Experian warns of facial recognition, synthetic ID fraud
The widespread shift to e-commerce and touchless payments during the pandemic has escalated fraud risk in those channels, including the possibility of fraudsters combining altered photos with synthetic ID, Experian warns.
A trick Experian is calling “Frankenstein IDs” could see fraudsters this year using machine learning to invent fake facial images, which, combined with fictional identities, could add a new and more virulent edge to fast-growing synthetic ID fraud, the global information company said in a new forecast.
Synthetic fraud — where fraudsters use a combination of real and made-up identity information to create new account IDs — is one of the fastest-growing and most insidious types of fraud in the last few years, and now facial recognition could make it worse, said Kathleen Peters, Experian Decision Analytics’ chief innovation officer.
“We predict that in 2021 we’re going to see a combination of fraud tactics using these inexpensive, widely available tools to create fake faces to go with synthetic IDs,” Peters said. The theory is part of Experian’s first-ever fraud predictions, announced Monday.
So far Experian hasn’t seen any incidents of fraudsters using facial recognition to enhance synthetic IDs, Peters said. But new research by McAfee and others demonstrates how machine learning can be used to form new identities with fake facial images that will be harder for financial institutions and merchants to fight.
“Synthetic ID fraud is particularly vexing, because the fraudster can gather enough legitimate data from the dark web to create a legitimate-seeming ID that a bank or a merchant thinks it’s a new customer account with a good history,” Peters said.
Fraudsters often nurture these synthetic ID accounts for months with legitimate transactions and payments before busting out by stealing thousands of dollars at once. Examples include drained bank accounts and cars stolen from dealerships after making a down payment with a payment card based on a synthetic ID.
Combining synthetic ID with facial ID could be exponentially more risky for banks and merchants, increasing fraudsters' capabilities for bust-out fraud, according to Peters.
Battling synthetic ID fraud is tough, though banks and merchants continue to invest in solutions to verify that accounts are represented by an actual person. But fraudsters continue finding new ways to muddle identities.
“Fraudsters are very creative and motivated individuals, and just as fraud solutions keep evolving, so do fraudsters’ tactics,” Peters said.
Experian’s Sure Profile provides a composite history of a consumer’s ID, public record and credit information, which, combined with other verification tools, can pinpoint whether an ID is legitimate, she said.
Experian is also part of the Social Security Administration ID-verification service pilot that began in June 2020, with plans to expand in mid-2021, and Peters hopes this will blunt synthetic ID fraud attempts.
The new Consent Based Social Security Verification (eCBSV) service would enable organizations to confirm in real time whether a Social Security number combined with a name and date of birth matches what the SSA has on file.
Apart from synthetic fraud, Experian also predicts an uptick this year in scams and phishing attempts leveraging COVID-19 cures and stimulus checks.
“Because of the pandemic’s effect on the economy we’ve seen unprecedented increases of consumers transacting online — including some for the first time — which has increased the scale of opportunities for fraudsters, who are also working at home. It’s a big new population to go after with lots of opportunities,” Peters said.
Massive fraud surrounding government stimulus checks and PPP loans will likely be repeated this year, despite the growing awareness of risks for these payments, she said.
“There were learnings from the first round of government payments, but unfortunately there’s so much pressure to get money out quickly, and recipients are so eager to get it, that it just creates more opportunities for people to be victimized by scammers,” Peters said.
Experian also expects to see an uptick in automated fraud attempts, where fraudsters use computers to run constant attacks on customer files until they succeed.
“Whether fraudsters are using public records data that was exposed in many data breaches over the years or the names of business owners and entities, there’s a real opportunity with automated credential stuffing to intercept government payments using machines,” she said.
Account takeover — when stolen credentials are used to access a legitimate customer's account — also will likely rise as fraudsters increasingly use automation to test and crack accounts.
“With everyone online, there are fewer in-person transactions and account takeover is rampant online,” Peters said.