Synthetic Fraud’s Slow Roll Across FIs

Impersonation fraud — where a cybercriminal pretends to be someone they aren’t in an attempt to make off with funds — gets a lot of attention, and for good reason. Cybercriminals are getting good enough to fake biometric authentication methods using Deep Fake and other techniques. Earlier this year, for example, fraudsters made off with $29 million from the U.S. subsidiary of Japan’s largest financial media organization, Nikkei, by successfully stealing a Nikkei executive’s actual voice to order the wire transfer.

It’s scary, GIACT CEO Melissa Townsley-Solis told Karen Webster in a recent conversation, because of the level of technological sophistication it implies. It’s also bold in that there is no way to miss that one has been ripped off for tens of millions of dollars on the strength of a good impersonation.

More insidious and much harder to track, Townsley-Solis told Webster, is synthetic ID fraud. In synthetic identity theft, she explained, the fraudster is still pretending to be someone they are not, but the difference is that they aren’t so much imitating an existing person as creating one. Starting with one or two pieces of real information (a Social Security number is always one of them, sometimes paired with a real name), fraudsters take their time to slowly nurture a fake credit profile until it has a good enough record to make a big strike.

It is often a big strike. A fraudster will make thousands — and even tens of thousands — of dollars in credit card purchases, take out five-figure or six-figure loans, then, once the cards are all maxed out and the maximum amount of cash has been collected, they are gone. Poof. The customer whose Social Security number has been compromised is left fixing their credit report, merchants and issuers are out the money, and the fraudster skips away scot-free and onto the next synthetic identity.

There will be a next one, Townsley-Solis told Webster, because — in the era of Big Data breaches, and hundreds of thousands of Social Security numbers up for grabs on the dark web — this fraud is coming up more, and is costing more to clear up.

“The entire ecosystem is seeing this is an ongoing and growing problem that needs to be addressed,” said Townsley-Solis.

Addressing it, she noted, isn’t going to be about a single silver-bullet solution fired by one heroic player. Stopping this kind of fraud will take lots of data, and even more collaboration around it, to make sure transactions are coming from real customers — not synthetics doing a good impersonation.

The Synthetic Fraud Slow Roll 

Synthetic fraudsters are not smash-and-grab thieves. They are patient players, willing to create an opportunity by waiting and optimizing it. In the case of synthetic fraud, that means creating a fake identity, then slowly laundering it into appearing real. That may start with a secured debit card, she said, or a low-limit credit card. The fraudster uses those cards, pays the bills on time, applies for higher credit limits and gets a bank account.

On paper, she noted, this customer looks both like a legitimate human being with normal spending habits and like a good credit risk. Once those credit lines start to mature and multiply, the credit reports associated with that Social Security number tell a story that looks compelling, despite being a fabrication.

The problem, she added, is that most fraud protection programs are keyed to root out impersonation fraud — someone with a card they shouldn’t have pretending to be its owner. They are using machine learning and artificial intelligence (AI), but what they are looking for isn’t quite right.

“AI and machine learning are great technologies,” she said. “The problem is, if you don’t start with good, clean, reliable data, you will run into the classic GIGO problem: garbage in, garbage out.”

Instead of rooting out synthetic IDs, synthetic ID data essentially trains the security algorithms themselves because the synthetic identity looks much like a real user with clearly identifiable use patterns.

“It all goes back to [how] you’ve got to start out knowing you are dealing with the right person,” she said. “If you don’t know that, then everything else is going to fail.”

Knowing Whom One Is Dealing With

Synthetic fraud, Townsley-Solis noted, is not the work of socially alienated people hacking away in their basements. These are sophisticated, professional operations with both the time and money to invest in their schemes. Recently, a fraud ring that entailed 18 fraudsters created 7,000 synthetic identities, which collectively lifted more than $200 million.

“These are well-oiled machines. As a provider of risk and fraud solutions, we can’t just be looking at the status quo because fraudsters are thinking ahead of that, which means the entire ecosystem has to as well,” she said.

The name of the game is data, and making sure — in looking at securing transactions — to first ask if all the data in a set on the consumer matches up. This isn’t just looking at one stream, but a holistic look at the consumer to make sure that everything adds up. Is the Social Security number associated with a person who is both alive and over the age of 18? The deceased and underaged are favored targets of those building synthetic identities. Does the consumer seem to have two totally separate home addresses in different places? Sometimes, she noted, even more basic data checks are overlooked, such as whether the name on the account matches up with the Social Security number at all.

It is about realizing that the consumer life cycle is long, she said, and needs to be monitored end to end, because fraudsters are always creatively looking for an easy place to pop in. They are counting on data silos, or on security platforms using credit checks as proxies for IDs — even though we know that, with a little false information, it is easier to create a fake credit profile than one might think.

There isn’t going to be a silver-bullet solution or a single, unbreakable source of identity. If fraudsters have proven anything, it is that they will think outside the box, and even find ways to turn security measures back against victims if they can. What works, Townsley-Solis said, is a data-driven solution, informed by many different data points, used to triangulate and verify each other. It means cooperating and sharing data, and being able to evolve along with the fraudsters.

However, the place to start is with authenticating a consumer, she noted, and verifying constantly that whomever one is transacting with is actually — and exactly — who they claim to be.

“As a whole, we need to know to work together, and be cooperative competitors at times, so we can use data shared to fight this battle,” she said. “Because we have to — this is a huge issue that is getting larger, and it is affecting everyone.”