One of the great joys of my life—besides my family and guitars and Canadian beer and history books and German beer and Breaking Bad reruns and Belgian beer—is horror movies. Especially old ones. I was always partial to the Universal monster flicks, with Lugosi and Carradine and the two Chaneys. But I think Boris Karloff, as Frankenstein’s monster, was always underrated. There is actually some good acting going on in his first two movies as the creature. He’s not just grunting and stomping around. There is true substance behind the makeup, the fake flat head, and the bolts in the neck.
It’s the same with the Frankenstein monsters that bedevil banks and credit issuers. I’m talking about synthetic identities. Third party fraud is clearly more rampant in the form of just plain identity theft. I pretend to be you, I take advantage of your good credit and general history, but I point the contact info back at myself. It’s not that difficult to pull off once you’ve stolen or purchased somebody’s personal data. At Socure, we employ multiple data sources, some killer AI, and a data set larger than anybody else in the universe uses to train our fraud models for hyper-accurate identity and synthetic ID fraud detection—and catch these crooks.
How Synthetic Identities Are Created
But with synthetic identities, you have to dig a little deeper. That’s because, like Frankenstein did with his monster, the bad guys assemble a completely new persona by using the pieces of other people’s parts to create the illusion of substance. No, not real arms and legs, because that would be disgusting. This crime entails the usual suspects: SSN, email, phone, date-of-birth, etc. But here’s the different angle. Instead of stealing and utilizing somebody else’s PII right away, synthetic perpetrators often employ the most dangerous burglar tool of all … patience.
Synthetic Identities Are Built Over Time
These fake people are often an investment of time and effort. Their creators slap them together using a selection of other people’s PII, and top them off with a false identity. Then, they give these creatures some history. A bank account, a deposit, some actual payments, to provide them with a phony sort of integrity. So when the time comes, after they’ve baked for a sufficient amount of time, these fakes have enough gravitas to garner better credit lines, fatter cards, larger loans. This is when the evil fraud scientists perform what’s called a “bust out,” in which they max those credit cards and those loans for a big payday before they disappear, leaving an empty husk of an identity to be futilely investigated.
There are cases where fraudsters have created literally hundreds of these to hit up a single provider, and come away with a lot of loot, after baking their avatars long enough to bring them a semblance of life. A favorite target of their data mining is children (even newborns!) since kids’ social security numbers won’t be pinged for years. Your toddler won’t be applying for credit any time soon (unless you yourself are a crook) … so his or her SSN isn’t very likely to be flagged.
See, if I pretend to be you and you get an alert, then you shut me down (maybe after I’ve already done some damage). But a fake person—or a toddler—isn’t actually there to get an alert and take action.
Synthetic Identity Fraud Red Flags
So how to defend against these Frankensteins? First, you need to ensure that all the PII being used for verification belongs to 1) the same person, and 2) an actual person. The most basic KYC solution can validate that the email, phone, DoB, SSN, etc. are all real. But do they belong together? And if so, do they belong to a real live human? It also helps to dive more deeply into the history of that individual. Did they seemingly spring from the earth just a year ago? Where were they before that? Where have their phone and email been used?
It is also beneficial to not depend entirely on data elements that are chronically stolen and compromised. There’s a good reason why SSN alone is a lousy predictor of, well, anything.
Fighting Synthetic Identity Fraud with Socure
One more thought. This isn’t a victimless crime, as it’s often referred to. The costs of synthetic identity fraud are no joke. That fake person is still driving up the cost of doing business, and this ultimately impacts the consumer. And the very real bits of PII were taken from very real people, who can still suffer the consequences.
When that fake person is trying to rip us off, we need to chase “it” down to the windmill with torches and pitchforks. But to do that, we need to identify it. This is what Socure’s industry-leading identity verification platform does. We look at all those individual pieces and make sure that they are all part of a legitimate, holistic picture of a person. And we do it better than anybody. How? We’ve made the investment in machine learning, and we’ve put in the patience and time to build our killer AI robots to use that learning to detect fraud and auto-accept the good applicants. We’ve got an incredible client list across banking, credit, and other industries to prove it.
And our robots beat their monsters, every time.
Jeff Scheidel is a technologist with 38 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.