Synthetic identity theft is a type of fraud in which a criminal combines real and fake information to create a new identity, which is used to open fraudulent accounts and make fraudulent purchases. Fraudsters use this fictitious identity for obtaining credit, opening deposit accounts and obtaining driver’s licenses and passports.
This kind of fraud differs from tradition identity theft in that the perpetrator creates a new synthetic identity rather than stealing an existing one. The process starts with someone stealing real social security numbers that aren’t actively being used e.g. children and elderly people who use little, if any, credit and then creating identities by adding fake addresses. Synthetic identity theft allows the criminal to steal money from any credit card companies or lenders who extend credit based on the fake identity.
It’s difficult for banks to detect because their fraud filters aren’t yet sophisticated enough to catch it. When the synthetic identity thief applies for an account, they might just look like a real customer who has a limited credit history. Digital channel-specific solutions can be effective at identifying bots and devices with negative histories but fail to efficiently flag fraud executed from a clean device by an individual with no history at the institution.
Data validation solutions are prone to errors due to duplicated or incorrectly entered entries, which become more difficult considering more frequently changing data points such as home addresses and phone numbers. This fuzziness allows manipulated identities to blend in effectively as each data point appears valid, despite linking to a number of different identities.
Synthetic identity theft is by far the most common type of identity fraud and is costing banks billions of dollars and countless hours as they chase down people who don’t even exist. It’s the fastest-growing and hardest-to-detect form of identity theft, according to the U.S. Federal Trade Commission. Credit reporting agency Equifax said the crime has “become the predominant tactic for fraudsters.” Synthetic-identity fraud resulted in $800 million in credit card losses in 2017, up from $580 million in 2015 — and that amount is expected to grow in the years ahead, according to a recent investigation by Aite.
“Today, online criminals are creating what we might call a synthetic identity ecosystem that will be among the larger threats in infosec over the next 5 years.” “I expect users on LinkedIn, Facebook and Twitter will see a growing number of farmed profiles that are very difficult to distinguish from accounts from real people. The credibility that comes with the connections in our online communities is important – it makes access and fraud more difficult to prevent,” said Daniel Riedel of New Context company that is doing research into “synthetic identities” and “secure attribution”
Further the advances in artificial intelligence is making it even more challenging as it is beginning to outstrip a human’s ability to discern engagement with non-human entities during casual interactions.
Recently, Google showed-off their new AI that can book a hair appointment. Beyond Google’s AI we are now able to create realistic artificial faces and can manipulate videos of people to say and behave differently. These same tools will also be used by criminals to defraud people. The impact to critical infrastructure will be advancement on the same phishing scams to gain access and dupe people into giving away their identities so that criminals will gain access to networks.
Synthetic frauds are not confined to just the banking industry, there are several other crimes committed under fabricated identities. As these synthetic identities are not used for financial gain, they are much more difficult to discover since there is no report of credit loss or fraud. There have also been recent, high-profile cases of terrorist organizations exploiting the use of synthetic identities to serve their ideological purposes. Synthetic identities provide an avenue for terrorists to not only distribute funding but to also obtain valuable resources, such as cell phones and airplane tickets for individuals having intent on more than just financial harm.
Cyber Security Measures
The rise of synthetic identity theft indicates that financial institutions are not authenticating the identities of credit applicants. Multi-factor authentication is one of the most effective methods for preventing synthetic identity fraud. Banks are experimenting with voice recognition technology at call centers and see if it could flag whether a certain voice has called before under a different identity.
Identity Verification system
Under the Patriot Act, financial institutions and card issuers are required to verify core identity elements through a Customer Identification Program (CIP). Typically this entails validating name, date of birth, Social Security number, and place of residence. Additionally, CIP may include checks of ancillary data such as employer or contact information.
Another part of the solution will be a central method of verifying identity that works as seamlessly as the major credit bureaus do today. However, central repository also could raise privacy concerns.
A new banking reform law will help fight synthetic identity fraud. The law, signed by President Donald Trump this spring, will allow credit card issuers and other lenders to verify applicants’ identity information in near-real time using electronic signatures. Under the current process, financial institutions must obtain an applicant’s written consent to validate their information with the Social Security Administration (SSA), a process that can take days or weeks.
“A practical identity verification system is the holy grail when it comes to fighting synthetics, and recent developments now open the door to real progress with the SSA,” said Ira Goldman, who leads Auriemma’s portfolio of fraud control roundtables, an information-sharing and benchmarking platform for top lenders.
Reputation systems are programs that allow users to rate each other in online communities in order to build trust through reputation. Some common uses of these systems can be found on E-commerce websites such as eBay, Amazon.com, and Etsy as well as online advice communities such as Stack Exchange.
Reputation systems that are used to ferret bad actors or misbehavior in today’s ecosystems can help in making discerning decisions. But in long term they will be susceptible to attack by the synthetic identity, therefore multiple levels of verification are required
AI and Machine learning
A key part of the solution will be using artificial intelligence engines and machine learning methods to comb through the growing repository of digital data about each of us to better verify identity. For example social media and community data can be searched to verify the name, location and other pointers of the identity.AI is perhaps the technology best suited for this challenge because the amount of data that banks will have to search is an enormous pool that is constantly growing.
Trust systems such as blockchain are beginning to emerge as a method to provide immutable identities on the Internet.
Cyber attribution is the process of tracking, identifying and laying blame on the perpetrator of a cyberattack or other hacking exploit. Cyber attribution can be very difficult because the underlying architecture of the internet offers numerous ways for attackers to hide their tracks.
Secure attribution means fingerprinting every interaction of a coder or operator interacting with a machine and network. Creating a trace enables engineers to access the history of all executables and code they are running. This attribution history enables the organization to connect any malicious activity to the original entity.
Using the Consortium model
In synthetic fraud prevention, the network holds significance. Cross company and cross-industry data sharing are incredibly important for identifying anomalies originating from different sources and shutting them down.
The consortium model solicits data from all participants related to the use of different data elements and related experiences (i.e., positive or negative). Whenever a FI sees an identifier on an application, whether the application is approved or not, the identifier is submitted to the network. All other members of the consortium can check data points on applications they are receiving against the network in near real-time.
This gives FIs and issuers greater assurance that core identity data elements provided as part of an application all belong to a unique individual. Additionally, institutions can learn whether the data elements’ combined use is associated with fraud or known good account activity.
This provides an additional layer of security against new-account fraud using both stolen and synthetic identities. Identifiers that link to a wide variety of identities or that are associated with a large number of applications over a short period of time are more likely to be tied to synthetic identities.
In the end, the eventual solution for thwarting synthetic fraud will depend on cooperation and leveraging artificial intelligence engines and lots of innovation, because the bad guys are innovating, too.
The challenge for banks that are already trying their best to improve customer service in the digital age is to ensure that whatever anti-fraud measures they adopt don’t add friction to the banking experience.
The problem is so large that it may be handled best by developing an industry-wide solution. Banks have shown in the past that they can work together to tackle these kinds of endemic, industry-wide issues. When identity theft reached a tipping point 25 year ago, major banks set up the Early Warning Services to monitor, compile and report on consumer banking habits. EWS shares information to prevent and combat fraud among 2,500 banks and other subscribing institutions.