WHITE PAPER

Detect and Prevent Identity Theft

Title
How advanced analytics can uncover the fast-growing incidence of synthetic identities
 ii

Contents
A million children working, earning and borrowing
before being born?.............................................................................................. 1

Why the spike in identity theft, and why now?............................................... 2

Synthetic identities: The prime choice for identity fraud.............................. 3

How fraudsters put substance to a synthetic identity............................................4

A true-life example of synthetic identity fraud................................................ 6

How to fight back.................................................................................................. 7

The role of advanced analytics and machine learning................................. 8

Balancing security and convenience................................................................ 9

Closing thoughts.................................................................................................11

About the contributors......................................................................................11

Learn more...........................................................................................................11
 1

A million children working, earning and

borrowing before being born?
The young couple joyfully welcomed their first child in May.
A new life, a fresh start. Or so they thought.

After they filed that year’s taxes listing their new little dependent, the IRS notified
them that their infant had an earnings and credit history going back five years.

Mom and Dad were taken aback, because their little one could barely pull
himself up by the rails of his crib.

As outrageous as this seems, it is common. More than 1 million children were victims of
identity theft or fraud in 2017, according to Javelin Strategy & Research.1 Two-thirds of
them were 7 or younger.
“The change to random-
ized Social Security
“We’re talking to folks who have had Social Security numbers issued to their kids, and numbers in mid-2011
those numbers are already tainted,” says Eva Velasquez, CEO and President of the
Identity Theft Resource Center, which helps consumers deal with such fraud. Children means a crafty thief
are handy targets, because parents are unlikely to monitor credit reports, loan activity could potentially build
and tax returns for a grade-school child or a baby who doesn’t even walk yet.
a profile around a
Children and deceased people make great targets, but identity theft – the necessary number before there’s
precursor to identity fraud – is escalating across age groups and demographics. The a victim.”
number of identity fraud victims rose 8 percent from 2016 to 2017, with fraudsters
netting 1.3 million more victims and $16.8 billion in that time – all without having to Eva Velasquez, CEO
commute, clock in or pay taxes. and President, Identity
Theft Resource Center
Account takeover tripled between 2016 and 2017, with losses reaching $5.1 billion.
And 49 percent of companies report being victims of fraud and economic crime in the
previous two years. 2

1 Source, Javelin Strategy and Research, “2018 Identity Fraud: Fraud Enters a New Era of Complexity,”
February 6, 2018. Al Pascual, Kyle Marchini, Sarah Miller. https://www.javelinstrategy.com/coverage-area/
2018-identity-fraud-fraud-enters-new-era-complexity, accessed Sept. 28, 2018.

2 Javelin Strategy & Research, “2018 Identity Fraud: Fraud Enters a New Era of Complexity,” February 6, 2018.
 2

Why the spike in identity theft, and why now?

Are fraudsters getting more clever, or are consumers and companies becoming more
vulnerable? Yes.

More account openings are taking place through digital devices and the internet,
which provide the access and anonymity fraudsters require. The lender or creditor can’t
verify applicants in person through photo IDs such as drivers’ licenses, passports and
other paperwork. And one fraudster can generate a multitude of spurious credit appli-
cations, which would be impossible with traditional in-person applications.

Furthermore, the pressure to render real-time decisions on loan or service applications

(or lose the business to a lender who will) cuts short the time available to do thorough
due diligence on a customer.

High-profile data breaches spill a flood of information that can be exploited for fraud.
For example, in 2015, the US Internal Revenue Service revealed that a criminal syndi-
cate used a tool on the IRS website to steal the tax forms of up to 330,000 people.

What made this breach so chilling is that the identity thieves didn’t even have to hack
into IRS computers; they just correctly answered verification questions to log into the
“Get Transcript” tool (since decommissioned), which was meant to help taxpayers
retrieve old tax documents. With the sensitive information in those files – such as salary,
family information, and property and investment values – criminals claimed bogus tax
refunds and opened credit lines in the names of others.

