Combatting Synthetic Identity Fraud and Account Takeover With Digital Identity Verification

Mike Engle

In this vlog, our CMO, Michael Cichon, is joined by our CSO, Mike Engle, to discuss how digital identity verification can be used to combat synthetic identity fraud and account takeover. If you are interested in learning more about this topic, please watch our webinar.

 

Michael Cichon:

Hi, everybody. This is Michael Cichon, chief marketing officer at 1Kosmos. I’m here today with Mike Engle, our chief strategy officer, to talk about synthetic identity. Mike, synthetic identity, it’s not a new problem, but a pernicious one. Can you just define what we’re talking about when we mention synthetic identities?

 

Mike Engle:

Sure. It’s actually not a very well understood term. We are all familiar with bad guys stealing your account data. My username, password, login, is me and steal my money. We also know about people who may steal my identity. So the first is account takeover, you stole my Chase account. The second is, I’m going to use your identity to pretend to be you and steal your credit, maybe open an account. This is a whole new category where they’re making a new identity, right? Synthetic, it’s fake. And they’re doing it in some pretty crafty ways.

 

Michael Cichon:

Well, tell us about that. What makes up a synthetic identity?

 

Mike Engle:

So a couple types. One is there’s fabricated. So I am going to take the name John Smith and maybe a valid address in Austin, Texas, and I’m going to put those attributes together along with a birthdate that I know belongs to a John Smith somewhere. Which that’s pretty easy to find, right? Millions of John Smith’s birthdays are available out on the web. And the bad guys have gotten really good at feeding that information to the banks that will pass the sniff test where it says, that really could be a real person, maybe I haven’t seen them before. And so that’s a completely fabricated synthetic identity. As part of that, they even have buckets of social security numbers that they put into those algorithms to bypass those checks as well. My social belongs to me, these socials are maybe in a fuzzy state, haven’t been used before or reclaimed.

There’s a second type, which is manipulated, and they’ll mix their own PII or somebody else’s PII with some alternate. So it’s like maybe just a slight variation of mind. And in some of those cases, you can create a brand new credit record and start to build it up, in others you’re stealing somebody else’s credit at the same time.

 

Michael Cichon:

Right. Okay, great. So I’ve read about this, they’re kind of Frankenstein identities, little bits and pieces of information, I guess often commonly used names, common cities where there’s large populations and different permutations of first and last name and so forth. So who’s affected by synthetic identities?

 

Mike Engle:

That’s the thing, in account takeover and identity fraud, identity theft, they’re stealing it from me, and I can make a big splash about that. However, when you create a synthetic identity, it’s really just the banks that are exposed. In fact, they don’t even really know how to classify it into their fraud buckets because it’s not impacting going back to a specific individual. So, really, it’s affecting all of us because it’s making our products and services more expensive. And it also could affect us because now the banks have to make us jump through more and more hoops to prove that we’re not synthetic. So it’s a combination of effects flowing downstream.

 

Michael Cichon:

So I guess then the origin of a synthetic identity, this thing, this person that does not exist. But I guess because the criminal trying to use it has applied for credit, they get a credit file, so now it’s in use, and they develop this over time. They develop a credit history for this identity?

 

Mike Engle:

That’s right. So, the way it’ll work. Just some industry stats, we’re going to cover these on the webinar next week, but up to 2% of all bank accounts now are created with synthetic identities. That’s 2%, that’s a lot. There’s $355 million in card debt for people who did not exist in two in 2017, so almost a half a billion dollars.

The way it works is I create the synthetic identity and I start to create some good behavior, I buy some stuff, I make some payments. And then I do what’s called busting out, when it’s time for me, I think I’ve got the most value out of my account, the most credit I could get for example, I’ll rack my credit card up and go over the limit because they let you go over your limit by a bit. And the bust out average loss is $90,000 across these accounts. So it’s significant dollars.

 

Michael Cichon:

That is significant. But I mean, how do these things get created? I mean, it’s got to be embedded somewhere in the verification process. We’ve got a valid social, but it’s social security number that’s not associated with the name. I mean, what’s happening here? What’s the core? What’s the root cause of this problem?

 

Mike Engle:

The root cause is that most account openings, at least here in the US, are stuck in the nineties the way they do it. So if you go to many banks today, you’ll type in your first name, last name, address, date of birth, social, and that starts the entire account creation process. What’s wrong with that? Well, it’s not really easy to validate against a trusted source because that data’s been stolen a dozen times over from various breaches of the credit bureaus. So, because we’re using knowledge and knowledge can be slightly tweaked, it’s also known by everybody. KBA, known by anybody. That’s how the fraudsters are able to manipulate. And so I’m guessing your next question might be, what do we do differently?

