Synthetic ID fraud costs banks $2 billion a year. The bad guys are so crafty that the credit bureaus are unwitting accomplices to the fraud. Traditional methods of catching ID theft fall short, as Naftali Harris, co-founder of SentiLink says in the latest Monday Conversation – and what we need now, he contends, is an ID bureau that separates good consumers from the fake ones.
Synthetic fraud is a brave new frontier in bilking billions, as commerce goes increasingly online. Merchants, lenders and banks never see the person on the other side of the transaction, and proving that someone is, well, legitimate is becoming more difficult.
To that end, SentiLink said late last month that it had garnered $14 million in Series A funding. The money is being earmarked across a number of initiatives, designed to combat synthetic fraud.
Some of that money — supplied by investors such as Andreessen Horowitz, Nyca Partners and Max Levchin, founder and CEO of alternative lending startup Affirm — will go toward building an identity bureau, which will help lenders and financial firms verify identities. It also comes in tandem with the launch of the SentiLink API, billed as a real-time risk modeling and scoring system, focused on blocking synthetic identities.
In the latest Monday Conversation, Naftali Harris, co-founder of SentiLink, told Karen Webster that these efforts could represent a one-two punch against synthetic fraud. Harris and Co-founder Max Blumenfeld hail from Affirm, where the duo helped build the company’s risk operations — and where Harris, as a data science manager, gleaned first-hand knowledge of synthetic fraud.
What It Is And How Much It Costs
To fight a battle, it helps to know a bit about the opponent. Synthetic fraud is different from what might be thought of as “traditional” identity fraud, where real identities and data are hijacked and used to make unauthorized transactions. As Harris noted during the discussion, synthetic fraud essentially centers around creating a person (a fictitious one, in this case) — where bad actors can and do use fake names, Social Security numbers or birthdates, and build credit histories.
There’s a long gestation period, he told Webster, ranging between six months and 24 months before the fraudster starts to rack up huge charges on cards and various accounts — and, of course, never pay. The price tag is enormous, as estimated by SentiLink and some of its partners, reaching as much as $2 billion annually — and that’s just for banks.
Flavors Of Fraud
Drilling down on the details, Harris maintained that there are two types of synthetic fraud.
There is “first-party” synthetic fraud, where people use at least some components of their own identities and cobble them together with fake attributes. Since there are roughly four attributes used to create and verify identities (Harris listed them as name, address, date of birth and Social Security number), a bad apple might use their genuine date of birth or name and combine that information with a fake Social Security number. Thus, a composite identity now counts as a new identity to the lender and credit bureau, and, as Harris said, “the applicants are obscuring their true credit histories.”
Then, there is “third-party” synthetic fraud, where individuals opt to fake every one of the four elements.
Exploiting The Weak Links
Whether first- or third-party fraud, Harris said the fraudsters have been able to exploit at least some of the weak spots that exist among the three major credit bureaus and lenders. The standard methods of checking whether email addresses or Social Security numbers match an identity fail to be effective when entire identities are constructed out of a whole cloth, because, though some or all individual data points may be fake, they all line up.
As the would-be criminals apply for credit at multiple lenders, Harris said, the lenders make requests to the bureaus. If the fraudsters get enough requests in place, the bureaus establish records for the (fake) individuals, furthering the illusion of credibility.
The credit bureaus, in turn, expect the banks to have know your customer (KYC) and other screening processes in place, so they have little incentive to figure out the identities that are legitimate, and separate them from the fake ones. Thus, in the past, Harris noted, applications have sported the illustrious — OK, preposterous — attempts of individuals passing themselves off as Hello Kitty, Mickey Mouse and others.
Amusing anecdotes aside, there’s a real problem afoot. “It’s a gap,” he said, of these blind spots that cut across the various credit and lending stakeholders. Everyone’s chasing the problem, but few coherent solutions exist. He noted, a bit tongue-in-cheek, “The vast majority of time, they are not applying as Hello Kitty.”
The blind spots, as they exist now, can give rise to a vicious cycle of sorts: The wiliest of outlaws creating synthetic identities are able to apply for credit in ways that will generate requests across each of the three bureaus. Getting multiple bureaus to open reports has the effect of strengthening the fake identity (as there are relatively more records in place) and, in tandem, an assumed creditworthiness of the fraudster.
Some criminals have even taken to plying their tactics across authorized trade lines, buying access to those lines via online marketplaces.
The Database — And Bureau — Cometh
Neither side (the lenders or the bureaus), of course, maintains a comprehensive database that can check applications and identities, and ensure that everything matches up.
That’s the longer-term goal of the company. Harris told Webster that, at least for now, the near-term roadmap involves heavy concentration on the SentiLink API, and the detection and scoring of synthetic fraud risk through finding patterns across tens of millions of applicants. Those patterns can be discerned with the aid of technology, as individuals (or should we say identities?) open several accounts — or where one or two bits of information appear across several applications, but all the other details change.
“There is a gap here between identity information and consumer verification. That is the gap that we are filling right now,” he said.
However, looking just a few years down the line, there is a big opportunity to build what SentiLink calls an identity bureau, which would allow everybody to help each other when it comes to verification. Eliminating multiple checks across multiple lenders or other financial system stakeholders means that a “white list” of verified identities could be constructed (as opposed to a “black list” compiled that spotlights fraudsters), easing commerce on the consumers’ side and building trust.
Harris said that “when [a lender] identifies an identity or rejects it, and someone else comes in [to verify an applicant], then the second bank already has a record from the first one.” In essence, the ID bureau would act as “an adjacency to the credit bureau. It would not replace it.”