why fraudsters view this as an especially lucrative attack vector.
Synthetic identity fraud ranks as one of the three biggest risks facing banks.
With approximately 10 million new consumer credit files generated in the U.S. each year, synthetic identities can be very difficult to detect. Unlike stolen identity credentials used to commit direct fraud, synthetic identities are meticulously crafted and nurtured over time to create an entirely new person. And, while this guide has addressed the commercial applications of digital identity for enabling businesses to detect and block fraudsters using stolen credentials to impersonate legitimate customers, synthetic identities may represent a far greater threat.
For one thing, consumers do not normally discover that their personal information has been used to create a synthetic identity until they are contacted by a collection agency, which can be many months or years after fraudsters have begun defrauding businesses. This is typically the point when the associated businesses are first alerted to the problem as well.
Beyond financial losses, synthetic identities can also be leveraged in crimes with potentially devastating consequences. Plane tickets, government services, employment, telecom services, medical care, housing rentals and even firearms are just a few examples of goods and services that must be secured against individuals attempting to obfuscate their identity or their past behind a synthetic identity. What’s more, the ability to ascertain an individual’s true identity is critical to law enforcement’s efforts to block the movement of money between criminal or terrorist enterprises.
For the purposes of this discussion, we’ll focus on the United States, though the same techniques are applied around the globe. In the U.S., social security numbers are often used to seed synthetic identities, though fraudsters are also known to leverage credit profile numbers (CPNs). Because they generally won’t apply for credit for many years, minors make ideal targets for these schemes, as do the recently deceased, who typically have intact credit histories that are likely to be left unmonitored.
5 percent of all uncollected debt is attributed to synthetic IDs.
Generally, people intent on committing identity fraud acquire a valid social security number and begin assembling an identity online. To do this, they begin initiating multiple “proof of life” events, such as online personals or phone listings, social media profiles and digital payment accounts. They may even apply to loyalty programs or submit online credit applications.
Because of a lack of credit history, fraudsters may initially get declined, but can re-apply for trade lines with low credit limits and, in most cases, will eventually get approved.
Most synthetic IDs are nurtured through a process known as “piggybacking.” This involves having an identity added as an “authorized user” to an established credit file in the same way a credit card holder might add a spouse or child to an existing account. After as little as 30 days, the new user inherits the credit history.
There are ample online resources for facilitating piggybacking. Most recruit unsuspecting individuals to provide so called “pollinator accounts,” under the guise of helping the disadvantaged repair their credit histories. The owners of these pollinator accounts receive compensation in exchange for allowing an aggregator to place and eventually remove the authorized users from their credit lines. In return, aggregators get paid a significantly higher amount for the service.
Once credit is established, the synthetic identity can then be leveraged in a variety of ways. Fraud rings are known to work multiple synthetic identities in tandem, often through extensive networks of physical home or business addresses. They might establish what appear to be valid businesses, and then issue credit for fictitious goods and services, with fictitious payments reported to credit agencies. Fraudsters can also establish solid payment histories with legitimate businesses to create a credit history that eventually will be used to perpetrate “bust out” schemes, where credit limits are maxed out with no intention of repayment.
To this end, fraudsters using synthetic identities often prey on smaller businesses that are likely to accept new account applications from “thin file” prospects without much scrutiny beyond, perhaps, verifying a social security number. The fraudsters make calculated guesses on which account applications and transactions will be accepted by businesses that simply don’t have the time or resources to fully vet each application or are hesitant to turn away customers.
According to a study from Carnegie Mellon’s CyLab, children’s social security numbers are 51 times more likely to be used in a synthetic identity fraud scheme than adults.
The key for businesses seeking to disrupt such ploys is to look at identity as a big data issue, which is where digital identity can play a huge role. Because digital identity connects the dots between people, their devices, locations, accounts and other identity details (see Chapter 4 – Digital DNA), it can be trained to spot anomalies common to synthetic identities. Multiple addresses, birthdates, email addresses and accounts associated with the same social security number, for example, can then be readily identified. Digital identity can even be refined to detect more artfully crafted synthetic identities where nearly all the personal information is correct, save for a few key details, such as an email address and phone number.
The benefit and effectiveness of digital identity is closely correlated with the quality of the available dataset (see Chapter 6 – The Network Effect). A dataset that is drawn from numerous, highly accurate global sources and intricately linked to physical and digital entities is naturally an ideal resource for combating synthetic ID fraud.
Importantly, this kind of digital identity intelligence (Chapter 5) needs to be delivered at the point of each transaction in a way that is not disruptive to legitimate customers. Delivering an instant trust decision based on sophisticated business rules and globally shared intelligence is where digital identity typically excels.
In some countries, 60 percent of banks report application fraud involving synthetic identities.
Because synthetic identity represents more than just a credit risk, the efficacy of digital identity in fighting this issue can be further enhanced by merging non-credit entities into the dataset. Beyond transaction and behavioral histories, for instance, digital identity can be linked to information, such as DMV records, educational histories, offline residences, and even cohabitation details for parents, siblings and children.
Fraudsters intent on easy profits will no doubt continue to use synthetic identities. They’ll keep their accounts current and build the history they need for their bust-out event. The detail linking that digital identity affords can provide businesses with a critical weapon against this and other threats as they seek profitable, secure growth through digital channels.
Next up: Getting Started