Synthetic IDs: Fake identities. Real threats.
With record-breaking data breaches happening all the time, bad actors have access to more personal identifying information on the dark web than at any time in history. Blending pieces of these identities with new information, like never before seen email addresses, allows them to slip past organization controls using a synthetic identity and make purchases they never intend to actually pay for.
As part of the Emailage, a LexisNexis Risk Solutions Company virtual event series Amador Testa and Raphael Loureiro — Chief Product Officer and Chief Technology Officer, respectively — from Emailage talk about how their teams partner to prevent fraud.
What is the Synthetic ID challenge?
Going back to 2000-2005 there wasn’t a Synthetic ID challenge. There wasn’t a challenge, because there wasn’t as much e-commerce on the internet and there were other easier ways to commit fraud. But once EMV chips got implemented, those physical fraud tactics got harder. We quickly saw a huge shift of that fraud trend online. And it hit two ways: it hit e-commerce within large enterprises and across the entire e-commerce space. It also hit account opening. Today, we see this new trend where fraudsters can actually create fake or synthetic identities to commit fraud.
What’s the economic impact of Synthetic ID fraud?
It’s already an eight billion dollar problem. The problem is not going away.
How are Synthetic IDs created?
It’s not that hard. I actually created one by mistake. Five years ago, I went to apply for a credit card and I made a mistake on my Social Security Number by a single digit. Yes, I know I should know this by heart. The credit card got approved. I used the credit card for four years. Then when I went to buy a house, the mortgage company came back to me and said, “Hey, which one of these are your identities?” By mistake, I created two identities.
Now, fraudsters, they are professionals. And today they target more elderly and children with this fraud tactic. Generally, these are populations who don’t monitor their Social Security Number.
And as a father of two daughters, I would strongly recommend thinking about freezing their credit report to prevent some of this. That’s one simple suggestion I would offer to all parents.
Is Synthetic ID fraud a victimless crime?
We all are victims. Companies can’t go through the typical process of addressing fraud, even to the point of prosecutions, because there’s no actual person to prosecute for the crime. The company bears all the cost of Synthetic ID loses. To recoup those loses, businesses are forced to account for them in the way they price goods and services. So, we all pay a higher price.
How do fraudsters create Synthetic IDs?
One way they start is by getting a prepaid number in case there is any type of information that company needs to confirm. They can pick up the phone and answer, validating all the information they submitted. Also they need an email address. At account opening, that’s how many companies request you confirm your account. And they make an email that looks like they are the consumer, so the new account profiles don’t raise flags as easily. Usually they leverage a first and last name, but it really could be any mail that they own. And even if fraudsters don’t have good emails, we see them creating a new email because they need to control the email to pull it all off.
What happens behind the scenes from a technology perspective?
I’m going to start by covering our infrastructure. The goal for all the regions we’re in — North America, Europe, Asia Pacific and Latin America — is high availability. We’ll always strive to get to 5-9. What does that mean? Five-nine refers to high availability where solutions cannot experience more than 5.26 minutes of downtime in a year, which is 99.999 percent uptime.
On the innovation front, the pace is fast and getting faster. We do our best to stay with it with trial and error. This ultimately helps us get to production faster. One of the goals is faster delivery. Less than one second replication. When a customer shares fraud with us in California, I want to be able to provide this intelligence to a customer in Sydney in less than a second. That’s my objective. That makes a big difference if you are a global customer.
How is technology helping to meet customer demand for services?
It’s all about being scalable. It’s critical. Think of a seasonal business. Black Friday is a good example. We can see up to quadruple the traffic in our solutions. The benefit of running our infrastructure in the cloud is being able to scale up and down to demand.
Is there a specific tool to use to detect Synthetic ID fraud?
Unfortunately, there is no silver bullet. Ultimately, the most effective fraud prevention is a layered approach. Basically, you need to think about all the interaction points with the customer, select our proper capabilities that can help with that interaction… from when they land to your website, opening an account, forming links between credit cards, associating an address, performing a transaction, making a change on their existing account. Each of these interactions looks at unique information. It goes without saying that you need an IT partner to ensure all your systems and connections pass data the right direction, all the integrations work seamlessly and fast so the customer experience isn’t impacted.
What are the key takeaways?
First, we are all victims of this eight billion dollar problem and we pay the price in compromised data and increased costs in the goods and services we buy. Second, spread best practices across a layered approach with right solutions and the right control points. Last but absolutely not least, partner with IT. Things are moving so quickly that you need to be able to have the right technology and the right ability to innovate and to adapt to all emerging fraud tactics and changes that we are seeing in our industry.