Ghost in the System: Synthetic Identity Theft
Brett Johnson
Keynote Speaker. Consultant. Podcast Host of The Brett Johnson Show. Cybercrime, Identity Theft, Cybersecurity Expert. Original Internet Godfather. Former US Most Wanted turned Good Guy. Chief Criminal Officer at-large.
Let's talk about Synthetic Identity Theft.
First, take note that this mainly applies to the good old USA. This type of thing is possible in Canada, but isn't really prevalent...yet.
So what is it? A Synthetic Identity, or CPN (Credit Profile or Credit Privacy Number), is a form of fraud, typically using elements of Identity Theft, used to create “ghost” credit profiles at the three major credit bureaus: Equifax, Experian, and TransUnion.
What does that mean? Here is an example of how Synthetic Identity Theft typically works:
A cyber criminal goes to one of the many online criminal bazaars. Once there, he or she finds a vendor who traffics in stolen identities of children. These identities typically sell for $1-$3 each, depending on the time of year in which they are purchased. For that cost, the criminal receives the child's NAME, SSN, and DOB. Typically, criminals are looking for very young children, the younger the better.
Specifically, what the criminal needs is the SSN. This is the main piece used to create the Synthetic ID. The criminal tends to use ONLY the SSN and adds any NAME and DOB he wishes to it. Now, it is important to note that this isn't the only way Synthetic IDs are created. Other methods include using ITINs and also using completely generated numbers which match the SSA issuing structure. That being said, using the identity of a child is most successful and popular.
Let's take a break for a second to discuss how credit profiles work.
You are born without the three major credit bureaus knowing you exist. In fact, they don't know you at all until you do something in your life which triggers a credit query with one of the credit bureaus. Typically, when an individual starts entering adulthood, they apply for a credit card, utilities, a smartphone, etc. The first time they apply, it sends a request to one of the three credit bureaus for a credit check. If it is the individual's first time ever applying for credit, the return response is “No Record Found.” This means that the individual, as far as the credit bureau is concerned, has never had any credit in their life. So the credit bureau reports such. At the same time, the credit bureau which was queried makes a new credit profile in the name of the person whose credit it just checked. That is the way it works for everybody. Equifax and the other two have no idea who you are until you tell them who you are.
Criminals use this to their advantage. If completely new data (NAME, SSN, DOB) is presented to a credit bureau, the bureau creates a brand new credit profile that the criminal can exploit if they have the proper knowledge.
One of the major problems here is that credit bureaus and credit issuers don't automatically verify the SSN against the Social Security Administration database. It is an easy fix, but something that hasn't been implemented and isn't even on the horizon to implement. Because of this, the credit bureau simply doesn't know if the information submitted to it about the individual is accurate or not. The bureau makes the profile with the info given as long as the info isn't already in their system. Enter said criminal.
So now you should be able to figure out why criminals like to use kids' information. Their SSN isn't in the credit system. It is a real SSN that has never been used for anything. Also, using a child assures the criminal that no one is likely to complain. At least not for many years. If the criminal uses the SSN of a 2-year-old, then he likely has at least 15 years before anyone knows a crime was ever committed. By that time, the trail has grown cold. Law enforcement likely won't follow up on it. The crook has gotten away. The result? The kid who is now an adult is likely saddled with disastrous consequences which could take a LONG time to fix.
Which brings us to another problem. Currently there are no nationwide mechanisms to protect children from identity theft. It isn't a difficult problem to solve. A credit freeze can be placed on a child's identity as easily as on an adult's. Currently this takes the actions of a parent. A few states have passed measures which assist in this and make it easier to freeze the info of a child, but it is pitifully few states, and for a parent to do it on their own can be a chore.
So this type of fraud has relatively easy countermeasures which aren't implemented.
Which brings us to the next level of this crime.
So the criminal now has a Ghost in the System. He has created a fictitious person using some real elements and gotten it entered into at least one of the credit bureaus. The problem for the criminal is the ghost credit profile has absolutely no credit. As such, it isn't really worth much to someone trying to commit fraud. The criminal needs to do a number of things at this point for the intended fraud to ultimately be successful.
Here is where I decline to state what some of those “things” specifically are. It is not my intent to walk would-be criminals through how to commit Synthetic Fraud. It is my intent to illustrate how easy this fraud is to perpetrate and equally how easy it is to stop, given proper legislation and security.
So, that said, the criminal must do certain things to make it look as if the ghost he has created is a real person. The created sham doesn't have to stand up to an in-depth analysis, only a cursory check.
Which brings us to another error in the system which is being exploited by crooks. The systems in place tend to only do a surface look. Systems currently aren't performing detailed checks before issuing credit. Many issuers rely on public records to verify that the person wanting credit is real. Unfortunately, these same public records are VERY EASILY manipulated and fabricated.
So the criminal uses a variety of methods to make it appear that the ghost is, in fact, a real person if some bot were to quickly crawl through public databases to check for that ghost.
Next, the criminal needs to boost the credit score and history of the ghost he has created. There are a few ways to do this. And, thanks to the US Congress, it isn't really hard. A criminal could choose to build credit the old-fashioned way, the same way that Americans conventionally do, by slowly building their credit over many months and years, paying their bills and being good creditworthy citizens.
The problem for the crook is going that route takes too damn long when you are trying to make some cash. Enter Authorized User Tradelines. Under current US Law, it is legal for Person A to add Person B onto one of A's existing credit lines as an Authorized User. This not only potentially allows user B to use the credit line A added him to, but MORE IMPORTANTLY gives Person B the credit history of that specific credit line (credit card) come the next billing cycle.
So what does that mean? That means that a person “B” with no credit can be added as an authorized user to someone else's (Person A) credit card, never actually use the credit card, and next billing cycle Person B will have the entire credit history of that one specific card added to their credit report. It's pretty nifty. And it can raise the credit score of an individual VERY quickly, especially if the person has no credit score or history to begin with. This method of boosting one's credit has spawned an entire industry of folks who sell authorized user access to their credit cards and also companies who market those “Tradelines” to people wanting to boost their credit. Something not sound right? I agree. But it is still legal.
The criminal uses these tradelines to create a credit history for his ghost. By adding a tradeline of a card a few years old, it looks as if the ghost has been creditworthy, SOMETIMES for decades. Cards actually in the name of the ghost are usually also needed to commit this type of crime. To satisfy this requirement, the criminal typically relies on a variety of easily obtained secured credit cards which report to credit bureaus.
And that is really all it takes to commit this crime. The crook must get the ghost into all three bureaus, which isn't difficult. Then he has to get his ghost to look like a real person. Then he has to build the credit history. All it takes is a little time.
And the payoff for the crook? Anywhere from a few grand to many thousands of dollars. It all depends on the patience of the criminal. If the criminal takes his time, gets real credit cards in hand, pays off those credit cards over a few months and builds a detailed credit history, then the criminal may ultimately walk off with well over $50k from that one profile.
This type of crime is ideal for fraudsters. The fraudster controls everything about the profile because he created the profile. He can answer all security questions. And no one EVER complains. At least not for many years.
This is the reason that Synthetic Identity Theft is now over 80% of all ID Theft. It is extremely effective.
But it is NOT extremely hard to counter. I have detailed above ways that this can be curtailed. Proper legislation goes a long way.
First, credit bureaus need to be able to automatically verify individuals' identities against the SSA records. Gonna take legislation to do that.
Second, we need the ability to freeze the identity information of children so they don't become victims. A few states have made this easier. We really need this to be an automated process. At present, parents can do this for their children, but poorer and uneducated parents tend not to think of such things. Again, LEGISLATION.
Authorized User Tradelines. It's a good concept, but really? Too much fraud associated with this to keep it around. We get rid of tradelines and all of a sudden Synthetic ID Theft becomes very hard to commit. It would still be possible, but not as easy. Criminals would look elsewhere for money.
In addition, more in-depth automated checks need to be done. The days of a simple web crawl to see if a phone number and address pop up on something like whitepages need to end.
Also, there is a definite pattern fraudsters use to commit this type of crime. I've detailed a great bit of it in this post. Systems need to recognize the pattern and before credit is issued a detailed review needs to be conducted.
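One way an issuer could encode the pattern described in this post as a pre-issuance check, shown as an added example that is not the author's code or any bureau's system. The field names, the 730-day cut-off, the shared-address signal and the three-flag threshold are all assumptions, and the sample files are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Tradeline:
    opened: date
    authorized_user: bool        # applicant was added to someone else's account
    secured: bool = False        # secured card in the applicant's own name
    holder_shares_address: bool = False  # AU line: primary holder lives with applicant

@dataclass
class Application:
    applied: date
    file_created: date           # when the bureau first created this profile
    tradelines: list

YOUNG_FILE_DAYS = 730            # assumed cut-off; tune against real outcomes

def review_flags(app):
    """Return the pattern flags (as described in the post) that this file raises."""
    au = [t for t in app.tradelines if t.authorized_user]
    own = [t for t in app.tradelines if not t.authorized_user]
    flags = []
    if (app.applied - app.file_created).days < YOUNG_FILE_DAYS:
        flags.append("young_file")
    # History older than the profile itself can only have been inherited.
    if any(t.opened < app.file_created for t in au):
        flags.append("au_history_predates_file")
    # Assumed signal: a family AU line usually shares the applicant's address.
    if any(not t.holder_shares_address for t in au):
        flags.append("au_from_unrelated_holder")
    if own and all(t.secured for t in own):
        flags.append("own_credit_only_secured")
    return flags

def needs_detailed_review(app, threshold=3):
    """Hold for manual review when flags co-occur; any one alone is common."""
    return len(review_flags(app)) >= threshold

# Constructed sample files (not real data).
GHOST = Application(date(2024, 6, 1), date(2023, 11, 10), [
    Tradeline(date(2009, 3, 1), authorized_user=True),
    Tradeline(date(2014, 7, 15), authorized_user=True),
    Tradeline(date(2023, 12, 5), authorized_user=False, secured=True),
])
STUDENT = Application(date(2024, 6, 1), date(2023, 9, 1), [
    Tradeline(date(2012, 1, 20), authorized_user=True, holder_shares_address=True),
    Tradeline(date(2023, 9, 1), authorized_user=False),
])
```

`GHOST` raises all four flags and is held for review; `STUDENT`, a young adult on a parent's card with one ordinary account, raises two and is not.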
None of this stuff is rocket science. And that is one of the most important things to realize about cybercrime—it doesn't take a genius to commit these crimes. And it doesn't take a genius to stop these crimes, either.
If anyone has any further questions or would like advice or instruction on the matter, please contact me
Senior Investigator Specializing in Crypto Fraud | Blockchain Analytics | Forensic Accounting
7 years ago: This is a crime we are getting destroyed with. We are in the process of educating institutions locally because once you learn to identify the flags in the credit report it becomes quite obvious. Found this article in doing research on the topic and Brett is the only one I see really outlining the whole process. I will add that in almost all our cases, the suspects are using the CPN with their real name and DOB and in many cases they are cultivating their CPNs to turn around and sell them as trade lines rather than cashing out immediately.
"Are you who you say you are?" Identity Management is 'The Cornerstone' of what we do......... Building & Providing disruptive solutions wherever they are needed #EziChat #MVNO #EziChatMobile #EziChatWiFi
7 years ago: Thanks for taking the time to write the article Brett - very interesting. The public should be very scared of the crime of IDENTITY THEFT. We need to remove the anonymity from the crime and make stolen data worthless. The only way around this form of crime is to biometrically register every person. Then it is up to the individual to verify themselves before each transaction. This would end so many financial crimes (Debit fraud, AML etc). This is a huge step to take and this 'journey' needs to start with a first step. The credit bureaus are ideally placed to help start this form of revolution against the IDT syndicates. www.itaro.co.za
Stem Lab Facilitator at Shelbly County School System
7 years ago: Thanks for making people aware, so they can do something!
Private Investigator ScripsPI.com
7 years ago: Excellent article. I am copying it to hand to the DAs and AUSAs I deal with.
CA ◆ CFE ◆ Financial Reporting ◆ Budgeting ◆ Internal Controls ◆ System Implementation ◆ Credit Control ◆ Cash Management / Pooling ◆ Consolidation ◆ People Management ◆ Secretarial ◆ Business Partnering ◆ Ethics
7 years ago: Thanks Brett. This is interesting.