The law of unintended consequences states that our actions always have unanticipated effects – think of the old cartoon trope where plugging a leak causes another leak to pop up somewhere else. The move from magnetic stripe to EMV chips on credit cards is another example. This change has improved security and helped prevent point-of-sale credit card fraud. The unintended (but not at all unexpected) consequence of the switch was that fraudsters shifted tactics and began to focus on customer-not-present venues, both online and on mobile devices.
Synthetic identity fraud, first emerged decades ago and has recently become a prevalent method used by criminals. According to a report by the GAO it is defined as “a crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers (SSN) and names, to create identities with which they may defraud financial institutions, government agencies, or individuals.” According to officials at the US Postal Inspection Service, it one of the fastest-growing types of consumer fraud in the U.S. The Federal Trade Commission estimates that synthetic fraud costs American businesses $50 billion per year in fraudulent charges.
The dramatic rise in the occurrence of synthetic identity fraud and the losses associated with it are a consequence of EMV adoption. While counterfeit card losses are plugged, online identity fraud holes open up. It is also a consequence of improved fraud prevention tactics. KYC and CIP regulations have required businesses to verify identities, and credit/fraud monitoring services alert consumers to suspicious activity immediately. Instead of putting an end to fraud, however, the unintended consequences were that fraudsters began creating synthetic identities in order to avoid detection.
Data breaches have made it all too easy to obtain the SSNs fraudsters need to create a synthetic identity. Fraudsters then “nurture” the synthetic identity by opening accounts at different companies and building up their credit scores. The end goal is to create an identity that appears like a legitimate person with good credit in order to gain access to credit lines and loans. They then “blow out” the accounts when the identity and account have fully ripened.
The process of creating and building up a synthetic identity takes patience and time. One of the largest synthetic identity fraud rings involved 13 criminals and stretched across numerous states and countries. The fraud group created over 7,000 synthetic identities, maintained more than 1,800 “drop addresses”, and created dozens of shell companies to keep the fraud going. They stole at least $200 million. The group was broken up in 2013 when the FBI and the U.S. Postal Inspection Service arrested those involved.
Unintended consequences are inevitable. Criminals will always figure out a way to cheat the system and new fraud battle fronts will rise and fall. It is important that business’s fraud prevention strategies and tactics be able to quickly respond and evolve likewise. Given their reliance on real and fake data, preventing synthetic identity fraud depends on a business’s ability to analyze the layers of an identity to determine the person’s existence and intent. Relying on static matching simply won’t cut it because the identity information being verified is created by the fraudsters themselves (and considering how many identities have been compromised due to data breaches, static matching isn’t even enough to prevent regular identity fraud these days). To determine which are fraudulent and which are legitimate identities, businesses need a layered approach that looks beyond static attributes and analyzes location, email address, phone number, and more.