The Confounding Threat of Synthetic Identities
Our fraud series on Zoot Blog recently discussed a multitude of threats facing the financial industry and provided insight regarding next steps in prevention. One thought-provoking point raised during these conversations is that criminals are taking advantage of banks’ desire to provide a frictionless customer experience.
This push for zero-friction just might be creating more leverage for one of the more difficult fraud issues financial institutions face today—synthetic identities. How do you identify and prevent fraud when there is no self-reporting victim?
Ken Meiser, vice president of identity solutions for ID Analytics, shared his perspective with us on the confounding threat of synthetic identities. These identities are created using possibly valid social security numbers with accompanying false information or by changing just enough personally identifiable information (PII) to confuse the system.
Synthetic fraud is much harder to manage because criminals maintain what appear to be legitimate accounts, in good standing (sometimes for years), before maxing out a credit line or taking a cash advance and disappearing. Since the account holders don’t actually exist, there isn’t a way to collect on the bad debt.
The invisible faces of synthetic identities
According to Meiser, there are typically two distinct groups when it comes to synthetics. In the first scenario, the fraud happens in a systematic and long-term effort. Organized crime rings open retail cards to establish history on synthetic identities, then use those credit files to obtain additional lines of credit. They grow their credit limits over time, and eventually “bust out” the accounts by suddenly using the remainder of a credit line.
The second category is more akin to identity manipulators and holds a slightly different intent. In an attempt to keep their bad credit history from catching up with them, fraudsters use new social security numbers to apply for credit. By changing small pieces of PII, they are able to create multiple variants of an identity.
Depending on where you are in the ecosystem, synthetics present themselves differently. In a retail environment, they look like a new customer who has a thin credit file. The customer will transact with the retailer for a year or two before they turn bad. When an attempt to collect on the account is made, it is discovered that the debtor doesn’t exist. Unknowingly, the retail store has helped the fraudster establish credit and an identity.
The second party to come into contact with a synthetic will experience a much shorter life cycle. The creditor will see an established credit file with a good history. The fraudster can then take out a line of credit and immediately use it, again disappearing without a trace.
What are some preventive measures to address synthetic identity fraud?
“In synthetic fraud prevention, the network matters,” says Meiser. “Cross company and cross industry data sharing is incredibly important to identify anomalies originating through different sources and shut them down. Real-time data sharing is also critical due to the speed of these transactions.”
When a bank or a telecommunications company receives an identity event (an application, or a request to change account information such as a physical or email address), sharing those changes can be invaluable. “If data sharing shows us an account has had five activities within a few days, there might be an issue or at least a reason to flag the account for suspicious activity,” says Meiser.
These criminals are very sophisticated in the use of stolen credentials to change account information. By changing an email they can send a lost credit card request, suppress statements and even gain access to a cell phone account—forwarding information to a new line and returning the phone back to its original configuration. Non-monetary changes are easier to make over a period of time and they often don’t raise triggers at the bank.
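The velocity check described above, as an added example that is not from the original article or from ID Analytics: a sliding-window count of identity events pooled across institutions. The 3-day window, the event fields, the source names and the sample feed are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=3)  # assumption: "a few days" taken as 3 days
THRESHOLD = 5               # "five activities", as quoted in the article

# Constructed sample feed: (timestamp, reporting source, identity key, event type)
EVENTS = [
    ("2024-03-01T09:00", "bank_a", "id-1001", "email_change"),
    ("2024-03-01T15:30", "telco_b", "id-1001", "call_forwarding_change"),
    ("2024-03-02T10:15", "bank_a", "id-1001", "card_replacement_request"),
    ("2024-03-02T18:40", "retailer_c", "id-1001", "address_change"),
    ("2024-03-03T08:05", "telco_b", "id-1001", "call_forwarding_change"),
    # Same number of events, but spread over six weeks: normal account upkeep.
    ("2024-02-01T11:00", "bank_a", "id-2002", "application"),
    ("2024-02-10T11:00", "bank_a", "id-2002", "address_change"),
    ("2024-02-20T11:00", "telco_b", "id-2002", "email_change"),
    ("2024-03-01T11:00", "retailer_c", "id-2002", "application"),
    ("2024-03-12T11:00", "bank_a", "id-2002", "address_change"),
]

def flag_velocity(events, window=WINDOW, threshold=THRESHOLD):
    """Return {identity: alert} for identities that reach `threshold`
    identity events inside any sliding `window`, pooling all sources."""
    recent = defaultdict(deque)  # identity -> events still inside the window
    alerts = {}
    for ts, source, identity, kind in sorted(events):  # ISO strings sort by time
        now = datetime.fromisoformat(ts)
        q = recent[identity]
        q.append((now, source, kind))
        while now - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and identity not in alerts:
            alerts[identity] = {
                "flagged_at": now,
                "sources": sorted({s for _, s, _ in q}),
                "kinds": [k for _, _, k in q],
            }
    return alerts

def flag_single_source(events, source):
    """The same check run on what one institution sees by itself."""
    return flag_velocity([e for e in events if e[1] == source])

if __name__ == "__main__":
    for identity, alert in flag_velocity(EVENTS).items():
        print(identity, alert["flagged_at"], alert["sources"], alert["kinds"])
```

Run on the pooled feed, the check flags only the identity with five non-monetary changes in two days; run on any single institution's slice, it flags nothing, which is the case for data sharing made in the quote.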
Dealing with fraud is a continual action/reaction environment. When you shut down one behavior, the fraudsters simply move to another. Fraudsters will test all channels to see where they can get in, and some channels have easier entry points, especially online or through call centers. The good news is that fraud processes are being universalized; banks are seeing the benefits of implementing stronger defenses across multiple channels.
Synthetic identities are a growing problem and quickly becoming the number one concern for many financial providers. Multi-factor authentication seems to be the direction the industry is heading with regard to the most effective fraud prevention. Applying enhanced detection tools early in an application process will be an additional benefit to combating these invisible personas.
Vice President, Identity Solutions for ID Analytics, Ken Meiser has 20 years of experience in designing and implementing risk mitigation, compliance, and authentication services and products.