Synthetic ID vs Thin-File

Cameron D’Ambrosi [00:00:01] Synthetic identity is a hot topic. People really struggle to define it and understand it because it is a new threat vector and so many of the losses go undetected currently. If this is a topic that interests you, you definitely want to stay tuned. We have one of the world’s experts on synthetic identity and its prevention. Joining us. We take a deep dive. You won’t want to miss this episode. Stay tuned. Welcome to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Kurt Weiss, vice president of enterprise Sales at Ikeda. Kurt, welcome to State of Identity.

Kurt Weiss [00:00:44] Hey, Cameron, thanks for the intro there. Nice to be here.

Cameron D’Ambrosi [00:00:47] It is a pleasure to have you excited for this conversation. Hopefully going to shed some light on some of the issues that I think are really top of mind for folks when we think about the current landscape of, you know, fraud and digital identity broadly across applications, I think, you know, particularly in regulated spaces. But I think a lot of these learnings, especially, you know, in light of, you know, certain former richest men of the world and social media platforms, they may have purchased, you know, who are people online and are they real? I think that the ring fence of where these issues are becoming applicable rapidly, rapidly expanding. So. Couldn’t have scripted a better moment in time for this conversation if we had if we had tried here.

Kurt Weiss [00:01:37] You know, it’s it’s a growing digital space. And, you know, the trust in the system is being challenged in multiple ways right now.

Cameron D’Ambrosi [00:01:45] So we’ll just kick right into it. You know, synthetic identity. It’s a cool term. It’s fun to say it’s kind of scary. It’s, you know, in some degrees become, you know, a buzz word, a boogeyman, I think to some degree, still a bit of a nebulous thing in terms of, you know, the definition and how folks are thinking about it and what is getting kind of lumped in under that umbrella. So, you know, from your perspective, when someone comes to you and says, I’m worried about synthetic identity, but I also kind of don’t know where to start, like, how were you at Accord of viewing the notion of this threat of synthetic identity?

Kurt Weiss [00:02:23] Yeah, it is a tough one. And part of that starts is, you know, we can kind of get into later when people the reason it’s become such a boogeyman is it’s very hard for people to identify it and understand that they have a synthetic identity problem because even as this persists and we know it’s there, one of the reasons it’s such a persistent attack is it goes unverified, it goes unacknowledged. And so it’s really hard for people to look at their environment and say, oh, that’s the scope of our synthetic identity problem. And the reason this is because a synthetic identity is based on a kernel of truth. There are identity elements that are going to be presented to you as the institution that are legitimate identity elements. And what happens is the fraudsters are pairing those with other digital signals to basically multiply the effect of that identity and keep it from being traced. Allow them to scale that up into multiple identities and perpetrate their attacks. So maybe I’ll break down what that kernel of truth is. I think we’ve all gotten used straight now to the headline of, you know, this company or this business had a breach. And there are now this many Social Security numbers that are out there on the dark Web being sold. That’s the kernel of truth. And it’s more of the whole COB at this point because pretty much all of that information has been breached at some point now. And it’s sitting out there online, very easy for really anyone, but especially fraudsters to go grab. And so what they’re doing is taking a Social Security number, a name. And applying to that other elements like a phone, an address and email, things that are going to be required for them to leverage that identity in a transaction somewhere down the road. And often they’re taking advantage really, unfortunately, as a new father of, you know, kids are really great target because they have a Social Security number. They haven’t done anything with that as far as establishing credit. And for the most part, no one is tracking their kids credit and trying to understand if that’s being used anywhere. So it makes, you know, folks under 18 really, really great targets to grab their Social Security numbers and use that to create a whole cloth identity in and of itself.

