Professional Documents
Culture Documents
Contents
A million children working, earning and borrowing
before being born?.............................................................................................. 1
Closing thoughts.................................................................................................11
Learn more...........................................................................................................11
1
After they filed that year’s taxes listing their new little dependent, the IRS notified
them that their infant had an earnings and credit history going back five years.
Mom and Dad were taken aback, because their little one could barely pull
himself up by the rails of his crib.
As outrageous as this seems, it is common. More than 1 million children were victims of
identity theft or fraud in 2017, according to Javelin Strategy & Research.1 Two-thirds of
them were 7 or younger.
“The change to random-
ized Social Security
“We’re talking to folks who have had Social Security numbers issued to their kids, and numbers in mid-2011
those numbers are already tainted,” says Eva Velasquez, CEO and President of the
Identity Theft Resource Center, which helps consumers deal with such fraud. Children means a crafty thief
are handy targets, because parents are unlikely to monitor credit reports, loan activity could potentially build
and tax returns for a grade-school child or a baby who doesn’t even walk yet.
a profile around a
Children and deceased people make great targets, but identity theft – the necessary number before there’s
precursor to identity fraud – is escalating across age groups and demographics. The a victim.”
number of identity fraud victims rose 8 percent from 2016 to 2017, with fraudsters
netting 1.3 million more victims and $16.8 billion in that time – all without having to Eva Velasquez, CEO
commute, clock in or pay taxes. and President, Identity
Theft Resource Center
Account takeover tripled between 2016 and 2017, with losses reaching $5.1 billion.
And 49 percent of companies report being victims of fraud and economic crime in the
previous two years. 2
1 Source, Javelin Strategy and Research, “2018 Identity Fraud: Fraud Enters a New Era of Complexity,”
February 6, 2018. Al Pascual, Kyle Marchini, Sarah Miller. https://www.javelinstrategy.com/coverage-area/
2018-identity-fraud-fraud-enters-new-era-complexity, accessed Sept. 28, 2018.
2 Javelin Strategy & Research, “2018 Identity Fraud: Fraud Enters a New Era of Complexity,” February 6, 2018.
2
More account openings are taking place through digital devices and the internet,
which provide the access and anonymity fraudsters require. The lender or creditor can’t
verify applicants in person through photo IDs such as drivers’ licenses, passports and
other paperwork. And one fraudster can generate a multitude of spurious credit appli-
cations, which would be impossible with traditional in-person applications.
High-profile data breaches spill a flood of information that can be exploited for fraud.
For example, in 2015, the US Internal Revenue Service revealed that a criminal syndi-
cate used a tool on the IRS website to steal the tax forms of up to 330,000 people.
What made this breach so chilling is that the identity thieves didn’t even have to hack
into IRS computers; they just correctly answered verification questions to log into the
“Get Transcript” tool (since decommissioned), which was meant to help taxpayers
retrieve old tax documents. With the sensitive information in those files – such as salary,
family information, and property and investment values – criminals claimed bogus tax
refunds and opened credit lines in the names of others.
For a wellspring of factoids commonly used in verification questions – your first car,
where you met your spouse, the name of your pet, your elementary school – identity
thieves need look no further than Facebook. Oops. In September 2018, Facebook
reported a security breach that affected nearly 50 million accounts, potentially giving
attackers access to view account information and use accounts as their own.
Forget the myth that identity thieves are aiming for people with good credit and lots of
money. The number one criterion that determines a target is whether an identity has
been compromised in a data breach. That means no one is immune.
“If anybody thinks there’s privacy for their personally identifiable information, they’re
delusional,” says Shirley Inscoe, a senior analyst covering fraud, data security and
consumer compliance issues for Aite Group. “I can find just about anything about
anybody.
“One banking executive I spoke to said that identity theft is at the highest rate he’s ever
seen in his career, and he’s been banking for a couple of decades now. In research last
fall, I asked executives at 19 of the largest North American financial institutions about
the largest categories of fraud losses they were seeing related to online and mobile.
