Financial Criminals and SSNs Make a Bad Combination
A Social Security number (SSN), which supposedly distinguishes one person’s identity from another, is a key piece of information for a financial institution’s Customer Due Diligence (CDD) process and opening bank accounts. When bad actors abuse SSNs, however, they not only wreak significant havoc for their victims – they can also run up big losses for financial institutions.
This article provides a glimpse into the many facets of the world of identity fraud with special emphasis on the growing trend of synthetic identity fraud. It concludes with 10 Ploys Fraudsters Use to Commit Synthetic Identity Fraud.
Exploitation of Social Security Numbers Assigned to the Deceased
The Office of the Inspector General (OIG) published an audit report on the Social Security Administration (SSA) this past March titled “Numberholders Age 112 or Older Who Did Not Have a Death Entry on the Numident”. Before I share some of the report’s startling findings, I thought I’d provide a little background information to set the stage. The SSA records dates of death in their Numerical Identification System (Numident), an electronic file that contains personally identifiable information (PII) for each person issued a Social Security number. SSA further uses information from the Numident to create the Death Master File (DMF). Financial institutions, in turn, process financial, credit, payment, and other applications against the Death Master File to prevent and identify fraud.
And now, here’s where a big risk vulnerability for financial institutions comes into play. The OIG reported there were 6.5 million numberholders age 112 or older who did not have death information on their record in the SSA’s Numident, even though investigators found significant evidence that suggests the 6.5 million supercentenarians are deceased. The problem is that working SSNs for dead people enable fraud and the OIG determined that thousands of the SSNs could have been used to commit identity fraud. “These identities can be used for improper activities, such as opening bank accounts” the inspector general said.
The report cited one incident of a man who opened bank accounts using several different SSNs. SSA records indicated two of the SSNs belonged to numberholders born in 1869 and 1893 (meaning they would currently be 146 and 122 years old respectively). SSA’s Numident indicated both numberholders were alive and as a result, neither of these SSNs appeared in the Death Master File.
A spokesman for a nonprofit watchdog, Citizens Against Government Waste, gave this assessment. “The master death file is highly vulnerable to fraud. It’s incomplete. It’s not accurate. There’s a whole cadre of people who are making a living peddling these numbers to multiple people. That’s called organized crime.”
60% to 80% of SSNs Are Estimated to Have Been Stolen by Hackers According to the Lead Data Scientist for the Verizon Breach Report
Verizon receives cyberattack data from dozens of organizations around the globe, including federal agencies such as the U.S. Secret Service and the Department of Homeland Security’s Computer Emergency Readiness Team. Jay Jacobs, a Verizon expert who has been studying this data for years, points out that although SSNs have been stolen for decades, the scale of the problem is new. Now that everything is digital, if hackers compromise a server or data warehouse, that theft quickly scales into the millions. “It’s gotten somewhat easy for the attacker,” say Jacobs. “I think we’re underestimating just how [many] records are out there.”
Synthetic Identity Fraud: An Escalating Trend – Synthetic Identities Are Said To Be the Fastest Moving in the Internet Chat Rooms.
Synthetic ID fraud which is defined as “the combination of fake and real consumer identifying information or all false information to create a new fictional or partially fabricated identity” has reportedly been growing at an escalating rate. According to the Federal Trade Commission (FTC), synthetic identity theft accounts for nearly 85% of the millions of ID thefts in the U.S. each year.
Javelin Strategy & Research recently reported in their 2015 Identity Fraud Study that 12.7 million U.S. consumers were victims of identity theft in 2014 and that related fraud losses totaled $16 billion for the year.
The difference between true name fraud and synthetic identity fraud is “existence”; the fictitious identity doesn’t exist. A synthetic identity is created by combining bits of information from multiple individuals or by mixing real and fictitious information. With true name fraud, the victim can complain to authorities when they notice something financially suspicious. A fictitious identity, however, is more lucrative for a fraudster because no one exists to register a complaint.There are no bank customers victimized by synthetic identity fraud; the banks themselves are the victims.
Fraudsters have been able to obtain credit cards, as well as open bank accounts, take out bank loans and create companies, all under fake names. By the time police move in, many of the fraudsters have vanished, leaving investigators trying to locate people who never existed.
Some fraudsters behave very similar to legitimate customers, until the moment they “bust out”, cleaning out all their accounts and promptly disappearing. When a synthetic ID user has had some kind of credit for a long time, by the time he does something bad with it, he might look like an honest borrower who fell on hard times, says Richard Parry, a risk management consultant and former security executive at JPMorgan Chase, Citigroup, and Visa. “A lot of the losses associated with synthetics get written off as credit losses, not as fraud losses,” he adds. “That’s one of the reasons why they are so underreported.” One estimate by leading analyst firm Gartner stated that synthetic identity fraud makes up 20 percent of credit charge-offs and 80 percent of losses from credit card fraud.
