How do you catch a criminal who doesn’t actually exist? Through the use of fake data, fraudsters are creating data ghosts to commit various forms of fraud around banking, insurance, mortgages and beyond. How does this work and what can you do about it? And is it truly a victimless crime?
Transcription:
00:00:08:07 - 00:00:29:27
David Heun
Welcome. I'm David Heun. I'm at American Banker. I am associate editor for the technology team, and I'm glad you could join us today. It's one of the rare times where I can say good morning, good afternoon, and good evening, depending on where you're logging in from, for the digital bank conference this year. I have a great panel with us today.
00:00:29:28 - 00:00:51:15
David Heun
The moderator always says that, but I guarantee you I'm correct on this one. These folks have tremendous credentials for this synthetic fraud problem that plagues the banking industry as well as any other company or network out there. They're going to share all their good thoughts with us here in a moment. Before we get started, I do want to remind you that this is a CE- eligible session.
00:00:51:16 - 00:01:11:22
David Heun
That means the continuing education program for the American Bar is available to those who need to do that. There is a link on the poll question above your session with us. So if you look above where I'm talking, you probably see some information about the session, and there will also be a link there to click on for the poll to do the survey questions.
00:01:12:14 - 00:01:30:12
David Heun
The caveat is that you have to stay for the whole session. Get that big groan out of the way, but I guarantee you you're going to want to stay for the whole session. You'll enjoy it and enjoy it to the very end and you'll get your credit on that CE poll. I'll also try to remember to remind you at the end of the session, near the end of the session, to do that as well.
00:01:30:23 - 00:01:55:07
David Heun
Also, we will be taking questions from listeners and viewers, and we'll keep an eye on those and try to get to those near the end of the program. So, with that in mind, the fraudulent ghost thing — ghosts have been a mystery of our lives since we were kids. They're no different now in terms of how they threaten the banking systems, and they're going after our accounts, our personal credentials, our payment commercials.
00:01:55:20 - 00:02:27:18
David Heun
We really need to know how to combat that and what to watch for, so let's start by introducing the panelists. I have Simon Marchand, the chief fraud prevention officer at Nuance; Steve Lenderman, who's the director of strategic fraud prevention at Global Security Organization at ADP; and, Geraldine Schmitt, US card principal fraud investigative analyst at Capital One. We'll get started here now by having each one of the panelists tell us a little bit more about what they do.
00:02:27:28 - 00:02:55:11
David Heun
And also I would like them to really define synthetic fraud for us or the fraudulent ghost. What is it in your mind? And the reason I ask that is because we've probably got a pretty good array of listeners today that go from the gamut of the fraud expert, who is going to feel like they know as much as we do or more, which is great, and those who are just kind of learning this business, and they have the task of getting a better handle on synthetic fraud.
00:02:55:11 - 00:03:18:11
David Heun
So as you're given your introduction, also give us the definition of fraudulent ghost. I'll start with you, Simon, and we'll go to Steve, if he's with us; I am afraid he might have dropped out. Then we'll go to Geraldine. Geraldine has a slide to share with us on this topic as well, so we'll use up a little time there.
00:03:18:11 - 00:03:25:10
David Heun
But, I want you to get us started, Simon, on that — what you do at Nuance, what's going on there, and what do you consider fraudulent ghost to be?
00:03:26:01 - 00:03:59:07
Simon Marchand
Yeah, thank you, David. So like you mentioned, I'm the chief fraud prevention officer for Nuance. So I oversee everything that has to do with using our biometrics technology to identify fraudsters and prevent fraud across all sorts of channels. So, we work on voice biometrics and behavioral biometrics. I really am here to make sure that the technology we develop can be tailored to the specific needs of the front line in any kind of industry that's faced with identity theft or identity crimes in general.
00:03:59:07 - 00:04:29:07
Simon Marchand
So that includes synthetic identity as well. I'm a Certified Fraud Examiner — spent a little over a decade running corporate security teams in the financial sector and in telcos. So, it was really an opportunity for me to move from an experience where I was working actively at detecting those fraudulent ghosts — identifying those individuals that are not real individuals, trying to break into our risk assessment systems to open accounts — and now we have the technology to do it.
00:04:30:11 - 00:04:58:09
Simon Marchand
What's a fraudulent ghost? So, the way that we categorize our identity crimes — from a nuanced perspective, we really make a clear distinction between identity theft, which has a clearly identified victim on the other hand: If you investigate your case, you'll be able to find a person that's suffering from that fraud attempt. You'll have your first-party fraud cases or credit abuse, which is someone using their own identity to defraud an organization.
00:04:58:09 - 00:05:29:05
Simon Marchand
very difficult category of fraud cases with synthetic identities — those fraudulent ghosts, the individuals that take advantage of the flaws of different processes and our high reliance on credit bureaus and other types of information to really engineer their way through that process and create an identity that's completely fictitious, an identity that if you try to investigate, you will eventually end up talking to the fraudsters.
00:05:29:13 - 00:06:02:26
Simon Marchand
And, we see fraudsters more and more in the past decade, building those identities and building that knowledge of how to engineer their way into our organizations and how to create credibility around those fake identities from one organization to the next. So really, for us, fraudulent ghosts are those individuals that are non-existent, completely fictitious, and behind those identities, you have one fraudster that's probably managing and using and operating dozens, if not hundreds, of identities at the same time.
00:06:03:26 - 00:06:23:26
David Heun
Very good. That makes a lot of sense, Simon. I know it's an overwhelming thing, but when you talk to some people like you, you know they've got a handle on this thing, and that really helps. I think we'll go to Geraldine now. We're waiting for Steve to get back in with us. He's doing his fraudulent ghost thing, but we'll give him a chance to regroup.
