Fraudsters are nothing if they are not resourceful.
But the days of the search for carbon papers for credit cards are over, as are the relative ease of making new plastics with stolen account numbers, which is no longer as attractive a proposition as EMV chip cards. now dominate consumer wallets.
If instant gratification becomes hard to come by, what should a potential identity thief do?
Turns out the answer is: be patient and commit synthetic identity fraud.
Traditional Identity (ID) theft is well known: A criminal obtains enough personally identifiable information to open fraudulent credit accounts in a victim’s name or take over existing accounts.
Where synthetic identity fraud differs is in its approach, execution, and the nature of the information used in the schema. It’s a major problem that, by at least one estimate, accounts for around 80% of credit card fraud losses for the industry and creates major problems for its victims.
For starters, the process relies on an old stand-by: the theft of valid Social Security Numbers (SSNs). For this crime, children’s SSNs are the most prized because they are less likely to have an associated credit history.
To make this situation worse, the decision of the US Social Security Administration to switch to random social security numbers has encouraged fraudsters to look especially for unissued social security numbers – that is, those from social security numbers. ‘children born after the change took effect in 2011.
Once in hand, a valid SSN is associated with fictitious personal information and, in many cases, used to apply for a credit card. As part of its underwriting, the issuing bank will attempt to remove the applicant’s credit report from one of the nationwide credit reporting agencies.
Since this is a child’s SSN associated with fabricated information (although only the criminal knows), no files can be provided to the bank, which will likely result in the request being denied.
However, just like the process by which many consumers become active in credit matters, this investigation triggers the creation of a file with the credit reporting agency, but with the fraudulent information.
Thus is born a “synthetic” identity.
The next phase requires patience and sometimes a little help from a friend.
The synthetic identity is often “layered” as an authorized user on an accomplice’s credit card, giving the synthetic identity an immediate boost to their credit score.
Then over time (usually months) the valid card is kept up to date and on time, generating at least the start of a positive trade line on the false identity credit report.
Now is the time for the fraudster to go to another financial institution and apply for a card with the synthetic identity. This time when the bank asks for a credit report, one can provide one, although it is not great, but certainly one more likely to be granted with a modest line of credit.
If successful and repeated quickly and frequently by many issuers, the criminal is likely to accumulate a fair amount of credit.
This leads to shopping madness and the act of disappearing.
When the dust settles, financial institutions will be left with fraud losses to absorb. But the situation is worse for children whose SSNs have been used to create synthetic identities.
After all, they probably won’t be aware of any fraud until they first try to use their SSN for financial reasons (opening a first checking account or applying for student loans, for example). years after synthetic identity fraud.
As the first user of an SSN is often presumed to be the rightful owner, it is the real victim’s responsibility to clean up the mess caused by the criminal.
Astute readers have likely identified a key part of the solution: the need to verify during the application process whether the given SSN matches other Personally Identifiable Information, which could prevent a synthetic identity from taking off.
It turns out that a system exists within the SSA – conveniently the only source of truth about the validity of SSNs – to provide this verification: the Consent Based SSN Verification Service (CBSV).
Although it is designed to answer this exact question – “Do the following name, date of birth and SSN match?” – it is based on the fact that the financial institution receives the consumer’s paper consent before making the request for verification.
As a result, the utility of the service is drastically reduced for most of the increasingly digital banking ecosystem.
Congress recognized the potential benefits of modernizing this anti-fraud system when it included language in a sweeping Financial Regulatory Relief Bill enacted last May directing the SSA to modernize CBSV by allowing electronic consent, rather than paper, to access the system.
The Consumer First Coalition and other industry stakeholders are actively engaged with the SSA to make the implementation a success.
Congress got it right when it passed this important provision: With children’s identities increasingly the targets of fraudsters, providing the financial industry with the tools to tackle synthetic identity fraud is critical. .
JASON KRATOVIL is executive director of the Consumers First Coalition, a group of companies committed to the fight against fraud, the protection of identities and respect for the protection of privacy.
• This article originally appeared in IAPP Privacy Outlook