One Financial Expert Claims Synthetic Identity Fraud Is a “Game Changer” and Believes Its Increase May Have Links to Terrorism
The growing problem of synthetic identity fraud has raised concerns that terrorists could be linked to these schemes. “This is not a conventional crime. This is more towards terrorism, I believe, not just merely revenue generation” says Dr. Kalyani Munshani, an expert in financial crime. Mushani suggested that the ease at which identities can be created, the amount of money that can be raised and the destination of the funds should be cause for concern. “There are streams of money. We don’t know where it’s going.” she says.
While domestic organized crime is certainly involved in these frauds, Munshani warns of the possibility of a terrorist link. She says synthetic identities are used for two purposes: revenue generation and logistical purpose. “Using synthetic identities, safe houses can be established, cars can be rented, heavy vehicles can be bought, international travel can be facilitated, restricted goods can be bought without any flags being raised,” she said.
A Toronto Police Detective in Canada, Constable Mike Kelly, who has spent years investigating synthetic identities said these schemes can be “very useful to anybody with bad things on their mind. Think of the potential of having an apartment and a vehicle and a phone, all registered in different names. That you can come and go as you please. And then at the end of the day, when people like myself go to investigate who’s behind it all, there’s a puff of smoke and there’s nobody there.”
In a five-month investigation called Operation Mouse, Kelly discovered synthetic identities were responsible for $25 million in fraud losses in which credit card bills and mortgages were never repaid. But Kelly said one of his concerns is that the vast majority of fraudsters they’ve come across who are involved in these schemes are living modestly. “Generally people do fraud for financial gain and most people get financial gain so they can enjoy the spoils of their efforts. In this case, we never saw that,” he said. Instead, Kelly said he believes the money is going to “something overseas that isn’t anything positive. I don’t think anything good comes from somebody in an organization hoovering tens of millions of dollars out of our legitimate economy and feeding some form of organized crime. Particularly one that operates overseas.”
Creating Synthetic Identities: It’s an Exponential Formula
A small ring of 2 bad actors can share and combine just 2 data elements – phone number and address – to create 4 synthetic identities. Each synthetic identity might have 4 or 5 accounts, resulting in a potential total of 16-20 accounts. Assuming a $5K average credit exposure per account, a financial institution’s loss could amount to $100K. The phone numbers are dropped after the “bust-out” and when investigators visit the 2 addresses looking for the 4 characters they want to question – the fraudsters who actually live there claim they’ve never heard of these people.
Fraud rings use multiple identities to increase the size of their criminal proceeds. The simple math below illustrates why financial criminals are fans of the old adage “there’s strength in numbers”.
- 3 person fraud ring with each ring member sharing 2 valid identifiers can fabricate 9 interconnected synthetic identities
- 4 person fraud ring with each ring member sharing 2 valid identifiers can control 16 identities
- 10 person fraud ring with each ring member sharing 2 valid identifiers can exploit 100 false identities. Assuming 4 financial accounts per identity, each with a $5K credit limit – a 10 person ring can commit a “bust-out” of $2M fraud losses.
A savvy synthetic fraud ring can share many data elements such as name, date of birth, phone number, address, or SSN to create a large number synthetic identities. A typical synthetic ID syndicate operates hundreds or thousands of synthetic IDs simultaneously. “They have a pipeline, and they’re enrolling these identities in other things to create all the behaviors that make them look like a really good customer,” says Richard Parry.
A Few of the Many Intricacies in the Synthetic Identity Fraudster’s Bag of Tricks
The most conniving fraudsters are sophisticated enough to know what legitimate SSNs have been issued. Their shrewd moves include generating an SSN that’s one digit off, or transposing numbers, so that there’s a good chance an actual credit bureau file will get pulled when an FI makes an inquiry because the SSN is close enough. There are an estimated 20 million SSNs in credit bureau files associated with 4 or more names.
An identity manipulator may make subtle variations to his true PII in an attempt to avoid past delinquent history or have an application for bank products and services associated with his true identity. The fraudster may increment one digit of the month, day or year of his date of birth, or SSN or interchange SSN digits.
Some synthetic ID fraudsters have even been known to load up a line of credit to its maximum, commit fraud, and then report the fraud as a victim to get reimbursed therefore increasing the revenue they make on these accounts. And the boldest of fraudsters might execute a bust-out scheme in which the credit lines are maxed out, paid down with worthless or counterfeit checks and maxed out again before the check payments are returned – creating a risk exposure of double the original credit limit. Even more damaging still – a highly orchestrated crime ring might be able to pull off this process more than once.
