Ghost in the System: Synthetic Identity Fraud
Let's talk about Synthetic Identity Theft.
First, take note that this mainly applies to the good old USA. This type of thing is possible in Canada, but isn't really prevalent there...yet.
So what is it? A Synthetic Identity, or CPN (Credit Profile or Credit Privacy Number) is a form of fraud, typically using elements of Identity Theft, used to create “ghost” credit profiles among the three major credit bureaus, Equifax, Experian, and TransUnion.
What does that mean? Here is an example of how Synthetic Identity Theft typically works:
A cybercriminal goes to one of the many online criminal bazaars. Once there, he or she finds a vendor who traffics in stolen identities of children. These identities typically sell for $1-$3 each, depending on the time of year in which they are purchased. For that cost, the criminal receives the child's NAME, SSN, and DOB. Typically, criminals are looking for very young children, the younger the better. A criminal can also use an inmates social security number or, thanks to the Social Security Administration, fabricate a social security number, verify the number has never been issued to anyone, and then use it to commit synthetic fraud.
The most common way that this crime is committed is the latter, fabricating a social security number. In 2011, the Social Security Administration decided that the best thing they could do to fight identity theft was to make the issuance of social security numbers completely randomized. No longer would anyone be able to tell the year the number was issued, the state it was issued in, etc. The action had the opposite effect. The result for criminals was a boon for identity thieves. Now, criminals could make up numbers, verify they weren’t issued, and no one would be able to tell if they were newly issued numbers, what state thy were issued from, to whom, or anything else. Synthetic Fraud was already possible, but the action of the Social Security Administration now made it easy. How easy? Today, Synthetic Fraud accounts for over 80% of all new identity fraud. Total dollar amount of the fraud? Last year, it was $50 Billion.
While creating socials is by far the most popular, using the information of children is also very popular. It is so popular, that children are now the most common victims of identity theft.
What the criminal is needing is the SSN. This is the main piece used to create the Synthetic ID. The criminal tends to use ONLY the SSN and adds any NAME and DOB he wishes to it.
Let's take a break a second to discuss how credit profiles work.
You are born without the three major credit bureaus knowing you exist. In fact, they don't know you at all until you do something in your life which triggers a credit query with one of the credit bureaus. Typically, when an individual enters adulthood, they apply for a credit card, utilities, a smartphone, etc. The first time they apply it sends a request to one of the three credit bureaus for a credit check. If it is the individuals first time ever applying for credit, the return response is “No Record Found.” This means that the individual, as far as the credit bureau is concerned, has never had any credit in their life. The credit bureau reports such. At the same time, the credit bureau which was queried makes a new credit profile in the name of the person whose credit it just checked for. That is the way it works for everybody. Equifax and the other two have no idea who you are until you tell them who you are.
Criminals use this to their advantage. If completely new data is presented to a credit bureau—NAME, SSN, DOB-- it creates a brand-new credit profile that the criminal can exploit if they have the proper knowledge.
One of the major problems is that credit bureaus and credit issuers don't automatically verify the SSN against the Social Security Administration database. It is an easy fix, but it’s something that hasn't been implemented and isn't even on the horizon to being implemented. Because of this, the credit bureau simply doesn't know if the information submitted to it about the individual is accurate or not. The bureau makes the profile with the info given as long as the info isn't already in their system. Enter said criminal.
So now you should be able to figure out why criminals like to use kid's information. Their SSN isn't in the credit system. It is a real SSN that has never been used for anything. Also, using a child assures the criminal no one is likely to complain. At least not for many years. If the criminal uses the SSN of a 2 year-old, then he likely has at least 15 years before anyone knows a crime was ever committed. By that time, the trail has grown cold. Law enforcement likely won’t follow up on it. The crook has gotten away. The result? The kid who is now an adult is saddled with disastrous consequences which could take a LONG time to fix.
Which brings us to another problem. Currently there are no nationwide mechanisms to protect children from identity theft. It isn't a difficult problem to solve. A credit freeze can be placed on a child's identity as easily as on adults. Currently this takes the action of a parent. A few states have passed measures which assist in this to make it easier to freeze the info of a child, but it is pitifully few and for a parent to do it on their own can be a chore.
Saving children from being victims of identity theft is a pretty straightforward affair. The problem is not many people are doing anything about it.
Which brings us to the next level of this crime.
So the criminal now has a Ghost in the System. He has created a fictitious person using some real elements and gotten it entered into at least one of the credit bureaus. The problem for the criminal is the ghost credit profile has absolutely no credit. As such, it isn't really worth much to someone trying to commit fraud. The criminal needs to do a number of things at this point for the intended fraud to ultimately be successful.
