What Is Synthetic Identity Theft? New Path For Fraud?

Synthetic identities can easily be mistaken for real identities and can wreak havoc on companies that fall victim. So how can you differentiate between the two?

What is synthetic identity theft? Synthetic identity theft, or synthetic identity fraud, happens when a social security number is stolen and combined with fake personal information. The number is then used to open accounts, make purchases and steal money.

How Does Synthetic Identity Fraud Work?

Synthetic identity fraud (SIF) is a new form of identity theft that leverages modern technology and the realities of a data-driven society to take advantage of individuals and organizations unprepared to address the complex problems of data security.

Primarily, synthetic identity theft strikes us when we least expect it. While they won’t harm individual consumers, they can significantly impact organizations that hackers fool.

What Is a Synthetic Identity?

In modern cybersecurity, “digital identity” refers to the collective information used to represent an individual in online systems. Depending on the organization, service, and applications, this individual identity might include many different pieces of information–account numbers, phone numbers, address information, unique identification numbers, payment or credit information, Social Security Numbers, etc.

A synthetic identity, as the name suggests, is “artificial.” A hacker uses a piece of legitimate and fake data to construct a synthetic identity that can be used for nefarious purposes.

While traditional forms of identity theft rely on hackers stealing partial or whole sets of information representing a real identity connected to a real person, synthetic identities are fake credentials anchored with a piece of accurate information to help bypass security.

These synthetic identities are unique in that they seem like real identities, and they may fool financial or other institutions who see the legitimate information and assume that the identity is legitimate.

Generally speaking, there are two approaches hackers take in making synthetic identities:

  • Manipulated Synthetics: A hacker will take real information, most often a social security number, and build a synthetic identity around it with natural or altered elements that include phone numbers, addresses, fake names, and so on. They may even make small changes to the SSN if there is any potential for reusing it elsewhere.
  • Manufactured Synthetics: If a hacker can get some information on fake or non-existent SSNs (for example, from a range of numbers used for randomly assigning new numbers), they can essentially create a fully-faked identity.

The challenge of synthetic identities is that, for the most part, they are tough to track. Hackers using synthetic tactics may sign up for services (a credit card, a buyer’s account) and use them normally for years, building reputation and available credit. Then, once enough credit is available, they will spend the money, burn the account, and vanish.

Unlike traditional fraud, where consumers are victims, financial institutions are usually the biggest targets for synthetic fraud. The institutions that find themselves victims of synthetic identity fraud may have little or no recourse. Unless the hackers left a paper trail of their activities, the synthetic identity is just a hollow figure in their system that was never real.

Why Are Synthetic Identity Threats More Common?

The invention of synthetic identity threats isn’t a new and random phenomenon… instead, it is a natural attack vector that has come about due to how we approach digital information and security.

Some factors that have played a role in the rise of synthetic identity hacks include:

  • Credit Card Security Improvements: It’s simply not as easy as it once was to hack credit card information. New developments in a card protection, compliance requirements, and the ability to track and reverse fraudulent transactions have made credit card theft… not impossible but trickier than it once was. This is due, in part, because many security measures have lined up to protect digital identities.
  • Increased Online Activity for Payments and Benefits: The reason that credit security has gotten so advanced is due, in part, to the drastic expansion in online eCommerce and digital storefronts. Customers increasingly rely on digital-only or hybrid shopping experiences for goods and services, and these storefronts are almost exclusively Card Not Present (CNP) transactions–which means that they are ripe for fraud.

How Can You Recognize Synthetic Identity Theft?

Synthetic identity theft is a long game–-hackers will often wait years, building up identities to steal tens of thousands of dollars and leaving businesses and financial institutions holding the bag.

Businesses and consumers/employees must stay vigilant in looking for potential synthetic fraud.

Some tell-tale signs include:

  • Abnormal Credit Reports: If you work with an organization that checks consumer credit reports (or are a consumer looking at a credit report), you can see if any unusual activity has occurred related to your SSN.

    More importantly, fraudsters can steal SSNs for children who technically do not have credit, which means that a report could be tied to a synthetic account using an existing SSN connected to a minor. Coordinating credit checks for these numbers can help you see if something strange is going on tied to those numbers.

  • Social Security Statements: Social Security Statements report when payments are made into the Social Security fund as part of withholding taxes. If a business or user notices discrepancies in payments to Social Security, it could mean a fraudster has used false credentials to gain employment.
  • Strange Bills and Multiple Addresses: If you check any official documentation, online bills with lenders and credit companies, or other organizations, you may find new, strange addresses included in those statements. You may even start receiving strange bills in the mail. These signs could mean someone using some of your information to build a synthetic identity.

How Can You Prevent Synthetic Identity Threats?

The best defense against threats from synthetic identity fraud is, for the most part, tied to proactive cybersecurity approaches related to protecting user identity information during and after authentication and authorization.

Some of these approaches include:

  • Strong Identity Management: Your organization should have tough identity management and authentication security. This includes using MFA for all authentication purposes, having superior security for stored authentication credentials and identity data, and avoiding the pitfalls of centralized identity management like honeypot databases or lack of proper data obfuscation.
  • Behavioral Biometrics: Agencies that manage identities can utilize behavioral biometrics to connect the dots between different pieces of those identities to determine potentially fraudulent activity.

    As their name suggests, behavioral biometrics are a way to identify patterns of behavior between pieces of information and tie them together with assurance measures like advanced biometrics for added, preventative security.

  • Holistic Cybersecurity: Identity management and data protection must extend across your organization. This means having a comprehensive understanding of data, identity management, authentication and access management across all relevant systems across customer and employee identity journeys.

Protect Employee IDs Against All Synthetic Threats with 1Kosmos

Identity fraud, and phishing attacks are two of the biggest threats most enterprises face today. It’s increasingly common for companies to face mass email attacks, steal identities from team members, and use them to wreak havoc inside and outside your organization.

With 1Kosmos BlockID, you can leverage decentralized and strongly-secured identity management to support authentication resistant to breaches and compliant with rigorous national identity and authentication standards.

With 1Kosmos, you can get the following identity protection, and authentication features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Watch our webinar: Techniques for Securing Transactions With Identity Verification and Verifiable Claims to learn more about identity verification.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.