“Hackers are evolving and getting far more sophisticated, using big data sets where they can take bits and pieces of the data and string together new identities” says Yaron Samid, founder of BillGuard.
Identity Fraudsters Prey on Children: Criminals Are Increasingly Targeting Minors – Even Infants’ SSNs for Identity Theft
Synthetic ID thieves need SSNs with clean histories that are not currently being used, allowing them to attach a different name and date of birth to the number. Synthetic identity fraudsters regard SSNs of minors as a hot commodity. A child’s identity is a blank slate, and the probability of discovery is low, as the child will not be using it for a long time. Minors are targeted at a much higher rate than adults. Children may be victimized at a rate 35 times higher than that of adults according to research by AllClear ID.
“If you use a child’s Social Security number, the chances are you have 10 years to make use of that before that child reaches an age where they’re likely to apply for credit in their own right” says risk management consultant Richard Parry.
Carnegie Mellon CyLab published a report titled Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers which presents a number of disturbing findings based on an analysis of over 4,000 incidents of child identity theft. The report shares evidence that identity thieves target children due to the unique value of unused Social Security numbers.
- More than 4,300 children in the study had someone else use their SSN
- Child IDs were used to purchase homes and open credit card accounts
- The youngest victim was 5 months old
- 303 victims were under the age of 5
- There were 6,948 instances in which a child’s SSN appeared in loan and credit account records
- There were many cases with more than one suspect attached to a single child’s identity
- Children were targeted 51 times more frequently than adults in the population studied
A Few of Many Tragic Stories:
- A 14-year-old boy (KY) had a credit history that went back more than 10 years. He was three years old when somebody started using his identity. Several credit cards and a foreclosed mortgage were in his credit history. The thief established good credit for the first 10 years and was able to finance a $605,000 home through first and second mortgages. He also used the boy’s SSN to open several credit accounts. The home loans then went into default and the fraud was assessed at over $607,000.
- A 17-year-old girl (AZ) had over $725,000 in debt. Her SSN was linked to 8 suspects who opened 42 accounts including mortgages, auto loans and credit cards.
- A 17-year-old boy (OH) had 12 people use his SSN to obtain credit. The thieves racked up over $58,000 in bad debt and over $23,000 in unpaid credit card bills.
Criminal Cases Reveal That Synthetic Identity Fraud Can Inflict Exorbitant Losses
The two cases summarized below showcase that multiple financial institutions can be exploited by synthetic identity fraud schemes.
James J. Rose defrauded multiple financial institutions issuing credit cards. He and his partner used a small consumer reporting agency to steal valid SSNs to create synthetic identities. One of his synthetic frauds included using a person’s real SSN to apply for a credit line under a fabricated name. He and his partners obtained over 250 credit cards from 15 different banks and charged $760,000 to these synthetic identities.
In 2013, federal agents arrested 13 people for creating 7,000 fake identities and stealing $200 million from multiple lenders. The perpetrators found unused SSNs sourced through Craigslist listings that solicited individuals who were not credit active to willingly offer up their credentials. The fraudsters used “drop addresses” as mailing addresses for the false identities and created sham companies that accepted credit card payments. After obtaining the cards, the fraudsters made small charges and paid off the cards to raise their credit limits and create a strong credit history. With a strong credit history, the thieves secured a large loan, which they then defaulted on. This synthetic identity fraud operation involved 25,000 credit cards; 169 bank accounts; 1800 mailing addresses and 80 fraudulent merchants.
10 Ploys Fraudsters Use to Commit Synthetic Identity Fraud
- Two or more bad actors form a fraud ring
- The ring shares some legitimate information (e.g. phone numbers, addresses, etc.) and combines them to create fake identities
- Ring members use these synthetic IDs to open accounts with FIs
- New accounts (e.g. unsecured credit lines, credit cards, overdraft protection, personal loans, etc.) get added to the original one
- The accounts are used normally with regular purchases and timely payments
- Banks increase revolving credit lines in response to perceived good credit behavior
- The fraud ring “busts out” – coordinates activity, maxes out credit lines, and then quietly exits stage left
- Some particular greedy fraudsters bring their balances to zero using fake checks just before the bust-out to double their damage
- Collection efforts are attempted but agents can never reach the fraudsters
- Unpaid debt is written off and the FI absorbs the losses
As the above information clearly shows, criminals have realized that synthetic identity fraud can reap a good ROI for the effort expended and the patience and care it takes to create and curate these identities. It behooves financial institutions to diligently be on guard against this growing type of fraud.