How ‘Data Exhaust’ Separates Legitimate Customers From Synthetic ID Fraudsters

Consumers want a speedy, Amazon-like experience when creating accounts with their banks, but keeping fraudsters from slipping in among genuine users can be a challenge. In the FI Fraud Decisioning Playbook, John Kelly, chief administrative officer at Pentagon Federal Credit Union, discusses why financial institutions (FIs) should stop relying on traditional data sources to weed out bad actors and turn to other, more effective tech.

Digital banking and eCommerce are making rapid gains in 2020 as consumers turn to online channels to make purchases and avoid potential exposure to COVID-19.

These shifts are pressuring financial institutions (FIs) to provide seamless account opening experiences for growing shares of customers while also preventing fraudsters from slipping into their systems undetected. Bad actors who use fake or stolen IDs to fool banks’ onboarding procedures can then commit “bust-out” schemes by applying for credit lines and loans, receiving funds and ultimately vanishing with the money.

Synthetic ID fraud can be especially hard to spot. Fraudsters perpetrating these attacks use details stolen from consumers — sometimes combined with fabricated information — to create fake identities that they leverage to open new accounts. Using real credentials lends authenticity to these schemes and allows them to elude many fraud detection systems, and cybercriminals can avoid tipping off victims by not using pilfered identities wholesale.

Long-running synthetic ID schemes have illuminated gaps in FIs’ traditional fraud-fighting measures. Banks and credit unions (CUs) are realizing that they need more insightful data gathering and analysis to help them separate bad actors from legitimate customers as quickly and seamlessly as possible, explained John Kelly, chief administrative officer at 2 million-member-strong Pentagon Federal Credit Union. Kelly said FIs can upgrade their approaches by authenticating users’ devices and examining the finer details of customers’ digital lives to better distinguish legitimate applicants from fraudsters. Tools like artificial intelligence (AI)- and machine learning (ML)-powered risk engines can support these tasks, helping FIs catch bad actors and minimize false positives.

Where Standard ID Verification Falls Short

FIs often ask new customers to supply personal details to verify their identities during account opening, but this method can fail to stop synthetic ID fraudsters. Troves of personal data are publicly available on social media or have been leaked from data breaches, Kelly noted, making it easy for bad actors to provide seemingly valid information. It has become too simple for the wrong people to give the right answers, meaning FIs must look for harder-to-fake and harder-to-steal information when assessing new users.

“Social engineering and the explosion of individual information available has allowed fraudsters to traverse traditional detection strategies,” he said.

The proliferation of personal details online is not the only new complexity FIs face. Red flags that commonly indicate synthetic ID fraud in certain situations — such as new account applicants who have short credit histories — could simply be genuine characteristics of honest customers, Kelly said. Reducing false positives thus requires FIs to dig deeper for more insights.

Nontraditional Data

Some banks collect standard identification details as well as those gleaned from a broader number of sources. FIs traditionally refer to their internal records to examine the previous interactions they have had with existing customers and to government-issued credentials, such as driver’s license numbers and Social Security numbers, to verify new accounts. Banks and CUs can improve on these efforts by also looking at how consumers transact online, Kelly said.

“The data exhaust we all give off every day in all of our lives is data that is able to be taken advantage of — but it is also data that [can be used] to help protect consumers,” Kelly noted. “That unstructured or nontraditional data that is available allows us to not be reliant on what traditionally might be bureau-based data or only-on-us transactional-based data. There are other types of … behavioral data out there that allow us to really understand and authenticate the real you.”

Tapping into this nontraditional data could entail asking consumers about cellphone bill details, for example. Even fraudsters who have stolen consumers’ real names and passport numbers are unlikely to have access to all information about their victims, making it possible to reveal discrepancies in their answers if they are asked enough additional verification questions.

Device Authentication

FIs and their partners can also examine the devices with which customers transact to better determine whether fraud is occurring. This method — known as device authentication — involves assessing how devices have been previously used, including whether they have recently facilitated behaviors that indicate criminal activity.

“Every phone has a technology footprint,” Kelly explained. “That footprint is highly complex, and there’s [a] lot of information that we and others will look to authenticate as well as leveraging data relative to that device footprint. … [We] can go out and leverage partnership and data sets that allow us to say that exact phone — I’m not talking phone numbers, [as] those can be spoofed — has that [device] been used in other fraudulent activities at our institution or elsewhere? Or has this device been used to open 100 accounts in the last day?”

Digging into device details and other unique aspects to ferret out fraud attempts requires FIs to quickly process large quantities of information. Kelly said that AI and ML tools can drive these efforts, enabling FIs to thwart schemes before they get off the ground.

“That ability to do predictive analytics and leverage AI and machine learning and those capabilities really allows us to string together what would have been distinct, separate events that, in and of themselves, may not have appeared to be risky,” Kelly said. “We can now very rapidly connect those dots [and] stitch those together to very quickly tell a risk story that allows us to begin to identify synthetic IDs.”

Getting ahead of synthetic ID fraud is an increasingly important task for FIs that aim to offer legitimate consumers smooth digital services while preventing criminals from making off with funds. Data strategies and advanced learning tools that can rapidly assess and verify new account applicants can help FIs simultaneously stop fraudsters and ensure seamless customer experiences.