Synthetic identity fraud in card not present transactions tops risk managers’ concerns in 2016

March 23, 2016 by Tom Groenfeldt

The nice thing about using a synthetic identity to commit fraud is that there’s no pesky credit card holder calling to report unauthorized charges on her statement. The fake identities can be created or purchased on the Dark Web.

With credit cards, fraudsters often buy gift cards or smartphones that can be turned into cash easily. Luxury automobiles are another popular purchase with synthetic identities and internet purchasing, although in some cases you have to wonder what dealers were thinking when they received a purchase over the internet with instructions to deliver the cars to a port. Fraudsters pay the shipping with fraudulent credit cards to ship the vehicles overseas, often to China where they can sell for two or three times the North American price.

“Organized crime groups are able to exploit weaknesses in credit reporting to use a synthetic ID to acquire financing for the purchase of vehicles at multiple dealers throughout the same day,” Steven D’Alfonso, senior financial crimes intelligence specialist at IBM Red Cell, wrote in ‘Security Intelligence’. “A fraudster using a synthetic ID can go from dealer to dealer in one day and apply for credit without each dealer knowing about previous or same-day inquiries.”

Very patient criminals developing credit over several years can use one fake identity to obtain not just credit cards, loans and cars but even mortgages. Then, at some point individuals who have looked like model borrowers bust out — maximizing every bit of credit, buying things with counterfeit checks and selling assets like cars that they have acquired using phony credentials and then disappearing.

“Typically, fraudsters will use a real Social Security number (SSN) and pair it with a name not associated with that number,” said D’Alfonso. “Fraudsters seek SSNs that are not actively being used, such as those of children and the deceased. In some cases, an identity fraudster may create a completely fake identity with a phony SSN, name and address.”

Gartner estimates that synthetic identity fraud makes up 20 percent of credit charge-offs today and 80 percent of losses from credit card fraud. Total losses remain unknown because banks don’t like to publicize them, but a New Jersey ring in 2013 stole more than $200 million and Canadian authorities estimate fake IDs cost $1 billion there.

Synthetic identities, a top threat for banks in 2016

After talking with banking risk managers about major threats for 2016, ‘The Wall Street Journal’ placed synthetic identities at the top of the list. Bankers said the fake identities can be supported by fake pay stubs, fake businesses and phony references.

As EMV chips make on-site purchases more resistant to fraud, criminals are turning to online purchases where they don’t have to hand cards to a cashier, called card not present (CNP) transactions. Ontario officials who a few years ago were seeing perhaps 100 cases of synthetic identities per month now report thousands.

Credit card issuers, both stores and major card companies, are often the point of entry. A fraudster might apply for a department store card and get rejected. But that application goes on a credit bureau record, so the next time he applies his name will be on file and he may get a store credit card.

“There are many factors that contribute to the problem, but the authorized user process and availability of credit from some of the major card issuers play key roles in this,” said D’Alfonso.

Another approach is to borrow the good credit of existing cardholders for a few days, usually for a fee, to get the credit history on the fraudster’s account. After a time the fraudster can apply for a credit card using the inherited credit history to qualify for a card in his own name.

Credit bureaus are data aggregators, not credit validators, noted D’Alfonso.

As more transactions and account openings can be done online, banks lose the opportunity for face to face meetings to verify the identity of their customers. Sonya Andreassen-Henderson, vice president of the mortgage investigative services group at PNC Bank told the ‘WSJ’ that banks need people with technology skills and human intelligence; they can’t rely on technology alone.

Synthetic identity fraud Using Social Security numbers belonging to children is also an effective way to create a synthetic identity. Richard Power, distinguished fellow at the Carnegie Mellon Cylab, wrote that a recent survey of questionable identities turned up a victim who was only five months old.

Under normal circumstances, a child whose Social Security number had been used in a synthetic identity probably wouldn’t learn about it until she applied for college financial aid. Cylab found a 16-year old girl who had $735,000 in debts to her name. An 18-year old applying for college loans had recorded debts of $325,000, but the police wouldn’t act without a credit report and the credit reporting agency refused to provide it because she was a minor. It took months to clear her name. Power said children are 50 times more likely to be victims of synthetic identity than adults 10.2 percent in one study vs. only 0.2 percent for adults.

Canadian authorities speculate a fraudster there had a poor command of English and typed in a name that appeared on a nearby computer screen —Server Froze. No matter, it was good enough to obtain nine drivers licenses. Another fraudster got bank loans and insurance to buy several cement trucks, shipped them to Dubai and reported them stolen so he could collect both the sale price and the insurance.

Just to add some complication, not all synthetic IDs are created for fraud. Sometimes people with poor credit history use them to obtain mobile phone contracts or sign up with their local utility and then pay their bills on time. And sometime what looks like a suspicious thin or absent credit file is just a young person trying to get her first credit card.

The credit is compounded by companies’ desire to create a great, effortless customer experience, especially for mobile phone users. And banking customers have adopted mobile banking at an astonishing rate. Citi, for example, saw the share of digitally active bankers on mobile grow from 22% to 66% over 18 months.

“With the growth of online banking and the rise of mobile usage, it’s important to ensure a superior customer experience across all digital channels,” said Eileen Turner, senior product marketing manager for IBM Security. “It is clear that the financial services industry needs a better approach for fraud prevention. The current approach does not support the industry’s goal of a superior customer experience. Given the fact that most banks compete on customer experience, it’s all the more critical that the online experience is not negatively impacted.”

Taking into account the sky-rocketing growth of mobile usage for everything banking and e-commerce, putting in place age verification processes within the mobile channel will help to make it more difficult for fraudsters to create synthetic identities using minors’ personal information. Additionally, offering customers to verify their identity from their smartphone or tablet will keep the overall user experience hassle-free, convenient, and secure for all stakeholders.