The $6B Synthetic Identity Fraud Problem And Assessing Customer Identity
Originally published on Forbes.
As more and more interactions take place online and data breaches flood the dark web with stolen personal information, identity theft and account takeovers have become an increasingly common nightmare for consumers and a costly challenge for businesses and financial institutions. Enterprises need to know who is on the other side of a transaction, but common methods of assessing identity are often too narrowly focused to be effective — particularly in the case of synthetic identity fraud, one of the fastest-growing types of financial crime in the United States according to the FBI.
What is synthetic identity fraud?
In traditional identity theft, a criminal steals the personal information of a real person to commit financial crimes. In synthetic identity fraud, a criminal uses a combination of real and fake information to create a fictitious identity and then opens fraudulent accounts to make fraudulent purchases.
The most common example is of a fraudster stealing a real Social Security number (often from a child) and combining it with fake contact information to apply for credit. The initial request will often be denied, but the denial creates a profile with that Social Security number in the credit reporting system which legitimizes the fake identity. The fraudsters will keep applying, often moving down market to smaller financial institutions with less mature identity verification processes or direct to retailers, until a request is granted. They may use that credit responsibly for a period to steadily raise the credit score of the fake person and obtain additional credit or they may immediately proceed to max out all the credit cards and loans and walk away with the cash.
Synthetic identity fraud is estimated to cost banks $6 billion annually. Financial institutions are usually on their own when it comes to spotting this type of fraud, as there are no consumer victims with immediate financial losses to spark an inquiry. The criminals often specifically target the Social Security numbers of individuals (for example, older adults, the deceased, people who are homeless and children) who are unlikely to be checking their credit reports.
Synthetic identity fraud is preventable
The most challenging aspect of combatting synthetic identity fraud is its combination of real and fake information. This information is used to create a new identity, so there is no historical data for institutions to refer to when the fraudster opens a line of credit with that identity. The profile appears like that of any new borrower with a limited credit record.
Individually examining each identity element alone when onboarding a new customer is often ineffective, as all the pieces of information provided may be technically valid. If the bank examines the elements individually in a checklist style (yes, that's a legitimate address; yes, that's a legitimate SSN; yes, that's a legitimate email, etc.), each piece of identity data the fraudster provided may be technically correct.
Scratch below the surface, though, and it becomes clear that the fraud mitigation tools querying these identity elements often rely on historical, abstract, fractional or easily manipulated data.
For example, if a financial institution compares the user's IP address and claimed physical address, the pass/fail response is based on geofencing, which requires that the addresses be within a certain general proximity of each other. Fraudster in a coffee shop nearby? No problem. Pass.
Checking a customer's name and address allows for fractional verification — for example, “R. Smith” could pass for a name linked with an address. But what if much of this information is public, and the fraudster can pick a name and address that match? No problem. A complete name is not needed to pass this query.
Fraudsters know how to game the system, which is why synthetic identity fraud can be so devastating to financial institutions.
Examining linkages to assess synthetic identity fraud risk
There are three ways organizations can change their perspective to better position themselves to combat complex forms of synthetic identity fraud.
Evaluate each piece of data in combination with additional identity markers.
Prevention starts by looking at each piece of data in combination with additional identity markers to create an integrated view of a single stable identity over time. This means not just asking, "Is this specific piece of data valid?" but rather determining, "How strong is the linkage between two or more of these data points compared to the identity of the customer in question and how long has this connection been true?"
Determine how frequently each data point interacts with the other.
Organizations need to be able to see how frequently and completely each of the provided data points connect to each other to assess whether an identity is real or not. Fraud prevention solutions need to look at all the data provided and examine the strength of the linkages between the various identity elements in order to answer the question, "Do all of these data points in combination relate back to a single stable identity?"
Assign scores to gauge the risk of an interaction.
Evaluating the connections between all the points allows the calculation of a score that enterprises can use to gauge the risk of an interaction. The organization can then either allow the transaction to proceed or flag it for further examination with additional fraud-fighting resources. Monitoring changes in these data points and connections over time allows the account to be flagged if any of the data points do not match current behaviors and generates a better customer experience for returning, legitimate customers who no longer need to be subjected to stringent authentication procedures.
Looking beyond synthetic identity fraud
Combating sophisticated forms of fraud starts by moving beyond the common "checklist" approach that relies on inadequate or easily manipulated data. Instead, organizations need to assess the strength of identity linkages to determine whether an interaction is a high risk — an approach that helps curb account takeovers based on traditional identity theft as well as synthetic identity fraud. The key is adopting a more integrated view of identity and identity reputation before taking action.