For a wellspring of factoids commonly used in verification questions – your first car,
where you met your spouse, the name of your pet, your elementary school – identity
thieves need look no further than Facebook. Oops. In September 2018, Facebook
reported a security breach that affected nearly 50 million accounts, potentially giving
attackers access to view account information and use accounts as their own.

Forget the myth that identity thieves are aiming for people with good credit and lots of
money. The number one criterion that determines a target is whether an identity has
been compromised in a data breach. That means no one is immune.

“If anybody thinks there’s privacy for their personally identifiable information, they’re
delusional,” says Shirley Inscoe, a senior analyst covering fraud, data security and
consumer compliance issues for Aite Group. “I can find just about anything about
anybody.

“One banking executive I spoke to said that identity theft is at the highest rate he’s ever
seen in his career, and he’s been banking for a couple of decades now. In research last
fall, I asked executives at 19 of the largest North American financial institutions about
the largest categories of fraud losses they were seeing related to online and mobile.
The No. 1 problem was account takeover, and second was application fraud. Those are
both identity crimes, and it goes to show how challenging this issue is in financial services.”

These realities bring new urgency to identity theft detection and prevention. This is true
not only for banks and credit card companies, but for other credit-granting organiza-
tions such as mobile phone companies, online retailers and auto finance organizations.
 3

Synthetic identities:
The prime choice for identity fraud
Three types of misappropriated or misrepresented identities are used for identity fraud:

• Theft of a real identity. Unlike identity theft or

• Manipulation of a real identity. manipulation, where
• Creation of a synthetic identity. some nugget of a
Of these types, synthetic identities tend to be the most challenging to identify, detect
person’s core is retained,
and prevent. Synthetic identities are a combination of fabricated credentials – either a synthetic identity is an
totally created, assembled from various sources, or made by editing or changing artificial identity with no
breached data – where the implied identity is not associated with a real person.
real person behind it.
Hence, there’s no one to complain about a new unauthorized account, credit card or That makes synthetic
line of credit. No one to call to validate an action or transaction. No one to chase down
identities a prime choice
to collect. This makes synthetic identities particularly attractive to fraudsters – and partic-
ularly frustrating for creditors. for identity fraud.

Application Fraud
Application Fraud
Size and Nature of the Problem

Figure 1. Traditional identity fraud is still the leading approach, but synthetic identity
fraud is the fastest-growing. 13
Copy rig ht © SA S Institute Inc. A ll rig hts reserved.
 4

Synthetic identity fraud alone reached $820 million in 2017 and is projected to surpass
$1.2 billion by 2020, according to Aite Group research. As troubling as these figures
are, they are grossly understated, says Inscoe. “These cases are often not recognized
until they go to collections, and the bank realizes there is no person from whom to collect.

“An executive from one of the top five issuers in the country told me his institution had
hired a consultant at great expense to examine why credit card losses were skyrock-
eting. The consultants went through credit card records and found a number of them
that had been charged off within six months of account opening. More than 80 percent
of them were charged off as credit losses when they were actually synthetic identity fraud.”

Synthetic identity
Synthetic fraud
identity fraud is growing
is growing rapidly rapidly

US Synthetic Credit Card Fraud, 2015 to e2020

(In US$ millions)

$1,257
$1,133

$968
$820
$701
$580

2015 2016 2017 e2018 e2019 e2020

Source: Aite Group

6 Copy rig ht © SA S Institute Inc. A ll rig hts reserved. ©2018 Aite Group LLC.
Figure 2. Synthetic identity fraud is growing rapidly.

It’s imperative to spot synthetic identity fraud for what it is and stop it as early as
possible. But detection is difficult as fraudsters get more sophisticated at nurturing and
developing those identities. In many ways, they appear to exist in the real world.