00:06:24:16 - 00:06:40:14
David Heun
We'll go with Geraldine here now, and I believe she has a slide to share with us. Same thing, Geraldine: what you do at the bank, what you're watching for and how you guys defined a fraudulent ghost in what people should look out for.
00:06:42:08 - 00:07:05:05
Geraldine Schmitt
So I am Geraldine Schmitt, and I work at Capital One. I work in the US card division and for the law enforcement team. Basically what that means is that I am investigating requests coming from law enforcement, and I'm also putting out requests to law enforcement involved with first-party fraud crime rings, which incorporates synthetic identity fraud crime rings,
00:07:05:05 - 00:07:40:28
Geraldine Schmitt
I first heard the term ghost while I was working cases out west — these were synthetic identity fraud rings orchestrated by organized criminal groups — and it basically just meant that they were using personal identifiable information, or PII, to establish an open credit that was not fully connected to a real person. And this would be a good time. I’ll give it a second.
00:07:41:10 - 00:08:10:17
Geraldine Schmitt
But, there are variations of synthetic identities that are employed. And, you'll read a lot of reports about how synthetic identities are the use of real as well as fabricated information to apply for credit. That's not always the case. We still see fully synthetic identity is being used, which is the use of a completely invalid social security number, in addition to an invalid name and date of birth.
00:08:10:17 - 00:08:34:08
Geraldine Schmitt
This actual type of fraud became more prevalent, if you will, around 2011, and this is when the Social Security Administration began to randomize Social Security numbers. It was in an effort to prevent identity fraud, but in doing so, it helped to proliferate synthetic identity fraud, and it helped to make it — or, made it harder for banks to mitigate that type of fraud.
00:08:35:00 - 00:09:00:07
Geraldine Schmitt
The majority of the synthetic cases that I see are going to be the use of partially synthetic PII or manipulated credit profiles. The difference is that a partial synthetic is the use of a valid Social Security number that might belong to an immigrant or child, for example, and the use of a fake name and date of birth with that information to apply for credit.
00:09:01:08 - 00:09:42:18
Geraldine Schmitt
Arguably, this started in the mid 1990s but really started to become an issue for issuers, I would say, in the early 2000s. A manipulated credit profile is the use of what some crooks would call a CPN, which is not a valid social security number. CPN just stands for a profile number, you might also hear credit privacy number, and the only thing that it has in common with a Social Security number is that it's nine digits. Someone using that particular social security number will often use her name — their real name — and date of birth, and it's an effort to start credit over if they have bad credit profiles.
00:09:43:02 - 00:10:02:06
Geraldine Schmitt
Or, you may also see people that are not here in the country legally using that, and they're not necessarily the problem. The problem is when you start seeing the quantity of partially synthetic and manipulated profiles and the use of fraud rings as opposed to just the one off where they're keeping those credit profiles going for a long time.
00:10:04:08 - 00:10:24:28
David Heun
Very good. Was that it, Geraldine? That's it. Okay. Very good. Thank you. All right. And then, we have Steve Lenderman with ADP, and the same routine, Steve. We're looking to just get an idea of what your role is at the company and how you would define synthetic fraud, what you guys are usually looking for. Just a quick plug:
00:10:25:12 - 00:10:39:05
David Heun
I have found everything ADP to be great, and when I looked at your credentials, I thought, "boy, am I glad this guy's on our team." So with that, go ahead and give us an idea of what goes on there and what you guys view as synthetic fraud.
00:10:39:19 - 00:10:59:16
Steve Lenderman
Sure thing. Absolutely. Pleasure to be here. Thanks, everybody, for the time. I've been with ADP about three years now. Prior to ADP, I spent time with PayPal, and before that, the credit side of things. That's really when I was first exposed to synthetics. As Geraldine mentioned, you know, the late 90s, early 2000s, we started seeing this really proliferate through the credit side of things,
00:10:59:21 - 00:11:19:23
Steve Lenderman
and the credit market was the first to see it and kind of the first to bear the brunt of it. What we're seeing now is: They've moved out of the credit space into multiple other sectors out there. They're not just looking for easy credit cards, and they're in mortgages; they're in auto; they're in health insurance, and they're in the payroll space, which is where I'm at now.
00:11:20:12 - 00:11:43:11
Steve Lenderman
And, we're actually seeing them move into the business side of things as well. We refer to synthetic identities as individuals, and what we're seeing here, and a term that I've been using the last year or two, is this concept of synthetic entities, which is really the idea of creating a synthetic business, purely for fraud. We've seen a number of synthetic entities in the past,
00:11:43:11 - 00:12:08:24
Steve Lenderman
and if you're in the AML space, these are referred to as either shell companies or shelf companies, and they were typically created really just for tax aversion or tax liability, or they were created, obviously, for money laundering purposes, all of which are in the fraud space, as well. But, what we're really seeing now in this transition is they are going to the synthetic entity space purely to commit fraud.
00:12:08:26 - 00:12:28:17
Steve Lenderman
They're going to use a synthetic entity use synthetic identities to pass all the KYC, and then they're going to go to town in the commercial space, which is anywhere between 10 to 20 times more lucrative for the fraudsters to get into as opposed to an individual credit card account, versus a business credit card account.
00:12:29:11 - 00:12:48:29
Steve Lenderman
So that's what we're seeing really on our side of the house. We're seeing employees being added to legitimate businesses that are actually synthetics, and that's a real problem for our perspective because the one thing that a lot of people want to use to validate whether someone's real or not, is what we produce, which is pay stubs, and W-2s.
