Synthetic Identities - The Bank Killer
Before we begin, I would like you to cast your mind back to a simpler time, where people were able to leave their homes without cowering in fear. Where we could attend things like conferences and meetings. Do you remember going to those, and shaking hands with other attendees whilst telling them your name without immediately squirting sanitiser on your hand? This ritual of shaking hands dates back to the 5th century BC where the Greeks shook hands to indicate peace and that they were not carrying a concealed weapon. The act of introducing oneself came to prominence in the 1300s as a necessity as people frequently shared first names. An introduction would allow a person could distinguish themself from others who shared a common name. As a result, one might introduce himself as Alred, Son of Athelstan the monk of Lindisfarne. This provides the audience with as much information as possible to enable them to pinpoint the individual’s identity. The fact that this practice was developed and that it has survived over 700 years shows the importance attached to identifying ourselves and at the core of identifying ourselves, is a name. As we mentioned in our article on the evolution of fraud, it is this same importance that has firmly put identity theft in crosshairs of fraudsters.
The link in identification and fraud.
You may look at your identity as a what separates you from everyone else but to a fraudster, your identity also comes with a whole host of other information such as phone numbers, email addresses and credit card numbers. Therefore, acquiring your identity means that they would have access to this information, enabling them to make large purchases or even worse, taking out loans in your name. This is possible due to the digitization of our identities or what is known as Personal Identifiable Information or PII. This information is stored by payment providers/internet browsers and even some websites. Furthermore the proliferation of Single Sign On (SSO) services by social media companies means that a fraudster would only need one piece of compromised PII to gain access to the rest of an individual’s digitized identity.
If we were to consider that in addition to the appeal of high-value PII, some organizations, have weak data security infrastructure and processes or flat out sell data to other companies for ‘business development’ reasons, it is no surprise that PII is the fuel to a fraudster’s engine. This is not to say that the digitization of identities is a recipe for disaster.
As a result of the steep climb in the number of people affected by identity theft, an unpredictable series of events occurred. News reports about retirees who have 'outstanding taxes’, or people who ‘won competitions’ and ‘love interests’ became commonplace with many people losing their life savings due to identity theft. These reports inadvertently educated the public and introduced a degree of scepticism in their online interactions. This, in turn, has lead to increased regulator scrutiny towards PII resulting in new rules on data protection being introduced.
Furthermore, organizations are leveraging the online identity verification services by credit bureaus like VEDA, Dun & Bradstreet and CTOS to enable e-KYC with minimal PII input. These steps create difficulty for fraudsters and as previously mentioned, the one thing fraudsters hate is the difficulty.
The new threat.
These steps forced fraudsters to rethink their strategy in order to continue their heinous acts with minimal disruption from regulators, organizations and people. It was during this time, maybe in a fraudsters townhall that they realised if they can’t use people’s identity to defraud they should just create identities themselves. And so it began. Fraud conglomerates began playing the long game, creating fake identities knowing that in the long run, these ‘people’ would enable them to abscond with millions of dollars.
How it works.
For a Synthetic identity to be successful, it needs to follow the same method of money laundering. The identity first needs to be created and placed into a system. Fraudsters realised that instead of trying to steal all the information necessary for identity theft, they just needed one bit of information - an unused identification number. This can be an IC number in Malaysia, a Social Security number in the US or even a driver’s license number in the UK. This information is normally stolen from the most vulnerable of society’s people, the homeless, 16 to 20-year-olds and the elderly. Once this information is obtained, the fraudster combines a made-up name and address to the ID number. The next step is to make the created person seem as normal as possible. This can start with something as simple as getting a utility bill issued to the created person like an internet bill. Now, the created person exists, they need to appear to be a regular person with their identity layered into the rest of the ‘grid’. So the created person now ‘rents’ a room and ‘gets a job’. On paper, this created person seems like a completely ordinary person.
Then, the created person needs to be left alone and with time, their identity will carry with it more credibility and heft. After a few months or even years, the fraudster can put these profiles to work. Either by applying for ‘quick approval’ loans or credit cards or applying for small business loans to start their own home business. These tend to get approved and shortly after, the banks see these turn into bad debts and no one can be held accountable as the person does not exist.
At the core, this kind of fraud exploits the system designed by financial institutions as safety measures. The identities created have created just enough of a presence that they look like ideal customers to banks. The online identity verification services will return a positive result as the created person has utility bills that go to the same address on file. These same providers return favourable credit scores as the created person pays bills on time with minimal delinquencies. Therefore, on paper, the financial institutions have found themselves the perfect customer.
This scenario might seem far fetched but in 2016, financial institutions in the US lost $6Billion to this exact modus operandi1. In recent years, this type of fraud has become one of the most common yet most difficult to detect.
Of course, there are a few elements of truth involved in this fraud that we will not be discussing to avoid turning this into a ‘how to commit’ guide instead of an educational post.
How to stop it?
This question has been posed by many bankers around the world and yet, there isn’t a solution that is has proven to be effective. The reason behind this is simple - the entire system is designed to bypass all the standard security checks. The name of the game here is to create a few more barriers that could dissuade or discourage fraudsters from attempting the usage of synthetic identities.
Therefore, banks have to accept that part of their solution would be introducing more complex and intrusive ID checks. These might include capturing biometric information or using facial recognition technology. These should also include more basic verifications like phone calls and checks against existing databases. The banks would need to develop their solution based on two elements: their risk appetite and how much they believe in the theory of balance. Alternatively, they can use Dicorm. Dicorm will work with the bank to understand their needs, and to create a system that suits their business goals. Check out our packages now or contact us for more information.