Synthetic identity “creation” - a tsunami of problems for financial institutions

06 March 2020 00:00 by Dawid Jacobs

By Dawid Jacobs

Identity Management Specialist, on behalf of LexisNexis South Africa

Synthetic identity “creation” - a tsunami of problems for financial institutions

Synthetic identity theft, or rather synthetic identity creation, has become a major breakthrough for fraudsters. The days of having to find a ‘mark’ with a good credit standing who ticks all the boxes for stealing their identity in order to defraud financial and other institutions, are fast disappearing. Syndicates have evolved in their methods of theft and fraud, safe in the knowledge that they can neither be identified, nor caught, and never be prosecuted.

Synthetic identity creators understand identity theft. These syndicates know how every preventative measure put in place to prevent identity theft works, as well as how to create new avenues to circumvent and even nullify preventative solutions.

The one factor they have recognised as the single point of failure in almost every new system, is the disregard of 100% corroboration of the existence of a real-world human being in the creation of a cyber-world digital identity. As this critical part of physically proving an identity (KYC principles), has been removed and replaced by systems allowing for effortless ‘self-registration’, it has opened the gates for syndicates to create as many synthetic identities as they want.

Synthetic identity theft was responsible for 5% of charged-off accounts and up to 20% of credit losses – or $6 billion in 2016 alone, according to the Auriemma Consulting Group

There have been alarming increases in the number of hacks to obtain, or rather harvest, identities over recent years. Many of these harvested identities are used to create a synthetic identity. In the USA the Social Security Number (SSN) of any person, from a child to the elderly or deceased can be used to create a synthetic identity – just add an address, name and other identifiable personal information to the SSN and a new identity is created.

How true synthetic identities are created

However, the true synthetic identities being created by syndicates are being created out of thin air – without the need to have any SSN or other details pertaining to any human being.

All the syndicates have to do is to create an identity through any of the many companies offering identity authentication solutions with self-registration.

  • These identity authentication companies are used by many financial and other institutions in their KYC systems. The financial institutions, especially mobile banking systems, believe that there is no need to prove the existence of a human being in the real-world to whom this identity must belong. They believe that gathering personally identifiable information (PII) from various ’trusted sources’ to prove a person’s existence, is more than ample evidence of proof. This is a very dangerous delusion.
    • These solutions offer a quick and easy self-registration for any person onto their systems, using a selfie for facial biometrics, or a voice biometric, or any of the biometrics available on most smart devices, such as fingerprint/ facial/ iris biometrics, to register their identity onto the system.
    • Thus, anyone can register with these identity authentication’’ solutions as whoever they want to be and as many times as they want, without having to prove that they are a real-world human being.
  • Identity authentication solutions use ’trusted sources’’ such as motor vehicle registration databases, national citizen databases, other utility accounts and one of the most dangerous databases, the credit bureaus, to collect PII of a person; to build a synthetic identity and to then ’verify’ a new digital identity on their systems. The syndicates have infiltrated these databases used to collect PII and have compromised them with false information. These building blocks assist in creating synthetic identities.

Gartner states: “Data breaches have led to rampant compromise of personally identifiable information (PII). As a result, correctly reciting PII is worthless as a stand-alone method of corroborating a person's claimed identity.”

Many of the synthetic identity “creator” syndicates currently, do not even bother to infiltrate the ’trusted sources’’ databases to gather PII. They simply apply electronically for a loan at a financial institution with the synthetic identity they have created on the identity authentication solution to start the process of creating a credit profile at the credit bureaus. As the credit bureau creates a profile of the ‘’person’’ applying for credit without being 100% sure if this ‘’person’ is a real-world human being, the process to defraud any institution using a credit profile, can begin.

How true synthetic identities are nurtured

Once the identities are created, these synthetic identity creators or fraudsters, typically nurture the synthetic identities until they mature. They open accounts at different organisations, check their credit scores regularly, and choose the perfect time to exploit the accounts to the maximum degree possible.

In 2013, federal authorities shut down a massive synthetic ID fraud scheme that created 7,000 false identities to obtain more than 25,000 credit cards that resulted in more than $200 million in confirmed losses

Imagine a syndicate “creating” 100,000 Synthetic Identities out of thin air and hitting a major financial institution or credit facility with a massive Sybil like attack borrowing $ 100,000 per synthetic identity…

$200 million losses will increase into $ Billions, and, no one will be caught and no money will be recouped

How true synthetic identities are used to commit fraud

Synthetic identity creators rack up debt with no intent to repay, leaving lenders with massive losses and no true customer to chase in their collection and recovery efforts. Because synthetic identities behave like legitimate borrowers – establishing a history of responsible use and prime credit scores before defaulting on their loans at the credit bureaus and financial institutions – they will be impossible to identify. As a result, their accounts evade detection and the charged-off balances are logged as a credit loss instead of fraud. Those balances are exponentially higher than a typical charge off, averaging more than $15,000 per attack. Again, imagine 100,000 such attacks all at once.

Synthetic identity fraud is a growing problem not only in the losses which are incurred, but also in futile operational expenses, especially within lenders’ collections departments, which are investing time and money working on debts that will never be repaid. Most financial institutions rely on what is dictated to them by governance principles. Many of these principles are outdated and, in most cases, the financial institutions comply by ticking the box simply to show compliance. Most financial institutions may not even have best-practice processes in place to verify an applicant’s information.

How to combat synthetic identity fraud

Synthetic identity theft is the fastest growing type of ID fraud and its occurrences have surpassed true-name identity fraud. Synthetic identities could currently account for 80-85% of all identity fraud.

The only way to nullify this fast growing, out of control problem and to prevent a synthetic identity from being accepted as a legitimate identity, is to implement strict rules which should include:

  • No digital identity created must be allowed onto any system if there is no forensic linkage proof that the digital identity belongs to a real-world human being.
  • No identity verification system allowing self-registration by individuals onto their system must be trusted, nor used as a trusted source of identification, unless they can forensically prove that the digital identity represented on their system belongs to a real-world human being and that there is only that single digital identity of such a human being on their system (an individual can have only one referenceable identity on an identity verification system).

To pro-actively stop the arbitrary creation of synthetic identities by syndicates and other fraudsters, a real-world human being must be physically linked to the cyber-world digital identity. This means that before a digital identity can be accepted as being a true reflection of a real-world human being, there must be a 100% provable linkage between the existing human being and that of the digital identity. This can only be done with the real-world human being registering their identity with forensic protocols and forensically accepted biometrics on a secure identity management system.

A digital identity can only be created once the individual (real-world human being) is enrolled onto an independent identity management system by an authorised operator. A complete and accurate chain of custody evidence (physical and digital audit trials) protocol must be in place, which shows and proves the process from human being to digital identity.

You are first a Human Being before you are a Digital Identity

Related Posts