00:12:48:29 - 00:13:10:06
Steve Lenderman
If we start issuing those things for synthetic identities, then we have a significant problem, because the rest of the financial sectors rely on some of the data that we produce, to say, "Hey, they must be real. They're getting paid. They're paying taxes." All that fun stuff. So that's kind of what we're seeing right now. And, I only see it getting a little more involved as we progress into the next few years here.
00:13:11:29 - 00:13:34:07
David Heun
Thanks, Steve. Let's start by— I wanted to ask this question because, whenever I'm working on any kind of story related to fraud or security, the tension goes to: Where are the gaps? Where are the security gaps? You know, I've got to think that for fraudsters to establish a fake identity or a ghost individual,
00:13:34:07 - 00:13:54:03
David Heun
Maybe they've already built this fake identity, but they need a place to come in. How does a bank or a company know where the gaps really are? They get these vulnerability messages, and sometimes they apply to their company, sometimes they don't. How do you keep track of that stuff?
00:13:54:03 - 00:14:12:27
David Heun
So, I'm just kind of curious as to where all this is going. You know, there's this mantra out there that, in the digital world, it's not your security, it's everybody else's that affects you. If you think you're really doing well, how do you know your third party partners are? And all that, so it's really complex.
00:14:12:27 - 00:14:23:08
David Heun
So, I'm going to start this one with you, Simon. What do you guys see as the gaps here? Are they easy to spot? Are they changing all the time? Give us a feel for that.
00:14:23:20 - 00:14:47:16
Simon Marchand
There's a lot of different enablers for synthetic identity. I think one of the major gaps in the past decade — when you look at this issue as the issue it's been and how it's evolved — one of the enablers for fraudsters was the way credit files are handled, as financial institutions and telcos and insurance companies rely very heavily on a credit check to open an account.
00:14:48:20 - 00:15:08:10
Simon Marchand
We saw fraudsters start building credibility by generating those credit files even with fictitious information. You'll try to open a prepaid account with a phone company. There will be a credit check. That credit check will be made with fictitious information. The response you receive will be: No hit. This is not a real person. There's no credit file.
00:15:09:06 - 00:15:29:23
Simon Marchand
But, the result of that check is to create an entry. Then the fraudsters can come later, try again with the same pieces of ID, and all of a sudden, the response changes from "no hit" to "thin file." So we have someone. There's no information on file. You don't have a lot to make a determination whether that person's going to be trustworthy or not, or they're going to make their payments.
00:15:30:07 - 00:15:59:21
Simon Marchand
But then, because of the competitive landscape of certain industries — telcos being a very good example, where it's very aggressive campaigns to get those new customers and new subscribers — then you'll tolerate the thin file. You might ask for an upfront security deposit, but if you're doing it for a prepaid account, well you'll do that check, the prepaid account will be set up, and just for $50, then fraudsters have a real account that's now tied to that credit file they created.
00:16:00:01 - 00:16:22:10
Simon Marchand
And then, from there, they can start building credibility. They'll go to a credit card issuer that might be more tolerant to very high risk new customers that come with those 10 files, and then you get a small credit limit on your credit card. You can start start making purchases. And over the course of several months, you're starting to build credibility around an identity that in the first place didn't exist.
00:16:22:23 - 00:16:52:03
Simon Marchand
And, I think all companies that have that very high tolerance to risk and rely on very little information to open an account without doing all the validations they can: they all become enablers of creating synthetic identities that can then be used for some massive attacks with high credit limits, mortgages, loans. But, I think it starts in a lot of cases in how we rely on a credit file, and we make a determination or decision based on that.
00:16:52:17 - 00:16:58:29
Simon Marchand
Fraudsters know it, and they'll try to exploit that vulnerability as one of many.
00:16:59:15 - 00:17:24:25
David Heun
Well, it's called the fraudulent ghost, and you're scaring me, Simon. There's a lot going on. What about you, Geraldine? You talked quite a bit about the different types of things you're seeing coming in through your network. What is it that the banks are looking to make sure they tighten up; and have the gaps, so to speak, kind of checked and rechecked; and knowing what the third parties are doing; and all that kind of thing?
00:17:27:04 - 00:18:02:09
Geraldine Schmitt
Well, Simon's right in that it's very difficult across the industry to differentiate between a synthetic identity and a credit risk — an ordinary credit risk. And, the diagnosis of a synthetic identity is usually found from account behaviors, which is more reactive. So, in addition to that: adaptation between the industry not being congruent. So, there's a slow adaptation to new tools and references in order to detect synthetic identity fraud.
00:18:03:02 - 00:18:28:01
Geraldine Schmitt
But, one of the tools that we are employing now is the electronic consumer-based verification service, which is provided by the Social Security Administration. We did have a manual process prior where a consumer could fill out a wet signature form, and we'd send off the SSA-89 forms to the Social Security Administration, then they, days later, send back information to us and tell us whether or not information on an application is a match.
00:18:29:07 - 00:18:48:20
Geraldine Schmitt
And, instead of doing that, now, it's electronic, so it's more scalable. So, at the account application stage, there's more ability for issuers in particular, and lenders, to validate whether or not a name, date of birth and social security number matches from the get-go, as opposed to waiting for some kind of account behavior to detect it down the road.
