Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/12/2019
10:00 AM
Kathleen Peters
Kathleen Peters
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Fight Against Synthetic Identity Fraud

Advanced data and innovative technology will help organizations more easily identify abnormal behavior and tell legitimate customers apart from "fake" ones.

Synthetic identity fraud — a type of fraud attack carried out by criminals who have created fictitious identities — continues to be a vexing challenge for many financial institutions and retail organizations, even prompting a recent white paper by the Federal Reserve. At the same time, many remain optimistic that initiatives on the near horizon may severely disrupt fraudulent behavior. Most notably, the Social Security Administration's electronic Consent Based Social Security Number Verification service — the pilot program scheduled for June 2020 — is designed to bring efficiency to the process for verifying Social Security numbers directly with the government agency. That said, criminals still have a window of opportunity to maximize their inventory of synthetic identities before the program kicks in.

It typically takes fraudsters approximately 12 to 18 months to create and nurture a synthetic identity prior to "busting out" — the act of attempting to build a credit history, with the intent of maxing out all available credit and eventually disappearing. That means fraudsters are investing money and time building numerous tradelines — a term to describe credit accounts listed on a credit report —  to ensure these "fake" identities are in good credit standing in order to steal the largest amount of money possible. Any significant progress in making synthetic identities easier to detect could cost fraudsters significant time and money.

For instance, an organized crime ring may be sitting on a large pool of "developed" synthetic identities. Just like perishable food in a grocery store, these synthetic identities now have an expiration date: June 2020. To monetize as many of these identities as possible, some organized crime rings, as well as other fraudsters, may increase their volume of synthetic identity fraud attacks in the coming months.

With the Social Security Administration's pilot program not scheduled for launch until the middle of next year, how can financial institutions and other organizations bridge the gap and adequately prepare for a potential uptick in synthetic identity fraud attacks? It comes down to a multilayered approach that relies on advanced data, analytics, and technology — and focuses on identity.

Far too many financial institutions and other organizations depend solely on basic demographic information and snapshots in time to confirm the legitimacy of an identity. These organizations need to think beyond those capabilities. The real value of data in many cases lies between the data points. We have seen this with synthetic identity — where a seemingly legitimate identity only shows risk when we can analyze its connections and relationships to other individuals and characteristics. The use of advanced analytics (such as machine learning) and innovative technology (such as device intelligence and behavioral biometrics) can help organizations detect patterns and anomalies that indicate potentially fraudulent behavior.

Additionally, evaluating the historical behaviors and velocity in which basic demographic attributes are used can provide more confidence during the verification process. For example, if a Social Security number is used frequently to apply for credit within a short period of time — particularly with different addresses — it could indicate fraudulent behavior. Once potentially fraudulent behavior is detected, financial institutions need to deploy secondary identity checks prior to a lending decision, such as one-time passocdes or remote document verification.

Beyond the ability to minimize and prevent future losses associated with synthetic identity fraud, proper identity management practices can also save financial institutions money during the prescreen process. Because many synthetic identities appear to have good credit — which can often pass prescreen criteria – if organizations can identify high-risk accounts, it diminishes the cost to review these identities during the application stage.  

While there are programs and initiatives in the works to help financial institutions and other organizations combat synthetic identity fraud, it's important to keep in mind there's no silver bullet — a multilayered approach is required. The evolving patterns in the fraud landscape suggest we may see a burst in activity around synthetic identity bust-out in the coming months. Now is the time to apply additional layers of intelligence to the problem. The use of advanced data and innovative technology will position organizations to more easily identify abnormal behavior and recognize legitimate customers from "fake" ones.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Community Projects Highlight Need for Security Volunteers."

Kathleen Peters is Experian's senior vice president and head of fraud & identity, where she is responsible for the strategic direction of the company's fraud and identity products and capabilities. In 2018 and 2019, Kathleen was named a "Top 100 Influencer in Identity" by One ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13632
PUBLISHED: 2020-05-27
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
CVE-2020-13253
PUBLISHED: 2020-05-27
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
CVE-2020-13630
PUBLISHED: 2020-05-27
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
CVE-2020-13631
PUBLISHED: 2020-05-27
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
CVE-2020-4226
PUBLISHED: 2020-05-27
IBM MobileFirst Platform Foundation 8.0.0.0 stores highly sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 175207.