The No. 1 problem was account takeover, and second was application fraud. Those are
both identity crimes, and it goes to show how challenging this issue is in financial services.”
These realities bring new urgency to identity theft detection and prevention. This is true
not only for banks and credit card companies, but for other credit-granting organiza-
tions such as mobile phone companies, online retailers and auto finance organizations.
3
Synthetic identities:
The prime choice for identity fraud
Three types of misappropriated or misrepresented identities are used for identity fraud:
Application Fraud
Application Fraud
Size and Nature of the Problem
Figure 1. Traditional identity fraud is still the leading approach, but synthetic identity
fraud is the fastest-growing. 13
Copy rig ht © SA S Institute Inc. A ll rig hts reserved.
4
Synthetic identity fraud alone reached $820 million in 2017 and is projected to surpass
$1.2 billion by 2020, according to Aite Group research. As troubling as these figures
are, they are grossly understated, says Inscoe. “These cases are often not recognized
until they go to collections, and the bank realizes there is no person from whom to collect.
“An executive from one of the top five issuers in the country told me his institution had
hired a consultant at great expense to examine why credit card losses were skyrock-
eting. The consultants went through credit card records and found a number of them
that had been charged off within six months of account opening. More than 80 percent
of them were charged off as credit losses when they were actually synthetic identity fraud.”
Synthetic identity
Synthetic fraud
identity fraud is growing
is growing rapidly rapidly
$1,257
$1,133
$968
$820
$701
$580
6 Copy rig ht © SA S Institute Inc. A ll rig hts reserved. ©2018 Aite Group LLC.
Figure 2. Synthetic identity fraud is growing rapidly.
It’s imperative to spot synthetic identity fraud for what it is and stop it as early as
possible. But detection is difficult as fraudsters get more sophisticated at nurturing and
developing those identities. In many ways, they appear to exist in the real world.
Once an identity is created, there are several ways to develop the appearance of a
person through credit profiles or other records. Three common methods are:
• Applying for credit. The fraudster uses the identity to apply for credit cards, phone
service, etc. The merchant, financial institution or other entity submits the identity
information to the credit bureaus. If the credit bureau has a file for that identity, it
sends the creditor a score.
If there is no comparable record, the credit bureau creates a file and records the
inquiry. Whether the initial request is approved or declined, at least now a record
exists for subsequent applications using that identity. It starts to look more real.
• Adding an authorized user. The fraudster adds a new identity as an authorized user
on an existing and mature credit file – either another synthetic identity or a real To build credibility for
person who may get kickbacks for colluding in allowing the fraudster to use their
credit identity.
a synthetic identity:
By association, the newly authorized user adopts the credit score of the original
account, then splits off to a separate credit file. The number and relationships of Add authorized users
authorized users can be an indicator of this type of fraud. to an existing credit line.
Apply for a secured
• Bringing a business entity in collusion. This scheme, also known as a data furnisher
approach, is likely to involve an organized fraud ring. Business entities (fake or real) credit card.
create sham credit accounts for synthetic identities, then submit monthly records to • Get a mobile phone for
the credit bureaus, making it appear that these accounts are being paid and repre-
sent real, credit-worthy people.
the identity.
• Establish a social media
The underlying theme is the same: The fraudster exploits the services of the credit
profile for the identity.
industry – banks, other creditors and credit bureaus – to build a credible identity to use
to gain access to yet more credit. The usual pattern is to build up more and more avail- • Collude with a business
able credit, leading to a cash-out at a most profitable moment. that reports sham
records to credit
More sophisticated fraudsters go a step beyond to create the semblance of a real life
surrounding an identity – a full credit persona. They create email addresses and social bureaus.
media profiles for their synthetic identities, and in general build out the details of a • Slowly and steadily
normal life.
accumulate credit.