Cameron D’Ambrosi [00:05:01] Yeah, You know, the way I often describe it is if you think about. Traditional identity theft. Traditional identity theft is I’m a bad actor. I understand that camera number. Use a real person. He has an address. He has a Social Security number. He has a credit profile with, you know, the traditional credit bureaus. Traditional identity theft is let me just fill out an account application as Cameron steal his established credit, open an account, synthetic identity. I often describe as you know, if you think of like a Lego person, right, you can kind of snap the head off. You can snap the arms off, you can snap the little legs off. What if you were to take some completely made up elements like the pirate head off of a Lego guy, but then maybe snap the arms and the butt of Cameron on there. So to your kids, point, you know, create a new name, a new age, a new address, but maybe layer on an existing real attribute like the Social Security number of a kid that is previously not tied to any known person within credit header data and basically create this person, you know, synthetically kind of, you know, reductive, using that in the definition, you’re creating a new person from whole cloth with the main purpose being there is no real person who, when the fraud gets discovered, can blow the whistle. So, you know, the the problem with the traditional identity theft is eventually Cameron, the real Cameron goes to check his credit score and goes, Crap, I didn’t open that credit card. I didn’t take out that mortgage. And they call the bank up and say, this wasn’t me. When you do this with a person who never existed, there is nobody to ever pick up the phone and say, This isn’t me. And so these credit losses basically go undetected as fraud. And the bank thinks, well, you know, Cameron Jackson never called up to say my identity was stolen. And so this just gets written off as as bad debt as opposed to a person who fundamentally never existed in the first place.

Kurt Weiss [00:07:06] Yeah, And I love that analogy. One thing that I would add to it is just the scale. We’re not creating just one Lego pirate or whatever it might be for this identity. I’m using that Social Security that I’ve gotten right. That’s my kernel of truth. Let’s say What I can do now is I can spin up a couple hundred emails, I can go grab some non fixed VoIP numbers, have a bunch of phone numbers that I can start using now as well. And all of a sudden I’ve turned that one piece into 100 different identities that I can now test and approach different businesses with to see which ones are going to get through.

Cameron D’Ambrosi [00:07:50] So the levels of sophistication we’re talking about here, you know, to your point on the high end scalable side, you know, people doing this at intense scale. But what is the is there one, you know, M.O. or modus operandi or, you know, there are different levels of sophistication, different kind of threats here from different varying sophistication of actors.

Kurt Weiss [00:08:17] There really is a tremendous array of sophistication here. And I think the thing that’s important to think through is sort of who’s perpetrating this, who are the fraudsters? And I almost feel like some of us have this image of like the Hamburglar, Right. Some lone wolf in their basement tapping away at a computer, kind of creating this this, you know, fraud at this point is more of a state sponsored activity. And in those states that are sponsoring this fraud really is a white collar job. Fraudsters are making, you know, six figures annually going in often to a room that is, you know, full of cubicles where they’re going to sit down and work day in, day out to create this. So a lot of the time when I think of the sophistication, I try to put my mindset and envisioning that. And then like any other company, we try to think of the investment now that it’s going to take. So if I go online to the dark Web, I can spin up a bunch of emails and phone numbers, like I said, and I’ve got some really, really great scale right now. Maybe I have a Social Security that really no one’s touched before, haven’t seen. I could really quickly go in and probably hit up a few businesses and get through. But there’s a lot of businesses that are going to have some basic fraud alerts in place and say, hey, hang on. That’s a non fixed VoIP phone. That does look a little risky to us and that that email was created yesterday. So also it’s auto generated, right? These are things that might start to raise the risk profile. And so I kind of have that spray and pray approach where I’m doing as wide scale and as quick of an attack as I can. I know I’m not going to get through everywhere, but where I do, I’ll I’ll take it. On the flip side, you’ve got synthetic identities and we talked to customers about this all the time. Or they say, Hey. That that risk signal of, you know, an auto generated email or an email that we’ve just seen for the first time yesterday. Those are really helpful. These fraudsters are sitting on these identities and they’re building up them legitimately for five, six, seven years. That gets harder and harder to detect. Still not impossible, but it becomes really hard. You also have to think about the fraudster in that case who set out with a seven year plan. Right. And needed the investment and the resources that they were going to sit on these for seven years. That also raises, you know, in terms of what they expect to get on or why they’re going to be going after bigger and bigger targets, what the scale is going to be getting smaller and smaller. Does that dichotomy make sense? The scale versus the sophistication?

