DataVisor Threat Blog:
Senate Bill 2155 Aims to Stop Synthetic Identity Fraud
Senate Bill 2155, the “Economic Growth, Regulatory Relief, and Consumer Protection Act” became public law earlier this year. The law includes provisions intended to stop synthetic identity fraud. This post provides a few details about synthetic identity fraud and S.B. 2155. The post also highlights what businesses should expect when it comes to the rollout of the law.
What is Synthetic Identity Fraud?
Synthetic identity fraud is a technique where a bad actor creates an identity using a blend of personal information from different people or a combination of real and fake personal information. For example, a fraudster could buy a real social security number from a dark web marketplace but use a name, home address, and date of birth from a different person or multiple people.
Fraudsters use synthetic identities primarily for application fraud swindling lenders and financial institutions out of billions of dollars every year. Application fraud is where a fraudster uses a stolen or synthetic ID to apply for a line of credit or a loan with no intention of paying back the lender. The fraudster cultivates the synthetic identity building authentic looking credit and account activity over time. The goal is to gain access to more credit and max out the credit lines when the time is right.
Synthetic identity fraud is difficult to detect for many reasons. First, fraudsters are adept at creating (and stealing) identities and accounts then emulating user behavior to appear legitimate. Fraudsters will also create sleeper accounts that are used in legitimate ways for a period of time then suddenly break out with fraudulent activity.
Another reason synthetic identity fraud is difficult to detect is that fraudsters often target and steal the social security numbers of children. Fraudsters can buy the stolen social security numbers of children and adults from dark web marketplaces. And criminals can use a child’s social security many years before the fraud is discovered.
A Law that Targets Synthetic Identity Fraud
Senate Bill 2155 includes provisions specifically designed to prevent synthetic identity fraud. One of the provisions is that the Commissioner of the Social Security Administration (SSA) must modify existing SSA databases or develop a new database that verifies the fraud protection data contained in an electronic inquiry from a permitted entity. A permitted entity is a financial institution, service provider, or other organization working with a financial institution. Fraud protection data includes personal data for an individual such as social security number, date of birth, and full name.
The SSA system must also accept the electronic consent of an individual who has given a permitted entity permission to use personal details to verify their identity through the agency’s Consent Based Social Security Number Verification Service (CBSV). Individual consent and fraud data verification must be done electronically only, and not through a signature on paper or a “wet signature.”
The text of the bill explains in detail how the requirements related to preventing synthetic identity fraud are to be executed by the SSA and permitted entities.
Expect Synthetic Identity Fraud to Spike
There doesn’t appear to be a set deadline for the SSA to implement the technical components of the law. Like the EMV chip law, it may take several years for the law to be fully implemented. Also, like the EMV chip rollout, fraudsters will scramble to make the most from synthetic identity fraud while they still can. EMV chips are an obstacle to physical credit card fraud, so fraudsters set their sights on online fraud such as card not present fraud and account takeover fraud. Fraudsters will start cashing out synthetic identities in droves once S.B. 2155 is close to full implementation.
Senate Bill 2155, if implemented correctly, will put an end to synthetic identity fraud. But it will not put an end to application fraud. Massive data breaches occur every year, so fraudsters will still have plenty of stolen identities to use for application fraud.