Here is where I decline to state what some of those “things” specifically are. It is not my intent to walk would-be criminals through how to commit Synthetic Fraud. It is my intent to illustrate how easy this fraud is to perpetrate and equally how easy it is stop, given proper legislation and security.
So--that said--the criminal must do certain things to make it look as if the ghost he has created is a real person. The created sham doesn't have to stand up to an in-depth analysis, only a cursory check.
Which brings us to another error in the system which is being exploited. The systems in place tend to only do a surface check. Systems currently aren't performing detailed checks before issuing credit, and there are few manual revews. Many issuers rely on public records to verify that the person wanting credit is real. Unfortunately, these same public records are VERY EASILY manipulated and fabricated.
So the criminal uses a variety of methods to make it appear that the ghost is, in fact, a real person if some bot were to quickly crawl through public databases to check for that ghost.
Next, the criminal needs to boost the credit score and history of the ghost he has created. There are a few ways to do this. And, thanks to the US Congress, it isn't really hard. A criminal could choose to build credit the old-fashioned way, the same way that Americans conventionally do, by slowly building their credit over many months and years, paying their bills and being good creditworthy citizens.
The problem for the crook is that route takes too damn long when you are trying to make some cash. Enter Authorized User Tradelines. Under current US Law, it is legal for Person A to add Person B onto one of A's existing credit lines as an Authorized User. This not only potentially allows user B to use the credit line A added him to, but MORE IMPORTANTLY gives Person B the credit history of that specific credit line (credit card) come the next billing cycle.
So what does that mean? It means that person “B” with no credit can be added as an authorized user to someone else's (Person A) credit card, never actually use the credit card, and next billing cycle Person B will have the entire credit history of that one specific card added to their credit report. It’s pretty nifty. And it can raise the credit score of an individual up VERY quickly, especially if the person has no credit score or history to begin with. This method of boosting one’s credit has spawned an entire industry of folks who sell authorized user access to their credit cards and also companies who market those “Tradelines” to people wanting to boost their credit. Something sounds odd, right? I agree. But it is still legal.
The criminal uses these tradelines to create a credit history for his ghost. By adding a tradeline of a card a few years old it looks as if the ghost has been credit worthy for years, maybe decades. Usually, also needed to commit this type of crime are cards actually in the name of the ghost, otherwise known as primary tradelines. To satisfy this requirement, the criminal typically relies on a variety of easily obtained secured credit cards which report to credit bureaus.
And that is really all it takes to commit this crime. The crook must get the ghost into all three bureaus which isn't difficult. Then he has to get his ghost to look like a real person. Then he has to build the credit history. All it takes is a little time.
And the payoff for the crook? Anywhere from a few grand to many thousands of dollars. It all depends on the patience of the criminal. If the criminal takes his time, gets real credit cards in hand, pays off those credit cards over a few months and build a detailed credit history, then the criminal may ultimately walk off with well over $50k from that one profile.
This type of crime is ideal for fraudsters. The fraudster controls everything about the profile because he created the profile. He can answer all security questions. And no one ever complains.
This is the reason that Synthetic Identity Theft is now over 80% of all ID Theft.
But it is not hard to counter. I have detailed above ways that this can be curtailed. Proper legislation also goes a long way.
What else? Credit bureaus need to automatically be able to verify individuals identities against the SSA records. Takes legislation to do
Second, we need the ability to freeze the identity information of children so they don't become victims. A few states have made this easier. We really need this to be an automated process. At present, parents can do this for their children, but poorer and uneducated parents tend not to think of such things. Again, LEGISLATION.
Authorized User Tradelines. It’s a good concept, but really? Too much fraud associated with this to keep it around. We get rid of tradelines and all of a sudden Synthetic ID Theft becomes very hard to commit. It would still be possible, but not as easy. Criminals would look elsewhere for money.
In addition, more in depth automated checks need to be done. The days of a simple web crawl to verify to see if a phone number and address pops up on something like Whitepages needs to stop.
Also, there is a definite pattern fraudsters use to commit this type of crime. I've detailed a great bit of it in this post. Systems need to recognize the pattern and before credit is issued a detailed review needs to be conducted.
None of this stuff is rocket science. And that is one of the most important things to realize about cybercrime—it doesn't take a genius to commit these crimes. And it doesn't take a genius to stop these crimes, either.
If anyone has any further questions or would like advice or instruction on the matter, please contact me Gollum@anglerphish.com