Cameron D’Ambrosi [00:11:25] Oh, yeah. And that’s a great way of putting it. You know, the way I often describe it is, you know, again, just blow this notion of like the lone hacker, you know, the guy. What did Donald Trump say, the £300 guy sitting in his mom’s basement like that is not the case. Right. Think cubicle farms. Think layers of management. Think KPIs. Right. Think like Bill Lumbergh from office space, walking over to everybody’s cubicle saying like, you know, let me see your TPS reports for the amount of fraud that you have of of committed today. And I think the other thing to keep in mind, right, as someone who comes from an AML background, the fundamental thing about the ill gotten gains of crime is that it is extremely hard and costly to convert, you know, the spoils of some types of fraud into real money that you can go spend. It’s a lot easier to just take that money and then reinvest it into committing more fraud. So these criminals have access to huge pools of kind of dirty money that it’s much easier for them to do things like spend on. Right. Computers, on IP telephony, on assets that then they’re using almost right. As CapEx to fund increasing amounts of fraud that make those proceeds easier to launder. So, you know, high sophistication and, you know, money, for lack of a better word, is is not an object. And and this affords them, to your point, an extremely long time horizon where you can take the time. I’m fond of saying, you know, to to take these identities, create them and sock them away almost. You know, I liken it to like a warehouse full of parmesan right there ripening these wheels of cheese, these identities over time and and will, you know, will create a credit history. They’ll go open a low credit, you know, low credit, no credit score needed account. And they will actually use that account and pay that bill off for sometimes years. And then because the credit system is so interconnected now, you then go to an American Express, you go to a credit provider that will not give credit to someone with no or low credit. And you can use that previous ripening that you’ve created, that payment history that you have built up over time to get access to a much higher credit limit. And that is when they will bust out. And that’s what makes it so, so pernicious.

Kurt Weiss [00:13:58] Yeah. And it really creates those layers of interconnectivity between the institutions where. Their institutions are probably profiting off of some of these synthetic identities. They’re being used to build up these more mature and more sophisticated identities that are going to be used in a larger fraud against the bigger players. And that might make it, hey, this is not really my problem. But at some point there is a reputational risk that comes into play there. Right. If I’m American Express in your example, and I start to see customers that are coming from specific institutions, specific banks that help them build up their credit profile, and those are leading to some pretty bad outcomes for me. I may be taking some action. I may be raising standards about how folks from those institutions can come in and do business with me.

Cameron D’Ambrosi [00:15:01] So how are we, you know, solving this, for lack of a better word? I know that’s obviously a huge question and a loaded question to some degree. But, you know, what are the approaches that platforms are taking? How are you at a cadre thinking about this and how are you creating useful signals that can be shared, you know, across this ecosystem to to sniff this out and start having an impact here?

Kurt Weiss [00:15:23] Yeah, I think, you know, one of the one of the positive things the tourism’s of fraud is we can always stamp out fraud. We just have to make it very, very difficult to get access to our products. Right. We talk a lot about friction at Ocado, asking customers to do a one time passcode, take a selfie, upload documents, speak to a rep at a call center somewhere, maybe even go into a physical bank. All of these things are really, really great at stopping and preventing fraud and just go back and think through that scale question again and what they’re trying to accomplish and where they are physically. It’s very, very hard for me to scale a synthetic fraud ring. If every account opening application said, Hey, we need you to go complete this in a branch, right? We need to show up in person. Even if the fraudster was in, let’s say, the US and in the city where that bank might be. I’ve really just lost my scale there and it’s going to take a lot of time. It’s less and less worth my investment. The flip side of this, of course, is that’s also a really bad way to attract and gain customers. And acquisition right now is really the name of the game. And so for Lakota we have really focused on is. 100%, focusing on the fraud signals and how to identify those bad customers. Because we do that so well, what we focus on is our ability to identify a good customer as well. And to me, that’s really the first piece is how can we identify the customers that should be getting access that are low risk and make sure that they’re on impacted by the fraud mechanisms we’re going to put in place and the friction we’re going to put there to stop that. So to me, that’s always step one. We have to take care of our customers because the solution to this is going to become about identifying risk and placing those friction components. In that pathway so that fraudsters are stopped at each step and their patience, their investment makes less and less sense as they try to move through those.

