Before you say anything about this blog title, yes, I know, Frankenstein was the doctor, not the monster. But here’s the thing, ‘Frankenstein’ has become synonymous with the monster itself and, well, the analogy with synthetic identities was too good to pass up. It’s Halloween after all.
What is Frankenstein fraud?
Frankenstein’s monster, assembled from old body parts, is the perfect foil for today's synthetic identities; an identity also made of ‘parts’, usually a combination of fake and real Personal Identity Information (PII) data. While Viktor Frankenstein built his creation with beauty in mind, selecting ‘his features as beautiful’, fraudsters are also careful in building their synthetic identity. They usually pair an easy-to-acquire Social Security Number (SSN) with accompanying false PII data to appear genuine. Onboarding, the first touchpoint between a customer and business, is where the synthetic identity first comes to life, akin to the spark that animates Frankenstein's monster.
This Frankenstein analogy is not new, but perhaps we need to take it to task. Be more strict on how ‘Frankenstein’ is used erroneously to refer to the monster. Perhaps we need to consider instead the alternative title used by Mary Shelley — The Modern Prometheus.
Greek myths, gods and monsters
So who was Prometheus? Time for a quick Greek mythology lesson. Prometheus was a titan, who defied the Gods by stealing fire and giving it to humanity in the form of technology and knowledge. Sparing you the details of how he was punished (it involves an eagle), Prometheus has come to represent human striving for knowledge and the risk of overreaching or unintended consequences. For Shelley, Viktor Frankenstein embodied Prometheus, a genius whose efforts to improve mankind ended in tragedy.
Thus concludes the History/English literature lesson — but what does Synthetic Identity have in common with Greek myths, gods & tales about monsters? As one of fraud’s fastest growing global monsters, having started life academically and evolving to today’s $20bn nightmare, synthetic identities might be more appropriately likened to cybercrime’s modern Prometheus. Here’s why.
Synthetic identities were initially developed by academic researchers in the 90s, with early projects including the 1997 Video Rewrite program. The first iteration outside of the academic field came with credit tumbling, where borrowers made small tweaks to their names and SSNs to throw off a bureau’s linking system. Then in 2003 — a relatively short time ago — ‘synthetic identity’ was coined — with the name inspired by the android Lance Bishop in the movie Alien — honest.
Since then, fueled by technological innovation like: advances in synthetic face generation, advanced toolkits on the open web and hyper-realistic 3D masks, synthetic identities are increasingly sophisticated and difficult to detect. Not only that, fraudsters are increasingly adept at leveraging, tweaking and evolving these synthetic identities, staying under the radar by paying off minimal lines of credit and then gradually obtaining larger loans or credit before busting out. So successful is their use of synthetic identities, that today, staggeringly, synthetic identities account for 85% of all fraud. You read that correctly. In fact, the average amount stolen by fraudsters before the synthetic fraud was discovered stood at a shocking $97,000.
However, there is not just one kind of synthetic identity to detect. And there is not one way it is used to attack. One synthetic identity spawns many monsters — akin to how that scary story competition, drawn up by Mary Shelley, Percy Shelly, Lord Byron and Polidori beside Lake Geneva, spawned not only Frankenstein but the very first vampire story — the original social engineer via hypnotism you could argue.
There are many ways to tell a scary story — just like synthetic identities.
A constantly evolving threat
You get many types of synthetic identities and fraudsters are forever finding new ways to cobble up more realistic, more believable synthetic identities. Basic attacks will feature the good ole’ fashioned mix of real and fake PII. But how do they obtain the stolen data? The many global data breaches that have hit the headlines over the years is the lifeblood of synthetic fraud, and fraud in general.
The go-to for fraudsters is usually a stolen, valid SSN — bought for a few bucks on the dark web — with fake data like date of birth or name. Even at this basic level, fraudsters are smart with what they choose to build the synthetic identity; fraudsters commonly target children’s SSNs and mix those with fake information, with the average age of child victims being only 12 years old, with millions of children estimated to be victims.
