Fraud and Identity Risk Insights Q&A with Ken Meiser
ID Analytics’ Chief Compliance and Consumer Support Officer, Ken Meiser will be speaking at several conferences during the month of March covering fraud trends, best practices for managing fraud threats, cybersecurity and identity risk insights, synthetic identities and more. In this post Ken shares some highlights of the topics he’ll be discussing.
Cybersecurity threats and data breaches have dominated headlines in recent years, what are some ways enterprises are responding?
Cybersecurity, identity protection and fraud risk management are interrelated. Symantec recently acquired LifeLock and ID Analytics as part of recognition that there was a need for a comprehensive Digital Safety Platform¹ – that IT, consumer and behavioral tools have complementary roles in fraud detection and mitigation.
Data breaches are an indication that institutions may not have adequate defenses in place to protect their network, which can put consumers at risk. But the degree to which a person’s identity information is comprised matters a great deal. When breaches occur, there is a market for the consumer’s data and there are clues on the dark web that indicate whether an individual’s data is ‘in play,’ meaning it is available to be sold or traded illegally. If my information was compromised in a breach and my email, phone number and social security number found their way on to the dark web, that makes me more likely to become a victim of identity fraud.² When an enterprise becomes aware that a person’s identity information is being marketed on the dark web, they can raise defenses around that identity. Exercising increased due diligence on customers whose personal data may have been compromised not only protects the enterprise from potential losses, it says to their customers, “I’ve got your back.”
What role does identity play when it comes to cybersecurity?
When we think of cybersecurity, intrusion detection is a high priority. There are tools to detect when an enterprise’s network is under attack, but what about threats lurking inside the network perimeter that aren’t seen by antivirus or intrusion detection systems? Account takeover (ATO) fraud is often accomplished via telephone. ATO scoring is designed to assess the behavioral actions around the account. Measures that address identity-related issues, such as third-party fraud or synthetic identity fraud, are important.
Think of cybersecurity as a quilt, not a blanket. In other words, you need to assemble multiple protections and complementary solutions to help prevent attacks—there isn’t one blanket solution or silver bullet. It’s critical that enterprises layer detection tools to protect against attacks to their network from the outside and internal risks to their processes.
When an identity is compromised, bogus transactions can hide in a stream of normal activity. Enterprises need to be able to identify if the patterns of behavior for an identity are consistent with behavior typically associated with this individual, or if the behavior suggests suspicious activity. They must also look for patterns associated with the separate data components. How are phone numbers and addresses being used? If the same phone number is used on multiple applications and tied to different identities, that signals a potential problem.
There has been some industry confusion around identity theft and synthetic identity fraud. What are the primary distinctions between the two?
There’s an important distinction to be made between identity theft and synthetic identity fraud. Identity theft can be likened to an Elvis impersonator—someone is pretending to be the victim. A synthetic identity is a made-up character; they simply don’t exist.
Recent events have influenced both types of fraud. Data breaches have made it easier for fraudsters to gain access to a victim’s identity elements and the randomization of social security numbers has made it easier for fraudsters to create synthetic identities.³
Identities that are compromised due to breaches and disclosures, typically manifest themselves in third-party fraud or identity theft. In these cases, fraudsters are able to obtain enough information about an individual to use that information to pretend to be that person—the Elvis impersonators. In cases of third-party fraud, the identity thief opens accounts in a victim’s name, builds up debt and may never make a payment. When an enterprise attempts to collect on one of these accounts that has gone bad, they discover that the individual they are attempting to collect payment from never applied for an account with their institution and is a victim of identity theft.
Fraudsters don’t need compromised data to create a synthetic identity. Synthetic identity fraud usually involves creating an entirely new identity composed of information with no ties to a known consumer—the made-up character. Synthetic fraudsters apply for credit and services and maintain a positive payment history on the accounts. Those initial accounts help the fabricated identity build a credit history. This enables the fraudster to open new accounts using their newly established credit history. This fraud can be years in the making and is very difficult to detect, particularly because there is no consumer victim to report that their identity has been stolen. Eventually the synthetic identity may stop paying and disappear without a trace. Not having a real identity to pursue for the losses is the critical aspect of synthetic fraud that ID Analytics is working to address.
To see Ken’s presentations in-person, join him at these events: CBA Live, March 12-14 in Orlando, Barclay’s Emerging Payments Forum, March 14 in New York and KNOW Identity Conference, March 26-28 in Washington, DC. For more information read our media advisory.
1. Symantec, https://www.symantec.com/about/newsroom/press-releases/2016/symantec_1120_01 (accessed February 16, 2018).
2. frankonfraud, https://frankonfraud.com/identity-theft/8-risk-factors-that-can-predict-if-you-might-become-a-victim-of-identity-theft/ (accessed February 16, 2018).
3. ID Analytics, The Synthetic Epidemic: Understanding Identity Fraud after SSN Randomization, p.3-4, October 2017.