I just returned from the Marketplace Risk Management conference in San Francisco. At the conference, I had the opportunity to speak with a lot of companies that make up the booming marketplace ecosystem, including companies that onboard and manage independent contractors, merchants, sellers, and direct customers.
Here are some key things I learned from those conversations:
- Because of the unique potential risks that face some marketplaces, emerging companies in the space that hire independent consultants, and have truly emerging marketplace business models have a difficult time obtaining insurance coverage. (I’ve started several companies, and can totally relate.)
- On the flip side, insurance carriers and brokers care a great deal about the marketplace economy and work with their customers in the marketplace to develop risk management and insurance coverage plans that cover the unique challenges that face these companies.
- I was surprised and a little disappointed to hear that “KYC” is a catch-all phrase for “fraud defense”. Many of the companies I talked with felt (or have been told) that KYC solutions are effective at stopping fraud. KYC solutions simply validate traditional identity elements and do not analyze identities for fraud risk.
Live Simulation: Building a Synthetic Identity
I also had the opportunity to host a break-out session called “Synthetic Identity Scams: Who’s Hiding in your Customer, Seller & Worker Bases?”.
During the interactive session, the audience and I developed a “purpose-built” synthetic identity that would be optimal for someone like me, a 59-year-old-male, to bypass an identity verification check, a criminal background report, and a document validation (including a live selfie) check.
For this hypothetical scenario, we wanted to create a passable synthetic identity because I have two felonies on my record, and I was looking to get work as an independent contractor at a marketplace. (To be clear, I do not have two felonies on my record in real life. This was just for the simulation.)
In any case, we picked a “male” first name and a last name that would be in line with my demographic. To round out our synthetic identity for the simulation, we also:
- Chose to purchase a Consumer Privacy Number (CPN) from one of the several companies offering a CPN that would “establish a new credit report as long as a new address was provided” where I never lived. We assumed that the “CPN” was chosen from a randomly issued SSN range.
- Used an address that is used as an Airbnb that is close to my real home so that the IP address tied to my work application would be closely tied to my physical location. We also used similar online tools to select emails and phone numbers that we thought would help circumvent normal KYC checks.
- Established a credit report and strengthened the simulated credit score from 540 to 590 by applying and receiving a line of credit from an organization that would report a $5,000 line of credit to the bureaus on my behalf.
- Went online and purchased a fake driver’s license that I was assured could pass document validations.
To take it one step further, we decided to spend the extra money to purchase tradelines from a few websites online that would sell me the use of an “authorized user” tradeline to be added to my credit report (called “piggybacking”). And because I really wanted the job, we bought two credit card tradelines – 1 with a credit limit of $10,000 that had been active for 15 years, and another with a credit limit of $30,000 that was opened last year. The “boosted” and piggybacked tradelines gave me a near-prime credit score of 630.
From Simulation to Real-Life Application
While this is where the simulation ended, prior to the conference I ran some “real” synthetic identities gathered from applications that we scored for our customers (one “manipulated’ and one “fabricated” synthetic identity) through an online criminal background check.
Guess what? Both of those identities were validated and passed state and federal background checks.
Why is that? First, the synthetic identities I picked to run through the online criminal background check were fairly well formed by the bad actors who developed them. And second, criminal background and KYC compliance companies generally use credit header data as the source of truth for identity validations. Credit header, along with other publicly available data, can be, and is, gamed by bad actors who create and strengthen synthetic identities.
What’s the point here?
Fraudsters who create synthetic identities attack everyone. For perspective, in traditional and fintech deposit institutions, on average 1 to 4 or more of every open, active deposit accounts are held by synthetic identities. That’s a massive number. Additionally, when we analyze identities for onboarding of independent consultants received by marketplace companies, we find that 75% of those that are synthetic are using a “fabricated” synthetic identity.
In marketplaces, synthetic identities can be used to abuse policies to gain access to coupons, referrals, and special bonuses. They can be used to gain entrance back onto a marketplace platform after being kicked off for bad behavior. Synthetic identities can be used to create fake reviews and move money fraudulently (money muling). And, they can be used to circumvent prior criminal histories that would disqualify them from getting a job in your marketplace.
Synthetic fraud attacks everyone. The vast majority of KYC solutions will not help identify them and background check companies can be gamed in a way that you miss prior convictions that would disqualify the applicant from your platform
Strategies for a Risk Free Marketplace
It’s important to use proper fraud tools in your onboarding and marketplace management strategies, as KYC compliance solutions do not stop synthetic and third-party fraud. Moving forward, here are three key things to consider:
- Purpose-built analytic models that detect different synthetic and third-party fraud patterns are crucial to your fraud prevention strategy moving forward.
- Using a sophisticated document validation solution (like Socure’s DocV) can help weed out the riskiest applicants quickly, and accurately.
- It’s important to assess the risk of individual identity elements like email, phone, and address when your platform members make a change, which could be a catalyst for account takeover.
Beyond reducing financial loss from policy and other abuses, a strong fraud management strategy will help open up and potentially reduce the cost of differing risk management and insurance coverage expenses to your organization.
If you don’t use these solutions today, it’s likely that there is synthetic fraud within your platform already. Socure can perform a “Portfolio Scrub” to weed out differing fraudulent identities that are already hiding in your marketplace.
Socure is Here to Help
If you’d like to speak with the Socure team about any of the solutions or challenges I mentioned above, please give us a shout! Our experts are ready and excited to talk through your unique obstacles and share how we support some of the largest marketplaces today.
Thank you to the MRMC and for all the participants I had the opportunity to speak with.
Mike Cook is VP of Fraud Solutions Commercialization at Socure and works alongside Data Science, Product, Sales and the Fraud Investigation team to help ensure solution optimization across all the markets Socure serves. Mike has been an innovator in fraud, identity, and credit risk for almost 35 years and has created several patents for identity risk technologies.
Fact vs. Fiction in Identity Verification and Fraud...
When it comes to digital identity verification and fraud prevention, accurate...
How Legacy Identity Verification Vendors Expose Your Enterprise...
The strength of an identity verification solution is not determined solely...