Synthetic IDs: Understanding the Threat
Postal Inspector Explains How False IDs Support Fraud
The use of synthetic identities is a rising concern for organizations, and financial institutions are often the ones taking the hit for the fraud, says Claudel Chery of the U.S. Postal Inspection Service.
Fraudsters develop synthetic identities by taking personal information from various individuals and combining them into a new, hybrid identity that only exists in the virtual world. Fraudsters use this information to open new bank or credit card accounts.
In the past, individuals who wanted to use and pay off their accounts legitimately but couldn't do so because of past bad credit created synthetic identities. "Fast-forward 20 years later, and it's more for illicit gain where the intention is specifically to establish a pool of accounts that can be used to create a greater systematic fraud," Chery says in an interview with Information Security Media Group (transcript below).
Financial institutions usually are the victims of the fraud because there's no individual victim; losses generally get written off as bad debt, Chery says.
Preventing fraud based on synthetic identities is difficult. If a bank took every possible measure to curb fraud, it wouldn't have any customers, Chery says. "As the balance shifts up and down between higher security, less security and better customer experiences, there's always a little loophole or a little crack where fraudsters or suspects will exploit for their illicit gain," he says.
In the interview, Chery discusses:
- How information is compromised to create synthetic identities;
- The role law enforcement is playing in helping organizations curb identity fraud;
- Continuing investigations within the U.S. Postal Service.
Chery recently gave a presentation on synthetic identities at ISMG's Fraud Summit 2013. A video of his presentation is now available.
Before joining the United States Postal Inspection Service in 2004, Chery worked as an investigator for the New York City Department of Investigation. Criminal investigations Chery conducted as a postal inspector have led to the arrest and conviction of more than 150 individuals.
ERIC CHABROW: One of the things you discussed in your presentation was synthetic identity. What is synthetic identity?
CHERY: Synthetic identity essentially is an identity of an individual that's created using various different PII, personally identifying information. This is where the ... bad guy ... will take that information - part of the information from [one victim], part of the information from himself and part of the information from another victim - put it into a melting pot, so to speak, and then try to make up a hodgepodge of a new person that really does not exist except in the virtual world.
Essentially, he'll take this address from this victim, this date of birth from this victim maybe, or his own date of birth so he or she actually remembers it, and half of a Social Security number from this victim, a portion from himself and a portion from another victim, or any type of variation of that kind of structure, and he'll create a synthetic identity that can be used to apply for different credit cards, different bank accounts and things of that nature.
CHABROW: This has been around for quite a while?
CHERY: It has been a while. ... It goes back to the days where someone would apply for a credit card account and they had bad credit so they would probably change their Social Security number so that they would actually get approved. It's gone to the way where someone would actually just change it to legitimately get a card so that they would use and legitimately pay off on their own to where someone will do this to illegitimately get a card ... with no intention of paying off. The express purpose is to use it for illicit gains where, before, someone might have done it because they had bad credit, they couldn't get a credit card and they really needed one. They wanted to continue using credit but they made mistakes in the past so they might have doctored or fudged their numbers a little bit to try to get that approval process done. Fast-forward 10, 15 or 20 years later, and it's more for illicit gain where the intention is specifically to establish a pool of accounts that can be used to create a greater systematic fraud.
CHABROW: Who are the general victims of this kind of fraud?
CHERY: Unfortunately for these types of frauds the victims tend to be the financial institutions. Don't get me wrong on this - there can be individual victims where the Social Security number can be linked back to a true person. The reason why I say that is because when an account goes bad and an institution charges it off as bad debt, it will typically be sold to a collection agency. Now there are various different collection agencies, some more aggressive than others, and they will go through whatever measures they can to collect on that account because it's a business. In doing that, if the Social Security number comes back to John Doe as a true person and it's being used as Mary Jane as a fake person, they may not only try their collection efforts against Mary Jane who doesn't exist, but they will also try to get their collection efforts on John Doe because John Doe has a real digital footprint, where Mary Jane does not. It can come back to a victim, but more often than not it doesn't. The ball ends up being on the bank's court where they will take the loss because there's no true victim and it gets written off as bad debt.
CHABROW: Can you give an example of a recent investigation you were involved in? How was that resolved?
CHERY: There are still two open investigations that I can cite. There's one particular investigation that U.S. Postal Inspectors had where the fraud - and by fraud I mean the exposure to the bank - was over $60 million, and in this particular case the individual opened over 200 different credit cards over various different institutions. Once he had those credit cards opened, he would use them in a traditional sense to make illicit credit card charges for services, goods and things of that nature. Now the thing behind these credit cards is that they were all created with synthetic identities, and he would use various different names, various different Social Security numbers, deviations and variations of, and different addresses across various different localities in the ... New York, New Jersey, Connecticut and Pennsylvania area.
Once he had these accounts opened, he would use the pool of accounts that he opened, let's say six months ago, to pay off the accounts he just opened today. The accounts that he opened today he would hold on to them, and a year later he would open another group of accounts in Pool C and then use some of Pool A and Pool B to pay Pool C and vice versa, creating counterfeit checks to pay them off. He would make overpayments in those accounts and essentially, by making overpayments, in this particular example, if the balance was about $500, he would send in a check for $1,000. He gets a $500 refund check. He'd call in and say, "I made an overpayment. Can I get a refund?" He gets issued a $500 refund check. Now by the time the credit card company realizes that the payment he originally made comes back bad, he's already gotten not only the charges he made on the card and new charges he made after the payment posted, but he also got a $500 refund.
CHABROW: I'm a little surprised that technology doesn't pick that up almost instantly. Why not?
CHERY: Financial institutions are kind of like a double-edge sword. The surefire way to eliminate fraud is not to have the credit card accounts at all. It's a balance between what the customers want versus protecting the customer or the institution itself from fraud. If an institution implemented every possible measure to prevent fraud from happening, and I mean every possible measure, they would not have a customer. Unfortunately that's the fact of the matter. It's a balance, and unfortunately that balance shifts to higher security measures and a less-pleasing customer experience until that customer experience becomes normalized where they expect this type of level of security for their accounts. As that balance shifts up and down between higher security, less security and better customer experience, there's always a little loophole or a little crack fraudsters or suspects will exploit for their illicit gain.
CHABROW: Are the fraudsters staying ahead of the game?
CHERY: It depends on who you ask. If you're asking us, no, we're catching them as fast as we can find them. If you ask the financial institutions, they're identifying them as fast as they come across them. It all depends on who you ask, but I think in this digital age it's not necessarily that they're staying ahead of the game; it's just that it's a lot easier for them to do it than it was 10 or 15 years ago.
Catching the Fraudster
CHABROW: The fraudster you were just discussing, how did you catch him?
CHERY: He came on our radar probably several times, and when I say ours, I mean law enforcement. But in that particular case, it was maybe one account, two accounts; it was never the whole pool of accounts. When he came to the attention of postal inspectors, a large investigation ensued. The banks were already realizing that they were taking losses, and postal inspectors did a lot of leg-work: data mining, surveillance, the traditional law enforcement steps. He would be sending out these payments and we would intercept the payments from the collection boxes and the mailboxes, and send them to our forensic labs for DNA analysis and fingerprints. It was the good old-fashioned, gum-shoe work that led us to identifying him and culminating these large pools of accounts by not only working the investigation with the financial institution that referred it to us, but also looking for other financial institutions that may have been a victim of his illicit scheme.
CHABROW: Has this case gone to trial yet?
CHERY: No it has not.