By Ajay Kaushik, Founder & CEO, Panacea Infosec
Ajay is a first-generation entrepreneur, business leader, strategist, visionary and mentor, He is the founder of Panacea Infosec , which is amongst India's First Information Security Audit firm with twin accreditation by Payment Card Industry (PCI) Security Standards Council as a PCI Data Security Standard (DSS) Qualified Security Assessor(QSA)and SWIFT-certified firm. Panacea InfoSec is also empanelled on the Computer Emergency Response Team (CERT) under the Government of India.
Due to the IT Revolution and availability of sophisticated technologies, Financial Institutions have become much more effective at preventing many types of fraud but crime has evolved also. Synthetic Identity fraud that can be referred to as the crime of the new millennium, is one of the fastest growing problems worldwide. It is a significant example of how fraudsters evolve themselves and focus on weaknesses in online banking security when developing fraud techniques.
In this technique, Instead of using a stolen credit card or identity (ID), fraudsters use fabricated, synthetic IDs to draw credit. Indeed, by an estimate, synthetic ID fraud is one of the fastest growing modern financial crimes worldwide.
Either using a blend of real and fake information or wholly fake personally identifiable information (PII), cybercriminals create a synthetic identity and use this to open an illegitimate bank account. Criminals obtain personal information from customer data breaches and from the Dark Web. Personal information is also gathered through social engineering techniques. This information is then used to open various bank accounts and to get credit cards. The cybercriminals operate these accounts for some time and build up a good credit record of these synthetic IDs.
"To detect synthetic IDs using third-party data can be useful. Data of real identities scatter in many data systems either physically or digitally and these data trails can't be fake"
What Cybercriminals Use
Generally, Cybercriminals like to use PII relating to people who have very less or no credit history so the banks have no pre-existing credit records on them because their applications have little chance to be flagged. As per Federal Reserve, Synthetic Identity Fraud is so sophisticated and success rate is very high, hence it is becoming one of the fastest growing financial crime in the US and it is making its impact in India.
As per data maintained by the National Crime Records Bureau, 3,466 and 3,353 cases of online frauds were registered in 2017 and 2018, respectively in India. According to TransUnion CIBIL's Fraud Trend 2018, there is a significant number of synthetic identity fraud in India also. In India as per industry data, Frauds due to applicants submitting fraudulent contact information have risen by three percent contributing to 18 percent of all detected frauds a Falsification of address proof is the most popular behavior seen amongst fraudsters.
Synthetic Identity Detection
Detecting synthetic identities has been a major challenge for financial institutions because there is not a single definition or any industry standard to define the legitimacy of an identity. Banks are categorizing the financial losses tied to synthetic identity as 'bad debt' therefore it is difficult to consider a fraud timely.
In the US, Synthetic identity fraud accounts for 10-15 percent of lender's losses each year. As per an estimate through Panacea Infosec industry observation there is 10-12 percent of credit card losses due to synthetic fraud In India also.
By synthetic Identity, fraudsters present the fake Identities similar to real customers with limited credit history applying for an account therefore risk detection systems normally unable to identify. Along with this in most cases, there is no clearly identifiable victim and often goes unnoticed and unreported right up until fraudster makes the frauds. Normally banks identify synthetic identities very late.
Although in India as per Information Technology Act 2000 Chapter IX Sec 66C identity theft is a punishable offense, the law says, "Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh".
Many sophisticated technologies that help to detect other types of fraud are not useful in these types of fraud. Machine-learning techniques such as deep neural networks that find patterns associated with fraud are of little use because so few cases of synthetic ID fraud have been uncovered. Unsupervised machine-learning techniques that look for irregularities in data also struggle, because there are no clearly defined differences between real and synthetic IDs at the time of application.
To detect synthetic IDs using third-party data can be useful. Data Of real identities scatter in many data systems either physically or digitally and these data trails can’t be fake. With deep data mining into the data trails, real identities leave behind can help financial institutions detect whether their customers are real or not. Along with this, a robust set of identity protection and fraud management capabilities that address fraud and identity challenges, including account openings and account take overs protect banks or lenders curtail losses from this sophisticated crime of the new millennium.