How fraudsters put substance to a synthetic identity

In the US, identity development begins with a Social Security number (SSN). Fraudsters
obtain either actual numbers off the “dark web” or may create totally fake ones. When
actual numbers are used, the criminals tend to prefer SSNs of children and deceased
individuals – ideally, of deceased children. The criminal pairs the SSN with other
personal and demographic information to create an identity.
 5

Once an identity is created, there are several ways to develop the appearance of a
person through credit profiles or other records. Three common methods are:

• Applying for credit. The fraudster uses the identity to apply for credit cards, phone
service, etc. The merchant, financial institution or other entity submits the identity
information to the credit bureaus. If the credit bureau has a file for that identity, it
sends the creditor a score.
If there is no comparable record, the credit bureau creates a file and records the
inquiry. Whether the initial request is approved or declined, at least now a record
exists for subsequent applications using that identity. It starts to look more real.

• Adding an authorized user. The fraudster adds a new identity as an authorized user
on an existing and mature credit file – either another synthetic identity or a real To build credibility for
person who may get kickbacks for colluding in allowing the fraudster to use their
credit identity.
a synthetic identity:
By association, the newly authorized user adopts the credit score of the original
account, then splits off to a separate credit file. The number and relationships of Add authorized users
authorized users can be an indicator of this type of fraud. to an existing credit line.
Apply for a secured
• Bringing a business entity in collusion. This scheme, also known as a data furnisher
approach, is likely to involve an organized fraud ring. Business entities (fake or real) credit card.
create sham credit accounts for synthetic identities, then submit monthly records to • Get a mobile phone for
the credit bureaus, making it appear that these accounts are being paid and repre-
sent real, credit-worthy people.
the identity.
• Establish a social media
The underlying theme is the same: The fraudster exploits the services of the credit
profile for the identity.
industry – banks, other creditors and credit bureaus – to build a credible identity to use
to gain access to yet more credit. The usual pattern is to build up more and more avail- • Collude with a business
able credit, leading to a cash-out at a most profitable moment. that reports sham
records to credit
More sophisticated fraudsters go a step beyond to create the semblance of a real life
surrounding an identity – a full credit persona. They create email addresses and social bureaus.
media profiles for their synthetic identities, and in general build out the details of a • Slowly and steadily
normal life.
accumulate credit.
Fraudsters get unwitting help from organizations that have a higher risk tolerance than
traditional banks. Telecom service providers are favorite starting places to build out a
synthetic identity, since they are generally more focused on upselling bigger plans than
on whether you’ll pay your bills. Social media sites are also willing to accept more
uncertainty about a person’s identity when opening an account. An e-commerce
business selling low-cost goods will allow for some fraud in order to facilitate more
transactions. So it’s relatively easy to get in the door in ways that help build out a
synthetic identity.
 6

A true-life example of synthetic identity fraud

Data from the credit bureau TransUnion shows a typical case of a nefarious individual
profiting from multiple synthetic identities.

The perpetrator had felony records for passing bogus checks and breaking and
entering, as well as lesser infractions, such as delinquent child support and failure to
pay taxes one year. Although his real-life criminal record and credit profile were hardly
stellar, that didn’t prevent him from creating multiple synthetic identities that were
granted credit cards, auto loans and personal loans, leading to delinquencies
amounting to $253,000 in ill-gotten gains.

If you multiply this one example to an organized crime ring with many participants
doing the same, the fraud losses add up quickly. What if you could identify this process
much earlier in the game? What if you could shut the front door on this type of fraud
before it ever got started? With analytics and machine learning, you can.

True-life example of synthetic identity fraud

One fraudster, multiple synthetic identities

Original Credit Profile / December 1998

90 associated Synthetic Profile #1 / September 2014

accounts, including
cards, auto, loans, 1 collections Profile #2 / December 2014
collections, and account
Bruce Banner 9 associated Profile #3 / April 2015
various liens
! $170k lent,
$100 past due accounts, including
2 authorized users,
3 associated Profile #4 /March 2015
accounts, including
Felony records for $149k delinquent personal loan, auto 7 associated ac-
1 authorized user,
passing bogus checks loan, cards, and counts, including
personal loan, and
2002-2013 1 collections 3 authorized user,
collections
$53k lent, credit card, and
Felony breaking and Total Loss $149k $1,600 lent, personal loans
entering 2003-2004 $48k delinquent
Total Loss $149k $1,600 delinquent
Multiple delinquent $55k lent,
child support reports Total Loss $197k $55k delinquent
(or going
Failure to pay taxes Total Loss $198k delinquent)
2014
Total Loss $253k

