Lazy days of summer, indeed. Say someone is on the beach, perhaps leafing through a long-neglected stack of The New Yorker (oh, c’mon, they’re just looking at the cartoons), why worry about something as abstract as synthetic identity fraud? Maybe because the bad guys are not on summer break, and that beach-goer might be in their crosshairs.
Synthetic identity fraud, as readers of these virtual pages know, is the practice by which criminals take information from various sources — and people, of course — and create new identities to open accounts, buy goods and get loans on someone else’s dime and reputation. No one is sacred or safe — not even children.
The problem is costly for firms, resulting in losses of as much as $6 billion in 2016, roughly 20 percent of card losses. Beyond the hits to businesses’ bottom lines lies the long-standing harm to consumers, who may see their credit reports decimated, with debt collectors dunning them for things they never bought and all sorts of desperate battles waged to clear their good names. They may not even be aware that they’re being victimized until months or even years later.
In the latest Topic TBD, Karen Webster and GIACT EVP of Product David Barnhardt delved into just how widespread the problem is becoming, why firms are consistently taken for a ride by the fraudsters and what can be done to stanch their efforts. Turns out nothing less than a sea change is needed in how companies vet who is on the other side of a transaction.
A Global Problem
If you needed any reminder, there’s a gold mine of data out there, and data is the brick-and-mortar of constructing a synthetic identity. Everything’s fair game, it seems, from names and Social Security numbers (SSNs) to account data, and even info gleaned off social profiles (more on this in a minute).
Equifax may have its place as a watershed hack in the annals of data breaches, but it stands as only one of many. Consider the fact that, just this past week in Singapore, a massive data breach touched the information of a third of the city-state’s population. As many as 1.5 million people have been affected, stretching back three years, and the criminals made off with the “non-medical” details, spanning names, addresses and identity cards. The Singapore event shows how breaches (and targeted information) are becoming global in scope, said Barnhardt.
“This isn't just a U.S. problem,” he said. “This is a global problem. And I think the more we see breaches in these foreign countries, as well as stateside … my thoughts are ‘when are the fraud guys going to really start to cross-pollinate?’”
Cross-pollination brings with it new threats, it seems, as the data is, well, out there (perhaps exponentially so with each large breach), ripe for the picking and there to cobble together to create new personas.
How The Bad Guys Do The Bad Stuff
With so much raw data moving through the dark undercurrent of the web, and the billions in losses incurred by firms, the question remains: Why have companies been lagging in their anti-fraud efforts? The status quo, with its entrenched processes, is what doesn’t work. All too often, companies rely on limited data for enrollments and payments, Barnhardt told Webster.
Relying on limited data points is a dangerous game. Barnhardt stated that fraudsters are fleet and nimble in formulating new concoctions from disparate data sources. They may use a “correct name” as matched to a Social Security number, but that data may be paired with an email address that has never been associated with that individual, or was recently created. The fraudster may also enlist technology of the tangible sort in their effort, with a prepaid cell phone or a brand new device that has been recently activated and has no history tied to it.
Email and phone are the primary means by which the individual communicates with a financial institution (FI) or retailer, he stated. Now, virtual accounts mean that paper statements are never mailed to the real person. Conceivably, then, an individual can be a victim of fraud and never know it until they’ve been mailed a statement of overdue payment or gotten a collection notice, Barnhardt said.
“They are mixing it up now,” said Barnhardt of the sorcerers behind synthetic identity fraud, “and they are trying to see what they can be successful with.”
To sum it up, the bad guys find the corporate blind spots and exploit them.
A few new wrinkles are emerging, he said. Among them: Fraudsters are taking on fresh Social Security numbers — the ones issued to children, the most vulnerable victims. That’s because criminals can get away with their schemes a lot longer — for years. As Barnhardt stated, credit profiles take shape over a period of years. These youngest victims will not be actively checking their reports until they do things like (legitimately) apply for loans, credit cards or mortgages.
The bad actors behind synthetic identity fraud are also “hopping” onto legitimate accounts. There’s that wealth of data again, which allows the criminals to gather info from social media (high school, mother’s maiden name, dog’s name), along with traditional data, and gain entrée into an account. Presto, change-o: They lock the real user out by changing passwords and drain the account. They can even add themselves as authorized users on accounts.
Don’t Look To The Law
Webster noted that a law signed by President Donald Trump in May mandates that the government — specifically the Social Security Administration — help FIs verify applicants and Social Security numbers via the database that already exists, cataloguing those very same SSNs. At present, the practice that requires applicants’ signatures and verification takes weeks. Now, that response can be rendered in real time.
Barnhardt noted, however, that such efforts really verify only one piece of data — albeit an important one. The number of stolen SSNs far surpasses the number of stolen credit and debit cards. The difficulty with synthetic identity, especially for retailers and FIs, is “they look like a legitimate customer if you are not cross-checking the data,” he said.
Marking The Time(stamp)
The key is to cross-check traditional and non-traditional data carefully, said Barnhardt. With those efforts, FIs can start to build a consumer or business profile that is essentially the digital DNA of that party.
“When you bring all this together with the facts, coupled with time stamps of the association of each piece of data,” he said, “at that point, synthetic identities stick out like a sore thumb. … This is what gives users the ability to pause and further investigate because, I can tell you, more and more companies today are seeing [that] one or two pieces of secondary information are mismatched or not really associated — and when they investigate, they find this is, in fact, a synthetic identity.”
In other words, a bit of advice from Barnhardt to the firms seeking to separate legit users from poseurs: “You’ve got to manage the lifecycle from login to logout. Today, you have to verify and authenticate everything your customer wants to do — if they want to order a new debit card, order checks, change their address, change their email, their phone … everything has to be authenticated.”
When verifying so many disparate actions, Barnhardt stated, single-point solutions are ineffective. He noted that his own firm seeks to help create the digital DNA, coupling, say, bank account information with cell phone carrier data, eliminating the aforementioned blind spots.
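The cross-check with time stamps described above, sketched as an added example (not code from the article or from GIACT). The data layout, the 90-day cutoff, the function names and all sample values are assumptions constructed for illustration; the name and SSN are taken to have already matched.

```python
from datetime import date

# Assumed cutoff (not from the article): a secondary attribute linked to the
# identity for fewer than 90 days is treated as a recent association.
RECENT_DAYS = 90

def cross_check(supplied, first_seen, today):
    """Compare each supplied secondary attribute against association history.

    supplied:   attribute name -> value given on the application
    first_seen: (attribute, value) -> date that value was first observed
                associated with this name/SSN pair, across all data sources
    Returns a list of (attribute, reason) findings; empty means consistent.
    """
    findings = []
    for attr, value in supplied.items():
        seen = first_seen.get((attr, value))
        if seen is None:
            # Value has no history tied to this person at all.
            findings.append((attr, "no prior association"))
        elif (today - seen).days < RECENT_DAYS:
            # Value exists but was only recently created or activated.
            findings.append((attr, "recent association"))
    return findings

def decide(findings):
    """Any mismatched secondary attribute pauses the request for review."""
    return "pause_and_investigate" if findings else "proceed"

# Constructed sample data: one identity's association history.
TODAY = date(2024, 6, 1)
FIRST_SEEN = {
    ("email", "j.doe@example.com"): date(2011, 3, 2),
    ("phone", "+1-555-0100"): date(2014, 9, 15),
    ("email", "jdoe.new@example.net"): date(2024, 5, 25),
}

# Same name and SSN in both cases; only the secondary data differs.
LEGIT = {"email": "j.doe@example.com", "phone": "+1-555-0100"}
SUSPECT = {"email": "jdoe.new@example.net", "phone": "+1-555-0199"}

if __name__ == "__main__":
    for label, app in (("legit", LEGIT), ("suspect", SUSPECT)):
        result = cross_check(app, FIRST_SEEN, TODAY)
        print(label, decide(result), result)
```

The same check applies to every later request in the account lifecycle (address, email or phone changes), not only to enrollment.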
The problem is pervasive, the battle permanent. And, per Barnhardt: “We just have to keep fighting the good fight.”