Identity fraud, especially so-called synthetic schemes that use completely or partly made-up identities, is on the rise and hitting banks hard.
In a classic example of synthetic identity fraud, fraudsters create fake IDs to obtain credit cards, diligently pay their bills for years and keep getting the credit limit raised. Once they've reached a certain threshold (say $50,000), they do a "bust out," where they take out a cash advance for $49,000 and skip town. The bank keeps calling and trying to collect, but there's no real person to collect from and the lender ends up writing off the credit loss.
More recently, another type of synthetic ID fraud has emerged, fueled by the massive data breaches of 2014. In these schemes, hackers cross-reference data obtained from different sources — card numbers from Home Depot, for example, and Social Security numbers from another breached organization. Then they call the bank and ask to change the PIN on the card account, which some banks will do for a customer who can provide a Social Security number and card number. (Some even offer automated systems to take care of this.) Hackers can stitch all this data together and sell it on the black market as a fully emulated debit card that allows an individual to walk up to an ATM, enter the PIN and withdraw cash.
"We saw many instances of ATM fraud connected to the Home Depot breach where the PIN numbers weren't stolen," said Yaron Samid, founder and CEO of BillGuard, a provider of a card transaction monitoring services. "If you look at the Internet chat rooms, synthetic identities are the fastest moving."
It is hard to measure the frequency of synthetic ID fraud, in large part because "there’s no self-reporting victim," notes Richard Parry, a consultant and a former security executive at JPMorgan Chase, Citigroup, and Visa. But as a proxy, in the fourth quarter of 2013 synthetic identities accounted for 12% of all fraudulent applications at one credit card issuer studied by ID Analytics, more than double the figure in early 2010. (The firm, which monitors fraud for large banks and card issuers, did not identify the financial institution in its study released in October.)
Synthetic identity fraud makes up 88.3% of all identity fraud and 73.8% of the total dollars lost by U.S. businesses, ID Analytics said. According to the Federal Trade Commission, synthetic identity theft accounts for nearly 85% of the more than 16 million ID thefts in the U.S. each year.
When a synthetic ID user has had some kind of credit for a long time, by the time he does something bad with it, he might look like an honest borrower who fell on hard times, Parry said. "A lot of the losses associated with synthetics get written off as credit losses, not as fraud losses," he said. "That's one of the reasons why they are so underreported."
Catch Me If You Can
Banks' fraud filters typically try to find anomalous patterns in card transactions. But when an identity is created synthetically with stolen data, there's no pattern to match.
The accounts of synthetic identities can behave like "thin-file" customers — people who have little information in their credit reports, typically because they're young or underbanked and just haven't used much credit. A fraud analyst might review the account, call it a thin file, and approve it.
"It's very hard for banks to detect," Samid said. "This is how hackers are evolving and getting far more sophisticated, using big data sets where they can take bits and pieces of the data and string together new identities."
And often, synthetic IDs are built over such a long time, "by the time they do do something malicious, like bust out in a credit sense and just disappear, you can't find them again because the account doesn't resolve to a carbon-based life form," Parry said.
More recently, with an added dash of chutzpah, perpetrators of synthetic ID fraud have been known to load up a line of credit to its maximum, commit fraud, and then report the fraud as a victim to get reimbursed, Parry said.
"They get another lease on life, and therefore significantly increase the revenue they make on these accounts. … It cost-justifies the effort and patience and attention to detail it takes to create and curate these identities." Again, the apparent normality of the behavior helps it sail through fraud filters.
How can they afford to be so patient? A typical synthetic ID syndicate has hundreds and sometimes thousands of such IDs going at the same time. "They have a pipeline, and they're enrolling these identities in other things to create all the behaviors that make them look like a really good customer," Parry said.
Banks' obligation to know their customer, which theoretically would prevent them from letting people open accounts with fake identities, hasn't done much to prevent synthetic fraud, Parry said.