Synthetic Identity

With the acceleration in terms of digitization forced by the pandemic, our digital identity has become a valuable asset, as it is an increasingly adopted means to authenticate us on various platforms. Therefore, the ability to reliably validate a person has become a latent concern in organizations, given that, in addition to fraud attempts through impersonation, account theft and non-payment, a new challenge has been added: synthetic identity.

In this article, we will explore in detail what a synthetic identity is, how it affects organizations, the economic impacts produced, and examine strategies to counteract this phenomenon.

‍What is a synthetic identity?

A synthetic identity is a fictitious identity created for the purpose of deception and illegal activities.‍

This digital construct combines real and fictitious information to form a unique synthetic identity. These identities can include names, real addresses, social security numbers, and other personal information obtained from various sources, such as public and private databases. The main difference between a synthetic identity and a real identity is that the former is not associated with a specific natural person, while the latter belongs to a legitimate individual.

Fraudsters use these synthetic identities to evade detection in order to open fake bank accounts and apply for fraudulent credit and loans. Because they are not linked to a real person, these synthetic identities make it difficult to identify the perpetrators and therefore to recover funds.‍

How it affects organizations

Organizations, especially banks, e-commerce, retail, or fintech that grant loans, credit cards, or BNPL, face significant challenges when it comes to synthetic identities, because when seeking to validate an applicant through fully digitized mechanisms, criminals seek to exploit vulnerabilities in identity verification systems to open fake accounts, apply for fraudulent loans and extract money.

This attack methodology involving the use of synthetic identities is not new, one of the first emblematic cases was in 2013, where a group of criminals in the US created more than 7,000 identities with an economic impact of around 200 million dollars.‍

According to the FBI, the mechanism had three simple steps:

1. "Make up": constructed false identities by creating fraudulent identification documents and a fraudulent credit profile.
2. "Pump up": would increase the credit of the false identity by providing apocryphal information about the creditworthiness of that identity to the credit bureaus. Believing the information provided was accurate, the credit bureaus would incorporate this material into the fake identity's credit report, making it appear that the fake identity had excellent credit.
3. "Run up": large loans using a false identity. The higher the credit score, the larger the loans they were able to obtain. These loans were never repaid.

Today, according to thomsonreuters, no one knows c o one knows precisely how much money is lost to synthetic identities, but estimates range from 20 to 40 billion. Since 95% of synthetic identities are not detected during the onboarding process and financial, e-commerce or retail organizations either never detect it or it is simply written off as an unrecoverable cost of doing business.‍

How to Prevent Synthetic Identity Fraud

Preventing the malicious use of synthetic identities is not simple and requires a comprehensive approach that combines technology and collaboration.

One of the most common ways to discern whether an applicant is a real physical person or a synthetic identity is through open source analysis with tools such as Maltego or Visallo that allow OSINT (Open Source Intelligence) involving manual processes with highly skilled personnel and above all, a lot of time and money. This path simply does not scale, since it impacts the cost of customer acquisition, increases the conversion time from applicant to customer and in the case of only analyzing non-payments, it is reactive and meaningless since the recovery of funds is very unlikely.

Let's start from the consensus that there is no unique and infallible mechanism, let's discard the silver bullet and granularize the problem.‍

A synthetic identity requires real and/or fictitious data conjugated to create this new digital identity, therefore, minimally it requires:

1. Email: it is one of the main data requested in onboarding, there are countless online tools to create temporary emails in which you can receive an OTP (one-time password) or a link to continue the onboarding process. Starting the synthetic identity verification in an automated way at this point, validating that the email is not temporary, is not involved in fraud cases already reported, is not newly created or requesting interaction beyond a click to avoid automated bots can be a great starting point.
2. Phone number: along with email, these are the two pieces of information that all digital onboarding requests, and just like the previous point, there are also countless online tools to create disposable numbers that can receive an OTP (one-time password) or a link via SMS (text message) to continue the process. Validating on which device the SMS was received, knowing its digital trace and other simpler validations such as operator and type of plan (pre-paid/post-paid) can be very useful.
3. IP address: this is a piece of information that is usually captured and not requested directly from the applicant. Using simple VPNs for the smartphone, desktop, or browser or more complex VPNs such as proxychain or TOR, it is easy for an attacker to falsify this data. Analyzing IP in detail to check its reliability and linking it to additional elements such as geolocation and address can result in very good defense mechanisms.
4. Geolocation and home address: like IP address, geolocation is easy for an attacker to manipulate. Linking geolocation to the declared home address by relating them to accepted/rejected zones and looking for consistency with the rest of the data can be a very impactful analysis. You can add robustness by matching the geolocation with the IP location used by the applicant.
5. Citizen ID number: depending on the country you are in it will have a specific denomination, we will take the case of Mexico where it is known as CURP (Clave Única de Registro de Población). Here we can face two scenarios:

1. The simplest is when a fraudster tries to use a non-real CURP, since when verifying it against government agencies it can be determined to be false.
2. The most complex is when the fraudster uses a CURP of a real individual, i.e., impersonates this data. It is then that it is time to start linking the different data points to understand the coherence of the digital identity, which in an agile way can be through the predictive power of automated analysis with artificial intelligence.

1. Identification document: understood as the physical credential with name, photo, etc., either in a passport or in an official document of each country. Returning to the case of Mexico, this document is known as INE and it is very simple for attackers to buy them forged or acquire editable templates (in case you missed our article on "The black market of identity data in Mexico"). This is a major point of failure for KYC providers, which is why many companies have manual document verification equipment making it unscalable and inefficient.
2. Selfie: In recent years, KYC solutions have sought to strengthen their proof-of-life identification mechanisms, making it generally more complex for attackers to abuse this step with photographs, videos, masks, etc. However, there are still cases in which facial recognition systems are circumvented.

We can conclude on the following three points as opportunities for improvement in origination to combat synthetic identity fraud:

1. Relate the different data points: Understanding the consistency of the data requested from the applicant can become somewhat complex when incorporating different solutions on the same onboarding pipeline since they must be monitored independently and generally do not intercommunicate with each other. Therefore, having an automated tool that centralizes, analyzes and allows to obtain a recommendation on each applicant can become decisive to successfully combat synthetic identity fraud.
2. Cross-industry collaboration: Collaboration between government, private and cross-industry organizations and entities is essential to combat the use of synthetic identities. By sharing data on suspicious identities and fraudulent activities, early detection and effective response to these cases can be facilitated through the creation of a reliable and centralized information-sharing ecosystem.
3. Improving identity verification systems: Understanding KYC beyond a regulatory tool, but investing in sophisticated and robust identity verification systems, subjecting them to ethical hacking tests and requiring assertiveness SLAs, which ideally communicate with the rest of the tools.

At Trully, we are aware of the negative economic impact that synthetic identities can generate, so we have developed tools that address this problem in a simple and dynamic way.

With Trully Fraud we guarantee the authenticity of each client, thus protecting the financial integrity of your organization. We use artificial intelligence and machine learning to perform an exhaustive analysis of the data provided by your customers and match their identities with our advanced facial recognition database.

Do you have suggestions, questions or would like to know more? Contact us.