Cyberthieves can use the payment credentials they steal to charge products to the people who are the legitimate owners of that data. That’s bad enough. But increasingly, these fraudsters are using the information they glean from data breaches to invent fresh identities, sometimes out of whole cloth, leaving credit card issuers, banks, and other lenders holding the bag.
Indeed, the losses from so-called synthetic identity fraud are mounting fast. Card issuers alone sustained $820 million in synthetic ID fraud in 2017, up fully 41% in just two years, according to a new report from Aite Group LLC. On current trends, the firm projects these losses will swell to more than $1.2 billion by the end of 2020.
“It really is a perfect storm,” Julie Conroy, research director at Boston-based Aite and the report’s author, tells Digital Transactions News. While growing fast, the problem at many organizations remains cloaked in misunderstanding and confusion, leading Aite to call it “the elephant in the room.”
In fact, Conroy’s report, “Synthetic Identity Fraud: The Elephant in the Room,” shows loss data only for credit card issuers, even though synthetic ID fraud also plagues auto lenders and other credit grantors. That’s because only card issuers have compiled hard data, Conroy says. But fraud officers across the board are starting to get a clearer picture and to collaborate on solutions.
“This is not a new problem, but it is serious enough that [security officials] are coming together,” Conroy says. She contrasts this development with the state of affairs in 2011, when Aite conducted its last round of research on synthetic ID fraud. “That wasn’t happening then,” she says.
A number of factors account for the mounting losses, but there’s no question the rash of data breaches is fueling the trend. Since 2013, hackers have accessed more than 9.7 billion records online, according to data from the card-technology company Gemalto cited in the report. Victims now include credit bureaus themselves, with Equifax Inc. last year sustaining a breach that affected 147.4 million records. On Tuesday, the bureau reported the breach also included images of more than 50,000 passports, driver’s licenses, ID cards, and other documents.
With this pilfered information, criminals can mix and match bits of data to invent personas that can then apply for credit lines and take out cash that will never be repaid. And once these personas become files at the three major U.S. credit bureaus, it’s very difficult to root them out, Conroy says. “The problem is fairly systemic,” she says. “It’s going to take some fairly systemic solutions to really put a dent in this.”
Complicating the search for solutions is a decision the Social Security Administration made in 2011 to randomize Social Security Numbers. Where once these numbers were derived from date and region of birth, they are now simply randomly generated digits, depriving fraud fighters of “a valuable tool … that [financial institutions] could use to check the validity of an SSN at the time of account onboarding,” says the Aite report.
Criminals are taking advantage of this change. Where fraud officers expected 3.6% of all SSNs to be potentially randomized last year, the actual volume seen in credit applications was 5.8%, according to ID Analytics data cited by the report.
Ultimately, solutions will have to emerge to cut off the flow of data earlier, Conroy notes. “We need to have a way to detect synthetic records earlier so they don’t get furnished to the credit bureaus in the first place,” she says.