Identity Fraud: Back with a Vengeance, Harder to Stop
New-account fraud is growing fast and forcing banks and their data brokers to rethink the way they verify the identities of new customers.
The opening of fake accounts using stolen or made-up (aka synthetic) identities more than doubled in 2015, according to a Javelin Strategy & Research report. Crooks stole the identities of, or appropriated personal information from, 1.5 million consumers — up from 700,000 in 2014 — to create fraudulent checking, credit card, loan and other accounts.
"I can tell you with 100% conviction that identity proofing is the biggest fraud problem out there," said Avivah Litan, a vice president at the research and advisory firm Gartner. "Fraud has become an identity problem."
Consumers, especially millennials, increasingly prefer to do everything on their mobile devices, including signing up for services. But as banks start to open accounts for people whom their employees have never met, there are plenty of questions about whether they can tell real customers and crooks apart.
The U.S. migration to EMV chip cards is one factor, as it is forcing criminals who used to create counterfeit cards to change their MOs.
"The impetus for identity thieves has increased generally because the chip card has created a situation where you can't mass produce counterfeit plastic with compromised data," said Richard Parry, principal at Parry Advisory. "That has got a lot of criminals thinking, if I can't manufacture one, why don't I get a real one?"
Data that can be used to create synthetic identities or set up new accounts based on stolen identities is plentiful. According to the Javelin study, 7 million individuals last year reported having their Social Security numbers breached within the prior 12 months, 63% more than in 2014. Since Social Security numbers maintain their value for the entire life of the associated individual, these represent lasting vulnerabilities.
"There are staggering amounts of data available about people that enables me to impersonate them for the purpose of fraudulent applications," Parry observed. "So fraudulent applications will go up until the financial services industry comes up with better ways to" verify identity.
To be sure, consumer surveys are an imperfect measure of new-account fraud because consumers often do not realize they are the victims. Fraudsters could use stolen identities to open and use credit cards for months before the victims notice something is wrong, for example when they cannot get loans or their credit scores drop precipitously. In the case of synthetic identities, consumers may never find out a piece of their information was used to build a fictitious yet realistic identity.
Banks often do not detect these rogue accounts, either. They tend to mislabel synthetic ID fraud as loan losses.
"When we talk to our bank clients about application fraud and identifying true-name fraud versus synthetic IDs, they have a hard time even distinguishing if they're dealing with fraud in the first place, much less whether it's a synthetic ID," said Al Pascual, research director and head of fraud and security at Javelin. "Often, banks and issuers will charge off these accounts and label them as a credit risk issue. Unless that consumer or law enforcement calls them and says that wasn't me and can prove it, they're not going to stamp it as fraud."
In synthetic ID, where bits and pieces of real identities are cobbled together to create an identity Frankenstein, it is hard for issuers to get a hold of the true owners of those pieces of ID information, Pascual said. "It confounds banks' ability to know how much of a problem they're really facing."
Another caveat to the survey results is that the 700,000 victim number for 2014 was a record low. That year, fraudsters were able to take advantage of massive card data breaches (1,107 in the U.S. alone) and conduct card fraud at the point of sale. They did not have to go to the trouble of opening fake accounts. By 2015 a huge wave of reissued cards made card fraud less tenable.
"We've had so many breaches lately with very sensitive information being stolen that this trend line will continue, if not accelerate, and become more of a problem," Pascual said. "I predict we're going to go from 1.5 million to well over 2 million new account-fraud victims next year."
Bankers are worried. In a recent American Banker survey of bank chief information security officers, almost a third said the overall increase in identity theft was one of their top five challenges.
"It's become a much bigger issue," Litan said. "We get a ton of questions on identity proofing and new-account fraud."
Kinds of ID Misuse
Ken Meiser, vice president of identity solutions at ID Analytics, sees three classes of synthetic identity behavior.
In one, called identity manipulation, crooks use their real core identity but insert some false data to confuse underwriting systems.
In a second, called "quick synthetics," fraudsters construct identities from components of valid identities to, say, go to a marketplace lender and get a quick $10,000 loan.
The third category involves patient fraudsters who allow a credit bureau file to develop, take out additional credit based on the fact that the identity has a performing account somewhere else, and then, a year or two later, withdraw large sums or go on a big shopping spree.
How to Stop It?
As more fake and stolen identities are used to open accounts, some banks seek alternative methods for proving identity.
Some are looking for unique red flags, such as account applications linked to voice-over-internet-protocol phones from carriers used by criminals. "A lot of criminals don't bother to try that hard, so they'll use prepaid, throwaway VoIP phones," Litan said.
Banks can look at cellphone account data for clues — has this phone number been billed to this name for a long time, has the customer paid his bill at this address? Email address lookups can also yield intelligence; for instance, a newly created email address is statistically far more likely to be involved in fraud than one that's existed for years; a never-used email address should also send up red flags.
Banks also could look at the relationships between mobile devices and email addresses. "Are you seeing them together?" Litan said. "You can look at the mobile number and see whether it's the right location you'd expect."
Device ID is another useful piece of data, except for the fact that people can easily change phones.
"All these factors change," Litan said. "That's why people used to love Social Security numbers, because they didn't change. But they're heavily compromised."
Also, about two and a half years ago, the Social Security Administration went to a randomized mechanism for issuing Social Security numbers, which makes it hard for identity verifiers to figure out whether a Social Security number is valid.
The three big credit bureaus and other companies are all trying to improve the way they check out consumers' identities.
ID Analytics looks for patterns in elements of personal information. "We might see the same phone number and address on multiple applications for different people," Meiser said. "And the way we've engineered our systems is we're able to recognize those disparities in real time and say I've got five applications using that phone number with four different identities associated with them. That's a problem."
For some card issuer clients, ID Analytics also goes back 24, 48 or 72 hours after an applicant's initial risk score and rescores the application, looking for other activity associated with the applicant's identity elements that might not have been visible the first time around.
"We're seeing a small but significant population where we're observing a lot of behavior change in that time frame," Meiser said. "This gives issuers another opportunity, even though the plastic may have gone out, to hold off on the activation of that new plastic because of information learned after the event."
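The cross-application check and the delayed rescoring Meiser describes, sketched as an added example (not ID Analytics' code and not from the article). The field names, the threshold of two identities per shared element and the sample applications are assumptions constructed for illustration.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

T0 = datetime(2016, 5, 1, 9, 0)

def _app(app_id, hours, name, ssn, phone, address):
    return {"id": app_id, "ts": T0 + timedelta(hours=hours), "name": name,
            "ssn": ssn, "phone": phone, "address": address}

# Constructed sample data (no real people or numbers): five applications
# share one phone number across four identities (A1 and A4 are one person).
APPLICATIONS = [
    _app("A1", 0, "Ann Lee", "000-00-0001", "555-0100", "1 Elm St"),
    _app("A2", 5, "Bob Ray", "000-00-0002", "555-0100", "9 Oak Ave"),
    _app("A3", 30, "Cy Dunn", "000-00-0003", "555-0100", "9 Oak Ave"),
    _app("A4", 40, "Ann Lee", "000-00-0001", "555-0100", "1 Elm St"),
    _app("A5", 50, "Di Moss", "000-00-0004", "555-0100", "4 Fir Rd"),
    _app("B1", 6, "Ed Park", "000-00-0005", "555-0199", "7 Ash Ln"),
]

def linkage_flags(app, applications, as_of, max_identities=2):
    """Flag elements of `app` that, among applications received up to
    `as_of`, are tied to more than `max_identities` distinct identities.
    Returns (element, value, application_count, identity_count) tuples."""
    flags = []
    for element in ("phone", "address"):
        count, identities = 0, set()
        for other in applications:
            if other["ts"] <= as_of and other[element] == app[element]:
                count += 1
                identities.add((other["name"].lower(), other["ssn"]))
        if len(identities) > max_identities:
            flags.append((element, app[element], count, len(identities)))
    return flags

def rescore(app, applications, delays_hours=(0, 24, 48, 72)):
    """Score at submission (delay 0), then again after each delay, so that
    activity arriving after the first decision can still hold activation."""
    return OrderedDict(
        (h, linkage_flags(app, applications, app["ts"] + timedelta(hours=h)))
        for h in delays_hours)

if __name__ == "__main__":
    for delay, flags in rescore(APPLICATIONS[1], APPLICATIONS).items():
        print("A2 +%dh:" % delay, flags or "no linkage flags")
```

Application A2 passes at submission and at the 24-hour rescore, then picks up a phone-number flag at 48 hours once three more applications using the same number have arrived.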
"They all know they need to use more than personally identifiable information, and they're all working on it," Litan said.
Banks could make better use of their own data on customer behavior in their other accounts. "You're always better off using internal data if you have it," Litan said.
This requires, of course, a view of the customer across channels, which most banks lack.
No one product or method is perfect, Litan noted. "It's just a matter of trying to stay a step ahead of them and create processes that are harder to beat," she said. "If you do put a lot of data together, so you rely on all these different layers, the chances are you'll beat the criminals. They can beat one or two layers, but they're not going to beat three or four."
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.