How do you catch a thief who doesn’t exist?
That’s not a trick question – it’s the problem facing investigators of synthetic identity fraud (SIF), a relatively new form of identity theft in which criminals combine pieces of real personal data with fake information to create an entirely new identity, one that’s almost impossible to trace.
Unlike traditional identity fraud, where someone steals and misuses a person’s actual identity, perpetrators of SIF start with a single piece of legitimate personal data – usually a Social Security number – and build a fake identity around it using a bogus address, phone number, and other basic information. Fraudsters then use the fictitious identity to open lines of credit, secure auto loans, or scam government agencies in order to intercept tax returns and benefits payouts.
No one knows precisely how much money is being lost to SIF, but a 2018 study by the advisory firm Aite Group found that U.S. credit-card accounts lost $820 million in 2018 to SIF, and losses are projected to climb to $1.25 billion by 2020. Other estimates put credit losses as high as $6 billion to $8 billion, to say nothing of the untold millions of dollars lost in personal time and aggravation for those who fall victim to this new breed of cybercriminals. And at the federal level, the Department of Justice in 2017 recovered $3.7 billion in settlements and judgments under the False Claims Act – but, according to the AARP, Medicare alone lost $60 billion to various types of fraud in 2017.
Several factors have converged to make modern government and financial systems more vulnerable to SIF today.
To begin with, SIF is being driven in part by security improvements in the use of physical credit cards, a familiar irony to those involved in the whack-a-mole game of fraud prevention. The introduction of EMV-chip security in debit and credit cards has made it more difficult for thieves to commit fraud in person, so they are finding ever more creative ways to steal money online.
Next, efforts to digitize almost all financial transactions, including government benefits, have created both temptation and opportunity for cyber-thieves. It’s much easier to impersonate someone online than it is in person, especially if the “person” exists only as a collection of data points. Banking, credit, and government agencies only check a few key pieces of data to establish a person’s identity, and thieves are adept at mimicking them.
Finally, a record number of data breaches across all sectors of the economy has exposed more personal information than ever to potential criminals. According to the Identity Theft Resource Center, there were 1,579 data breaches in 2017, which exposed almost 179 million personal records, including 14.2 million credit-card numbers and 158 million Social Security numbers. Many of these records now circulate on the Dark Web, where they are sold like any other commodity, to anyone who is willing to pay.
How does SIF work?
To commit SIF, fraudsters begin by stealing legitimate Social Security numbers from people who aren’t using their credit – usually a child, a homeless person, or the recently deceased. To build a “synthetic” identity – or thousands of them – fraudsters add fake addresses, phone numbers, and even social media accounts. Then the real fraud begins.
Using these synthetic identities, thieves begin applying for credit online, knowing they will be turned down because there is no credit history attached to the names. The trick is that by simply applying for credit, a credit history gets started. Eventually, a lender will break down and offer the fraudster a small line of credit – $500 to $1,000, for example. Fraudsters then make small purchases over several months and pay off the balance to improve their credit rating and receive ever-more-generous lines of credit. When their credit limit gets large enough – $10,000 to $15,000 – the fraudsters “bust out” by suddenly maxing out the cards and disappearing.
“These criminals are sophisticated, and are willing to play the long game and lay the groundwork for SIF,” says Jennifer Singh, a digital identity expert who does Strategic Business Development for Entersekt, an industry leader in mobile security solutions for financial institutions. “They are patient, and they know how to take advantage of loopholes in the existing process.”
In an SIF scam, gangs of criminals might spend as long as a year or two curating a collection of fake identities before finally pulling the trigger. And while they are pretending to be legitimate credit customers, fraudsters have ample opportunity to mine their apparent legitimacy in other areas, such as auto loans, healthcare, and various government benefit programs. The Social Security numbers of children are ideal for synthetic fraudsters, because it could be 10 or 15 years before they even learn their credit had been hacked.