 

Michael Cichon:

I’m sorry if I rattle on this, but banks are required by the anti-terrorism legislation to do the know your customer checks. So you’re saying they’re doing them, but it doesn’t sound like they’re doing them all that well.

 

Mike Engle:

The laws don’t get revised that often. And so if we go back to Patriot Act, it’s 20 years old, then they’re still meeting the spirit of the law and they’re checking that box for compliance to say that we do KYC. But that doesn’t mean it’s the best way to do it.

 

Michael Cichon:

Okay. So what is the best way to do it?

 

Mike Engle:

Well, I don’t know about the best, but one of the best would be to have the user provide better forms of proof about their identity at the time they sign up for a service. The technology is now in our hands to do this. Go back 20 years, really all you could do was type in a keyboard or go into a branch, and that’s what they made you do. You had to go into a branch, look the person in the face. But today, everything’s done remote. And so now we can ask the user to present government issued credentials remotely through something called document verification, and then tie in the identity verification on top of that.

The process around that is actually very straightforward. I type create a new account, hit the button, and I’m asked to present my government credentials, and I will take my mobile phone out or in some cases I might even be able to hold it up to a laptop or desktop camera and present that credential where it can be verified using all kinds of different technologies, optical character recognition and other fraud signals that’ll go into that check.

 

Michael Cichon:

Okay. All right. So a government issued credential. So we’ve got what? The federal government in the US issues the passport, the state government’s issue the driver’s license and I guess the Social Security Administration issues the SSN number, are those the document types that are validated typically?

 

Mike Engle:

Yeah they are. Driver’s license is obviously the most common and the most pervasive. As part of that, you’ll typically be asked for scan the front, the back, and then your face will be matched to the photo. And then there’ll be a few other checks, because even that could be manipulated. And so to prove that my driver’s license is valid and I didn’t buy it from a truckload of fake licenses, we can verify the authenticity of the license through the issuing authority. So there’s an organization called AAMVA, A-A-M-V-A, which is an aggregator of all the DMVs, not almost all the DMVs in the US and they’re coming into Canada. So we can do more checks besides just doing what your camera and AIML can do. We can go then make some calls out to say, on top of what they gave us, does it look good from a data perspective as well? So we’ll check AAMVA, check the SSN, make sure that their SSN address with the bureaus matches the one on the license. And we can even do some checks on the ownership of the email address or the phone number. I’ve had the same phone number for 10 years, if it says Mike Engle in the records, that’s another source of truth that brings credibility to my account signup process.

 

Michael Cichon:

Okay, well if I’m doing this remotely, how do I do the facial match? I, how do I prevent somebody from maybe holding up a photo and showing that and then trying to match that photo against the driver’s license?

 

Mike Engle:

Yeah, the photo, deep fakes, or if you’ve seen the Elon Musk videos of late, they’re really getting impressive. And it’s a bit of a cat and mouse game where the bad guys will try to do certain types of fraudulent activities, and we on the kind of good guy side, will have to catch them and stop it. So a couple things are done.

There’s the concept of liveness. So we can pretty much tell now if you’re holding up a photo or if it’s a real face, you can tell there’s depth. And we can also even tell if the document, there’s something called document liveness, there’s person liveness, and so these technologies are continuously evolving. And there’s even another concept of where we called morphing where you take two pictures and put them together into make almost a new face that all the algorithms could point to one way or another. So yeah, it’s continuously evolving and it’s just the nature of the good guy versus bad guy. But we’re in a pretty good place right now, and it’s far better than the way that most banks are doing it today.

 

Michael Cichon:

Okay, well, it’s a step in the right direction, but of course, we’re doing this digitally now and we’re creating all these digital artifacts. Privacy’s got to be an issue. So banks then, do they inherit a privacy concern when they start to move in this direction of the remote identity proofing?

 

Mike Engle:

They can. If you’re capturing people’s biometrics, for example, or maybe you’re saving a copy of a driver’s license, you need to disclose that, handle it properly. But today, banks own so much sensitive information that I’m pretty sure that they can do that well. And then there’s also newer technologies and the concept of giving the user their own encryption keys so that they’re in charge of it, yet they can share it when they need to. So yeah, a lot of options on the table there.

 

Michael Cichon:

And at 1Kosmos, of course, our systems are privacy by design, so only the user has access and control over that PII.

 

Mike Engle:

Exactly.

 

Michael Cichon:

All right. That’s a little PSA from my side. All right. Well, I know that you’re doing a webinar on November 17th, 1:00 PM Eastern Time with Oliver Wyman. So if you happen to see this folks before that event, tune in. If not, the replay will be available on the 1Kosmos website.

Mike, as usual, thank you’ve very much for your time today. Very interesting conversation on synthetic identities.

 

Mike Engle:

Pleasure to be here. Thank you very much.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More

Expert Insights in Your Inbox

Subscribe to the blog
Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.