Synthetic ID Theft: A Growing Problem for Credit Unions
A Federal Reserve report warns that the new identity theft technique is harder to detect and often affects those unlikely to report the crime.
A Federal Reserve white paper released last July, “Synthetic Identity Fraud in the U.S. Payment System,” focused on the severity of this somewhat misunderstood fraud type, a mounting problem for credit unions and other financial institutions. The study cited McKinsey, which described synthetic identity fraud as the fastest-growing type of financial crime in the U.S., and the Auriemma Group, which in 2016 estimated that fake personas accounted for 5% of charged-off accounts and up to 20% of credit losses – or $6 billion.
The Fed paper reported fraudsters increasingly use synthetic identities to execute payments scams, which can evade detection by ID verification and credit-screening processes. Over time, fraudsters build up the synthetic identity’s creditworthiness, then “bust out” by purchasing high-value goods and services on credit before disappearing. “Because the identity was not real to begin with, there is limited recourse in tracing the perpetrators and holding them responsible for their debts,” the Fed report explained. Other consequences include denial of benefits, tax return rejections and health record inaccuracies.
“Crime rings see attractive opportunities in synthetic identity payments fraud,” Ken Montgomery, Federal Reserve System payments security strategy leader and Federal Reserve Bank of Boston COO, said. “Law enforcement officials, financial institutions, and other organizations recognize it as a growing concern. But unfortunately, many consumers do not realize how it can hurt their access to credit or how to protect themselves.”
Jack Lynch, SVP, chief risk officer, at St. Petersburg, Fla.-based payments CUSO PSCU and president, CU Recovery, said the advent of EMV chip cards prompted imposters to shift their account takeover tactics. “Fraudsters are really in it for the most part in the long game with synthetic fraud,” said Lynch.
Traditional identity payments fraud involved hackers pretending to be another real person and using that individual’s credit. According to the Fed report, synthetic identity payments fraudsters create a new identity to commit fraud in one of several ways: identity fabrication (a completely fictitious identity without any real personally identifiable information), identity manipulation (using slightly modified real PII to create a new ID), or identity compilation (a combination of real and fake PII, such as a false driver’s license, to form a new identity).
Fraudsters employ a variety of tactics to make synthetic identities appear authentic, such as creating bogus ID documents and social media personas, and utilizing drop addresses (e.g., P.O. box addresses or vacant properties or vacation homes) to receive credit cards or goods. The Fed paper also suggested fraudsters use synthetic identities to start phony businesses and sign up with merchant processors to obtain credit card terminals and run up charges.
As a synthetic identity’s credit score rises, the fraudster can secure larger extensions of credit until ultimately, the fraudster “busts out.” This term refers to maxing out the credit line and vanishing.
Lynch noted that in the long game approach, even a first-time declination originates a credit profile. “The next time they might get a small, $300 amount; enough to start building a profile,” he said. In some cases, they take years before busting out: “They become very good consumer in terms of paying off their balances, making their payments, doing all the things that gets them credit line increases.
Lynch explained synthetic identity fraud is tough to detect, and often goes unreported, since victims are typically individuals – such as children, the elderly or homeless – who are less likely to check their credit information. “In some cases, you might have gotten the social security numbers for your children, but who’s paying attention to that/?”
Sometimes financial institutions just write off the loss not even realizing it is a synthetic ID. Lynch pointed out protection that looks at velocity attacks, where a cybercriminal continuously submits a card number to make unauthorized charges, does not really help here. “It really becomes a quick strike at the very end and boom, they’re gone.”
Lynch suggested the fraud issue is finally getting the attention at the Fed level and at the associations. “Everybody is starting to get more engaged in this process, to come up with solutions for it.”
One of the ways PSCU helps credit unions protect against synthetic fraud Is through the integration of Linked Analysis, developed by PSCU’s in-house experts, which uses cross-network analytics to create a 360-degree member view. This enables PSCU to look at members’ activity across different platforms, institutions and merchants, using any card. Data scientists and machine learning help identify linkages, compromises, breaches and common points of purchases.
Lynch pointed out that Linked Analysis picks ups odd pieces of information that do not match, such as slightly changed names, ages, and addresses at different financial institutions; or detecting patterns in how fraudsters utilize the interactive voice response or set up other things around electronic banking. “That’s the start of how you can start identifying these things you have in your ecosystem today.”
PSCU also educates their CUSO members so they know in today’s environment they cannot just rely on credit bureau scores or any one source. “You have to have a holistic look at people enrolling in things.”
PSCU also encourages credit unions to make sure members not only monitor their own (identities) but the identities of their children or any elderly in their care, too. “Credit unions should make sure they and their partners look at cross channel analysis and leverage data during the lifecycle of the member.”
Lynch recommended credit unions reexamine their account-opening process. “You have to have a holistic look when people are enrolling, not just going out to the credit bureau and going, ‘Hey look, they’ve got a very high FICO score, that’s enough to open the account.’ You really need to have different data feeding into your new account opening process as well.”