00:18:50:26 - 00:19:10:16
David Heun
Okay, Steve, I want to ask you the same question but I want to put a little different spin on it for you to give a little more insight into this. When I think about synthetic fraud, the first thing that pops into my mind is the things we've been talking about. Somebody somewhere started this whole thing by having bad credit and wanted to create a new identity to get better credit.
00:19:10:16 - 00:19:30:08
David Heun
But then, more criminals got involved, put their thinking caps on, got more of a network going on, this kind of thing— Is that kind of what you saw happening through your career? Or is that a little bit too simplistic of a view? Is it a little more complex than that as you guys are trying to determine where these security gaps are and how all this thing gets going?
00:19:31:15 - 00:19:57:05
Steve Lenderman
Yeah, I mean, I think this fraud originated from individuals trying to repair credit or obtain credit. It happened in certain demographics, etc., and it was what I would say is individual gain. But, what we're seeing now, is the fraudsters have have really monetized this, and it's very organized, now. This is not a one-person operation where somebody is sitting in the basement with a hood on doing this.
00:19:57:15 - 00:20:24:10
Steve Lenderman
This is transnational, organized crime, on purpose, for the mere fact that they can go after millions of dollars. That's the big difference: It's matured from the early 2000s to now. It is complex; it is organized; and, it is invasive in every portfolio out there. And, as Geraldine mentioned as well, and as Simon mentioned too: the idea about the digital ghost, the data aggregators out there.
00:20:24:11 - 00:20:43:06
Steve Lenderman
Once you put the data into the aggregators, there's aggregators of the bureaus; it's anything from marketing sites, etc. Once I get that stuff into the systems, the aggregators then start validating that, and once again, we mentioned: We rely on, "Hey, they got a T-Mobile bill; they got a Verizon bill; they got an ADP pay stub; they got a Capital One card."
00:20:43:14 - 00:21:03:24
Steve Lenderman
We all rely on each other to self-validate, and that doesn't work. That's the problem right now, is: "Well, it looks good," but it's really not. The one thing the bad guys have that we don't, as you mentioned, is they're organized. They talk to each other, they communicate. We don't really have any kind of consortium. It's negative file or bad synthetics here and there.
00:21:03:24 - 00:21:16:23
Steve Lenderman
It's very difficult to put it together — for all the organizations to say, "Hey, we know this identity is bad." It's really hard for us to do anything about it. You really just can't make it go away. It's not like a delete button, and it all disappears. That's the problem for us right now.
00:21:17:29 - 00:21:42:10
David Heun
Okay. You know, the thing you hear a lot about is obviously trends in fraud, trends and security, but I sometimes wonder what qualifies something as a trend. I don't know if there's any specific type of trend that you guys are seeing that would be quantified by numbers, like a spike in certain types.
00:21:42:10 - 00:22:04:23
David Heun
Do you look at those things as, "Well, this is a new thing the bad guys came up with, and once we wrap our arms around this, they'll be on to something else." It's kind of hard to say. But, from the straight standpoint I'm asking the question: What— and I'll get started with Simon — What are the trends, now? What are you seeing that's a little bit different from what may have been happening just even six months ago?
00:22:06:00 - 00:22:31:29
Simon Marchand
So, if you look at what happened, let's say 18 months ago — I'll start there — one of the major trends from 2020 was how fraudsters shifted very heavily on identity theft, mostly. So, not fraudulent ghosts, not synthetic ID, but ID theft, because the pandemic just made it easier for them to monetize their activity, and Steve was absolutely accurate to say that this is a business.
00:22:31:29 - 00:22:56:17
Simon Marchand
For them, it's nine to five, and they want to make as much as they can in as little time as they can. So, as governments were putting out their new programs, fraudsters were incentivized to target those programs very heavily, and we have seen that in 2020, compared to 2019, we had in the U.S. about twice as many identity theft cases that were reported to the FTC.
00:22:56:28 - 00:23:15:07
Simon Marchand
So, quite a significant trend, because fraudsters could make money there. Now, what we're starting to see, as those programs are being phased out, and employment is going— er, unemployment rates are going back to the rates they were before, we see that fraudsters are going back to what they were doing before. It's not as easy to target governments.
00:23:15:07 - 00:23:39:03
Simon Marchand
They have to fall back to their known verticals or industries like financial sector and telcos where the authentication methods and identification methods might be a little stronger. So, we're seeing them go back to synthetic identities; they're going back to what they were doing before. They had a full year to create a couple identities that they could nurture and make sure they could build credibility around.
00:23:39:15 - 00:24:04:27
Simon Marchand
But, that steady growth of synthetic identity crimes — you know, it's been 8-12%, year-over-year since 8-10 years ago — and we're seeing that this keeps growing steadily. So, yeah, there was that focus or that shift towards stolen identities for a year, and now we're seeing them come back very, very strongly on synthetic IDs, because it's just easier,
00:24:04:27 - 00:24:11:16
Simon Marchand
and that's how you can fool the financial sector and telcos and the others more easily.
00:24:12:25 - 00:24:16:19
David Heun
Was there anything dramatically different or something you'd want to add to that, Geraldine?
00:24:18:18 - 00:24:43:11
Geraldine Schmitt
So from my point of view, I think that scams and payment frauds were huge over the past 18 months and where synthetic identities might come into play with those is the establishment of like fictitious work from home businesses utilizing synthetic identities or synthetic identity is being added on has fictitious employers in order to garner more benefits from the government.
00:24:43:22 - 00:25:16:01
Geraldine Schmitt
But he's right. I mean, Simon's right where synthetic identities didn't just go away but diminished because there was another opportunity for criminals to find more readily available money quickly and easily. But it hasn't gone It just kind of went dormant for a bit, but I do see it coming back quite heavily, I'd say, in 2022. And, the biggest losses involved with synthetic identities are coming from what we call assumed identities, and that's the use of identities that actually belonged or belong to someone.
