The many, many, many well-publicized breaches of various high-profile, high-volume data sources have spilled a wealth of otherwise-private consumer information into both the public and dark domains. Plain identity theft is bad enough, because it not only fuels fraud, it also victimizes the affected consumers who have to clean up after bad guys have abused their profiles to commit crimes.
The other form of fraud these breaches have empowered is synthetic. This is sometimes called “victimless” fraud because synthetic IDs are fake people, and typically this type of fraud does not impact an actual consumer. But that’s not always true, as pieces of real profiles are still leveraged. Additionally, the financial organizations themselves are defrauded, and eventually the incurred costs are passed along.
At Socure, we fight third-party and synthetic fraud by:
1. Validating individual profile elements
2. Making sure they all belong to the same person
A lot of AI and deep-dive examination goes into that second point, especially for synthetic IDs, since those personas are often imbued by their creators with fake history. Perpetrators create bank accounts, make small deposits, and even make payments, in order to provide the weight of history for these avatars.
To help combat synthetic fraud, and also to provide a few basic components of KYC (Know Your Customer) capabilities, the Social Security Administration (SSA) is proposing a new service. This isn’t the first time the SSA has tried to fix an inherent problem with SSNs. In 2011, the SSA recognized a problem with how SSNs were generated. Because the SSNs were created in ranges, using geographic and incremental logic, fraud prevention schemes could spot a phony one that fell outside a legit range. But this also meant that these numbers could be guessed. In an attempt to address this issue, the SSA started randomizing the generation logic but unfortunately this eliminated identification via range, taking away an easy validation point.
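The range check described above, sketched as an added example (not Socure's or the SSA's code). The function name and the sample numbers are constructed for illustration, and the pre-2011 area set (001-733 and 750-772, excluding 666) is an assumption about the assignments in use before randomization. It shows which structural rules still apply to every SSN and which validation point randomization removed.

```python
import re

# Rules that hold for every SSN, before and after the 2011 randomization.
NEVER_ISSUED_AREAS = {0, 666} | set(range(900, 1000))
# Assumption: area numbers in use before randomization (001-733, 750-772).
PRE_2011_AREAS = (set(range(1, 734)) | set(range(750, 773))) - {666}

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def check_ssn_structure(ssn, issued_before_randomization=False):
    """Return the reasons an SSN is structurally impossible ([] = plausible).

    A plausible structure says nothing about whether the number belongs to
    the name and date of birth presented with it.
    """
    m = SSN_RE.match(ssn.strip())
    if not m:
        return ["not nine digits"]
    area, group, serial = (int(part) for part in m.groups())
    reasons = []
    if area in NEVER_ISSUED_AREAS:
        reasons.append("area never issued")
    elif issued_before_randomization and area not in PRE_2011_AREAS:
        # The range-based check that randomization took away.
        reasons.append("area outside pre-2011 range")
    if group == 0:
        reasons.append("group 00 never issued")
    if serial == 0:
        reasons.append("serial 0000 never issued")
    return reasons


if __name__ == "__main__":
    # Constructed sample values, not real SSNs.
    for sample in ["800-12-3456", "666-12-3456", "123-00-0000"]:
        print(sample,
              "| any issue date:", check_ssn_structure(sample),
              "| claimed pre-2011:", check_ssn_structure(sample, True))
```

The first sample passes once randomized issuance is allowed but fails when the applicant's history implies a pre-2011 number, which is the only place the old range logic still helps.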
Now the SSA is trying to execute on KYC, and battle synthetic fraud, by providing a service, known as eCBSV (electronic consent based SSN validation), for verifying an individual’s SSN, name, and date of birth — an effort that Socure applauds and supports. There are fraud experts who say this government-supplied service will “solve the synthetic ID problem.”
Certainly I would never impugn someone’s good intentions. But let’s take a hard look at this proposed solution.
eCBSV is to be accessible via API, requiring the acquisition of an API key, and authentication through OpenID Connect and OAuth 2.0. The SSA will require, for each transaction, the SSN holder’s written consent, whether hard or electronic. The API returns a thumbs up or down on SSN or Date of Birth match.
The service will be available Monday through Friday, 5am to 1am EST, 5am to 11pm EST on Saturdays, and 8am to 11:30pm EST on Sundays. The hours aren’t as good as a White Castle (nature’s most perfect food), but I guess that’s not bad. Unless you’re a financial institution that operates 24x7.
If you spend a couple of bucks to do a dark web search, you will find your most personal security questions and answers out there. Your first pet, the make of your first car, the amount of your first mortgage, the pattern of the lace doilies you got for a wedding present, it’s all out there. The combination of name, SSN and DoB is nothing compared to that. When a synthetic ID goes historically deep, are these enough?
Socure's KYC solution already validates what the SSA proposes to do (and much more). We meet the assurance levels our customers demand by leveraging all that additional data and history, as well as deep machine learning. In addition, we don’t need consent. Socure not only returns a binary validation of the SSN (or DOB), but also detailed reason codes that explain the matches and mismatches. To enable our customers to achieve the best possible acceptance rates, we have designed recommended logic sets, leveraging these reason codes to help our clients onboard the greatest number of safe bets. And to really make sure our customers don’t leave money on the table by rejecting people for the wrong reasons (often referred to as false positives), Socure offers the option to employ a variety of fuzzy matching capabilities, to provide acceptable levels of tolerance for fat-fingered entries — a very common mistake in a mobile-first world.
The eCBSV service will be available to a small beta group in mid-2020, but the SSA has yet to state a date (other than 6 months post initial launch) for general release. We anticipate a requirement for integration and annual licensing fees, as well as per-API-call charges, and a cap on how many transactions can be executed within a given timeframe. This is not to mention all the execution risks associated with a program like this. So while Socure is excited to be involved with the program and will implement its most useful features into our solution, we continue our program of perpetual improvement in accuracy and insight into fraud and identity verification. When it’s live, the SSA offering will be a good thing. But there will be an awful lot of fraud attempts between now and then.
Socure has hundreds of happy customers who are paying on a transaction basis, with unlimited capacity, and operating to scale with sub-second response times because they need that assurance right here and now.
One more thing to consider: there’s far more to accepting good customers and preventing bad ones than checking the bare minimum. Third-party fraudsters themselves are doing far more than the bare minimum.
If you need an excellent, scalable, tried-and-true KYC product, think Socure. There’s a reason we were the hit of Money2020. It was more than our horde of engineers in our orange shirts. It’s because we deliver results.
Fraud isn’t waiting until 2021. Neither should you. Talk to us. Socure’s KYC is here for you, right now.