Catch us if you can
Why are perpetrators of SIF so hard to catch? There are many reasons, but one of the biggest obstacles is the nature of fraud detection itself. “Compliance and fraud investigators tend to be reactive,” says Dennis Lormel, former chief of the FBI’s Financial Crimes Program and currently a financial crimes consultant. “We wait for fraud to happen, then investigate it. With SIF, we’re really behind the curve because preventing it requires a proactive approach.”
Though government programs currently account for a small percentage of fraud connected to synthetic identities, Lormel expects that situation to change as the banking and credit industries revise their practices to make SIF more difficult. “Criminals always evolve, and the government is a fraudster’s delight,” says Lormel. “All entitlement programs are at risk, particularly healthcare. So are tax returns and benefit programs. If you can create a synthetic ID and set it up to divert refunds or receive benefits up front – which is exactly what the system is set up to do – you have the basis for a sustainable fraud.” The only reason SIF hasn’t been used more often to defraud the government, says Lormel, is that there is much more money to be made in credit fraud – at least for now.
How to combat SIF
To prevent SIF from becoming an even bigger problem, changes must be made in how financial and government institutions verify personal identities, and how technology is used to store and share personal information.
In January 2018, Lormel testified before the U.S. Senate Banking Subcommittee on National Security, International Trade, and Finance, and urged government officials to develop better information-sharing networks between government agencies and departments, financial institutions, and the private sector.
“We need to get better at using artificial intelligence and data mining all across the board in order to identify patterns of behavior that are inconsistent or suspicious,” says Lormel. “Government agencies need shared databases so that they can cross-check information such as Social Security numbers against other data sets. Right now, everything is stove-piped, and criminals take advantage of it.”
In 2011, for example, the Social Security administration began randomizing Social Security numbers, removing the geographical significance of the first three digits of a Social Security number in order to extend the usefulness of the nine-digit SS system. Without the geographical identifier, however, it is much easier for a criminal to create a synthetic ID with legitimate-looking contact information. In order to identify possible SIF, one needs the ability to dig beneath these surface layers of basic information to recognize patterns of behavior associated with “real” people – e.g., rental histories, legal matters, utility bills, family connections, passports, DMV records, extended social media profiles, etc. – but typically absent from a synthetic ID profile.
So-called “behavioral biometrics” would allow agencies to get a more complete and reliable view of a person’s identity, says Entersekt’s Singh. “The big challenge is that all the information that could verify a person’s identity – all the pieces that collectively add up to ‘you’ as an individual – are held in different places,” she says, adding that a more effective system would be able to “analyze and compare contexts and behaviors” in order to verify whether a person is who they say they are.
“You need to have as much information as possible at your fingertips in order to look for inconsistencies in the data and get a holistic view of a person’s identity,” says Singh. Coupling that capability with other unique identifiers – e.g., biometrics (eye scans, fingerprints), dedicated personal devices (mobile phone), unique biographical details – would add an extra layer of identity assurance, she says, because such identifiers are more or less impossible to duplicate.
Technology and vigilance
New technologies such as blockchain also hold the promise of eventually being able to build a foolproof, unhackable system of personal identification, but adoption of such technologies at all levels of government is a long way off. “We are way behind the curve on SIF,” says Lormel. “The government needs to upgrade and improve its technology across all agencies,” he says, adding that at the state and local level, people need to be trained to be more vigilant.
Other loopholes in the system also need to be addressed, says Singh, and agencies need to work together to create a much stronger ecosystem for conducting the government’s business. “Governments and institutions really need to think about the problem across the lifecycle of the user journey,” Singh says. “Even if you solve the SIF problem, you may be pushing different kinds of fraud into other channels,” in much the same way chip-enabled credit cards have given rise to SIF.
In the meantime, neither Lormel or Singh believes that a “top-down” approach is sufficient to combat SIF. Individuals need to be more aware of the threat posed by SIF and learn how to protect themselves – by freezing their child’s credit, for example, and regularly reviewing their own credit report for suspicious activity.
SIF may be the fastest-growing form of fraud in the country, but it’s hardly the only one. In the age of the daily data breach, “people need to assume that all of their information has already been stolen,” says Singh – because chances are, it has.