Synthetic ID Fraud on the Rise

Synthetic ID fraud or SIF has grown in popularity among bad actors over the years, with US companies reporting losses of $20 billion in 2021 compared to $6 billion in 2016. Cybersecurity and fraud experts discuss why this type of fraud has gained traction, how fraudsters use it, mitigation steps, and what we can expect in 2022. SIF-deploying threat actors use automation and artificial intelligence to evade traditional identity verification solutions, according to synthetic identity fraud solutions provider FiVerity, who provides a report titled '2021 Synthetic Identity Fraud Report'. FiVerity report delves into the formulation of synthetic identities, the construction of these profiles, and how they avoid detection.[1]

"Criminals apply data from approved and rejected loan applications to their AI-driven systems, creating a feedback loop that generates increasingly effective applications. The model used by criminals determines the thresholds for the fraud detection rules used by legacy systems and develops new profiles that are even better at evading them,” says CEO and founder of FiVerity. He says fraudsters have a detailed understanding of the US payments system and use sophisticated software to create profiles that are "extremely difficult to detect."

As criminal fraud actos get savvier in their use of technology, credit repair organizations struggle to identify fraudulent accounts, says the lead analyst of fraud and security at advisory firm Javelin Strategy and Research. “There are credit repair companies out there who may or may not be overly scrupulous in their practices. We see a lot of synthetics use ‘piggybacking’ to build credit for additional identities,” he says. In piggybacking techniques, a fraudster adds himself as an authorized user onto an account with good credit, thereby inheriting the good credit history and positive credit score of the parent account. The FiVerity study reports that 50% of SIF-deploying bad actors use piggybacking to build credit for additional identities. Building credit solidifies their schemes.

Once a SIF profile establishes a moderate amount of credit, it quickly opens around five trade lines, typically at different banks, says the vice president of fraud at the People’s United Bank. “This gets a further boost as criminals can leverage automation to scrape identity elements from the dark web and assemble millions of synthetic profiles,” she reported. “In the past two years alone, a series of data breaches revealed 3.4 billion PII elements. The sheer amount of exposed data has turned PII into an affordable commodity. On the dark web, criminals can purchase a Social Security number for as little as $1, or a driver’s license for $20.4,” included in the report.

It does not help that there is no victim who will notice a fraudulent charge to alert the banks. Therefore, the loss of customer data such as PII, credit card numbers and medical records can allow cyber actors to build such convincing “credit history” to commit financial fraud.

The US government’s safety net and stimulus programs launched to help those affected by the COVID-19 pandemic became a huge opportunity for fraudsters to rake in relief funding. "These programs were rolled out with a broad understanding that they would be more susceptible to fraud than those with robust safeguards, and criminals took full advantage."

Establishing a government attribute validation service that complements the electronic consent-based Social Security Number Verification or eCBSV service at the Social Security Administration would help mitigate the damage, says the managing director of technology business strategy at law firm Venable. The eCBSV service was established over the past year to allow financial institutions to get a yes/no answer as to whether a submitted name, date of birth, and Social Security number match what is on file in the SSA’s databases, as well as whether if that person is alive or dead. “If I, as a consumer, can ask SSA to let a bank validate some data I gave them as part of applying for a new credit application, why can’t I do that with the agency that issued my birth certificate, or the state department which issued my passport?" he says.

The report states that, "all of these are nationally recognized, authoritative sources of identity information, but their systems are all stuck in the paper world. Closing the identity gap between physical credentials and digital commerce will allow us to make great progress." This can lead to even more fraud, if this service is not properly protected and safe guarded. Remember the successful hack of the Office of Personnel Management a couple of years ago? Matching this data, with the loss of Target’s, The Home Depot and all of the credit information stored and lost by Experian? Herein lies the needed data for the SIF actors be be so successful and hard to defend against.

In early 2022, the US Federal Reserve plans to publish a synthetic identity fraud mitigation toolkit to address the problem, said the current vice president of secure payments at the Federal Reserve Bank of Boston. "The initial toolkit will focus on synthetic identity fraud basics, including how synthetics are created, used and detected. It will include an assortment of materials that financial institutions and their customers can use," he reported. "Later next year, the toolkit will be expanded with additional information and resources on detection and mitigation strategies for the U.S. payments industry. We envision this toolkit as a 'one-stop-shop' to help fight synthetic identity fraud and will continue to update it as more resources become available." The Fed says SIF is a "moving target" and continuous research is needed to find ways to address it. "Our conversations with the industry and fraud experts have affirmed that it’s important to look at fraud trends holistically, rather than focus on synthetic identity fraud alone,” he added.

Technologies such as machine learning are also being used by security vendors to fight against SIF. "SIF’s use of machine learning is largely what makes it effective at bypassing legacy fraud detection systems. Banks can use the same technology to identify these attacks. However, despite having multiple vendors out there claiming to leverage machine learning techniques, financial institutions have so far failed to combat SIF," says People’s United Bank's Boyer.

The bank representative explains financial institutions are not using these technologies in the right manner. "Financial institutions need to start using machine learning techniques correctly. Many businesses have a 'set it once and forget it' approach. There has to be human interaction to differentiate between fraud and legitimate transactions. Vendors are checking personally identifiable information that has been used previously to verify its legitimacy. As a result, they are tuning their AI and ML models to check if a particular piece of information has been used before, without really checking if there is an actual person to whom that belongs," says the bank.

There is a need across industry and government to move away from knowledge-based approaches to identity verification. "The idea that knowledge of a name, date of birth and Social Security Number is somehow proof that you are that person is absurd. But we still see a lot of legacy digital identity verification tools that are based on this premise," experts say. "Let’s stop building systems that assume that knowledge of someone’s identity data has any security value, and move toward systems that rely on possession-based factors augmented with AI and ML to detect anomalies and possible fraud."

Earlier in 2021, the Federal Reserve Bank of Boston, along with a 12-member focus group, published a definition of SIF that it says could be used by US domestic financial service providers as well as global financial markets and industries.[2] "Some organizations have adopted or plan to implement the FraudClassifier Model, which now incorporates the industry-recommended definition of synthetic identity fraud that we announced in early April 2021. And some organizations are focused primarily on monitoring the fraud landscape while researching ways to address synthetic identity fraud," says the Federal Reserve Bank of Boston.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers pro-active solutions to protect your networks. Cyber intelligence is a needed key for your over-all cyber security and we are assisting the cyber security provider to Primex, in New Hampshire. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: