Fake folks, real threat: How synthetic fraud fools financial institutions
Parker Conrad’s LinkedIn page shows he has a thriving IT business, a loving family with “two princesses,” an electric car (a Chevy Volt, to be precise) and more than 500 connections.
But here’s one thing it doesn’t show: Parker Conrad doesn’t exist.
He is a fake persona, created by a Florida cyber security firm to show just how easy it is to develop artificial identities. “We created Parker to show he is an option,” says Stu Sjouwerman, CEO of KnowBe4.com, a Clearwater, Fla. company. “He has existed for seven years now. This imaginary person lives on LinkedIn, on Twitter and two or three more social media accounts.”
Now imagine that Parker was created by someone with nefarious intent and that person used the persona to establish a credit history. “It’s more difficult to detect than standard identity theft,” says Sjouwerman.
Instead of stealing someone else’s identity, a breed of bad hombres just make them up, says Colin Carvey, vice president of identity solutions at TransUnion.
Using a technique he calls “synthetic hacking” (also known as synthetic fraud), fraudsters create small armies of rogue Parker Conrads and apply for credit using Social Security numbers that are not purloined, but invented. Then they use the newly created credit profiles to pilfer from banks, auto dealers and virtually anyone who accepts credit for goods and services.
“Creating the identity is very simple,” he says. And by Carvey’s own reckoning, an initial investment of $79.99—less than the cost of three Swiffer Wet Jets—can mop up ill-gotten gains of $107,269.63, on average. That’s more than 1,300 times the initial cash outlay.
“I can make up a name, Social Security number, address and create an ‘identity,’” says Carvey. But then the real nefarious work begins—and the irony is that the federal government in part makes it possible.
Carvey and other cyber security experts point to loopholes in Social Security Administration rules. In 2011, the SSA changed the way it allocated Social Security numbers by randomizing the nine digits instead of assigning the first set of three numbers based on geography. Moreover, the SSA does not allow checks to see if a number is tied to a name.
“Who is to determine and say who owns a number?” Carvey asks. “We can’t do that in the financial world.”
So a fake identity, armed with an untraceable Social Security number, can create havoc, says Carvey. But it takes work—and, in many cases, willing partners along the way. At first, “It’s still worthless. There is no credit history.”
Thus the thief behind the persona needs to create a credit history. Carvey says there are a couple of ways to do that. Collusive merchants knowingly providing fraudulent credit; a company insider at a bank can help establish credit; and even legitimate organizations such as credit repair companies might temporarily offer access to strong credit, in order to help those with bad credit rebuild theirs.
Once the personas get credit, they “simmer,” building up their scores until it is time to strike. “We’ve seen them build credit to a 700 score in seven months,” he says. “We’ve also seen them take two to three years to milk the credit. It depends on the scheme.”
To keep the money flowing in, the bad guys maintain several personas in various stages of percolation; fraudsters can maintain 20 such accounts at a time in various stages.
The payoff, he says, can be lucrative.
In one case, when the credit score rose to the right level, the perpetrators began taking out credit cards and managed to buy big-screen televisions. They purchased vehicles. Then they sold the ill-gotten goods at far less than face value because it was the credit and not the goods that counted. And besides, when you set up a phony account, any money garnered is profit—except to the bank or store that is victimized.
Banks are vulnerable, says Carvey, “because they are giving out loans based on credit scores.” Meanwhile, organized criminals can steal as much as $100,000 per month, with the added assurance that phony people don’t complain to banks about identity theft, the principal fraud issue that commands their attention.
Another problem is that fake personas “are more difficult to detect than standard identity theft,” says Doug Johnson, senior vice president of payments and cyber security policy at the American Bankers Association.
“They are very patient,” Johnson says of the fraudsters. “They have years of history, high credit scores and they will wait for the right time.”
Like Carvey, Johnson can’t quantify the problem with any specificity. But the problem has to be dealt with, and soon.
“Going forward, we have to get a better fix on the magnitude of the problem,” he said. “I think it will increase rather than decrease and we’re trying to energize the industry to counteract it.”
To that end, the experts recommend three courses of action for financial institutions:
- Check for a pulse
In cyber security parlance, human beings are considered “biomatter.” “If there’s no biomatter, it’s fraud,” says Carvey. However, proving that a Social Security number, the basis for all credit accrual, actually belongs to a human isn’t easy. So as often as possible, he says, cross reference other attributes such as addresses, phone numbers and work history.
- Use Big Data
“When it comes to fighting fraud, data is most critical,” says Carvey. “Look for patterns. Fraudsters have patterns. They are trying to run up money faster than a normal consumer. How much data you analyze is critical.” If possible, banks should develop and use artificial intelligence tools that target synthetic fraud. “Machine learning helps,” he says.
- Employ outside solutions
TransUnion offers “synthetic score” and CreditVision suite, powered by proprietary technology that identifies synthetic identities early in the credit-building process at the time credit is applied for, and with extremely low false positives.
In the meantime, banks can only hope—and perhaps press—for SSA rule changes. To help stop the fake Parker Conrads from ripping off banks and other credit-providing institutions, experts say that the SSA should allow searches that can prove whether a Social Security number indeed belongs to a human.
“I’d like to see the SSA recognize that ID theft, and synthetic IDs in general, are an important part of their core mission,” says Johnson. But based on the track record, “there’s a feeling on their part that it’s not part of their core mission.”
That’s in large part because of the investment needed to crunch the numbers. “They feel they need to be reimbursed for any system they set up,” says Johnson. “In the past, there have been challenges of having too high a price point for checking individual Social Security numbers. But this is a particularly insidious crime.”
The SSA did not respond to a detailed request for comment. Ditto for Parker Conrad.
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.