00:25:16:01 - 00:25:41:00
Geraldine Schmitt
Perhaps they're homeless, or perhaps someone that came to the country temporarily for work or education, and have since left. Those are really hard to mitigate, because the identifiers with those identities are real, and there's paperwork to back it up, and they were issued by the Social Security Administration. It's just the victims that that information belongs to are either complicit or not readily available to report that a fraud has occurred.
00:25:41:21 - 00:25:50:24
Geraldine Schmitt
So, I would say that the majority of losses are really hard there, and I think issuers have a hard time detecting and mitigating a particular type of synthetic identity.
00:25:52:05 - 00:26:18:10
David Heun
Pretty good, yeah. Steve, I know that you've probably seen some trends as well, but I wanted to throw in this one that I was going to ask you anyway, because it just kind of piqued my interest and seems so crazy to me. This notion of creating a fake person to be on a company payroll. All of a sudden, you think you're paying— there's an employee on there that's a ghost and they're drawing money.
00:26:18:19 - 00:26:33:21
David Heun
That's how I view it; maybe it's not quite that simplistic. I'm just curious how that happens. Does the employer and the bank work together to sniff something like that out? Or, is it not happening as much as I think it might be?
00:26:34:29 - 00:27:06:07
Steve Lenderman
Well, I mean, it clearly happens, right? It's not a — I wouldn't say it's really a trend yet. Going back to the concept of trends: I think one thing we all see and know is happening is the idea of us going to all self-service, online interactions is no longer a trend. It's the norm. Even my parents now are digital banking on their phones, etc. We move that human element of going to a branch to actually validate that you are a real person, and move everything to a digital perspective, it's just data. That's what the bad guys love.
00:27:06:08 - 00:27:27:14
Steve Lenderman
They are just data, again. So, they can go in and apply to multiple banks and do all kinds of fun things, and it's all self-service now, and it makes it very, very difficult. And I think Simon and both Jody alluded to this as well: This thing with with Cares Act is just a giant red ribbon for the bad guys of free money.
00:27:28:07 - 00:27:54:08
Steve Lenderman
There was actually a recent case that was just indicted— er, actually tried in Florida, regarding PPP, with 700 synthetic identities used to basically substantiate an overinflated PPP loan application, and then those 700 identities were used as the mules to offload the payroll through the accounts. That's really what we're starting to worry about.
00:27:54:11 - 00:28:18:12
Steve Lenderman
All right, they're being added to the employee counts as employees, but they're mules, and the benefit of a synthetic mule is that they don't get caught. They actually do whatever you tell them to because you control them; they don't exist, right? And you're not worried about them going to law enforcement, etc. Right? So now the fraudster controls almost the entire movement of money from start to finish, and there's nobody there to really rat them out.
00:28:18:25 - 00:28:30:10
Steve Lenderman
That's what we're kind of concerned with seeing: this use of synthetics in an employee space. We just call them ghost employees, because that's what they are. They don't really exist, unfortunately.
00:28:31:16 - 00:28:53:14
David Heun
Yes, I know. It's it's it's a kind of a tempting thing that for the bad guys, they're probably really, you know, kind of bolster their their payrolls without having to do much work, just kind of get a fake identity in there. I think most everybody knows. But just in case, one, Steve referred to the Cares Act. He's talking about the coronavirus relief Act from last year.
00:28:54:13 - 00:29:14:27
David Heun
We talked about the damage the fraudsters can do, but I want to ask Geraldine: What's the mitigation process? What does your team have to go through once something's caught or you realize there was some potential damage or a problem here? What are the steps that you guys go through to handle this sort of thing?
00:29:14:27 - 00:29:22:02
David Heun
I have to imagine the smaller the bank, the tougher that would be.
00:29:22:17 - 00:29:48:08
Geraldine Schmitt
And it depends on the attack in the scheme. But banks can employ a lot of different processes in order to detect synthetic identity fraud. You want to use a mix of automated risk defenses and in real time or near time, in addition to manual overviews. So you can look at things and see if they're riskier, why they're risky to do some additional verification on those.
00:29:49:17 - 00:30:28:12
Geraldine Schmitt
You can employ behavioral risk-type defenses that have to do with payments or the monitization of accounts, which just means how cards are being used for spend, or the merchants that are associated with those accounts that are either collusive or shell businesses. Actually finding one account, as you mentioned, that is fraud, is actually helpful at that point, because then you can do link analysis and discover about what's connected to that particular fraud account and see if it's connected to anything else that you have on your books, or anything new that's coming in at the application stage.
00:30:28:12 - 00:30:52:00
Geraldine Schmitt
But banks do have a lot of ability to use multiple tools that are available to detect and mitigate synthetic identity fraud, and it's really gotten better over the years, and it just depends on what their risk level is. Some banks are are willing to take a little bit more risk, whereas other banks really want to try to mitigate everything.
00:30:53:09 - 00:31:19:18
Geraldine Schmitt
When someone comes forward and identifies that a fraud has occurred — for instance, if a child becomes 18, and they start applying for colleges, or their first car or whatnot — that gets detected by us, by other banks, and that can be quickly corrected at that point. But, getting to that point is the hard bit. Getting those people to be aware that their Social is being misused is the hard part.
