October 28, 2014 By Steven D'Alfonso 6 min read

Synthetic identity theft is fraud that involves the use of a fictitious identity. Identity thieves create new identities using a combination of real and fabricated information, or sometimes entirely fictitious information. Fraudsters use this fictitious identity to obtain credit, open deposit accounts and obtain driver’s licenses and passports.

Typically, fraudsters will use a real Social Security number (SSN) and pair it with a name not associated with that number. Fraudsters seek SSNs that are not actively being used, such as those of children and the deceased. In some cases, an identity fraudster may create a completely fake identity with a phony SSN, name and address. This would be categorized as synthetic identity fraud since there is no theft involved. For the purposes of this article, synthetic identity theft or fraud will be treated as the same.

Why Is Synthetic Identity Theft Important?

This type of theft has been emerging as a major fraud activity over the past five to seven years. The size of the synthetic identity theft business is estimated to be in the billions per year across North America. According to CBC, monthly case volumes are in the thousands as compared to five years ago, when they saw about 100 per month.

The exponential growth of synthetic identity theft — and particularly its impact on children’s identities — will have distressing consequences for young individuals in the future. A study performed by Carnegie Mellon’s CyLab found that children’s SSNs are 51 times more likely to be used in a synthetic fraud scheme than those of adults for the population studied. While CyLab clearly stated its findings could not be extrapolated to the general population, the threat to children is evident.

Synthetic identity thieves target children’s SSNs because they are inactive and will generally remain unchecked for up to 18 years. Children generally have no public information associated with their SSN, making them a prime target. Unless a victimized minor’s parents are tipped off by a bill collector, the child begins receiving credit card offers in the mail or the child is denied a driver’s license or college loan, the fraud may not be discovered.

The true impact of child identity theft, which has been increasing over the past 10 years, will be realized as the victimized youngsters approach college age, start applying for college aid or have difficulty getting their first jobs after high school when negative information appears in a company background screening.

How a Credit File Is Created

It’s important to understand how a credit file is created prior to delving into the ways in which cybercriminals manipulate the system to their advantage.

Credit history is compiled and maintained by credit reporting agencies (CRAs) or credit bureaus. There are three major CRAs in the United States: Equifax, TransUnion and Experian. These agencies collect consumer credit history from credit card companies, banks, mortgage companies and other creditors to create an in-depth credit report.

Whenever a consumer completes an application for a credit card or loan of some type, all the application information is sent to the CRAs. CRAs gather the applicant’s personally identifiable information and determine whether a credit report exists. They also scour public records for financial information such as court records from bankruptcies and foreclosures. If no matches are found, the CRAs must keep a record of the inquiry by establishing a credit file. If a match is found, the credit file information is returned to the lender for it to make a credit decision.

The key concept to understand is that any credit request submitted to a CRA will create a credit file if none existed prior to the request.

Every month, lending institutions and other creditors send updated consumer credit information to the CRAs. This information includes how much individual consumers owe and whether they make their payments on time.

There are two kinds of inquiries: hard and soft. Hard inquiries are requests made by institutional creditors such as credit card companies, mortgage lenders, retail companies and landlords for rental applications. Soft inquiries are made by the consumer or by an employer as part of an employment background screening. Negative events such as bankruptcies, foreclosures and charge-offs stay on credit reports for seven to 10 years, while positive events such as on-time mortgage payments, can stay on even longer.

There are three main ways in which identity fraudsters exploit the credit process to establish synthetic identities and execute frauds: apply for credit directly with a lender, use the authorized user provision of most credit card accounts or through a data-furnisher scheme.

Applying for Credit

Fraudsters will create a synthetic ID and build a credit profile by directly applying for credit with a lender such as a credit card issuer. The initial application will be declined, but a new credit file will be established as a result.

With the newly established credit file, the fraudster will then apply for credit with a credit card issuer. When the card company runs a credit inquiry, the CRA will return information to the card company that a profile does exist. The profile will not have any credit history associated with it, though the fraudsters typically target card issuers that offer credit lines of $300 to $500 to applicants with no history.