Cameron D’Ambrosi [00:18:03] Yeah. I mean, you know, there is always a surefire way of having zero fraud losses, and that’s to have no customers. Right? You can’t Zero customers equals zero bad accounts. Obviously, that’s not tenable. And where I think the fundamental opportunity and the challenge here is tying together. Right. The notion of how you are creating a positive user experience for good customers while at the same time challenging those bad actors. I think it’s often been assumed within the industry that those things necessarily must be in opposition to one another. And I don’t necessarily think that that has to be the case. Right. And this, you know, I’m an identity guy, so everything is obviously going to come back to identity for me. But in this case, I think we’re we’re completely spot on in the sense that if you center your approach around digital identity, you can kill both of those birds with one stone. You can be actively delighting and easing the friction, creating good positive experiences for those known and good and trusted customers while at the same time frustrating those bad actors, hopefully in a way that creates a completely divergent experience for those two sets of people.

Kurt Weiss [00:19:18] And the key to that, and we’re a cadre really comes in, is with probabilistic risk assessment. So when we talk about probabilistic, it’s really in contrast to deterministic. So deterministic assessment is, you know, when the the answer to the question I am trying to understand is going to be the thing that I can kind of decide on at the end of the day. So I think of KYC often as a classic deterministic risk assessment. We want to know, for instance, does this person, Kurt Weiss, live at this address? Right? And the answer I’m going to get from a KYC provider is Kurt Weiss does live at this address. Great. We can go on. Probabilistic is a little different. And fraud, especially synthetic identity fraud, really is a probabilistic challenge. We can’t just ask, is this synthetic identity and get a yes or no? Instead, we’re asking questions like, when was the first time we saw this phone paired to this email? Right. One of the first was the first time we saw those in a transaction. That’s not a question I am asking. However, what we see is the longer that a phone and email have been seen together, the more transactions they have seen to gather in over that time period. The more likely that it is to be a good customer. On the flip side, if this is the first time we’re seeing a phone and email paired together, that’s where those risk signals tend to fly up. And it’s not a full on guarantee. This is 100% fraud. It’s. Well, what what level of risk is this? Right. And that could be determined by a model. That could be determined by a scorecard, but it’s also determined by the institution itself. Who needs to say. How much risk are we willing to take and what means do we have to mitigate this risk? And I think that’s a really key piece. I mentioned those friction steps. I think what banks are starting to realize is they don’t have enough different friction steps in place. And there’s more and more players on the market that are offering things like selfie scans, you know, digital document uploads one time passcodes. While still friction. These are better than the alternatives of faxing in a document or talking to someone at a call center. But if I don’t have those in place, it’s hard for me to leverage that probabilistic risk because if my only means of, hey, any level of risk, I have to send them to a bank branch. That’s just going to hurt, you know, the conversion hurt those good customers. So getting those friction pieces in place is really important. Now, you can leverage the power of probabilistic data assets to start identifying cohorts of risk and tailoring a customer experience to those risk levels as they align with your institution’s policies.