00:31:20:08 - 00:31:40:16
David Heun
Right. Okay. I want to ask you this question, Simon, because I think it's probably in your wheelhouse to start with. I tend to think of Social Security numbers being the golden piece. You got that, you got the world at your fingertips. But, I'm starting to think that maybe they can get around even worrying about that, if they can steal some biometrics — if they can get a fingerprint scan or a voice.
00:31:40:16 - 00:31:52:19
David Heun
Number one, is that stuff easy to steal, can it be stolen? But also, what do you think about that? Has that become the main thing that they'd be trying to get their hands on?
00:31:53:25 - 00:32:20:00
Simon Marchand
Well, going back to that topic of how you mitigate: It's all where biometrics comes into play. When you want to mitigate synthetic fraud or synthetic identity fraud, you need to start asking yourself, "How do I identify the human being that's behind that transaction?" That's the most challenging part of everything. When we enter into an agreement with a new customer, we're not really checking who they are as a person;
00:32:20:00 - 00:32:39:12
Simon Marchand
we're checking what information they present to us. Is that information valid? Do they have the answers to all the questions we might be asking? When you start using biometrics, you're actually taking a step back from it. You're becoming data agnostic, and you're starting really to look at what information— Who's the human being providing me with all of that information?
00:32:39:27 - 00:33:02:17
Simon Marchand
The challenges of investigating synthetic identity fraud is: You'll always end up talking to your fraudster, and that fraudsters sitting on a chair with 100 different identities, and they get those calls, and they have the answers. When you identify someone's voice or someone's fingerprint or someone's face, it doesn't matter what information they're presenting to you. You're able to make the determination based on who's the human being:
00:33:02:17 - 00:33:24:21
Simon Marchand
Is that someone I've seen before, and is it someone that I've identified as an undesirable individual? Now, when you start doing that, it makes it extremely difficult for fraudsters to successfully use a synthetic identity. Within seconds of them trying to get into your organization, you're like: "No, you know, what, I don't care what you're presenting, I don't care how good your your credit score is;
00:33:25:02 - 00:33:50:02
Simon Marchand
you are not a person I want to let in because I've seen you before on 10 different accounts, and you presented 10 different identities. So, we just cut the service or escalate to a fraud team. Now, fraudsters might be interested to try and synthesize information. They might be interested in trying to hide their voice, for example, because they know that within two seconds of them making a call, we'll know they're a fraudster.
00:33:50:10 - 00:34:07:02
Simon Marchand
So, we see more and more fraudsters starting to look at those technologies to mask who they are more than we see fraudsters trying to steal what other people are because, when you start doing that, you get into a technological nightmare for them. Today, we hear a lot about deep fakes and deep voices and all that stuff,
00:34:07:02 - 00:34:33:03
Simon Marchand
but the reality of what the threat level is with that kind of edge technology: Fraudsters are not interested in using that. They don't use that successfully, regardless of what kind of media coverage we see. It's easier for fraudsters to just move on to an organization that doesn't use biometrics. So, what we see today is really fraudsters trying to go around biometric systems to hide who they are more than steal information from someone else.
00:34:33:11 - 00:34:49:20
Simon Marchand
And, the truth is, they can't hide who they are. If they use a vocalizer to mask their voice, we'll know it; we'll detect it. Obviously, if I tell a bank, the person calling in is modifying their voice, regardless of who they are, this is extremely suspicious. You might not want to do business with that person.
00:34:51:02 - 00:35:19:02
Simon Marchand
So, really, biometrics technology is not something that's easily beat by fraudsters, and that's why we see more and more banks and credit unions and organizations that need to rely on very high standards of security shift from their normal KBA process to biometrics authentication, because that's how you make sure that your fraudsters, whether they're stealing an identity or creating one, are not able to get through,
00:35:19:02 - 00:35:21:26
Simon Marchand
and you can tell right away that this is an undesirable individual.
00:35:23:11 - 00:35:49:17
David Heun
Okay, very good. Steve, I wanted to ask you: On the timing of some of this stuff — and I also want to get Geraldine's thought on this, too — I've always thought that one of the more scary things I've ever really learned about was: They build these synthetic identities, or fake identities; they open these accounts; they make payments; they act like a regular bank customer.
00:35:49:18 - 00:36:11:02
David Heun
They're just cruising along fine, and then boom. Eight months later, a year later, some scheme they're part of a network on — boom, all the money's out of all the accounts. That's always been— that's always bothered me, because you're thinking everything's fine, and then all of the sudden, it isn't. It's really a timing thing.
00:36:11:21 - 00:36:24:07
David Heun
What have you seen in that world, Steve? Is there a network out there that would do something like that, where at like 15 different banks, there's three or four different fake people waiting for a certain time for their boss to tell them: "Now's the time."
00:36:25:09 - 00:36:43:03
Steve Lenderman
Yeah, absolutely. Right. And so there's the short game right, left that they're synthetic one for six months to a year, right? Because it does take time to kind of nurture a synthetic identity, right? Once you've created it, you've got to make it valuable. Right? And so I have a synthetic identity. Am I vantage of like upwards of 500?
00:36:43:23 - 00:37:03:05
Steve Lenderman
Yeah, absolutely. There's the short game: let this— let their synthetic run for six months to a year because it does take time to nurture a synthetic identity. Once you've created it, you've got to make it valuable. So, if I have a synthetic identity, and my Vantage or FICO score is a 500, that's not very valuable. I'm going to get a $500 credit line somewhere. I may qualify for a very small loan, but the fraudsters aren't interested in $500 or a $1,000 loan. What they want is their synthetic identity become more like a real — as Simon mentioned — a real human, who is in their quote, unquote, 40s, or 50s, and has an 825 VantageScore
00:37:03:05 - 00:37:20:26
Steve Lenderman
and a FICO score, and their file is no longer thin. You want it to look just like a human would look. And so, they build these profiles out not just over years, but sometimes decades. And then, they will, in theory, bust those out. But even that, at least in my world I've been seeing, is kind of going away.
