By Pattie Dillon and Mike Russell
If fraud is more of a zombie horde to be fought continuously than a dragon to be slain once, then it’s time to sharpen your blades, fraud fighters. Synthetic identities, the digital undead, are gathering strength.
With every data breach, fraudsters gain more material with which to combine attributes of consumers’ breached records—names, dates of birth, government ID numbers, etc.—to synthesize identities for account creations or fraudulent transactions.
Synthetic identities have been responsible for hellacious losses at credit issuers for years. In 2016, synthetic identities were blamed for up to 20 percent of credit losses ($6 billion). In December, Juniper Research forecast that losses from online payment fraud would reach $48 billion annually, and cited synthetic identities as a primary contributor to that increase.
The scope of the problem
In January, McKinsey & Co. shared their research into estimating the scope of this problem.
Using a sample of 15,000 profiles from a consumer-marketing database, McKinsey determined that 5 percent of the profiles were suspect. For example, one profile had two distinct names linked to the same phone number, the sole provided email address was just months old, and the oldest digital record was less than a year old.
McKinsey’s findings resonated with a proprietary study we conducted at Compromised. In a random sample of 55,000 records, we found up to 3 percent qualified as potential synthetic identities.
Some of these suspicious identities contain personal information from recent breaches. Some consist of information breached years ago. Fraudsters can mash together newly stolen personally identifying information (PII) with previously breached PII to create multiple new identities.
‘Wait,’ you might be thinking, ‘some breaches occurred years ago. That decayed data can’t be as useful to fraudsters as freshly breached data, can it?’
It depends on the data point.
Social security numbers never expire (which is why the deceased’s social security numbers are still unearthed for identity theft).
In the case of login credentials—username-password combinations—researchers using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years found that “More than 70 percent of the users are still reusing the already-leaked passwords in other services one year after the leakage. Forty percent of the users are reusing the same passwords leaked more than three years ago.”
Let’s take a single breached email address as an example. It has probably appeared in multiple breached data sets, linked to multiple disparate identities: one with a Californian address and phone number in one transaction, another with a Virginian address and phone number in another transaction.
The same email could be used for ten applications or transactions with ten companies and appear each time as part of an entirely novel identity.
The email owner may never know someone else is using their email with different bits of breached or fabricated PII. Once the fraudster knows the password to the email account, he can simply set up a filter to archive or delete the emails that would signal his presence.
What you can do about it
For vigilant organizations, the presence of a breached record will command a closer look. If nothing else, you can note the information and treat with caution transactions associated with the email. If you want to cut down on synthetic identities, then you’ll want to layer compromised credentials into your fraud suite. That will allow you to track these Key Risk Indicators:
- How recently the breached information appeared on the dark web. Fresher credentials represent a stronger risk indicator. However, given that the average breach takes months to identify and contain, fraudsters have plenty of time to abuse victims’ data.
- What attributes were compromised in the same breach. An email and password are all fraudsters need to abuse password reset features and one-time passwords, and to gather research material for phishing attacks. That said, a name, address, and date of birth can be enough to start a synthetic identity. A social security number would make the other attributes more valuable, but other identifiers—for example, passport numbers or medical record numbers—can still cause headaches.
- How many times the attributes have been exposed. Each exposure increases the likelihood that an attribute has been used in a synthetic identity.
- Whether strangers share the same attributes. One person should have one date of birth. When records from different breaches assign the same individual multiple dates of birth (or names, phone numbers, addresses, etc.), some investigation is in order.
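As an added illustration (not code from the article or from any vendor's product), the sketch below computes the four indicators above for one email address across a set of breach records. The record layout, field names, and sample data are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample: breach records that all contain the same email address.
# "seen" is the date the record surfaced; passwords are placeholder hashes.
RECORDS = [
    {"breach": "breach-A", "seen": date(2017, 3, 1),
     "attrs": {"email": "j.doe@example.com", "password": "pw-hash-1",
               "name": "Jane Doe", "dob": "1980-04-12", "state": "CA"}},
    {"breach": "breach-B", "seen": date(2018, 11, 20),
     "attrs": {"email": "j.doe@example.com", "name": "John Dorr",
               "dob": "1975-09-30", "state": "VA", "phone": "555-0100"}},
    {"breach": "breach-C", "seen": date(2019, 4, 2),
     "attrs": {"email": "J.Doe@Example.com", "password": "pw-hash-1",
               "name": "Jane Doe", "dob": "1980-04-12"}},
]

def normalize(value):
    """Case- and whitespace-insensitive form used when comparing values."""
    return " ".join(str(value).lower().split())

def key_risk_indicators(records, email, today):
    """Return the four indicators for one email, or None if never breached."""
    hits = [r for r in records
            if normalize(r["attrs"].get("email", "")) == normalize(email)]
    if not hits:
        return None
    values = defaultdict(set)   # attribute -> distinct normalized values
    exposures = Counter()       # attribute -> number of breaches exposing it
    for record in hits:
        for attr, val in record["attrs"].items():
            values[attr].add(normalize(val))
            exposures[attr] += 1
    latest = max(r["seen"] for r in hits)
    return {
        # 1. Recency: days since the email last surfaced in a breach.
        "days_since_last_seen": (today - latest).days,
        # 2. Which attributes were exposed together in each breach.
        "attrs_by_breach": {r["breach"]: sorted(r["attrs"]) for r in hits},
        # 3. How many times each attribute has been exposed.
        "exposure_count": dict(exposures),
        # 4. Attributes with conflicting values across breaches.
        "conflicts": {a: sorted(v) for a, v in values.items() if len(v) > 1},
    }
```

An email whose `conflicts` include name or date of birth is the multi-identity pattern described earlier and is a candidate for manual review.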
Prepare for more synthetic identities
In late April, Kate O'Flaherty reported that “an unsecured database belonging to an unknown organization has exposed 80 million U.S. households’ details.” The leaked data included full addresses, names, ages and dates of birth.
We have to assume that all of these records, like the other 14.7 billion lost or stolen since 2013, will appear for sale in underground marketplaces. Whereas fraudsters can freely combine data points into synthetic identities, fraud teams have to track individual breaches for insight into each attribute’s history of compromise.
Adding duplicate or unverified data from mammoth collections like those that surfaced earlier this year will make more work for fraud teams. If your organization lacks the resources to aggregate, authenticate, verify, compare and link records across breaches, consider integrating a risk intelligence service that specializes in compromised credentials.
Properly implemented, it reduces risk, protects revenue and reputation, and shields users. Think of it like an assistant zombie slayer.
Pattie Dillon is a Consultant, Strategist, and Risk Management Practitioner. Connect with her at https://www.linkedin.com/in/pattie-dillon/.
Mike Russell is a freelance writer and strategist for online fraud prevention companies. Learn more about him at https://pivotalwriting.com/.