The Synth ID You Don't See

   A call rings out on the police radio. “2C34 to any available Kilo unit reference a Signal 53 in progress”. In plain language, a patrol officer has just requested to speak with a detective from the Economic Crimes Unit in reference to a fraud in progress. A detective answers up and is told of an individual who was just taken into custody at a car dealership for attempting to purchase a vehicle and attain financing using a social security number in the application that is not his. The detective and his partner respond to the scene and their initial investigation reveals that the subject standing in front of them is in fact who he says he is. He has a valid state issued ID bearing his name confirmed through a records check. The dealership provides the responding detectives a copy of the financing application along with the credit report as evidence. Upon inspecting the credit report it shows that name and date of birth match the ID and person standing in front of them. He shows a credit score in the high 700s and has multiple accounts listed as open (trade lines) with varying lengths of reporting history. After additional research it is confirmed that the suspect standing in front of the detectives has a different social security number than that listed on the credit report and finance application. Not exactly sure what has happened but the detectives know that there is fraud at play. The suspect is taken in for questioning. As the interrogation begins the suspect fills the room with half-truths and misdirection. When finally confronted with the reality of possible identity theft charges, the suspect is quick to shout, “I didn’t steal anyone’s identity, I just used my CPN”. The detectives play it cool as not to look ignorant in front of the suspect and shortly thereafter excuse themselves from the interrogation room. As one detective looks at the other with a curious look he asks “CPN?”

   “You got me”, the second detective responds.

Credit Privacy Numbers as Replacement Social Security Numbers

    If you have never heard the term CPN, you are not alone. In fact, unless you are a criminal dealing in fraud, it is likely that you have no clue what a CPN is. CPNs are the newest evolution of committing fraud against financial institutions. The term stands for either “credit privacy number” or “credit profile number” depending on whose “credit repair”, or “financial advisory” Youtube channel you subscribe to. Once you do your homework you will undoubtedly discover a plethora of legitimate looking websites attempting to sell you CPNs and trade lines used to season them to a respectable score. You will be told how they are a legal mechanism by which to secure your identity and how they are used by the rich and famous and politicians alike for privacy concerns. If you choose to stop reading here then let me impart to you the message of this article before you go, CPNs are not legal, if you use them you will get arrested eventually, and lastly, if you choose to believe that CPNs are not a material concern for your institution, save this article aside and come back when your eyes are opened to the scale of this problem. 

    I became aware of this term late in 2016 when I responded to a car dealership with my partner to investigate a “Signal 53 in progress”. Since then, we have seen a steady flow of these cases from that specific dealership; at times taking multiple calls per week. The interesting thing was, as time progressed, the suspects we arrested started showing up to the dealership in new cars from other dealerships around town. We then noticed a reoccurring theme on the credit reports. We could see multiple credit inquiries from other dealerships around town often including the businesses that were proudly displayed on the license plate frames of the suspect’s sweet new ride in the lot when he got arrested. It did not take a detective to figure out what was going on here. However, upon looking into reports, we had not been receiving any calls for fraud from any of these other dealerships where we can see what is going on. They were not seeing it. They either did not know what to look for or they did not care for fear of losing out on sales. We may have started behind the 8 ball when we unsuspectingly stumbled into the hot new fraud trend, but through a network of industry professionals, research, and one on one time with the individuals in the game, the last year has been very enlightening.

A History Lesson in Credit Reporting

      In order to explain why a CPN works, you have to have a basic understanding of how financial institutions make decisions on authorizing new loans or credit and the role the credit bureaus play in that process. But before we go there, let us take a moment to understand the role your social security number plays in identifying you to the credit bureaus. We all know that social security numbers were created in 1936 as a way for the government to track benefits of citizens throughout their working life so that they could collect a check to see them through their old age. It was not the original design or intention however, for the social security number to be used as an identifier for the private sector. A paper published by the Federal Reserve Bank of Philadelphia titled, An Overview and History of Credit Reporting recounts the modest t beginnings of credit bureaus as local industry organizations that gathered what information they could to be used by other businesses in that specific industry. It was not until the 1970s that use of computer databases, proliferation of credit cards, and passage of the Fair Credit Reporting Act came together to drive the consolidation of credit bureaus into large national repositories of consumer information such as the big three we have today. But with this huge influx of consumer data and the need to differentiate one person from another there would need to be an easy way of the credit bureaus end-users (banks) to ensure they were able to assess their financial risk on a specific person. The answer was ready made in the social security number, which by this time was issued to every citizen and unique from any other. What is important to note here, is that credit bureaus are not a federal agency; they have no special access to the Social Security Administration, and are solely reliant on information reported to them by their users.

