Identity fraud, especially so-called synthetic schemes that use completely or partly made-up identities, is on the rise and hitting banks hard.
In a classic example of synthetic identity fraud, fraudsters create fake IDs to obtain credit cards, diligently pay their bills for years and keep getting the credit limit raised. Once they've reached a certain threshold (say $50,000), they do a "bust out," where they take out a cash advance for $49,000 and skip town. The bank keeps calling and trying to collect, but there's no real person to collect from and the lender ends up writing off the credit loss.
More recently, another type of synthetic ID fraud has emerged, fueled by the massive data breaches of 2014. In these schemes, hackers cross-reference data obtained from different sources card numbers from Home Depot, for example, and Social Security numbers from another breached organization. Then they call the bank and ask to change the PIN on the card account, which some banks will do for a customer who can provide a Social Security number and card number. (Some even offer automated systems to take care of this.) Hackers can stitch all this data together and sell it on the black market as a fully emulated debit card that allows an individual to walk up to an ATM, enter the PIN and withdraw cash.
"We saw many instances of ATM fraud connected to the Home Depot breach where the PIN numbers weren't stolen," said Yaron Samid, founder and CEO of BillGuard, a provider of a card transaction monitoring services. "If you look at the Internet chat rooms, synthetic identities are the fastest moving."
It is hard to measure the frequency of synthetic ID fraud, in large part because "theres no self-reporting victim," notes Richard Parry, a consultant and a former security executive at JPMorgan Chase, Citigroup, and Visa. But as a proxy, in the fourth quarter of 2013 synthetic identities accounted for 12% of all fraudulent applications at one credit card issuer studied by ID Analytics, more than double the figure in early 2010. (The firm, which monitors fraud for large banks and card issuers, did not identify the financial institution in its study released in October.)
Synthetic identity fraud makes up 88.3% of all identity fraud and 73.8% of the total dollars lost by U.S. businesses, ID Analytics said. According to the Federal Trade Commission, synthetic identity theft accounts for nearly 85% of the more than 16 million ID thefts in the U.S. each year.
When a synthetic ID user has had some kind of credit for a long time, by the time he does something bad with it, he might look like an honest borrower who fell on hard times, Parry said. "A lot of the losses associated with synthetics get written off as credit losses, not as fraud losses," he said. "That's one of the reasons why they are so underreported."
Catch Me If You Can
Banks' fraud filters typically try to find anomalous patterns in card transactions. But when an identity is created synthetically with stolen data, there's no pattern to match.
The accounts of synthetic identities can behave like "thin-file" customers people who have little information in their credit reports, typically because they're young or underbanked and just haven't used much credit. A fraud analyst might review the account, call it a thin file, and approve it.
"It's very hard for banks to detect," Samid said. "This is how hackers are evolving and getting far more sophisticated, using big data sets where they can take bits and pieces of the data and string together new identities."
And often, synthetic IDs are built over such a long time, "by the time they do do something malicious, like bust out in a credit sense and just disappear, you can't find them again because the account doesn't resolve to a carbon-based life form," Parry said.
More recently, with an added dash of chutzpah, perpetrators of synthetic ID fraud have been known to load up a line of credit to its maximum, commit fraud, and then report the fraud as a victim to get reimbursed, Parry said.
"They get another lease on life, and therefore significantly increase the revenue they make on these accounts. It cost-justifies the effort and patience and attention to detail it takes to create and curate these identities." Again, the apparent normality of the behavior helps it sail through fraud filters.
How can they afford to be so patient? A typical synthetic ID syndicate has hundreds and sometimes thousands of such IDs going at the same time. "They have a pipeline, and they're enrolling these identities in other things to create all the behaviors that make them look like a really good customer," Parry said.
Banks' obligation to know their customer, which theoretically would prevent them from letting people open accounts with fake identities, hasn't done much to prevent synthetic fraud, Parry said.
"KYC does not mean we know our customer," Parry said. "KYC means weve been through a process that makes it likely that we know our customer. Because KYC is a risk-based process, it's not a definitive, validated and verified process. That's because our whole system of identity is based on the inference of consistency measures around data and behaviors. Its not absolute validation that a carbon-based life form is the one standing before you."
Banks are trying to speed the new account opening process, to enable customers to quickly sign up for mobile apps. This could actually help, Parry said.
"A well-designed infrastructure for creating applications that enable electronic banking or transactions is aided by the phone, if robustly implemented, becoming a really good token," he said. "The problem with any form of tokenization, whether the token is a key fob or a telephone or whatever, is you have to know who you gave the token to."
The Trouble with Social Security Numbers
The one piece of data that clearly separates one person's identity from another, and that is needed to get through banks' Know Your Customer rules to open accounts, is the Social Security number.
The Social Security Administration changed the game in July 2011, when it shifted from an orderly, rules-based numbering scheme to a randomized number generator, to allow more numbers to be created.
