Identity theft has been a concern for individuals for decades, reaching new heights as we began increasing our use of the internet for sensitive transactions. While identity theft is a major issue, a new form of identity fraud has been steadily increasing in recent years: synthetic identity fraud.
Synthetic identity fraud is a problem that plagues financial institutions, particularly those in the United States. The US is particularly hard hit by synthetic identity fraud due to our reliance on static forms of personally identifiable information, such as Social Security Numbers. These forms of static PII are easily stolen in data breaches, along with other information that can be readily used to create a synthetic identity. Healthcare, financial aid, and telecommunications are other industries that are commonly targeted by synthetic identity fraud.
What is a synthetic identity?
A synthetic identity is a realistic looking identity created using a blend of real and fake information. Social security numbers are relatively easy to steal and are leaked in data breaches on a somewhat regular basis, and are a common form of valid data used when creating a synthetic identity.
Creating a synthetic identity involves using a real social security number, often one from populations less likely to notice: the elderly, children or the homeless. The theft and use of children’s social security numbers is particularly problematic and poses long term challenges, as parents don’t typically monitor children’s credit scores or other uses of their identity. Fraudsters end up able to use a child’s social security number for years, and parents or the child themselves won’t notice until 10 – 15 years after the damage has been done.
Synthetic identities are more than just a stolen social security number, however. They’re also a blend of real looking, but ultimately fake, information, sometimes blended with other legitimate information such as date of birth or addresses. Fraudsters may often mix and match legitimate data, using real names and social security numbers, but a different (legitimate) address. This use of real information, expertly blended, means there’s rarely enough of something ‘off’ to trigger traditional fraud detection methods.
Why traditional fraud detection isn’t catching this type of fraud
Most fraud detection was set up to catch traditional identity theft or stolen credit or debit cards. Traditional identity theft often relies on the victim flagging the theft or fraudulent transactions in their account. Any fraud detection taken proactively by banks also focuses on protecting individuals rather than determining identity legitimacy; transactions that are out of the normal pattern, or not in an account holders’ local area, are often flagged as potential fraud.
Synthetic identity fraud doesn’t have a victim in this sense, so this method of detection is entirely ineffective.
Instead, synthetic identities are set up to look as legitimate as possible. They apply for credit cards, establishing a record and legitimizing their existence, even if the cards are initially denied. When they finally do get approved for an account, they make small purchases, pay them off, and otherwise act utterly respectable. There’s no fraudulent transactions; the entire account belongs to an identity that isn’t real.
In fact, with small transactions, regular bill payments, and otherwise good behavior, these synthetic identities look like ideal and highly valuable accounts. As a result, they’re awarded benefits, such as increased lines of credit, which only makes the later fraud even costlier.
And the eventual fraud always comes, usually in the form of “busting out”.
Busting out is when the fraudster decides to max out all associated accounts with a given synthetic identity and has no intention to pay. Occasionally, a bold fraudster may even file a claim of being the victim of identity theft themselves, wiping out the recent debt and allowing them to continue using the account. Even where the fraudster simply maxes out the credit lines and vanishes, there isn’t always investigation into the unpaid accounts, as some financial institutions write off the accounts as bad debt due to the account still looking legitimate. There may be millions or billions of dollars in “bad debt” that is actually due to synthetic identity fraud that just hasn’t been investigated.
Prevention is the Best Cure
Because it is so difficult to identify a synthetic identity once it exists in a system, the best way to prevent the damage is to prevent them from getting into your systems in the first place.
An identity proofing process that is rigorous without being frustratingly difficult ensures that your system only allows real humans to create accounts. Your identity proofing process also needs to incorporate methods of identification that can’t be fooled by a combination of data that looks close enough to be legitimate.
Using biometrics, as Q5id does with our identity proofing app, requires that a given individual uses their real readings to compare against a form of government issued ID. While creating a fake ID is certainly possible, the effort to do so and create one with legitimate enough data to pass verification is substantial. Combine that with also ensuring the face on the ID is the same as the person providing their live facial scan, and the challenge of creating a suitably convincing synthetic identity begins to look impossible. Even if a synthetic identity is successful, a face can’t be enrolled twice, so the fraudster would be unable to create more than one identity in the system.
The number of challenges involved in attempting to fool an identity proofing flow that includes just one biometric measurement (much less the 3 types used when enrolling with Q5id) makes the system difficult enough that nearly all fraudsters would look for easier pickings. When using Q5id for identity proofing, not only are multiple biometrics measured for later authentication purposes, but a live adviser is on hand to review new users in real time and ensure liveness of the user enrolling.
On the back end, the technological hurdles preventing synthetic identities from being mistaken for real ones are extensive. To the end user, however, the process is fairly quick and easy, able to be completed in just 3 minutes.
By making it easy for users to enroll as verified, authentic identities in a highly secure system, while simultaneously making it nearly impossible for fraudulent identities to enroll, Q5id helps financial institutions prevent synthetic identity fraud.
For more details and to find out how to incorporate Q5id’s identity proofing capabilities into your business’s new user enrollment process, email us at [email protected].