    The credit profile is in essence the file which contains all your information that the credit bureaus have on you. From the time you were 18 and applied for your first credit card, or the 3 inquiries you had last week at age 50 when you were shopping for a HELOC. They maintain a record of your current credit lines with your outstanding balances, your addresses, and anytime any institution has inquired about you. The bureaus each have their own way of assessing these factors and assigning a number to your profile that end-users can use to assess how much risk they are in of losing the money they loan you. Enter the CPN. A CPN is the tool used by crooks to game the system that has been built over the last 50 years. It will be addressed by legislation eventually, but it is a reactive process that takes time and as of now, that time is on the side of the fraudster. So how do they do it?

Getting Clean Digits

    It starts with finding a nine digit number that does not have a current credit profile. This may be a SSN that has yet to be assigned, belong to a young child, or belong to a deceased person who did not trigger the creation of a new file prior to their death. When you pay for a CPN, in essence, you are paying for someone to have spent the time to “farm” the number. This can be performed by running soft credit hits on random numbers through a complicit or wholly fraudulent company, using employment verification sites, or obtaining those of young children or long deceased adults. However, as fraudsters will be fraudsters, we have encountered those who admitted to purchasing CPNs and were horrified when sitting across the interrogation room to discover they had actually used the SSN of a victim who wants to prosecute for ID theft. In total, there are 999,999,999 possible numbers to be assigned and the Social Security Administration reports that they have issued approximately 450 million. So as you can see there is no shortage of numbers to choose from. 

Gaming the Credit Bureaus

Once they have a clean number, just as you had a new credit profile created when you applied for that credit card at 18, they create an application using their CPN. And here is where CPNs are different than other forms of synthetic IDs. The users are instructed to use their real information including their real name and date of birth. However, there are explicit instructions to use addresses out of their county and new phone numbers. The idea here is that they have all identification to back up their new financial identity, but there will be enough differences that the automated controls within the credit bureaus’ system will not link the two separate credit profiles. They will then apply for an auto loan via an online lender and be denied; but that is all part of the show.

    Once the new application is denied for having no credit history, the file is created with at least one of the bureaus.  The fraudster will then begin the process of tri-merging. This is a process by which they cause the file created at one bureau to be shared with the other two bureaus. This is completed in part by opting-in to credit solicitations. Once the CPN has been created and tri-merged, it is time to season the file. They can begin by applying for credit cards from high-risk high-rate lenders, or obtain secured credit cards. These are called primary lines. They will never be able to increase their scores or attain worthwhile credit at this stage. Next is the secret sauce provided courtesy of greedy banks, in my humble opinion.

Authorized User Accounts

    An authorized user is a great feature when you want to add your kids onto one of your accounts to assist them in building credit. However, just as with any good thing, it is ripe for exploitation. It seems the banks love authorized user accounts. From their perspective, they are taking someone who is deemed as a low risk, possibly long term customer, and adding additional people to help rack up their charges without taking on the risk of new customers. From the consumer’s side, they can add their child or other designated person, sometimes as many as 9 additional users, and you can control their access ensuring they do not run your bill up too high and they get to piggy back on your good credit. As an example, if you have a $20,000 credit line with $18,000 worth of available credit, that has a 10 year history, your authorized user will now show that on their credit report and it will have a positive effect on their score as well. But why would someone with good credit allow their name to be used in this manner by someone they may not even know? Simply put, they are either renting it out willingly for payment, or they do not know they are being used. It is hard to keep up with the exact prices but depending on the vendor, getting an authorized user trade line on an account as listed above may cost you $1000 - $1500 a month. There are sites where you can actually willingly go on and rent out your trade line such as businesstradelines.net. The beauty is, the account holder has no risk. They are simply adding someone as an authorized user; they do not actually give them any access to their account or a credit card. The icing on the cake is that there is no blowback to the account holder when the authorized user defaults on all their subsequent loans. In addition to those who are willing participants, there are unwitting accomplices that are victims of account takeovers without even knowing it. Once upon a time the fraudster would use account takeovers to drain the account as quickly as possible. Now with some institutions permitting up to nine authorized users, the fraudster can rent the victims good credit account to up to nine people charging each authorized user for the service. The victim may never even know, and the fraudster will likely never touch any of the victim’s money so long as they can keep renting out the victim’s good credit. These authorized user accounts will be placed on the CPNs being seasoned for just enough time to jack up their score and make their credit reports look legit before busting out.

