Here’s a bombshell: The Financial Crimes Enforcement Network reports that identity-related theft and crimes total $1 billion per month on average! And twenty-five percent ($250,000,000) of this exorbitant figure can be attributed to identity theft and synthetic identity fraud. At this point, you’re probably thinking… “What is synthetic identity fraud and how can I avoid it?!” Good, I have your attention. Let’s move on and take a closer look at synthetic identity fraud and especially its level of sophistication?

Synthetic identity fraud in a nutshell.

What is synthetic identity fraud exactly? In a few words, it is a type of fraud in which a criminal will combine real, stolen information and fake, fabricated credentials to synthetically manufacture a new identity. For example, the criminal may pair a legitimate Social Security number with a fake name, birth date, and address. Therefore, the synthetic identity is not linked to an existing individual. Synthetic ID fraud is mostly detrimental to the banking and financial services industry. The criminals’ goal is to use Personally Identifiable Information (PII) associated to people who have little or no credit history, so that banks and other financial institutions have no pre-existing credit files on them, making them less likely to be flagged. What’s the bottom line? Young people are more at risk, since they are less likely to have any credit history.

The staggering numbers about synthetic identity fraud.

There is an enormous amount of stolen PII available for sale on the Dark Web, and given the ever -increasing volume of data breaches (for example, there were 7,098 reported breaches in 2019 that exposed 15.1 billion records, a 284 percent increase in records compared to 2018 – Source: Risk Based Security), sophisticated criminals have an incredible amount of stolen information to choose from to create their fake identities, which makes synthetic identity theft now one of the most common types of identity fraud. According to a report from the Federal Reserve dating from four years ago, synthetic identity theft is the fastest growing financial crime in the United States. The cost to lenders was $6 billion in 2016, with the average write off amounting to $15,000. But, the scariest aspect of this phenomenon is that the Fed does not have any proposed solutions to contain this ongoing crime spree, which, by the way, costs you and me in the long run. In fact, it says that it is difficult to even know the full extent of synthetic identity theft in the payments industry because of a lack of consistency in identifying synthetic identities, a lack of investigation, a lack of awareness and a lack of reporting.

What systems enable synthetic identity fraud?

There are cracks in quite a few systems that have allowed and continue to allow synthetic identities to increase.

First, the Federal Government in the United States continues to rely on Social Security numbers as identifiers, but as we all know of data breaches have exposed those numbers. It costs only $4 to buy an SSN on the Dark Web (source: Atlas VPN). For individuals with high credit scores, a Social Security number, birth date, and full name can sell for $60 to $80 on the digital black market. Now, credit bureaus assume that the first person to apply for a loan with a social security number is legitimate and there is no way to validate a number with the Social Security Administration. To make matters worse, in 2011, the Social Security Administration switched to random numbers, eliminating the geographical distinctions that would have helped identify fraudulent numbers or users. Finally, because the number is often assigned to a child, they are less likely to access credit information and uncover the fraud, so it goes unreported for years.

Second, the victims of data breaches are mostly organizations that store significant volumes of personal information pertaining to their employees and customers. Billions of names, addresses and dates of birth, among other variables, are stolen each year, providing cybercriminals with extensive options to build synthetic identifies. A data breach can be traced back to varying causes ranging from an employee sharing his or her credentials to access corporate resources online with a colleague to storing unencrypted user data in centralized systems that offer criminals a single point of failure.

Who are the principal victims of synthetic identity fraud?

As mentioned above, financial institutions are the prime targets for criminals leveraging synthetic identity. Synthetic identity fraud accounts for 80 percent of all credit card fraud losses. And guess what? There is no one to trace or to collect from! Without a consumer to alert an organization of fraudulent activity, fraudsters can use synthetic identities to keep accounts open for months-to-years, garnering credit line increases and improved credit standing, only to eventually max out the credit line and disappear without a trace. You, as a customer, may sometimes wonder why your banking fees suddenly increased from one year to the next. Well, it is in great part the lender’s attempt to mitigate losses incurred from synthetic identities.

What can be done about synthetic identity fraud?

Since there is no way of knowing that synthetic identity-related fraud is being committed until the fraudulent activity has happened, what solution or methodology is available? It seems obvious that the problem must be attacked at the very beginning: proving the absolute and undeniable identity of an individual who seeks out a service such a loan from a financial institution, before the process even has a chance to begin. Can this be done?

Yes, it can! The success in absolutely proving an identity – the key to preventing fraud – lies in the ability to digitally triangulate enrolled government-issued documents as well as enrolled advanced biometric features with several other sources of truth. These three elements operate a series of data checks and verifications to prove an individual’s identity and leverage this process each time the same individual needs authentication to access a system or a service online. What does it mean exactly? The information contained on a driver’s license and a passport (or another government-issued document) like a first name, last name and date of birth must be compared between documents, and the documents themselves be validated by querying the appropriate database (AAMVA for the driver’s license, State Department for an American passport). Then, an advanced biometric feature (preferably a liveness test) is leveraged to operate a photo match with the government-issued documents. Finally, other digital sources of truth like credits cards, bank accounts, utility bills, address and phone verifications and loyalty program memberships, along with many other possibilities, can be leveraged to complete and perfect the ID-proofing process. Only then will financial institutions, for example, know who is really on the other side of a potential business relationship.

A useful tip to conclude.

Have you ever received a letter bearing your address (obviously) but not your correct name? I have, and I am pretty sure that like so many others out there in the same situation, I instantly assumed the piece of mail was for a previous owner of my house. And interestingly enough, the correspondence was often from a bank or credit-card company… Now, it is possible that the previous owner of my house didn’t inform the financial institution of his new address; let’s face it, that’s unlikely… So, another possibility is that a criminal used a real address (mine) along with a fake name and a real SSN to create a new, synthetic identity in an attempt to bypass a bank’s security without it being traced back to them. As now you know, it’s easily done. Fake identities are not fake news.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More