Fraudsters doing more with synthetic IDs
As U.S. counterfeit card fraud declines with the advance of EMV, researchers say fraudsters seeking richer ground are reviving a familiar card scam based on creating fake credentials, known for many years as synthetic identity fraud.
Synthetic identity fraud occurs when scammers create a fictitious account using real or bogus customer credentials, make fraudulent purchases with the account and quickly abandon it. The scam isn’t new, but industry data suggests it’s on the rise as fraudsters discover new ways to automate their activities.
Financial losses stemming from application fraud grew 42% during the fourth quarter of 2016, and a potentially significant share of that is synthetic identity fraud, Auriemma said.
“Synthetic identity fraud has been around for a while, but as the card industry has tightened up its protections against counterfeit card fraud with EMV, it’s one of the scams criminals are returning to that still works,” said Ira Goldman, a director at New York-based Auriemma.
A central tool in synthetic ID fraud is the Social Security number, which many credit bureaus and financial services companies rely on heavily to verify consumer identities. People who have a Social Security number with little or no credit history—including children, immigrants and the elderly—are prime targets, Goldman said.
“The fraudster looks for a person who hasn’t applied for credit before or whose credit file is thin and builds a fake identity that looks like a healthy credit risk to a credit card issuer, and with a little work, they’re in business with a fake account,” Goldman said.
Though Visa and Mastercard insist that counterfeit card fraud has declined at the point of sale since the EMV liability shift went into effect in October 2015, experts say card fraud is evolving right along with the boom in online and mobile commerce.
Synthetic identities in particular negatively affect consumer credit in the same way as more well-known identity theft crimes, and the direct losses to financial institutions are growing, said Matt Ehrlich, senior director of fraud and identity product strategy at Experian.
"Fraudsters are creating a financial life and social history that mirrors true (consumer) behaviors and the similarities in financial activities make it difficult to detect good from bad and real from synthetic," Ehrlich said.
Issuers also are under constant pressure to make the card application process as seamless as possible for consumer convenience, which can complicate the process of verifying identities, according to Goldman.
“Much of the application process is automated now, and while issuers' risk-management systems may flag obviously suspicious accounts for manual review, many new synthetic ID accounts slip through because they look legitimate,” Goldman said.
Fraudsters also may sometimes spoof an account by inventing a bogus SSN, according to Goldman, and these cases can be even more challenging to sort out than accounts attached to actual SSNs.
It's difficult to gauge the scope of synthetic ID fraud, because the scam is hard to separate from other types of so-called first-party fraud, and solutions aren't simple, he said.
"Many card issuers are implementing measures that include looking beyond SSNs to verify the existence of payroll and employment, utilities and other services to ensure the applicant really exists, but solutions aren’t simple," Goldman said.
Experian's Ehrlich said there is no single solution to eliminate the risks stemming from synthetic ID fraud, but noted that a multi-pronged approach to reducing successful synthetic ID applications, coupled with better risk segmentation of existing accounts and portfolios, can be "quite effective" in the battle.
Auriemma recently formed a working group to gather information from 30 banks plus card networks and merchant associations to gauge the scope of the problem and help develop strategies to combat it.
“One of the key challenges we face is that cross-checking applicants’ information against Social Security Administration records requires the written consent of the SSN holder, which isn’t practical for most card issuers,” Goldman said.