Figure 3. One fraudster, multiple synthetic identities

 7

How to fight back

The best approach to detect synthetic identities will vary depending on available data
and the stage of the fraud cycle – at the application, when building up credit, or when
poised to cash out. The detection strategy could include rules, anomaly detection,
models, network analysis, machine learning and other statistical approaches. Multiple
methods used together can effectively find identity fraud while managing false positives.

Here are some approaches already proven in the financial services industry:

• Connect the demographic dots. Do an applicant’s details match historical records

from credit bureaus and other sources? Is a Social Security number or account
number associated with multiple birth dates? Does a 30-year-old have a transaction “Javelin Strategy &
history that spans 40 years? Given the demographic data on the credit application,
would the credit holder be likely to purchase from the type of merchants where the
Research estimates that
account is being used? individuals and crime
• Connect the communications dots. The use of digital channels creates new informa- rings get away with an
tion about device fingerprint, IP address, geolocation and more – data that can be
folded into the analysis along with personal and credit bureau information to create
average $15,000 per
a richer view of the customer (or the illusion). Was this device used in the past, and if attack. Even the most
so, was it associated with the same customer, account and provided information? reclusive of lone wolves
• Assess past experience. What is the creditor’s past experience with applications that
can make a serious
included the same data element, such as the same device ID, address or SSN? Were
any declined? Have any of the details of the identity been linked to fraud elsewhere? killing. One Atlanta-based
Negative information may prompt further due diligence to understand the relation- con artist allegedly
ships between accounts and applicants.
synthesized 300
• Find “proof of life.” Many synthetic identities do not have records we would asso-
ciate with a real person, such as driver’s license, voter registration or property owner- different identities
ship. Lack of well-rounded identity details can be a strong red flag to a synthetic ID. to rip off $350,000 from
• Analyze the network. Network analysis plays a big role in understanding the internet retailers and
connections (or lack of connections) among applicants, devices, open accounts and
application data. For instance, does an account have authorized users who are not credit card companies
family members? Are payments from the same source (bank, account or device) before being nabbed
being used to pay otherwise unrelated accounts? Visualizations of these links can be
by federal agents.”
very useful both in assessing applications and conducting investigations.
• Look for anomalies. Are credit lines fully used soon after account opening, or repeat- Rebekah Moody,
edly maxed out and paid in full without carrying a balance? Has there been a spike Director of Fraud and
in transaction frequency or amount? Is a payment coming by check when prior Identity, ThreatMetrix3
payments were made online?

3 Source: Rebekah Moody blog, “Are You for Real? Synthetic Identity Fraud – and How to Identify It”
July 26, 2018, accessed Sept. 28, 2018 https://www.threatmetrix.com/digital-identity-blog/fraud-prevention/
synthetic-identity-fraud-how-to-identify-it/
 8

The role of advanced analytics and

machine learning
By layering multiple analytics methods, you can find more identity fraud, faster,
and spot emerging fraud tactics that don’t resemble historical patterns. For
example, anomaly detection and predictive analytics can uncover new types of
fraud by examining what’s happening right now, not just comparing it to the past.
Social network analytics can establish links among elements of a synthetic identity
in cross-industry context.

Self-learning techniques, such as machine learning, take identity fraud detection to

the next level. Unlike rules-based systems, which are fairly easy to test and circum-
vent, machine learning adapts to changing behaviors in a population through
automated model building. With every iteration, the algorithms get smarter and
deliver more accurate results. It’s easy to see the value of machine learning to keep
pace with evolving identity fraud tactics.

