July 7 2022
Think of the billions of users that enroll online every day for new digital services – whether that’s subscribing to a media service, taking out insurance, accessing medical records, or opening a bank account.
Businesses and organizations put great emphasis on getting as many happy customers onboarded as quickly as possible. For most businesses, more customers mean greater revenues. Meanwhile in the public sector, achieving mass adoption of digital services is central to their cost efficiency and overall effectiveness.
But what happens if you onboard a user who isn’t a real person? Organizations must ensure that an emphasis on completion rates is not costing them further down the line.
Synthetic identity fraud is a real, growing threat for businesses without robust onboarding practices. It’s the fastest growing form of ID fraud, surpassing ‘true name’ identity fraud (where a criminal uses a real person’s identity) and accounting for a huge 80-85% of all identity fraud according to an ID Analytics study.
In this article, we’ll explain what synthetic identity fraud is, why it’s such a difficult form of fraud to defend against, and how iProov’s secure biometric technology can assure the genuine presence of each and every user during enrollment.
Synthetic identity fraud is the creation of a new identity using fictitious, stolen, or manipulated information to gain access to services or defraud business, organizations or individuals.
It’s a highly sophisticated and hard-to-spot form of online fraud that differs from more traditional identity theft. Rather than stealing the identity of a real person, synthetic fraudsters create a “person” who doesn’t exist by using stolen, fictitious, or manipulated Personally Identifiable Information (PII) – this could include a person’s name, address, and social security number, for instance.
Synthetic identity fraud can take many forms and definitions, including:
You may also see this type of fraud referred to as “identity theft”, but it’s not really identity theft. In an account takeover attack, for example, a fraudster is stealing your identity credentials and using them to access and lock you out of your account. But in synthetic identity theft, the identity isn’t stolen per se – it’s created by the fraudster using multiple sources of information.
So, for the purposes of this article, we’re going to stick with the term synthetic identity fraud.
Synthetic identity fraud is generally used to exploit an organization’s onboarding process. Organizations are presented with the synthetic identity and unknowingly onboard the “person” under the assumption they are genuine. These “people” can then max out credit cards or apply for government support programs to steal money, or they can use the account to launder money or commit other crime.
One way that bad actors can make the fraud more convincing is to use synthetic identities to apply for credit/debit cards or complete other transactions and build up a credit score for non-existent customers. If fraudsters are successful, they will then be able to leverage one organization’s services to stack up even more debt or other fraud.
Another way of making synthetic identities look real is to use deepfakes. Criminals can use easy-to-access deepfake technology to create realistic photos or videos of people that don’t exist. Deepfakes are a hugely powerful tool in boosting the success of synthetic identity fraud.
Synthetic identity fraud is a compelling option for criminals – combining real and false information makes it hard to identify them, and even if they are eventually caught out, the synthetic nature of the identity makes tracking down and recouping losses from the “real” culprit extremely difficult. Synthetic identity fraud can take years to detect.
Synthetic identity fraud can easily fall under the radar of traditional organization security checks – especially automated processes where convenience and speed are prioritized. When validating a new customer, there are some helpful tools that can better detect and prevent this type of fraud.
Facial biometric verification is a robust method of spotting when someone is trying to create an online account using a synthetic identity. An organization can ask a new customer to scan their government-issued ID document and then scan their face. Biometric face verification will confirm that the physical person scanning their face is the owner of the asserted identity they uploaded. This helps prevent a synthetic identity being used to enroll for online services and create fraudulent accounts, thwarting criminal activity.
But what happens when the user attempts to combine a synthetic identity attack with a physical or digital spoof, such as wearing a mask of another person during the biometric facial scan? This is where liveness detection becomes essential: liveness technology verifies that the physical face is that of a real, live, human person. Without liveness detection, synthetic fraudsters can use photos or videos to spoof the authentication process. Liveness technology from iProov is able to detect that the “person” presented is 3-D, living and covered in skin – not a mask or photo. Other tools for verifying identity online cannot do this.
Overall, liveness detection is the single best tool in detecting synthetic identities. But it’s worth noting that not all liveness detection technology is created equal.
Genuine Presence Assurance® from iProov is being used by government agencies, banks, and other security conscious organizations around the world to deliver the highest levels of assurance that someone is who they say they are. Let’s discuss how iProov’s Genuine Presence Assurance technology, which goes beyond liveness detection, alone can fight against synthetic identity fraud.
iProov’s Genuine Presence Assurance technology is an invaluable tool in preventing synthetic identity fraud, as it offers organizations the highest level of assurance that a remote individual is genuine. It validates three key things – that the user is the right person, a real person, and that they are authenticating right now, in real time.
The latter part – that the user is authenticating in real time – is a big part of what differentiates Genuine Presence Assurance from other liveness solutions. GPA uses Flashmark™ technology which illuminates the user’s face with a unique sequence of colors that cannot be replayed or manipulated synthetically. This assures a user is authenticating right now – it’s not a presentation attack using a photo or mask, but it’s also not a digital injected attack using a replay of a previous authentication or synthetic video such as a deepfake. Additionally, illumination provides greater assurance as you get multidimensional information from the face to confirm it is a real person.
Example of synthetic identity fraud encountering Genuine Presence Assurance: a fraudster applies to open a new bank account using a synthetic identity that they have created and bolstered with a credit score and a deepfake video of a fictional individual. While the fake identity has worked to open accounts with other providers, this bank is different. Secured by iProov, the verification process at the onboarding stage detects that the applicant is not a real person. It therefore prevents the bank from approving the account, preventing any damage right at this most crucial formative stage of the bank’s relationship with the customer.
A key aspect of GPA’s security is that it is a cloud-based technology, meaning its defenses are hidden from attackers, making it far more challenging to reverse engineer. Its automated active threat monitoring service (called the iProov Security Operations Center or iSOC) monitors day-to-day operations and identifies new and evolving attacks.
Organizations don’t have to compromise on user experience or speed either. All GPA requires is a device with a user-facing camera and for genuine users to look at their device, nothing else. No active participation – such as moving or turning the head, or reading out instructions – is needed. This means that iProov provides truly passive authentication that ensures the widest scope of users can access and authenticate themselves.
Overall, GPA is essential for defending against synthetic identity fraud – particularly in cases where digital injected attacks using a replay of a previous authentication or synthetic video such as a deepfake are used.
Synthetic identity fraud may be based in fiction, but the threat is very real. For organizations that are granting access to money or data, it is imperative that additional security is worked into the initial onboarding process. Genuine Presence Assurance technology from iProov offers unrivaled security and assurance that the online user is real and authenticating right now.
If you’d like to see how iProov’s technology can bring effortless security to your onboarding and authentication processes – while helping to combat synthetic identity fraud – book your iProov demo here.