Posted by: Arian Eigen Heald
Identity theft, Security
Most of the current options for addressing identity theft focus on the individual victim. We use credit freezes, fraud reports to the FTC, free credit reports and credit monitoring.
But if “pieces” of my information were stolen, how would I know? My address, perhaps, or my birth date? Or one credit card number?
We don’t have good information about this type of fraud. Most of the statistics we have are taken from the reports of victims. Victims do not always know how the theft happened, or all the places where pieces of their information might have been used. Lending institutions (banks, credit card companies, etc) are not required to disclose statistics about identity theft. They have not provided this information because it could cause embarrassment and could attract unwanted regulatory attention.
There’s a good paper here about why statistics are so bad and what we could do about it.
Federal Regulations about the term “identity theft” define it as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade Commission] may prescribe, by regulation.” (These quotes come from the Fair Credit Reporting Act.) But what if different pieces from different people were combined? That’s what we’re talking about here, and it is new territory for regulators.
The FDIC defines it as: “Unlike typical identity theft fraud where a fraudster steals the identity of a real person and uses it to commit fraud, a synthetic identity is a completely fabricated identity that does not correspond to any actual person.”
In synthetic identity theft, the fraudster creates a fabricated identity using some information from a victim’s personal information. For instance, the impostor may use a real Social Security number, but a falsified name and address. Since this synthetic identity is based on some real information, and sometimes supplemented with artfully created credit histories, it can be used to apply for new credit accounts.
If the thief has your bank account number and social security number, for instance, he can reference those accounts to create a new account without ever “touching” your information.
Why does this work? Because credit reporting companies and lending institutions have algorithms that allow for variations in input. So if you “fat-finger” your Social Security number on a credit card application, it will still “find” you. But synthetic ID fraud creates subfiles at the credit bureaus. (The term subfile, says Evan Hendricks, author of “Credit Scores and Credit Reports,” refers to additional credit report information tied to a real consumer’s Social Security number, but someone else’s name.)
Because the identifying information contains some data that’s already linked to a particular consumer, the subfile gets associated with the consumer’s main file, or “A” file. So if someone runs a query “just” on your Social Security number, those “subfiles” will pop up – and your credit rating can tank. But until that query is run, the information remains hidden.
Synthetic identity theft is invisible to victim-based tracking because individuals whose information was used may never become aware of the crime. The “fabricated identities” are typically based on a real Social Security number, but with a fake name and address. As a result, because “the combination of the name, address and Social Security number do not correspond to one particular consumer, the fraud is unreported [by a victim to a bank] and often goes undetected…financial losses stemming from synthetic identity fraud are difficult for organizations to label as fraud when the approved account becomes delinquent and eventually charges-off as a loss.
According to ID Analytics, synthetic fraud is quickly becoming the more common type of identity fraud, surpassing “true-name” identity fraud, which corresponds to actual consumers. In 2005, ID Analytics reported that synthetic identity fraud accounted for 74 percent of the total dollars lost by U.S. businesses to ID fraud and 88 percent of all identity fraud “events” — for example, new account openings and address changes.
“True-name identity fraud was the prevalent identity theft mode about five years ago,” says Steve Coggeshall, chief technology officer of ID Analytics. “Synthetic identity fraud is the dominant mode now.”