00:37:21:08 - 00:37:52:15
Steve Lenderman
What we're seeing now is almost like the offspring of synthetic identities. Now, you're using these very well-nurtured, built synthetic identities, and they're using those to help springboard new identities, as well. So, it's almost like another child — a ghost child is being born and being validated by another synthetic that looks legitimate because they've been around for 12 years and have lots of credit card payments and no late payments, etc. It's this vicious cycle feeding itself.
00:37:52:15 - 00:38:12:13
Steve Lenderman
That's really what honestly scares the you-know-what out of me because how do you figure that out? It's really, really tough. Biometrics are there, as Simon mentioned, and look at your digital device, fingerprinting, etc. But, the reality is, all that data looks legit, and it looks better than most actual consumers.
00:38:12:13 - 00:38:13:08
Steve Lenderman
That's the worst part.
00:38:14:18 - 00:38:32:26
David Heun
What about that, Geraldine? Do the banks share information when they spot something like this? Or is there a way to tell, "Well, we've seen this before," or, "This happened to my bank; has it happened to yours? Do you have this guy's cohort with you?" As Steve said, it's gotta be really hard.
00:38:34:20 - 00:39:04:04
Geraldine Schmitt
It can be, but there is a lot of cooperation. We do partner with the industry to mitigate fraud when we've seen — especially if some identity has already committed fraud against one bank, they'll reach out via working groups. We belong to lots of different professional organizations where information can be shared, and it helps to prevent from another bank, if that identity has not yet been used, to bust out an account.
00:39:05:00 - 00:39:35:13
Geraldine Schmitt
But, something interesting that Steve mentioned was the use of springboarding. You might also hear the word pollinating and the use of data to commit it. What's really interesting about that is that you've got an individual who's first to use a particular identity, and then when the actual person comes forward, they look like they're the criminals when they go to use their own accounts because an identity has been established for a decade or longer.
00:39:36:02 - 00:40:06:26
Geraldine Schmitt
So, the first-in-first-out kind of scenario, bad data in bad data out, is another term you might hear — a phrase you might hear in the industry when they talk about synthetic identities. But, the pollinating itself is a beast where you don't even have to have real identifiers or even apply for an account. All you need to do is add yourself on to an established account as an authorized user and allow that account to report to the credit bureaus
00:40:06:29 - 00:40:30:18
Geraldine Schmitt
after a cycle period. That in itself establishes a fictitious credit profile, and you do that enough times and over a length of time and then start applying for accounts with those identities, then you can start getting approvals with those synthetic identities, and it's a quantity game. So, you don't want to lose an identity if you're a criminal once you've established it. It depends on the ring,
00:40:30:18 - 00:40:52:27
Geraldine Schmitt
but there are some that will bust on the account immediately once to get an approval, and that's more of a quantity game; we'll apply for a lot of different synthetic accounts at a time in order to get value from that. Then, there are people that play that long game where you have an account with a synthetic identity, and you get credit limit increases over time, and you use it, and you make your payments, and everything looks normal,
00:40:53:06 - 00:41:30:27
Geraldine Schmitt
and then when you have enough established credit, you'll bust out all your accounts at the same time. That one requires a lot less effort in that— I mean, time effort — but you end up getting more value and more fraud money from an account you've established for a lot longer. So, banks do share information in order to prevent that from happening, and honestly, the only way that this gets mitigated is through cooperation as well as with partnerships that we make with law enforcement and legal entities across the industry.
00:41:31:29 - 00:41:49:17
David Heun
Yes, I would think that's a key part of this, because— I was going to run this question by you, in listening to the three of you — I get the impression that we're in pretty good shape in terms of thinking ahead to what the bad guys might try to do next. For a period of time, several years ago, there was just no way.
00:41:50:07 - 00:42:12:18
David Heun
Everything was pretty reactionary: This is all new stuff, and they were working 24/7, too, and coming up with new stuff all the time and just kind of driving crazy. Not that that's going to go away, but from your standpoint, Simon, your company's got to feel pretty good about where you're sitting in terms of thinking like these people and knowing ahead of time what they might try next. It wouldn't be so surprising;
00:42:12:19 - 00:42:20:06
David Heun
you would be able to react to it pretty quickly and stop it. But, then again, they're no dummies. They're thinking, too.
00:42:21:06 - 00:42:49:15
Simon Marchand
You know, anyone that works in fraud doesn't have to be worried to go out of a job anytime soon. It's the best career choice: It'll never end — sad to say it will never end. But, there are ways that collectively, as an industry, we can be one step ahead. We tend to be very reactive to fraud in general just because our organizations are not nearly as nimble and agile as a small group of criminals.
00:42:50:24 - 00:43:15:05
Simon Marchand
But yeah, from from our point of view, we're starting to be in exactly the right sweet spot where fraudsters have moved away from very heavily doing payment fraud. I mean, it's always going to be an issue: You're going to have those, card-not-present attacks, and you're going to have still some card skimming. But, as we adopt the chip card in the US — the EMV standard — this is kind of going away.
00:43:15:05 - 00:43:41:24
Simon Marchand
Now, we're in the perfect spot from a company perspective because what we allow to do— Steve was mentioning earlier how ineffective it can be to try to share information on the identity that was used by a fraudster because they're cycling through identities anyway. You can share a Social Security number; you can share a driver's license number, whatever. The risks are that once they attack you with it, they made their money; they're going to move to something else.
