Baby and a credit card

Synthetic Identities: trust the behavior, not the data!

Who could imagine their two-year-old child as a criminal? While he’s playing with his toys and itching to get a new puppy, he could also be building up his credit score by bilking hundreds of thousands of dollars from online services. Chances are, neither he nor his family will even know about this activity until he applies for his first card or college loan.

Synthetic identity fraud is a trend that’s taking a firmer hold, one that has the potential to threaten the CNP industry, where fraud exposure is expected to hit $71 billion annually by 2020.

How Synthetic ID works

Fraudsters access genuine identity data, either through hacking or purchase on the Dark Web, then use that data to build artificial profiles. One common ploy to access social security numbers (SSNs) of children is through school or health insurance records filled out by the child’s parent. Often deceased people will act as a viable source of SSNs for synthetic IDs (known as ghosting) with no one available to contradict the usage.

According to the IDTheftCenter, thieves steal the identities of nearly 2.5 million Americans annually, including people of all ages from newborns to seniors. Many times the stolen SSNs are assigned fictitious birthdates of people in their 20s to give the appearance of someone starting to establish credit.

Using these IDs to start building credit history is easier than you might think. Applying for credit, even if the application is declined, starts a file with credit reporting agencies. After two or three applications, and perhaps a successful new cell phone account, the file grows and eventually a credit record is established.

Analyst group Aite says financial institutions are reporting that 13% of checking account application fraud and 9% of credit card application fraud use synthetic identities. Aite notes the reported rates are likely low because a fraud loss may be charged off or a credit loss written off without the organization realizing the applicant was not a real person.

One worrisome aspect of using children’s information is that the magnitude of crime may not be known for a decade or two when the then-young adult applies for credit and is denied based on “past” fraudulent behavior.

A more direct way of creating and using synthetic identities is to enlist the aid of unwitting private citizens. Criminals contact consumers on behalf of a fictitious credit bureau and sell them a “Credit Profile Number” (CPN), which would be used in place of a SSN to apply for credit or loans on the premise that it protects their privacy. There are two things wrong here: the first obvious issue is that the general public is supplying their SSNs to criminals, but also consumers are unknowingly committing federal offences by applying for credit with fraudulent information (the CPN).


Synthetic identity fraud can also be initiated via collusion schemes, called furnishing. In this situation, a company is set up with the sole purpose of making sales to synthetic identities created by the bad actors. An “applicant” synthetic identity applies for and is granted credit for the purchase of a high-end product from the “furnishing” merchant. Each month the “furnishing” merchant reports an on-time payment from the synthetic identity. This continually boosts the credit score of the synthetic identity so that it can eventually be used for other financial fraud with the bad actor knowing the identity has value.

Until recently, synthetic identity fraud was almost impossible to detect. Making use of behavioral biometrics is the most effective method for identifying the creation and use of synthetic identities. While the data points being entered by the individual bad actors may pass the traditional PII checks, knowing the underlying behavior of the user creating the account provides a new insight into the types of behavior risk present at the time of account creation.

Want to read more posts like this? See our full blog here.