The Bust Out

   So at this point you have a new credit profile on record at each of the three credit bureaus with a great credit score attached to your name. Is it illegal? Well I am not the authority to answer that, but I believe the claims of legality pushed by the purveyors of CPNs probable hang their hat on the fact that no real crime I know of has been committed to this point. Just as I can make up a driver’s license from a fictitious state with all my information, I would guess I am probably not breaking any laws until I decide to use it to go for a drive. For those who would argue that CPNs are legal, I have yet to see for what use you could use a CPN for other than committing fraud against financial institutions. That is not to say however that every CPN user is doing so with the intent of busting out. Some people may legitimately want a second chance and have every intent to do better this time around.

The issue of legality lies in how most jurisdictions would define bank fraud or defrauding a financial institution. To paraphrase, you will find that it usually involves a potential borrower knowingly making a material misstatement in the application process to the lender which the lender uses in their decision to fund the loan. With that in mind, despite their new, clean, financial identity, they are still the same person, and by using a CPN they are depriving the lender from making an educated decision based on all the facts that, if known, would likely cause them to deny the loan. Secondary to the intentional misrepresentation of their social security number, we have found that employment and income are almost always fabricated and inflated as well.

How To Combat CPNs

    Education is key in the identification of CPNs. There are clues to look for when assessing a credit report. Just as in the story recounted above we have one auto dealership that is identifying the CPNs on a weekly basis while others are oblivious, the only difference is that the dealership that is finding them, is looking for them. The credit report of a CPN will show authorized user accounts as the largest and oldest accounts. These accounts will sometimes reflect AU on the trade line to denote it is an authorized user trade line, and at other times I have seen no obvious designation. There will also be primary accounts with low limits that have only been open three to six months. These are the largest clues. Other ways to look for signs are to use risk mitigation data companies such as LexisNexis or TLO to identify addresses or search the borrower by name to find similar identities. If you do not have access to those kinds of paid resources, a simple search on Google can do wonders. You can identify listed addresses as homes for sale on Zillow or otherwise vacant properties used as drop houses and search the companies the borrower claims to work for.

Can You See It?

From speaking with the CPN users on the street it is evident that this problem is much greater than anyone is giving it credit. So why are financial institutions not seeing it for the problem it is? I believe that the financial industry has strong investigators many of which are Certified Fraud Examiners and are adept at seeking out fraud. The issue however, is that they are not getting the opportunity to review these files. The foot prints of a CPN bust out looks like any other uncollectible debt. There are no ID theft victims making reports, the dealerships who are one on one with the fraudster have no interest in flagging the sale as it would affect their commission, and the lenders are left completely in the dark until the loan is defaulted. At that time the loan is sent to the collection department who is not trained in recognizing this for fraud. They will fail to contact the borrower and the debt will get filed away and written off as bad debt with no fraud investigator ever having seen it.

Moving Forward

The lending process of our society is based on two large preventative measures to protect banks from ongoing losses. They are that loans are secured against assets which the banks have a legal mechanism by which to recover and reduce their losses, and secondly, that they have the ability to report those who do not honor their debts causing a detrimental effect on those debtors. When a CPN is used however, both of these avenues of recourse are stripped away. The addresses are vacant properties or are of no relation to the debtor so assets are difficult to locate, and the only reputation to tarnish is that of a nonexistent person. In the long term, the answer to this problem will have to come from a partnership between the credit bureaus and the Social Security Administration to validate the credit files being created which the banks rely so heavily on. In the law enforcement community we are able to use government records to identify the true social security number of a subject which makes our task a bit simpler. In the financial sector, investigators will have to pull their resources and use their investigative skills to connect the dots and find new ways to combat this plague.