Synthetic Identity Fraud: Part Two, The Evolving Threat
In our previous blog we discussed the significant problem of synthetic identity fraud and established that ‘symptom’ solutions, which help detect and address some forms of synthetic fraud, are not enough in the industry’s fight against this evolving threat. This is the second article in a three-part series that examines how to get this epidemic back under control. In this post we discuss the danger posed by manufactured synthetic identities—a problem that is growing in sophistication, intensity and frequency.
Manufactured synthetic identities differ from manipulated synthetics in the manner they are created and in their criminal intent—fraudsters use these fabricated identities to apply for credit and other services planning to take the money (or cell phone, car, etc.) and run. Once a somewhat manageable problem, they have morphed into a new and aggressive form of fraud.
Originally, manufactured synthetic identities were composed of valid data assembled from multiple identities—sometimes referred to as ‘Frankenstein’ identities because fraudsters cobble together bits and pieces of personally identifiable information (PII) from real people to create fake identities, much like Victor Frankenstein used various body parts from multiple corpses to create his monster. These fabricated identities were used to apply for financial products and other services and could be detected when the social security number (SSN) did not match the name, date of birth, or other PII on the application.
Unfortunately, we are in a new era of synthetic identity fraud where fake identities are not always created using valid information from several different consumers. Today’s synthetics are fake identities composed of invalid information with no ties to a known consumer – making them increasingly difficult to verify. With no victim to report that their identity has been stolen, or conflicting PII to raise a red flag, these fraudsters can operate undetected for years building up credit with multiple institutions before “busting out” and vanishing without a trace.
This evolution in synthetic identity fraud has occurred in part due to the Social Security Administration’s (SSA) shift in June 2011 to randomize the way SSNs are issued. In the randomized era, it is easier for fraudsters to create a synthetic identity using a “new” SSN because the SSA no longer uses a regimented, geographical approach for determining the first five digits of newly issued SSNs. As a result, current fraud detection techniques find it difficult to distinguish between legitimately issued numbers and fictitious numbers being fraudulently asserted. In the pre-randomized era lenders could tell if an SSN had been issued and as soon as someone used a real person’s SSN and the name and DOB didn’t match, the application could be identified as potential fraud.
In October of 2017, ID Analytics published a white paper on the synthetic epidemic facing enterprises in the United States. Our research showed that the rate of credit applications asserting possible new SSNs more than doubled within the five-year period post-randomization. This is a strong indication that synthetic identity applications targeting financial institutions are growing due to this loophole. For more details on this study download our white paper, The Synthetic Epidemic: Understanding Identity Fraud after SSN Randomization.
Even though fraudsters have found ways to evade current methods of synthetic identity detection, there are actions being taken to help keep this epidemic from continuing to spread.
This spring, new legislation was passed called the Economic Growth, Regulatory Relief, and Consumer Protection Act which includes a provision that directs the SSA to make a mechanism available to facilitate the verification of consumer information upon request by a certified financial institution. This provision requires gathering consent from a consumer, but no longer requires the collection and submission of a hard-copy wet signature on an SSA consent form, which is a major obstacle to using current SSA services. Electronic consent will allow financial institutions to verify identities more quickly and at scale in connection with a credit transaction.
While this regulation has the long-term potential to significantly reduce synthetic identity fraud, uncertainty on the SSA’s timeline for implementation and the limitations on both the industries and use cases which can benefit from it make the level of impact unclear. Therefore, we need more than new legislation to tackle the problem.
For the past two years, ID Analytics has undertaken an extensive R&D process to deliver solutions that address the most challenging aspects of synthetic fraud—the difficulty in quantifying losses from synthetic identities, inconsistencies within organizations on what constitutes a synthetic identity, and even disagreement on whether this is a fraud or credit problem. Further complicating the challenge is that there are numerous synthetic fraud solutions which focus on identifying tricks-of-the-trade to catch synthetics, rather than attack the problem’s root cause. Effective strategies need to target the core issue of identity legitimacy and/or the typical outcomes of synthetic fraud, to create a more holistic defense capable of both addressing the entire issue, and of maintaining performance once synthetic fraudsters shift their methodology.
How can the market slow the growth of synthetic fraud? Do lenders need to choose specific solutions for manufactured vs. manipulated synthetics? How can business cases for new defenses be developed to address a problem whose damage is so hard to quantify? Stay tuned to learn more about how your enterprise can benefit from synthetic risk solutions that are on the horizon.
Aaron Kline is the Vice President of Product Management at ID Analytics