"The thing we're observing is after randomization, those folks who are creating these synthetic IDs are going bad more frequently. They're just plain riskier," said Garient Evans, vice president of solution services at ID Analytics. "We think these are bad guys who have exploited randomization because now, institutions have fewer tools to know that a Social Security number is legit."
The SSA offers a service for approved institutions to do one-off manual requests to get Social Security numbers verified. It's not an automated solution and there's a fee charged per look-up. Most large institutions dont use it on a large scale. The SSA doesn't necessarily want to make it easy for people to access its database.
"You can understand the moral hazard [the SSA] might have, which is how do they make sure they don't make it so easy that bad guys the ability to access that service," Evans said.
There's also a large population of immigrants who use made-up or stolen Social Security numbers for benign purposes; sometimes several immigrants will share the same Social Security number.
"We'll see multiple names and addresses associated with one number, but with no fraud, no losses," Evans said. "We'll see a mortgage, an auto loan, a card being paid with regularity and there are no issues." Sometimes people invent Social Security numbers for the same purpose.
An estimated 20 million Social Security numbers in credit bureau files are associated with four or more names. Even when a bank checks a number with the SSA, the administration won't necessarily share the fact that, although the customer name they're asking about does match the number, so do three other names.
"Think about the many people in the fabric of our society who do not have access to credit because theyre undocumented," Parry said. "They don't want to rip anybody off. In fact, they tend to be good customers. They have little choice to get access to credit but to use a synthetic or in some way doctored identity that masks who they really are or enables them not to have to say who they really are."
What banks ought to do about this is not clear. If a bank discovered that a seemingly stellar borrower who never missed a payment was not who he claimed to be, it would have to report and possibly revoke the loan, Parry said.
Another category of users of fake or stolen Social Security numbers are people who have gotten into financial straits, had their credit rating damaged or obliterated, and have turned to a dodgy credit repair service.
"There are illegal syndicates that help people repair their credit record by issuing them what theyre told is a credit reference number, which is not a new credit reference number at all, it's somebody elses Social Security number," Parry said. The customer will be told not to use the number within 30 miles of a certain location (where the legitimate Social Security number owner lives).
And of course, there are those who make up Social Security numbers to perpetrate fraud.
"The fraudsters are sophisticated enough to know what legitimate Social Security numbers have been issued," Evans said. To create a synthetic identity, they will generate a Social Security number thats one digit off or they'll transpose numbers. "They'll do things such that an actual credit bureau file will be pulled, because the Social Security number is close enough and a lot of institutions have fuzzy logic," Evans said. "If it's a 1 and we know it's a 7, we'll pull it. We know fraudsters are sophisticated enough to use those techniques."
To pass banks' KYC filters, synthetic ID perpetrators prefer to use the Social Security numbers of minors.
"If you use a childs Social Security number, the chances are you have 10 years to make use of that before that child reaches an age where they're likely to apply for credit in their own right," Parry pointed out. "In the more perverse example, you get the child who walks into the bank and requests his first debit or credit card because he's off to college. And the bank says, 'but youve already got a mortgage with us and you've had it for seven years.'"
How ID Fraud Could Be Thwarted
Consumers expect their banks to protect them from identity and account fraud. According to a Ponemon consumer survey, 63% of respondents believe that organizations should be obligated to provide identity theft protection.
Most retailers and banks respond to data breaches by offering consumers free credit report monitoring. But as Litan observes, credit reports don't track fraud; they track loan defaults and delinquencies, which generally have nothing to do with fraud.
"Every time theres a data breach, Experian, Equifax and the other credit bureaus run in there and sell credit report monitoring to compromised customers," said Avivah Litan, a vice president at the research firm Gartner. "It doesnt do you any good, because that's not the data that was stolen. It was the credit card that was stolen."
Typically when a consumer sees fraud on a credit card statement, he calls his credit card issuer for a refund, Litan noted. If the consumer doesn't see it and the bank's fraud analytics software doesn't spot it, the consumer ends up paying for it. None of this turns up on a credit bureau report.
BillGuard does provide a service that monitors credit card transactions. BillGuard and Experian launched an app on Monday that consumers can use to monitor their credit cards and bank accounts. For every account for which they provide their user name and password (account aggregation is provided by Yodlee), they will receive alerts about every transaction, with a yellow signal for every transaction BillGuard has cause to suspect.
If someone stole a customer's Social Security number and reset thee PIN to take money out of an ATM, for example, the BillGuard service should be able to flag that.
Banks have their own analytics in which they look across their applications for indications of identity fraud, Litan noted.
Biometric identity schemes that require a customer to produce a fingerprint or retina for identification could help reduce fake identity theft.
And the Social Security Administration could improve the cost and availability of its ID number lookup service. "It would reduce so much fraud if it was readily available," Parry said.
Another effort that would help would be for banks to use out-of-band authentication, such as a phone call or text to the phone number on record, for unusual transactions (banks already do this in some cases, such as for certain types of wire transfers). "More institutions are doing this, but it should be becoming commonplace," Parry said.
"It's an extraordinarily complex problem that requires collaboration by government departments, legislature, regulators and the lenders," Parry said.