<img height="1" width="1" src="https://www.facebook.com/tr?id=316029722675592&amp;ev=PageView &amp;noscript=1">

One of the great joys of my life—besides my family and guitars and Canadian beer and history books and German beer and Breaking Bad reruns and Belgian beer—is horror movies. Especially old ones. I was always partial to the Universal monster flicks, with Lugosi and Carradine and the two Chaneys. But I think Boris Karloff, as Frankenstein’s monster, was always underrated. There is actually some good acting going on in his first two movies as the creature. He’s not just grunting and stomping around. There is true substance behind the makeup, the fake flat head, and the bolts in the neck.

frank

 

It’s the same with the Frankenstein monsters that bedevil banks and credit issuers. I’m talking about synthetic ids. Third party fraud is clearly more rampant in the form of just plain identity theft. I pretend to be you, I take advantage of your good credit and general history, but I point the contact info back at myself. It’s not that difficult to pull off once you’ve stolen or purchased somebody’s personal data. At Socure, we employ multiple data sources, some killer AI, and a data set larger than anybody else in the universe uses to train our fraud models to catch these crooks.

But with synthetic identities, you have to dig a little deeper. That’s because, like Frankenstein did with his monster, the bad guys assemble a completely new persona by using the pieces of other people’s parts to create the illusion of substance. No, not real arms and legs, because that would be disgusting. This crime entails the usual suspects: SSN, email, phone, date-of-birth, etc. But here’s the different angle. Instead of stealing and utilizing somebody else’s PII right away, synthetic perpetrators often employ the most dangerous burglar tool of all ... patience.

These fake people are often an investment of time and effort. Their creators slap them together using a selection of other people’s PII, and top them off with a false identity. Then, they give these creatures some history. A bank account, a deposit, some actual payments, to provide them with a phony sort of integrity. So when the time comes, after they’ve baked for a sufficient amount of time, these fakes have enough gravitas to garner better credit lines, fatter cards, larger loans. This is when the evil fraud scientists perform what’s called a “bust out,” in which they max those credit cards and those loans for a big payday before they disappear, leaving an empty husk of an identity to be futilely investigated.

There are cases where fraudsters have created literally hundreds of these to hit up a single provider, and come away with a lot of loot, after baking their avatars long enough to bring them a semblance of life. A favorite target of their data mining is children (even newborns!) since kids’ social security numbers won’t be pinged for years. Your toddler won’t be applying for credit any time soon (unless you yourself are a crook) ... so his or her SSN isn’t very likely to be flagged.

See, if I pretend to be you and you get an alert, then you shut me down (maybe after I’ve already done some damage). But a fake person—or a toddler—isn’t actually there to get an alert and take action.

So how to defend against these Frankensteins? First, you need to ensure that all the PII being used for verification belongs to 1) the same person, and 2) an actual person. The most basic KYC can validate that the email, phone, DoB, SSN, etc. are all real. But do they belong together? And if so, do they belong to a real live human?  It also helps to dive more deeply into the history of that individual. Did they seemingly spring from the earth just a year ago? Where were they before that? Where have their phone and email been used?

It is also beneficial to not depend entirely on data elements that are chronically stolen and compromised. There’s a good reason why SSN alone is a lousy predictor of, well, anything.

One more thought. This isn’t a victimless crime, as it’s often referred to. That fake person is still driving up the cost of doing business, and this ultimately impacts the consumer. And the very real bits of PII were taken from very real people, who can still suffer the consequences.

When that fake person is trying to rip us off, we need to chase "it" down to the windmill with torches and pitchforks. But to do that, we need to identify it. This is what Socure does. We look at all those individual pieces and make sure that they are all part of a legitimate, holistic picture of a person. And we do it better than anybody. How? We’ve made the investment in machine learning, and we’ve put in the patience and time to build our killer AI robots to use that learning to detect fraud and auto-accept the good applicants. We've got an incredible client list across banking, credit, and other industries to prove it. 

And our robots beat their monsters, every time.

Click here to read our new white paper on Synthetic Identity Fraud 

Topics: Identity Fraud, synthetic identity, synthetic identity fraud, synthetic fraud

Jeff Scheidel

Jeff Scheidel

Jeff Scheidel is a technologist with 34 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.