The Link Between Data Breaches And Synthetic Identities

Synthetic fraud is a hot topic currently, in part due to the informative white papers written by the Federal Reserve. However, in my opinion, many commentators have mischaracterized the relationship between first-party synthetic fraud (often referred to as identity manipulation) and data breaches. Specifically, many commentators imply that the availability of stolen PII for sale on the internet is a material contributing factor to first-party synthetic identity creation and that the outcome of first-party synthetic fraud for consumers is commensurate to the results of identity theft. I disagree with both propositions, for the reasons outlined below.

What is “First Party Synthetic Fraud”?

Firstly, a recap on synthetic fraud.

  • A synthetic identity is one where an applicant’s PII (typically, name, SSN, date of birth and address) does not correspond with any known person but who has passed a KYC process and will typically have a credit record at a credit bureau.
  • A first-party synthetic identity is one where the fraudster uses their own name and date of birth, but a different SSN, in order to allow the fraudster to create a new identity but still use existing documentary evidence (such as a driver’s license) to support their identity.

Do large scale data breaches contribute to first-party synthetic identity creation?

There are numerous articles that imply that large scale data breaches have exacerbated the use of first-party synthetic identities by making stolen SSNs generally available on the internet. While this is theoretically possible, I doubt it is true for the following reasons:

  1. It’s easy to produce an SSN without accessing breach data. The SSA moved to randomized SSNs in 2011, and there are a large number of possible SSNs that are yet to be allocated. If you want an SSN that pre-dates 2011, the SSA itself publishes the schema for non-random SSNs. Put bluntly, there is a vast universe of potential SSNs that a fraudster can use to create a synthetic identity without having to go through the effort of obtaining an allocated SSN.
  2. The risk of getting caught is higher if you use a stolen SSN than an unallocated SSN, because the credit bureau will post a flag to any existing account indicating that there are multiple users with the same SSN. Smart fraudsters will look for an SSN that would likely belong to a child to avoid this conflict risk, but a non-random SSN issued after 2002 is functionally equivalent to a randomized SSN in this respect, and possibly more desirable because it’s less likely to return an “unverified” response from the bureaus.

For the reasons above, there is no incentive to use a stolen SSN, and smart fraudsters are much more likely to generate a legitimately-looking SSN within the schemas offered by the SSA, than voluntarily enter the higher levels of scrutiny associated with SSNs exposed by a data breach. While there might be some correlation between data breaches and first-party synthetic identities, it’s not yet proven that the two are causally related.

Is the impact of a first-party synthetic identity using someone else’s SSN the same as having their identity stolen?

Identity theft is extremely problematic for consumers because it allows a fraudster to appropriate valuable assets. Most obviously, an identity thief can use your identity to gain access to intangible assets such as cash, credit, investments, and information in order to steal, launder and liquidate those assets.

On the other hand, the outcome of a synthetic identity is a new tradeline furnished to a name, DOB, SSN combination, creating multiple credit files with a common SSN. Where there are multiple credit files with the same SSN, the credit bureau will typically post a flag to the file.

There are serious consequences of this, particularly where the appropriated SSN belongs to a child. For example:

  • It can make adding a dependent with the IRS difficult.
  • It can cause delays in obtaining a loan in circumstances where time is of the essence, for example, student loans or a loan to obtain emergency funds.
  • It can create questions in an employee background check that result in lost job opportunities.

There is no doubt these consequences can be severe. Nevertheless, these issues are not comparable to losing one’s life savings. (It’s also important to note that advanced identity verification systems such as SentiLink’s can easily see through these flags to verify the applicant’s correct SSN, thus preserving the benefit of the flag, while eliminating any additional friction.)

Conclusions

Consumers are subject to a variety of fraud vectors, principally identity theft at account opening or via an account take over, and there is no doubt such fraud vectors are exacerbated by large scale data breaches.

However, first-party synthetic fraud is not something that should keep consumers up at night. As noted above, fraudsters are actually disincentivized from using a stolen identity for the purposes of creating a synthetic identity. And the negative consequences, while material, are rare and capable of being resolved with time.

Don’t get me wrong: synthetic fraud is a serious threat to our financial system. It allows individuals to obtain well-priced credit to steal money. It allows criminals involved in organized crime to evade KYC processes to easily launder money. However by overstating the impact on consumers, we risk distracting financial institutions, regulators, law enforcement organizations, and consumers with ineffective solutions to this serious problem, when simple, cost-effective synthetic fraud solutions are readily available.