On Synthetic Identity Fraud

pharmacy-2055132_960_720

Add SSN and stir.

CHANCES ARE that identity fraud appeared the moment that presenting valid ID first became needful. Today’s inflated claims aside, The Balance’s Jack Stroup points out that in early U.S. history fake IDs were used to stuff ballot boxes. Since the advent of the minimum drinking age, underage youth out to purchase alcohol have resorted to ID fraud. And, of course, early credit cards were easy prey. Thanks to chips, today’s cards are less convenient prey but not impervious.

In the good old days, ID fraud involved altering or appropriating the bona fides of a real person. Synthetic ID fraud, which Equifax asserts accounts for over 80 percent of today’s identity fraud, obviates the need for a real person.

All that today’s synthetic ID fraudster needs to get started is patience and a Social Security Account number that passes muster. Among other places, such are bought and sold on the dark web. Best are account numbers rarely or not used, automatically pointing fraudsters toward seniors and, more often, children: a Cylab study reports that “children were targeted 51 times more frequently than adults.” 

An alternative for the fraudster is simply to make up account numbers. Since Social Security numbers are no longer tied to birthplaces but randomly generated, such can sail through as if valid. This can cause complications for anyone to whom the Social Security Administration might later assign that number, a consequence that does not seem to give the average fraudster pause.

Whether the SSN is lifted or fabricated, the fraudster creates a name to go with it. Giving the name weight in the credit world takes time, which is where patience comes in. One method is to apply for credit using the phony ID. The initial application will be declined, but a record of the name and account number will have been placed in credit bureaus’ databases. The phony ID will then show up as a real person on the next credit search, possibly qualifying for credit accounts with small spending caps.

IBM’s SecurityIntelligence lists that and two other ways of giving a synthetic ID weight. One way is to add the new ID as an authorized user of a legitimate account. Another is to create a shell company that extends credit to the ID.

Once the synthesized ID’s gains a foothold, more lines of credit can be obtained and limits raised. When the time is right, the fraudster proceeds with a rapid spending and cash advance spree—and then, of course, disappears without paying.

Not a tiny problem

Forbes’s Alan McIntyre reports that synthetic identity fraud costs …

… banks billions of dollars and countless hours as they chase down people who don’t even exist. That is part of the reason why global card losses have been rising at an average annual rate of 18 percent in recent years, according to Accenture estimates. Synthetic identity theft alone may account for 5 percent of uncollected debt and up to 20 percent of credit losses, or $6 billion in 2016, according to some industry analysts. The problem is even more acute with store credit cards and auto loans.

Detecting synthetic security fraud is frustratingly difficult. Real identities are hidden, making perps nearly impossible to identify. Investopeida reports

Sometimes financial institutions can’t even tell that synthetic identity theft has occurred because the criminal will establish a history of using the fraudulent account responsibly before becoming delinquent in order to look like a real person experiencing financial problems and not an outright criminal who racks up charges and becomes delinquent on the account at the first opportunity.

CNBC’s Investor Toolkit page paints no rosier a picture:

When criminals use a blend of different people’s data, as well as some entirely made up information, it becomes harder for law-enforcement officials to both realize the crime and then locate the culprit, said R. Sean McCleskey, a retired United States Secret Service agent who supervised an identity-theft task force for more than a decade. “If you’re using an address you control, the person whose Social Security number you’re using may never be getting the account statements,” he said.

Fighting synthetic identity fraud

On the consumer side, CNBC suggests giving out one’s SSN as seldom as possible, freezing children’s accounts, and keeping tabs on statements and credit reports. On the financial institution side, forewarning and forearming clients with good information is, as always, a best practice. 

Nor are financial institutions entirely defenseless. The major credit reporting agencies and other companies offer AI-esque tools for financial institutions. For that matter, if you will indulge this modest plug for my employer, Fiserv’s VerifyNow service is not to be overlooked.

Comments are closed.