When businesses in the U.S. adopted EMV chips in credit and debit cards, criminals shifted their fraud efforts to online channels. That shift, coupled with large scale data breaches, loosening credit standards and the exploitation of legacy credit creation practices, laid the groundwork for synthetic identity fraud (SIF) — the combination of real and fake data to create a brand-new identity that belongs to no one, apart from the criminal who created it.
SIF is particularly concerning because it is so hard to detect. Fraudsters appear to be legitimate customers. They use both real and fictitious information, such as social security numbers and names, to create new, fake (yet seemingly legitimate) identities. In many cases the social security numbers are stolen from children who don’t have credit files yet, providing plenty of time for fraudsters to defraud businesses before anyone realizes the SSN has been hijacked.
These criminals are in it for the long haul. The longer an artificial identity remains “in play,” the larger the credit facilities secured by the identity become, and the greater the potential for criminals to profit when they “bust out.” Additionally, companies are forced to foot the bill.
BankNews reached out to Christina Luttrell, senior vice president of operations including product, client solutions and marketing for IDology, a provider of multi-layered identity verification and fraud prevention solutions to discuss how banks can combat SIF as demand for digital banking experiences increases.
BN: How can banks prevent identity theft and synthetic identity creation without hurting customer experience?
CL: Synthetic identities may appear to be complete and real identities, but they are actually a combination of disparate identity attributes. This is why the first step in combating SIF is acknowledging that traditional, static approaches to verifying identity and detecting synthetic identities are insufficient.
Through our work, we’ve found that SIF is consistently one of the leading fraud challenges financial institutions feel unprepared to address. It’s also one of the fastest growing forms of fraud and is extremely difficult to detect. The Federal Trade Commission estimates that SIF costs businesses $50 billion per year in fraudulent charges.
A new approach to identity verification can make a world of difference, not only for detecting and deterring synthetic identities but also to ensure a seamless user experience. Banks need a comprehensive multi-layered approach to identity verification with next-generation tools that utilize layers of identity attributes, big data relational analysis, and provide access to data-rich consortium networks from companies sharing fraud information.
By utilizing a multi-layered approach that cross-references data across a broad spectrum of sources (as well as relational intelligence and decisioning power) to uncover inconsistencies characteristic of a synthetic identity or other fraud, companies can ensure they will deter and detect these types of fraud. Such a solution is just as important for creating a frictionless experience for legitimate customers as it is for keeping the bad guys out, as it allows financial institutions to verify identities in the background in real time and only escalates to step up verification if an identity seems suspicious, decreasing friction in the process.
BN: Specifically, what can be done to ensure identity verification during mobile account openings/product sign-ups that doesn’t make customers abandon the process?
CL: From our recently published Second Annual Consumer Digital Identity Study, we found that for the first time Americans opened more new accounts online with their mobile device (61 percent) than on a computer (56 percent) during the past 12 months. Consumers exclusively using mobile devices creates new obstacles for account opening, as mobile users show that they have a lower threshold for the experiences being seamless and fast. Less than half (43 percent) of consumers said the account signup processes they experienced on their smartphone were “extremely” or “very” easy.
Meanwhile, mobile device attacks increased 167 percent from 2017 to 2018, according to IDology’s Sixth Fraud Report, and companies reported that fraud has almost doubled in mobile channels.
Any bank that wants to grow its digital business is facing a critical balancing act between providing customers with easy mobile access and greenlighting their activity quickly, without friction, while protecting itself and its customers from fraud. As companies are looking to improve their identity verification processes during mobile account onboarding, they can deploy tools that reduce friction and establish trust with legitimate customers. Using a robust identity verification platform that can verify an identity in real time, in the background, with little information needed from the consumer, businesses can deploy diverse step-up mechanisms to reduce friction during onboarding. This is ideal for successfully improving the onboarding process.
From our consumer study, we learned that consumers are open to using technologies that could prefill their information for them, reducing mistakes and frustration associated with the smaller screen and keyboard on mobile devices. Beyond prefill, 34 percent were open to mobile document capture. Using a picture of a driver’s license to pre-populate a form or verify an identity is a relatively new tool with a variety of potential applications. In the last 12 months, more than 50 million Americans submitted a picture of their license through their smartphone as part of an identity verification process. This type of technology can help decrease unnecessary friction and time.