A more advanced attack can involve biometrics, with fraudsters donning 2D or 3D masks, and/or using sophisticated synthetic documents — with fraudsters not afraid to mix and match when it comes to gaming the system. They can take a fake ID and fake biometrics to create an ID, or use a real ID and fake biometrics, or vice versa.
Within the last few years we have seen yet another iteration of synthetic identities, leaping straight into the consumer’s imagination with ‘Synthesizing Obama’ and @deeptomcruise — yes, I am of course talking about deepfakes. With this year’s first large, concerted deepfake attack on a cryptocurrency marketplace, the novelty has worn off and the risk is real.
No silver bullet
There is no one way to eliminate synthetic identities or the risk they pose to both businesses and consumers. Some will use 2D masks, or a 3D Michael Myers mask, others will leverage childrens’ SSNs. Some may endeavor to literally become you with synthetic media used to manipulate visual and audio content. But there is a way to fight back against synthetic identity fraud. A way to fight back which, at the same time, allows you to balance consumer experience with security.
In order to reliably detect and identify synthetic identities, digital businesses must adopt a layered approach to their fraud prevention strategies. Layering identity verification and intelligence helps build a robust barrier against synthetic identity fraud. While fraudsters have a myriad of ways to game the system, digital businesses must similarly have a number of different tools and methods to counter nefarious attacks. Businesses today need to know instantly if an SSN is real, if a mask is being used, if the user is transacting from a high-risk region. With so many points of vulnerability and opportunity for fraudsters to spoof, a layered, holistic approach to fraud prevention must be adopted. At Onfido, we've built our Real Identity Platform to enable businesses to create such a layered approach — using a combination of document and biometric verification, trusted data sources, and fraud detection signals.
Furthermore, fighting synthetic identities cannot be done in a silo. Synthetic identity fraud, and fraud in general, has no boundaries. Fraudsters don’t care about regions, use cases or devices. While fraudsters collaborate openly with things like ‘suckers lists’ on the dark web, the mobilization of the fraud industry to work collaboratively needs refocus; its war-time in cybercrime. We need to collaborate to succeed and establish peer-to-peer digital consortiums across industry. After all, Frankenstein, the legendary, classic novel, would never have been written without Byron, Polidori, Shelley and a bit of competition.
So, heed my warning this Halloween, Synthetic Identity Fraud is much more than a cobbled-together monster — it's not like a piece of malware or mindless zombie bots with one specific function — it is much much more dangerous, and can wreak far more havoc.
If a synthetic identity clears onboarding, gets assigned an element of trust, the untold fraud and financial crime it can go on to perpetrate is unimaginable. Indeed, the malicious intent wrought by synthetic identities must not be underestimated, with its claws reaching past fraud into money laundering, Norman Bates-esque account takeovers, trafficking, and terrorist financing, amongst others. And what enterprising fraudsters are doing now — akin to how Viktor Frankenstein turned to modern experiments in the laboratory in his search to spark synthetic life — they are evolving, adapting and applying new technologies to build more realistic, more believable synthetic identities.
We have already seen the advent of synthetic media being used to spoof likeness and voices with deepfakes and yes, while other attack vectors have shifted and evolved, the thought of what could be with synthetic identities in the future is nightmarish. If they get better and better, could they become almost near-identical doppelgangers, indiscernible from the genuine person? Could they enable fraudsters to take over someone's life in a way never imagined — transforming identity theft as we know it?
Both Frankenstein and his monster embody the destruction that the unchecked pursuit of technological advancement can result in; fraudsters today are on their own pursuit to make synthetic identities more sophisticated and harder to detect, with one synthetic identity spawning many monsters. To say synthetic identities are a mere monster like Frankenstein’s monster, would be an injustice — they are cybercrime’s Modern Prometheus.