A single data breach in 2017 exposed 143 million Americans’ credit details and personal information, and incidents that occurred a year later hit companies like Facebook, Google and Quora, affecting 100 million people. The numbers just keep adding up.
Why? Because fraudsters are raising their chickens.
That’s the way Dickson Chu, global head of portfolio management for BBVA, describes how fraudsters are now plying their craft. Today’s fraudsters are methodical, stealing identities to create new ones, then waiting until the right moment to reap the rewards, Chu explained in a recent interview with PYMNTS.
“[Fraudsters] will take the stolen identity of someone and then go and create what looks like a legitimate Facebook account, and they’ll farm it for a long time,” Chu said. “They have patience. They’re going to build a history. They’re going to grow that chicken and then sacrifice it later, tricking all of the sources that say, ‘wait, this account has been in use in a while, it has tenure.’”
This type of identity theft is growing only more insidious for financial institutions (FIs), particularly in today’s digital world as the assault on stealing identities becomes more rampant.
“Everyone’s been comprised,” Chu noted. “We just may not know it yet.”
While this presents big problems for consumers, banks and others charged with protecting their money face even more daunting challenges. The critical task at hand in this high-stakes financial environment, Chu said, is to determine how FIs can guard against the fraudulent use of an identity that has passed all required checks and verifications without raising an alarm.
Inverting the Fraud Approach For Better Security
Banks tend to view fraud as an authentication problem, he explained, and focus on preventing it by identifying criminals before their defenses are breached. In a world where fraudsters are chicken-farming millions of identities and waiting for the opportune moment to cash in on them, however, focusing on identity verification alone is winning only half the battle.
It’s why banks and other FIs must instead invert their approach to tackling fraud, he said.
“It’s not about putting locks on the door to keep the bad guys out — it’s about making sure there’s no way to for them get the money out without additional checks, ” Chu said.
Protecting Data in an Open Banking World
Not only does this approach close the doors on fraudsters attempting to haul away millions in digital funds — it provides banks with some additional benefits in an ecosystem now inundated with new FinTechs.
A growing share of today’s consumers now trust their money to FinTechs rather than traditional banks. These new firms, operational for just a few years, often lack the resources necessary to build the comprehensive verification tools their established competitors possess — an issue for banks and FIs that see them as a legitimate source of money.
Chu said that this can become a bigger problem when accounts are opened at traditional FIs, which must protect themselves against fraudsters using fake credentials to create bank accounts at challenger banks to transact with others. A further complication is when ACH transfer requests come from accounts that have been verified by other banks. This can lead to a ripple effect of less stringent security confirmations during downstream transactions.
Chu noted that open banking is one way in which banks can protect against these verification lapses. This process requires FIs to make their siloed data available to others. Chu said collaborating in this way with other banks is going to become critical as fraudsters begin using the stolen identities they are currently holding onto.
“If you think about all of the breaches that have happened over the last few years, at some point those identities are going to surface. Those IDs are going to get used,” Chu noted. “They have an inventory of these IDs and they’re going to wait to harvest [them] in a way that’s more meaningful.”
While open banking and data transparency expand, banks and FIs will continue facing a flood of ready-to-hatch illegitimate identities, and with fraudsters getting better at committing synthetic identity fraud, banks must also get better at catching it before those chickens come home to roost.