The fast-growing crime of synthetic identity fraud has become a crucial issue for fraud investigators, financial institutions, and governments.
During a well-attended webinar hosted last month by the Association of Certified Fraud Examiners (ACFE), The Anatomy of Synthetic Identity Fraud, I spoke with financial crime expert Michael Schidlow and Thomson Reuters’ Amanda DuPont about the rise of synthetic identity fraud, how financial institutions can take steps today to protect themselves and ways to mitigate this risk using technology.
At the end of the webinar, the audience had more than 100 questions for the panel. Here are several key questions and their responses:
1. Can synthetic identity fraud still occur if your organization compares personal data registered by the government (such as Social Security numbers, addresses, birth dates, etc.) against personal data presented by the customer?
DuPont: Synthetic identity fraud occurs when a fraudster takes some legitimate personally identifiable information — usually the type of information that is taken in a data breach, like Social Security numbers (SSNs) — and then combines it with some invented details, such as a date of birth, address, or email to create a synthetic consumer who can open a bank account, apply for a credit card, and apply for loans. This type of fraud can be perpetrated globally since it relies on consumer data.
For defeating this type of fraud, there is no special magic trick or a single set of tools that will simply stop this type of fraud. With synthetic identity fraud, details matter.
Because traditional account openings only key in on a few data points — like SSN, name, and date of birth (DOB) — they may wholly miss this type of fraud. To detect more sophisticated crimes, you need to look at more detailed data elements.
- Do all data points match in any single record? If so, how long has the “identity” existed?
- Does the name provided go with the SSN?
- Does the address, email address, or phone number appear to have been created within the last year?
Fraudsters can’t use a real person’s identity to match every piece of data out there. Today more than ever, stopping synthetic identity fraud requires verifying a “true” person to the full set of data elements and overlaying authentication procedures that this same “true” person presented the data to you (for example, in digital account openings).
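The checks listed in the answer above (do all data points match a single record, how long has that identity existed, does the name go with the SSN, were the address, email, or phone created within the last year) can be expressed as a screening routine run against the records a data aggregator returns. The following is an added example written for this page, not code from the webinar panel or from any vendor. The reference records, the applications, and the SSN values are constructed placeholders, the one-year "recent" window and the lookup structure are assumptions, and a real deployment would query an aggregator instead of the in-memory dictionary used here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the records a data aggregator (hypothetical) returns
# for a given SSN: who the SSN belongs to, when the identity was first seen,
# and when each address/email/phone was first associated with it.
# All SSNs and contact points below are placeholders, not real data.
REFERENCE = {
    "123-45-6789": {
        "name": "Jane Doe",
        "dob": date(1985, 3, 14),
        "first_seen": date(2004, 6, 1),
        "contact_first_seen": {
            "1 Example St, Springfield": date(2004, 6, 1),
            "jane.doe@example.com": date(2012, 2, 9),
            "+1-555-0100": date(2010, 1, 5),
        },
    },
    # An identity whose every data point was first seen a few months ago:
    # internally consistent, but it has barely existed.
    "987-65-4321": {
        "name": "John Roe",
        "dob": date(1990, 7, 2),
        "first_seen": date(2021, 1, 10),
        "contact_first_seen": {
            "9 Sample Ave, Shelbyville": date(2021, 1, 10),
            "john.roe@example.net": date(2021, 1, 12),
            "+1-555-0199": date(2021, 1, 11),
        },
    },
}


@dataclass(frozen=True)
class Application:
    name: str
    ssn: str
    dob: date
    address: str
    email: str
    phone: str


def screen(app, reference=REFERENCE, today=date(2021, 6, 1),
           recent=timedelta(days=365)):
    """Return a list of flags; an empty list means every data point matched
    a single long-standing record. The one-year window is an assumption."""
    flags = []
    rec = reference.get(app.ssn)
    if rec is None:
        return ["ssn_unknown"]
    # Does the name (and DOB) presented go with the SSN on file?
    if rec["name"].casefold() != app.name.casefold():
        flags.append("name_ssn_mismatch")
    if rec["dob"] != app.dob:
        flags.append("dob_mismatch")
    # Contact points: never seen with this SSN, or created within the window.
    for label, value in (("address", app.address), ("email", app.email),
                         ("phone", app.phone)):
        first = rec["contact_first_seen"].get(value)
        if first is None:
            flags.append(f"{label}_unknown")
        elif today - first < recent:
            flags.append(f"{label}_recent")
    # Even a fully consistent record is suspect if the identity is brand new.
    if today - rec["first_seen"] < recent:
        flags.append("identity_recent")
    return flags


# Constructed applications for the three situations the checklist targets.
LEGITIMATE = Application("Jane Doe", "123-45-6789", date(1985, 3, 14),
                         "1 Example St, Springfield", "jane.doe@example.com",
                         "+1-555-0100")
# Breached SSN combined with an invented name and fresh contact details.
SYNTHETIC = Application("Alex Nobody", "123-45-6789", date(1992, 11, 30),
                        "42 Madeup Rd, Capital City", "alex.nobody@example.org",
                        "+1-555-0100")
# Fabricated identity that was seeded and "aged" for only a few months.
YOUNG = Application("John Roe", "987-65-4321", date(1990, 7, 2),
                    "9 Sample Ave, Shelbyville", "john.roe@example.net",
                    "+1-555-0199")

if __name__ == "__main__":
    for label, app in (("legitimate", LEGITIMATE), ("synthetic", SYNTHETIC),
                       ("young", YOUNG)):
        print(f"{label}: {screen(app) or 'no flags'}")
```

The routine deliberately reports every failed check rather than stopping at the first one, because, as the answer notes, the signal is in the combination of details: a single fresh phone number is ordinary, while a name that does not go with the SSN plus an address and email that have never been seen with it is the pattern described above.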
2. Is there a reliable way for law enforcement to confirm that someone’s identity is legitimate?
DuPont: Yes, technology vendors are available to help solve this crime — both for U.S. and international persons and businesses. For example, partnering with data aggregators that can validate that the subject’s data exists in records (such as driver’s license records or credit bureau records) as well as data vendors who can validate the digital identity and behavior matches to the subject (biometrics, IP addresses, and phone location, for example).
3. Are SSNs an outdated method of identity verification? Should trade organizations like ACFE be advocating for more advanced means of personal identification?
Schidlow: The problem with SSNs is that they are a bell that cannot be unrung. While many organizations (such as corporations, academia, etc.) have shifted away from the use of SSNs as a primary identifier for registration purposes, many others still utilize it. So once a fraudster has enough supplemental information about a victim, they can either maneuver past any non-SSN restrictions or use that information to obtain a victim’s SSN, and the vault has once again been opened.
Knowing that SSNs are routinely compromised, the broader consideration is to have organizations add this risk as a factor into their risk assessments and adapt controls to better combat it. Many organizations still rely on single-factor authentication and static security protocols because a decade ago a security consultant suggested using “mother’s maiden name” as an access question. Fast-forward to 2021, and that information is either publicly available or can be found through even the gentlest of doxing or social engineering by a hacker.
The advocacy should be turned in favor of multi-factor authentication along with dynamic and subjective security controls (for example, passwords, security questions, and soft-tokens). And yes, going forward, stop asking for an SSN unless you need it and can encrypt it in motion and at rest.
4. Are fraudsters using mail theft to obtain personally identifiable information?
Schidlow: There is a lack of awareness as to just how little data is needed by a fraudster to steal an identity or create a new, synthetic identity. Convictions for mail theft represented 45% of all convictions by the U.S. Post Office Inspection Service (USPIS) for 2018, and reports of mail theft increased by about 600% between 2017 and 2020.
Once a bank statement is intercepted, that statement can verify the signers on an account, a home address, their account structure at that bank, where else the victims might bank, and numerous other data points. The frightening component of this is that those data points are not only criminally misused and then resold to other fraudsters but can then be reshaped into a synthetic identity, and then the process begins again.
That’s why theft of mail remains a critical focus of agencies like USPIS, and therefore a significant risk to consumers.
5. How can a fraud audit uncover synthetic identity fraud?
Schidlow: As far as certain data points are concerned, there should never be changes to a retail customer’s date of birth (DOB) or tax ID number. So, in terms of low-hanging fruit, first look at whether there are controls in place to escalate changes or attempted changes to those data points. Second, in terms of risk assessment, see whether there are automated preventative or even manual detective controls in place. These can help you find “horseshoe” cases, meaning those where the tax ID or other static data elements are close enough to another customer’s data, thus suggestive of synthetic identity fraud.
Separately, under the ever-expanding scope of “other illicit activity,” the question that auditors should be thinking about is whether there are controls and processes in place, such as a monthly reconciliation for unusual changes to dynamic customer data fields, including changes in online banking access, phone numbers, or addresses, and whether replacement cards had been issued.
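The three audit controls described in this answer (escalating any change to a customer’s DOB or tax ID, finding “horseshoe” cases where a tax ID sits close to another customer’s, and a monthly reconciliation of unusual changes to dynamic fields such as online banking access, phone, address, and replacement cards) can each be run over a customer master file and a change log. The code below is an added example for this page, not the panelists’ own tooling or any product. The customer records, tax IDs and change events are constructed; the definition of “close enough” as a small count of differing digits and the threshold of two dynamic-field changes in one month are assumptions an auditor would tune.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Fields that should never change for a retail customer (from the answer).
STATIC_FIELDS = {"dob", "tax_id"}
# Dynamic fields the monthly reconciliation watches (from the answer).
DYNAMIC_FIELDS = {"online_access", "phone", "address", "card_replaced"}


@dataclass(frozen=True)
class ChangeEvent:
    """One row of a constructed customer change log."""
    customer_id: str
    when: date
    field: str
    old: str
    new: str


def static_field_changes(events):
    """Low-hanging fruit: every change (or attempted change) to DOB or tax ID
    should be escalated, so simply return all of them."""
    return [e for e in events if e.field in STATIC_FIELDS]


def digit_distance(a, b):
    """Number of differing digit positions between two formatted tax IDs.
    Using digit distance as the 'close enough' measure is an assumption."""
    a, b = a.replace("-", ""), b.replace("-", "")
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def horseshoe_pairs(customers, max_distance=1):
    """Pairs of distinct customer IDs whose tax IDs are identical or differ in
    at most max_distance digits: the 'horseshoe' cases suggestive of a synthetic
    identity built from a real one."""
    hits = []
    for (id_a, tid_a), (id_b, tid_b) in combinations(customers.items(), 2):
        if digit_distance(tid_a, tid_b) <= max_distance:
            hits.append((id_a, id_b))
    return hits


def monthly_reconciliation(events, year, month, threshold=2):
    """Customers with at least `threshold` dynamic-field changes in the given
    month. The threshold is an assumption; the point is to surface clusters of
    changes (new phone, new address, replacement card) that land together."""
    counts = defaultdict(int)
    for e in events:
        if (e.field in DYNAMIC_FIELDS and e.when.year == year
                and e.when.month == month):
            counts[e.customer_id] += 1
    return {cid: n for cid, n in counts.items() if n >= threshold}


# Constructed customer master: ID -> tax ID. All values are placeholders.
CUSTOMERS = {
    "C001": "111-22-3333",
    "C002": "111-22-3334",   # one digit away from C001
    "C003": "555-66-7777",
    "C004": "555-66-7777",   # identical tax ID on a second customer record
}

# Constructed change log for April and May 2021.
EVENTS = [
    ChangeEvent("C001", date(2021, 5, 3), "phone", "+1-555-0100", "+1-555-0177"),
    ChangeEvent("C001", date(2021, 5, 4), "address", "1 Example St", "42 Madeup Rd"),
    ChangeEvent("C001", date(2021, 5, 5), "card_replaced", "", "reissued"),
    ChangeEvent("C002", date(2021, 5, 10), "dob", "1985-03-14", "1990-03-14"),
    ChangeEvent("C003", date(2021, 4, 2), "phone", "+1-555-0150", "+1-555-0151"),
    ChangeEvent("C003", date(2021, 5, 20), "online_access", "enabled", "reset"),
]

if __name__ == "__main__":
    print("static-field changes:", static_field_changes(EVENTS))
    print("horseshoe pairs:", horseshoe_pairs(CUSTOMERS))
    print("May 2021 reconciliation:", monthly_reconciliation(EVENTS, 2021, 5))
```

Run against the constructed data, the first check escalates the DOB change on C002, the horseshoe check pairs C001 with C002 and C003 with C004, and the May reconciliation flags only C001, whose new phone, new address and replacement card all arrived within three days, while C003’s single access reset stays below the threshold.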