When Synthetic IDs Are As Good As The Real Thing

Businesses Fight Back Against Synthetic IDs

It’s no secret that digital criminals are becoming more sophisticated. So are the fraud defenses deployed by merchants, payment service providers and financial institutions. But some criminals are going a step further – essentially pretending to be legitimate consumers. It even comes down to the use of consumers’ phone numbers and children’s Social Security numbers.

And that’s causing a problem that goes beyond more traditional forms of ID fraud.

In a new PYMNTS discussion, Yinglian Xie, CEO and co-founder at DataVisor, a fraud detection services provider, takes a look at the growth and tactics of synthetic ID fraud. That type of digital crime involves criminals using existing (and stolen) data to cobble together new (synthetic) IDs from disparate sources, building a whole new profile behind which thieves can hide – and perpetrate.

As Xie explained, the fight against that type of fraud is taking on more importance as the global economy becomes ever more digital, and as more participants increasingly serve customers from around the world – a broader base of consumers that criminals can use to break through fraud defenses.

Synthetic Fraud Process

The practice of synthetic ID fraud generally involves “fake IDs made up by criminals that are then used to get credit cards, loans” and to conduct other types of fraud, Xie said. Unlike more “typical” forms of ID theft, synthetic ID fraud is relatively grand. More than, say, just pumping out illegitimate payment cards, as one analysis described it, the scheme also involves “the creation of completely new identities,” sometimes via the Social Security numbers of children.

Successful synthetic ID operations tend to play out over months or even longer periods of time, and involve the racking up of (fraudulent) credit before what mobsters (or at least mobster movies) have called the “bust-out,” a last big spending spree before the ID is essentially retired and the criminals move on. According to various estimates, losses from synthetic ID fraud come in at $6,000 or more per account or victim, and the form of fraud has increased by 35 percent or more since 2015.

“It can be very sophisticated,” Xie told PYMNTS, with criminals not only using those Social Security numbers, but also phone numbers, addresses and other data to make their fraudulent identities for the purpose of theft. The criminals behind synthetic ID fraud are learning to better “mimic user behavior as well,” she said. Not only that — and this is no fun to report — but Xie said trends show these types of criminals are also using malware to “hijack other users’ computers,” to make their activities resemble those of legitimate consumers.

Fighting Back

So that’s the scope and the methods of synthetic ID fraud. What about the remedies? What about fighting back?

For Xie, one part of a successful strategy to prevent this type of crime is to “look beyond individual IDs and identify the subtle correlations” behind the fraud. That means using data – and even machine learning – to examine traffic and patterns to spot real and potential fraud. That can become more challenging as an organization’s customer base becomes broader and more global, as the herd can provide ample hiding places for digital criminals – but there are ways to deal with that dim fact of digital reality.

Take phone numbers, for instance.

In Xie’s telling, the phone number may be a common data point used by consumers and organizations during onboarding and other activities. But a good criminal – a craftsman or craftswoman – can certainly use stolen phone numbers in such a way to help build a synthetic, illegitimate identity. What businesses can do to fight back, Xie told PYMNTS, is to “collaborate with some of the upstream providers” when it comes to phone numbers and other such data. That might mean having a KYC operation that can trace a phone number “back to the telecom providers” in an effort to make sure it is being used by the legitimate owner of that data. “That can help limit downstream attacks,” she noted.

Biometric Role?

When it comes to biometrics, however, the story is more complicated.

While such biometrics as fingerprints, facial recognition and irises are indeed being used more often for fraud prevention and seamless commerce – or, at the least, being increasingly considered for such uses – the problem when it comes to synthetic ID fraud is the lack of a “real user baseline” for that biometric, Xie said. “If you have no baseline of biometrics associated” with a synthetic ID account, criminals “can fake those biometrics.”

One thing that never changes in the fight against synthetic ID fraud, Xie told PYMNTS, is the importance of businesses and other fraud-fighting organizations to “anticipate the new unknown things.” You don’t have to like criminals. Why should you? But without respecting their craft, especially when it comes to synthetic ID fraud, the job of defending against them promises to be even harder than it already is.