Using Biometric Authentication to Combat Synthetic Identity Fraud

What is synthetic identity fraud? Ask experts for a definition and you’ll likely get multiple answers. A common definition of synthetic identity fraud is layering real and fabricated identity information together. By using either a manual or automated fashion, a usable online identity is created to tap credit from card issuers and auto loan underwriters. An example of this might be a real social security number purchased through the dark web combined with a falsified name and bogus personal details such as address and employment information.

In the U.S., a reverse identity building scenario is also rampant. A national policy change was put in place in 2011 to randomize social security number issuance. The outright fabrication of a social security number associated with either a genuine or falsified identity is now ironically a relatively easy endeavor.

Synthetic identity fraud is a rampant problem

In a recent report, ISMG reported on the massive spike in synthetic identity fraud. “We’ve made it somewhat easy for new customers to get credit approval. If credit bureaus can’t find a match, they’re obligated to approve a credit decision.” Amazingly, credit bureaus are not allowed to use social security numbers as a primary key to match to a name. An emerging trend is that younger U.S. citizens (even pre-millennials) are increasingly being exploited and hired by crime rings to make credit applications using manufactured identities.

Furthermore, the ability in the U.S. to add additional authorized users to a single credit account multiplies the potential for credit usage by bad actors, who have no intention of repaying the borrowed funds or of ever being identified. The more synthetic layers added to the identity, the more difficult it is for authorities to identify individuals and make arrests.

Fraud engines in use at financial institutions, while improving, are not keeping pace with the ability to flag synthetic identities at the time of account inception. According to Accenture, “existing fraud detection models are designed to prevent transaction fraud, not identity fraud from account outset.” Moreover, a typical synthetic identity criminal will often build credit by paying bills on time for months or even years to increase credit limits, before maxing out drawdowns and then disappearing into the ether.

Estimates of annual losses vary widely due to the difficulty in properly pinpointing synthetic identity fraud. Gartner calculates that up to 80% of credit card fraud is now attributable to it.  While this may be an aggressive figure, ranges seen on a dollar basis vary from $800M up into the billions worldwide. In 2017, 179 million records containing personal information were disclosed via 1,579 data breaches. One thing consistent is that synthetic identity fraud is an epidemic with double-digit growth.

Fighting fraud and obstacles with privacy

There are privacy issues at play. The use of geolocation data is one example. In evaluating the likelihood of fraud, creditors can compare the location of the device used to complete an application or transaction with the applicant’s or cardholder’s stated location. Acoustic and voice analysis can further authenticate a caller’s true location. These methods bring up controversial privacy rights and need to be compared against the cost to citizens and financial institutions.

In the cost-benefit analysis, it’s hard to argue against a case for mandating an individual to be physically present at a credit issuer’s office with legitimate documentation and identity verification via fingerprint and face recognition. Behavioral biometrics, such as keystroke, can be further used to authenticate a customer continually. While a biometric credential does represent a real human being, it’s still possible that the person has fabricated identity details. However, one or more biometric factors combined with valid documentation could help decrease synthetic ID fraud.

Credit issuers should strongly consider requiring in-person enrollment using available biometric technologywhich has become less expensive than ever to implement. Additionally, since confirmed cases of synthetic identity fraud have a strong correlation to prior criminal history, there’s a case to be made for more rigorous criminal background checks. Not to mention there’s a need for creditors to be able to verify a social security number against a living individual by the exact name.

Biometricsboth physical and behavioralshould be table stakes in mitigating the growing synthetic identity fraud epidemicnot only in the U.S. but across the globe. Data analytics and machine learning must be improved to combat this trend in combination with policy changes, individual-level data access, and more advanced authentication and identity technology.

Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top tier cybersecurity and technology companies, most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.

Podcast: Deploying Multifactor Authentication at Credit Unions
Why Biometric Tokenization Means History Will NOT Repeat Itself
5 Signs of a Winning DFARS Strategy