BN: Can you provide examples of multi-layered authentication?
CL: Across industries, companies increasingly interact with mobile-first and mobile-only consumers who demand better security without added friction. In order to successfully onboard legitimate customers, as well as improve their experience, businesses should deploy an identity verification platform that accesses diverse public and proprietary databases, correlates layers of identity attributes including mobile device and geolocation, deploys diverse step-up mechanisms only when needed and offers access to fraud consortium intelligence, to achieve a better user experience, reduce risk and deter fraud.
The key to multi-layer authentication is a system that allows financial institutions to locate and quickly identify a returning customer in the background, utilizing multiple identity attributes and presenting friction only when needed through multiple step-up options. In addition, access to cross-industry consortium data will provide actionable intelligence to detect and deter fraud.
For example, utilizing mobile network carrier data (in real time) to verify that the device belongs to the right person allows for seamless entry and ongoing authentication — and can even be used to flag risk factors and fraud indicators. One-time verification is another tool financial services can deploy to authenticate a person or confirm high-risk transactions. Using a secure link that is sent directly to the mobile phone, one-time verification ensures the message cannot be hijacked or faked. Another example of a step-up authentication process that is growing in relevance is employing a smartphone’s camera function to capture identity documents is an easy and accessible way to automate the onboarding process.
BN: Do you have any numbers specific to banks as to top threats they are facing and why these particular types of attacks are more common?
CL: IDology’s Sixth Annual Fraud report revealed that banks have been hit hardest by leaked personal information — they experienced the biggest increases in overall fraud compared to other industries (including insurance, lending, healthcare, ecommerce and fintech). On average, 58 percent of organizations experienced an increase in fraud, compared to banks which experienced a 71 percent increase (13 percent higher than the average).
Across multiple customer touchpoints, including online and mobile channels, banks experienced higher than average increases in fraudulent activity. On average, 67 percent of organizations experienced increased fraud online; 63 percent in mobile channels; 38 percent in contact centers; and 26 percent in-person. Compared to other industries, banks saw the highest increases in fraud online (81 percent), on mobile (72 percent), in contact centers (52 percent) and in person (31 percent) and the and the second highest increase in fraud from mobile (tied with Fintech at 69 percent, behind Insurance with 71 percent).
For banks, mobile device attacks, phishing and account takeovers were significantly prevalent fraud vectors/schemes over the past year:
- Mobile device attacks (such as malware, hacking and spoofing) were more prevalent in banking than any other industry, with 53 percent of banks saying it was a common issue (the average across industries was 39 percent).
- Phishing was highly prevalent among banks (58 percent) and was higher than the average (48 percent).
- Account takeover was highly prevalent among banks (52 percent) and was higher than the average (49 percent).
- The top four, in rank order are card fraud (73 percent), check fraud (62 percent), phishing (58 percent), and ACH/wire fraud (56 percent).
Banks feel least prepared to address mobile and synthetic fraud. However, they are taking steps forward to track and prevent fraud, especially SIF. This is probably due to ongoing press and awareness of SIF. Banks are more likely than the average to track synthetic identity fraud (13 percent compared to 8 percent for other industries).
Mobile device fraud techniques like caller ID spoofing, porting, device cloning and SMS interception, are more prevalent within the banking industry. This plays into concerns about mobile attacks in general, as well as being unprepared to prevent it.
- Caller ID spoofing: banking 39 percent; average 33 percent
- Porting: banking 34 percent; average 27 percent
- Device cloning: banking 30 percent; average 23 percent
- SMS interception: banking 31 percent; average 24 percent
Over half of banks (54 percent) believe mobile device attributes will be the hottest new trend in identity verification, yet the No. 1 challenge to preventing fraud for banks is balancing friction and customer experience (64 percent).
Banks believe identity verification has grown more challenging and complex (80 percent). But, the vast majority (85 percent) of banks see identity verification as a strategic competitive differentiator.