Synthetic identities: Unexploded ordnance in the balance sheet
Lodged inside most business’s balance sheets, synthetic identities hide like ticking time bombs. Once these identities are planted, it’s up to the fraudsters to decide when they will max out the account’s benefits and disappear. That’s in part why the FBI’s Supervisory Special Agent (SSA) Elvis Chan stated on CNP expo’s keynote stage that synthetic identities are one of the biggest fraud vectors today.
The problem defies counting
Synthetic identities are so pernicious because they reflect a growing level of patience among fraudsters. More sophisticated criminals are willing to spend months investing in synthetic identities—paying off small account balances in order to gain trust and more credit—before maxing out the credit and disappearing. Apparently, that patience yields a sizeable payoff.
In May, TruNarrative partner TransUnion shared the results of a fraud analysis that concluded total loss exposure due to a narrowly defined portion of rapid-default consumers grew by 25% between April 2017 and March 2018. Small surprise, that, in an oft-cited forecast from Juniper Research, synthetic identities are expected to help drive annual losses from online payment fraud up to $48 billion annually by 2023.
Remember that some fraud goes undetected. Some victims prefer not to report their losses. The result, according to the FBI’s SSA Chan, is that the FBI estimates it is made aware of only 20% of cybercrime. It may be hasty to multiply the above findings by a factor of five, but a conservative doubling of their numbers may be appropriate.
Fraudsters have all the material they could ask for
To grasp the root of the problem, we should start with one big number. 14.7 billion breached records give fraudsters all the data they need to synthesize identities for new accounts and transactions. More sophisticated groups will compromise the data themselves. Others can buy databases on dark web marketplaces. Frugal fraudsters can stitch together synthetic identities from the enormous Collections #1-5.
To create higher-value accounts, fraudsters may need a government identifier such as a Social Security number. Two groups’ Social Security numbers are especially appealing: the elderly and the underaged. Because these people may not monitor their credit actively, they’re less likely to notice and report suspicious activity.
For lesser-value accounts that don’t require a Social Security number, a compromised email address may be sufficient. Just think about your first email addresses (e.g. KiddyKat98@mrpost.com). If you keep that wizened email address active for occasional use and don’t bother to update the password, then it’s a perfect tool for a fraudster. Older email addresses appear more trustworthy than younger ones, a helpful point for synthetic identities.
Challenges stopping synthetic identities
Before we can discuss what can be done, first we have to establish why synthetic identities are so difficult to stop. We’ll focus on three reasons in this post:
Widespread reuse of passwords
We’re all guilty of reusing passwords, at least in the innocent days of the internet. However, researchers at Virginia Tech found that many online citizens are still living in that bygone era. After analyzing the password hygiene of 28.8 million users and their 61.5 million passwords on 107 services over 8 years, the researchers concluded that “More than 70% of the users are still reusing already-leaked passwords in other services 1 year after the leakage. 40% of the users are reusing the same passwords leaked more than 3 years ago.”
If a breached password on one site has been reused in an email account elsewhere (remember the near-abandoned ‘KiddyKat’), then a fraudster is just a credential-stuffing script away from gaining access to that email account, perfect for launching an array of synthetic identities.
No single source of truth to verify identities
By their nature, credit bureaus have to create new files for every unrecognized credit applicant. Otherwise, there would be no way for them to begin to track the financial lives of consumers coming of age. This provides an essential loophole in the bureaus’ identity-verification processes.
Criminals playing a long game know they can feed the credit bureau an application with a synthetic identity, and then wait for the record of that identity to age a few months. The bureau’s record will corroborate the identity in subsequent small applications for credit. From there, the synthetic identity can begin to build credit toward the payoff.
There’s no single repository of every citizens’ personal information—thank heavens—so the uncertainty provides fraudsters enough wiggle room to insinuate their synthetic identities in among the legitimate majority.
Inefficient Identity Verification
Because the data points in a synthetic identity come from multiple sources, and there’s no single source of truth against which to vet the identities, robust identity verification requires access to multiple sources. It’s cost-prohibitive for most businesses to automate this process. So, the task tends to fall to humans for manual review.
Under pressure to meet customers’ expectations for real-time experiences, and ill-equipped to cross-reference multiple data sources, each with its own formatting and representation of the data, an overwhelming case load can lead human reviewers to approve synthetic identities that should be caught.
And so, those ‘time bombs’ continue to tick away, nestled quietly in most business’s balance sheets. With every monthly payment, they patiently build up their trust and credit limits, waiting for the moment when they exhaust their credit limits and patience.
As with other identity-verification challenges described on this blog, businesses that can solve this problem will enjoy a competitive advantage.
They’ll filter out illegitimate applicants while onboarding more good customers, without onerous identity-verification procedures.
A dynamic, flexible and streamlined approach to fraud and financial crime management is required if organizations are to stand a chance of overcoming the challenge of synthetic identity fraud.
What is needed is a technology that brings multiple data sources together into a single workflow. One that enables the various necessary data sources to inform one another through normalization technology, and deploys this technology in a no-code format that even the least technical fraud, financial crime, or KYC subject-matter expert can master.
TruNarrative is transforming the financial crime management process by unifying Identity Verification, Fraud Detection, eKYC, Risk Assessment, AML Compliance and Account Monitoring into a single, no-code platform environment – accessed via a single API.
Don’t take our word for it … Book a Demo of the TruNarrative platform.
Enter your details in the form below and one of the team will reach out to arrange a demo.