00:43:42:06 - 00:44:10:15
Simon Marchand
What we allow to do by using biometrics is to allow to share the information on the human beings committing fraud. So again, instead of sharing the information on one identity — instead of sharing the information tied to a known fraud case — we share the voice of the fraudsters, which means that if a fraudster is heavily targeting Steve's organization, that might be an indication that they're trying to set up identities to move on and attack a bank after that, or a telco.
00:44:11:11 - 00:44:34:15
Simon Marchand
Steve can share the voice of a fraudster with his peers using biometric technology, and his peers can pull those voices in their own system and start doing detection even before they're even hit the first time. So, that's the kind of collaboration that using biometrics information enables. You're not relying on waiting for a fraud to happen, and see if the information provided matches with information you already own.
00:44:34:24 - 00:44:58:04
Simon Marchand
You're really looking at: Who's that person? Oh, Steve and ADP have seen that individual before. They've told me that this is a fraudster's voice. Let me do step-up authentication with that person; ask them to go in a branch; make them jump through additional hoops because I'm pretty sure they might be the same human being that's going to use the synthetic identities they might have built somewhere else against my own organization.
00:44:58:14 - 00:45:16:29
Simon Marchand
So, I think collaboration is made easier, and I think it's the way to go. Moving forward, if we want to have a more meaningful impact on fraud as an industry, and as professionals, we have to collaborate, otherwise fraudsters will just be cycling through attack schemes. They'll be cycling through organizations, and we really don't want that.
00:45:17:08 - 00:45:42:27
Simon Marchand
It was mentioned earlier today: it's not just about them making a dent in our financial report at the end of the year. It's about what it enables on a much bigger scale. Identity theft is run by criminal rings — by professional organized crime, which can then fund transnational operations, which can then fund much bigger issues.
00:45:42:27 - 00:46:11:13
Simon Marchand
We have seen it in some big investigations that were made public. Ultimately, not doing anything or tolerating the loss because it's just cost of doing business, you're enabling something much worse. We've seen financial— er, terrorist activity financed through the proceeds of smaller crimes, like identity theft or synthetic identities. So, I think collaboration is key if we want to have that impact. We have to recognize our responsibility to do something,
00:46:11:22 - 00:46:16:13
Simon Marchand
but when we can share voices and share biometrics information, then we can be one step ahead of fraudsters.
00:46:17:12 - 00:46:45:07
David Heun
Very good. I think we're getting close to time here, but I just I just want to run this one by Steve because I would imagine you've seen some cycles of this sort of thing over the years. Can you pinpoint, or is it possible to pinpoint, any kind of area or timeframe in which you saw a turning point where we finally— now we're an even keel with these bad guys? Or, you know, they got to chase us;
00:46:45:07 - 00:46:56:25
David Heun
we're not chasing them anymore; we're ahead of them. Has that happened yet? Or did you see some things that happened over the past several years that you thought to yourself: "Oh, we're in pretty good shape now." We got about a minute left here, Steve.
00:46:57:20 - 00:47:18:16
Steve Lenderman
Yes. So I'll keep it short and sweet. I would love to say we're there. But, the real answer is: We will never be in front of the fraudsters. That is never going to happen. They're just too fast, too nimble. They don't have to play by the same rules we do. And, some of the rules that we have to play by, that were designed to protect consumers, they also use to protect themselves and the rings.
00:47:19:05 - 00:47:28:19
Steve Lenderman
So, we have to worry about privacy laws and being sued and all these things, and so our life is much more difficult. No chance we catch them ever.
00:47:29:27 - 00:47:51:13
David Heun
Yeah. How about you, Geraldine? Do you feel like the customers, the bank customers— I mean, people trust their banks, there's no doubt about that. Do you feel like they're still pretty sure that the bank has a grip on this and things are going to be okay? There might be a few bumps in the road, of course. But overall, the banks do a pretty good job of security.
00:47:51:13 - 00:48:28:01
Geraldine Schmitt
Overall, I would say that's true, yes. But we're in an age where every company is out there, amassing data — collecting and aggregating data. It's hard for financial institutions to differentiate between what is real and not real, and I feel like that's where we fall short but not necessarily where we're not looking. And, financial institutions, including my own, are very astute and willing to take on new tools in order to mitigate the fraud,
00:48:28:01 - 00:48:48:08
Geraldine Schmitt
so I definitely feel like we're making lots of movement towards the right direction, and customers definitely have trust in what we're attempting to do, and there's always going to be that fine line between fighting fraud and good customer service, and that's where— that's the crutch, right there, is to find that smooth transition between the two.
00:48:48:25 - 00:49:04:25
David Heun
Very good. I really appreciate the time, you guys. It was an excellent session. You're all brilliant at we you do. Keep doing it, and keep us safe. I'll remind the people to fill out that quiz if they haven't— er, poll if they haven't done so yet. Thanks so much for your time. It was really, really good time. Thank you much.
00:49:05:13 - 00:49:06:01
David Heun
Thank you much.
00:49:06:26 - 00:49:07:09
Steve Lenderman
Thanks everybody.
00:49:07:12 - 00:49:07:25
Simon Marchand
Thanks, everyone.
00:49:07:25 - 00:49:08:08
Geraldine Schmitt
Thank you.
Security & Fraud Highlight: Chasing Fraudulent Ghosts
December 1, 2021 8:55 PM
49:20