A thief who doesn’t exist.
Using a synthetic identity makes anyone practically invisible, unable to identify who is really behind the synthetic ID.
That’s not a trick question; it’s the problem investigators of synthetic identity fraud (SIF) have to deal with. SIF is a relatively new type of identity theft in which criminals combine pieces of accurate personal data with fake information to create a whole new identity that’s almost impossible to track down.
SIF is different from traditional identity fraud, which is when someone steals and uses someone else’s real identity. Instead, SIF criminals start with one piece of accurate personal information, usually a Social Security number.
“Everything’s fake”
Then they build a fake identity around it by making up a fake address, phone number, and other essential information. Fraudsters then use fake identities to open credit lines, get auto loans, or trick government agencies into getting their hands on tax returns and benefits.
There is so much money being lost to SIF that no one knows, but a 2018 study by the advisory firm Sanford research found that U.S. credit card accounts lost $820 million to SIF in 2018, and losses are expected to rise to $1.25 billion by 2020.
Other estimates say that credit losses could be as high as $6 billion to $8 billion, and that’s not even counting the untold millions of dollars that victims of this new breed of cybercriminals lose in time and stress. At the federal level, the Department of Justice got $3.7 billion in settlements and judgments under the False Claims Act in 2017. However, the AARP says that Medicare alone lost $60 billion to different types of fraud in 2017.
What’s going on?
Modern government and financial systems are more likely to be affected by SIF because of a number of factors that have come together.
First of all, SIF is being driven partly by improvements in the security of physical credit cards. This is an irony that people who work to stop fraud are used to. Since debit and credit cards now have EMV chips, it is harder for thieves to commit fraud in person. Instead, they are coming up with more and more clever ways to steal money online.
Next, the move to digitize almost all financial transactions, including government benefits, has given cyber thieves both a chance and a temptation.
It is much easier to pretend to be someone else online than in person, especially if the “person” is just a set of data points. Banking, credit, and government agencies only look at a few critical pieces of information to figure out who someone is, and thieves are good at making them look natural.
Lastly, a record number of data leaks in all parts of the economy have given criminals access to more personal information than ever before. According to the Identity Theft Resource Center, there were 1,579 data breaches in 2017.
These breaches exposed almost 179 million personal records, including 14.2 million credit card numbers and 158 million Social Security numbers. Many of these records are now on the Dark Web, where they are sold to anyone who is willing to pay, just like any other good.
How does SIF work?
Fraudsters start SIF by stealing real Social Security numbers from people who aren’t using their credit, like children, homeless people, or people who have recently died. Fraudsters use fake addresses, phone numbers, and even social media accounts to create a synthetic” identity or thousands of them. Then comes the real trick.
Thieves start applying for credit online with these fake names, even though they know they will be turned down because there is no credit history attached to the terms.
The trick is that you can start a credit history just by applying for credit. At some point, a lender will give in and give the con artist a small line of credit, like $500 to $1,000.
“This is how we do it”
Fraudsters then make small purchases over a few months and pay off the balance to improve their credit score and get lines of credit that are ever more generous. When their credit limit gets big enough, between $10,000 and $15,000, the scammers “bust out” by suddenly using up all their credit and leaving.
“These criminals are smart and willing to play the long game and set up a Synthetic identity,” says Robert Davis, a digital identity expert who works in Strategic Intelligence for Salusgard, an industry leader in mobile security solutions for financial institutions. “They are patient and know how to use holes in the system to their advantage.”
In a SIF scam, criminal gangs might take up to a year or two to put together a list of fake identities before they pull the trigger. And while they’re pretending to be real credit customers, fraudsters have plenty of chances to take advantage of how real they seem in other areas, like auto loans, health care, and government benefit programs.
Synthetic fraudsters use the Social Security numbers of children because it could be 10 or 15 years before the child finds out that their credit was hacked.
“Try to get us if you can.”
Why is it so hard to catch people who use SIF?
