The unsealing of four federal indictments last April, which charged 19 suspects with a range of fraud and money-laundering offenses, revealed glaring holes in banks’ identity management practices. These charges are the result of a six-year, multiagency investigation led by the Federal Bureau of Investigation (FBI), which revealed a transnational conspiracy that orchestrated the theft of more than $13 million from 170 victims, primarily based in the United States.
The conspiracy crossed the borders of Europe, Israel, and the United States, and involved four interconnected criminal schemes: online vehicle fraud, business email compromise (BEC), unlicensed money transmitting, and international money laundering. To date, authorities have brought 17 suspects into custody and are actively searching abroad for the other two, who remain at large.
At the press conference where the U.S. Attorney’s Office for the District of Columbia revealed the charges, federal prosecutor Channing Phillips said the “investigation uncovered an interconnected web of money launderers and fraudsters and individuals who enabled their criminal activity.”
Despite being unwilling counterparties, some 45 American banks also enabled this criminal conspiracy to flourish with their porous customer identification programs (CIP) and Know Your Customer (KYC) processes. Specifically, the online vehicle & boat fraud ring, which underpinned the entire investigation and functioned as the “gateway” scheme, relied on synthetic identity fraud (SIF) – a method that has grown increasingly popular in the global underworld. Last year, The Wall Street Journal identified SIF as one of the top three risk issues facing the banking industry. In SIF schemes, criminals use partially or entirely falsified consumer data to open new accounts (New Account Fraud or NAF), procure credit cards, or apply for loans.
The Csurgo identity
According to FBI documents, the online vehicle con worked like this: fraudsters from Europe would place false online advertisements for cars and boats on e-commerce platforms such as eBay and Cars.com; deceived buyers would wire funds to the U.S. or an international bank account specified by the seller; and fraud coconspirators would immediately withdraw the money, launder it, and send theft proceeds back to their associates in Europe before the banks and victims detected the scheme. The only reason the conspiracy worked is that the perpetrators withdrawing the stolen funds had used counterfeit identification documents to open dummy bank accounts, making them invisible to investigators.
Specifically, the U.S.-facing component of the fraud depended on Hungarian national Istvan Csurgo using fictitious driver’s licenses and passports, provided by his foreign accomplices, to open accounts at over 40 banks in the District of Columbia, Maryland, New Jersey, New York, Pennsylvania, and Virginia. In 2012, Csurgo pled guilty to one count of conspiracy to commit bank fraud and one count of use of a false passport. He also admitted to authorities that he stole or attempted to steal approximately $756,511 from fraud victims, while his coconspirators netted roughly $1 million from the scheme.
The synthetic ID fraud paradigm shift
The Csurgo case is emblematic of bank fraud’s paradigm shift away from customer impersonation to synthetic ID generation and NAF, the latter of which more than doubled in 2015, compromising 1.5 million consumers – up from 700,000 in 2014. This underworld trend is the result of widespread EMV (Europay, Mastercard, and Visa) chip credit card adoption in the U.S., which makes it harder to counterfeit consumer credit cards and has pressured criminals to alter their strategy. Also, the spike in online consumer data theft, which has spawned a market for stolen ID credentials on the Dark Web, an encrypted network that is inaccessible to traditional search engines, has created an optimal evolutionary ecosystem for SIF perpetrators.
The anonymity offered by the Dark Web has not gone unnoticed by traditional organized crime groups (OCGs), which have co-opted and criminally optimized SIF rings, inculcating them with generations of deviant expertise. Alternately, fraudsters are also forming their own coordinated criminal networks of hackers and money mules to rob financial institutions (FIs) and consumers. According to Richard Parry, a consultant and a former security executive at JPMorgan Chase, Citigroup, and Visa, a typical SIF ring has hundreds and sometimes thousands of fake IDs going at the same time. In 2014, technology research firm Gartner estimated that SIF schemes account for 20 percent of credit charge-offs, where creditors determine that a debt is unlikely to be paid, and 80 percent of all credit card fraud losses.
A culture of silence
Total SIF losses to banks remain unknown because FIs prefer not to publicize this data. Typically, investor relations and reputation-management considerations create an incident-response culture, where “there’s no self-reporting victim,” according to Parry. In fact, banks usually fail to detect synthetic accounts and incorrectly classify fraud as loan losses.
But, to articulate the scope of the problem, consider that in 2013, authorities exposed an organized SIF ring based in New Jersey that created 7,000 fake IDs to obtain more than 25,000 credit cards, enabling the theft of over $200 million from issuers.
Common SIF tactics
Criminals generally create synthetic identities in one of the following three ways:
- Pair a real Social Security number (SSN) with a fake name
- Use an “inactive” SSN with a real name (typically belonging to a child or someone who has died) to pass KYC filters
- Fabricate both the SSN and the name completely
Further, the Social Security Administration’s move away from an “orderly, rules-based numbering scheme” to random number generation in 2011 has allowed more numbers to be created, thus making it harder for institutions to distinguish legitimate SSNs from fake ones.
According to Garient Evans, Vice President of Solution Services at ID Analytics, SIF rings will generate SSNs that are one digit off or change the sequence of numbers. “They’ll do things such that an actual credit bureau file will be pulled, because the Social Security number is close enough and a lot of institutions have fuzzy logic,” he told American Banker. Further, Sonya Andreassen-Henderson, vice president of the mortgage investigative services group at PNC Bank, told The Wall Street Journal that criminals will also leverage fake pay stubs, fictitious businesses, and fabricated references to fraudulently obtain legitimate banking services.
Confronting the problem
FIs overwhelmed by the staggering size, scope, and unreliability of account application data need to adopt a leading-edge CIP regulatory technology solution that screens for evolving SIF and NAF indicators, and that is tailored to the unprecedented risk landscape of the digital age. For example, banks could cross-reference new client ID information against death records and redundant SSNs. Other FIs might adjust by incorporating screens for Voice over Internet Protocol phones from suspicious carriers and email addresses with a limited user history.
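The screens named above (death records, redundant SSNs, VoIP carriers, email addresses with little history), together with the one-digit-off and reordered SSNs that Evans describes, can be expressed as a small account-opening check. This is an added example, not code from the article or from any vendor; the record sets, field names, carrier list and 30-day threshold are assumptions, and every SSN is constructed.

```python
# Added example: constructed data; SSNs use the 900 area range, which the SSA never issues.
DEATH_RECORDS = {"900-11-2222"}                       # stand-in for a death-record feed
ON_FILE = [("900-12-3456", "ALICE MOORE"),            # stand-in for SSNs already on file
           ("900-55-7788", "BRIAN COLE")]
SUSPICIOUS_VOIP_CARRIERS = {"example-voip"}           # hypothetical carrier list
MIN_EMAIL_AGE_DAYS = 30                               # assumed threshold

def _digits(ssn):
    return "".join(ch for ch in ssn if ch.isdigit())

def near_miss(a, b):
    """True when two SSNs differ by one digit or by one swap of adjacent digits."""
    a, b = _digits(a), _digits(b)
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def screen(app):
    """Return sorted review flags for one application dict."""
    flags = set()
    ssn, name = _digits(app["ssn"]), app["name"].strip().upper()
    if ssn in {_digits(s) for s in DEATH_RECORDS}:
        flags.add("ssn_in_death_records")
    for known_ssn, known_name in ON_FILE:
        if _digits(known_ssn) == ssn and known_name != name:
            flags.add("ssn_on_file_under_other_name")
        elif near_miss(ssn, known_ssn):
            # Do not fuzzy-match to the neighbouring file; send to manual review.
            flags.add("ssn_near_miss_of_existing_record")
    if app.get("phone_type") == "voip" and app.get("carrier") in SUSPICIOUS_VOIP_CARRIERS:
        flags.add("voip_suspicious_carrier")
    if app.get("email_age_days", 0) < MIN_EMAIL_AGE_DAYS:
        flags.add("email_limited_history")
    return sorted(flags)

APPLICATIONS = [  # constructed applications
    {"ssn": "900-12-3465", "name": "Carl Dunn", "phone_type": "voip",
     "carrier": "example-voip", "email_age_days": 3},
    {"ssn": "900-11-2222", "name": "Dana Eads", "phone_type": "mobile",
     "carrier": "example-mobile", "email_age_days": 900},
    {"ssn": "900-55-7788", "name": "Brian Cole", "phone_type": "mobile",
     "carrier": "example-mobile", "email_age_days": 2000},
]

if __name__ == "__main__":
    for app in APPLICATIONS:
        print(app["name"], screen(app))
```

The near-miss flag is raised instead of resolving the application to the neighbouring bureau file, which is the fuzzy-logic behaviour the quoted rings rely on.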
While the plethora of data points can make ID fraud difficult to detect, FIs can turn their Achilles’ heel into their strongest asset. By leveraging a front-end solution that aggregates the wide universe of phone, email, social, online, and public records data in real time, and customizing this asset to match their unique risk profiles, banks can protect consumers, their reputations, and their balance sheets. With SIF scams’ disruption of customer authentication processes, institutions must invest in a next-generation KYC solution that efficiently eliminates risk at the account-opening stage. A front-end identity management tool has become the most essential safeguard to stop SIF, which has become a key nexus and staging point for scammers, money launderers, and terrorism financiers.
How efficient is your customer identification process?