Synthetic Identity Fraud [What You Need to Know]
Data breaches and stolen credentials are fueling synthetic identity fraud. Behavioral biometrics offers the best defense.
Increasing use of synthetic identities, fueled by the large volume of stolen credentials, is posing new challenges for traditional fraud detection. Synthetic identity fraud is when a cybercriminal combines stolen user data with fictitious information to create a new identity, which is then used to open new banking and credit services. Fraud using synthetic identities is difficult to identify. Because the applicant is not real, there is no victim who can alert financial institutions of what is happening. Often, the financial institution only realizes the fraud after months.
How big are the fraud losses from synthetic identities?
Fraud losses from synthetic identities are in the billions of dollars. As early as 2016 the Federal Reserve reported credit companies suffered losses valued at $6 billion from synthetic identity theft. Not only are the losses significant it is considered one of the fastest-growing frauds, especially in the United States, according to estimates by McKinsey.
The growing number of fraud cases due to synthetic fraud is directly linked to the volume of data leaks. To get a sense of the size of the problem, in 2019, more than 164 million sensitive records were exposed in the US, according to a report by the Identity Theft Center. The continuing stream of data breaches adds fresh data for sale on the Dark Web. A Social Security Number, for instance, can be bought for about one US dollar.
How is a synthetic identity created?
With stolen data in hand, mainly a Social Security Number (SSN), a cybercriminal can begin manufacturing a synthetic identity, changing names, addresses, and date of birth. This identity construction can vary, including completely fictitious information or slightly modified versions of an actual record.
After this exercise of imagination, the fraudster begins the main phase of the fraud endeavor: gaining access to financial institutions that can offer credit. While an initial attempt may usually be thwarted, this is also part of the plan, as the fraudster needs to establish a credit report and credit score for the synthetic identity. One of the major gaps in the anti-fraud and KYC process is that, when requesting the opening of an account, the credit bureau opens a credit profile and history linked to that information because it is considered a new applicant.
In the next phase, the fraudster attempts to create accounts at different institutions using the synthetic identity until one of the applications is approved. In the first few months, the fraudster may make the use of the accounts seem legitimate, to increase the credit score for the synthetic identity and thereby increase the size of credit allowed for the account. Another method used to raise the score quickly is through piggybacking, where the cybercriminal uses social engineering to gain access to a person's account with a good track record and associate their synthetic identity as a dependent for a brief period of time. Later, the fraudster removes his information and takes the credit score with him.
Synthetic identity fraud is also aided in part by the types of data that are managed by credit bureaus. Often, the information supplied by a credit applicant does not exactly match the data available in the credit bureau databases - either because of typos, changes of married names, or changes of address, among others. This makes it possible for many synthetic identities to go unnoticed in initial checks.
How can you know if your data is being used for synthetic fraud?
People who have had their information stolen often do not notice the scam in the short term: they only realize the problem when they go in search of credit and need to prove their identities or when they are contacted by credit protection services, which can take months or years. A study by Carnegie Mellon's CyLab, for example, found that there are more possibilities for synthetic identity fraud using children's documents, mainly because parents are not aware of possible leaks and because they will not seek credit in the short term.
How do you defend against synthetic fraud?
Detecting synthetic identity fraud requires more than checking the identity data since some of the information is real. The best defense against identity fraud is requiring a second authentication factor that demonstrates proof of life either by sharing "something you are" or "something you do". Biometrics are typically used to identify “something you are” whereas behavioral biometrics are used to identify “something you do”.
Fingerprints are the biometric identifier that most people are familiar with. In addition, facial biometrics using facial recognition is starting to be used in applications as proof of life, especially during account registration.
The main weakness with biometrics is that they comprise static information and so once stolen they become yet another piece of data that fraudsters make use of for synthetic identities.
The theft of biometrics presents a considerable and growing security problem. Once stolen the use of that biometric by the true owner has been compromised as an authenticator, since we cannot change our fingerprint or face. Fraudsters will be able to use this information forever. Furthermore, it was already demonstrated by Tencent researchers at the 2019 Black Hat USA hacker conference that facial biometrics can be hacked, with photos, eyeglasses that mimic the eyes, and even videos.
In comparison with biometrics, behavioral biometrics are dynamic and constantly changing. There are many characteristics of our behavior that can uniquely identify us, and these factors are known as behavioral biometrics.
Behavioral biometrics captures the unique signature of a user’s behavior and offers an important advantage over biometrics as an authentication factor, in that it is dynamic and therefore very difficult to copy, fake or forge.
Location-based behavioral biometrics captures the unique location fingerprint of our movement around the world, from home to work, from work to the gym, to the supermarket. No two users have the same location behavior, which makes location-based behavioral biometrics a powerful weapon against synthetic identity fraud. Using behavioral biometrics as a second factor of authentication is the best defense against synthetic identity fraud.
With synthetic fraud on the rise, fueled by stolen credentials, behavioral biometrics offers a strong defense to thwart fraudsters looking to create accounts and steal assets.
To learn more about the characteristics of location behavioral biometrics read more in this blog post: Location Behavioral Biometrics a new Type of Digital Identity