Cameron D’Ambrosi [00:22:43] Yeah, I think you know this again, bringing it back to this notion of identity for Amel was a thing, you know, fraud. Plus anti-money laundering was kind of in vogue at the beginning of my career was when I was in the anti-money laundering space. It fell off for a while. And now I think hopefully we’re heading back in that same direction. I hate the term for AML, mostly because it sounds I don’t know, it sounds like an oil filter or something, but. Right. It’s this notion of identity can solve both these problems, like figuring out who is this person and are they a real person and are they a sanctioned person? Are they criminal? Are they on the list? Is fundamentally the same challenge as is this also a trusted person? Is this a synthetic identity? Breaking down those organizational barriers that have previously kept this information often siloed between those two groups? Right. Your AML and compliance group was typically just tasked with, you know, is this a sanctioned person? Are we complying with AML regulations? And then on an ongoing basis, then the ball headed into the court of, okay, the fraud team, which has less of a compliance mandate and more of a business mandate of should we be stopping this transaction because we think it’s going to cost us money. Communication in the data sets that can can achieve both of those ends. They’re fundamentally, again, kind of the same thing. And getting out of that mindset of like, you know, this team does X in this team does Y and never the twain shall meet, I think is a legacy construct that hopefully we’re going to see going the way of the dodo.

Kurt Weiss [00:24:20] I couldn’t agree more. And it’s a tough challenge, but we are seeing more and more first time I’m hearing from all. But I agree with you, I think we need something better. What we’re seeing are new titles like Head of Identity, head of digital Onboarding that are looking at this, as you’re saying, holistically. Right. You know, I always think, you know, KYC, AML, these came around 2001, the iPhones not out yet, Right? The digital banks, the challenger banks haven’t even emerged. Right. Digital banking is just so far at that point from where it is now. We couldn’t have anticipated what this would look like. And I think that is also why the fintechs, the buy now, pay later, is the new digital lenders, the new challenger banks that are coming out. They’ve. Created from the get go a construct on an infrastructure where identity is paired together, where KYC, AML and fraud tend to sit at the top of the waterfall together as the information used on again. What is the customer experience going to be based on this risk profile we can build here? And a lot of what we see and some of the legacy institutions is quite challenging. As you mentioned there, Is that just sort of, hey, these parts of the orgs don’t talk even where they do? What we see is. We built this new digital product on our legacy infrastructure. And so we already had KYC moving on to credit and we had to tack fraud on at the end. It had sort of been this separate silo and just the infrastructure itself makes it hard for the communication on a data level, which really removes your ability to start taking some of those mitigation actions in real time and making those mitigations really attuned to that risk profile.

Cameron D’Ambrosi [00:26:36] I couldn’t agree more. And quite frankly, I’m glad that you haven’t heard of Fractal because, you know, a classic thing where I’m like, I hate that this is a thing. And you’re like, I didn’t know that was the thing. Thank you for sharing that with me. But, you know, it does go back to identity from our perspective and and how we can, again, provide these meaningful signals that can be useful across organizations. And, you know, again, towards this end of it is not about, you know, just compliance or just growth, but the notion that you are, you know, killing these two birds with one stone. Gaining a holistic understanding of the customer, which again is is only going to help you as a business, right. Put the right products and services in front of the right people at the right times, which is both about, you know, stopping fraudsters and preventing. Right. The raising of a credit limit for a bad actor, but also knowing when a good customer, for example, should have that credit limit raised because they just reached a new milestone, though it’s like they got a promotion, they had a kid and they need to spend more money. They need access to credit. Both of those things, again, should be going glove in hand 100%.

Kurt Weiss [00:27:48] And I think one other thing that I really want to call out here, this goes back to that beginning when you said, folks come to us, hey, we have this big synthetic identity problem. That’s usually after the attack, right? That’s usually after in the signatures that they’re really looking at is the bust out. Right. They’re seeing that all of these accounts busted out, meaning that, you know, whatever new credit limit they were able to achieve, new loan they were able to take out, they all defaulted on the same at the same time in the same spike. And. What’s not being done is investigation ahead of time. Deeper investigation into those attacks to be able to label synthetic identity fraud as synthetic identity. Typically, we’re left with, hey, this is a default, right? That is by far the biggest outcome that we see from our customers is we know that this person didn’t pay us back. Now, maybe we know some of this is confirmed fraud, because I think, as you alluded to earlier, someone might have called in and said, hey, you know, my identity was stolen. It was used at your institution. Now we can mark that as as fraud. This is a move in the right direction. But we’re not seeing companies take the time to invest and look at the fraud almost as a postmortem so that they can properly label what typically it’s called first party fraud, which means it’s not third party. Right. But also that synthetic identity isn’t a real person. So I think it’s hard to say that it’s actual first party fraud, but label it as synthetic identity and do the due diligence to go look at these things, understand some of the signals. That enables you to develop better and better models, better and better rule sets because you’re seeing more clearly the patterns to be looking for and to recognize. And without that investment, we’re always going to be a step behind where the fraudsters are.

