Identity doesn’t have to be stolen when it can be conjured up out of thin air.
Introduction:
Synthetic identity theft (or more accurately, synthetic identity fraud, in sharp contrast to stolen identity fraud) has no specific consumer victim. That’s an important advantage for the fraudsters. After all, if Mary Doe steals Jane Smith’s identity, then Ms Smith has every incentive to report the theft to the authorities and credit bureaus. She serves as a key tool in the detection and mitigation of such fraud. But if Mary Doe invents a Ms Smith, then this key tool is missing from the toolbox.
A related problem, from the point of view of lenders and merchant creditors: it is very difficult to get a fix on how big a problem this is. Often the invented Ms Smith’s account will simply be written off as bad credit and unrecoverable debt. It won’t be accounted for as a cost of fraud.
On a macro level, Gartner Inc. has estimated that synthetic fraud accounts for 20% of credit charge-offs.
Short Description:
Broadly speaking, synthetic identity fraud takes one of two forms. Our Mary Doe can try to create a new cyberspatial identity by slightly altering her own self, or she can start from scratch. The results are sometimes called “manipulated synthetics” and “manufactured synthetics,” respectively.
Sometimes the synthetic identity creator does not intend to defraud those with whom she deals. This (relatively) innocent form of false identity creation is likely to fall under the first of those two headings, manipulated rather than manufactured. Mary Doe might start calling herself Maria Dough, and invert two digits of the social security number she provides, in order to try to get out from under the effects of a bad credit history. She might make legitimate purchases and intend to pay for them.
But if “Maria” is in fact cobbled together from a variety of sources, the personally identifiable information (PII) of a number of people (the date of birth of one, the address of another, the SS number of a third, etc.), the perpetrators are more cold-bloodedly fraudulent. Increasingly, synthetic identities are being created from a single identity element, like a social security number, which a fraudster uses to seed an otherwise fabricated identity. While the first new credit application filed with lenders may get rejected as having too little history, the second or third has a much better chance of being approved, as the credit agencies being queried may now recognize the identity as legitimate. An example is as follows:
Interesting Facts:
- Many institutions (employers, lenders) verify an applicant’s social security number only by checking it against the birth date. If the SS number is within the range that corresponds with that birth date, the inquiry ends there. This only catches the lazier fraudsters.
- SSA switched, in 2011, to the randomization of the numbers it issues, so they are no longer tied to birthdate or geography. This may over time require lenders to be more careful about how they confirm the number, but it has its own problems.
- Specifically, randomization means that if fraudsters can steal a child’s SS number, they can assign it to a fictitious adult without that mismatch attracting attention. Minors are very likely never to have defaulted on a loan.
- The street address of a synthetic identity is another area in which the laxity of lender confirmation procedures works to the fraudsters’ advantage. It is not difficult to print up a fake ‘utility bill’ for an abandoned property, as if “Maria” is living at that property and paying for water, electricity, etc. there.
- Synthetic identity fraud resulted in $6 billion in credit losses in 2016.
How the Scheme Works
After a fraudster has assembled an identity from a social security number, a mailing address, and/or other bits and pieces in ‘Frankenstein’ style, what then?
The next step is often to apply for a credit card. The application will almost certainly be rejected, simply because the newly created person thus far has no credit history. But the simple fact that an application has been made begins the process of creating a history.
Soon thereafter, the synthetic person may be added to a real person’s credit card as an ‘authorized user.’ The real person who allows this may have varying degrees of culpability in the scheme. It may well be an innocent person who doesn’t understand what is going on. Over the subsequent months or years, the synthetic person can charge small items to this card and pay them off promptly, building up a record as a low-risk user of credit.
In time, the synthetic person may make a successful credit card application, and again, build up a good credit rating here, using the card for small charges and paying them promptly. The issuer will typically over time increase “Maria’s” credit limit until the real people behind “Maria” decide the time is right for the “bust out.”
In the bust out phase of the scheme, the credit cards may be maxed out buying gift cards and valuable merchandise. Criminals will sometimes stretch the bust out over two months, paying the bill for the first month with rubber checks in the synthetic person’s name, and continuing on with the expenditures. After all is milked out of this identity that can be milked, the synthetic person disappears like so much smoke in the wind.
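From the issuer's side, the pattern described above leaves a recognizable trace in the statement history: a long run of small balances, a growing limit, then a near-limit balance that persists after a payment bounces. The following Python sketch is an added example, not part of the original article; the `Statement` fields, thresholds, signal names and sample histories are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Statement:
    limit: float                    # credit limit at statement close
    balance: float                  # balance owed at statement close
    payment_returned: bool = False  # payment made against this statement bounced

def utilization(s):
    return s.balance / s.limit if s.limit else 0.0

def bust_out_signals(history, calm=0.30, spike=0.80, min_calm=6, recent=2):
    """Signals raised by the newest `recent` statements; history is oldest first."""
    signals = set()
    if len(history) < min_calm + recent:
        return signals  # file too thin to compare against its own past
    past, latest = history[:-recent], history[-recent:]
    # 1. A long run of small, promptly paid charges, then a near-limit balance.
    if all(utilization(s) <= calm for s in past[-min_calm:]) and \
            any(utilization(s) >= spike for s in latest):
        signals.add("utilization_spike_after_calm")
    # 2. The issuer raised the limit substantially during the quiet period.
    if history[-1].limit >= 2 * history[0].limit:
        signals.add("limit_at_least_doubled")
    # 3. A payment bounced, yet the next statement is still near the limit.
    for prev, cur in zip(history[-recent - 1:], latest):
        if prev.payment_returned and utilization(cur) >= spike:
            signals.add("spend_continued_after_returned_payment")
    return signals

# Constructed histories (limit, balance), oldest first.
MARIA = [Statement(500, 40), Statement(500, 55), Statement(1000, 60),
         Statement(1000, 90), Statement(2000, 120), Statement(2000, 150),
         Statement(3000, 200), Statement(3000, 180),
         Statement(3000, 2950, payment_returned=True), Statement(3000, 3000)]
STEADY = [Statement(3000, 900) for _ in range(10)]

if __name__ == "__main__":
    print(sorted(bust_out_signals(MARIA)))
    print(sorted(bust_out_signals(STEADY)))
```

Any single signal also occurs on legitimate accounts, so the combination is what would justify holding a limit increase or routing the account to manual review.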
Recent Events
One intriguing approach to battling synthetic identities involves the use of artificial intelligence. According to a Forbes contributor, “artificial intelligence engines and machine learning methods” may be used to “comb through the growing repository of digital data about each of us to better verify identity.” The machines might learn that a social media presence is a reliable indicator of when there is a real person by that name: has someone been posting on Facebook about the fun he has been having in Woodstock, New York, well before applying to a bank for an automobile loan citing an address in Woodstock? If so, that may well help indicate that he isn’t synthetic.
On the other hand, as the Forbes contributor (Alan McIntyre, who is the head of global banking practice at Accenture) also observes, there will likely be objections to any system that will turn down credit applicants simply because an individual doesn’t post on Facebook! The battle against synthetic fraud, McIntyre says, “is just beginning,” and even the ground rules for the combat aren’t entirely clear yet.
Solutions
Certain obvious measures for the self-protection of lenders, issuers, and merchants do suggest themselves:
- Up the due diligence. Check, for example, into the street address of an applicant for credit to ensure that it isn’t an abandoned building.
- Keep, or return to, an element of the personal touch. Some community banks require that a customer show up, physically, at a bank branch either to apply for a loan or even to open an account (even a new account can too easily be one step in the creation of a phony identity, especially if such face-to-face contact is not required).
- Creditors may over time develop a central registry to deal with this issue in much the same way that the Early Warning Services established a quarter century ago has helped them deal with the threat posed by stolen identities.
- Since, even in these digital times, much business continues to be transacted over the telephone, voice recognition technology may play a role, red flagging when two or more apparently unrelated accounts are associated with the same voice.
- Remember that it isn’t going to be enough simply to get ahead of the bad guys: it will be necessary to STAY ahead of them, because they can adapt to counter-measures and innovate their own routines as well.
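The central-registry and shared-voice ideas in the list above, like the cobbled-together identities described earlier, come down to noticing when applications that claim to be different people reuse one identity element. The following Python sketch of that linkage check is an added example, not part of the original article; the field names, normalization rules and sample records are assumptions made for illustration.

```python
from collections import defaultdict

def normalize(field, value):
    """Canonical form so trivial formatting changes do not hide reuse."""
    if field in ("ssn", "phone"):
        return "".join(c for c in value if c.isdigit())
    return " ".join(value.lower().replace(".", " ").replace(",", " ").split())

def shared_elements(apps, fields=("ssn", "address", "phone")):
    """Return {(field, value): [app ids]} for elements reused across
    applications that claim a different name or date of birth."""
    index = defaultdict(list)
    for app in apps:
        for field in fields:
            index[(field, normalize(field, app[field]))].append(app)
    flagged = {}
    for key, group in index.items():
        claimed = {(normalize("name", a["name"]), a["dob"]) for a in group}
        if len(claimed) > 1:
            flagged[key] = sorted(a["id"] for a in group)
    return flagged

def linked_clusters(apps, fields=("ssn", "address", "phone")):
    """Merge applications connected through any flagged element (union-find)."""
    parent = {a["id"]: a["id"] for a in apps}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for ids in shared_elements(apps, fields).values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(list)
    for app_id in parent:
        groups[find(app_id)].append(app_id)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample records; the SSNs use the never-issued 000 area.
APPLICATIONS = [
    {"id": "A1", "name": "Maria Dough", "dob": "1985-03-02", "ssn": "000-12-3456", "address": "14 Mill Rd.", "phone": "555-0101"},
    {"id": "A2", "name": "Mark Dowe", "dob": "1979-11-20", "ssn": "000 12 3456", "address": "9 Oak Ave", "phone": "555-0102"},
    {"id": "A3", "name": "Marta Doe", "dob": "1990-06-15", "ssn": "000-65-4321", "address": "9 oak ave", "phone": "555-0103"},
    {"id": "A4", "name": "Jane Smith", "dob": "1982-01-09", "ssn": "000-11-1111", "address": "3 Pine St", "phone": "555-0104"},
]

if __name__ == "__main__":
    print(shared_elements(APPLICATIONS))
    print(linked_clusters(APPLICATIONS))
```

A1 and A3 share nothing directly, yet they land in one cluster through A2, which is the kind of link a single lender checking one application at a time would not see.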
Conclusions
The rise of synthetic identity fraud has come about because life has become more difficult for criminals who try to employ old-fashioned identity fraud. There was a time when a crook who was willing to dumpster dive outside a store could get a hold of the credit card numbers of a random customer of that institution and … go to town. Those days are gone. There was also a time when someone else’s credit card numbers, however obtained, could result in the creation of a new and legitimate-looking piece of plastic using the same numbers. But with the rise of cards that contain EMV chips, that too is heading the way of the dodo.
Criminals have adapted. Part of the adaptation involves patience. Synthetic identity fraud is a “long game.” It takes time to develop an identity, and then it takes further time to build up credit to the point that will make a bust out worthwhile.
In resisting the fraud, both the authorities and the commercial counter-parties might want to keep it in mind that the latter aren’t the only victims. Children are often collateral damage from the fraud.
As noted above, the randomization of social security numbers has meant that if con artists can steal a child’s number, they can assign it to their fictitious adult. The child may not learn of this until many years later when he enters the credit-seeking market and discovers that “his” number is already circulating. He will be stuck with the burden of cleaning up the paper trail or debt trail left by the fraudsters.
The fight has to be taken to the fore. As the costs escalate, the logic of working together will surely make itself clear among authorities at different levels and for the private sector counter-parties. Some of the suggestions above may assist in the unfolding of that logic.
Synthetic Identity: Sources
Stephen D’Alfonso, “Synthetic Identity Theft: Three Ways Synthetic Identities are Created,” Security Intelligence, October 28, 2014.
Alan McIntyre, “The Battle Against Synthetic Identity Fraud is Just Beginning,” Forbes, February 7, 2018.
Anna Nova, “Scammers Create a New Form of Theft: ‘Synthetic-Identity Fraud,’” CNBC, June 7, 2018.
Bev O’Shea, “What is Synthetic Identity Theft?,” NerdWallet, April 27, 2018.
Staff, “What is Synthetic Identity Fraud,” ID: Analytics.