Fraudsters are quickly developing a way to sidestep EMV-chip security ahead of the U.S. card networks' October 2015 deadline for adopting the technology.
Rather than print cloned cards, which EMV technology is designed to thwart, fraudsters create artificial identities to open credit cards with banks, then use that account to its maximum limit.
The method, known as synthetic identity fraud, is a looming danger for banks and mobile network operators because it tends to increase dramatically once chip-based cards go mainstream, said Stephen Coggeshall, chief analytics and science officer for ID Analytics, a unit of Tempe, Ariz.-based LifeLock.
About 2% of all applications, either for credit cards, loans, cell phones or financial services, are synthetic fraud, according to recent research from ID Analytics.
"We were surprised to see this number, as it was a little more than we expected," Coggeshall said. With billions of applications being filled out annually around the globe, it means that "tens of millions of synthetic attempts occur each year," he added.
Unlike attempts in which fraudsters target someone to steal an identity and open new accounts, or manipulate their own accounts with different names or numbers to avoid bill payments, those deploying synthetic fraud invent completely new identities.
The risk to banks associated with these types of accounts is about four times higher than the average risk of other accounts, Coggeshall said.
"It's easier for the fraudsters to abuse the account and never have it traced back to them," Coggeshall said. Sometimes the criminals will open fake accounts and let them sit dormant or pay small bills regularly to lull banks into a false sense that the accountholder is a good customer, Coggeshall added.
At some point, the criminal performs a "bust out" with the account, quickly using it to its limit with no intention of paying it back, Coggeshall said. "We call that the long con because we have examples of thousands of accounts being nurtured in this way."
U.S. banks are likely to feel the sting if the synthetic fraud trend in other EMV countries is any indication, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"It's an issue in the U.S. now, but we will see it increase in size and severity as we migrate to EMV," Conroy said.
Recent Aite research found that application fraud in Australia spiked to $3.5 million in 2012, from $1.1 million in 2011. In Canada, application fraud rose to $11.8 million in 2013, up from $8.5 million in 2012; the country had only $6.1 in application fraud losses in 2011, about the time EMV was taking hold.
"It's the ultimate game of whack-a-mole," Conroy said. "It's a big problem and we see once again that organized crime rings are very active in it."
Financial institutions generally try to protect themselves from synthetic fraud by limiting exposure to an account by denying credit line increases or the ability for the cardholder to obtain other loans for 90 to 180 days, Conroy said.
"But these crime rings are lying in wait for three or more years with these accounts, building up connections and their credit, then they bust out the accounts at the same time, often in collusion with fake businesses," she added.
Still, the most common use case is that of a John Doe applying for a credit card using a synthetic identity, racking up a ton of charges, and then disappearing, Conroy said. "The bank absorbs this fraud and is left holding the bag."
ID Analytics uses its network of personal credentials accumulated over the past decade to help financial institutions and businesses screen for potential synthetic fraud, Coggeshall said.
A bank or wireless network operator generally sees only its own customer data, but ID Analytics sees data across many industries.
"When our tools cannot figure out who a person is, that's the first warning sign to the banks," Coggeshall said.
ID Analytics also recently boosted its protection for online merchants to guard against an anticipated rise in e-commerce after EMV technology drives fraud away from the point of sale.
When a synthetic fraud account operates for a number of years, appearing to be a good bank customer making payments on time, it generally means some other crimes are in the works, Coggeshall said.
"These accounts and these expensive cell phones obtained through fake identities are the tools for money laundering or selling drugs," he added.
Financial institutions should be especially concerned about synthetic fraud as it relates to the Know Your Customer compliance policies. The USA Patriot Act of 2001 requires all financial service providers to establish anti-money laundering programs.