Cybersecurity Experts Discuss Fraudsters' Techniques and How to Stop Them
Bank Info Security
December 22, 2021
Synthetic ID fraud or SIF has grown in popularity among bad actors over the years, with U.S. companies reporting losses of $20 billion in 2021 compared to $6 billion in 2016. Cybersecurity and fraud experts discuss with Information Security Media Group why this type of fraud has gained traction, how fraudsters use it, mitigation steps, and what we can expect in 2022.
SIF-deploying threat actors use automation and artificial intelligence to evade traditional identity verification solutions, according to synthetic identity fraud solutions provider FiVerity which came out with a report titled '2021 Synthetic Identity Fraud Report'. The report delves into the formulation of synthetic identities, the construction of these profiles, and how they avoid detection.
"Criminals apply data from approved and rejected loan applications to their AI-driven systems, creating a feedback loop that generates increasingly effective applications. The model used by criminals determines the thresholds for the fraud detection rules used by legacy systems and develops new profiles that are even better at evading them,” says Greg Woolf, CEO and founder of FiVerity.
Woolf says fraudsters have a detailed understanding of the U.S. payments system and use sophisticated software to create profiles that are "extremely difficult to detect."
As fraudsters get savvier in their use of technology, credit repair organizations struggle to identify fraudulent accounts, says John Buzzard, lead analyst of fraud and security at advisory firm Javelin Strategy and Research.
“There are credit repair companies out there who may or may not be overly scrupulous in their practices. We see a lot of synthetics use ‘piggybacking’ to build credit for additional identities,” he says.
In piggybacking, a fraudster adds himself as an authorized user onto an account with good credit, thereby inheriting the good credit history and positive credit score of the parent account. The FiVerity study reports that 50% of SIF-deploying bad actors use piggybacking to build credit for additional identities.
Once a SIF profile establishes a moderate amount of credit, it quickly opens around five trade lines, typically at different banks, says Karen Boyer, vice president of fraud at the People’s United Bank.
“This gets a further boost as criminals can leverage automation to scrape identity elements from the dark web and assemble millions of synthetic profiles,” Boyer tells ISMG.
“In the past two years alone, a series of data breaches revealed 3.4 billion PII elements. The sheer amount of exposed data has turned PII into an affordable commodity. On the dark web, criminals can purchase a Social Security number for as little as $1, or a driver’s license for $20.4,” Woolf says.
It does not help that there’s no victim who will notice a fraudulent charge to alert the banks, he adds.
The U.S. government’s safety net and stimulus programs launched to help those affected by the COVID-19 pandemic became an opportunity for fraudsters to cash in, the report states.
"These programs were rolled out with a broad understanding that they’d be more susceptible to fraud than those with robust safeguards, and criminals took full advantage," according to Woolf.
Electronic Consent-Based Social Security Number Verification
Establishing a government attribute validation service that complements the electronic consent-based Social Security Number Verification - or eCBSV - service at the Social Security Administration would help mitigate the damage, says Jeremy Grant, managing director of technology business strategy at law firm Venable.
The eCBSV service was established over the past year to allow financial institutions to get a yes/no answer as to whether a submitted name, date of birth, and Social Security number match what is on file in the SSA’s databases, as well as whether if that person is alive or dead, Grant tells ISMG.
“If I, as a consumer, can ask SSA to let a bank validate some data I gave them as part of applying for a new credit application, why can’t I do that with the agency that issued my birth certificate, or the state department which issued my passport?" he says.
"All of these are nationally recognized, authoritative sources of identity information, but their systems are all stuck in the paper world. Closing the identity gap between physical credentials and digital commerce will allow us to make great progress."
U.S. Federal Reserve SIF Toolkit
In early 2022, the U.S. Federal Reserve plans to publish a synthetic identity fraud mitigation toolkit to address the problem, says Mike Timoney, vice president of secure payments at the Federal Reserve Bank of Boston.
"The initial toolkit will focus on synthetic identity fraud basics, including how synthetics are created, used and detected. It will include an assortment of materials that financial institutions and their customers can use," Timoney tells ISMG.
"Later next year, the toolkit will be expanded with additional information and resources on detection and mitigation strategies for the U.S. payments industry. We envision this toolkit as a 'one-stop-shop' to help fight synthetic identity fraud and will continue to update it as more resources become available."
Timoney says SIF is a "moving target" and continuous research is needed to find ways to address it.
"Our conversations with the industry and fraud experts have affirmed that it’s important to look at fraud trends holistically, rather than focus on synthetic identity fraud alone,” he says.
Technologies such as machine learning are also being used by security vendors to fight against SIF.
"SIF’s use of machine learning is largely what makes it effective at bypassing legacy fraud detection systems. Needless to say, banks can use the same technology to identify these attacks. However, despite having multiple vendors out there claiming to leverage machine learning techniques, financial institutions have so far failed to combat SIF," says People’s United Bank's Boyer.
Boyer says financial institutions are not using these technologies in the right manner.
"Financial institutions need to start using machine learning techniques correctly. Many businesses have a 'set it once and forget it' approach. There has to be some kind of human interaction to differentiate between fraud and legitimate transactions."
And vendors must change their approach too, she says.
"Vendors are checking personally identifiable information that has been used previously to verify its legitimacy. As a result, they are tuning their AI and ML models to check if a particular piece of information has been used before, without really checking if there is an actual person to whom that belongs," says Boyer.
From Knowledge- to Possession-Based Systems
There is a need across industry and government to move away from knowledge-based approaches to identity verification, says Grant.
"The idea that knowledge of a name, date of birth and Social Security Number is somehow proof that you are that person is absurd. But we still see a lot of legacy digital identity verification tools that are based on this premise," he says. "Let’s stop building systems that assume that knowledge of someone’s identity data has any security value, and move toward systems that rely on possession-based factors augmented with AI and ML to detect anomalies and possible fraud."
Earlier this year, the Federal Reserve Bank of Boston, along with a 12-member focus group, published a definition of SIF that it says could be used by U.S. domestic financial service providers as well as global financial markets and industries.
"Some organizations have adopted or plan to implement the FraudClassifier Model, which now incorporates the industry-recommended definition of synthetic identity fraud that we announced in early April 2021. And some organizations are focused primarily on monitoring the fraud landscape while researching ways to address synthetic identity fraud," says Timoney of the Federal Reserve Bank of Boston.