Fraudsters are nothing if not resourceful.
But gone are the days of dumpster diving for credit card carbon papers—as is the relative ease of fabricating new plastic with stolen account numbers, which is no longer such an enticing proposition as EMV chip cards now dominate consumers’ wallets.
If instant gratification is getting hard to come by, what’s a would-be identity thief to do?
The answer is, as it turns out: Be patient and commit synthetic identity fraud.
Traditional identity (ID) theft is well-known: A criminal obtains enough personally identifiable information to open fraudulent credit accounts in a victim's name or take over existing accounts.
Where synthetic ID fraud differs is in its approach, execution, and the nature of the information used in the scheme. It’s a major problem that by at least one estimate represents around 80% of credit card fraud losses for the industry and creates major problems for its victims.
To start, the process relies on an old stand-by: Stealing valid Social Security numbers (SSNs). For this crime, SSNs of children are the most prized as they are less likely to have any associated credit history.
Exacerbating this, the decision by the U.S. Social Security Administration to move to randomized SSNs has encouraged fraudsters to seek out unissued SSNs in particular — that is, those of children born after the change took effect in 2011.
Once in hand, a valid SSN is paired with fictitious personally identifiable information and, in many cases, used to apply for a credit card. As part of its underwriting, the issuing bank will attempt to pull the applicant’s credit file from one of the nationwide credit reporting agencies.
Since this is a child’s SSN paired with made-up information (although only the criminal knows this), no file can be provided to the bank, likely leading to a declined application.
However, as is the process by which many consumers become credit-active, this inquiry triggers the creation of a file at the credit reporting agency, but with the fraudulent information.
Thus, a “synthetic” identity is born.
The next phase requires patience—and sometimes a little help from a friend.
The synthetic identity is often “piggybacked” as an authorized user on an accomplice’s credit card, giving the synthetic identity an immediate boost to its credit score.
Then, over time (usually months), the valid card is kept current and on-time, generating at least the beginning of a positive trade line on the fake identity’s credit report.
Now it’s time for the fraudster to visit a different financial institution and apply for a card with the synthetic identity. This time, when the bank requests a credit report, one can be provided—albeit not a great one, but certainly one more likely to be granted with a modest credit line.
If successful, and repeated fast and frequently across many issuers, the criminal is likely to rack up a good-sized chunk of credit.
This leads to the “bust out” shopping spree and disappearing act.
When the dust settles, financial institutions will be left with fraud losses to absorb. But the situation is worse for the children whose SSNs were used to create the synthetic identities.
After all, they will likely be unaware of any fraud until they first attempt to utilize their SSN for financial reasons—opening a first checking account or applying for student loans, for example—many years after the synthetic identity fraud has occurred.
As the first user of an SSN is often presumed to be the rightful owner, the burden is on the true victim to clean up the mess caused by the criminal.
Astute readers have probably identified a key part of the solution: The need to verify during the application process if the given SSN matches with the other personally identifiable information, which could prevent a synthetic identity from getting off the ground.
As it turns out, a system exists within the SSA—conveniently, the only source of truth as to the validity of SSNs—to provide this verification: the Consent Based SSN Verification Service (CBSV).
While designed to answer this exact question—“Do the following name, date-of-birth, and SSN match?”—it relies on the financial institution receiving paper-based consent from the consumer prior to making the verification request.
As a result, the utility of the service is significantly reduced for most of the increasingly digital banking ecosystem.
Congress recognized the potential fraud-fighting benefits of modernizing this system when it included language in a broad financial regulatory relief bill enacted this past May directing SSA to modernize the CBSV by permitting electronic—instead of only paper-based—consent to access the system.
The Consumer First Coalition and other industry stakeholders are actively engaged with the SSA to make implementation a success.
Congress got it right when it passed this important provision: With the identities of children increasingly the targets of fraudsters, providing the financial industry the necessary tools is critical to curbing synthetic identity fraud.
• This article originally appeared in IAPP’s Privacy Perspectives