Cameron D’Ambrosi [00:30:07] I couldn’t agree more. You know, this is the perennial, you know, example of a true cat and mouse game. And, you know, you can’t take a breath because, like, again, these folks are so well-financed that there is always, you know, I don’t want to say unlimited resources. But again, going back to how much easier it is to use existing ill gotten gains for CapEx towards new fraud, like the money is not the limiting factor. And these folks are are well trained and well focused. And, you know, I think the most pernicious element is the fact that when, you know, blood is in the water, so to speak, they will strike with a ruthless efficiency and exploit that weakness to the maximum possible extent. Right. These these folks are constantly probing and penetrating, you know, kind of like the, you know, the raptors in Jurassic Park that are constantly probing the fence to see if the electricity is on. And the second it is not, they’re all going to break through. So it’s you know, it is not about like, well, we have a good enough solution. Let’s just sit back, you know, on our laurels and and that’s good enough. Like the advances are going to continue to come in terms of new breakthroughs in fraud. And you need to constantly be evolving because they they will punish you if you slip even for a second.

Kurt Weiss [00:31:30] Yeah. We always like to say a fraud. Fraud finds a way, right? Anywhere there is a crack or a seam, it’s going to be found and it’s going to be exploited. And they’re reading the same articles that we are, right? So when that new fintech launches with that new digital product of the bank launches, they know that those systems are going to be immature. They’re usually a little bit stilted up on kind of a skeleton infrastructure of, Hey, maybe we have some blacklists in place, but we don’t yet have that third party fraud provider or our models not quite as mature yet because we’ve got a cold start problem. First couple of days, they all end up getting hit very hard by these attacks because the fraudsters have been laying in wait, watching the funding rounds, waiting for these things to go into production so they can take advantage of it.

Cameron D’Ambrosi [00:32:29] I love it. Well, we are coming up on the end of our journey here. I’d like to give you an opportunity for what I call shameless plug. You know, for folks who are listening, hopefully not our fraudster audience. You don’t get to ask questions, Curt. But but for our folks who are interested in doing business with Kurt, you know, what is the best place to go to learn more about Qatar’s offerings in this space? And, you know, if folks are interested in maybe getting in touch with you and your team to learn more, what’s the best place for them to go?

Kurt Weiss [00:32:58] We focus on telling the story through name, email, phone address and an IP address. And to us, that really creates that digital identity that we can identify both on the legitimate side. These are your good customers as well as those sophisticated synthetic identity fraudsters that we want to call out as bad actors. We’re always happy to talk. You know, folks can connect with me on LinkedIn as well and get directly in touch with me and my team that way as well. But we really, really like to take a consultative approach, understand the workflows that our customers are putting in place to prevent this fraud and layer on a cadre as an intelligence layer to help them optimize those decisions, optimize the friction strategies in place today and make sure that that fraud and that fraud capture increases, while at the same time we’re seeing conversions uptick as well.

Cameron D’Ambrosi [00:33:55] I love it, Kurt. Thank you so much for your time. Really, really appreciate it. Hopefully our audience appreciates this chat as well. It’s always fun to, you know, connect with with the true heads, as they say. So thank you again for your time and looking forward to catching up with you again. Soon to, you know, check in on our malicious friends and see how they’re adapting and how those countermeasures you’re developing are also evolving.

Kurt Weiss [00:34:18] Fantastic. Well, this has been great and I look forward to another one.