Most consumers in the U.S. have some sort of smart device, and the two top activities they are using them for are online shopping and personal banking, according to the Experian Global Fraud Report 2018*. These consumers are placing their trust in online businesses and banks with the expectation that they can transact or buy what they want, when they want, without risk. Customers also expect that companies will protect their interests without making them jump through security hoops. Therein lies the challenge for online organizations.
Balancing convenience with security is the ongoing challenge for online businesses, and 75% of them are interested in more advanced security measures and authentication processes that have little or no impact on the customers according to the Experian Global Fraud Report 2018*.
Fake Identities Lead to Losses
In an ISMG Security Report podcast, * Julie Conroy, an analyst with Aite Group said that in 2017 there were $800 million losses from synthetic identity fraud through credit cards alone, and that could skyrocket to 1.2 billion by 2020.
The nine billion personal records stolen in the last few years have fueled the synthetic identity fraud market, with data available to create fake identities or combinations of different identities. This type of fraud is hard to decipher by companies as each piece of personal information can be legitimate, but it’s only combined that they create a fake one. Synthetic fraud is often powered by automated scripts that fill out forms to apply for services or open accounts.
Cybercriminals carefully nurture fake identities (register their phone number, sign up for loyalty cards, etc.) until they are fully established and ready to be sold on the dark web. The demand for cultivated synthetic identities has been rising in recent years.
For credit bureaus, a curated fake identity that has no previous credit history, looks like a young person just starting out or someone from another country who has never applied for credit. Julie Conroy exposes another complication; while the credit bureaus may not have Social Security numbers, they could see if the person applying for credit was within the age range of a specific social security number. However, this is no longer possible. In 2011, the government started randomizing those numbers so now credit bureaus could not even make an educated guess.
These synthesized identities are so realistic that traditional underwriting tools cannot detect them. It is even harder for banks and other institutions to classify these loses and measure their impact. Even after a fake customer defaults on their payment, creditors don’t know if it’s a fake identity or just the legitimate person not paying.
A wide-spread technique to build accounts with fake identities is automation. Bad actors buy sets of data from the dark web and feed them through a script to create accounts with mixed records.
Today, more companies are implementing multi-layered security solutions that include passive biometrics and behavioral analytics. These technologies detect fraudulent accounts created with automated tools and block them before any losses occur. This approach allows companies to identify automated scripts by their behavior and blocks fake transactions while providing a seamless experience to the legitimate customer. Additionally, good customers can be accurately identified and offered an enhanced seamless experience.
About the Author:
Ryan Wilk is Vice President, Customer Success for NuData Security, a MasterCard company. Previously, he was manager of Trust and Safety at StubHub and spent eight years with Universal Parks & Resorts in various eCommerce roles. NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest eCommerce and Web properties around the globe.