I love Halloween, and always binge on horror movies every October. The other night we watched, for probably the fifth time, the Spielberg version of War of the Worlds, starring Tom Cruise. In that flick, instead of landing inside meteors, the evil tripods have already been buried in the ground, just waiting for the Martians to be inserted into them through bolts of lightning. Those sleeper machines have been just sitting underground, waiting to bust out of the dirt and concrete, and do their damage.

This is what we’re dealing with in the identity verification business. I’m talking about synthetic identities. These are personas, fake people assembled from a combo of real and phony PII, created for big fraud. They sit and wait, and occasionally build, biding their time. It’s their huge advantage. See, with third party fraud, a bad guy steals somebody’s PII and tries to bag credit cards, loans, accounts. They typically want to move quick, since they’re using another person’s actual identity, and if that person gets tipped off by a call or text from the bank, they can shut down the scam, or at least limit the damage. With a synthetic identity, there’s no real person to be alerted, and therefore nobody to shut things down.

The perpetrators not only often make real purchases and real payments, in order to build up their credit limits (in order to make big hits later), they lie in wait, to avoid suspicion. Many organizations have in their user repositories thousands of such identities, typically called sleepers. Meaning, one day they’ll wake up and strike, maxing out those loans and cards and “busting out,” meaning harvest those gains and disappearing. And while they sit there slowly percolating, their very age allows them to build additional credibility, which in turn helps them get past standard fraud defenses.

So while it’s a great idea to prevent synthetics from taking root, by sniffing them out with a solution built to recognize them, it’s equally important to search for them in existing user stores. For example, it’s thought that one out of five synthetic “persons” has an auto loan. That’s going to hurt later, right? There are solutions out there that can screen ids for a legit combo of name, SSN and DoB, but they require consent. So while that can supplement first-time onboarding, it’s useless for cleaning up the current population.

While our powerful Sigma model has a good record for rooting out synthetics, at Socure we’ve built a synthetic-specific model that examines very deep characteristics of presented identities to determine if they’re not just fraudulent, but completely fake, despite their age and seeming credibility. Our special sauce has long been used to auto-accept good applicants and bounce bad ones (with document verification for the ones who fall in that grey area). But our Sigma Synthetic model, which made a big splash at last week’s MoneyFest show, can also be used like a digital dachshund for identifying those sleazy sleepers among an organization’s registered users, the bad guys who slipped in with the good.

If you’re sweating not just the wolves at the front door, but also the unwanted visitors who’ve already come in the back, call us at Socure. We’ll lock out the new crooks, and sniff out the old ones, before they wake up and steal your stuff. Even if they’re from Mars.

Topics: synthetic identity, synthetic identity fraud

Jeff Scheidel

Jeff Scheidel

Jeff Scheidel is a technologist with 34 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.