Armed with a new credit account, the fraudster will legitimately use the credit account and make payments to establish good history. The fraudster will leverage the positive credit history to obtain more credit cards, retail store credit accounts and car loans.

The process is straightforward and easy to execute, but it is less favorable because of the time it takes to build a solid credit profile.

Authorized Users

The authorized user process is how most synthetic IDs are created. Adding authorized users to an account is legal and allowable by credit card issuers. It is typically used for legitimate purposes, such as adding a spouse or a child.

Fraudsters exploit the authorized user process and actively recruit cardholders with good credit to add unknown people/identities to their card, often for just several days. Using this technique, often referred to as “piggybacking,” the legitimate cardholder receives a fee for adding the authorized user identity to his or her account. A credit card is not issued to the authorized user; it simply sits on the credit account for a period and “inherits” the card owner’s credit history.

Once the trade lines have reported to the CRAs, the synthetic identity can be removed from the account as an authorized user, but the credit history is retained. The fraudster will then apply for credit with multiple card issuers. With multiple credit lines successfully obtained, the fraudster will max out all the credit lines by buying gift cards and valuable merchandise such as smartphones and other electronics that can be easily sold.

In this example, the fraudster could also execute a bust-out scheme in which the credit lines are maxed out, paid down with worthless or counterfeit checks and maxed out again before the check payments are returned. This creates an exposure of as much as two times the original credit limit. Well-organized criminals may be able to repeat this process more than once.

Card owners who are recruited to add authorized users will have as many as 50 in their account at once. Card owners may believe they are donating their good credit history to help others establish or repair their credit. There are many credit repair/piggybacking brokers who bring together donors and those who need credit assistance. Accounts that continually produce identities tied to fraudulent activity are known as pollinator accounts.

For example, a synthetic ID had a credit file created in June 2014 and used an address tied to a retail shopping center. In August, a seasoned trade line with a credit limit of $55,000 was added to the synthetic ID. Within two months of adding the authorized user, the synthetic ID amassed $200,000 in unsecured credit, making out over $140,000.

  • Bank A: $10, 000
  • Bank B: $10,000
  • Bank C: $50,000
  • Bank D: $5,700
  • Bank E: $20,000
  • Retail 1: $16,000
  • Retail 2: $20,000

The investigation revealed that most of the purchases involved retail gift cards and some high-end merchandise. One CRA investigator indicated that Verizon Wireless and other similar merchants are being targeted for smartphones, particularly iPhones.

Data Furnishing

Data furnishing is a very effective tactic but requires more sophistication and organization and may involve complicit insiders within a small business. This method requires fraudsters to use a front company, which is vetted by CRAs and approved to furnish or supply payment history on credit accounts extended to its customers.

These front companies may be new companies created for the purpose of committing fraud or may be existing businesses in which the owner or an individual within the business (e.g., credit or finance manager) is compromised by an organized fraud ring.

In the data-furnishing scheme, synthetic IDs can be created or credit files of existing synthetic IDs can be enriched. The typical scheme works in the following way:

  • An “applicant” applies for — and is granted — credit for a fictitious purchase of the business’s product, such as a used car.
  • Each month, the business reports payments on the credit account associated with the synthetic identities to which it has provided phantom credit.
  • Over several months, the synthetic identity’s credit score will improve, allowing the fraudster to obtain more and more unsecured credit from victim card-issuers until the fraudsters are ready to max out/bust out the card accounts.

Data furnishers engaged in synthetic ID activity may be identified because the CRA identifies anomalies such as credit accounts in amounts that far exceed the data furnisher’s product values. Additionally, CRAs may link multiple synthetic IDs to a particular data furnisher.

Synthetic identify theft is a growing problem, and its full effects may not be realized for several years. We will likely hear stories of children’s identities that were victimized years ago being uncovered years later as they moved into adulthood. Criminals understand that synthetic identity theft is generally an easy and lucrative scheme to employ. There are many factors that contribute to the problem, but the authorized user process and availability of credit from some of the major card issuers play key roles in this.

I will be writing more about synthetic fraud in the coming weeks, exploring challenges facing the industry, legislative initiatives and what financial institutions and consumers can do to help minimize synthetic fraud.

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today