A common thought from comics and movies when evil geniuses build giant machines to steal all the oxygen from Earth’s atmosphere or carve their initials on the moon is, “Why don’t they use all that brilliance for good instead of evil.” ? The criminals in Die Hard were obviously smart enough to rake in huge budgets for henchmen and military hardware. If only they had put that intelligence to better use, they could have avoided being blown up by Bruce Willis.
The answer to why they went wrong in life is obvious. They may or may not get caught, but they are willing to take the risk to get a big score. And to get that score, they’re willing to invest their brains and even some budget.
The same applies to financial crime. Identity theft, which often leads to third-party fraud (where a perpetrator uses stolen, private information and then pretends to be someone else to obtain loans, credit cards, and other unearned benefits), is a relatively easy crime to commit. It simply requires the collection and application of appropriate data. In a way, it’s a smash and grab. Steal the data, use the data. This information is typically name, address, social security number, email, phone, driver’s license, etc. The criminal applies for a loan or credit card on the victim’s behalf, but uses their own contact information (phone and email) to intercept the benefits. The person whose identity has been taken may not find out that they have been cloned until it is too late. After getting a card or loan, the bad guy takes off, leaving the wreckage for the victim and lender to iron out.
Fake identities, real crimes
A far more complicated and insidious type of identity fraud involves the use of synthetic identities. Private information is still stolen and used, but instead of pretending to be a real person, the perpetrator creates an entirely new identity from parts. The building blocks are still the pieces of someone else’s background used to provide credit and other basic data, but the actual identity is made up. And here’s why. The more foundation and history an identity has, the greater the chance it will receive a serious set of cards or credit. Not just a starter, but something with a larger line of credit. That means investment.
What does the perpetrator invest?
- Effort. Third-party fraud requires the effort, and possibly minimal cost, to collect someone else’s information. Synthetic identity fraud requires the same. But then the data is used to create fake people. Almost immediately after combining the ingredients into a fake ID, the criminal files for a loan. And then come the Twitter and Facebook accounts to continue building a digital footprint.
- Cash register. These ghosts are often equipped with bank accounts, with real (and very small) deposits. These spirits could even make purchases and payments. They apply to other, random accounts. And that includes the ultimate financial assets that bring the greatest returns.
- Time. The loan that is applied for directly after the “birth”? Even if denied, that request becomes part of the story. After enough activity and background has been baked, and sufficient financial and social history has been gathered, the fake identities are ready to be launched. This means that the perpetrator is willing to make the best use of these phantoms. This story allows the thief to get the most miles out of ill-gotten schedules and “break out,” the term (similar to first-party fraud) when synthetic identities have paved the way for the crook to max out credit cards and borrow and walk away.
The Rub: What makes synthetics so difficult to catch
The thing that allows synthetic scammers to get away with building this story is this synthetic Part. There is no actual person who needs to be notified that activity is being generated on their behalf. The named victim does not receive a prompt to take action because there is no actual named victim. However, synthetic identity fraud is not “victimless” as it is often called. The financial institution itself is the victim, and the cost of fraud, while often a write-off, still trickles down with measurable repercussions.
What could bring down this scheme? When an application using a very real SSN triggers an alert to the SSN holder. Because of this, synthetic scammers often steal the SSNs of people who are less likely to be notified. Newborns are often the victims. They won’t apply for credit anytime soon, and so the theft of their data can go undetected for many years. The consequences of this crime are therefore terrible now and in the future.
To prevent synthetic identity from succeeding, institutions need to ensure that everyone applying for credit is who they say they are. This of course seems obvious and is the reason for the standard CIP (Customer Identification Program) and KYC (Know Your Customer) laws and policies. But with enough stolen personal information and a healthy dose of fake history, synthetic identities can present themselves as perfectly legitimate.
Most KYC tools are not designed to detect fake identities, just to match Name/DOB/SSN with header data. Fraud solutions, on the other hand, are a bit more sophisticated, but still seek an alignment of data points that scammers have learned to artfully replicate. Therefore, a deeper dive into identity with more insightful fraud prevention tools is needed to ensure all elements actually fit into a holistic identity and are not strung together from stolen pieces.
Outsmart the fake
So how do you retool solutions to outwit counterfeiting? Of course, the usual precautions must be taken to secure the identity bases. But then it is necessary to combat the very essence of synthetic identities: the combining of stolen data elements and the fabrication of a false story.
The first is combated by correlating these elements. Do the name, address, email, phone, social security number, etc. all belong to the same person? Do they coalesce into a holistic identity, i.e. a collection of data owned by a single entity?
The second is thwarted by addressing this false story directly. Digging deeper to examine the age of that phone, the age of that email, the history of that identity across public and private sources can help reveal a synthetic identity as an empty suit. As this scam increasingly supports genuine accounts, connections with genuine credit holders, and occasionally genuine merchants, there will be a need to detect these illegitimate connections as part of a broader effort to detect and combat synthetic IDs.
If the perpetrators have no conscience, they certainly have the intelligence to pose a threat, contributing to a type of fraud that costs American lenders and issuers billions each year and accounts for perhaps one-fifth of all credit fraud. This means that the defenders of the financial frontier must be even smarter to combat synthetic fraud now in its current form and in the future as it evolves. New financial products and digital channels mean more opportunities for consumers as well as for scammers who continue to use their intelligence for evil. Fortunately, there are many smart people building identity verification platforms to combat this scam. Because they chose to use their powers for good.
Jeff Scheidel is Head of Training and Development at Socure