• Recognize faces. Several companies offer products that validate a user by facial
recognition, said Inscoe. The user takes a smartphone selfie and a photo of an Creditors are always
identity document, such as passport or driver’s license. The system compares the
two. “It’s very effective,” says Inscoe. “I recently talked to two bankers whose banks seeking that optimal
are doing this not just for applications, but in their branch networks to eliminate balance between
account take-over.”
reducing the false posi-
• Use behavioral biometrics to identify bots. Some pioneering banks are using
analytics to determine if an online applicant or account holder is a human or a bot.
tives that can damage
The threat is real. According to ThreatMetrix, which provides digital identity tech- customer relationships
nology to the financial services industry, a record 2.6 billion bot attacks were
and the false negatives
detected in just the first half of 2018.4
that can lead to financial
A first line of defense uses keystroke analytics. Does this online activity seem human- loss for the institution.
like? There’s a certain cadence a person would make in completing an online applica-
tion. Some sections of the form, such as basic demographic information, would be filled
That requires analytics,
out fairly quickly. You know your address, date of birth and SSN right off the top of your the ability to detect
head. But when you get to unfamiliar sections of the form, you may have to stop, read anomalies that represent
and understand the request – maybe look up the needed information. The cadence
changes. Analytics can detect if the pattern of keystrokes has the natural flow of a potential red flags – at
human or the staccato rhythm of a bot. the speed of now, in an
ever-changing fraud
environment.

4 T
 hreatMetrix, Merging Online & Offline Identity Intelligence to Reduce Customer Friction, Sept. 27, 2018,
https://www.threatmetrix.com/digital-identity-blog/digital-identity/
merging-online-offline-identity-intelligence-to-reduce-customer-friction/
 9

Consider a consortium

When differentiating an authentic identity from a synthetic one by triangulating the

data, obviously the more data you have, the more accurate the detection. Cast a
wide net both within and outside the industry.

“Organizations need to be in a consortium environment where they can share

information,” says Chris LeBaron, a Senior Director at ThreatMetrix. “When you
share information, you can understand the normal combination of device, loca-
tions and other account markers that are associated with a real person. You can
see the profile of that identity that has been seen by all these other organizations.

“The big ‘aha’ moment for a lot of these organizations, especially on the financial
institution side, is that they can benefit from the experience across the globe of all
of these other, unrelated industries in informing their decisions on new account
opening. You can stop [a synthetic identity], so it never gets into the credit granting
side, because you’ve shut the fraudster down at the front door.”

A combination of analytical methods can significantly improve detection rates while

reducing false positives. If a synthetic identity does escape detection, and a charge-off
happens down the road, forensic analysis of the account helps tune the rules and
models for ever greater precision and supports smart collection efforts. After all, there’s
not much point trying to collect from a synthetic identity.

Balancing security and convenience

The data, analytics and computing horsepower are available today to detect synthetic
identities, but speed is critical. Consumers have short patience for authentication and
verification processes. They don’t want laborious, multilevel logins. They don’t want to
answer multiple authentication questions. In fact, they’ll defect after a surprisingly short
period of inconvenience.

You want to detect synthetic identities without alienating legitimate customers. There’s
always the need to balance high security (which can mean higher friction) with the need
to provide a positive customer experience.

“Bank executives are really struggling with this,” says Inscoe. “The authentication
measures they’re using have some gaps, or are just not as effective as they need to be.
At the same time, you’ve got to balance that customer experience. I’m a consumer too,
and I hate really invasive authentication measures. Most consumers do. They really need
to reexamine their tools and strategies enterprisewide.”
 10

The
The quest: Optimizing
quest: Optimizing the balance
the balance betweenbetween risk and friction
risk and friction

Behavioral
biometrics

Seamless
Behavior
experience
Device
malware patterns
Fingerprint
Eye vein biometric
biometric Device
3-D facial
2-D facial identity
recognition
recognition
Identity data
verification
Iris Username
biometric password
Identity
document
verification
SMS
OTP
Level of security

Mobile High
KBA
app
push
Medium
Token
Low

High
friction

Page 20 Copy rig ht © SA S Institute Inc. A ll rig hts re se rve d. ©2018 Aite Group LLC.
Figure 4. Authentication techniques – from highest friction to seamless customer
experience

From the wide range of tools available, you would think the most effective ones would
be the most cumbersome to the user. Not so. There’s not necessarily a correlation
between security value and convenience. Some of the most effective authentication
tools are invisible to the user, while some of the more intrusive ones are losing their
power.

