Real or Fake? The Difficulty in Detecting Fraudulent Identity
Am I who you think I am? My name is on this article, right next to a picture. You could send me a comment on Twitter or do a Google search to see if I’m legitimate. But is that really enough proof to prove my identity, to show that I am the actual person behind this post?
(I am, by the way—unless someone hijacked my identity between the time I typed this on my computer to the moment it was posted.)
For whatever reason, you trust my identity, just like my friends on social media or my bank when I conduct online transactions or a government agency that requires an extensive form to be answered. Humans are trusting by nature, and we want to believe that what we see is true. The reality, however, is that cybercriminals have improved their game so much that it is almost impossible to tell truth from fiction.
More Alike Than Different
Socure, a leading provider of predictive analytics for digital identity verification, recently looked at identity and its data points based on actual fraud attempts. The result turned into the company’s first “Aida’s Insights on Identity: The Fake ID Edition” report, which revealed fraudsters have become so good at what they do that they’ve managed to virtually eliminate any reliable indicators once used to tell real from fake.
“After processing billions of data points, we confirmed that consumers and fraudsters are far more alike than different when it comes to digital identities,” Sunil Madhu, chief strategy officer for Socure, said in a formal statement. “While differences in fraudster behavior certainly remain, they have become subtle enough that relying on a handful of variables is no longer sufficient; the complex relationships between multiple variables must be analyzed to get an accurate result.”
Why This Matters
Co-opting digital identities is, of course, identity theft, but cybercriminals have changed the game. It’s all about synthetic identity theft now, creating new identities out of many parts rather than taking over some individual identity. It’s something that not only hurts individuals but also can be costly to organizations. A Javelin report found that each such attack is worth about $15,000 to the fraudster, and as a ThreatMetrix article pointed out, the fewer identifiers used to properly confirm a digital identity, the easier it is to commit the fraud.
Now, everyone leaves a digital footprint, or what Socure referred to as “digital exhaust.” And the chances of fraud go up when a company has little information on an identity. If the company has never dealt with an applicant, there is no other information to go by. If that applicant is synthetically created, the fraudster is likely home free.
Trends Fraudsters Use
“In the past, businesses have relied on static data points to confirm identity, like an address, phone number, or social security number,” explained Madhu in an email comment. “But now much of that personal data is easily searchable online or has been exposed in data breaches.”
And, to complicate matters, there are a lot of incidents that are legitimate transactions but look like they could be fraud. In the investigation, Socure found eight trends fraudsters use:
- They are less likely to use well-known mobile carriers for their phone numbers; instead, they use burner phones with lesser-known carriers.
- They tend to use common male names.
- They don’t use or create fake social media accounts.
- There is little consistency between device location and applicant location.
- Fraudsters tend to be in that ideal 25-45 age bracket, if they bother to give an age at all.
- The email address is valid but email is easy to create with an alias.
- And they use the alias to avoid a real name match in email.
That’s the trend for creating fraudulent identities today. This could change tomorrow because cybercriminals are constantly changing their tactics.
AI to the Rescue?
For those tasked with telling real from fake, however, these trends don’t tell them much. The people looking at applications or verifying identity aren’t looking at digital footprints. In fact, it is nearly impossible to tell real from fake with the human eye, according to the report. So what can you do?
“Connecting online personas to real physical identities is essential for preventing fraud,” said Madhu. “In order to do this, organizations need to continuously source live data and correlate thousands of online and offline data points to create a holistic, accurate customer identity model from users’ digital breadcrumbs. This can only be accomplished using machine learning and artificial intelligence.”
It’s a matter of moving past the bias of human behavior. Look at the trends above—there is a reason why fraudsters use the tactics they do. They create an identity that fits all the specs, while at the same time, humans can hold prejudices that interfere with logic or reason. Tasking a robot to scan the data exhaust and learn the patterns will decrease the human bias while improving the chances of catching fraudulent accounts before the damage is done. That will save money and headaches for both organizations and consumers.