There are many reasons for this, but one of the biggest is that fraud detection is hard to do. Dennis Lormel, who used to be the head of the FBI’s Financial Crimes Program and is now a financial crimes consultant, says that compliance and fraud investigators tend to be reactive. “We don’t look into fraud until it happens, we’re really behind the curve when it comes to SIF because we need to be proactive to stop it.”
Lormel thinks that this will change as the banking and credit industries change their practices to make SIF harder.
Right now, government programs are only responsible for a small amount of fraud related to fake identities. Lormel says, “Criminals are always changing, and the government is a fraudster’s dream.” ”
All entitlement programs are in danger, but healthcare is especially so. So are tax returns and programs to help people. If you can make a fake ID and set it up to get refunds or benefits early – which is precisely what the system is designed to do – you have the makings of a fraud that can last. Lormel says that the only reason SIF hasn’t been used more often to cheat the government is that credit fraud is much more profitable, at least for now.
How to deal with Synthetic identity
Changes must be made to how financial and government institutions verify people’s identities and how technology is used to store and share personal information to keep SIF from becoming an even bigger problem.
In January 2018, Lormel spoke in front of the U.S. Senate Banking Subcommittee on National Security, International Trade, and Finance. He urged government officials to make it easier for government agencies and departments, financial institutions, and the private sector to share information with each other.
Lormel says, “We need to get better at using artificial intelligence and data mining everywhere to find patterns of behavior that don’t make sense or are suspicious.” “Government agencies need shared databases so that they can check information like Social Security numbers against other data sets. Everything is closed off right now, and criminals take advantage of that.
In 2011, for example, the Social Security Administration started randomizing Social Security numbers.
This meant that the first three digits of a Social Security number no longer had any meaning in terms of location. This was done so that the nine-digit SS system could be used for longer.
But without the geographic identifier, it is much easier for a criminal to make a fake ID with contact information that looks like it came from a real ID. To find possible SIF, you need to be able to look past these essential pieces of information and find patterns of behavior that “real” people have but that are usually missing from a synthetic ID profile.
Put to use
For example, “real” people have rental histories, legal issues, family ties, passports, DMV records, extended social media profiles, etc., but a synthetic ID profile doesn’t have these things.
Salusgards Davis says that “behavioral biometrics” would help agencies get a more complete and accurate picture of a person’s identity. “The big problem is that all the pieces that make up “you” as an individual are held in different places,” he says, adding that a better system would be able to “analyze and compare contexts and behaviors” to figure out if a person is who they say they are.
Davis says, “You need as much information as possible at your fingertips to look for gaps in the data and get a complete picture of a person’s identity.” He says that combining this ability with other unique identifiers, like biometrics (eye scans, fingerprints), dedicated personal devices (like a cell phone), or unique biographical details, would add an extra layer of identity assurance because these identifiers are hard to copy.
Technology and being on guard
New technologies like blockchain show the promise of being able to build a foolproof, unhackable system of personal identification in the future.
However, it will be a long time before all levels of government use these technologies.
Lormel says, “We are way behind on Synthetic identity.” “All government agencies need to update and improve their technology,” he says, adding that people need to be taught to be more careful at the state and local levels.
There are other holes in the system that need to be fixed and agencies need to work together to make a much more robust environment for running the government’s business.
In Davis’s opinion governments and institutions need to think about the problem throughout the whole user journey. “Even if you solve the SIF problem, you might be pushing other types of fraud into other channels,” in the same way that chip-enabled credit cards led to SIF.
Between now and then, neither Lormel nor Davis thinks that a “top-down” approach is enough to fight Synthetic identity. People need to be more aware of how dangerous SIF is and learn how to protect themselves, such as by freezing their child’s credit and checking their own credit reports regularly for any strange activity.
SIF may be the type of fraud that is growing the fastest in the country, but it is far from the only one.
“People need to assume that all of their information has already been stolen,” says Davis, because data breaches happen every day, and it’s likely that it has.
Contact Amicus International for information on how to obtain a legal new identity.
