The battle against fraudsters in the digital era has evolved into a never-ending arms race. The tools we use to detect, score and prevent fraud — particularly card-not-present fraud in digital transactions — have improved exponentially in the last half-decade. Unfortunately, the more the good guys refine the defensive tools necessary to lock out fraudsters, the more the vast cybercrime ecosystem evolves the offensive tools they use to force their way in.
And make no mistake, as GIACT’s Chief Experience Officer David Barnhardt told Karen Webster in a recent conversation — cybercrime is not the province of individual actors hiding out in basements attempting to do quick digital snatch-and-grab. These are sophisticated criminal organizations that are methodical, patient and extremely proactive. As of today, 85 percent to 95 percent of synthetic fraud identities are easily slipping past risk detection systems that are failing to flag them.
“They are doing the same things we are: always evolving their tactics to meet the newest technology and offers out there,” he noted. “Whenever a new thing in security comes along, they come out and see if they can beat it. When I was working in banking, we knew for certain that with any new initiative we rolled out, we would be attacked for six months and would have to tweak our approach every day. What they’ve learned is that they don’t have to rob a bank in person — they can do it with malware, make more money and get away with it.”
And the tactic du jour as the sun is setting on 2019, Barnhardt said, is synthetic identity fraud, a form of attack that is a known commodity in the risk management world, but not necessarily a well-understood one, as evidenced by the fact that it has been so over the last several years.
Synthetic identity fraudsters have gotten incredibly clever and creative in how they are designing and getting away with their crimes, noted Barnhardt — which means the onus is on those who fight them to get even more creative in their strategies.
The Rising Threat of Synthetic Identity Fraud
In short, synthetic identity fraud occurs when a fraudster takes some legitimate personally-identifying information (PII) — usually the type of information that is taken in a data breach, like a Social Security number — and then combines it with some invented biographical details to create a synthetic consumer who can open a bank account, apply for a credit card, apply for loans and, of course, purchase things.
Fraudsters like synthetic identity fraud much better than its counterpart, true-name fraud (which is when a fraudster simply hijacks a real consumer’s identity), because it pays better.
According to GIACT’s data, Barnhardt noted, synthetic fraudsters made off with some $6 billion in 2016 alone. And that number is going up — mainly because there is a lot more good consumer data out there to buy up and build into fraudulent personas. More than 446 million consumer records were exposed in data breaches in 2018, an increase of 126 percent compared to 2017, according to a 2018 Identity Theft Resource Center report.
But even more worrisome, said Barnhardt, is how much better cybercriminals are getting at this type of fraud. They are establishing synthetic identities, opening bank accounts and cards, and then acting like legitimate customers. They make purchases in line with normal consumer spending patterns, and they pay off their cards and bills on time and in full. Instead of immediately popping off with big fraudulent actions, which is what security professionals have learned to anticipate, they are instead taking the time to mature their fake customers and help them build stronger credit scores. Six months or even a year down the line, they will ask for a higher credit limit or a larger loan – and then the time comes for the fraud to bust out.
“The average payday for a synthetic fraud is around $15,000 — and so the more they succeed, the more they can afford to be patient, because they have plenty of working capital to invest in beating a lot of the prevention systems that are out there today,” said Barnhardt.
Defeating the Fraudsters
There is no special magic trick or a single set of tools that will simply banish fraudsters, Barnhardt told Webster — but there are better and worse ways to go about fighting the good fight. The most important thing is to know fraudsters are thinking outside the box with the goal of getting one step ahead of the tools to protect against them — which means the industry needs to use creative approaches to get a precious two or three steps ahead of the fraudsters.
“In the case of synthetic identity theft, the devil is in the details,” said Barnhardt. “Traditional solutions only key in on a few data points. To detect more sophisticated crimes, you need to look at more detailed data elements.”
In GIACT’s case, he noted, that means checking to see if the details match up. Does the name provided go with the Social Security number? Has the person associated with this SSN been reported deceased? Does their email address or phone number appear to have been created in the last six months to a year?
Moreover, Barnhardt noted, it is becoming increasingly important for all players in the commerce ecosystem to understand that customer data management is a whole lifecycle process, not something that only happens at onboarding. No matter how good an onboarding process is, if the fraudsters find it easier to break in further down the stream, the solution won’t prevent fraud so much as it will merely change where that fraud is occurring. A holistic approach, he said, is geared toward making the chain hard and unprofitable to infiltrate at any point.
The fraudsters have advantages, Barnhardt noted. Even if the data breach level is reduced to zero in 2020, customers would still be posting useful data on public social media sites, which fraudsters could build into functional profiles with which to commit synthetic fraud.
But what they can’t do, said Barnhardt, is beat every piece of data out there. They can’t force things to match that simply don’t add up, like using a deceased customer’s Social Security number to obtain an installment loan. The key, Barnhardt told Webster, is simply knowing when and where to dig deeper and look more broadly.
“There is no silver bullet — just data and the knowledge that there are a lot of things we need to continually evolve to keep the fraud operators out,” he said.