August 17, 2022 | By: Justin McDonald, Sr. Risk Management Consultant, The Fraud Practice
Synthetic identity fraud is the combined use of compromised consumer data points alongside data points controlled by fraudsters or belonging to others, where the identity data points pieced together appear legitimate. It may be the most prevalent form of fraud in digital channels as it targets merchants selling all types of tangible and digital goods, as well as online lenders, card issuers and other organizations.
This form of fraud varies widely based on what stolen personally identifiable information (PII) is available to the fraudster. Compromised payment card numbers and the associated billing address could be used alongside fraudster-controlled phone numbers and shipping addresses. Fraudsters will try to extend the number of uses of each stolen payment card by using different email addresses, phone numbers and/or shipping addresses across multiple uses of the stolen payment credentials, a variation known as morphing fraud. The intent is to evade velocity checks which could more quickly detect the fraudster using the same exact set of data points again and again, known as repeat fraud.
Synthetic identity fraud around compromised Social Security numbers occurs less frequently but is more damaging, with estimates reaching up to $98,000 stolen per sophisticated synthetic identity. Some of these fraudsters spend up to 18 months building the synthetic identity’s credit rating before putting it to use (Source: Fiverity). Synthetic identities used to open credit cards often culminate in a bust-out attack, where the fraudster may make small purchases and pay them off for a few months before testing the credit limit with no intent to pay the bill. Synthetic identities used for personal loans will engage in loan stacking, applying for many loans in a short period of time before the first application appears on credit reports. Synthetic identities exist only in a credit file, but it’s enough clout to fool many lenders and issuers.
The same premise, using real consumer identity data points in conjunction with data points a fraudster controls, is prevalent in eCommerce as well. In this article, we cover three strategies for stopping synthetic identity fraud.
1. Authenticate First
Authentication is all about association. In this context, it’s about whether various data points have a history or association with other user-provided data points. If a synthetic identity is used, there will be data points provided that have no association with the compromised payment card, billing address, phone number or another data point that belongs to a victim consumer.
Whereas authentication confirms association, verification confirms possession or ownership. It might seem like verification is the more important piece; however, the latter is not very valuable without the former. Here is a comparative example that underscores this point:
Scenario 1: An online electronics retailer receives an order for a high-ticket item where the shipping address differs from the AVS-confirmed billing address. The buyer provides a phone number that is authenticated and confirmed to be associated with the cardholder name and billing address. Because of the purchase value and different shipping address with no direct association to the cardholder, verification is performed by sending a one-time-use passcode to this authenticated phone number via SMS text message, which the buyer provides during checkout. The order is very likely to be legitimate and accepted.
Scenario 2: Another online electronics retailer receives a similar order for a high-cost item with a shipping address that differs from the billing address that is an AVS full match. The buyer provides a phone number and SMS verification is performed without first authenticating the phone number. The buyer passes the verification check because they provided the number to one of their many “burner” phones. The order is accepted, a fraudster receives stolen merchandise and the victim consumer files a chargeback two weeks later.
These examples highlight why authentication must be performed before verification. Otherwise, what are you really verifying? This doesn’t mean that verification is not an important step ̶—it is! In the case of identity theft, fraudsters can provide the victim consumer’s real phone number that will pass authentication in hopes that the organization won’t attempt to verify possession of that phone. As implied in the above example, verification is likely to be used less often, such as in cases of a high-order value and differing billing and shipping address. Authentication, however, should be performed frequently, regardless of whether or not it is followed by verification.
Authentication is critical to identify which data points have no association to stolen identity information. It is an essential component of validating the legitimacy of an online order and should be performed early on in risk screening. Many synthetic identities can be weeded out if few or none of the data points can be successfully authenticated, and when association is scarce, it can be a signal to employ more risk management checks which may be higher friction or higher cost. Effective risk management requires a layered strategy, and authentication is a critical component of the first layer.
"Ecommerce sites need to be able to assess the risk of new accounts in real-time. This involves not only validating the data entered during sign-up (such as if the email address is real), but validating the relationships between that data (if the name entered belongs with the address entered) and behavioral data (if the email address entered was just created) as well."
Jordan Reynolds, VP of Market Strategy, Ecommerce and Marketplaces at Ekata
2. Determine Whether Corroborating Data Points Are Trustworthy
While authentication is essential to identifying fraud, there are ways fraudsters try to get around it. One tactic is to create data points that fake this association. Fraudsters know that merchants don’t expect to connect every single identity data point via authentication, but rather try to authenticate a subset of the many data points provided. This leads to fraudsters creating emails with cardholder names, entering cardholder names for caller ID information on prepaid mobile phones, and even creating detailed social media profiles intended to corroborate the data points provided as part of their synthetic identity.
There is no one-size-fits-all approach to authentication, not across organizations and not even across different order attempts or identities seen within a single organization. Each identity will present a different set of data points with variation across which of these data points can be authenticated relative to others.
While organizations should seek multiple points of matches or associations connecting multiple data points, the quality of these matches should be considered as well. That is where a strategy that employs data quality checks comes in. Simple data quality checks around the type of phone number provided are valuable, for example. Prepaid mobile and VoIP phone numbers are typically seen as higher risk and should reduce trust in any association to other data points provided because—in the case of changing caller ID data—these can be faked.
Higher-level data quality checks can include trust or risk scores on one or multiple identity points, including email address, phone number, email domain and more. In short, lower-trust identity points mean that any association they have to high-value data points ̶—such as an AVS-confirmed billing address—should not be as trusted.
A recent white paper from The Fraud Practice, Is This Really A New User? Detecting Fraud and Abuse at Account Opening, discusses three levels of data quality checks and their use cases, among several other topics related to fraud and abuse at account onboarding.
A broader consideration is how authentication fits into an overall risk management strategy, from onboarding and subsequent login through transaction or payment events. Identity proofing, or validating that an identity is real, is primarily conducted at account onboarding or creation. This step is closely tied to data authentication, and risk signals derived in these early stages require orchestration to ensure they’re applied at the final event or stage where a financial loss can occur, such as a payment transaction or loan approval.
3. Don’t Go it Alone
The most sophisticated synthetic identities are the most difficult to detect, and typically they are created by career fraudsters targeting high-value goods, if not money remittance, lending or card issuance. These are synthetic identities with carefully curated data points that corroborate stolen consumer PII and can sometimes be referred to as “clean” identities because they are so difficult to detect as illegitimate. When trying to identify these more sophisticated synthetic identities, there is strength in numbers, and this is a critical component of a layered approach to identity proofing and affirmation.