Spike in Fake ID Schemes Confounds Banks' Fraud Filters

Identity fraud, especially so-called synthetic schemes that use completely or partly made-up identities, is on the rise and hitting banks hard.

In a classic example of synthetic identity fraud, fraudsters create fake IDs to obtain credit cards, diligently pay their bills for years and keep getting the credit limit raised. Once they've reached a certain threshold (say $50,000), they do a "bust out," where they take out a cash advance for $49,000 and skip town. The bank keeps calling and trying to collect, but there's no real person to collect from and the lender ends up writing off the credit loss.

More recently, another type of synthetic ID fraud has emerged, fueled by the massive data breaches of 2014. In these schemes, hackers cross-reference data obtained from different sources — card numbers from Home Depot, for example, and Social Security numbers from another breached organization. Then they call the bank and ask to change the PIN on the card account, which some banks will do for a customer who can provide a Social Security number and card number. (Some even offer automated systems to take care of this.) Hackers can stitch all this data together and sell it on the black market as a fully emulated debit card that allows an individual to walk up to an ATM, enter the PIN and withdraw cash.

"We saw many instances of ATM fraud connected to the Home Depot breach where the PIN numbers weren't stolen," said Yaron Samid, founder and CEO of BillGuard, a provider of card transaction monitoring services. "If you look at the Internet chat rooms, synthetic identities are the fastest moving."

It is hard to measure the frequency of synthetic ID fraud, in large part because "there’s no self-reporting victim," notes Richard Parry, a consultant and a former security executive at JPMorgan Chase, Citigroup, and Visa. But as a proxy, in the fourth quarter of 2013 synthetic identities accounted for 12% of all fraudulent applications at one credit card issuer studied by ID Analytics, more than double the figure in early 2010. (The firm, which monitors fraud for large banks and card issuers, did not identify the financial institution in its study released in October.)

Synthetic identity fraud makes up 88.3% of all identity fraud and 73.8% of the total dollars lost by U.S. businesses, ID Analytics said. According to the Federal Trade Commission, synthetic identity theft accounts for nearly 85% of the more than 16 million ID thefts in the U.S. each year.

When a synthetic ID user has had some kind of credit for a long time, by the time he does something bad with it, he might look like an honest borrower who fell on hard times, Parry said. "A lot of the losses associated with synthetics get written off as credit losses, not as fraud losses," he said. "That's one of the reasons why they are so underreported."

Catch Me If You Can

Banks' fraud filters typically try to find anomalous patterns in card transactions. But when an identity is created synthetically with stolen data, there's no pattern to match.

The accounts of synthetic identities can behave like "thin-file" customers — people who have little information in their credit reports, typically because they're young or underbanked and just haven't used much credit. A fraud analyst might review the account, call it a thin file, and approve it.

"It's very hard for banks to detect," Samid said. "This is how hackers are evolving and getting far more sophisticated, using big data sets where they can take bits and pieces of the data and string together new identities."

And often, synthetic IDs are built over such a long time, "by the time they do do something malicious, like bust out in a credit sense and just disappear, you can't find them again because the account doesn't resolve to a carbon-based life form," Parry said. 

More recently, with an added dash of chutzpah, perpetrators of synthetic ID fraud have been known to load up a line of credit to its maximum, commit fraud, and then report the fraud as a victim to get reimbursed, Parry said.

"They get another lease on life, and therefore significantly increase the revenue they make on these accounts. … It cost-justifies the effort and patience and attention to detail it takes to create and curate these identities." Again, the apparent normality of the behavior helps it sail through fraud filters.

How can they afford to be so patient? A typical synthetic ID syndicate has hundreds and sometimes thousands of such IDs going at the same time. "They have a pipeline, and they're enrolling these identities in other things to create all the behaviors that make them look like a really good customer," Parry said. 

Banks' obligation to know their customer, which theoretically would prevent them from letting people open accounts with fake identities, hasn't done much to prevent synthetic fraud, Parry said. 


Comments (4)
Authentication techniques that triangulate on additional elements of identity beyond data alone are needed to thwart synthetic identity schemes. The use of telephones as authentication factors and the use of biometrics raise the bar for synthetic identity theft. The criminals must obtain telephones, register their voice biometrics and so forth. I can claim to be JQ Public, but even if JQ Public has a thin credit file, the legitimate JQ Public likely has a telephone. Multiple account openings against a single telephone is another red flag.

The perpetrators creating synthetic IDs may be patient, they may be clever - but that is why finding ways to connect information and activity to "carbon-based life forms" is critical to thwarting this type of theft.
Posted by Krista Haas - Authentify | Tuesday, February 03 2015 at 12:57PM ET

The guidelines in the KYC & Red Flag regulations tell us that the solution is in authenticating customer identity at the time they conduct a covered transaction (such as applying for a credit card). The problem right now, IMHO, is that FIs continue to operate under outdated assumptions - which is that the cost of fraudulent activity that could be prevented by more stringent ID Authentication procedures is outweighed by the profits generated by making credit applications (or, other financial transactions) as simple and non-restrictive as possible. If a financial institution is genuinely interested in reducing ID fraud losses, they need to credential their customers - which means conducting high-level document authentication on ID documents presented during the on-boarding/application process, and logging a biometric signature AT THE SAME TIME so that future authentication of that person's identity is ensured. Problem is - everyone in the pipeline is negatively incentivized to reduce transaction volume. The loan officer, the bank manager, even the teller clerk are all bonused by the volume of transactions. If transaction is discovered months - or years - later, the people charged with keeping their eyes open and detecting these things are not debited for approving fraudulent transactions.
Posted by Strundy | Monday, February 02 2015 at 12:42PM ET

Fake IDs are stopped with Consent Based SSN Verification - CBSV - from the SSA. In 2002, the SSA launched CBSV to match Name, SSN, DOB, and Death Indicator to the SSA Master File and Death Index. SSA does not advertise this service. Learn more at ssa.gov/cbsv and idvalidation.com - An Authorized SSA Agent for CBSV service. Many financial institutions use CBSV to protect their vital business interests.
Posted by Chuck Salvia | Monday, February 02 2015 at 11:17AM ET

Social Security cards NEED TO MOVE into the 21st century. They must provide a cleartext number, and have an embedded SIM chip or such that produces a reliably verifiable, but different, one way hash that can be provided each time someone applies for credit. Bankers can authenticate the hash number and then OK it or not. Different verifiable hash for every transaction. Really, is this so hard? B/c, I believe they DON'T HAVE THE WILL. They need the fraud.
Posted by kiers77 | Monday, February 02 2015 at 10:11AM ET