Fraudsters get unwitting help from organizations that have a higher risk tolerance than
traditional banks. Telecom service providers are favorite starting places to build out a
synthetic identity, since they are generally more focused on upselling bigger plans than
on whether you’ll pay your bills. Social media sites are also willing to accept more
uncertainty about a person’s identity when opening an account. An e-commerce
business selling low-cost goods will allow for some fraud in order to facilitate more
transactions. So it’s relatively easy to get in the door in ways that help build out a
synthetic identity.
6
The perpetrator had felony records for passing bogus checks and breaking and
entering, as well as lesser infractions, such as delinquent child support and failure to
pay taxes one year. Although his real-life criminal record and credit profile were hardly
stellar, that didn’t prevent him from creating multiple synthetic identities that were
granted credit cards, auto loans and personal loans, leading to delinquencies
amounting to $253,000 in ill-gotten gains.
If you multiply this one example to an organized crime ring with many participants
doing the same, the fraud losses add up quickly. What if you could identify this process
much earlier in the game? What if you could shut the front door on this type of fraud
before it ever got started? With analytics and machine learning, you can.
Here are some approaches already proven in the financial services industry:
3 Source: Rebekah Moody blog, “Are You for Real? Synthetic Identity Fraud – and How to Identify It”
July 26, 2018, accessed Sept. 28, 2018 https://www.threatmetrix.com/digital-identity-blog/fraud-prevention/
synthetic-identity-fraud-how-to-identify-it/
8
• Recognize faces. Several companies offer products that validate a user by facial
recognition, said Inscoe. The user takes a smartphone selfie and a photo of an Creditors are always
identity document, such as passport or driver’s license. The system compares the
two. “It’s very effective,” says Inscoe. “I recently talked to two bankers whose banks seeking that optimal
are doing this not just for applications, but in their branch networks to eliminate balance between
account take-over.”
reducing the false posi-
• Use behavioral biometrics to identify bots. Some pioneering banks are using
analytics to determine if an online applicant or account holder is a human or a bot.
tives that can damage
The threat is real. According to ThreatMetrix, which provides digital identity tech- customer relationships
nology to the financial services industry, a record 2.6 billion bot attacks were
and the false negatives
detected in just the first half of 2018.4
that can lead to financial
A first line of defense uses keystroke analytics. Does this online activity seem human- loss for the institution.
like? There’s a certain cadence a person would make in completing an online applica-
tion. Some sections of the form, such as basic demographic information, would be filled
That requires analytics,
out fairly quickly. You know your address, date of birth and SSN right off the top of your the ability to detect
head. But when you get to unfamiliar sections of the form, you may have to stop, read anomalies that represent
and understand the request – maybe look up the needed information. The cadence
changes. Analytics can detect if the pattern of keystrokes has the natural flow of a potential red flags – at
human or the staccato rhythm of a bot. the speed of now, in an
ever-changing fraud
environment.
4 T
hreatMetrix, Merging Online & Offline Identity Intelligence to Reduce Customer Friction, Sept. 27, 2018,
https://www.threatmetrix.com/digital-identity-blog/digital-identity/
merging-online-offline-identity-intelligence-to-reduce-customer-friction/
9
Consider a consortium
“The big ‘aha’ moment for a lot of these organizations, especially on the financial
institution side, is that they can benefit from the experience across the globe of all
of these other, unrelated industries in informing their decisions on new account
opening. You can stop [a synthetic identity], so it never gets into the credit granting
side, because you’ve shut the fraudster down at the front door.”
You want to detect synthetic identities without alienating legitimate customers. There’s
always the need to balance high security (which can mean higher friction) with the need
to provide a positive customer experience.
“Bank executives are really struggling with this,” says Inscoe. “The authentication
measures they’re using have some gaps, or are just not as effective as they need to be.
At the same time, you’ve got to balance that customer experience. I’m a consumer too,
and I hate really invasive authentication measures. Most consumers do. They really need
to reexamine their tools and strategies enterprisewide.”
