Synthetic fraud and the ID crisis

by Mark Rowe

The more we shop, talk, browse, or bank online, the fewer chances there are to verify someone’s identity in-person. Some might point to the fact that you need a credit card, or a passport, or some type of genuine, government-provided identification to take part in all of this. However, synthetic identity fraudsters are already rampant in the financial sector, writes Audra Simons. She’s Senior Director of Global Products, at the cyber firm G2CI Forcepoint.

They “blend” identities, cobbling them together from fragments of identifying information that are picked up from stolen identity data. Businesses stand to shoulder the cost of an estimated $2.43 billion in fraud in 2023 because of it, according to the Aite Group.

These identity ghosts are more ghoulish than friendly, using a combination of real and fake personal information to craft virtual identities. In lieu of a brute-force style crime, these digital thieves use stolen information to begin building a credit rating for a person who doesn’t exist.
Before long, the trail of records they’ve left behind – applications for credit or loans, online purchases, and other activities – begins to precede any real identity. From there, they’re able to take out loans and capitalize on high credit limits with no intentions of paying them back.

Digital services

If synthetic identity fraud is already an issue, then why is it a cause for future concern? We’ve already seen content tied to identity come under fire in recent years, with anywhere from 5 to 15 percent of Twitter users found to be bots and not real people. These are synthetic identities with a malicious agenda: shape the conversation of the digital town square to sway public opinion.

And as more government services move online, such as access to social assistance or tax services, the desire to shift everything to the web grows. The UK attempted to roll out a digital identity assurance platform named GOV.UK Verify. Its goal was simple: verify your identity through one of a small number of trusted financial institutions with partners Digidentity and the Post Office, and gain access to public services online.

Verify has since fallen out of the public conversation [it’s being ‘retired’ in December] and the Post Office doesn’t even accept new customers anymore. But the urge to create a digital identity platform is still there: the UK government recently revealed plans to reinvent the programme. It’s not inconceivable to think that in the future, some form of a “Verify” would extend to most of the content we engage with online; from banking to social media to shopping for groceries, our digital identity might be accessible across the web.

It’s not too far off from the theory of blockchain.

But one trait that blockchain has, which isn’t immediately visible in a Verify-style program, is the immutability or dependability of information. The level of trust that would have to be extended to these digital identities would need to be infallible. That’s difficult to do when we already know that the companies entrusted with verifying identities are victims of synthetic identity fraud on a massive scale.

Future of identity

Despite the trouble it’s having, the financial sector’s interconnectedness with digital identity will only grow more over time. With bankers, lenders, and creditors seemingly set to become the standard bearer for digital identity, one very important question arises: are these companies secure enough to store all that information? These institutions will need to collect passports, legal documents, financial statements, and other sensitive documents at a nation-wide level to verify identities. These would be millions of documents flooding into the businesses from applicants – any of which could contain malware embedded inside.

For this activity these businesses need to keep themselves secure in the online document collection process. This is where Zero Trust Content Disarm and Reconstruction (CDR) is invaluable. Zero Trust CDR assumes nothing can be trusted and rather than try to detect malware, it extracts the valid business information, verifies it is correctly structured, and then builds new and fully functional files, all within seconds.

The tool is useful for an industry that must constantly evaluate documents which are submitted by users. Where a website is involved for a loan, organizations are also using Remote Browser Isolation (RBI) to limit any potential malicious attack. RBI enables users to browse and interact with the web safely neutralising online threats by hosting users’ web browsing sessions on a remote server instead of the user’s endpoint device, separating the web content from the user’s device to reduce its attack surface.

Stamping out synthetic identity fraud will be a difficult challenge that will take years to resolve. While Zero Trust CDR and RBI do not stop synthetic identity fraud, they do alleviate security concerns for an industry that might soon contain every piece of sensitive information about you – if they don’t already.

We can’t yet fully verify that an online entity’s information is real. However, the very least we can do is verify that the data collected on an identity is safe.

Photo by Mark Rowe, street art, Bristol city centre, summer 2021.

Related News


Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing