Hacked together: How crooks create one fake person from many real people
On film, Frankenstein exists only as a mythical creation. But online, a monster of many parts recently rose from the cyberswamp to take hostage a 49-year-old tech exec from Charlotte, North Carolina.
Alas, this tale from the digital crypt begins not on some operating table in a castle, but a car lot. The woman discovered the beast’s tracks as she tried to lease a vehicle, says her friend, David Barnhardt, a guy who knows about such things.
The tech exec, who began her day hoping to drive away happy, got run over: Her credit report showed a charge-off from a large financial institution for a card she never even knew she had.
Fraudsters opened the credit card account by creating a segmented beast composed of her Social Security number, another person’s date of birth and someone else’s contact information. They convinced the issuing bank that this composite was a real individual, says Barnhardt.
For the next three and a half months, the woman spent more than 30 hours of her own time trying to put the cyber brute to rest. And she’s in the tech business.
“Her outrage was two-prong,” says Barnhardt. “Number one, how did the bank not verify that it was not her using the Social Security number? And two, how did they allow this individual to charge $18,000 on the credit card?”
If only that shadowy monster were the last of its species roaming the internet for prey.
‘A runaway year for fraudsters’
The recent 2018 Identity Fraud Study from California-based Javelin Strategy & Research reveals that bad guys are so well-armed with data and tools that no institution can protect its customers without help.
There were 16.7 million victims of identification fraud in 2017, according to the study. That’s almost 7 percent of all consumers; both figures are records. It’s also enough for Javelin Senior Vice President Al Pascual to declare 2017 “a runaway year for fraudsters.”
Cold comfort though it may seem, the amount stolen has risen since 2015 at a much slower pace. The $16.8 billion taken in 2017 is off nearly a quarter from 2012’s total of $22.1 billion. That means fraudsters are working harder but getting less bang for their stolen buck. And while existing-card fraud losses are declining, the number of incidents rose from 5.07 percent to 5.47 percent of all consumers.
Thanks in large measure to the advent of EMV chips, fraud has shifted from point-of-sale (POS) to card-not-present transactions (CNP), according to the study. In 2017, nearly twice as many consumers had their cards misused in a CNP transaction as they did at POS.
Using new tools and data, fraudsters circumvent money laundering protections by creating armies of synthetic identities—like the one that plagued the tech exec—to open new mobile phone, internet payment and online merchant accounts. Through them, they can monetize accounts they might have compromised elsewhere.
A big turning point, according to Javelin, came during the September 2017 Equifax breach, which compromised the data of 148 million consumers. “Because of the breadth of the affected population and the value of the compromised data, this event was a strong contender for the most destructive breach recorded,” the study states.
As a direct result, Social Security numbers for the first time eclipsed credit card numbers as the most ripped off pieces of personal information, with 35 percent of victims reporting SSN compromises compared to the 30 percent who reported credit card hacks.
“Fraudsters are pulling info from the dark web, gathered from data breaches,” says Glenn. “They are getting phone numbers and email addresses and names and creating these Frankenstein identities.”
Ironically, Washington has helped this along. The Social Security Administration randomized Social Security numbers in 2011. Since its inception in 1935, the SSN had always been comprised of the three-digit area number, followed by the two-digit group number, and ending with the four-digit serial number. Dating to 1972, the SSA had issued Social Security cards centrally and the area number reflected the state, as determined by the ZIP code in the mailing address of the application.
And so a change designed for security actually helps fraudsters, says Glenn, because it makes it harder for financial institutions to determine customer identity based on digit groupings.
“Random numbers make it impossible to look at the numbers and see if the account is valid or not valid,” said Glenn. “This has enabled fraudsters to commit fraud more easily.”
And that, he notes, only makes it more difficult to stymie these Frankensteins. Because these are synthetic creations that open accounts, compromised consumers such as the Carolina tech exec can increasingly detect fraudulent activities ahead of financial institutions.
Glenn says iovation helps mitigate the problem by performing what he calls “device intelligence.” It works by looking at devices used in online transactions. Fraudsters, says Glenn, use a set of computers to create thousands of synthetic identities.
The social media solution
Barnhardt adds that financial institutions must do more to prove the reality of new customers. That includes scanning social media.
Frankenstein fraudsters, he says, usually fail to take the next step of building out a social media presence such as a Facebook page, Twitter handle or Snapchat profile. In the rare cases they do, those social media pages often pop up about the same time as the synthetic identity, serving as a clue that it might not be real.
“A lot of companies ask you to validate your name, address and date of birth,” he says. “But you have to validate with existing social media content to show that you are the carbon-based life form you say you are.”
But for those consumers with less savvy, or resources, there is help, says Eva Velasquez, president and CEO of the San Diego-based Identity Theft Resource Center. The non-profit was established to support victims of identity theft in resolving their cases.
“We have seen people who get stopped for running a red light and find out there is a warrant out for their arrest when they don’t have any warrants,” says Velasquez. “Or a child support case against them when they don’t have children.”
Many don’t realize that they don’t have to fight the fraudsters alone, says Velasquez.
“A lot of people think that if they don’t have the money to pay a professional, they have to figure out this very complex problem by themselves,” says Velasquez. “We never charge anyone. All our services are free to the public and we are here to help.”
Unless, of course, you’ve been cobbled together in some hacker’s house of horrors.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman covers the military and national security for the Tampa Bay Times.
If you enjoyed, this article, check out our recent Executive Report: Fraud and cybersecurity: Staying steps ahead.