10
The
The quest: Optimizing
quest: Optimizing the balance
the balance betweenbetween risk and friction
risk and friction
Behavioral
biometrics
Seamless
Behavior
experience
Device
malware patterns
Fingerprint
Eye vein biometric
biometric Device
3-D facial
2-D facial identity
recognition
recognition
Identity data
verification
Iris Username
biometric password
Identity
document
verification
SMS
OTP
Level of security
Mobile High
KBA
app
push
Medium
Token
Low
High
friction
Page 20 Copy rig ht © SA S Institute Inc. A ll rig hts re se rve d. ©2018 Aite Group LLC.
Figure 4. Authentication techniques – from highest friction to seamless customer
experience
From the wide range of tools available, you would think the most effective ones would
be the most cumbersome to the user. Not so. There’s not necessarily a correlation
between security value and convenience. Some of the most effective authentication
tools are invisible to the user, while some of the more intrusive ones are losing their
power.
A hybrid approach can match the authentication technique to the need. “It’s very
common to have a waterfall approach,” said LeBaron. “You start with a very seamless,
frictionless capability where you can look at the device being used, the true location,
and triangulate that with global shared intelligence to quickly recognize good returning
customers. They never know anything happened. If the identity is indeterminate, you
might step up to a different technique, such as knowledge-based authentication, but
you want to minimize that for obvious customer experience reasons.”
11
Closing thoughts
It’s critical to get ahead of the identity theft epidemic, not just because of the financial
loss, but because real people are getting caught up in it. Remember those 1 million
babies whose SSNs have been misappropriated? The Social Security Administration will
not reissue those numbers, so the parents are left to clean up the mess – or the identity
theft isn’t discovered until children apply for their first job or bank account.
Even when lenders make good on identity fraud losses, the victims suffer. Consumers
pay an average of $290 out of pocket and spend 15 hours on average resolving fraud,
says consumer advocate Velasquez. Even in cases where the financial institution has
acknowledged fraud and absolved the consumer of responsibility, there are domino
effects. “We’ve seen that about 38 percent of identity theft victims subsequently had
their credit affected, had interest rates go up, had their credit cards cancelled or were
denied credit – not because of their own behavior but because they’re victims of a
I encourage financial
crime,” says Velasquez. institutions to reexamine
and update their current
“For those of us in financial services, it’s easy to get caught up in the number of cases
that we have, and overlook that these ‘cases’ are real human beings,” says Inscoe. “After tools and strategies,
they’ve worked so hard to clean this up, research has shown that these people are particularly if they’re
statistically more likely to be victims again. I encourage financial institutions to reex-
amine and update their current tools and strategies, particularly if they’re going to offer
going to offer Faster
Faster Payments, RTP [real-time payments] or Zelle anytime soon.” Payments, RTP [real-time
payments] or Zelle
About the contributors anytime soon.”
The insights in this paper were drawn from a panel discussion at the SAS-sponsored Shirley Inscoe, Aite
Fraud and Financial Crimes Customer Connection event, held at SAS headquarters in Group
Cary, NC, in August 2018.
Shirley Inscoe is a Senior Analyst with Aite Group, covering fraud, data security and
consumer compliance issues. Before joining Aite Group, Inscoe held several roles at
Wachovia Bank, including Director and Senior Vice President of Payments Strategy.
Chris LeBaron is a Senior Director at ThreatMetrix, providing fraud and digital identity
technology solutions to the banking and financial services industry. Prior to
ThreatMetrix, LeBaron was a Senior Director at FICO, where he held numerous business
development, alliances and sales management roles.
Eva Velasquez is President and CEO at the Identity Theft Resource Center. Velasquez
previously served as the Vice President of Operations for the San Diego Better Business
Bureau and spent 21 years at the San Diego District Attorney’s Office. She has a passion
for consumer protection and educating the public about identity theft, privacy, scams,
fraud and other related issues.
Learn more
sas.com/fraud
To contact your local SAS office, please visit: sas.com/offices
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc.
in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their
respective companies. Copyright © 2018, SAS Institute Inc. All rights reserved. 110062_G88680.1118