Take knowledge-based authentication (KBA), for example. The customer is stalled by

having to recall the answer to a security question, but thanks to major data breaches
and a strong black market for the data, there’s not much fortitude in static KBA anymore.
And on the other end of the spectrum – best customer experience – you find analytics-
driven techniques that provide high security value without inconveniencing the
customer at all.

A hybrid approach can match the authentication technique to the need. “It’s very
common to have a waterfall approach,” said LeBaron. “You start with a very seamless,
frictionless capability where you can look at the device being used, the true location,
and triangulate that with global shared intelligence to quickly recognize good returning
customers. They never know anything happened. If the identity is indeterminate, you
might step up to a different technique, such as knowledge-based authentication, but
you want to minimize that for obvious customer experience reasons.”
 11

Closing thoughts
It’s critical to get ahead of the identity theft epidemic, not just because of the financial
loss, but because real people are getting caught up in it. Remember those 1 million
babies whose SSNs have been misappropriated? The Social Security Administration will
not reissue those numbers, so the parents are left to clean up the mess – or the identity
theft isn’t discovered until children apply for their first job or bank account.

Even when lenders make good on identity fraud losses, the victims suffer. Consumers
pay an average of $290 out of pocket and spend 15 hours on average resolving fraud,
says consumer advocate Velasquez. Even in cases where the financial institution has
acknowledged fraud and absolved the consumer of responsibility, there are domino
effects. “We’ve seen that about 38 percent of identity theft victims subsequently had
their credit affected, had interest rates go up, had their credit cards cancelled or were
denied credit – not because of their own behavior but because they’re victims of a
I encourage financial
crime,” says Velasquez. institutions to reexamine
and update their current
“For those of us in financial services, it’s easy to get caught up in the number of cases
that we have, and overlook that these ‘cases’ are real human beings,” says Inscoe. “After tools and strategies,
they’ve worked so hard to clean this up, research has shown that these people are particularly if they’re
statistically more likely to be victims again. I encourage financial institutions to reex-
amine and update their current tools and strategies, particularly if they’re going to offer
going to offer Faster
Faster Payments, RTP [real-time payments] or Zelle anytime soon.” Payments, RTP [real-time
payments] or Zelle
About the contributors anytime soon.”
The insights in this paper were drawn from a panel discussion at the SAS-sponsored Shirley Inscoe, Aite
Fraud and Financial Crimes Customer Connection event, held at SAS headquarters in Group
Cary, NC, in August 2018.

Shirley Inscoe is a Senior Analyst with Aite Group, covering fraud, data security and
consumer compliance issues. Before joining Aite Group, Inscoe held several roles at
Wachovia Bank, including Director and Senior Vice President of Payments Strategy.

Chris LeBaron is a Senior Director at ThreatMetrix, providing fraud and digital identity
technology solutions to the banking and financial services industry. Prior to
ThreatMetrix, LeBaron was a Senior Director at FICO, where he held numerous business
development, alliances and sales management roles.

Eva Velasquez is President and CEO at the Identity Theft Resource Center. Velasquez
previously served as the Vice President of Operations for the San Diego Better Business
Bureau and spent 21 years at the San Diego District Attorney’s Office. She has a passion
for consumer protection and educating the public about identity theft, privacy, scams,
fraud and other related issues.

Learn more
sas.com/fraud
To contact your local SAS office, please visit: sas.com/offices

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc.
in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their
respective companies. Copyright © 2018, SAS Institute Inc. All rights reserved. 110062_G88680.1118