While Frankenstein was the doctor, not the monster he assembled from old body parts, the analogy with synthetic identity fraud is too good to pass up. It’s Halloween after all.
What is Frankenstein fraud?
Frankenstein fraud is another term for synthetic identities: an identity also made of ‘parts,’ usually a combination of fake and real Personal Identity Information (PII) data stolen from data leaks or the dark web.
While Viktor Frankenstein built his creation with beauty in mind, fraudsters are also careful in building their synthetic identity. They usually pair an easy-to-acquire Social Security number (SSN) with accompanying false PII to appear genuine. Onboarding, the first touchpoint between a customer and business, is where the synthetic identity first comes to life, akin to the spark that animates Frankenstein's monster.
This Frankenstein analogy is not new, but taking a closer look, perhaps we need to consider instead the alternative title used by Mary Shelley — The Modern Prometheus.
Greek myths, gods and monsters
In Greek mythology, Prometheus was a titan who defied the Gods by stealing fire and giving it to humanity in the form of technology and knowledge. Sparing you the details of how he was punished (it involves an eagle), Prometheus has come to represent human striving for knowledge and the risk of overreaching or unintended consequences. For Shelley, Viktor Frankenstein embodied Prometheus, a genius whose efforts to improve mankind ended in tragedy.
So what does synthetic identity have in common with Greek myths, gods & tales about monsters? As one of fraud’s fastest-growing global monsters, estimated to cause losses of $20bn to $40bn globally, synthetic identities might be more appropriately likened to cybercrime’s modern Prometheus. Here’s why.
Synthetic identities were initially developed by academic researchers in the 1990s, with early projects including the 1997 Video Rewrite program (which now appears to be the first attempt at deepfakes). The first iteration outside of the academic field came when credit borrowers made small tweaks to their names and SSNs to throw off a bureau’s linking system. Then in 2003, ‘synthetic identity’ was coined — with the name inspired by the android Lance Bishop in the movie Alien.
Since then, fueled by technological innovation like advances in generative AI, toolkits on the open web and hyper-realistic 3D masks, synthetic identities are increasingly sophisticated and difficult to detect. Not only that, fraudsters are increasingly adept at leveraging, tweaking and evolving these synthetic identities, staying under the radar by paying off minimal lines of credit and then gradually obtaining larger loans or credit before busting out. So successful is their use of synthetic identities, that today, staggeringly, synthetic identities account for 85% of all fraud with the average amount stolen by fraudsters before the synthetic fraud was discovered estimated at $97,000.
A constantly evolving threat
Fraudsters are constantly finding new ways to cobble up more realistic, more believable synthetic identities. Basic attacks will feature a good old fashioned mix of real and fake PII. But how do they obtain the stolen data? The many global data breaches over the years, like this recent one exposing millions of Americans, are the lifeblood of synthetic fraud, and fraud in general.
The go-to for fraudsters is usually a stolen, valid SSN — bought for a few dollars on the dark web — mixed with fake data like a name or date of birth. Even at this basic level, fraudsters are smart with what they choose for building the synthetic identity; they can target the deceased or homeless, and commonly target children’s SSNs and mix those with fake information, with millions of children estimated to be victims.
A more advanced attack can involve biometrics, with fraudsters donning 2D or 3D masks, and/or using sophisticated synthetic documents — with fraudsters not afraid to mix and match when it comes to gaming the system. They can take a fake ID and fake biometrics to create an ID, or use a real ID and fake biometrics, or vice versa.
Within the last few years we have seen yet another growing form synthetic identities, leaping straight into the consumer’s imagination with ‘Synthesizing Obama’ and @deeptomcruise — also known as deepfakes.
No silver bullet
There is no one way to eliminate synthetic identities or the risk they pose to both businesses and consumers. Some will use 2D or 3D masks, others will leverage childrens’ SSNs. Some may endeavor to literally become you with synthetic media used to manipulate visual and audio content. But there is a way to fight back against synthetic identity fraud. A way to fight back which, at the same time, allows businesses to balance consumer experience with security.
In order to reliably detect and identify synthetic identities, digital businesses must adopt a layered approach to their fraud prevention strategies. Layering identity verification and intelligence helps build a robust barrier against synthetic identity fraud. While fraudsters have a myriad of ways to game the system, digital businesses must similarly have a number of different tools and methods to counter nefarious attacks. Businesses today need to know instantly if an SSN is real, if a mask is being used, if the user is transacting from a high-risk region. With so many points of vulnerability and opportunity for fraudsters to spoof, a layered, holistic approach to fraud prevention must be adopted. At Onfido, we've built our Real Identity Platform to enable businesses to create such a layered approach — using a combination of document and biometric verification, trusted data sources, and fraud detection signals.
Furthermore, fighting synthetic identities cannot be done in a silo. Synthetic identity fraud, and fraud in general, has no boundaries. Fraudsters don’t care about regions, use cases or devices. While fraudsters collaborate openly with things like ‘suckers lists’ on the dark web, the mobilization of the fraud industry to work collaboratively needs refocus; it’s war-time in cybercrime. We need to collaborate to succeed and establish peer-to-peer digital consortiums across industry.
So, heed this Halloween warning: synthetic identity fraud is much more than a cobbled-together monster — it's not like a piece of malware or mindless zombie bots with one specific function — it is much much more dangerous, and can wreak far more havoc.
If a synthetic identity clears onboarding and gets assigned an element of trust, the untold fraud and financial crime it can go on to perpetrate is unimaginable. Indeed, the malicious intent wrought by synthetic identities must not be underestimated, with its claws reaching past fraud into money laundering, Norman Bates-esque account takeovers, trafficking, and terrorist financing, amongst others. And what enterprising fraudsters are doing now — akin to how Viktor Frankenstein turned to modern experiments in the laboratory in his search to spark synthetic life — they are evolving, adapting and applying new technologies to build more realistic, more believable synthetic identities.
We have already seen the advent of synthetic media being used to spoof likeness and voices with deepfakes and yes, while other attack vectors have shifted and evolved, the thought of what could be with synthetic identities in the future is nightmarish. If they get better and better, could they become almost near-identical doppelgangers, indiscernible from the genuine person? Could they enable fraudsters to take over someone's life in a way never imagined — transforming identity theft as we know it?
Both Frankenstein and his monster embody the destruction that the unchecked pursuit of technological advancement can result in; fraudsters today are on their own pursuit to make synthetic identities more sophisticated and harder to detect, with one synthetic identity spawning many monsters. To say synthetic identities are a mere monster like Frankenstein’s monster, would be an injustice — they are cybercrime’s Modern Prometheus.