On a cold February morning in 2013, agents from the FBI and the U.S. Postal Inspection Service rounded up 13 suspects in four states across the Northeast who allegedly stole over $200 million. It was a truly massive scheme, involving over 7,000 false identities and 1,800 "drop addresses" to collect all the loot.
What made this crime different from most is that there were no ordinary "victims." Instead, the criminals used highly sophisticated schemes to create identities, build up credit scores and then take out loans and credit cards. They then used these instruments to buy merchandise which they could exchange for cash.
This type of "synthetic identity" crime is becoming more prevalent. As new security protocols, such as chips in credit cards, are being implemented, cybercriminals are becoming more sophisticated and those who guard our financial system need to up their game as well. Yet it appears we are beginning to gain ground in this war and the story of synthetic identity shows how it can be won.
A New Pattern Emerges
By 2016, synthetic identity had become a major issue for financial institutions and there was little that could be done to stop it. However, Keir Breitenfeld, Vice President of Go To Market Strategy at Experian, began to notice another strange trend that would eventually turn the tide: his customers were reporting unusually large credit losses from loans and credit cards.
Usually, credit losses are fairly easy to predict and there didn't seem to be any economic factors, such as a sudden recession, that would cause a spike in defaults. Yet he found his customers consistently reporting far greater losses than they should have. There seemed to be no logical explanation for it.
As he began to investigate, he conferred with his colleague, Michael Gross, who heads up Fraud & Identity product innovation. Gross had noticed a strange trend of his own. Using Experian's FraudNet software, which draws on non-traditional data sources, such as devices and social media, to detect fraud, he was finding a lot of suspicious accounts. But when he notified customers, they told him they had verified those accounts.
It was puzzling, but both trends showed no sign of abating. In fact, they seemed to be rapidly increasing in frequency and value. The two began to wonder if they were related, both to each other and to the rising tide of synthetic identity theft.
Identifying The Method Of Attack
In the fall of 2016, Experian's Datalabs unit was brought in to investigate further. Using sophisticated analytical techniques to sift through mountains of data, the team saw a clear story begin to emerge. The cybercriminals had identified a weak point in the financial system and were exploiting it with gusto.
Here's how a typical synthetic identity scheme can work. A cybercriminal would gain basic information about a person or business through the dark web or some other source. Then they would call that customer's bank and have a new identity listed as an authorized user of the account. Later they would delete it to cover their tracks.
The criminals wouldn't actually steal money from that initial account, so the breach would go unrecognized. However, by adding that false identity as an authorized user to a real account they would begin to build up a credit history and credit score. With that verifiable identity profile, they could then go and open up real accounts under the false name.
None of this would be detected until the criminals began to spend money on the accounts created with the false identities. When the debts went unpaid months later, they seemed to be real customers that had just hit on hard times and were unable to pay their bills. So the affected financial institutions would record them as credit losses rather than fraud.
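The pattern described above (a credit file that begins as an authorized user on someone else's account, is removed shortly afterwards, and then opens its own accounts that later go unpaid) can be expressed as a review rule. The following is an added illustration, not Experian's model or code from the article; the record layout, event names, sample data and the 90-day window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records, not real data: (date, event, identity, account)
EVENTS = [
    # id-A: added to an existing account, removed weeks later, then opens own credit
    (date(2016, 1, 5), "AU_ADD", "id-A", "acct-100"),
    (date(2016, 2, 20), "AU_REMOVE", "id-A", "acct-100"),
    (date(2016, 4, 1), "OPEN", "id-A", "acct-900"),
    (date(2016, 11, 1), "CHARGE_OFF", "id-A", "acct-900"),
    # id-B: long-standing authorized user who was never removed
    (date(2015, 3, 1), "AU_ADD", "id-B", "acct-200"),
    (date(2016, 6, 1), "OPEN", "id-B", "acct-901"),
    # id-C: ordinary default with no authorized-user history
    (date(2014, 1, 1), "OPEN", "id-C", "acct-902"),
    (date(2016, 9, 1), "CHARGE_OFF", "id-C", "acct-902"),
]

def piggyback_identities(events, max_au_days=90):
    """Identities whose file starts as a short-lived authorized user
    and that later open credit in their own name."""
    by_id = defaultdict(list)
    for ev in sorted(events):              # chronological order
        by_id[ev[2]].append(ev)
    flagged = set()
    for ident, evs in by_id.items():
        first_day, first_kind, _, first_acct = evs[0]
        if first_kind != "AU_ADD":         # history did not begin as an authorized user
            continue
        removed = [d for d, k, _, a in evs
                   if k == "AU_REMOVE" and a == first_acct]
        opened = [d for d, k, _, _ in evs if k == "OPEN" and d > first_day]
        # max_au_days is an assumed tuning parameter, not a published threshold
        if removed and opened and (min(removed) - first_day).days <= max_au_days:
            flagged.add(ident)
    return flagged

def classify_charge_offs(events, max_au_days=90):
    """Route each charged-off account to fraud review or ordinary credit loss."""
    flagged = piggyback_identities(events, max_au_days)
    return {acct: ("review_as_fraud" if ident in flagged else "credit_loss")
            for _, kind, ident, acct in events if kind == "CHARGE_OFF"}

if __name__ == "__main__":
    print(classify_charge_offs(EVENTS))
```

Tightening or loosening the window shifts the balance between missed synthetic identities and legitimate customers sent to review.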
Preparing A Counter-Assault
Fighting financial fraud is tricky. If enforcement is too lax, then criminals are able to run wild and financial institutions lose a lot of money. However, if enforcement is too stringent, the system generates too many false positives and they can lose just as much money from turning good customers away. To be effective, models need to be accurate to a fraction of a percentage point.
Yet now that they had recognized a distinct pattern of activity, the data scientists could begin to analyze the situation and identify the few telltale signs that a synthetic identity is being created for the purpose of fraud. Over the next year, Experian Datalabs worked earnestly to do just that.
In September 2017, the company began offering a new service that provides a synthetic identity score in real time when fraudulent accounts are opened. It also offers device intelligence screening and portfolio monitoring services on a continual basis and, as criminals adapt their tactics, the data scientists adapt the model to detect new fraud schemes.
The synthetic identity story is just one example of how we are finally beginning to turn the tide against cybercriminals. However, much as Dr. Rieux observed in Camus' The Plague, it is not a tale of final victory, but only the record of what has been done in the "never ending fight against terror and its relentless onslaughts."
Getting The Edge Over Cybercriminals
To many, synthetic identity fraud may seem like a victimless crime. After all, no ordinary consumers wake up to find their accounts looted and financial institutions can write off the losses. Yet those losses show up in higher costs for the rest of us and cybercrime is a major source of funding for terrorism.
"We are beginning to win the war on fraud. No doubt about it," Steve Platt, Group President for Decision Analytics & Data Quality at Experian, told me. "The bad guys still continue to innovate, increasing their sophistication and finding weak points in the financial system. So we have really stepped up our game, made the necessary investments and innovated our processes to meet the challenge, with increasing success."
He points to three factors that are helping us beat cybercriminals at their own game. First, massive investments are being made across the financial system to increase analytical capabilities. Second, the identity graph is being expanded beyond simple characteristics like name, address, Social Security Number and date of birth to include data from alternative sources like devices, social media profiles and other behavioral characteristics. Finally, collaboration is increasing between financial institutions, law enforcement and companies like Experian.
At the same time, Platt notes that competitive pressures are increasing. "Consumers are demanding a frictionless online environment for financial services and it has become imperative that financial institutions deliver them in a safe, secure environment. Fraud and identity has transformed from an operational cost to a true source of competitive advantage," he told me.
We are far past the days when losses from fraud can just be written off as the cost of doing business. As we increasingly live our lives in the digital universe, global networks of cybercriminals are becoming far more sophisticated in the means they use to finance their illicit activities. The innovation war against cybercrime is one we must continue to fight vigorously.
Disclosure: In the past, Experian has paid my travel expenses to speak to its executives and appear at its annual Vision Conference.