Synthetic Fraud: Chasing Ghosts In The Credit System
9th April 2018, Bachir El Nakib, Senior Consultant Compliance Alert (LLC)
By definition, Synthetic ID theft (Fraud) is a type of fraud in which a criminal combines real (usually stolen) and fake information to create a new identity, which is used to open fraudulent accounts and make fraudulent purchases. Synthetic identity theft allows the criminal to steal money from any credit card companies or lenders who extend credit based on the fake identity.
Synthetic fraud is the fastest growing form of identity theft in the U.S., comprising 80% of all new account fraud and 20% of all credit card losses. In 2017, synthetic fraud caused an estimated $50 billion in losses. Why has the synthetic fraud problem grown to such heights? Because no one has been complaining about it.
Poor man’s credit repair
What is it? Synthetic fraud uses fake personally identifiable information (PII) to create new credit profiles, pump up credit scores and use them to get goods and services.
There are many faces to this crime, but it started out originally as a tool to help out poor people. Synthetic fraud began in poor communities in the U.S. where people with terrible credit couldn’t afford to purchase goods and services they needed. It was marketed as a credit profile number (CPN). They were told they could legally use a CPN in place of their Social Security number (SSN) and apply for credit.
Once popular in those areas, it was noticed by fly-by-night credit repair companies which began selling CPNs and tradelines as a means for people to fix their credit. It was only a matter of time before organized criminal elements noticed the potential. They co-opted synthetic identity fraud, refined it, and brought an efficiency and criminal expertise to it that hadn’t been seen before.
Today, a person engaging in synthetic identity fraud may still be someone with crappy credit trying for a fresh start. In this case, they will use their real name with a different SSN, address and phone number. However, much more common are professional crooks using a variety of methods to make money exploiting the systemic weaknesses of the U.S. credit system. It may be a crook stealing a child’s real identity and applying for an employer identification number (EIN). Then, the crook builds a synthetic credit profile with the victim’s real name, different SSN, same date of birth (DOB), different address and different phone number. Once done, the crook uses the real EIN with the synthetic profile and applies for business credit. Or maybe the fraudster just wants some quick cash. He can build a credit profile with a fake name and fake SSN, pump the credit score up to 760 in 30 days, then apply for personal loans and walk away with cash in hand.
Social Security numbers are key
There are many variations, but it always starts with the SSN. A new credit file must be made in the credit bureau system to commit synthetic identity fraud, and that requires an SSN not previously in the system. How can a fraudster easily get an SSN?
They take a child’s inactive SSN and substitute a real adult’s name to apply for credit.
They can also create a completely fake SSN and a fake name to go with it.
In 2011, the Social Security Administration made creating synthetic identities a whole lot easier when it randomized the issuance of SSNs to combat identity theft. This decision to randomize new numbers meant someone could no longer determine from the number what year the SSN was issued or from what state. That also meant that fraudsters could now use a child’s SSN without it being flagged as belonging to a child. They also could create an SSN out of thin air and credit and loan providers wouldn’t be able to tell it was a fake. As long as the SSN wasn’t already issued to another adult, a fraudster could use it.
Beyond the SSN, synthetic fraud works by exploiting a variety of other systems, including the credit bureaus, open source intelligence (OSINT) gathering, credit application systems, know your customer (KYC) filters and more.
Typical synthetic fraud
How easy is it to get done? Let’s walk through how this crime is typically committed so you can see where the gaps are in the system and how fraudsters exploit them:
Create an SSN following the guidelines, being careful that the prefix doesn’t start with a non-SS number. Verify the number through a SSN validator easily found through a Google search. Alternatively, buy the SSN of a child born after 2011 on the darknet for under $2.00. Either way, the SSN has never been seen by the credit bureau system, allowing the crook to build a new profile at the major credit bureaus.
Add a name, DOB, address and phone number to the fraudulent SSN.
Apply for credit through mortgage refinancing or a car loan – something which pulls the report from all three major U.S. credit bureaus (Experian, Equifax and TransUnion). The application will be denied, but the process of reviewing it will create a new credit profile at all three bureaus (also known as “tri-merging”) with the synthetic information.
Wait 24-48 hours. Go to creditkarma.com and pull the free credit report. Security questions will be asked. The fraudster has the answers to those questions because he created the profile. If the credit report is available, proceed to the next step.
Manipulate OSINT to fool fraud prevention tools. Go to listyourself.net and input the synthetic information. The profile will appear in Whitepages’ directories and junk mail will be sent to the address in the synthetic profile’s name. Apply for various rewards cards from airlines, grocery chains and pharmacies. Consider building a Facebook page. If a creditor searches for identity information using OSINT tools the synthetic identity will have an online history.
Wait 72 hours. Go to Capital One and apply for a secured credit card. A $49 deposit will give you a $200 credit limit. The profile is already making money.
Pick up a prepaid debit card and register it in the name of the synthetic identity. Use the banking routing and account numbers to fund the secured Capital One card. The secured card gives you a primary line of credit, but it does little for the credit score.
Time for authorized user (AU) tradelines. In the U.S., becoming an AU on someone’s credit card results in the specific credit history of that card becoming the credit history of the authorized user. It’s completely legal and costs anywhere from $300 to over $3,000 per card depending on the type of card, available credit balance, age of card and debt ratio. Doing this with a synthetic profile means a credit score can go from zero to the high 700s in just over 30 days. Another benefit is the age of the account being used affects the age of the synthetic identity profile, making the synthetic profile look older than it really is.
Once the fake profile is built, the fraudster can then apply for new loans and credit cards. Depending on how they wish to proceed, they can cash out from $20,000 all the way to $200,000 in a matter of a few months.
Please note that a creditor rarely actually looks at the credit report. Instead, they rely on automated systems to determine whether credit is granted to applicants. If the application falls within a given set of parameters, credit is granted without question.
This reveals one of the dangers of automated provisioning of credit. Only if an application falls far enough outside of those parameters does a human finally pull the credit report. Synthetic profiles are built to always fall within those automated parameters: High credit score, age, an open-source online presence, time at address and employer, upper average salary, etc. It becomes readily apparent an identity is synthetic if a credit report is actually examined.
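One way a creditor's automated decisioning could route such files to a human reviewer, as an added example that is not part of the original article. The field names, the rules and the thresholds (180 days, score 700, two matching reasons) are assumptions chosen to mirror the signals described above, not any bureau's or vendor's actual schema.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Tradeline:
    opened: date           # date the underlying account was opened
    authorized_user: bool  # True if the applicant is only an AU on it

@dataclass
class CreditFile:
    created: date            # date the bureau file first appeared
    created_by_denial: bool  # file came into being via a denied application
    score: int
    tradelines: list

def review_reasons(f, today, min_age_days=180, high_score=700):
    """Return the reasons (assumed rules) to route this file to a human."""
    reasons = []
    if (today - f.created).days < min_age_days and f.score >= high_score:
        reasons.append("high score on a young file")
    aus = [t for t in f.tradelines if t.authorized_user]
    if f.tradelines and len(aus) / len(f.tradelines) > 0.5:
        reasons.append("history is mostly AU tradelines")
    if any(t.opened < f.created for t in aus):
        reasons.append("AU tradeline predates the file")
    if f.created_by_denial:
        reasons.append("file created by a denied application")
    return reasons

def needs_manual_review(f, today, threshold=2):
    return len(review_reasons(f, today)) >= threshold

# Constructed sample files, not real bureau data.
TODAY = date(2018, 4, 1)
YOUNG_FILE = CreditFile(date(2018, 2, 20), True, 760, [
    Tradeline(date(2018, 2, 25), False),   # secured card, primary account
    Tradeline(date(2009, 6, 1), True),
    Tradeline(date(2012, 3, 15), True),
])
ESTABLISHED_FILE = CreditFile(date(2005, 9, 1), False, 760, [
    Tradeline(date(2005, 9, 1), False),
    Tradeline(date(2010, 1, 10), False),
    Tradeline(date(2015, 5, 5), True),
])

if __name__ == "__main__":
    for name, f in (("young", YOUNG_FILE), ("established", ESTABLISHED_FILE)):
        print(name, needs_manual_review(f, TODAY), review_reasons(f, TODAY))
```

The age-based rule stops firing once a file is older than `min_age_days`; the tradeline-based rules do not depend on file age.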
Synthetic fraud as organized crime
Skilled fraudsters love synthetic fraud. The profits are large, the crime is easy, and it’s hard to get caught. No one complains because the identity is either fake or belongs to a child who has no reason to participate in the credit system. If the identity belongs to a child, they won’t realize they are a victim of identity theft for years. The other victims are creditors, but creditors usually don’t recognize it as fraud. It looks more like someone who didn’t pay their bill and is often classified as a bad debt.
Skilled fraudsters take this process, make it efficient, and scale it up into real organized crime. They use stolen credit card logins to add authorized users. They use virtual and drop addresses, mail forwarding services, fake driver licenses and sophisticated money laundering techniques to set up profiles, receive mail and cash out. They set up dozens or hundreds of synthetic profiles at once and often layer the profiles by adding authorized users onto credit cards of aged synthetic profiles, resulting in profiles with extensive credit histories. Professional fraudsters even use proxies or remote desktops to spoof IP addresses and locations, so each synthetic profile appears different.
Current prevention efforts insufficient
Little wonder increasing numbers of fraudsters realize synthetic fraud is about as close as one can get to committing the perfect crime. When I first wrote about synthetic fraud early last year most people then had never heard of it and were amazed such a crime was even possible.
Things have changed in the months since my initial article. Law enforcement is more aware of the problem and is making more synthetic fraud related arrests. Fraud prevention related companies like LexisNexis, Emailage, Idology and others are working hard on methods to recognize synthetic fraud profiles. Financial institutions, creditors, and even credit bureaus themselves are working to combat the problem and progress is being made.
Unfortunately, the steps taken to combat synthetic fraud have done little to stop its growth. Now synthetic fraud is a staple of many fraud-related communities. Fraudsters openly discuss building profiles; tutorials are sold or traded (some over 300 pages long) teaching people how to do it. Classes in synthetic fraud for fraudsters are regularly being taught and the numbers of people committing this fraud have multiplied.
Fraudsters are aware that some companies are catching on. They know some measures have been introduced to flag synthetic profiles and they have a solution: patience. Fraudsters have started aging the profiles for longer amounts of time. They are adding multiple AU tradelines to profiles. The result is best summed up with a recent conversation I had with a Wells Fargo fraud analyst: “What the hell are we going to do when these people age a profile for 6 months or a year?” he asked. “You won’t be able to tell the difference between a synthetic and a real person. What then?”
That is a really good question. I’ll let you know when I have an answer.
Former U.S. Most Wanted Brett Gollumfun Johnson has been a major player in the cyber crime world for over 20 years. He built a precursor to today’s darknet markets and was instrumental in developing many areas of online fraud still in operation today. After serving seven and a half years in a federal prison, Johnson started the consultancy AnglerPhish Security and today works with a variety of organizations and companies to stop cybercrime, including the FBI, The Identity Theft Resource Council, Microsoft, Emailage and Next Caller among many others.