This week's big bust of a credit card theft ring emphasizes the difficulty issuers face in locating fraudsters and the limitations of technology that can go only so far in mitigating the threat.
"You get hundreds of thousands of applications per month if you're a large issuer, so flagging folks is a tough task," says Julie Conroy, a senior analyst and fraud expert for Aite Group.
Eighteen people were part of a scheme to create thousands of false identities and credit profiles and take out large loans that were never repaid, according to the FBI. The suspects used a mix of identity theft and credit card fraud to steal more than $200 million, a number that's likely to get larger going forward, the FBI said in an arrest complaint.
The suspects allegedly used a difficult-to-fight method called first-party fraud, which has caused more than $18 billion in credit card losses globally in 2012 and is on pace to surpass $28 billion by 2016, Aite says.
First-party fraud refers to crimes such as identity theft; identity manipulation; synthetic identity fraud, or the creation of a new ID; and springboarding, a crime in which a fraudster is added as an additional signatory to an already established account. The intent is to obtain credit that's never repaid.
Synthetic fraud is hard to spot because it can result in the creation of a new consumer record, which makes the fraudulent account appear legitimate.
"Once somebody is able to get in and establish a synthetic identity, it becomes a vicious cycle that reinforces itself … the next time that person shows up [at another issuer], they have an ID so they can start a new relationship with their false credentials," Conroy says.
Many perpetrators also use their own identity, so traditional verification routines aren't effective, Conroy says.
Also, the recent case notwithstanding, most first-party fraud cases are small enough to fly under the radar.
"It's the kind of fraud that issuers are trying to fight every day. This stuff falls in the back office all the time. Right now it's getting a bright spotlight because of the spectacular nature of the event," Conroy says.
Most fraud-fighting models are geared toward spotting third-party fraud, where a card number has been stolen, rather than detecting patterns consistent with first-party fraud. Also, issuers often misclassify first-party fraud as ordinary credit losses.
There are some ways to spot synthetic identity fraud, which is a major part of first-party fraud, says Ben Knieff, a director of product marketing at NICE Actimize who is responsible for defining the strategic direction of the company's financial crime technology.
"To perform synthetic identity fraud, you take a phone number from here and an address from there to form the new 'ID.'…There are ways to look for that," Knieff says. "You look for multiple last names at the same address, for example. Then you marry that with behavior, with the first 90 to 180 days of the relationship being particularly important. You look for things such as people running up the balance on the card quickly and then paying it off with a check."
The tech options include rules-based systems and software that provide detection for application fraud, analytic models and social networking analytics. Rules-based systems are typically developed in-house by issuers and are designed to spot behavior patterns such as heavy use of an ATM for deposits followed by fast withdrawals, or a high number of balance queries.
Analytic models examine risky behavior, such as odd credit lines (a specific dollar amount instead of a rounded figure, for example). Vendors in this space include ACI Worldwide, Accenture, FICO, IBM, ID Analytics, SAS and NICE Actimize.
Social network analytics can discover connections between customers and account. These are provided by companies such as Detica, Fiserv, ID Analytics and SAS.
The most common approach is rules-based systems, which are used by almost all issuers, with social analytics being the least commonly used — it's deployed by about a quarter of U.S. and EMEA financial institutions, Aite says.
Card regulations also complicate the fraud fight. These regulations prevent the sharing of most account information among issuers, making it easier for fraudsters to set up accounts at different banks, Conroy says.
The Treasury's Financial Crimes Enforcement Network (FinCEN) allows some information sharing for anti-money laundering purposes, but more aggressive loosening of the rules is unlikely, Conroy says.
"To some extent companies are hamstrung by the structure of the financial system … I don't see anything happening anytime soon," she says. "The regulators don't always understand the financial system to a degree of detail that would permit them to understand the fine points of the threat. And Congressional action is unlikely given the current [political] environment."
There is some common information on borrowers stored at credit bureaus that can be helpful, Knieff says. "But most crooks know about that so they work around that. You may be able to catch some less sophisticated crooks, but the smart ones know how to not get red-flagged by the credit bureaus," he says.